UAG Direct Access and NAT

  • Question

  • Hi all,

    I want to ask if I can deploy UAG DirectAccess behind a NAT, whether it is supported by Microsoft or not, and what the pros and cons are for that, if applicable.

    Thanks


    Tarek Khairy

    Monday, July 30, 2012 8:35 AM

All replies

  • Hi,

    No, you cannot deploy UAG for DirectAccess behind a NAT device, so it is not supported by Microsoft.

    If you want to wait for Server 2012 and DirectAccess, then it will be supported.


    Regards, Rmknight

    • Proposed as answer by rm_knight Monday, July 30, 2012 3:19 PM
    Monday, July 30, 2012 9:59 AM
  • Thanks for the reply. Is there any official document or article from Microsoft confirming that?

    Tarek Khairy

    Monday, July 30, 2012 10:02 AM
  • Forefront UAG DirectAccess prerequisites for SP1

    http://technet.microsoft.com/en-us/library/gg274304.aspx

    Two Internet-facing consecutive public static IPv4 addresses.


    Regards, Rmknight

    Monday, July 30, 2012 10:06 AM
  • I read in some TechNet discussions that some people do it behind a NAT. What is the disadvantage if we do that?


    Tarek Khairy

    Tuesday, July 31, 2012 8:11 AM
  • DirectAccess is not supported behind NAT devices.

    http://technet.microsoft.com/en-us/library/dd637780(WS.10).aspx - 5th bullet point - Cannot be behind a NAT

    I believe people have tried but it does not work.

    If you are only doing portal publishing then this is supported and you can place the UAG server behind a NAT device as it is only HTTP and HTTPS traffic.

    Please supply the discussions you have read.


    Regards, Rmknight

    Tuesday, July 31, 2012 8:18 AM
  • DirectAccess will work behind NAT, but there will be a wastage of public IP addresses.

    Cheers...

    Ashu

    Tuesday, July 31, 2012 8:29 AM
  • My network engineer has concerns, from a security perspective, regarding having the UAG server connected to the public internet through the ISP router without a firewall.

    Here is where I found that you can use NAT:

    http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/82a84cac-0e41-4e6f-be8c-84db2beadb83

    http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/d29b4570-6513-4595-9458-9250af1f918b


    Tarek Khairy

    Tuesday, July 31, 2012 8:52 AM
  • OK,

    You cannot install DirectAccess with non-public IPs. The assistant needs to detect the public IPv4 addresses configured on the external interface. If there are not two consecutive public IPv4 addresses available on the interface, the assistant will not let you enable DA :( and will not let you progress. So you would have to NAT from one public address to another. Both of the linked topics state these are not supported.

    You can have an external firewall in front of the UAG server, but it must route the traffic; you can lock the incoming ports down to HTTPS (TCP 443), Teredo (UDP 3544) and 6to4 (Protocol 41). I have done this a number of times and it works well.

    Also, UAG has TMG installed on the server to protect itself, which is a full firewall.

    If your network guy has that many concerns, then you might be better off looking at Server 2012 and DirectAccess.


    Regards, Rmknight



    • Edited by rm_knight Tuesday, July 31, 2012 9:17 AM
    Tuesday, July 31, 2012 9:09 AM
  • Thanks for the reply, you made it clear now, but can you clarify more about putting the UAG behind the firewall? As I understand from the network engineer, if I want to use public IPv4 he must connect the server directly to the router coming from the ISP.

    Thanks


    Tarek Khairy

    Tuesday, July 31, 2012 9:38 AM
  • Another thing: why do we need 2 consecutive IP addresses?


    Tarek Khairy

    Tuesday, July 31, 2012 9:40 AM
  • A Windows Server 2008 R2 DirectAccess server requires two network interfaces with two consecutive public IPv4 addresses assigned to the external interface. This is required so that it can act as a Teredo server. In order for clients behind a NAT to determine the Teredo server and the type of NAT device, the Teredo server requires two consecutive IPv4 addresses.

    As for the UAG server behind an external firewall: it would require a publicly addressed DMZ. The external connection of the UAG will sit in here and have the two public IPs. The firewall guy would need to route the 3 ports as defined above, and can block all other traffic.


    Regards, Rmknight

    Tuesday, July 31, 2012 11:47 AM
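As an added illustration (not part of this thread or of any Microsoft code), the following Python encodes and decodes a Teredo address using the RFC 4380 layout, which shows what the Teredo server's NAT-type detection ends up embedding in every DirectAccess client's IPv6 address: the server's IPv4, the cone-NAT flag, and the client's NAT-mapped external address and port. The sample address is the standard RFC 4380 example, and `secondary_server` is computed as primary + 1 on the assumption that the server's two consecutive addresses are used in that order.

```python
import ipaddress

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")  # RFC 4380 Teredo service prefix
CONE_FLAG = 0x8000  # bit 15 of the flags field: client qualified as behind a cone NAT


def encode_teredo(server: str, cone: bool, mapped_port: int, mapped_ipv4: str) -> str:
    """Build a Teredo address the way a client does after qualifying with the server.
    Layout: 2001:0000 | server IPv4 | flags | port ^ 0xFFFF | client IPv4 ^ 0xFFFFFFFF."""
    raw = 0x20010000 << 96
    raw |= int(ipaddress.IPv4Address(server)) << 64
    raw |= (CONE_FLAG if cone else 0) << 48
    raw |= (mapped_port ^ 0xFFFF) << 32
    raw |= int(ipaddress.IPv4Address(mapped_ipv4)) ^ 0xFFFFFFFF
    return str(ipaddress.IPv6Address(raw))


def decode_teredo(addr: str) -> dict:
    """Extract the Teredo server, NAT flag and NAT-mapped client endpoint from an address."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        raise ValueError(f"{addr} is not a Teredo address")
    raw = int(ip)
    server = ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)
    flags = (raw >> 48) & 0xFFFF
    return {
        "server": str(server),
        # Assumption (matching the thread's "two consecutive addresses"): secondary = primary + 1
        "secondary_server": str(server + 1),
        "cone_nat": bool(flags & CONE_FLAG),
        "mapped_port": ((raw >> 32) & 0xFFFF) ^ 0xFFFF,
        "mapped_ipv4": str(ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)),
    }


if __name__ == "__main__":
    # Constructed sample: the RFC 4380 example address (server 65.54.227.120, cone NAT,
    # client seen by the server as 192.0.2.45:40000 after NAT translation).
    sample = "2001:0000:4136:e378:8000:63bf:3fff:fdd2"
    print(decode_teredo(sample))
```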
  • Hi all,

    Thanks for all the replies. I would like to ask another question: if I want to install UAG DirectAccess with NAP and I want to use some NAP enforcements at the same time, shall I install NAP on the same server with UAG and use all the enforcements I want, or install it on a separate server?

    Thanks


    Tarek Khairy

    Saturday, August 4, 2012 7:35 AM