Migration from ISA 2006 to UAG 2010

  • Question

  • I am in the process of planning a migration from ISA server 2006 to UAG 2010 in an array. I have the array setup and NLB set to use a public VIP. The portal is working as expected and I am in the process of determining how to move my published resources from ISA to UAG with minimal impact to my end users. The first question I have is around the IP addressing of the internal resources I wish to publish to the portal.

    Currently all WWW requests to an internal website from the public internet resolve in DNS to an additional IP that is on the external interface and listener of my ISA server. This holds true for other internal resources that I currently have published via ISA. Do I need to move all the public resolvable IPs to the network interfaces of my UAG boxes for them to answer off properly?

    The reason I ask is if I monitor my rule base in ISA after publishing that same WWW site via the UAG, when I click on the app in the UAG portal I can see that my client is then being sent over to ISA for access to website. It does work without error but I was under the impression that my UAG box would proxy the request via my private network interface to the internal server?

    I'm missing something simple I'm sure..

    Thanks in advance.

    Chris

    Thursday, January 27, 2011 5:24 PM

Answers

  • I would describe UAG as a superset of TMG, but without the network firewall or outbound proxy elements. As a reverse proxy, it has a more secure and better feature set than TMG in general.

    UAG will cover your list pretty well, the only weak area being OCS/Lync where there is no official support for UAG as a reverse proxy for the web services elements (although it can technically be achieved).

    You could consider deploying it in parallel with TMG and then moving services across one at a time, then decommission TMG once happy. This would also give you a chance to compare the differences in features and user experience...just a thought ;)

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by Erez Benari Wednesday, May 18, 2011 9:58 PM
    Friday, January 28, 2011 12:02 AM
  • Hi Chris,

    Forefront UAG is designed to publish all your applications/servers from your list, so this should be no problem. For most of your requirements, Forefront UAG offers publishing assistants when you create a new portal trunk.
    Good luck


    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de
    • Marked as answer by Erez Benari Wednesday, May 18, 2011 9:58 PM
    Friday, January 28, 2011 6:29 AM

All replies

  • Hi,

    you cannot migrate from ISA Server 2006 to UAG. UAG requires a clean installation and installs Forefront TMG during the UAG installation process. You also cannot use UAG as a replacement for your ISA Server because not all scenarios are supported with UAG:
    http://technet.microsoft.com/en-us/library/ee522953.aspx


    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de
    Thursday, January 27, 2011 7:00 PM
  • Marc,

    Thanks again for the reply and I understand that I cannot "migrate" to UAG from ISA and used the term loosely for which I apologize. However, I'm certain that I can provide access to internal resources securely via a UAG portal, no? Are you insinuating that to do the following, UAG will not allow or give me even greater flexibility over TMG?

    • CITRIX - Already running using XenApp 5 web interface
    • RDS 2008 R2 Gateway services
    • Sharepoint 2010
    • DirectAccess
    • Exchange services
    • OCS / Lync
    • A few intranet websites -

    Where would you see me getting hung up with these or in the future?

    Thanks,

    Chris

    Thursday, January 27, 2011 9:27 PM
  • Ok. So my next question is around external DNS A records.

    Currently I have www.whatever.com resolving to say 215.87.X.X. And 215.87.X.X is residing on my ISA server and bound to a listener for www.whatever.com.

    When I want to move access to www.whatever.com to UAG from ISA for my external users, do I need to bind 215.87.X.X to my UAG array? Or simply modify my external DNS to point www.whatever.com to the VIP of the UAG array? When done, all internal resources published by UAG will resolve to the same external VIP in public DNS.

    So external DNS for domain.com would look like the below table if the VIP of the array is 210.98.11.7:

    abc.domain.com        A       210.98.11.7

    123.domain.com        A       210.98.11.7

    so on and so on..

    thanks again for your time,

    Chris

    Friday, January 28, 2011 1:10 PM