UAG behind TMG firewall

  • Question

  • So after learning the hard way about the differences between UAG and TMG, I'm now in a bit of a quandary. I want to deploy a TMG frontline firewall and have UAG with DirectAccess behind it, but I know UAG needs two public IPs. How does that work if TMG is in front? Not to mention I'm not sure who will handle the publishing of Exchange stuff, TMG or UAG. How would this work? Are there any guides that have this sort of setup?

    Stupid question... does this mean I'll need three IP addresses? o_O

    Thanks in advance.

    Thursday, March 31, 2011 3:24 PM

Answers

  • Hey Radray, I posted this same thing in the other thread that we had running but will place it here as well: :)

    If you have a separate server dedicated to TMG, then you could use either to publish your mail. I would recommend UAG because it does positive logic filtering on Exchange traffic.

    Keep in mind, you don't need to place a UAG device behind a firewall, because it has TMG built in to act as its own firewall. You don't need a separate TMG box unless you have other intended purposes for it as well. We have customers place our UAG and DirectAccess Concentrator appliances directly "on the edge" all the time (granted our appliances are hardened much further than a standard server would be, so they are built specifically to do this).

    To answer your IP question, if you end up running a UAG box and a separate TMG box, then you'll definitely need 3 IPs. If you run only UAG, it's really your call. You'll need at least 2 IPs for DirectAccess to work, and technically you can run an SSLVPN portal on one of those IPs at the same time, though in my experience most of the time a third IP address is added to the appliance to ensure a separation of the traffic. We do have a demo environment running here at IVO that runs a "shared" configuration with DA and an SSLVPN portal running on two IPs and it works just fine.

    • Marked as answer by Erez Benari Thursday, May 5, 2011 6:01 PM
    Friday, April 1, 2011 11:50 AM

All replies

  • Hi radray,

    Don't quite get the point of having UAG behind another TMG firewall, as the UAG is already equipped with the TMG components onboard.

    There is a great blog for UAG DirectAccess Server Deployment Scenarios (http://blogs.technet.com/b/tomshinder/archive/2010/04/01/uag-directaccess-server-deployment-scenarios.aspx)

    Plus have a look at related posts on public IP NAT queries: http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/ee25c32e-01f4-4781-8348-811027675c31

    In short, it should work provided you have the two public IPs on the UAG external interface.

    Exchange stuff you will be able to publish via both, but it seems like overkill. I typically prefer to use the UAG for publishing :)
    Hope this helps.

    Thursday, March 31, 2011 7:43 PM
  • A couple of options:

    a) Place UAG and TMG in parallel - this will require at least three public IP addresses; one for TMG and two for UAG. If you want to use a UAG portal, you will also need another public IP address.

    b) Create a public IP addressed DMZ (perimeter network) using TMG and then place the UAG external network interfaces into this DMZ network and configure the firewall as per here: http://technet.microsoft.com/en-us/library/ee809062.aspx

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, April 1, 2011 1:02 AM
  • Thanks guys, I'll let you know how it goes.
    Friday, April 1, 2011 1:50 PM