client IP used when accessing published application

  • Question

  • I have UAG deployed in an environment where there is no firewall so there is not a distinction between "internal" and "external" network.  I have found some documentation on how to deploy in this environment and it seems to be working.  In verifying the connections I ran a netstat on my sharepoint server that has an application published and I notice my client ip as the ip accessing the sharepoint machine.  My understanding with UAG is that when I access the sharepoint application via UAG portal the internal nic should be used, so the ip accessing the sharepoint server should indeed be the internal ip of UAG not the client ip that is accessing the UAG server.  Since my client ip seems to be accessing the sharepoint server, do I have something incorrectly configured?  I hope this makes sense.  Please let me know if I need to expand further on my setup.


    Thanks

    Friday, April 15, 2011 3:19 PM

All replies

  • Hi,

    What you are describing seems to indicate that your clients are accessing the SharePoint application directly, not through UAG. Otherwise, if access had been through UAG, you would indeed have seen the IP of the UAG shown on your SharePoint server.

    Regards,


    -Ran
    Friday, April 15, 2011 3:26 PM
  • Thanks for your quick response.  So I am correct in thinking the UAG internal nic should be used.  That's good to know because that seemed like one main function of UAG.  My confusion now is, registering with DNS in my environment is a slow process so I am using my hosts file on my UAG server.  I put my sharepoint server in my hosts file on my UAG server and not on my client.  When I try accessing the SharePoint site directly from my client it errors.  When I access it via the UAG portal it works.  So something in UAG is directing my client correctly, but the internal nic isn't being used.  I guess I'm confused on how to make the internal nic do the connecting, instead of it using my client through UAG?

    Thanks

    Friday, April 15, 2011 3:44 PM
  • I think we may need some additional details on your networking config. You say there is no distinction between the Internal and External networks, but in a (supported) UAG deployment there has to be. You will have one NIC plugged into your internal network where it's able to access your Sharepoint server, and the other NIC will be plugged into the internet, whether through a firewall or not. Any details you can provide will help, thanks!
    Friday, April 15, 2011 4:25 PM
  • No problem.  First, I used these links as references:

    http://blog.concurrency.com/infrastructure/uag-directaccess-ip-addressing-the-server/

    http://social.technet.microsoft.com/wiki/contents/articles/how-to-install-uag-for-application-publishing-on-a-single-network.aspx

    My environment is public, higher ed.  So there is no true "internal", which is why I am using the above links. Here are my settings:

    Internal:

    IP: xxx.xxx.xxx.x3, mask: 255.255.255.0, gateway: blank, DNS: set to the DNS servers in my environment, Netbios over TCP/IP is enabled

    Set a static route to the gateway server for this IP and to the sharepoint server.  The gateway is separate from the gateway on the external nic.

    External:

    IP: xxx.xxx.xxx.xx1, mask: 255.255.255.0, gateway: set, DNS: blank, Netbios over TCP/IP is disabled, Interface Metric: 500

    Unfortunately, this setup may not be a supported setup.  Is that true?

    Thanks for your help

    Friday, April 15, 2011 4:45 PM
  • I'll have to leave the official decision on whether or not it's supported to Ran or one of the other Microsoft guys on here. The answer used to be no, but the Technet article you provided indicates that it may now be. I have done UAG installs in this way a couple of times for customers in the past, but assumed I was on my own if I ran into trouble.

    So all in all, it seems from your description like it is actually working, but I agree that the client IP address showing up on the Sharepoint server doesn't make sense. Unfortunately I don't have readily-available access into my installations that are running like this so I can't cross-check those for you.

    Friday, April 15, 2011 5:54 PM
  • Hi Anon,

    Is it not possible to use variable-length subnet masks on the interfaces to differentiate between inside and outside (trusted and untrusted)?

    Regards,

    Mylo

    Saturday, April 16, 2011 3:23 PM
  • Mylo and Jordan thank you both for your responses.

    The concept of variable-length subnet masks was new to me so I had to do some research.  From my limited understanding of it I can't use that method.  The IPs of the machines that need to be "internal" are not consecutive and are spread across different gateways.  My thought process was I can do static routes for the internal nic to all the IPs that I need.  Maybe that thinking is wrong?

    Thanks

    Monday, April 18, 2011 12:53 PM
  • Hi Anon,

    Post the static routes you have in mind with the necessary interface information and I will have a look.

    Regards,

    Mylo

    Monday, April 18, 2011 3:28 PM
  • Mylo,

    Basically, I am using static routes to my authentication servers.  I have 5 authentication servers that are spread across different gateways.  So basically I have:

    IP:xxx.xxx.xxx.62, mask: 255.255.255.255, gateway: the gateway of my internal nic

    Originally I had my SharePoint server as a static route just like my auth servers, but have been testing today and I'm not sure that's the right avenue?  The metric setting on the external nic, from my understanding, should actually cause the internal nic to be used. (If this is true shouldn't this be the case for the authentication servers as well?)

    I do the above for all 5 different auth servers.  This seems to be working.  When running a few netstats simultaneously and accessing the server, I see my client traffic coming in to the external nic and when I authenticate that traffic occurs on the internal nic.  However, when I click on my published sharepoint app in the trunk that somehow reverts back to my client as opposed to using the uag internal nic.

    Thanks

    Monday, April 18, 2011 8:15 PM
  • I got it to work.  My authentication servers have to be static routes as I described above, as well as my sharepoint server.  The key to all the pieces for me was the dns being set for the SharePoint application.  It just took a while to get to that point with all the different variables in play setting up UAG this way.  Thank you all for your help.

    • Proposed as answer by Ran [MSFT] Wednesday, April 27, 2011 12:43 PM
    Tuesday, April 19, 2011 9:07 PM
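As an added example (not code from the thread or from the UAG product), the route configuration the thread converges on, written as a PowerShell script for the UAG server: persistent /32 host routes to each backend via the internal NIC's gateway, the high interface metric on the external NIC, and a check of the resulting routing table. Every IP address, interface index and interface name below is a placeholder to be replaced with your own values.

```powershell
# Added example, not from the thread: creates persistent host routes to each
# backend (auth servers, SharePoint) via the internal NIC's gateway, sets the
# external NIC's interface metric, then shows which gateway the stack will use.
# Every address, interface index and name is a placeholder; "route print" lists
# the interface indexes and ncpa.cpl the connection names on your server.

$InternalGateway = '192.0.2.1'       # placeholder: gateway on the internal NIC's subnet
$InternalIfIndex = 11                # placeholder: interface index of the internal NIC
$ExternalIfName  = 'External'        # placeholder: connection name of the external NIC

# Placeholder backends: the five authentication servers and the SharePoint server.
$Backends = @(
    '198.51.100.62',                 # auth server 1
    '198.51.100.90',                 # auth server 2
    '203.0.113.20',                  # auth server 3
    '203.0.113.45',                  # auth server 4
    '203.0.113.77',                  # auth server 5
    '198.51.100.130'                 # SharePoint server
)

foreach ($ip in $Backends) {
    # A /32 host route is the longest possible prefix, so it is chosen over the
    # external NIC's 0.0.0.0/0 default route regardless of interface metric.
    # -p makes the route persistent across reboots.
    route -p add $ip mask 255.255.255.255 $InternalGateway metric 1 if $InternalIfIndex
}

# The interface metric only breaks ties between routes of equal prefix length;
# the high value keeps general (default-route) traffic on the external NIC.
netsh interface ipv4 set interface "$ExternalIfName" metric=500

# Verification: each backend should now appear in the routing table with the
# internal gateway. On the backend itself, netstat should then show the UAG
# internal IP as the connecting address rather than the client's IP.
foreach ($ip in $Backends) {
    route print | Select-String -SimpleMatch $ip
}
```

The DNS piece the final post mentions (the UAG server resolving the published SharePoint host name to the backend address, e.g. via its hosts file) is separate from the routing and is not covered by this script.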