UAG DirectAccess does not work with backend firewall

  • Question

  • Good morning!

    I am implementing UAG with a backend firewall. In the document, Tom Shinder describes that it is necessary to allow all IPv4 and IPv6 traffic on the internal interface in internal firewalls.
    Is there any official document specifying this?

    http://blogs.technet.com/b/tomshinder/archive/2010/04/01/uag-directaccess-server-deployment-scenarios.aspx

    The back-end firewall must be configured to:

    • Allow IP protocol 41 inbound to and outbound from the UAG DA server’s internal interface (this is to allow ISATAP messages to be communicated between the UAG DA server and machines on the corpnet)
    • Allow all IPv4 and IPv6 traffic inbound to and outbound from the UAG DA server’s internal interface (this should be thought of a starting place, because most organizations aren’t aware of their traffic profile, and limiting the protocols could cause service disruptions)

    Thanks

    Robson Hasselhoff - Follow me @Robk9e

    Monday, April 2, 2012 12:26 PM

Answers

  • I don't know of an official place in the documentation that specifies it, but I also make the same recommendation. When using a backend firewall you must allow for:

    1. Any traffic that might flow between the DA client computers and application servers
    2. Any traffic that might flow between the DA servers and the infrastructure servers like DCs, DNS, WSUS, etc
    3. Any traffic that might flow between the DA servers if you are running an array. This one is especially tricky as UAG creates virtual MAC addresses to communicate between the nodes and a firewall on the internal side of the connection can interfere with this communication and cause load balancing failures.

    This is why it is recommended to open the firewall for everything, then make sure that DirectAccess works. Then once you have that established, you can try locking down certain things in the firewall and basically test along the way to see what breaks.

    Monday, April 2, 2012 1:07 PM
  • This document describes the requirements for backend firewalls

    http://technet.microsoft.com/en-us/library/gg502559.aspx

    Backend intranet firewall

    • All IPv4 and IPv6 traffic to and from the Forefront UAG DirectAccess server

    All IPv4 and IPv6 traffic— The Forefront UAG DirectAccess server must reach and be reachable by Active Directory domain controllers, management servers, and other intranet resources. You can begin with this initial filter, and then refine the filter over time to allow the subset of traffic needed by the Forefront UAG DirectAccess server.

    Protocol 41— ISATAP encapsulates IPv6 packets with an IPv4 header. In the IPv4 header, the Protocol field is set to 41 to indicate an IPv6 packet payload. Use this packet filter if you are using ISATAP to send IPv6 traffic across your IPv4-only intranet.

    Thanks again


    Robson Hasselhoff - Follow me @Robk9e

    Tuesday, April 3, 2012 1:43 PM

All replies

  • What's the point of having a back-end firewall if in the end you need to open everything :)

    Here you need to make a difference between your DA server and the DA clients.

    The DA server will always use the IANA recommendation, unless you manually specify something else with netsh. These are ports 49152 to 65535 as source, while destinations are known endpoint ports like DNS, RPC EPMAP, etc.

    DA client traffic won't use the IANA range as a base. All communication from the DA server of a DA client will start from source port 16000 and grow upward. Right now I am trying to figure out whether the developers fixed a maximum or they just allow communication up to 65353, like Exchange 2007 on 2008 did by opening ports from 1025 to 65535.

    I made this observation with DA 2.0 on Windows 2012, but I am pretty sure it shares the same specification as DA 1.0 / UAG.

    Monday, June 18, 2012 12:39 PM
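The approach in the marked answers (allow everything to and from the UAG server's internal interface, confirm DirectAccess works, then narrow the filter from what you actually observe) together with the source-port observation in the last reply, worked through as an added Python example. This is not code from the thread, from Microsoft or from any UAG component. The UAG addresses, the DA client IPv6 prefix, the six-column flow-log format and every flow line are constructed for the example; the 16000 floor and the 49152 to 65535 range are taken from the last reply as that poster states them, not from documentation.

```python
"""Derive a narrowed back-end firewall policy from observed DirectAccess flows.

Added example for this thread, not Microsoft's or the posters' code. Allow all,
capture what actually flows, then emit only the observed services.
Addresses, prefix, flow format and every flow line below are constructed.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed addressing (documentation ranges), assumed for this example only.
UAG_INTERNAL = {ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("2001:db8:1::10")}
DA_CLIENT_PREFIX = ipaddress.ip_network("2001:db8:c11e::/64")  # assumed DA client IPv6 prefix

IANA_EPHEMERAL = range(49152, 65536)  # server-side dynamic range, as stated in the last reply
DA_CLIENT_PORT_FLOOR = 16000          # client-side source ports start here (last reply's observation)

# Constructed flow log. Columns: ipver proto src dst sport dport ('-' = protocol has no ports).
# Only connection initiations are logged; a stateful firewall handles the replies itself.
SAMPLE_FLOWS = """
4 41  192.0.2.10        192.0.2.20        -     -
4 41  192.0.2.20        192.0.2.10        -     -
4 tcp 192.0.2.10        192.0.2.5         49310 389
4 udp 192.0.2.10        192.0.2.5         52011 53
4 tcp 192.0.2.10        192.0.2.5         49322 135
4 tcp 192.0.2.30        192.0.2.5         50000 80
6 tcp 2001:db8:c11e::77 2001:db8:1::80    16004 443
6 tcp 2001:db8:c11e::77 2001:db8:1::80    16005 445
6 tcp 2001:db8:1::5     2001:db8:1::10    50123 5985
6 tcp 2001:db8:1::80    2001:db8:c11e::77 443   16004
"""


@dataclass(frozen=True)
class Rule:
    ip_version: int
    direction: str          # to-uag, from-uag, client-to-intranet, intranet-to-client
    protocol: str           # tcp, udp, or ip41 (IP protocol 41, ISATAP encapsulation)
    dst_port: Optional[int]


def parse_flow(line):
    ipver, proto, src, dst, sport, dport = line.split()
    to_port = lambda p: None if p == "-" else int(p)
    return (int(ipver), proto.lower(), ipaddress.ip_address(src),
            ipaddress.ip_address(dst), to_port(sport), to_port(dport))


def classify_direction(src, dst):
    """Map a flow to the DirectAccess leg it belongs to, or None if unrelated."""
    if dst in UAG_INTERNAL:
        return "to-uag"
    if src in UAG_INTERNAL:
        return "from-uag"
    if src.version == 6 and src in DA_CLIENT_PREFIX:
        return "client-to-intranet"
    if dst.version == 6 and dst in DA_CLIENT_PREFIX:
        return "intranet-to-client"
    return None


def source_port_class(sport):
    """Name the source-port range so server, client and odd flows are told apart."""
    if sport in IANA_EPHEMERAL:
        return "iana-ephemeral"
    if sport >= DA_CLIENT_PORT_FLOOR:
        return "da-client-range"
    return "review"  # low source port: likely a reply or something unexpected, not a rule


def derive_rules(flow_text):
    """Return (sorted rules, source-port class counts, flow lines needing manual review)."""
    rules, classes, review = set(), Counter(), []
    for line in flow_text.strip().splitlines():
        ipver, proto, src, dst, sport, dport = parse_flow(line)
        direction = classify_direction(src, dst)
        if direction is None:
            continue                      # not DirectAccess traffic; other policy decides
        if proto == "41":                 # ISATAP: both directions, as both linked documents say
            rules.add(Rule(ipver, direction, "ip41", None))
            continue
        cls = source_port_class(sport)
        classes[cls] += 1
        if cls == "review":
            review.append(" ".join(line.split()))
            continue
        rules.add(Rule(ipver, direction, proto, dport))
    key = lambda r: (r.ip_version, r.direction, r.protocol, r.dst_port or 0)
    return sorted(rules, key=key), classes, review


def render(rules):
    """Render rules as vendor-neutral allow lines (translate to your firewall's syntax)."""
    lines = []
    for r in rules:
        service = "ip-proto-41" if r.protocol == "ip41" else f"{r.protocol}/{r.dst_port}"
        lines.append(f"allow ipv{r.ip_version} {r.direction:<18} {service}")
    return lines


if __name__ == "__main__":
    rules, classes, review = derive_rules(SAMPLE_FLOWS)
    print("\n".join(render(rules)))
    print("source port classes:", dict(classes))
    print("needs review:", review)
```

Feed it a connection log exported in the same six-column form. Rows that land in the review list (a low source port, such as a server reply seen from the intranet side) are deliberately kept out of the rule set so that a stateful firewall's own return-traffic handling is not duplicated as explicit allows; the array-node traffic the first answer warns about is layer 2 and would not appear in such a log at all, so it still has to be checked separately.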