DirectAccess and firewall bridging

  • Question

  • Hi,

    Please could someone clarify what IP configuration would be required if we were to bridge the external firewall to support UAG/DA (in the DMZ).

    So on the external firewall we would have 2 public IPv4 addresses e.g. 1.1.1.1 and 1.1.1.2

    These would then be bridged to the external interfaces on the UAG/DA server, correct? But what IPs do we then configure on the UAG/DA server?

    Would the UAG/DA server simply have DMZ segment IP addresses?

    Thanks,

    SK



    • Edited by D Wind Monday, November 14, 2011 7:10 AM
    Monday, November 14, 2011 7:08 AM

Answers

  • Your firewall needs to be capable of doing this - essentially it will be "routing" or passing through the public IPs to the external NIC. When you set up a public IP to go through a firewall, you typically set it up as a "NAT" or a "route" - NAT meaning that the IP changes from a public to an internal while passing through the firewall, and route meaning that it simply passes the actual public IP through. Some firewalls can do a "route", and some cannot.

    No NAT allowed with DA :)

    Depending on your firewall, sometimes there is no choice but to run the UAG DA server right on the edge. I have plenty of customers doing this with our hardened appliances; a general-purpose server would not be as secure, but with the existence of TMG on each UAG server it is essentially its own firewall and was designed to be an edge device.

    • Marked as answer by D Wind Thursday, November 17, 2011 10:05 AM
    Wednesday, November 16, 2011 2:00 PM
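
    As an added check that is not part of the original thread: the answer above says the UAG/DA server must carry the real public IPv4 addresses directly on its Internet-facing adapter, routed by the firewall rather than NATed. The PowerShell below, run on the UAG/DA server, reads that adapter's addresses through WMI (so it works on Windows Server 2008 R2 / PowerShell 2.0) and checks for exactly two consecutive public IPv4 addresses with no RFC 1918 or link-local address standing in for them, which is what a NATed configuration would show. The connection name 'External' is an assumption; substitute the name of your Internet-facing connection.

```powershell
# Added example, not part of the original thread. Checks that the Internet-facing
# adapter of a UAG/DA server holds two consecutive public IPv4 addresses itself
# (e.g. 1.1.1.1 and 1.1.1.2), i.e. the firewall routes them through rather than
# NATing them. WMI is used so this runs on Windows Server 2008 R2 / PowerShell 2.0.

function ConvertTo-IPv4Number {
    # Dotted-quad text to a 32-bit number so adjacency of two addresses can be tested.
    param([string]$Address)
    $b = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    return ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}

function Test-PublicIPv4 {
    # False for RFC 1918 and link-local ranges. One of these on the "external" NIC
    # means the public IPs are being NATed by the firewall, which DA does not allow.
    param([string]$Address)
    $b = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    $o1 = [int]$b[0]; $o2 = [int]$b[1]
    if ($o1 -eq 10) { return $false }
    if ($o1 -eq 172 -and $o2 -ge 16 -and $o2 -le 31) { return $false }
    if ($o1 -eq 192 -and $o2 -eq 168) { return $false }
    if ($o1 -eq 169 -and $o2 -eq 254) { return $false }
    return $true
}

function Test-DAExternalAddresses {
    # True only when the list holds exactly two IPv4 addresses, both public and
    # consecutive. IPv6 entries (link-local, Teredo, 6to4) are ignored here.
    param([string[]]$Addresses)
    $v4 = @($Addresses | Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' })
    if ($v4.Count -ne 2) {
        Write-Warning "Expected 2 IPv4 addresses on the external NIC, found $($v4.Count): $($v4 -join ', ')"
        return $false
    }
    foreach ($ip in $v4) {
        if (-not (Test-PublicIPv4 $ip)) {
            Write-Warning "$ip is a private or link-local address: NAT in the path, not a routed public IP"
            return $false
        }
    }
    $n = @($v4 | ForEach-Object { ConvertTo-IPv4Number $_ } | Sort-Object)
    if (($n[1] - $n[0]) -ne 1) {
        Write-Warning "$($v4 -join ' and ') are public but not consecutive"
        return $false
    }
    return $true
}

# Usage: select the Internet-facing adapter by its connection name. 'External' is
# an assumed name; use the one shown under Network Connections on your server.
$adapter = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='External'"
if ($adapter -eq $null) {
    Write-Warning 'No adapter with that connection name. List them with: Get-WmiObject Win32_NetworkAdapter | Select-Object NetConnectionID, Index'
} else {
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($adapter.Index)"
    if (Test-DAExternalAddresses -Addresses @($cfg.IPAddress)) {
        Write-Host "OK: $($adapter.NetConnectionID) carries $($cfg.IPAddress -join ', ')"
    } else {
        Write-Host "FAIL: $($adapter.NetConnectionID) is not configured as DirectAccess requires"
    }
}
```

    If the check reports a private address, the firewall is NATing instead of routing; if it reports a single public address, the second consecutive address the Teredo relay needs has not been passed through. Either way the fix is on the firewall rule, not on the UAG/DA server.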

All replies

  • The UAG server would need those same addresses configured on its NIC - 1.1.1.1 and 1.1.1.2

    The requirement is that the UAG server needs to have real public IP addresses configured directly onto its interface.

    Tuesday, November 15, 2011 3:57 PM
  • Thanks Jordan...and in this way there should be no IP conflicts?

    Wednesday, November 16, 2011 4:14 AM
  • thank you!
    Thursday, November 17, 2011 10:05 AM