UAG in the DMZ

  • Question

  • Hi,

    Just wanted to get an idea of how to configure UAG in the DMZ in the following scenario:

    We have hardware front-end and back-end firewalls; in between them is the DMZ. In that DMZ we are planning to deploy UAG.
    UAG will fulfil the purpose of web application publishing (e.g. SharePoint).
    In addition, UAG will also publish a TS Server Farm via the TS RemoteApp concept - publish the remote-apps directly in UAG portal.
    There will be end-point compliance detection (not enforcement).
    No DirectAccess at this stage.
    We would like to NLB & array enable the solution.

    So a pretty much basic and standard UAG deployment.

    My questions are as follows:
    1) Will I need 2 network cards in UAG; or 1 is sufficient for app publishing?
    2) If I need two NICs, and since the UAG device will sit in the DMZ (already defined by the hardware firewalls) - can I give UAG 2 IP addresses on the same subnet? Do they need to be different?

    Thank you,
    TZ
    Thursday, November 26, 2009 6:06 AM

All replies

  • Hi TZ,

    UAG requires two NICs and they must be on separate subnets, in order to be able to define on UAG (actually for TMG on the UAG box) two different networks: "Internal" and "External".

    BTW, note that for UAG's array functionality, you need to domain-join the UAG array members.

    HTH,
    -Ran
    Thursday, November 26, 2009 6:55 AM
  • Ran,

    Hmm, this could prove rather difficult in a single subnet DMZ scenario.
    What would you normally recommend to clients in such a setup?

    W.r.t. UAG array - that in essence means a TMG array?

    So can we use EMS with a UAG/TMG array; does that still require a domain?

    Regards,
    TZ
    Thursday, November 26, 2009 7:06 AM
  • TZ,

    To the best of my knowledge, a single-NIC configuration is definitely not supported and a two-NIC-with-same-subnet configuration was not tested and is therefore not supported either.

    W.r.t. UAG array – yes and no. Yes – UAG leverages the underlying TMG for storing its configuration and for array capabilities, but No – EMS is not supported by UAG. UAG arrays work in AMS mode, where one of the UAG array members is also the array manager.

    -Ran

    • Marked as answer by Erez Benari Saturday, November 28, 2009 11:54 PM
    Thursday, November 26, 2009 9:17 AM
  • Thanks Ran,

    I will propose deploying the UAG device parallel to the back-end firewall:

    Front-End Firewall ----DMZ --- Back-end Firewall & UAG on the same level (1 NIC in DMZ & 1 NIC in Intranet).

    Also, thanks for the array explanation.

    Regards,
    TZ
    Thursday, November 26, 2009 12:02 PM
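
The addressing rule from Ran's replies (two NICs, on separate subnets, so that "Internal" and "External" can be defined) written as a pre-deployment check. This is an added example, not part of the original thread: the function name, adapter names and all addresses are constructed, and the check for subnets that differ only by mask length but still overlap goes slightly beyond what the thread states.

```python
import ipaddress
from itertools import combinations

def check_uag_nics(nics):
    """Validate a planned NIC layout for a UAG box.

    nics: dict mapping adapter name -> "address/prefix" (hypothetical input format).
    Returns a list of problems; an empty list means the plan satisfies the
    two-NIC / separate-subnet rule described in the thread.
    """
    problems = []
    if len(nics) < 2:
        problems.append("fewer than two NICs: Internal and External cannot be separated")

    ifaces = {name: ipaddress.ip_interface(cidr) for name, cidr in nics.items()}
    for (a, ia), (b, ib) in combinations(sorted(ifaces.items()), 2):
        if ia.version != ib.version:
            continue  # an IPv4 and an IPv6 range cannot overlap
        # overlaps() also catches one subnet nested inside another,
        # e.g. a /25 carved out of the same /24.
        if ia.network.overlaps(ib.network):
            problems.append(f"{a} ({ia.network}) and {b} ({ib.network}) are not separate subnets")
    return problems

# Constructed sample plans (documentation and private ranges, not from the thread).
SINGLE_NIC  = {"External": "192.0.2.10/24"}
SAME_SUBNET = {"External": "192.0.2.10/24", "Internal": "192.0.2.11/24"}    # question 2
NESTED_MASK = {"External": "192.0.2.10/24", "Internal": "192.0.2.200/25"}   # looks different, still overlaps
PARALLEL    = {"External": "192.0.2.10/24", "Internal": "10.20.0.10/24"}    # 1 NIC in DMZ, 1 in intranet

if __name__ == "__main__":
    for label, plan in [("single NIC", SINGLE_NIC), ("same subnet", SAME_SUBNET),
                        ("nested mask", NESTED_MASK), ("parallel to back-end FW", PARALLEL)]:
        result = check_uag_nics(plan)
        print(f"{label}: {'OK' if not result else '; '.join(result)}")
```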