Multiple sites UAG/DA

  • Question

  • Does anyone know if it is impossible to install direct access with UAG in multiple sites with a single AD domain?

    How do you register ISATAP in DNS for the different UAG servers when you only have one domain on all sites?

    We have 14 sites where we are trying to replace our ordinary VPN solution with Direct Access/UAG instead. All of these sites are "almost" fully routed IPv4 to each other. Today we only have one AD domain, which during our initial setup was best practice from Microsoft. What we want is to be able to install 3 DA/UAG servers, one in China, one in the US and one in Europe, because of latency problems. Is this possible to do with ISATAP? (We don't have native IPv6.)

    Today we have one DA/UAG installed in Europe, but we do not want all of our global users to connect to Europe and from there be routed via our internal tunnels. I already know that I can export the script from the DA configuration and manually import it to AD. But how do I configure an ISATAP router within the same domain? I haven't found any documentation about this issue.

    Thanks

    Mikael


    Olsson
    Thursday, October 21, 2010 12:35 PM

All replies

  • Hi,

    Currently there is no public solution for this problem when using ISATAP.

    You can do this solution if you only use NAT64, or have native IPv6 in your organization.

    Thursday, October 21, 2010 5:16 PM
  • Thanks for your answer,

    Do you think there will be a solution with SP1 of UAG/DA?

    /Mikael


    Olsson
    Friday, October 22, 2010 8:01 AM
  • If you can meet the networking requirements of using stretched VLANs across data centres, you can use a single UAG array combined with NLB to support DA across multiple sites.

    I have just deployed this HA model for a customer who has two separate physical data centres.

    I am pretty sure this is not a supported scenario (yet), but it works really well and will allow DA clients to be balanced across data centres and also provides redundancy in the event of data centre failure (or just individual UAG server failures).

    The benefit with this approach is that it also allows for ISATAP to exist across both locations, as the DNS records are based upon NLB VIPs (and dedicated IP addresses) which cover both locations.

    I plan to write up the deployment detail in an upcoming blog article...

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by Erez Benari Monday, October 25, 2010 10:37 PM
    Friday, October 22, 2010 7:07 PM
    Moderator
  • Hi Jason,

    Nice one. But is there anything that guarantees the client connects to the closest entry point?

    Mikael, the solution will not be a part of SP1. But we are planning it.

    Friday, October 22, 2010 9:41 PM
  • Hi Jason,

    Nice one. But is there anything that guarantees the client connects to the closest entry point?

    Mikael, the solution will not be a part of SP1. But we are planning it.


    Hey Yaniv,

    No, it is not geocentric - NLB is not clever enough for that...I guess you would need to add some sort of geocentric network device like the Cisco GSS or similar for that...

    My solution was more about data centre redundancy using DA as a logical entity across two different data centre ingress points.

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by Erez Benari Monday, October 25, 2010 10:37 PM
    Saturday, October 23, 2010 11:08 PM
    Moderator