UAG 2010 - 3 external IPs - we need DA, SSL VPN and applications

  • Question

  • I've inherited UAG licensing from the previous IT Manager and I want to get it working - he gave up after realising he needed external IPs on UAG. I can do that no problem.

    The UAG box can happily have 3 of our external IPs (2 for DA, 1 for everything else).

    Can I set up the SSL VPN and publish applications on the 1 remaining IP? Do I need more? I know more will make it easier but that's not really an option.

    I'll initially be looking to publish:





    Monday, January 23, 2012 1:34 PM

All replies

  • Yes, you have the correct amount. You can use two (they have to be consecutive) for DirectAccess as you stated, and use the third for a UAG portal that you can add all kinds of applications to. Then you can decide in the settings of those applications who has access to which based on users/groups, and then your users will only see the apps that you want them to see when they log into that portal.
    Monday, January 23, 2012 4:36 PM
  • Thanks for that; however, I thought the SSL-VPN (which is for non-DA users) would override the portal? I read somewhere that to have the SSL VPN and DA that I needed 3 IPs and another for publishing?
    Monday, January 23, 2012 4:38 PM
  • Your SSLVPN will actually be launched from inside the portal. VPN users will log into the portal just like a user accessing OWA for example, except that the VPN user will have a "VPN" (or whatever you name the app link) button that they can click on to launch the VPN tunnel. Alternatively, you can also set the VPN to launch automatically when the user logs in.


    Monday, January 23, 2012 4:49 PM
  • Which type of SSL VPN are you talking about, SSL Network Tunneling or SSL Network Tunneling (SSTP)?

    Be aware that SSL Network Tunneling (formerly known as Network Connector) is not supported on a UAG DirectAccess server: http://technet.microsoft.com/en-us/library/ee522953.aspx

    Apart from that, Jordan is spot on ;)




    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Monday, January 23, 2012 4:54 PM
  • Great reminder, yes you cannot run Network Connector at the same time as DirectAccess. You can run SSTP VPN at the same time, but keep in mind that SSTP VPN will only work for your Windows 7 clients.

    If you are intending to use UAG as an SSLVPN for downlevel clients (WinXP, etc) you would have to run a separate UAG server to publish that.

    Thanks Jason!

    Monday, January 23, 2012 5:01 PM
  • Thanks very much.

    I think the best thing to do now is install it and have a play...

    My ISP is happy to give me some additional IPs so I may have one UAG for DA (and SSTP VPN and publishing as we don't have that many DA clients) and another for Network Connector. That way we have some failover too.

    Monday, January 23, 2012 5:07 PM