UAG in DMZ Web publishing and direct access

  • Question

  • Hello,

    Have a very basic general question.

    Setting up UAG in the DMZ of a Cisco firewall. UAG will be used for web publishing and DirectAccess.

    What are the correct NIC settings? For example;

    Internal NIC:

    Address: 10.1.1.10

    Mask: 255.255.255.0

    DNS: 10.1.1.16

    No gateway

    External NIC:

    Address: 172.1.1.10

    Mask: 255.255.255.0

    Gateway: 172.1.1.1

    DNS: None

    The firewall is doing NAT. I cannot get to the internet from the server. I also cannot reach the server from the outside.

    I understand that the Cisco may be getting in the way, but I want to verify my settings.

    Thanks

    Tuesday, April 6, 2010 1:21 PM

Answers

  • Hi J,

    After adding the static route, you will need to run the Network Interfaces wizard in UAG and add the new subnet (based upon your route entry) to the address ranges. This will automatically update the TMG internal network definition and allow correct traffic flow.

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd
    Tuesday, April 13, 2010 4:56 PM

All replies

  • Hi J,

    If you want the UAG server to act as a DirectAccess server, you will need to bind two consecutive public IP addresses to the external interface of the UAG server. The firewall in front of the UAG server can be configured not to NAT addresses. It might be configured as a "transparent" firewall, or you might have to route to the public addresses on the external interface of the UAG server. You cannot use private IP addresses on the external interface of the UAG server if you want to use it as a DirectAccess server.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Tuesday, April 6, 2010 4:46 PM
  • The network configuration looks okay. You can check TMG live logging (under Logs and Reports > Logging) with an appropriate filter to see why you are not able to go out or access UAG from outside. Based on what you see in live logging you may have to investigate further.

    For DirectAccess, the UAG server cannot be placed behind a NAT device, and intermediate firewall(s) should allow: UDP 3544 for Teredo, Protocol 41 for 6to4, TCP 443 for IP-HTTPS. Forefront UAG DirectAccess prerequisites provides additional details.

    For Web Publishing, intermediate firewall(s) should allow TCP 80/443 (for HTTP/HTTPS trunks), and trunks should be configured correctly on the UAG server.


    Tarun
    Tuesday, April 6, 2010 4:53 PM
  • Your NIC doesn't have a second IP, and if you have currently placed it behind a NAT, then you need to reconfigure it so that you use two consecutive public IP addresses on the external NIC and there is no NAT in front of UAG, as Tom suggested.


    Tarun
    Tuesday, April 6, 2010 4:59 PM
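The addressing requirements Tom and Tarun describe can be checked on the UAG box itself before going back to the firewall team. The PowerShell below is an added example, not code from this thread, from Microsoft or from any of the posters. It reads the adapter configuration through WMI (so it runs on the PowerShell 2.0 that ships with Windows Server 2008 R2) and assumes the network connections are named "External" and "Internal". It flags an external NIC with fewer than two IPv4 addresses, addresses that are not consecutive, RFC 1918 addresses on the external side, and a default gateway or DNS servers on the wrong interface. One caveat: 172.1.1.10 as written in the question is not an RFC 1918 address (that block is 172.16.0.0/12), so this check would treat it as public; whether the Cisco is still translating it is something only the firewall configuration can answer.

```powershell
# Added example (not from the thread). Pre-flight check of the UAG NICs against the
# DirectAccess prerequisites discussed above. Assumptions: the network connections are
# named "External" and "Internal"; run from an elevated PowerShell on the UAG server.

function ConvertTo-IPv4Number {
    # Turn a dotted-quad string into an integer so adjacency can be tested.
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function Test-PrivateIPv4 {
    # RFC 1918 ranges: 10/8, 172.16/12, 192.168/16.
    param([string]$Address)
    $o = $Address.Split('.') | ForEach-Object { [int]$_ }
    return (($o[0] -eq 10) -or
            ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
            ($o[0] -eq 192 -and $o[1] -eq 168))
}

function Get-NicConfig {
    # Win32_NetworkAdapterConfiguration for the adapter with the given connection name.
    param([string]$ConnectionName)
    $adapter = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$ConnectionName'"
    if (-not $adapter) { throw "No network connection named '$ConnectionName'" }
    return @($adapter.GetRelated("Win32_NetworkAdapterConfiguration"))[0]
}

function Test-UagNicLayout {
    param([string]$External = "External", [string]$Internal = "Internal")
    $ext = Get-NicConfig $External
    $int = Get-NicConfig $Internal
    $problems = @()

    # IPAddress also lists IPv6 addresses on 2008 R2; keep IPv4 only.
    $extV4 = @($ext.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })

    if ($extV4.Count -lt 2) {
        $problems += "external NIC has $($extV4.Count) IPv4 address(es); DirectAccess needs two consecutive public addresses"
    } else {
        $sorted = @($extV4 | Sort-Object { ConvertTo-IPv4Number $_ })
        $gap = (ConvertTo-IPv4Number $sorted[1]) - (ConvertTo-IPv4Number $sorted[0])
        if ($gap -ne 1) { $problems += "external addresses $($sorted[0]) and $($sorted[1]) are not consecutive" }
    }
    foreach ($a in $extV4) {
        if (Test-PrivateIPv4 $a) { $problems += "external address $a is RFC 1918; UAG DirectAccess cannot sit behind NAT" }
    }
    if (-not $ext.DefaultIPGateway)     { $problems += "external NIC has no default gateway" }
    if ($int.DefaultIPGateway)          { $problems += "internal NIC has a default gateway; only the external NIC should" }
    if ($ext.DNSServerSearchOrder)      { $problems += "external NIC has DNS servers configured; DNS belongs on the internal NIC" }
    if (-not $int.DNSServerSearchOrder) { $problems += "internal NIC has no DNS servers" }
    return $problems
}

$issues = @(Test-UagNicLayout)
if ($issues.Count -eq 0) {
    Write-Output "NIC layout meets the UAG DirectAccess prerequisites checked here."
} else {
    $issues | ForEach-Object { Write-Output "PROBLEM: $_" }
}
```

The check is deliberately local: it tells you whether the box is configured the way DirectAccess needs, not whether the upstream firewall is still translating. The firewall ports Tarun lists (UDP 3544, IP protocol 41, TCP 443, and TCP 80/443 for trunks) still have to be verified from the outside.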
  • Thanks for the replies.

    I had issues with the server and had to rebuild. I have the "firewall" guys going over their config to eliminate NAT in front of UAG.

    Have an issue/question

    If I put a gateway on the internal interface and not the external, configuration changes work fine. If I put the gateway on the external interface and NOT on the internal, I get messages about accessing the TMG storage.

    Any ideas? What ARE the recommended NIC settings (i.e. DNS inside, no gateway; gateway outside, no DNS)?

    Also, I can't web browse from the UAG server.

    Tuesday, April 13, 2010 12:59 PM
  • Hi J,

    I recommend using the following:

    Internal Network

    Default Gateway should not be defined
    DNS Servers should be defined
    Register this connection's address in DNS – Enabled
    File and Print Sharing for Microsoft Networks – Enabled
    Client for Microsoft Networks – Enabled
    NetBIOS over TCP/IP – Enabled

    External Network

    Default Gateway should be defined
    DNS Servers should not be defined
    Register this connection's address in DNS – Disabled
    File and Print Sharing for Microsoft Networks – Disabled
    Client for Microsoft Networks – Disabled
    NetBIOS over TCP/IP – Disabled

    In order to access your internal networks, you will need to define persistent static routes using 'route add -p' commands.

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd
    Tuesday, April 13, 2010 1:13 PM
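As an added example (not Jason's script, and not part of the blog post he links later in the thread), the settings above can be applied from an elevated PowerShell prompt on Windows Server 2008 R2 using netsh, route.exe and the Win32_NetworkAdapterConfiguration WMI class. The connection names "Internal" and "External", the internal address and DNS server from the question, the public addresses 203.0.113.10 and 203.0.113.11 with gateway 203.0.113.1, and the 10.0.0.0/8 route via 10.1.1.1 are all assumptions; substitute your own values.

```powershell
# Added example (not from the thread). Applies the recommended NIC settings on a
# UAG 2010 / Windows Server 2008 R2 server. All names and addresses are assumptions.
$internal = "Internal"
$external = "External"

# Internal NIC: static address, DNS servers, NO default gateway.
netsh interface ipv4 set address name="$internal" source=static address=10.1.1.10 mask=255.255.255.0
netsh interface ipv4 set dnsservers name="$internal" source=static address=10.1.1.16 register=primary

# External NIC: the default gateway and both consecutive public addresses, NO DNS servers.
# 203.0.113.0/24 is a documentation range used here as a placeholder for your public block.
netsh interface ipv4 set address name="$external" source=static address=203.0.113.10 mask=255.255.255.0 gateway=203.0.113.1
netsh interface ipv4 add address name="$external" address=203.0.113.11 mask=255.255.255.0
netsh interface ipv4 set dnsservers name="$external" source=static address=none

function Set-NicRegistration {
    # Dynamic DNS registration and NetBIOS over TCP/IP have no netsh switch; use WMI.
    param([string]$ConnectionName, [bool]$Enable)
    $adapter = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$ConnectionName'"
    if (-not $adapter) { throw "No network connection named '$ConnectionName'" }
    $cfg = @($adapter.GetRelated("Win32_NetworkAdapterConfiguration"))[0]
    # SetDynamicDNSRegistration(FullDNSRegistrationEnabled, DomainDNSRegistrationEnabled)
    $null = $cfg.SetDynamicDNSRegistration($Enable, $false)
    # SetTcpipNetbios: 0 = use DHCP setting, 1 = enable, 2 = disable
    if ($Enable) { $nbt = 1 } else { $nbt = 2 }
    $null = $cfg.SetTcpipNetbios($nbt)
}
Set-NicRegistration $internal $true     # register in DNS, NetBIOS enabled
Set-NicRegistration $external $false    # no DNS registration, NetBIOS disabled

# Persistent route so other internal subnets are reached through the internal NIC,
# since that NIC has no default gateway. Router 10.1.1.1 and 10.0.0.0/8 are assumptions.
route -p add 10.0.0.0 mask 255.0.0.0 10.1.1.1

# Not scriptable with netsh or WMI on 2008 R2: untick "File and Printer Sharing for
# Microsoft Networks" and "Client for Microsoft Networks" on the external adapter's
# properties by hand. Then run the UAG Network Interfaces wizard and add 10.0.0.0/8
# to the internal address ranges so the TMG internal network definition matches the route.
```

Order matters: add the route first, then update the UAG address ranges through the wizard. If the route exists but the subnet is not in the internal network definition, TMG will treat that traffic as spoofed and drop it.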
  • Hi Jason,

    Nice list!

    Thanks!

    J - don't browse the Web from the UAG server to reduce security issues. There should be no reason to browse from the UAG.

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Tuesday, April 13, 2010 3:45 PM
  • Hi J,

    Based upon this subject, I was inspired to create a new blog post based upon one of my previous blog articles:

    Recommended Network Card Configuration for Forefront UAG Servers

    Enjoy!

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd
    Tuesday, April 13, 2010 4:07 PM
  • Jason,

    Thanks for the reply. Configured as you suggested and added a static route for the inside. Received an error activating the configuration. Rebooted and now getting an error that the configuration cannot be loaded.

    Tuesday, April 13, 2010 4:39 PM
  • Spoke too soon. Waited a couple of minutes and now it loads. Will continue testing and let you know.


    Thanks for your help!!

    Tuesday, April 13, 2010 4:41 PM