DA + UAG pilot setup

  • Question

  • Hi everyone,

    I've been researching and reading up quite a fair bit on the mentioned topic for some time now (until I chanced upon this forum). To be honest, reading through the various articles and documentation has proved to be challenging as each article lists the requirements differently. The discussions in this forum have sort of relighted my energy in research.

    As much as I'm having a little difficulty in understanding the basic requirements of setting up a test lab, I have drawn up a network/requirements design: http://www.mediafire.com/?g5eqozzxxw53csz (pw: dauag)


    I would like to request some assistance in reviewing the design, and whether it's adequate for me to initiate a DirectAccess implementation (for a non-IPv6 environment) based on this.

    Appreciate any inputs. TIA!

    Tuesday, October 19, 2010 7:20 AM

Answers

  • Hi Zirc,

    Firewall does not equal NAT. I'm not quite sure when NAT and firewall got mixed up. :)

    You can put a firewall in front of the UAG device and route through the firewall.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    • Marked as answer by Erez Benari Monday, October 25, 2010 10:17 PM
    Thursday, October 21, 2010 12:42 PM
    Moderator
  • Hi Zirc,

    Firewall does not equal NAT. I'm not quite sure when NAT and firewall got mixed up. :)

    You can put a firewall in front of the UAG device and route through the firewall.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    ahh! Now that makes sense. Thanks for pointing in the right direction!
    • Marked as answer by Erez Benari Monday, October 25, 2010 10:17 PM
    Friday, October 22, 2010 6:26 AM

All replies

  • Seems to be ok. Try to add something that acts as a standard gateway that could be reached by the UAG. Your test environment looks good so far.

    Bye

    Andreas


    Andreas Hecker - Blog: http://microsoft-iag.blogspot.com/
    Tuesday, October 19, 2010 9:25 AM
  • Hi,

    Your design may work, depending on your firewall configuration. If your firewall is configured in bridge mode, then yes, it will work for the Internet side. On the LAN side, it's another problem. You can put a DirectAccess/UAG server between a front-end and a back-end firewall, but you must absolutely configure your back end without Network Address Translation.

    Your UAG server will always require two network adapters, one connected to the Internet and one connected to your LAN. And there is no need for an Enterprise edition of Windows 2008 R2 unless you want to use special ADCS features only available in this edition.

    Unless your PKI hosted on UAG will be used for other purposes, there is no need to publish a CRL. You can use the excellent article written by Om on this subject: http://blogs.technet.com/b/tomshinder/archive/2010/08/03/how-to-configure-uag-to-publish-your-private-certificate-revocation-list.aspx

    And finally, you can co-locate the Network Location Server with SharePoint if you have a dedicated URL for each one.

    NAT1 can be replaced by any router. I would recommend a real firewall such as ISA Server or TMG to experiment with IP-HTTPS without having to disable an interface on the client side.

    And finally, yes, you can remove INET if you experiment directly on the Internet.

    I hope this helps.

    Have a nice day.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    Tuesday, October 19, 2010 9:27 AM
  • Seems to be ok. Try to add something that acts as a standard gateway that could be reached by the UAG. Your test environment looks good so far.

    Bye

    Andreas


    Andreas Hecker - Blog: http://microsoft-iag.blogspot.com/

    Hi Andreas,

    Could you elaborate on the standard gateway methodology? Don't really understand the concept.

    Tuesday, October 19, 2010 10:58 AM
  • Hi,

    Your design may work, depending on your firewall configuration. If your firewall is configured in bridge mode, then yes, it will work for the Internet side. On the LAN side, it's another problem. You can put a DirectAccess/UAG server between a front-end and a back-end firewall, but you must absolutely configure your back end without Network Address Translation.

    Your UAG server will always require two network adapters, one connected to the Internet and one connected to your LAN. And there is no need for an Enterprise edition of Windows 2008 R2 unless you want to use special ADCS features only available in this edition.

    Unless your PKI hosted on UAG will be used for other purposes, there is no need to publish a CRL. You can use the excellent article written by Om on this subject: http://blogs.technet.com/b/tomshinder/archive/2010/08/03/how-to-configure-uag-to-publish-your-private-certificate-revocation-list.aspx

    And finally, you can co-locate the Network Location Server with SharePoint if you have a dedicated URL for each one.

    NAT1 can be replaced by any router. I would recommend a real firewall such as ISA Server or TMG to experiment with IP-HTTPS without having to disable an interface on the client side.

    And finally, yes, you can remove INET if you experiment directly on the Internet.

    I hope this helps.

    Have a nice day.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Hi BenoitS,

    I realized that my design is most clearly explained with one of the deployment scenarios documented here:

    http://blogs.technet.com/b/tomshinder/archive/2010/04/01/uag-directaccess-server-deployment-scenarios.aspx

    (Figure 3: UAG server placed behind front-end firewall with no back-end firewall)

    Will there be issues if it is deployed in the DMZ (since it is most likely going to be NATed by the firewall)?

    For my design, the EDGE box is configured to take on the roles of DirectAccess and UAG, thus I slated it for Server 2008 R2 Enterprise. Will there be issues combining both roles together?

    PKI and CRL were included because I read about them being part of the requirements in the Microsoft Step-by-Step setup guide. So I guess this is not necessary if there are no other apps utilizing PKI at the moment?

    Tuesday, October 19, 2010 11:09 AM
  • Hi,

    You can deploy DirectAccess without an additional firewall as UAG relies on TMG to keep the bad guys out, but it is not possible to have a Network Address Translation device in front of UAG or behind it. This scenario will not work.

    Concerning your EDGE box, there is no issue. My question is, do you really need an additional certificate authority in your environment, and do you have a need to publish your CRL? IPsec tunnels rely on certificates, that's true, but by default there is no need to access the CRL because there is no revocation check for IPsec tunnels.

    Have a nice day.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    Tuesday, October 19, 2010 11:49 AM
  • To use IP-HTTPS you will want the CRL published, but you won't be able to publish it via IIS on the UAG server because UAG will wipe the IIS configuration for its own use as an IP-HTTPS access point. You'd need to host the CRL someplace else, like APP1 perhaps.

    For that matter, you may want to put the PKI somewhere else too since, again, any IIS sites that UAG did not create will get blown away when you activate the UAG configuration. APP1 could be a good place for it. I recommend assigning a secondary IP address to the APP1 server and binding the IIS site to a new DNS record for that role.

    I describe in detail the process of setting up the NLS as a secondary site on an existing IIS server below.  You could follow similar steps for the CRL.

    http://blog.concurrency.com/infrastructure/uag-directaccess-network-location-server-nls/


    MrShannon | TechNuggets Blog | Concurrency Blogs
    Tuesday, October 19, 2010 1:38 PM
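    A check for the CRL hosting point raised above, added here as an example and not code from the thread or from any of its participants: it reads the CRL Distribution Point URLs off the IP-HTTPS certificate, downloads each one, and flags any that resolves to the UAG server's own addresses (where UAG's activation removes IIS sites it did not create). The function name, the certificate subject and the UAG addresses in the usage lines are assumptions.

```powershell
# Added example (not from the thread). Checks every HTTP CRL Distribution Point
# (CDP) on a certificate for reachability and flags CDPs that point at the UAG
# server itself. Function name, sample subject and sample addresses are assumed.
function Test-IpHttpsCrlDistributionPoints {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        # Addresses of the UAG box (external and internal adapters); assumed values in usage
        [string[]]$UagAddresses = @()
    )

    $cdpOid = '2.5.29.31'   # id-ce-cRLDistributionPoints
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $cdpOid } | Select-Object -First 1
    if (-not $ext) {
        Write-Warning "Certificate $($Certificate.Thumbprint) has no CRL Distribution Point extension."
        return
    }

    # Format($true) renders the extension as text containing lines such as "URL=http://..."
    $urls = [regex]::Matches($ext.Format($true), 'URL=(http://\S+)') |
        ForEach-Object { $_.Groups[1].Value }

    foreach ($url in $urls) {
        $uri = [Uri]$url
        $result = [ordered]@{ Url = $url; HostedOnUag = $false; Reachable = $false; Error = $null }
        try {
            # A CDP whose host resolves to the UAG server will not be served after UAG activation
            $hostIps = [System.Net.Dns]::GetHostAddresses($uri.Host) | ForEach-Object { $_.ToString() }
            $result.HostedOnUag = [bool]($hostIps | Where-Object { $UagAddresses -contains $_ })

            $bytes = (New-Object System.Net.WebClient).DownloadData($url)
            # A DER-encoded CRL is an ASN.1 SEQUENCE, so its first byte must be 0x30;
            # an HTML error page or a redirect to a login form fails this check
            if ($bytes.Length -gt 0 -and $bytes[0] -eq 0x30) {
                $result.Reachable = $true
            } else {
                $result.Error = 'Response is not a DER-encoded CRL (web server may have answered with an HTML page)'
            }
        } catch {
            $result.Error = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

# Usage (assumed subject and addresses); run from a host outside the corporate
# network to see what a DirectAccess client on the Internet would see
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=da.example.com*' } | Select-Object -First 1
Test-IpHttpsCrlDistributionPoints -Certificate $cert -UagAddresses @('203.0.113.10', '10.0.0.10') |
    Format-Table -AutoSize
```

    The same check applies to a certificate from a public CA, since the client still has to fetch that CA's CRL; there the HostedOnUag column should simply never be true.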
  • In addition, you can publish your CRL using the UAG server. Check out:

    http://blogs.technet.com/b/tomshinder/archive/2010/08/03/how-to-configure-uag-to-publish-your-private-certificate-revocation-list.aspx

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Tuesday, October 19, 2010 3:28 PM
    Moderator
  • Hi everyone,

    I've been researching and reading up quite a fair bit on the mentioned topic for some time now (until I chanced upon this forum). To be honest, reading through the various articles and documentation has proved to be challenging as each article lists the requirements differently. The discussions in this forum have sort of relighted my energy in research.

    As much as I'm having a little difficulty in understanding the basic requirements of setting up a test lab, I have drawn up a network/requirements design: http://www.mediafire.com/?g5eqozzxxw53csz (pw: dauag)


    I would like to request some assistance in reviewing the design, and whether it's adequate for me to initiate a DirectAccess implementation (for a non-IPv6 environment) based on this.

    Appreciate any inputs. TIA!

    Start with Tom's test lab guides and you can't really go wrong: http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, October 19, 2010 10:50 PM
    Moderator
  • Hi Jason,

    Thanks! And I want to let you know that I'm revving the current guides and creating new ones as we speak! The new Test Lab Guides will highlight the new features and capabilities in UAG Service Pack 1 - some very cool stuff.

    Actually, as an MVP, you're welcome to review them if you like. I have several of them ready (although I don't have one for the subject you're most interested in, because I don't have the hardware/software to test and demonstrate it), plus I can't promote one solution over another :)

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Wednesday, October 20, 2010 11:22 AM
    Moderator
  • Hi Jason,

    Thanks! And I want to let you know that I'm revving the current guides and creating new ones as we speak! The new Test Lab Guides will highlight the new features and capabilities in UAG Service Pack 1 - some very cool stuff.

    Actually, as an MVP, you're welcome to review them if you like. I have several of them ready (although I don't have one for the subject you're most interested in, because I don't have the hardware/software to test and demonstrate it), plus I can't promote one solution over another :)

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx

    Maybe I can provide a community TLG extension, as I should be able to test the things you cannot and I am allowed to be vendor biased ;)
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, October 20, 2010 11:33 AM
    Moderator
  • To use IP-HTTPS you will want the CRL published, but you won't be able to publish it via IIS on the UAG server because UAG will wipe the IIS configuration for its own use as an IP-HTTPS access point. You'd need to host the CRL someplace else, like APP1 perhaps.

    For that matter, you may want to put the PKI somewhere else too since, again, any IIS sites that UAG did not create will get blown away when you activate the UAG configuration. APP1 could be a good place for it. I recommend assigning a secondary IP address to the APP1 server and binding the IIS site to a new DNS record for that role.

    I describe in detail the process of setting up the NLS as a secondary site on an existing IIS server below.  You could follow similar steps for the CRL.

    http://blog.concurrency.com/infrastructure/uag-directaccess-network-location-server-nls/


    MrShannon | TechNuggets Blog | Concurrency Blogs

    Ah ha, thanks for the enlightenment on the CRL + PKI role combination scenario. Will go read up on the article.
    Wednesday, October 20, 2010 5:57 PM
  • Hi,

    You can deploy DirectAccess without an additional firewall as UAG relies on TMG to keep the bad guys out, but it is not possible to have a Network Address Translation device in front of UAG or behind it. This scenario will not work.

    Concerning your EDGE box, there is no issue. My question is, do you really need an additional certificate authority in your environment, and do you have a need to publish your CRL? IPsec tunnels rely on certificates, that's true, but by default there is no need to access the CRL because there is no revocation check for IPsec tunnels.

    Have a nice day.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx


    Hi BenoitS, if the UAG cannot exist behind a NAT device (e.g. a firewall), then do we set up scenarios 1 and 3 as listed here? (UAG is sited behind firewalls)
    http://blogs.technet.com/b/tomshinder/archive/2010/04/01/uag-directaccess-server-deployment-scenarios.aspx

    Perhaps Tom might be able to shed some light on this? :)

    Wednesday, October 20, 2010 6:04 PM
  • In addition, you can publish your CRL using the UAG server. Check out:

    http://blogs.technet.com/b/tomshinder/archive/2010/08/03/how-to-configure-uag-to-publish-your-private-certificate-revocation-list.aspx

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx

    Excellent documentation! So this is considered a workaround without using IIS (due to the technical limitation mentioned by MrShannon earlier)?
    Wednesday, October 20, 2010 6:06 PM
  • Start with Tom's test lab guides and you can't really go wrong: http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk


    Hi Jason,

    Yea, that's where I started from. But I'm quite hindered by hardware resources that aren't available in my local office, so I've been trying to lock down the exact requirements and h/w resources to the minimum.

    As you may know, working with resources deployed remotely adds to the challenge thus the modification of the network topology provided by Tom. :)

    Wednesday, October 20, 2010 6:13 PM
  • I would save yourself a whole world of pain and use an IP-HTTPS certificate from a public CA; this negates the need to worry about external CRL publishing at all...
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, October 20, 2010 7:11 PM
    Moderator
  • Hi Jason,

    That would be fantastic! If you put the extension on your blog, I'll put a link to it in the wiki TLG clearinghouse page at http://social.technet.microsoft.com/wiki/contents/articles/test-lab-guides.aspx

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Thursday, October 21, 2010 12:39 PM
    Moderator
  • Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Thursday, October 21, 2010 12:41 PM
    Moderator
  • Hi Jason,

    That would be fantastic! If you put the extension on your blog, I'll put a link to it in the wiki TLG clearinghouse page at http://social.technet.microsoft.com/wiki/contents/articles/test-lab-guides.aspx

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx

    Ok, but will need to wait for NDA clearance ;)
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, October 21, 2010 12:41 PM
    Moderator
  • That should be coming very soon! :)

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    • Marked as answer by Erez Benari Monday, October 25, 2010 10:17 PM
    • Unmarked as answer by Erez Benari Monday, October 25, 2010 10:17 PM
    Thursday, October 21, 2010 12:44 PM
    Moderator
  • I would save yourself a whole world of pain and use an IP-HTTPS certificate from a public CA; this negates the need to worry about external CRL publishing at all...
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Ok, will take note of this!
    Friday, October 22, 2010 6:26 AM