Simple UAG Deployment Behind a Front End Cisco Small Business Router

  • Question

  • Hi all,

    UAG newbie here. I've read through the documentation in the library for UAG and I'm still a little confused about how to set up my UAG infrastructure, specifically, how to set the IP addresses on the two interfaces in the UAG box.

    Network Topology

    Internet => (Public IP Assigned via DHCP) Cisco Firewall (192.168.1.1) => Internal network (192.168.1.0/24)

    Currently all internal clients and servers use 192.168.1.1 as the default gateway. DNS servers are internal and forward all lookups that are not for my internal AD forest to my ISP's DNS servers.

    Desired UAG Topology

    As I said, pretty basic. I want to put my UAG box behind the Cisco device and use it to publish Exchange, a couple of web sites, etc. All I know for sure at the present is that I'd need to set up 2 port forwarding rules on my Cisco device, one for 80 and one for 443, both pointing to the UAG box. Note that while I'd like to also deploy DirectAccess, the two consecutive public, static IP addresses put that out of my reach currently.

    Assumptions

    From my reading I think I understand the following:

    1. UAG does not allow for outbound access for clients. IOW, I can't simply change the default gateway on my clients to point to the UAG box and be done with things.
    2. The internal and external interfaces on the UAG box need to be in different networks.

    Questions

    My real confusion here is how do I set up the networking on the UAG box, and internal clients and servers? If I want to keep on using 192.168.1.0/24 on my internal network then I can keep using 192.168.1.1 (internal interface IP of the Cisco device) as the default gateway and assign an IP address in that range to the "external" interface of the UAG box, but then what do I do with the "internal" interface of the UAG box? If I assign it an address in a different network, how will it find the servers and apps I want to publish?

    Any help here? My head is beginning to hurt thinking about all of this stuff.

    As an aside to the UA/UE folks in the UAG group, while I think the current documentation is great, a Visio diagram showing a sample deployment with a single UAG box behind a single front end firewall and no back end firewall would go a long way towards helping someone like me. There are lots of references to this topology but I couldn't find anything that gave me a concrete example of how to set it up.

    Thanks for any assistance
    Paul Adare CTO IdentIT Inc. ILM MVP
    Friday, March 12, 2010 12:50 PM

Answers

  • Hi Paul,

    As UAG is only supported with two network interfaces, and you want to avoid network re-design, I would suggest you have the following options:

    * Place UAG in parallel with your Cisco firewall; as you probably know, UAG runs TMG under the covers to provide an 'edge ready' solution.
    * Connect the external UAG interface to a DMZ/perimeter interface on your Cisco firewall and then connect the internal UAG interface to the LAN.

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd
    • Marked as answer by Paul Adare Friday, March 12, 2010 3:07 PM
    Friday, March 12, 2010 2:22 PM
  • Hi Paul,

    I agree with Jason and you should go with his recommendations.

    RE: documentation, good point. I've heard this from a few other people and we'll work on updating the content with some sample diagrams that can get you up and running. I think maybe we took for granted that people had already been working with ISA/IAG for a while and that they already had these issues handled with previous installations. I'll run this up the flagpole.

    Thanks!
    Tom
    MS ISDUA/UAG DA Anywhere Access Team
    • Marked as answer by Paul Adare Friday, March 12, 2010 3:07 PM
    Friday, March 12, 2010 3:05 PM

All replies

  • Thanks Jason and Tom! I would have likely eventually come to this conclusion on my own, but it is nice to have it come via experts. Parallel it shall be.
    Paul Adare CTO IdentIT Inc. ILM MVP
    Friday, March 12, 2010 3:09 PM
  • Hi Paul,

    You bet! Let me know if you have any issues with your DA deployment. I'd like to make it go as smoothly as possible for you and turn you into a DA evangelista! :)

    Thanks!
    Tom
    MS ISDUA/UAG DA Anywhere Access Team
    Monday, March 15, 2010 7:03 PM