UAG 2010 setup in front of a current 3 vLAN web environment

  • Question

  • We want to set up UAG 2010 to take advantage of SSO and pre-authentication (to get away from our custom Form/SQL based roles in our web apps).

    Our current web facing environment is (3) VMware 4.1 hosts in a cluster setup in (3) vLANs, call them 20/30/40:
    20 is for web front ends (Apache/Tomcat/IIS)
    30 is for the middle tier (not really used now)
    40 is for SQL and AD etc. (i.e. the secure zone)

    Each vLAN is its own class-C address space.
    Each vLAN talks to the others via a Cisco ASA and the rules defined there.

    At this time I was planning to set up a vLAN 10 and pass 80/443 from the internet to this vLAN, in which UAG's 'External' vNIC would live.

    However, I seem to need the INTERNAL vNIC on vLAN20 where the current web apps live, so they can be published. But if I do this I would have to build a ton of Cisco ASA rules, as the INTERNAL vNIC would need to be able to talk to (i.e. vLAN20 to vLAN40 rules) Active Directory, join the domain, etc. I assume networking would then have to build the 40+ system rules in the ASA that the INTERNAL NIC assumes it can use. Is that correct?

    It seems UAG (and its TMG FW) is sort of designed to have the INTERNAL NIC right in the same network as AD and the apps. But our current web design is more of a classic setup than the 'just everything on the inside' one that UAG seems to prefer.

    Am I making it too complex on myself?... Should I just put the INTERNAL NIC on vLAN 40 (where AD is)? If I do this, how could I publish the apps we already have on vLAN20? It seems putting the INTERNAL NIC behind the Cisco ASA would just be a real pain?... Would this be supported by MS anyway?

    We also plan to build a trust from vLAN40 to our inside AD, so apps could be published to users that live in the web domain, as well as our inside domain. Any other points of contention I need to consider?


    Thanks.
    Jonathan Reininger

    MCSE+I, MCSA, VCP 3.5/4

    Tuesday, August 9, 2011 3:46 PM

Answers

  • Hi Jonathan,

    my last recommendation was focused on meeting your requirement to not have the UAG traverse your ASA for backend communications. Well, if your networking guys don't trust UAG, then you may also put UAG into two additional VLANs (e.g. vlan50 and vlan60) and filter both the internal and external network interfaces of UAG. In this way you will have full control of the allowed UAG network communication.

    But please ask your networking guy where the benefits are in this case. I mean, they put their ASA in between UAG and AD, and later they will nevertheless open almost every port which is available on your DCs (including the dirty ones). So if you're planning to make UAG a Domain Member there will be virtually no additional security benefit except to fulfill some "regulations".

    > Anyway I assume, even if I put a vNIC on vLAN20 and the older apps (form
    > based login ones that we plan to leave accessible from the internet directly,
    > i.e. not behind UAG) or the new apps (UAG pre-authenticated/SSO enabled) that
    > live on vLAN20 are 'hacked' and 'owned', they would then have access to one
    > of UAG's inside NICs which is inside the ASA firewall and would then have that
    > vNIC talking to AD (in vLAN40 directly)..

    This would be a very advanced and difficult hack, since in my outlined scenario the vlan20 would be treated as an "external" UAG interface with restrictive packet filters enabled. The only thing the vlan20 interface does in this case is to terminate internet requests (only 80/443 is opened) and after validation forward the request back to vlan20. So basically the UAG attack surface in the direction of vlan20 will be identical to an attack launched from the internet.

    -Kai

    Wednesday, August 10, 2011 8:53 PM

All replies

  • Humm.. maybe I put the inside NIC on vLAN40, so it can talk w/ AD... then just open rules in the ASA from the UAG internal NIC to the web apps in vLAN20.

    So I would just need to open on the Cisco ASA:

      UAG Internal NIC IP  >> Port-80/443 >> vLAN20 front end web app IPs....

    That would be easier, right?

    Tuesday, August 9, 2011 3:58 PM
  • Hi Jonathan,

    personally I would put the internal network on vlan40 (AD) and external + default gateway on vlan20 (web front ends).

    In this way you could access the AD with UAG default settings and you would still be able to publish the "external" web sites. UAG acts as a full proxy, so it doesn't matter where the destination web sites are^^

    Warning: Keep in mind that this scenario may have some "dual homed" routing issues when "clients" on vlan40 access the UAG Portal on vlan20. If the relationship between those networks is routed (I assume) then I'm pretty sure you'll end up in an asymmetric routing/firewall scenario and also see some spoofed packets in the TMG logs. To avoid this, you have "at least" to implement a NAT relationship on your Cisco ASA between vlan40 (all client IPs) and the external UAG IPs on vlan20.

    -Kai


    Tuesday, August 9, 2011 4:12 PM
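    The two pieces discussed above (the single ASA rule from the UAG internal NIC to the vlan20 web front ends on 80/443, and the NAT relationship for vlan40 clients reaching the UAG portal on vlan20) as one Cisco ASA configuration. This is an added example, not from the thread or from Microsoft; interface names, security levels, object names and all addresses are assumptions, and the syntax is ASA 8.3+ (object NAT).

    ```cisco
    ! Constructed example: ASA rules for "UAG internal on vlan40, external + default gateway on vlan20".
    ! Subinterfaces, security levels and addresses are assumptions, not values from the thread.
    interface GigabitEthernet0/1.20
     vlan 20
     nameif vlan20
     security-level 50
     ip address 192.0.2.1 255.255.255.0
    interface GigabitEthernet0/1.40
     vlan 40
     nameif vlan40
     security-level 100
     ip address 198.51.100.1 255.255.255.0
    !
    ! UAG internal NIC sits on vlan40 next to AD, so no AD / domain-join ports cross the ASA at all.
    object network UAG_INTERNAL
     host 198.51.100.10
    ! UAG external NIC (the portal address users hit) on vlan20.
    object network UAG_EXTERNAL
     host 192.0.2.10
    object network VLAN40_CLIENTS
     subnet 198.51.100.0 255.255.255.0
    object-group network WEB_FRONTENDS
     network-object host 192.0.2.21
     network-object host 192.0.2.22
    object-group service WEB_PORTS tcp
     port-object eq www
     port-object eq https
    !
    ! Traffic leaving vlan40 toward vlan20: only the UAG internal NIC may reach the published
    ! web front ends on 80/443, plus vlan40 users reaching the UAG portal over HTTPS.
    ! Everything else from vlan40 hits the ACL's implicit deny once the ACL is applied.
    access-list VLAN40_OUT extended permit tcp object UAG_INTERNAL object-group WEB_FRONTENDS object-group WEB_PORTS
    access-list VLAN40_OUT extended permit tcp object VLAN40_CLIENTS object UAG_EXTERNAL eq https
    access-group VLAN40_OUT in interface vlan40
    !
    ! Hairpin fix for the dual-homed warning: vlan40 clients talking to the UAG portal on vlan20
    ! are source-translated to the ASA's vlan20 address. UAG then answers to an on-link vlan20
    ! address through the ASA instead of replying directly out its vlan40 NIC, which is what
    ! produces the asymmetric routing and the spoofed-packet entries in the TMG logs.
    nat (vlan40,vlan20) source dynamic VLAN40_CLIENTS interface destination static UAG_EXTERNAL UAG_EXTERNAL
    ```

    The ACL deliberately lists no AD ports: with the internal NIC on vlan40 the DC traffic never leaves that VLAN, which is the whole point of the placement.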
  • Kai

    I understand almost all docs I read re: UAG say use '2 NICs, no more, no less'.. But why in this MS video here:

    http://technet.microsoft.com/en-us/forefront/ff793469

    This video --
    Module 2: Forefront Unified Access Gateway Setup and Upgrade Presentation
    http://dlbmodigital.microsoft.com/videos/wmv/8042_Dnl_L.wmv

    This particular video, at time=~13:40, suggests that one can configure with multiple internal network cards. If so, could I put a vNIC on my vLAN 20 and a vNIC on vLAN40? This way it has a direct vNIC to the apps, and a direct vNIC to Active Directory?

    But my team seems to have some concerns re: not trusting the inside NIC of the UAG box. Yes, I understand in most cases UAG is on a corporate edge..! Anyway I assume, even if I put a vNIC on vLAN20 and the older apps (form based login ones that we plan to leave accessible from the internet directly, i.e. not behind UAG) or the new apps (UAG pre-authenticated/SSO enabled) that live on vLAN20 are 'hacked' and 'owned', they would then have access to one of UAG's inside NICs which is inside the ASA firewall and would then have that vNIC talking to AD (in vLAN40 directly).. i.e. would it be a bad idea to put internet apps and an inside interface of UAG on the same vLAN?

    Wednesday, August 10, 2011 3:02 PM
  • Thanks for your insight... 
    Wednesday, August 10, 2011 9:04 PM