Design for UAG placement in network, replacing TMG

  • Question

    Hi,

    I am confused about the placement of UAG in the network. Actually we are replacing TMG and want UAG to perform proxy. As UAG is not a FW in itself, we need a back-end FW of course, along with a DMZ network where we can place edge servers.

    I am not getting the idea where to place UAG so that I can publish exchange/lync/sharepoint servers via it. It will be NATting to the Internet. Could someone please guide me on where I would place UAG and the traffic flow?

    Monday, September 2, 2013 8:38 AM

All replies

  • Hi,

    UAG uses TMG underneath as a firewall. In your case you refer to the reverse proxy functionality and not to the web proxy functionality. TMG supported both scenarios; UAG is only a reverse proxy. So you place the UAG in exactly the same way into the network as you probably did before: 1 leg to the Internet, 1 leg to the internal network.

    So even if you see the TMG management console after the UAG installation has finished, you should be aware of the support boundaries for TMG with a UAG installation. http://technet.microsoft.com/en-us/library/ee522953.aspx

    Tuesday, September 3, 2013 4:05 AM
  • Thanks! Yes I know UAG is only a reverse proxy, and TMG in the UAG box is to protect itself; I can't use the UAG box's TMG as a back end firewall. My question is: I am surely gonna deploy a back end firewall... maybe ASA. I have one DMZ where I have kept my exchange/lync edge servers. Now I know UAG can't work with one NIC, so I have to place it in between something, maybe between the backend FW and the front end FW/NAT, but then both of UAG's NICs will be in the same subnet. I am not getting how the flow will work?
    Can you let me know of a design where I can have backend FW -- DMZ -- Frontend FW ....... and I can place UAG somewhere with 2 NICs. Please note the Backend FW external interface and the Frontend FW internal interface are on the same subnet, thus if I place UAG in between these then both NICs of UAG will be in the same subnet, which I guess is not supported.
    Tuesday, September 3, 2013 4:25 AM
  • I do not see how this should work either, if both NICs are in the same subnet.

    An option might be to create a VLAN with a new subnet, which will be assigned to the UAG server's internal NIC, and the Frontend FW gets this as a second interface as well.

    I hope I got that right from your description of your firewalls, if not, please adapt the idea to the correct firewall in your environment.

    Tuesday, September 3, 2013 5:07 AM
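The two-subnet constraint discussed in this thread (both UAG NICs on the same segment is the problem; a dedicated VLAN for the internal NIC with a firewall interface on it is the fix) can be checked before cabling anything. The script below is an added example written for this page, not code from the thread or from Microsoft; the device names, interface names and documentation-range addresses are constructed placeholders, and the checks encode only what the replies state: two legs on different subnets, a firewall next hop on each leg, and no address collisions.

```python
from ipaddress import ip_interface
from typing import Dict, List

# Constructed sample designs (hypothetical addresses; not from the thread).
# BAD: UAG placed "in between" with both NICs on the segment shared by the
# front-end FW inside interface and the back-end FW outside interface.
BAD_DESIGN = {
    "frontend_fw": {"outside": "203.0.113.2/24", "inside": "192.0.2.1/24"},
    "backend_fw": {"outside": "192.0.2.2/24", "inside": "10.0.0.1/24"},
    "uag": {"external": "192.0.2.10/24", "internal": "192.0.2.11/24"},
}

# GOOD: the reply's proposal, a new VLAN/subnet for the UAG internal NIC with the
# front-end FW holding a second interface on that VLAN.
GOOD_DESIGN = {
    "frontend_fw": {"outside": "203.0.113.2/24", "inside": "192.0.2.1/24",
                    "uag_vlan": "10.10.20.1/24"},
    "backend_fw": {"outside": "192.0.2.2/24", "inside": "10.0.0.1/24"},
    "uag": {"external": "192.0.2.10/24", "internal": "10.10.20.10/24"},
}


def _ifaces(addrs: Dict[str, str]) -> Dict[str, object]:
    """Parse 'addr/prefix' strings into ip_interface objects, keyed by NIC name."""
    return {name: ip_interface(a) for name, a in addrs.items()}


def validate_uag_placement(design: Dict[str, Dict[str, str]]) -> List[str]:
    """Return a list of design findings; an empty list means the placement passes."""
    findings: List[str] = []
    uag = _ifaces(design["uag"])
    # Every non-UAG device is treated as a firewall whose interfaces can be next hops.
    fw_ifaces = {
        (dev, name): iface
        for dev, addrs in design.items() if dev != "uag"
        for name, iface in _ifaces(addrs).items()
    }

    # 1. UAG needs exactly two legs; a single-NIC box is ruled out in the thread.
    if set(uag) != {"external", "internal"}:
        findings.append(
            f"UAG must have exactly 'external' and 'internal' NICs, got {sorted(uag)}")
        return findings

    # 2. The two legs must not land on the same subnet.
    if uag["external"].network == uag["internal"].network:
        findings.append(
            f"both UAG NICs are in the same subnet {uag['external'].network}")

    # 3. Each leg needs a firewall interface on its segment to route through.
    for leg, iface in uag.items():
        peers = [f"{dev}:{name}" for (dev, name), fw in fw_ifaces.items()
                 if fw.network == iface.network]
        if not peers:
            findings.append(
                f"UAG {leg} NIC {iface} has no firewall interface on {iface.network}")

    # 4. A UAG address must not duplicate a firewall interface address.
    for leg, iface in uag.items():
        for (dev, name), fw in fw_ifaces.items():
            if fw.ip == iface.ip:
                findings.append(
                    f"UAG {leg} NIC address {iface.ip} collides with {dev}:{name}")
    return findings


if __name__ == "__main__":
    for label, design in (("BAD", BAD_DESIGN), ("GOOD", GOOD_DESIGN)):
        result = validate_uag_placement(design)
        print(label, "->", result or "OK")
```

Running it reports the same-subnet finding for the "in between" placement and an empty list for the VLAN design; dropping the front-end firewall's VLAN interface from the good design produces a "no firewall interface" finding, which is the routing gap the reply's second-interface suggestion closes.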