UAG in a DMZ

  • General discussion

  • I want to use UAG in a DMZ to publish OWA.

    How do I configure the NICs?

    Do I still need two NICs? If so, must the gateway be set to the backend/inner firewall?

    Monday, March 29, 2010 1:07 PM

All replies

  • No need for a back end firewall.

    You will need two NICs on the UAG server.

    The default gateway will be configured on the external interface of the UAG server, and that will be in the internal interface of the firewall in front of the UAG server.

    The internal interface of the UAG server can be connected to the LAN, no need for a back-end firewall.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Monday, March 29, 2010 3:00 PM
    Moderator
  • Tom,

    Thank you very much for your reply.

    Yes, that is the way I have it configured now in our test environment, basically multi-homed around the inner firewall.

    The following link leads me to believe that it can be configured between a front-end and back-end firewall, a true DMZ. I'm going to have a little issue explaining that it needs to be multi-homed around the inner firewall.

    http://technet.microsoft.com/en-us/library/dd857258.aspx

    Thanks!

    Monday, March 29, 2010 3:26 PM
  • I have recently deployed UAG connected between a front DMZ and a back DMZ sitting within a back-to-back firewall topology.

    If you want to do DA, you will need the front DMZ to be using public IP addresses (e.g. routable Internet addresses, not NAT'd), but the back DMZ can use private addresses but will also need to be routable to meet the demands for AD domain membership.

    Shout if you have specific questions :)

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd
    Monday, March 29, 2010 3:50 PM
    Moderator
  • Jason,

    Thank you very much for your reply.

    I'm trying to securely publish OWA.

    So this is what I'm thinking:

    Internet > Outer Firewall > UAG > Inner Firewall > Exchange CAS > Exchange MB

    Is this configuration possible? Or does the UAG act as the backend gateway with one NIC in the DMZ VLAN and the other in our intranet?

    Thanks!

    Monday, March 29, 2010 4:00 PM
  • Yes, but you need to use two UAG interfaces which cannot be on the same network; hence you need two discrete networks in your DMZ. This can be done with separate physical DMZ networks or you could use VLANs on the same physical fabric...

    There is no reason why UAG cannot connect between your DMZ and LAN, it runs its own firewall (TMG) after all; essentially running in parallel to your Inner Firewall. However, people often prefer the above approach if they already have a back-to-back setup, but YMMV :)


    Jason Jones | Forefront MVP | Silversands Ltd

    Monday, March 29, 2010 4:04 PM
    Moderator
  • Got it, I think I will run UAG in parallel with our inner firewall. This seems to be the easiest configuration and the MS intended (supported) solution to publish OWA.

    Thanks Jason! Also thanks Tom.

    Monday, March 29, 2010 4:23 PM
  • "where the legs go..." is up to you, not MS and both would be supported as long as the necessary communications can take place! :)

    The role of the back firewall often becomes greatly "swiss cheesed" once UAG moves into production (especially once DA is engaged) and hence doesn't add a lot of value; however some people feel more comfortable with this topology and a single ingress point from the gateway...

    As long as the traffic passes via the gateway to reach the Exchange environment, you should be good to go ;)

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd
    Monday, March 29, 2010 4:50 PM
    Moderator
  • That's an excellent point Jason. In our documentation we say that the back end firewall needs to allow all UDP and TCP IPv4 and IPv6 traffic from the UAG DA server to the internal network.

    It's important to note that this is not a requirement, but instead is the easiest way to get things working. The problem is that most organizations aren't that aware of their traffic profile, so they can't determine, in advance, what protocols should be allowed from the UAG DA server to the corpnet. Since the DA clients are going to act in the same way as corpnet clients, the chances are that there are a great number of protocols that are required, both simple and "complex" protocols. Then take into account any traffic initiated by corpnet hosts to the DA clients, and things get pretty complex.

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Tuesday, March 30, 2010 2:03 PM
    Moderator
  • Jason,

    One last question about ports. I am testing UAG between two firewalls, utilizing two VLANs in the DMZ. I have the following ports opened:

    Outer/front firewall

    80 and 443 in to the UAG server

    Inner/back firewall

    443 out from UAG

    80 and 443 in to CAS server

    53, 88, 123, 135, 389, 445, 636, 3268, 3269 in to DC

    What other ports do I need to open on the back end? I'm having some issues authenticating the UAG server to the domain and checking GP results.

    At this time I think the issue is the dynamically assigned ports RPC uses.

    Did you have to open ports for RPC other than 135?

    Wednesday, April 7, 2010 3:27 PM
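An added example, not part of the thread, that checks the inner-firewall rule set listed in the post above against the flows a domain-joined server needs to reach a DC. The required-flow list and the dynamic RPC range 49152-65535 (the Windows Server 2008 default) are assumptions taken from standard AD port usage, not from the thread.

```python
# Inner/back firewall rules from the post, "in to DC". The post gives no protocol,
# so each port is modelled as open for both TCP and UDP.
# A rule is (proto, first_port, last_port); proto "any" matches tcp and udp.
INNER_RULES_TO_DC = [("any", p, p) for p in (53, 88, 123, 135, 389, 445, 636, 3268, 3269)]

# Flows a domain member sends to a DC. ASSUMED list (standard AD port usage,
# not from the thread); 49152-65535 is the Windows Server 2008 default RPC range.
AD_FLOWS = [
    ("DNS", "udp", 53, 53),
    ("DNS (TCP fallback)", "tcp", 53, 53),
    ("Kerberos", "tcp", 88, 88),
    ("Kerberos", "udp", 88, 88),
    ("NTP", "udp", 123, 123),
    ("RPC endpoint mapper", "tcp", 135, 135),
    ("LDAP", "tcp", 389, 389),
    ("LDAP ping", "udp", 389, 389),
    ("SMB (SYSVOL, group policy)", "tcp", 445, 445),
    ("Kerberos password change", "tcp", 464, 464),
    ("LDAPS", "tcp", 636, 636),
    ("Global catalog", "tcp", 3268, 3269),
    ("RPC dynamic ports (Netlogon, DRS)", "tcp", 49152, 65535),
]


def allowed(rules, proto, lo, hi):
    """True if every port in lo..hi is permitted for proto.

    Walks the range so a flow covered by several adjacent rules still counts.
    """
    port = lo
    while port <= hi:
        hits = [r for r in rules if r[0] in ("any", proto) and r[1] <= port <= r[2]]
        if not hits:
            return False
        port = max(r[2] for r in hits) + 1
    return True


def missing_flows(rules, flows=AD_FLOWS):
    """Flows in `flows` that the rule set does not fully permit."""
    return [f for f in flows if not allowed(rules, f[1], f[2], f[3])]


if __name__ == "__main__":
    for name, proto, lo, hi in missing_flows(INNER_RULES_TO_DC):
        span = f"{lo}" if lo == hi else f"{lo}-{hi}"
        print(f"blocked: {name} {proto}/{span}")
    # Adding the two missing rules closes the gaps reported above.
    fixed = INNER_RULES_TO_DC + [("tcp", 464, 464), ("tcp", 49152, 65535)]
    assert missing_flows(fixed) == []
```

Run against the posted rule set it reports the Kerberos password-change port and the dynamic RPC range as blocked, which matches the poster's suspicion about RPC.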
  • Hi,

    Have a look at this and the links contained therein:

    http://blog.msfirewall.org.uk/2009/02/resource-guide-for-microsoft-active.html

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd
    Thursday, April 8, 2010 9:42 AM
    Moderator
  • Hello Thomas,

    We are currently exploring this same scenario. So does this mean that the UAG becomes the only egress for all traffic going out? It is my understanding that UAG does not support multiple gateways or policy-based routing (not sure if this is valid in UAG but was in ISA).

    Currently our internal router 10.10.4.1 is the default gateway for all traffic. Our DMZ is a 192.168.3.x

    We want to publish OWA, SharePoint, file servers (home drive file access) on internal 10.x.x.x; will this work?

    I understand we can run them in parallel but that would mean manually setting a different gateway on our SharePoint and OWA and file servers.

    tia,

    GmFlanagan

    Tuesday, April 27, 2010 4:15 PM
  • Hi GM,

    No, the situation is different from ISA. The UAG server is for inbound access only, so no outbound traffic is allowed through the UAG server (except as response traffic to inbound responses).

    You are correct that UAG does not support multiple gateways. Routing table entries can be used, and reserve the default gateway address as the gateway of last resort.

    So, you can leave the gateway address as it is. As long as the UAG server has a path to the published servers, and the published servers know the path to the internal interface of the UAG server, then you're in good shape.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Wednesday, April 28, 2010 12:21 PM
    Moderator
  • Thanks. So are the static routes added on the UAG box or our internal router?

    thanks again,

    GmFlanagan

    Wednesday, April 28, 2010 2:56 PM
  • Hi GM,

    You will need to enter routing table entries on the UAG server so that it knows which gateway to use for your subnet IDs. Most likely the router right behind the UAG server. The hosts on your network will need to know the route to take to reach the network ID on which the internal interface of the UAG server sits.

    That's about it.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Thursday, April 29, 2010 2:13 PM
    Moderator
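An added example (not from the thread) that models the UAG-side routing Tom describes: the default gateway stays on the External NIC and persistent static routes send the internal subnets out of the Internal NIC via the router behind UAG. Only 10.10.4.1 and the 192.168.3.x DMZ come from the thread; the NIC addresses, the outer firewall's inside leg 192.168.3.1 and the published-server addresses are assumptions. It does not model the return route the internal hosts also need.

```python
from ipaddress import ip_address, ip_network

# Constructed UAG routing table for the layout discussed above.
#   External NIC 192.168.3.10/24 -> default gateway 192.168.3.1 (gateway of last resort)
#   Internal NIC 10.10.4.20/24   -> static route for 10.0.0.0/8 via 10.10.4.1
# Entry: (destination prefix, next hop or None when directly connected, interface)
UAG_ROUTES = [
    ("0.0.0.0/0", "192.168.3.1", "External"),
    ("192.168.3.0/24", None, "External"),
    ("10.10.4.0/24", None, "Internal"),
    ("10.0.0.0/8", "10.10.4.1", "Internal"),  # the persistent route Tom describes
]


def lookup(routes, dst):
    """Longest-prefix match; returns (next hop, interface). Connected nets hand back dst."""
    addr = ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return (best[1] or str(addr), best[2])


def misrouted(routes, published_servers):
    """Published servers whose traffic would leave via the External NIC (broken path)."""
    return [s for s in published_servers if lookup(routes, s)[1] != "Internal"]


def route_add_commands(routes):
    """Windows 'route add -p' lines for the static (non-connected, non-default) entries."""
    out = []
    for prefix, gw, _ in routes:
        net = ip_network(prefix)
        if gw is not None and net.prefixlen > 0:
            out.append(f"route add -p {net.network_address} mask {net.netmask} {gw}")
    return out


if __name__ == "__main__":
    servers = ["10.20.30.40", "10.10.4.50"]  # constructed CAS / SharePoint addresses
    print("without static route:", misrouted(UAG_ROUTES[:3], servers))  # ['10.20.30.40']
    print("with static route:   ", misrouted(UAG_ROUTES, servers))      # []
    print("\n".join(route_add_commands(UAG_ROUTES)))
```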
  • Hello,

    Understood. When you say hosts, are you referring to published OWA, SharePoint?

    Are requests coming from the internet to published SharePoint or OWA encrypted end to end, assuming SSL as DA is not in play here, or is it in the clear "after" UAG and then re-encrypted on the way back out?

    thanks,

    GmFlanagan

    Thursday, April 29, 2010 2:26 PM
  • This may help with regard to static routes on UAG:

    http://blog.msedge.org.uk/2010/04/threat-management-gateway-tmg.html

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, April 29, 2010 11:11 PM
    Moderator
  • Hello,

    Understood. When you say hosts, are you referring to published OWA, SharePoint?

    Are requests coming from the internet to published SharePoint or OWA encrypted end to end, assuming SSL as DA is not in play here, or is it in the clear "after" UAG and then re-encrypted on the way back out?

    thanks,

    GmFlanagan


    Hi GM,

    Yes, that is correct. The published site needs to have a route available to reach the internal IP address(es) of the UAG Server. If you use the default settings, so-called "SSL offloading" is the default. So the connection between the client and the UAG server is protected by SSL/TLS and from the UAG server to the published server is unencrypted. You can configure it to use SSL from end to end.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Friday, April 30, 2010 12:39 PM
    Moderator
  • Great, thanks so much for your assistance throughout these forums.

    GmFlanagan

    Friday, April 30, 2010 6:38 PM
  • You bet!

    Between Jason and me, I hope you can get everything working ;)

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Monday, May 3, 2010 2:29 PM
    Moderator