Best placement of DirectAccess UAG

  • Question

  • Hi,

    Just wondering if anyone could give some pointers as to what would be the best placement of a 2-node UAG DirectAccess cluster. I'm thinking in the DMZ and second NIC in LAN (current DMZ is the 3rd leg in a 3-leg perimeter setup on the main FW).

    Also I wonder: is it really necessary to place the UAGs in the DMZ? How about one NIC to the ISP and one to the LAN? I mean, I know that adds another point of entry into our corporate net, but UAG does come with TMG, which is an enterprise-grade FW (actually more feature rich than our current main FW).

    Thursday, May 3, 2012 1:10 PM

Answers

  • That is exactly why TMG comes with UAG, to make it "edge-ready". UAG is designed so that it can sit behind a firewall, or directly on the internet. Most of the time the decision on where to place it comes down to your standards (you may have written standards dictating that nothing goes directly on the internet), or firewall capabilities. To utilize DirectAccess on a UAG box, there must be actual public IP addresses on the external NIC. This means that if you are placing it in a DMZ behind a firewall, that firewall must be capable of passing through (routing) the true public IP addresses; it cannot do a NAT. DA will not work if the UAG is behind a NAT. Some firewalls are able to route public IPs, and some are not.

    Disclaimer: Shameless plug coming up :) Many network and security admins will not allow a general purpose Windows server to sit directly on the edge of the network, even if it has TMG running. That is one of the purposes behind the specialty appliances on the market, such as the IVO Networks DirectAccess Concentrator hardened appliances that I install every day.

    • Marked as answer by i686 Tuesday, December 18, 2012 1:24 PM
    Thursday, May 3, 2012 2:28 PM
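The answer's core constraint, that the UAG external NIC must carry true public IPv4 addresses and that any NAT in the path (corporate firewall or ISP) breaks DirectAccess, can be checked before anyone racks hardware. The script below is an added example written for this page; it is not from the thread, from UAG, or from any Microsoft tool. It classifies a candidate external-NIC address plan using the standard library only. The RFC 1918, RFC 6598 and "not globally routable" categories are standard address-space facts; the consecutive-address check reflects UAG DirectAccess's documented requirement of two consecutive public IPv4 addresses on the Internet-facing adapter (for Teredo), which the thread itself does not mention. All sample plans are constructed placeholders, not real deployments.

```python
"""Sanity-check the addressing plan for a UAG DirectAccess external NIC.

Added example for this thread, not Microsoft or UAG code. It encodes the
answer's point: DirectAccess needs real public IPv4 addresses on the
Internet-facing adapter and will not work behind any NAT. It also checks
that the addresses are consecutive (a documented UAG DirectAccess requirement
for Teredo that the thread does not mention).
"""
import ipaddress

# RFC 1918 ranges: if the DMZ leg hands UAG one of these, the perimeter
# firewall must be NATing, which the answer says DirectAccess cannot tolerate.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 6598 shared address space: a sign the ISP itself is applying carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify(ip):
    """Return None if ip is a routable public address, otherwise a short reason."""
    if any(ip in n for n in RFC1918):
        return "RFC 1918 private address: a NAT device must sit in front of UAG"
    if ip in CGNAT:
        return "RFC 6598 shared address space: the ISP is applying carrier-grade NAT"
    if not ip.is_global:
        # Loopback, link-local, RFC 5737 documentation ranges, reserved space, etc.
        return "not globally routable (loopback, link-local, documentation or reserved range)"
    return None


def check_external_plan(addresses):
    """Validate a candidate external-NIC plan; return a list of findings (empty means OK)."""
    findings = []
    ips = sorted(ipaddress.IPv4Address(a) for a in addresses)
    for ip in ips:
        reason = classify(ip)
        if reason:
            findings.append(f"{ip}: {reason}")
    if len(ips) < 2:
        findings.append("plan has fewer than two addresses; UAG DirectAccess expects two")
    for lo, hi in zip(ips, ips[1:]):
        if int(hi) - int(lo) != 1:
            findings.append(f"{lo} and {hi} are not consecutive")
    return findings


# Constructed example plans (placeholder addresses, not real deployments).
PLANS = {
    "public, consecutive": ["1.2.3.4", "1.2.3.5"],
    "DMZ leg on a private range (firewall NAT implied)": ["172.16.5.10", "172.16.5.11"],
    "ISP carrier-grade NAT": ["100.64.12.1", "100.64.12.2"],
    "RFC 5737 documentation range": ["203.0.113.10", "203.0.113.11"],
    "public but not consecutive": ["1.2.3.4", "1.2.3.9"],
}

if __name__ == "__main__":
    for name, plan in PLANS.items():
        result = check_external_plan(plan)
        print(f"{name}: {'OK' if not result else ''}")
        for finding in result:
            print(f"  - {finding}")
```

Run it against the addresses the ISP or network team proposes for the external NIC; any finding other than an empty list means the placement question in this thread is moot until the addressing is fixed, because the firewall (or ISP) would have to route those public addresses straight through to UAG without translation.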