Integrating Direct Access without using private IPs

  • Question

  • Hi everybody,

    I'm currently working on integrating Forefront UAG and Direct Access into my company's network.

    But at the moment I'm stuck.

    We have a huge stack of public IPv4 addresses, and every server and client has a public, non-NAT IPv4 address. The IPs of the servers and computers are bound to the MAC address by DHCP.

    My first question is: when connecting from a notebook outside the network to the internal network, which IP address is used? A NAT address from the UAG server? Its defined DHCP address?

    My second question is how I should do the routing. The UAG server is located in a separate server subnet. But there are many other subnets where servers are running that provide services to which the DA users should have access. Do I need to add each single server as a static route on the UAG server, or each subnet? Or is there another possibility to establish this connection?

    Greetings,

    PhiBu

    Tuesday, March 15, 2011 7:57 AM

Answers

  • The UAG server does not hand out IP addresses to either inside or outside computers.  When they are connected to your private network, they should use your DHCP scope.  If you have ISATAP enabled they may also bring up an IPv6 address that is derived from that DHCP address (note: it is not assigned by UAG or DirectAccess).  When outside the network, the DirectAccess client will automatically determine if it has access to your public interface of the UAG server and attempt to bring up the IPv6 IPSec tunnels to gain access to the private network.

    As for your question about accessing other subnets, yes, you need to define static routes for all private subnets that you want the UAG server and its DirectAccess clients to have access to.  Check out Page 2 of my guide for the details on IP addressing the server.

    http://blog.concurrency.com/infrastructure/uag-sp1-directaccess-configuration-guide/


    MrShannon | TechNuggets Blog | Concurrency Blogs
    • Marked as answer by PhiBu Wednesday, March 30, 2011 7:45 AM
    Tuesday, March 15, 2011 12:22 PM
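Two pieces of the answer above lend themselves to a worked example: the ISATAP IPv6 address a host derives from its DHCP-assigned IPv4 address, and the persistent static routes the UAG server needs for the other internal subnets. The script below is an added example, not code from the thread or from the linked guide. The ISATAP prefix, the subnet list and the internal gateway are assumptions chosen for illustration; `route.exe -p add` is used rather than a newer cmdlet because it exists on the Windows Server 2008 R2 hosts UAG ran on.

```powershell
# Added example (not from the original thread). Assumed values: the ISATAP
# prefix, the internal subnets and the gateway on the UAG internal interface.

function Test-Rfc1918Address {
    param([Parameter(Mandatory)][System.Net.IPAddress]$IPv4)
    $b = $IPv4.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Get-IsatapAddress {
    param(
        [Parameter(Mandatory)][string]$Prefix,   # 64-bit ISATAP prefix, e.g. '2001:db8:100:1'
        [Parameter(Mandatory)][string]$IPv4      # the host's DHCP-assigned IPv4 address
    )
    $ip = [System.Net.IPAddress]::Parse($IPv4)
    # RFC 5214 interface identifier: 0:5efe:w.x.y.z, with the u/l bit (0x0200)
    # set when the embedded IPv4 address is globally unique. Windows follows
    # this, so public (non-RFC 1918) addresses get 200:5efe, private ones 0:5efe.
    $iid = if (Test-Rfc1918Address $ip) { '0:5efe' } else { '200:5efe' }
    return "{0}:{1}:{2}" -f $Prefix.TrimEnd(':'), $iid, $IPv4
}

function ConvertTo-DottedMask {
    param([Parameter(Mandatory)][int]$PrefixLength)
    # route.exe wants a dotted mask, not a prefix length
    $maskInt = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $PrefixLength))
    $bytes = [BitConverter]::GetBytes($maskInt)
    [array]::Reverse($bytes)              # little-endian -> network order
    return ($bytes -join '.')
}

function Add-InternalSubnetRoutes {
    param(
        [Parameter(Mandatory)][string[]]$Subnet,   # 'network/prefixlen' entries
        [Parameter(Mandatory)][string]$Gateway,    # router on the UAG internal NIC's subnet
        [switch]$WhatIf
    )
    foreach ($s in $Subnet) {
        $net, $len = $s.Split('/')
        $mask = ConvertTo-DottedMask -PrefixLength ([int]$len)
        $cmd = "route.exe -p add $net mask $mask $Gateway"
        if ($WhatIf) {
            Write-Host "WhatIf: $cmd"
        } else {
            # -p makes the route persistent across reboots; one route per
            # internal subnet, not per server
            & route.exe -p add $net mask $mask $Gateway | Out-Null
        }
    }
}

# Usage with assumed values: a public lease on an internal host, and two
# internal subnets reachable through the router on the UAG internal interface.
Get-IsatapAddress -Prefix '2001:db8:100:1' -IPv4 '203.0.113.10'
Add-InternalSubnetRoutes -Subnet '198.51.100.0/24','203.0.113.128/25' -Gateway '203.0.113.1' -WhatIf
```

Because the poster's hosts carry public IPv4 addresses, `Get-IsatapAddress` produces an interface identifier beginning with `200:5efe`, so the call above yields `2001:db8:100:1:200:5efe:203.0.113.10`. Run `Add-InternalSubnetRoutes` with `-WhatIf` first and compare the printed commands against the subnet list before letting it touch the routing table on the UAG server; drop `-WhatIf` from an elevated prompt to add the routes.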

All replies

  • Hi,

    Do we have to understand that your network is only based on public IPv4 subnets? I hope your company owns them. If your company is not the owner of the subnets, this is a more complex scenario for DirectAccess.

    Have a nice day.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    Tuesday, March 15, 2011 1:38 PM