Placement of UAG 2010 DirectAccess + SSTP Server in 2-tiered DMZ network

  • Question

  • Dear Fellows,

    What will be the location and network configuration for UAG 2010 Server if we have three networks (Internal and two-tiered DMZ networks)?

    Thanks.


    Junaid Ahmed


    Wednesday, November 7, 2012 9:56 PM

Answers

  • A UAG server needs to have 2 legs (no more, no less), one "internal" and one "external" - those can be either real internal and external addresses, or one or both legs can be inside a DMZ. So in your case, "external" could be in the DMZ and "internal" could be in perimeter, if I'm understanding you correctly. The only thing you need to be aware of is that the UAG server needs to have actual public IP addresses on its external interface, so the firewall handling your DMZ needs to be able to route the true public IPs, it can NOT be NAT. If you are unable to get public IP addresses into your DMZ to assign to the NIC, then the external leg of your UAG will have to be put in parallel to your firewall, out on the internet.
    • Marked as answer by JunaidAhmedpk Wednesday, December 19, 2012 11:30 AM
    Monday, November 26, 2012 8:02 PM
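As an added example (not code from the thread or from UAG itself), a small Python check of the constraints Jordan lays out: exactly two legs, with the external one holding true public IPv4 addresses rather than NATed private space. The two layouts, the NIC names and the dictionary keys are constructed; the 203.0.113.0/24 documentation range stands in for real public space, and the consecutive-address check reflects the separate UAG DirectAccess (Teredo) prerequisite, which the thread does not mention.

```python
import ipaddress

# Ranges that can never be "true public IPs" on the external leg: seeing one
# there means the DMZ firewall is NATing, which the answer above rules out.
NON_PUBLIC_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # carrier-grade NAT
    "169.254.0.0/16", "127.0.0.0/8", "0.0.0.0/8",      # link-local, loopback, unspecified
)]

# Constructed layouts (assumed keys: name, role, addresses). The first matches
# the recommendation; the second is a NATed DMZ with an extra perimeter NIC.
LAYOUT_PUBLIC_DMZ = [
    {"name": "External", "role": "external", "addresses": ["203.0.113.10", "203.0.113.11"]},
    {"name": "Internal", "role": "internal", "addresses": ["10.20.0.5"]},
]
LAYOUT_NATTED_DMZ = [
    {"name": "External", "role": "external", "addresses": ["192.168.50.10"]},
    {"name": "Internal", "role": "internal", "addresses": ["10.20.0.5"]},
    {"name": "Perimeter", "role": "internal", "addresses": ["172.16.9.5"]},
]


def is_public_v4(addr):
    """True for an IPv4 address outside every private/NAT/special range above."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and not any(ip in net for net in NON_PUBLIC_V4)


def check_uag_legs(nics):
    """Return findings for a proposed UAG NIC layout; an empty list means it passes."""
    findings = []
    if len(nics) != 2:
        findings.append(f"UAG needs exactly two legs (one internal, one external); layout has {len(nics)}")
    external = [n for n in nics if n["role"] == "external"]
    if len(external) != 1:
        findings.append("exactly one NIC must be the external leg")
        return findings
    public = sorted(int(ipaddress.ip_address(a)) for a in external[0]["addresses"] if is_public_v4(a))
    if not public:
        findings.append(f"external leg {external[0]['name']!r} has no public IPv4 address: it is behind NAT")
    elif not any(b - a == 1 for a, b in zip(public, public[1:])):
        findings.append("DirectAccess (Teredo) needs two consecutive public IPv4 addresses on the external leg")
    for n in nics:
        if n["role"] == "internal" and any(is_public_v4(a) for a in n["addresses"]):
            findings.append(f"internal leg {n['name']!r} carries a public address; expected private space")
    return findings


if __name__ == "__main__":
    for label, layout in (("public DMZ", LAYOUT_PUBLIC_DMZ), ("NATed DMZ", LAYOUT_NATTED_DMZ)):
        print(label, check_uag_legs(layout) or "OK")
```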

All replies

  • Can you clarify the network setup?

    Do you mean you have separate frontend and backend firewalls?


    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Wednesday, November 7, 2012 11:07 PM
    Moderator
  • I agree; we need some more information about what exactly you are trying to do with the networks. I just replied to the other thread you started but wanted to note here as well - DirectAccess and Network Connector cannot co-exist on the same UAG box. DirectAccess+SSTP is just fine, or SSTP+NC is fine, but not DA+NC. I know this thread doesn't specifically mention Network Connector, but based on your other post I thought you would want to know this.
    Wednesday, November 14, 2012 3:50 PM
  • Why ask a question and then never come back????

    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Thursday, November 15, 2012 5:27 PM
    Moderator
  • Hi Jason,

    Sorry for replying late. I am on vacation and not able to access the web very frequently.

    The client has a DMZ and a perimeter network. Where should I place the UAG array? What I am not able to understand is how UAG will give DA clients access to servers in the perimeter network. Do I need to add another NIC in the UAG servers, or will just external and internal work?

    Thanks.


    Junaid Ahmed

    Saturday, November 24, 2012 7:18 AM
  • Can you clarify "servers in the perimeter network"? Do you mean servers in the same network as the UAG external or internal interfaces, or perhaps another network?

    Hopefully Jordan has clarified the other areas...


    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Tuesday, November 27, 2012 11:53 PM
    Moderator