UAG Domain and Public Firewalls

  • Question

  • Working through the UAG DirectAccess Step by Step Guide v2, and wanted to confirm something that doesn't look quite right.

    On Step 4, H - Confirm GPO Settings on UAG, I see that in the Windows FW with Adv Security it says both the Domain and Public profiles are 'active', and that the settings are being managed by Forefront TMG. But my Windows FW for the Domain Profile is OFF, while the Windows FW for the Public Profile is ON. Should both be on? Thanks.


    Bill

    Monday, March 26, 2012 8:41 PM

Answers

  • Yes, both should be "on" as well. One of the common things I see in the field is WFAS settings being squashed or "hijacked" by existing GPOs, both for the server and the clients. It would be strange for such a thing to be happening in a secluded TLG environment, but do make sure that you don't have any GPOs that might be interfering with the firewall settings that are being applied by the DirectAccess GPOs. The best thing you can do for a UAG server in this aspect is to seclude it in AD so that it does not inherit any existing GPOs, only the DirectAccess Gateways GPO that it creates itself.
    • Marked as answer by Beachnut_ Thursday, March 29, 2012 8:58 PM
    Tuesday, March 27, 2012 1:45 PM

All replies

  • We stood up this particular eval in a hybrid fashion, i.e. we walked through the TLG but used a combination of subnets in our existing lab. I found that there was in fact a GPO turning the Domain FW off. I've moved the UAG server into an isolated OU and blocked inheritance, then linked the UAG Direct Access:Gateways GPO to that OU. Seems to be working fine. Thanks!


    Bill

    Thursday, March 29, 2012 8:58 PM
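The checks the answer recommends (no foreign GPO squashing WFAS, the UAG server secluded in its own OU) and the fix Bill describes (blocked inheritance, only the Gateways GPO linked) can be verified from one script. This is an added example, not code from the thread or from UAG; the OU distinguished name and GPO display name are placeholders, and it assumes the RSAT GroupPolicy module is available where it runs.

```powershell
# Added example: confirm a UAG DirectAccess server takes its firewall settings
# only from the DirectAccess Gateways GPO. Placeholders below must be edited.
Import-Module GroupPolicy

$UagOu = 'OU=UAG,OU=Servers,DC=corp,DC=example,DC=com'   # placeholder: OU holding the UAG server
$DaGpo = 'UAG DirectAccess: Gateways'                     # placeholder: display name of the GPO UAG created

# 1. Firewall state per profile, parsed from netsh (English-locale output assumed).
$profiles = @{}
$current  = $null
netsh advfirewall show allprofiles | ForEach-Object {
    if ($_ -match '^(\w+) Profile Settings:') { $current = $Matches[1] }
    elseif ($current -and $_ -match '^State\s+(ON|OFF)') { $profiles[$current] = $Matches[1] }
}
foreach ($p in 'Domain', 'Public') {
    if ($profiles[$p] -ne 'ON') {
        Write-Warning "$p profile firewall is '$($profiles[$p])'; the DA GPO expects ON - look for another GPO overriding it"
    } else {
        Write-Host "$p profile firewall: ON"
    }
}

# 2. OU isolation: inheritance blocked and the DA GPO linked directly.
$inh = Get-GPInheritance -Target $UagOu
if (-not $inh.GpoInheritanceBlocked) {
    Write-Warning "Inheritance is NOT blocked on $UagOu; parent GPOs can still reach the UAG server"
}
$linked = $inh.GpoLinks | Where-Object { $_.Enabled } | ForEach-Object { $_.DisplayName }
if ($linked -notcontains $DaGpo) {
    Write-Warning "'$DaGpo' is not linked (enabled) to $UagOu"
}

# 3. Blocking inheritance does not stop Enforced links higher in the tree, so list
#    every GPO that still reaches the OU apart from the DA GPO.
$inh.InheritedGpoLinks |
    Where-Object { $_.Enabled -and $_.DisplayName -ne $DaGpo } |
    ForEach-Object {
        Write-Warning "Other GPO still applies to $UagOu : '$($_.DisplayName)' (Enforced=$($_.Enforced))"
    }
```

Run section 1 on the UAG server itself; sections 2 and 3 can run from any host with the GroupPolicy module and read access to the domain.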