How to publish SCOM gateway with UAG RRS feed

  • Question

  • Hi All,

     

    We have SCOM R2 up and running internally, we use it to monitor internal servers as well as our hosting servers.

    The hosting servers connect over the internet using port 5723 and certificates for authentication and encryption, standard SCOM stuff, remote agents is the SCOM term.

    At the moment we have ISA 2006 with 3 networks, internal, external & DMZ. The SCOM Gateway server resides in the DMZ. This is all up and running, no problems.

     

    Now we are implementing UAG, with a similar network config: Internal, External and 2 DMZs. The SCOM gateway server will live in the DMZ.

     

    Initially I tried to configure TMG to allow 5723 from the internet to the SCOM gateway, no luck there. I did find a TechNet article that said when TMG & UAG are deployed you can only use TMG to publish SMTP, POP3, IMAP & OCS; everything else has to be done with UAG.

     

    I have created an HTTP trunk, changed the port from 80 to 5723, turned off authentication and set the policies to "always" so that policies aren't enforced/applied. I tried several different "application types" when using the add application wizard, without any luck.

     

    So what is the best way to publish port 5723 for a SCOM gateway? The SCOM gateway is on a DMZ of the UAG server.

    Essentially, how to turn off all the goodness of UAG and let SCOM do its thing.

     

    Thanks.

    Tuesday, April 20, 2010 8:48 PM

Answers

  • Hi Martin,

    To quote from the UAG support boundaries document and I have highlighted the more relevant items:

    Forefront UAG uses Forefront TMG, as follows:

    • Forefront TMG acts as a firewall, protecting the Forefront UAG server.

    • Forefront UAG uses Forefront TMG infrastructure and functionality in some deployment and monitoring scenarios.

    and

    Although you can configure Forefront TMG running on Forefront UAG using the Forefront TMG Management console, Forefront TMG is intended for use of the Forefront UAG infrastructure only. Specifically, the following is not supported:

    • Forefront TMG is installed automatically during Forefront UAG Setup, and removed automatically if Forefront UAG is uninstalled. Installing and uninstalling only Forefront TMG is not supported.

    • Forefront TMG as a forward proxy for outbound Internet access.

    • Forefront TMG application publishing, except for the publishing scenarios listed in the Supported Forefront TMG configurations section that follows.

    • Forefront TMG as a site-to-site VPN.

    • Forefront TMG as an intrusion protection system.

    • Forefront TMG as a network perimeter firewall. Forefront TMG running on Forefront UAG is only intended to protect the Forefront UAG local host server.

    • Publishing Forefront TMG via Forefront UAG.

    • Any other scenarios not specifically listed in the Supported Forefront TMG configurations section below.

    UAG is not 'TMG + Extra functionality' and both products still sit side by side. TMG is deployed on UAG specifically for its own use, not as a fully blown TMG deployment that can be used for general TMG functionality.

    Keeping ISA is the easiest route as you cannot use the TMG functionality of UAG (and remain supported) in the way that you are trying to. If you want to use the latest technology then by all means upgrade from ISA Server to TMG, but deploying UAG to achieve this is not a good approach.

    UAG is focused on remote access and depends on client interaction; it is not designed to do what you want as you are talking about protecting system level communications which require a layer 3/7 firewall. If you wanted to publish the SCOM management console to trusted Internet clients (access to the console for external users) then UAG would be ideal to provide non-web publishing using 5723 with the SSL Wrapper component. 

    Ultimately, it sounds to me like you need two deployments, one using TMG as a network firewall and one using UAG as a remote access solution. I agree there is some overlap in functionality (they can both web publish for example) but UAG should be complementary to your existing network firewall, not a replacement.

    This might be worth a read too: http://social.technet.microsoft.com/Forums/en/forefrontedgeiag/thread/b8d0e1fe-9ab6-4b88-a2cc-4ad016c45196

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by m12w345 Wednesday, April 21, 2010 8:59 PM
    Wednesday, April 21, 2010 7:34 AM

All replies

  • Do you realise that using UAG as a network firewall is not supported?

    If I were you, I would keep ISA Server 2006 'as is' and deploy UAG as a complementary technology specifically for remote access rather than try and reverse engineer UAG to become a dual role TMG/UAG solution.

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by Erez Benari Tuesday, April 20, 2010 9:23 PM
    • Unmarked as answer by m12w345 Wednesday, April 21, 2010 4:46 AM
    Tuesday, April 20, 2010 9:17 PM
  • Hi Jason,

    I really do appreciate you taking the time to answer, but I don't think that's an answer to the question. During my research pre-TMG/UAG implementation there was not anything in any Microsoft documentation (that I found) to indicate this situation would require retaining ISA 2006. If this is truly the case, why is UAG bundled with TMG, when in fact they should be deployed separately?

    I don’t see why we should have to retain ISA 2006, we want to upgrade to the new versions for higher security and greater functionality, but having to retain old infrastructure as the new product does not do what the old product does. Crazy!

    To me, the question posed is also accurate for publishing any non-web applications. The Microsoft web site states "Publish Web and non-Web applications by means of Forefront UAG trunks"; here is the link: http://www.microsoft.com/forefront/unified-access-gateway/en/us/features.aspx

    So the question, how to publish non-web applications (e.g. SCOM gateway) still remains?

    Thanks,

    Martin

    Wednesday, April 21, 2010 4:47 AM
  • Hi Jason,

    Thanks very much, that explains things.

    A note, SCOM port 5723 is for remote agent communication, not the management console.

    Cheers,

    Martin

    Wednesday, April 21, 2010 9:03 PM