UAG Portal and DA IPHTTPS url

  • Question

  • What have people typically been doing when implementing UAG portals and also supporting the iphttps tunnel?  What is a best practice, to use the first public IP for DA and the second for UAG Portal?  Bind another IP and use it as the Portal?
    Tuesday, August 3, 2010 4:52 PM

Answers

  • The best practice is to use a 3rd IP address for the UAG portal. When you move your deployment to use NLB, a VIP is reserved for a single service. So once you choose 2 virtual IP addresses for DA, none of these IP addresses can be used for the UAG portal.

    However, in a single server configuration there's nothing that prevents you from configuring the UAG portal with the 2nd IP address allocated for DA, since DirectAccess doesn't need to bind on port 443 for this address. (Only the first IP address is used for IP-HTTPS.)

    Wednesday, August 4, 2010 2:56 PM

All replies

  • Hi Yaniv,

    That is interesting information!

    Just to confirm, when we use NLB, we have to dedicate services to addresses - which means we need two VIPs for the DA deployment and one VIP for the Portal/SSTP deployment - add that to one DIP and we need a total of four addresses on each array member.

    If we use a single server configuration, then we can assign two addresses to the DA deployment, and we can use the second address for the Portal/SSTP deployment, since we don't have to reserve addresses for a single service. That is to say, we don't need to reserve both of the consecutive public IPv4 addresses to DA and we can use the second one for the Portal/SSTP deployment.

    Right?

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Thursday, August 5, 2010 12:56 PM