Deployment of UAG behind frontend (edge) firewall (TMG)

  • Question

  • Hi,
    Please, could anyone help me understand how to set up the IP interfaces on a UAG server in a situation where UAG is behind TMG, the organization's edge (frontend) firewall?
    1. If UAG requires two network interfaces and one must be defined as internal and the other as external, could the network between UAG's external interface and TMG's internal interface be a DMZ (perimeter network)?
    2. For clients and servers on the internal network, does the UAG server do NAT or routing?
    3. If UAG's interfaces are set as internal and external, must TMG, which likewise has two interfaces, be set up the same way (internal and external interface)? Does the TMG server NAT all internal subnets?
    4. Assume that I publish Exchange Server through UAG. Must I publish the UAG portal again on TMG if TMG has a private IP on its internal interface?
    5. Could I put the UAG server in parallel with the TMG server, i.e. TMG and UAG each with one interface on the internal network and the other on the external network (Internet)?

    Thanks
    Thursday, February 11, 2010 7:58 AM

Answers

  • Hi,

    As UAG runs TMG underneath, it is fully capable of being placed at the edge; this could be in parallel to a TMG edge firewall, yes. I guess most people will place it behind an existing edge firewall though...

    This info may help:

    http://technet.microsoft.com/en-us/library/ee428826.aspx

    If you want to use UAG for DirectAccess (you don't say), it must have at least two consecutive public Internet Protocol version 4 (IPv4) addresses assigned to the interface that is connected to the perimeter network, or, in the absence of an Internet firewall, it must be connected directly to the Internet. Addresses in the ranges 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 are private IPv4 addresses and cannot be used.

    This means that your perimeter network must be running a non-NAT'd public IP subnet (a supernet of your edge public IP subnet perhaps?)

    Some good info here:

    http://technet.microsoft.com/en-us/library/ee809089.aspx

    If you want to place UAG behind a firewall and use DA you need to consider this:

    http://technet.microsoft.com/en-us/library/ee809062.aspx

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd
    • Proposed as answer by Erez Benari Thursday, February 11, 2010 11:03 PM
    • Marked as answer by Erez Benari Wednesday, February 17, 2010 11:59 PM
    Thursday, February 11, 2010 9:21 PM
  • Hi,
    Please, could anyone help me understand how to set up the IP interfaces on a UAG server in a situation where UAG is behind TMG, the organization's edge (frontend) firewall?
    1. If UAG requires two network interfaces and one must be defined as internal and the other as external, could the network between UAG's external interface and TMG's internal interface be a DMZ (perimeter network)?
    2. For clients and servers on the internal network, does the UAG server do NAT or routing?
    3. If UAG's interfaces are set as internal and external, must TMG, which likewise has two interfaces, be set up the same way (internal and external interface)? Does the TMG server NAT all internal subnets?
    4. Assume that I publish Exchange Server through UAG. Must I publish the UAG portal again on TMG if TMG has a private IP on its internal interface?
    5. Could I put the UAG server in parallel with the TMG server, i.e. TMG and UAG each with one interface on the internal network and the other on the external network (Internet)?

    Thanks

    1. It could be, but remember that you need to use public IP addresses on the external interface of the UAG server. So, you can NAT public to public (in which case you'll need to configure a special netsh entry), or you can route from the TMG firewall to the UAG server.

    2. Internal clients can't use the UAG server for outbound access. UAG is for inbound access only, so you'll need to bypass UAG for outbound access from the internal networks.

    3. TMG will NAT or route, depending on how you configure your Network Rules.

    4. You can use a Server Publishing Rule on TMG to publish TCP 443 inbound.

    5. This would be my preferred configuration.

    HTH,
    Tom
    MS ISDUA Anywhere Access Team
    • Marked as answer by Erez Benari Wednesday, February 17, 2010 11:59 PM
    Friday, February 12, 2010 1:31 PM
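The addressing rule Jason quotes for DirectAccess (at least two consecutive public IPv4 addresses on the perimeter interface, none from 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16) and Tom's point 1 (public addresses on the UAG external interface even when TMG sits in front of it) are easy to get wrong when the DMZ is a NAT'd private subnet. The script below is an added example for this thread, not code from either answer or from the UAG/TMG products. It checks only the three ranges the answer names; the address lists and the `check_perimeter_interface` helper and its `(ok, reason)` return shape are this example's own, and the 203.0.113.0/24 addresses are constructed samples.

```python
"""Check a UAG perimeter (external) interface against the DirectAccess
addressing rule quoted in the thread: at least two consecutive public IPv4
addresses, none from 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16.

Added example for this thread, not UAG or TMG tooling.  The sample address
lists below are constructed.
"""
import ipaddress

# Exactly the three private ranges named in the answer.  ipaddress's own
# is_private / is_global would also reject documentation ranges such as
# 203.0.113.0/24, which would make the constructed samples below fail.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def ipv4_addresses(addrs):
    """Parse a list of addresses (strings or IPv4Address objects), keeping
    only valid IPv4 ones, de-duplicated and sorted.

    IPv6 entries (e.g. the fe80:: link-local address ipconfig also lists)
    and unparsable strings are skipped rather than treated as errors.
    """
    result = set()
    for raw in addrs:
        try:
            ip = ipaddress.ip_address(str(raw).strip())
        except ValueError:
            continue
        if ip.version == 4:
            result.add(ip)
    return sorted(result)


def is_private(ip):
    """True if ip (string or IPv4Address) falls in one of PRIVATE_RANGES."""
    ip = ipaddress.ip_address(str(ip))
    return ip.version == 4 and any(ip in net for net in PRIVATE_RANGES)


def consecutive_public_pairs(addrs):
    """Return [(a, b), ...] as strings where b == a + 1 and neither is private."""
    ips = [ip for ip in ipv4_addresses(addrs) if not is_private(ip)]
    return [(str(a), str(b)) for a, b in zip(ips, ips[1:]) if b == a + 1]


def check_perimeter_interface(addrs):
    """Return (ok, reason) for the address list of the perimeter interface."""
    ips = ipv4_addresses(addrs)
    if not ips:
        return False, "no IPv4 addresses found on the interface"
    private = [str(ip) for ip in ips if is_private(ip)]
    if private:
        # A NAT'd 10/8, 172.16/12 or 192.168/16 address on the UAG external
        # interface is the case both answers warn against.
        return False, "private IPv4 address(es) on perimeter interface: " + ", ".join(private)
    pairs = consecutive_public_pairs(ips)
    if not pairs:
        return False, "no two consecutive public IPv4 addresses among: " + ", ".join(map(str, ips))
    return True, "consecutive public pair %s and %s" % pairs[0]


if __name__ == "__main__":
    # Constructed samples: a NAT'd private pair, a non-consecutive public
    # pair, and a valid pair alongside an IPv6 link-local address.
    samples = [
        ["192.168.1.10", "192.168.1.11"],
        ["203.0.113.10", "203.0.113.12"],
        ["fe80::1", "203.0.113.10", "203.0.113.11"],
    ]
    for sample in samples:
        ok, reason = check_perimeter_interface(sample)
        print("PASS" if ok else "FAIL", sample, "-", reason)
```

Feed it the addresses shown by `ipconfig` for the interface facing TMG. A FAIL on the private-range check means the DMZ between TMG and UAG is a NAT'd private subnet and one of Tom's two options applies: either route a public subnet through TMG to UAG, or keep the public-to-public NAT and follow the UAG behind-a-NAT guidance Jason links.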
