none
Website in DMZ RRS feed

  • Question

  • UAG 2010 -

    I am trying to figure out how from my Direct Access client to access our company's web page that is hosted on web server in the DMZ (UAG external NIC is in DMZ also).  We also host a few web sites (http and https) in the DMZ.  I am drawing a blank on how to get this to work.

    I have tried to find some sort of UAG Publishing for Dummies web site/blog with no luck.

    Chris

    Wednesday, March 16, 2011 6:32 PM

Answers

All replies

  • I am thinking that the way to do this is via a http trunk.  I am fumbling my way though, with all of the great documentation on the setup of UAG and Direct Access, I  am drawing blanks on finding similar documentation on this specific issue.

     

    I believe I created a portal, but I cant open the browser in IIS Manager, I get a "You cannot access this site due to an internal error"  So, I am thinking I didn't make it through the trunk wizard with the correct info.

     

    Thursday, March 17, 2011 6:06 PM
  • You could add the web site FQDNs to the DirectAccess NRPT exemption list as discussed here: http://blogs.technet.com/b/tomshinder/archive/2010/04/02/directaccess-client-location-awareness-nrpt-name-resolution.aspx

    This would negate the need to publish them via UAG.

    I am a little confused what you are trying to achieve, is this for DA users or external users?

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, March 18, 2011 3:25 PM
    Moderator
  • or....  can I add my iis server (that is in my DMZ) IP address to the Internal Network settings on UAG?
    Friday, March 18, 2011 3:41 PM
  • I thought you said your UAG external interface was in the DMZ?
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, March 18, 2011 4:01 PM
    Moderator
  • Jason, the last post was after to many Little Debbies and Cokes........ not thinking clearly.

    What I am trying to achieve is:

    My Direct Access clients need to access web applications on servers that are located in our DMZ (you are correct, the UAG external NIC is in the same DMZ). 

    I will look at adding the FQDN's to teh NRPT as you suggested.  I am in training this week, so it may be next week before I can test.

     

    In other good news, the testing group is giving excellent reviews on applications/resources working in my pilot test of UAG/Direct Access. 

    Monday, March 21, 2011 4:27 PM
  • How do external users access servers in the DMZ?

    What happens for DA clients at the moment?

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, March 22, 2011 12:20 AM
    Moderator
  • If your internal and external domain names are different, then you shouldn't need to do anything.  But if your internal and external dns names are the same, then Jason's right, you'll just want to exclude those specific hostnames from DNS and your DirectAccess clients should ask their external DNs servers and get their public addresses and be able to reach those web sites without trying to tunnel over DirectAccess.

    You make an exclusion in the Infrastructure Servers wizard and you can read about it here.

    http://blog.concurrency.com/infrastructure/uag-sp1-directaccess-config-wizard-infrastructure-servers/


    MrShannon | TechNuggets Blog | Concurrency Blogs
    Tuesday, March 22, 2011 12:31 AM
  • Jason,

    They access the server/applications in the DMZ by - https://www.dnr.state.oh.us/appname, internal domain is dnr.state.oh.us

    With my DA clients (at the HQ location) I cannot access, I get timed out.  No user account prompting.

    My thoughts are with Shannon, that the DA clients would go outside the tunnel to access the DMZ servers.  But I am wondering if I am having problems due to my internet provider.  For example, When NOT USING DA, when I nslookup dc1.mydomain I get a reply back with the Internet Providers DNS servers IP address, we have Wide Open West as our Internet provider at work. I would expect to get a message that the name cannot be resolved.  This happens with any name that Wide Open West cannot resolved.  I can type mickeymouse.com and get the same result. I am in training (using Time Warner Telecomm) and when ping dc1.mydomain I get the expected name cannot be resolved when I do a nslookup.

    I have my Direct Access testers attempting to hit the DMZ servers as they using varying Internet providers in their remote locations.

    Tuesday, March 22, 2011 5:15 PM
  • That very well could be a "feature" that your ISP is providing.  For example, OpenDNS does something similar.  If you type a non-existent domain name it will resolve to one of OpenDNS's web servers and use the domain name as a search query.  It is intended to prevent you from seeing the "host not found" error messages, and I assume generate some clicks on banner ads and sponsors.

    If you like, you can try changing the DNS settings on your network adapter to try to using another provider's DNS services.  Here's a couple you can try:

     

    Level3: 4.2.2.4 and 4.2.2.2

    OpenDNS: 208.67.222.222 and 208.67.220.220

    Google: 8.8.8.8 and 8.8.4.4


    MrShannon | TechNuggets Blog | Concurrency Blogs
    Saturday, March 26, 2011 1:36 AM
  • Shannon,

    After I read yours and Jasons articles, that certaintly made sense.  I added www.dnr.state.oh.us to the nrpt and it works.

    But, I spent nearly a day troubleshooting a "Group Policy" issue.  I finally talked the network guys into checking my cabling and after repunching the cables, My group policies miraclously started to update.  Not sure how cabling can go bad when you are out for a week in training.....

     

    Anyway BIG Thanks to you and Jason for your help!

     

    Chris

    Wednesday, March 30, 2011 7:42 PM
  • Good news :)
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, March 31, 2011 8:58 AM
    Moderator