UAG 2010 trial can not get servers to list in file access

  • Question

  • I have a virtual domain operating under VMware ESI 4.1; it is configured as follows:

    1 primary DC windows 2008 Enterprise SP1

    1 backup DC Windows 2008 Enterprise SP1; it also has a share on it with Everyone full control access

    1 Email server Windows 2008 SP1 Exchange 2007 standard

    1 Forefront UAG server Windows 2008 Enterprise SP1

    I have my ESX server connected with 2 NICs to a 1 GB 3com switch which is connected to my router.

    I am not able to browse the network on the UAG server by clicking Network in Windows, or when I try to set up File access in UAG I get a message that says: "Saving data...Please wait...server error.Please refresh the page."

    I have made the appropriate local security policy changes listed in TechNet, listed below:

    • Domain member: Digitally encrypt or sign secure channel data (always): Disabled

    • Domain member: Require strong (Windows 2000 Server or later) session key: Disabled

    • Microsoft network client: Digitally sign communications (always): Disabled

    • Microsoft network server: Digitally sign communications (always): Disabled

    • Microsoft network server: Digitally sign communications (if client agrees): Disabled

    • Network Security: LAN Manager Authentication Level: Send LM and NTLM responses

     

    If I uninstall UAG everything works fine.  If I bring down the TMG firewall I still cannot browse the network.

    I have also installed UAG on a server which is not under ESX and I get the same results.

    Internal NIC is configured

    IP=192.168.0.8

    SM=255.255.255.0

    DG=none

    DNS=192.168.0.2  (Primary DC)

    External NIC is configured

    IP=192.168.0.10

    SM=255.255.255.0

    DG=192.168.0.1

    DNS1=204.15.185.22 (External DNS)

    DNS2=204.15.184.2

    I have configured UAG as an Edge Firewall.

     

    I cannot figure out what is going on: 1 virtual UAG and 1 physical UAG, same results. Please help.

    Tuesday, April 12, 2011 5:13 PM

Answers

  • UAG and TMG need you to define for them your "Internal" network. This is done by establishing the correct routes, and by defining the network within the UAG wizards. First you will have to add any routes that you need to application servers into Windows. You want these routes to flow through the "Internal" NIC. After routing is worked out, you then run through the "Network Interfaces..." wizard which is launched from the "Admin" menu inside UAG Management. This will ask you to choose which NIC is External and which is Internal, and then you can define the IP ranges that consist of your "Internal" network.

    It is unclear whether or not this is a Microsoft supported installation scenario, but here is a post that details out setting up UAG on a single network like you are trying to accomplish:

    http://social.technet.microsoft.com/wiki/contents/articles/how-to-install-uag-for-application-publishing-on-a-single-network.aspx

    Like I said before, even if you get it working you are definitely setting yourself up to be restricted in what you will be able to do with UAG. If you haven't tried DirectAccess yet you should (it's awesome!), but this configuration will not allow you to test DA.

    • Marked as answer by Erez Benari Wednesday, May 4, 2011 11:47 PM
    Wednesday, April 20, 2011 12:39 PM

All replies

  • Your network configuration is interesting, and I think you may need to change some things around before you're going to get normal results in a lot of different areas of UAG.

    The first thing you should change is to remove the DNS servers from your External NIC; you should have DNS entries listed only on your Internal NIC. Also check your NIC binding order and make sure Internal is listed first.

    The biggest problem I see with your configuration is that your Internal and External NICs appear to be installed on the same subnet. This is not supported and could definitely cause you many strange symptoms. UAG/TMG needs to know what internal networks to "trust" and by placing both NICs on the same subnet, you are confusing the core network definitions. That being said, I do have one customer who is doing this as well, with both NICs on the same subnet, but they are limited to very particular ways of using UAG, and they can definitely not get DirectAccess to work in that configuration. If you are interested in checking out DA in the future, you need to get the External NIC connected to some public IPs.

    Wednesday, April 13, 2011 1:51 PM
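
The checks described in the reply above (both NICs on one subnet, DNS servers on the External NIC), plus the no-gateway-on-Internal rule the question cites, written out as an added example that is not part of the original thread. The `Nic` class, the `audit` function, the finding names and the 192.168.0.0/24 "Internal" range are assumptions; the 203.0.113.0/24 addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Nic:
    ip: str
    mask: str
    gateway: Optional[str] = None
    dns: List[str] = field(default_factory=list)

    @property
    def network(self):
        # ip_interface accepts a host address with a dotted netmask
        return ipaddress.ip_interface(f"{self.ip}/{self.mask}").network


def audit(internal, external, internal_ranges):
    """Return finding codes for a two-NIC gateway (hypothetical rule names)."""
    ranges = [ipaddress.ip_network(r) for r in internal_ranges]
    findings = []
    if internal.network.overlaps(external.network):
        findings.append("same-subnet")
    if external.dns:
        findings.append("dns-on-external")
    if internal.gateway:
        findings.append("gateway-on-internal")
    # The external address and its gateway must sit outside the trusted ranges.
    outside = [a for a in (external.ip, external.gateway) if a]
    if any(ipaddress.ip_address(a) in r for a in outside for r in ranges):
        findings.append("external-inside-internal-range")
    return findings


# Values posted in the question; the internal range is an assumed wizard entry.
POSTED_INTERNAL = Nic("192.168.0.8", "255.255.255.0", dns=["192.168.0.2"])
POSTED_EXTERNAL = Nic("192.168.0.10", "255.255.255.0", gateway="192.168.0.1",
                      dns=["204.15.185.22", "204.15.184.2"])
# Constructed corrected layout: external NIC on a separate documentation subnet.
FIXED_EXTERNAL = Nic("203.0.113.10", "255.255.255.0", gateway="203.0.113.1")

if __name__ == "__main__":
    print(audit(POSTED_INTERNAL, POSTED_EXTERNAL, ["192.168.0.0/24"]))
    print(audit(POSTED_INTERNAL, FIXED_EXTERNAL, ["192.168.0.0/24"]))
```
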
  • Thank you for your suggestion about the external IP address.  I only have one static IP address available to me as I am running this as a test environment.  I also do not have a router that is capable of handling two subnets.  Also, if I remove the DNS from my external NIC then I will have no internet access from the External NIC.  The Internal NIC is configured with no default gateway as per best practices by Microsoft; therefore there will be no internet access from the UAG server.

    Please advise

    Tuesday, April 19, 2011 6:05 PM