IAG design questions

  • Question

  • Greetings all,

     

    I've read most of the public documentation on IAG, but it seems to miss some relevant information for enterprise setups. The documentation covers most things for small corporations, but for enterprise corporations it seems that they only write that it can be done, but not how.

    This area troubles me a bit:

    - IAG placement (DMZ, internal and in what countries)
    - Load balancing/Global load balancing
    - Multiple portals
    - Auditing/Domain member
    - Use the ISA firewall

     

    To put the questions in perspective, let’s make a simple scenario:

     

    Scenario:

    An enterprise corporation with head office in the US and branch offices in China and Holland.

    In the US there are 20.000 employees, while there are 6.000 in China and 2.500 in Holland.

    Economic systems are all placed in the US, while email, file and SharePoint servers are placed in all countries.

    The connectivity from the US to China is 2 MB and to Holland 512 KB.

    It’s estimated that there will be around 600 concurrent users (just to be sure it can be covered with one appliance box).

    The corporation intends to let partners access some business applications through the IAG, and employees will use it as a VPN solution.

     

    My questions in regarding the design of an IAG solution are:

     

    IAG placement:

    In the document “Intelligent Application Gateway 2007: A Technology and features overview”, the appendix mentions the cons of placing the IAG in the DMZ and on the internal network. Personally I prefer to place it in the DMZ out of old habit, though this setup often ends in slow response times for new ports that need to be opened in the internal firewall.

    A suggestion could be to place it in the DMZ with the inside leg connected directly to the internal network?

     

    My other question in the same area (it also covers load balancing) is in what countries the IAG should be placed. Should 2 IAG servers be placed in the US office, or is it better with 5 IAG servers: two in the US, 2 in China and only 1 in Holland? Does anyone know a paper that describes an environment where there are branch offices and application servers in multiple places?

     

     

    Load Balancing:

    In the document “Intelligent Application Gateway 2007: A Technology and features overview” it’s mentioned that IAG can be used with an external load balancer and it “fully” supports global load balancing.

    In a design, for the above mentioned corporation, how would you design the solution and with what equipment?  

    If a design ends up with a placement of 2 IAG servers in the US and 2 IAG servers in China, what kind of equipment would you suggest using for load balancing? Would the load balancing equipment need a certificate (to open the traffic) so that an internal certificate could be used on the IAG servers? And can it make intelligent decisions on where the users are from and what country they should be directed to? (This might make more sense if read with the next section: Multiple portals.)

     

    Multiple portals:

    Is it best practice to just make one portal and let the US, China and Holland access the same URL, and then just give them access to the applications they need on the servers in the different countries? (Some in China might need access to applications in both the US and China, while the US only needs access to applications placed in the US.)

    Or is it better to make two portals one for US and one for China (and then make two public DNS entries one for portal.com and portal.cn)?

     

    For business partners, would you create a third portal partners.com or let them access the employees portal?

     

    Auditing/Domain member:

    Is it supported to install a MOM agent on the IAG servers? I know that KCD only works if the IAG server is a domain member and in the papers it says that the reasons are the same as for the ISA. So my conclusion would be that it should be a domain member for group policies, auditing etc.?

     

    Use the ISA firewall:

    Is it OK to use the ISA firewall on the IAG server as a proxy for internal users? I’ve found papers that say yes and others that say no (I think it's mostly a licensing issue).

     

    Well, that was just some of my questions. But overall most of my troubles are with designing it for enterprise corporations, and I'm sure more information will come when the product starts to take off.

     

    In advance thanks to those who read this post :-)

    • Moved by Keith Alabaster Tuesday, June 16, 2009 5:45 PM Wrong Forum (From:Forefront Edge Security - General)
    Tuesday, March 25, 2008 8:35 AM

Answers

  • Hi Benji,

     

    Perhaps I can answer some of these. we have done a number of deployments, so I hope I can assist...

     

    IAG Placement:

    DMZ with one connection to the LAN, great, much easier than any other way as it needs to know about the internal network as well, like ISA Server.

     

    On the LAN is also good, but again, like ISA, its always good to have an internal and external interface.

     

    Load Balancing:

    It doesn't exist. You need a hardware based load balancer that does keep server affinity. You can't log on to one IAG, have it fail and automatically have seamless failover to the other: it keeps session IDs with the server the client is using, and therefore if one goes down you will have to log on again.

     

    No, you don't need a cert for the equipment, just make sure you configure forwarding of port 443 correctly.

     

    Multiple portals:

    I suggest you use different portals for each location depending on what they need and where their servers are. If there are slow links between them, rather have one physical IAG at each location. This of course depends on your environment and is therefore entirely up to your judgement.

     

    Auditing/Domain member:

    Make it a domain member; it makes your life much easier and IMO it's no less secure than if it wasn't! I don't think there is a MOM agent for IAG yet, but I would take a flyer that it's not supported. But you are right, domain member for sure!

     

    ISA:

    Don't use it. When you apply changes through the IAG console, it wipes out your ISA setting changes, bad, just get another ISA Server for that purpose and use the IAG for what it was made for. Smile

     

    HTH.

     

    Dave.

    Monday, March 31, 2008 8:20 PM

All replies

  • Hi David,

     

    Thanks for your answers on the topic and sorry my reply comes a little bit late (Actually forgot I had posted it in here, until today)  (Yeap, getting old)

     

     

    I would go for the same as you, with one leg in the DMZ and one on the internal network. The reason for this, instead of placing it in a DMZ between an internal and an external firewall, is mostly convenience. Often it takes a lot of time to get the internal firewall configured with the right ports from the IAG server to the application servers, either because an RFC has to be filled out or the firewall administrators are too busy. It was just to see if anyone had some reasons why not to do it.

     

    Regarding the load balancing part, I was mostly interested in what the whitepaper mentions on page 8 under the section Load balancing/Global Load Balancing (it's only 3 lines). I was just curious what MS describes as a global load balancer and if there was anyone who had experience with an implementation of IAG and a product for load balancing.

     

    I have not tested making rules on the ISA server, but it sounds a bit bad if the rules are wiped. But like you, I think that the IAG should just be used for internal access and then a second ISA used for external access and as a firewall. I was just a bit confused, since the introduction paper for the hardware appliance I've received described how to enable VPN on the ISA and not through the IAG installed on it, so I thought perhaps the ISA on the IAG can be used at the same time.

     

    But thanks for taking the time to answer my post David.

     

    Yours Sincerely,

    Benjamin

     

    Tuesday, April 1, 2008 9:41 AM
  • No problem at all.

     

    You were also right about the licencing issue. From what I understand, the ISA software on the box is also not licensed for use.

     

    Been through the mill trying to organise that version of ISA, does it work? Yes, does it work for long? Not when you make a config change to IAG Smile

     

    HTH,

     

    Dave.

     

    Tuesday, April 1, 2008 9:48 AM
    I am somewhat confused by the posts that suggest that IAG activation will wipe out any customized ISA rules that you have developed. From my experience this is simply not the case. If you open the ISA console, in the firewall rules you will see a disabled rule that says something like "Whale Rules End" (can't remember the exact wording). I simply placed my custom rules underneath those rules and to date they have never been erased by the IAG activation.

    The only other part of your post that I have had some direct involvement with is with global load balancing.  We have multiple IAG appliances deployed in different data centers with identical trunk configurations.  So for a given trunk, a DNS resolve would bring you back  two IP addresses (one for each data center) using DNS global load balancing.  What we found though was that sometimes the requests would end up being split and because the two IAG appliances do not share any session information the user would see things like clicking on a SharePoint document and being prompted to log in again. 

    Right now we have some trunks configured active in one data center and other trunks active in the other. All are still configured, but it is more of an active/passive configuration at the moment.

    Hope this helps.
    Saturday, February 7, 2009 4:28 PM
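As an added illustration (a constructed simulation, not code from the thread, from IAG or from Microsoft), this models the split-request behaviour described in the post above and in Dave's note that failover between appliances forces a new logon: two appliances with identical trunks behind round-robin DNS, each honouring only the session cookies it issued itself. The class names, the cookie format and the sticky versus re-resolving client behaviour are assumptions of the model, not IAG internals.

```python
"""Constructed model of the thread's scenario: IAG appliances in two
data centers with identical trunks, DNS global load balancing handing
out both addresses, and no shared session state between the boxes."""
from collections import deque
import itertools


class Appliance:
    """One IAG appliance. It honours only session cookies it issued itself,
    which is the 'no shared session information' behaviour from the thread."""

    def __init__(self, name):
        self.name = name
        self.issued = set()
        self._counter = itertools.count()

    def request(self, cookie):
        """Return (already_logged_in, cookie_to_keep)."""
        if cookie in self.issued:
            return True, cookie
        # Unknown cookie: the user is prompted to log in and gets a new one.
        new_cookie = f"{self.name}-{next(self._counter)}"
        self.issued.add(new_cookie)
        return False, new_cookie


class RoundRobinDNS:
    """DNS global load balancing: one name, answer order rotates per query."""

    def __init__(self, appliances):
        self.ring = deque(appliances)

    def resolve(self):
        answers = list(self.ring)
        self.ring.rotate(-1)
        return answers


def login_prompts(n_requests, sticky, dc_count=2):
    """Count how often one user is asked to log in during n_requests.
    sticky=True keeps the first resolved address; False re-resolves each time."""
    dns = RoundRobinDNS([Appliance(f"dc{i}") for i in range(dc_count)])
    target = dns.resolve()[0]
    cookie, prompts = None, 0
    for _ in range(n_requests):
        if not sticky:
            target = dns.resolve()[0]
        logged_in, cookie = target.request(cookie)
        if not logged_in:
            prompts += 1
    return prompts
```

The dc_count=1 case corresponds to the active/passive trunk arrangement the post ends with: with a single active appliance per trunk the user is prompted only once, whatever the client's DNS caching does.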