UAG - Internal and External NIC's on the same subnet?

  • Question

  • Is this a supported scenario? I have always been under the impression that the Internal and External NICs need to be on different subnets, but it doesn't seem to be stated in the documentation:

    http://technet.microsoft.com/en-us/library/ee428826.aspx#Bkmk_topology

    Between a frontend firewall and a backend firewall - The Forefront UAG server is placed in a perimeter network, between a frontend firewall protecting the edge, and a backend firewall protecting the internal network.

    I am deploying UAG for a client with this scenario, a perimeter network comprised of a single subnet, and need to clarify this as soon as possible. Any advice would be much appreciated!

    Thanks
    Tony 


    Friday, November 11, 2011 6:00 PM

Answers

  • Not supported.   Would be insecure, cause routing issues, TMG confusion with internal network vs external, etc.
    • Proposed as answer by Mark Resnik Monday, November 14, 2011 10:01 PM
    • Marked as answer by TKroukamp Tuesday, November 15, 2011 6:00 PM
    • Unmarked as answer by TKroukamp Tuesday, November 15, 2011 9:17 PM
    • Marked as answer by TKroukamp Tuesday, November 15, 2011 9:18 PM
    Friday, November 11, 2011 6:08 PM

All replies

  • Is this officially documented anywhere by Microsoft?  I really need to be able to show this to the client.

    Thanks
    Tony

    Tuesday, November 15, 2011 9:19 PM
  • This article both explains how to do it, and has a big yellow "note" near the top that says it is unsupported.

    http://social.technet.microsoft.com/wiki/contents/articles/how-to-install-uag-for-application-publishing-on-a-single-network.aspx

    • Proposed as answer by Thomas [T] Monday, August 19, 2013 6:07 PM
    • Unproposed as answer by Thomas [T] Monday, August 19, 2013 6:07 PM
    Tuesday, November 15, 2011 9:26 PM
  • Hi Mark, the link is dead. Do you know the updated link to the article? We run into the situation, but our client insists there is no official document saying the internal and external network can be in one subnet :(

    Toms

    Friday, May 31, 2013 4:32 AM
  • Not sure why that link is dead. Best I can find is the actual UAG system requirements document: http://technet.microsoft.com/en-us/library/dd903051.aspx

    It says:

    Two network adapters that are compatible with the computer operating system. These network adapters are used for communication with the internal corporate network, and the external network (Internet). Deploying Forefront UAG with a single network adapter is not supported. In addition, Forefront UAG supports configuration of two networks (internal and external). Connecting to different network switches for network redundancy is supported, providing that both are defined as part of the internal or external network. Using Forefront TMG running on the Forefront UAG server to provide multiple network routing is not supported.

    So this, to me, clearly indicates you must have 2 NICs, not one, and that the two NICs are on "two networks (internal and external)". This isn't to say that technically you couldn't make it work in TMG and Windows routing if the 2 networks were the same network, but it would be confusing, insecure, and officially it would be unsupported.

    Friday, May 31, 2013 3:41 PM