UAG with DirectAccess in a hosted/multi-tenant environment

  • Question

  • Hi,

    Does anybody know of any documentation that may be useful for planning a deployment of UAG with DirectAccess in a hosted/multi-tenant environment?

    I'd like to have UAG set up in a way that all tenants can connect via VPN / DirectAccess to their companies' resources.

    Thanks,

    Paul.

    Wednesday, August 10, 2011 4:49 AM

Answers

  • Hi Paul,


    You should be able to follow the standard guides for UAG DirectAccess deployment.
    It does of course depend on how your current infrastructure is designed.
    Do you have separate domains/forests for each tenant? Any trusts in place between the domains/forests?

    As long as the requirements below are fulfilled, you should be able to follow the standard guides.
    Just make sure that you add all the domain names to the NRPT and that the UAG server(s) have full connectivity to all the internal networks.

    Domains containing DirectAccess client computers can be any of the following:
    1. Domains that belong in the same forest as the Forefront UAG DirectAccess server.
    2. Domains that belong to forests with a two-way trust with the Forefront UAG DirectAccess server forest.
    3. Domains that have a two-way domain trust to the Forefront UAG DirectAccess server domain.


    Link with the above requirements: http://technet.microsoft.com/en-us/library/gg502556.aspx

    A good way to start is to set up a lab environment representing your infrastructure and use the Test Lab Guide for UAG DirectAccess (http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=1770) as a PoC.


    Best wishes,
    Jonas Blom

    • Marked as answer by Paul_Wegs Thursday, August 11, 2011 1:14 AM
    Wednesday, August 10, 2011 8:03 AM
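    The answer above boils down to two things to verify per tenant: the tenant's domain is in the UAG forest or reachable through a two-way trust, and the tenant's DNS suffix is present in the NRPT. The script below is an added example (not from this thread or from Microsoft's guides) that reports both for a list of tenant suffixes. It assumes a domain-joined Windows 8 / Server 2012 or later host with the ActiveDirectory module (Get-DnsClientNrptPolicy does not exist on Windows 7, where `netsh namespace show policy` shows the same data), that it runs from the UAG server's own domain for the trust query and on a DirectAccess client for the NRPT query, and that `$TenantDomains` holds constructed placeholder names.

    ```powershell
    # Added example: audit trust and NRPT prerequisites for each tenant domain.
    # $TenantDomains are constructed placeholders; replace with the real tenant DNS suffixes.
    $TenantDomains = @('tenant-a.example', 'tenant-b.example')

    Import-Module ActiveDirectory
    $uagForestDomains = (Get-ADForest).Domains     # every domain in the UAG server's forest
    $trusts           = Get-ADTrust -Filter *      # trusts as seen from the UAG server's domain
    $nrpt             = Get-DnsClientNrptPolicy    # effective NRPT (run this part on a DA client)

    foreach ($tenant in $TenantDomains) {
        # Requirement 1 from the answer: tenant domain lives in the same forest as the UAG server.
        $sameForest = $uagForestDomains -contains $tenant

        # Requirements 2/3: a two-way trust to the tenant forest (ForestTransitive) or domain.
        $trust  = $trusts | Where-Object { $_.Name -eq $tenant }
        $twoWay = ($null -ne $trust) -and ($trust.Direction -eq 'BiDirectional')

        # NRPT coverage: the answer requires every tenant suffix in the NRPT; rules are stored as ".suffix".
        $nrptRule = $nrpt | Where-Object { $_.Namespace -eq ".$tenant" }

        [pscustomobject]@{
            Tenant      = $tenant
            SameForest  = $sameForest
            TwoWayTrust = $twoWay
            ForestTrust = if ($trust) { [bool]$trust.ForestTransitive } else { $false }
            NrptCovered = ($null -ne $nrptRule)
            Ready       = (($sameForest -or $twoWay) -and ($null -ne $nrptRule))
        }
    }
    ```

    A tenant that shows `TwoWayTrust` but not `ForestTrust` has only a domain-level trust, which is requirement 3 in the answer; `Ready` is false whenever the suffix is missing from the NRPT even if the trust is fine.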

All replies

  • Hi,

    There is no detailed documentation on this scenario. The only requirement is to have a bidirectional trust relationship between the domain your UAG box belongs to and the other forests. Of course, an external trust cannot be used because it relies on NTLMv2 and not NTLM. A forest trust will be required. Additionally, you will have to configure your UAG server for each DNS domain to cover. This information must be registered in the clients' NRPT.

    Cheers.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    Wednesday, August 10, 2011 8:00 AM
  • Hi Paul,

    The UAG DirectAccess Framework / VPN functionality is not really designed to run in a multi-tenant environment, since it's too tightly integrated into Active Directory.

    In addition to that, UAG has some additional limitations which will have an impact on a multi-tenant environment (e.g. required PKI deployment, IPv6 and IPv4 interconnectivity between the customers (overlapping IPs?), one DNS64 server for every customer, lack of fine-grained IPv4/IPv6 packet filtering, etc.).

    So my best advice would be using a dedicated UAG for each of your customers. Those UAGs can be virtualized to optimize your hardware resource usage.

    Edit: Removed C/P mistake.

    -Kai

    Wednesday, August 10, 2011 8:25 AM