Strange Issue in UAG 2010 DirectAccess

  • Question

  • Hi Guys..

     

    I have recently installed UAG 2010 with SP1 in my test environment with 2 physical NICs on Win2008 R2 with all security hot-fixes. When I run the wizard in UAG, after giving the interface IPs etc. and clicking on “DirectAccess” in the console, I get the following error message. Even after giving 2 different IPs on the 2 physical NICs this error continues..

     

    Forefront UAG DirectAccess Configuration

     

    “The UAG DirectAccess server must be configured with two, static, consecutive, public, IPv4 address, on the Internet-facing physical interface.  Configure the IPv4 address, and then try again”   

     

    Note: I have given an IPv4 address (192.168.x.x)

     

    The second issue is that if the TMG firewall is running I can perform neither RDP nor PING. I have given my machine IP in “Remote Management” and PING, but still the same issue; once I stop the Firewall service for TMG it works fine..

     

    Even the internet won’t be accessible unless the TMG firewall is stopped..

     

    Do I need to add any static route? If YES then would you kindly assist with how I can add these routes..

     

    Our Network IP range is 192.168.x.x

    Kindly assist me with how I can resolve this strange issue –

     

    Kindly let me know if you have any further query


    Thanks
    Monday, November 1, 2010 5:56 AM

Answers

  • You need to remove the default gateway from the LAN NIC and configure it on the WAN NIC. This may help: http://blog.msedge.org.uk/2010/04/recommended-network-card-configuration_14.html You will also need to assign two public IP addresses to your WAN NIC for DirectAccess to work.

    If you have routed networks internally, you will need to add static routes to cover these as discussed here: http://blog.msedge.org.uk/2010/04/threat-management-gateway-tmg.html

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, November 2, 2010 9:01 AM

All replies

  • Hi,

     

    Are you sure you have a public and a domain interface identified by the Microsoft Firewall? I also have some strange problems with Network Location Awareness that identifies my public interface as domain. I have to stop all my UAG services, disconnect and reconnect my public interface in order to solve the problem.

     

    Have a nice day.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    Monday, November 1, 2010 7:42 AM
  • Thanks for your reply - I have resolved the second part which is the RDP and Internet issue - I needed to add a rule in TMG and it works ..

     

    But for UAG "DirectAccess" the problem still exists; I am still getting the below error message

     

    “The UAG DirectAccess server must be configured with two, static, consecutive, public, IPv4 address, on the Internet-facing physical interface.  Configure the IPv4 address, and then try again”   

    Please help me...


    Thanks
    Monday, November 1, 2010 8:23 AM
  • Hi MSadmin,

    You need to add two consecutive public IP addresses to the external interface of the UAG server. It looks like you're using 192.168.0.0/24, which won't work, as that is a private address range.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Monday, November 1, 2010 2:48 PM
  • Thanks Tom for your reply ..

    I am a little bit confused with your reply :-) - let me illustrate my existing setting

    ************************************************

    LAN : 192.168.1.10
    Subnet Mask: 255.255.255.0
    Default Gateway: 192.168.1.1
    DNS: 192.168.3.x
             192.168.3.x

    WAN: 111.111.111.111 (Public IP)
    Subnet Mask: 255.255.255.0
    No Default Gateway

    ************************************************

    After giving this I am still getting the above mentioned error..

    Would you kindly give me an example by taking the above mentioned IP addresses on the respective network interfaces?

    BTW: If I want to input 1.1.1.1 which is NATed with a public IP, will this work?

    Secondly if I am giving a public IP, will UAG sense that this IP is correct? For example if I give any testing IP 222.222.222.222 --- will it work?

    Thanks for your assistance

     

     


    Thanks
    Tuesday, November 2, 2010 5:06 AM
  • Thanks for your glimpse -

     

    A quick query: if I remove the default gateway from the LAN NIC then how will the machine communicate with internal resources, such as AD, RDP etc.?

    After removing the DG.. I can't ping my AD or other internal servers >>

     


    Thanks
    Tuesday, November 2, 2010 12:41 PM
  • You need to define static routes as detailed in the web link I gave you ;)
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, November 2, 2010 12:43 PM
  • Thanks Jason for your quick response ..

    Final query...

    Our testing environment has the following IP segment - would you kindly let me know how I can add the static route once I remove the default gateway from the Internal NIC.

    Internal NIC:
    192.168.3.x

     

    Thanks for your great support - :-)

     

     

     


    Thanks
    Tuesday, November 2, 2010 12:57 PM
  • Try this: route add -p 192.168.3.0 mask 255.255.255.0 192.168.1.x

    where 192.168.1.x is the IP Address of the internal layer 3 Switch or internal LAN router.


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Tuesday, November 2, 2010 1:02 PM
  • Hi MSadmin,

    Follow Jason's advice and you'll be in good shape.

    Also, for the second public IP address, if you're using 111.111.111.111, then the other IP address must be:

    • 111.111.111.110, or
    • 111.111.111.112

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Tuesday, November 2, 2010 1:41 PM
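An added pre-flight check (example code written for this page, not from the thread, UAG or any of the posters) covering the two points the replies above establish: the Internet-facing NIC needs two consecutive public IPv4 addresses (for 111.111.111.111 that means .110 or .112), and once the LAN NIC loses its default gateway, routed internal subnets need persistent `route add -p` entries via the LAN router. The 111.111.111.x and 192.168.x.x values are the thread's placeholders, and Python's `ipaddress` `is_global` stands in for UAG's "public" test, which rejects 192.168.x.x.

```python
# Added example, not from the thread: checks the NIC layout the replies
# describe (two consecutive public IPv4 addresses on the Internet-facing
# NIC, persistent static routes to internal subnets via the LAN router).
# 111.111.111.x and 192.168.x.x are the thread's placeholder addresses.
import ipaddress


def check_external_addresses(addrs, mask="255.255.255.0"):
    """Return the problems the UAG wizard would object to, [] if none."""
    try:
        ips = sorted(ipaddress.IPv4Address(a) for a in addrs)
    except ValueError as err:
        return [f"invalid IPv4 address: {err}"]
    problems = []
    if len(ips) != 2:
        problems.append(f"need exactly two addresses, got {len(ips)}")
    for ip in ips:
        # RFC 1918 space such as 192.168.x.x is private, hence the error
        if not ip.is_global:
            problems.append(f"{ip} is not a public address")
    if len(ips) == 2:
        net = ipaddress.IPv4Network(f"{ips[0]}/{mask}", strict=False)
        if ips[1] not in net:
            problems.append(f"{ips[1]} is outside {net}")
        elif int(ips[1]) - int(ips[0]) != 1:
            problems.append(f"{ips[0]} and {ips[1]} are not consecutive")
    return problems


def consecutive_candidates(addr, mask="255.255.255.0"):
    """Neighbouring addresses that could pair with addr, staying inside
    the interface subnet and off its network and broadcast addresses."""
    net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    ip = ipaddress.IPv4Address(addr)
    usable = set(net.hosts())
    return [str(c) for c in (ip - 1, ip + 1) if c in usable]


def static_route_commands(internal_subnets, lan_router):
    """Persistent 'route add -p' commands for routed internal subnets once
    the LAN NIC no longer carries a default gateway (Jason's advice)."""
    cmds = []
    for subnet in internal_subnets:
        net = ipaddress.IPv4Network(subnet, strict=True)
        cmds.append(f"route add -p {net.network_address} "
                    f"mask {net.netmask} {lan_router}")
    return cmds
```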
  • Further to the implementation I have some quick queries – I would be glad if you could assist me with these:

     

    1. Rather than using two NICs (Internal/External), can I use a single NIC adapter and map the public IP to the internal IP for UAG?

    2. How will the users interact? I mean for communication, do their machines need to have a valid SSL certificate which is published by UAG? Can we use a wildcard certificate *.domain.com?

    3. How do the client machines get an IP? Do I need to define a separate network segment, I mean some IP range, for the users who will be connecting remotely?

    4. What configuration needs to be applied on the client side in order to communicate with the UAG server?


    Thanks
    Saturday, November 6, 2010 10:15 AM
  • Hi

     

    Having two network interfaces is a mandatory requirement of a DirectAccess implementation. Merging the two interfaces is not possible.

     

    A DirectAccess implementation requires a Web Server certificate for the IP-HTTPS protocol (also used for the Network Access Protection HRA). On the client side, certificates are also required. They can be provided by an internal ADCS using the computer certificate template. These certificates will be used as the primary authentication method of the IPsec tunnels.

    At last, client computers will be configured for DirectAccess by the Group Policy generated by UAG during activation.

     

    Have a nice day.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    Saturday, November 6, 2010 10:21 AM
  • Thanks BenoitS for your quick reply :-)

    Here we don't want to merge two NICs - what I mean is we will have only one physical NIC and map the public IP to the UAG internal IP

    As you mentioned GPO - is there any specific GPO or template available in Win2008 R2? If YES would you kindly share it with me...

    Do you have any glimpse or step-by-step guide for implementing UAG - since this is a new technology I am facing some obstacles ...I found one but it is not very informative :-(

    http://blog.msedge.org.uk/2010/04/recommended-network-card-configuration_14.html

    Thanks once again for your quick reply...

     

     

     


    Thanks
    Saturday, November 6, 2010 10:31 AM
  • Hi

    Jason's blog is a good point to start with DirectAccess and UAG!

    UAG will require two dedicated network interfaces because each one will have its own firewall profile and dedicated configuration, especially for IPsec tunnels.

    For sure I have a step-by-step guide: http://danstoncloud.com/blogs/simplebydesign/archive/2010/08/11/directaccess-high-availability-with-uag-2010-part-1.aspx. This is a step-by-step guide for DirectAccess in high availability.

    Group Policies are generated by the UAG DirectAccess activation process. At least two Group Policies will be generated. A third one exists if you enable the selected end-to-edge scenario.

    Take a look at the UAG DirectAccess Design Guide. It's a very detailed document: http://technet.microsoft.com/en-us/library/ee406191.aspx

     

    Have a nice day.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    Saturday, November 6, 2010 11:25 AM
  • UAG DirectAccess Test Lab Guides are a great way to get some practice setting up DirectAccess and learning about the front-end and back-end requirements.

    Check them out at:

    http://social.technet.microsoft.com/wiki/contents/articles/uag-directaccess-test-lab-guide-portal-page.aspx

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Monday, November 8, 2010 3:24 PM