UAG DA Array on public subnet

Question

  • Doing a UAG array for use in DA.

    Normally when doing these deployments I'd have the external IPs as public & then an "internal network" on a private IP range. In this scenario the entire organisation runs from public subnets.

    My question is, when deploying UAG with two NICs, do they need to be in separate subnets, or can both "internal" and "external" be the same subnet? It would be possible to configure "internal" and "external" as separate public subnets, but that would make things harder from an infrastructure positioning point of view!

    (It's worth noting there is a front firewall protecting all the internal public subnets.)

    At least having the required number of public IPs for the VIP & DIPs will be simple!

    Thanks,

    Ben.

    Thursday, June 17, 2010 9:22 AM

All replies

  • Yeah, they need to be on discrete subnet/networks.
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by Bibbleq Thursday, June 17, 2010 11:06 AM
    Thursday, June 17, 2010 10:52 AM
  • Hi Ben,

    As Jason said, the external interface must be on a different Network than the internal interface.

    However, TMG drives the concept of "Network" for UAG - the definition of a TMG Network is a collection of IP addresses directly reachable from a specific NIC on the UAG server. So, you could use addresses that technically belong to the network ID behind the UAG server, but exclude IP addresses from that network ID when you define the addresses for the default Internal Network - then assign one of those addresses to the external interface of the UAG server (actually, two of them to support DA) and one of them for the default gateway assigned to the UAG server.

    Whether this is supported or not, I'm not sure - it's definitely a corner case and stretches the capabilities of the TMG definition of Networks. However, it's something you might want to test, and if it works, it'll possibly save you time and effort in other areas :)

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Tuesday, June 22, 2010 2:48 PM
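As an added illustration of Tom's suggestion (example code, not from the thread or the UAG/TMG product): carve the gateway and the two external-NIC addresses out of the public network ID, so the remaining first-last ranges can be entered as the TMG Internal Network, then check that none of the carved-out addresses fall inside it. The /24, gateway and DA addresses below are constructed sample values (an RFC 5737 documentation prefix standing in for the real public block).

```python
import ipaddress
from typing import Iterable, List, Tuple

IPv4 = ipaddress.IPv4Address
Range = Tuple[IPv4, IPv4]


def internal_network_ranges(network_id: str, excluded: Iterable[str]) -> List[Range]:
    """Split network_id into the inclusive first-last ranges that remain once
    every address in `excluded` is removed. Those ranges are what goes into the
    TMG Internal Network definition; the excluded addresses are then free for
    the external NIC and the default gateway without TMG treating them as internal."""
    net = ipaddress.ip_network(network_id, strict=True)
    holes = sorted({ipaddress.ip_address(a) for a in excluded})
    for a in holes:
        if a not in net:
            raise ValueError(f"{a} is not inside {net}")
    ranges: List[Range] = []
    cursor = net[0]                      # walk upward from the network address
    for hole in holes:
        if hole > cursor:                # addresses before this hole stay internal
            ranges.append((cursor, hole - 1))
        cursor = hole + 1                # skip the excluded address itself
    if cursor <= net[-1]:                # tail after the last hole, up to broadcast
        ranges.append((cursor, net[-1]))
    return ranges


def as_tmg_strings(ranges: List[Range]) -> List[str]:
    """Render ranges as 'first-last' text, the form an address-range entry takes."""
    return [f"{lo}-{hi}" for lo, hi in ranges]


def external_addresses_disjoint(ranges: List[Range], external: Iterable[str]) -> bool:
    """Sanity check: an external-NIC or gateway address inside any internal range
    would be reachable 'via the internal NIC' as far as TMG is concerned."""
    addrs = [ipaddress.ip_address(a) for a in external]
    return not any(lo <= a <= hi for a in addrs for lo, hi in ranges)


# Constructed sample values (hypothetical site, not from the thread).
SITE_NETWORK_ID = "203.0.113.0/24"
DEFAULT_GATEWAY = "203.0.113.1"
DA_EXTERNAL_IPS = ["203.0.113.10", "203.0.113.11"]   # two public IPs for DA, as Tom notes

if __name__ == "__main__":
    carved = internal_network_ranges(SITE_NETWORK_ID, [DEFAULT_GATEWAY, *DA_EXTERNAL_IPS])
    for entry in as_tmg_strings(carved):
        print("Internal Network range:", entry)
    print("carved-out addresses disjoint:",
          external_addresses_disjoint(carved, [DEFAULT_GATEWAY, *DA_EXTERNAL_IPS]))
```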