UAG and TMG and intranet clients NAT-ing

  • Question

  • Hi

    I want to install Forefront UAG along with TMG on my edge server to meet the following goals:

    1- Allow remote users to connect to my intranet and access the servers in the corporate network.
    2- Allow intranet users to connect to the internet

    Is it possible for TMG to provide the NAT service while UAG is installed alongside it on the same server?
    Since some of my remote users do not run Windows 7, I need to give them VPN access to the corporate network, and as I have read, UAG gives them the ability to connect using VPN. However, is it only SSTP VPN, or is L2TP also allowed?

    Thanks
    Friday, February 19, 2010 9:44 AM

Answers

  • Hi Amigo. The diagram above should be completed with another NIC from UAG to the intranet, and that's all. Regarding the publication, TMG just NATs the UAG's external interface (it is not a secure-web-publishing rule, just a server-publishing rule using the "HTTPS inbound" protocol. You could use the secure-web server publishing rule, but this will prevent using a certificate authentication scheme in UAG). Another option is to put UAG in parallel with TMG, with UAG owning the public IP. In fact, you will need this if you want to use DirectAccess.

    Hope it helps
    // Raúl - I love this game
    • Marked as answer by Erez Benari Monday, March 1, 2010 9:26 PM
    Friday, February 26, 2010 10:36 AM

All replies

  • Hi Amigo. The TMG that comes with UAG is aimed at supporting the UAG functionality, not at being used as a general-purpose TMG. This means there are some scenarios that are not supported, and one of them is using TMG as an "Internet access control" gateway for internal users. Take a look at the support boundaries: http://technet.microsoft.com/en-us/library/ee522953.aspx

    Regarding the VPN access, UAG will provide SSL VPN functionality by publishing applications in a web portal (web and client-server), eliminating the need to give the users full network access. If this doesn't fit your scenario, the traditional VPN connection can be achieved through another application also published in the portal that we call the "network connector". When the client operating system is Windows 7, the network connector will open an SSTP connection through UAG (really through the underlying TMG), but the user doesn't need to configure a dial-up connection; it is automatically created and launched. If the operating system is older than Windows 7, the network connector will install a virtual network adapter in the workstation (ActiveX component) that will open the connection to the internal network.

    Have a nice weekend
    // Raúl - I love this game
    Friday, February 19, 2010 11:22 AM
  • Hi Raul,

    Thanks for your great help. By the way, regarding SSTP and network remote access, some questions came into my mind:

    1- By publishing servers through Forefront UAG, are we posing any security risks to the network?

    2- Do you think it's a good idea to put the published servers in a DMZ?

    3- If we put the servers in a DMZ, we still need to establish connectivity between some of the DMZ servers and the internal servers, like the connectivity between the DC and UAG. Don't you think it brings security risks for the network? However, maybe I am wrong and the whole publishing task does not bring any security risk for the corporate network, since the user only has access to some specific servers.

    Thanks
    Friday, February 19, 2010 3:38 PM
  • The other question regarding the network topology is that:

    Given that we need to give internet access to our internal users, we will definitely need to do some NAT implementation; however, I really do not have any idea where to put the other TMG which is going to NAT my entire internal network.
    There are two ways that come to my mind:

    1-

    internet ----------- TMG (NAT Server) ------------- Forefront UAG ----------- intranet

    This way UAG is behind the NAT, which is not our desired implementation, and as far as I can tell, it would not work. Would it?

    2-

    internet ----------- Forefront UAG ------------ TMG (NAT Server) ---------- intranet

    In this implementation UAG is put after the NAT server, which again is not what we desire, because UAG needs to have one NIC in the internal network with a private IP address.

    So what am I gonna do?

    I would appreciate your help
    Regards

    Saturday, February 20, 2010 8:38 AM
  • Hi Amigo. You shouldn't include UAG in your routing infrastructure. I would put a TMG with three legs: one internal, one external and one perimeter. UAG would have two legs, one internal and the other one in the perimeter. TMG handles all the public addresses. TMG NATs the external address of UAG with an HTTPS Server Publishing Rule. TMG NATs the internal addresses with Access Rules.

    Hope it helps
    // Raúl - I love this game
    Monday, February 22, 2010 10:06 AM
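    The three-leg design in Raúl's reply, modelled as a small policy evaluator so the two rule types can be checked against sample flows (an added example, not TMG's rule engine or anything posted in the thread; the zone names and addresses are constructed):

```python
"""Policy model of the three-leg TMG / two-leg UAG design from the thread.

Added example: not TMG code and not from the thread. Zones and addresses are
constructed. As in TMG, "external" is everything not explicitly defined.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing (assumed for illustration only)
ZONES = {
    "perimeter": ip_network("192.168.100.0/24"),  # TMG third leg; hosts UAG's "external" NIC
    "internal": ip_network("10.0.0.0/16"),        # TMG internal leg; UAG's second NIC lives here
}
TMG_PUBLIC_IP = "203.0.113.10"      # the only public address in this design
UAG_PERIMETER_IP = "192.168.100.5"  # target of the HTTPS server-publishing rule


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"  # anything not explicitly defined is External


def tmg_policy(flow: Flow) -> tuple:
    """Evaluate a flow arriving at TMG; returns (action, translated_dst, translated_src)."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    # Server publishing rule: TCP/443 to the public IP is DNATed to UAG's perimeter NIC.
    # The client source address is preserved, so UAG still sees the real client.
    if (src_zone == "external" and flow.dst == TMG_PUBLIC_IP
            and flow.proto == "tcp" and flow.dport == 443):
        return ("publish", UAG_PERIMETER_IP, flow.src)
    # Access rule: intranet clients reach the Internet, source NATed behind the public IP.
    if src_zone == "internal" and dst_zone == "external":
        return ("allow-nat", flow.dst, TMG_PUBLIC_IP)
    # Default deny: nothing else from the Internet reaches the perimeter or intranet,
    # and UAG talks to the intranet over its own internal NIC, not through TMG.
    return ("deny", None, None)
```

    Only the published port on the public address is forwarded; every other inbound flow is denied, which is the property the later replies rely on when they say the application servers are never exposed directly.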
  • Hi Amigo. Well, one of the most accepted principles in security is that the only secured system is one with no operating system installed, turned off and kept buried under the ground, so from the very initial moment that you put it in production it will be some kind of insecure. UAG is more secure than a traditional NAT publication because the application servers are not directly exposed to the Internet. There is no way to reach your FTP server unless you get authenticated to UAG and you comply with the security policies in place. This also makes UAG a more secure way to access internal resources than a traditional network-connection-oriented VPN solution, because the end users are not granted access at the network level to the whole intranet in an indiscriminate way, just to the application servers they need. Regarding the location of application servers, from my point of view they should be in the internal network. Putting in a second level of network-traffic filtering doesn't enhance or improve the protection that UAG offers.

    Hope it helps
    // Raúl - I love this game
    Monday, February 22, 2010 11:15 AM
  • Hi Raul,

    Thanks for your answer. So as you explained, I will have to keep my UAG behind the NAT in a three-edge TMG scenario, in the sense that TMG has three interfaces:

    1- connected to the external network (Internet)
    2- connected to the internal network
    3- connected to the perimeter network in which we have our UAG

    But the question is: in a perimeter network which is connected to one of the interfaces of TMG (as our three-edge firewall), how could we have our UAG, because UAG needs to have two interfaces, as you even said (one connected to the internal network and the other one connected to the internet)?

    This is your scenario:

    internet ---------------------- TMG (NAT Server) ------------------ intranet (Private IP Addresses)
                                           |
                                           |
                              Forefront UAG (Private IP Address)

    As you said, we publish the UAG portal using TMG to the outside users, and when outside users are connected to UAG, we redirect them to the other section of the network, which is the internal one. Given that we also do publishing on UAG, can we say that we are publishing twice, once on TMG and once on UAG?

    Could you clarify your solution more regarding the IP addressing scheme and also the network interfaces that each server would require?

    Appreciated much
    Monday, February 22, 2010 2:50 PM
  • Hi again,

    Is it generally possible for UAG to have one network interface only?

    How about this scenario?
    Is it possible to have a one-NIC UAG in the DMZ in this scenario?

    thanks
    Monday, March 8, 2010 4:50 PM
  • Hi Amigo, UAG needs two interfaces. It is possible to have TMG with only one NIC acting as a proxy (forward or reverse), but for UAG two interfaces are needed.

    Regards
    // Raúl - I love this game
    Monday, March 8, 2010 5:22 PM
  • Hi Raul,

    Thanks for your replies. Would you clarify a bit more on how to use TMG and UAG in parallel? Because I need to use DirectAccess on my UAG server.

    Thanks
    Sunday, March 14, 2010 4:32 PM
  • Hi Esmaeil,

    Parallel configurations are when both the TMG firewall and the UAG server are on the edge of the network, so they both have public IP addresses. This is recommended in your setup because you need TMG for firewall and outbound access protection and the UAG for DA.

    HTH,
    Tom
    MS ISDUA/UAG DA Anywhere Access Team
    Monday, March 15, 2010 7:00 PM