UAG Functionality

  • Question

  • Hi,

    Sorry for this dumb question, but can a single UAG deployment publish these services:

    • Portal access
    • DirectAccess
    • Exchange ActiveSync
    • Outlook Web Access
    • Outlook Anywhere
    • Lync 2010
    • Windows Sharepoint Services (WSS 3.0)

    These services will require different public IP addresses, different SSL certificates, etc.  Can a single UAG deployment in a DMZ configuration be configured to route appropriately to many different internal servers?  Do you simply bind multiple public IP addresses to a single external-facing NIC on the UAG?  Do the SSL certificates need to be installed on the UAG and, if so, are they applied to the single external-facing NIC?

    Just trying to figure out what I can accomplish with a single UAG deployment.

    Thanks.

    Thursday, November 8, 2012 7:40 PM

All replies

  • Also, what is better a UAG appliance like the "nAppliance nUAG 1500U" or a typical Win2008R2 server with UAG installed?  What are the pros and cons?  I like the idea of a pre-hardened appliance, but not sure if there are limitations to be aware of.

    Thanks.

    Thursday, November 8, 2012 8:32 PM
  • Yes, I actually tried publishing the portal with SharePoint 2010, Outlook Anywhere, OWA, ActiveSync, file sharing, Lync, RemoteApps and RDP, and on top of them you can also publish the UAG DirectAccess.

    In my case I used a SAN (Subject Alternative Name) certificate and it worked fine.


    Friday, November 9, 2012 9:05 AM
  • From an application publishing perspective, I would recommend you review the following information to understand the levels of supportability for UAG published applications:

    http://technet.microsoft.com/en-us/library/ee522953.aspx

    http://blogs.technet.com/b/ben/archive/2012/11/09/uag-lync-mobility-and-other-lync-clients.aspx

    Most of the apps you list should be fine, but Lync needs to be thought about carefully as full support is not included.

    As for the other questions...

    Q: Can a single UAG deployment in a DMZ configuration be configured to route appropriately to many different internal servers?

    A: Yes, you define a destination as part of the application configuration. Each app can have its own independent public URL, or you can hide all applications behind a single portal URL.

    Q: Do you simply bind multiple public IP addresses to a single external-facing NIC on the UAG?

    A: It depends; you can only assign a single IP address to each trunk, so you will either need to create multiple trunks, or get multiple external DNS names to point to a single public IP address and then use a wildcard or SAN cert on the trunk. Often UAG is behind a firewall which is NATing inbound, which may change the approach slightly.

    Q: Do the SSL certificates need to be installed on the UAG and, if so, are they applied to the single external-facing NIC?

    A: Yes, you install server certificates on each UAG server; certificates are then bound to one or more UAG trunks.

    Cheers

    JJ


    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Friday, November 9, 2012 10:13 AM
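Jason's point about one IP per trunk and a SAN or wildcard certificate has a practical consequence worth checking before the certificate is bought: a UAG 2010 trunk (IIS 7.5 on Windows Server 2008 R2, which has no SNI) presents one certificate regardless of the hostname the client sends, so every public name routed to that trunk's IP must be on that one certificate. The script below is an added example, not code from this thread or from UAG itself; the contoso.com hostnames, the public IP 203.0.113.10 and the certificate name lists are constructed for illustration. It applies the standard TLS hostname-matching rules (exact match, or a wildcard standing in for exactly one left-most label) and reports which planned names a given certificate would leave uncovered.

```python
"""Check that a single certificate covers every external name planned for one UAG trunk.

Added example, not code from the thread. Hostnames, the public IP and the
certificate name lists are constructed for illustration. Matching follows the
standard TLS hostname rules (RFC 6125): an exact match, or a wildcard whose
'*' stands in for exactly one left-most label. Runs offline.
"""
from typing import Dict, Iterable, List


def name_matches(cert_name: str, hostname: str) -> bool:
    """True if a certificate name (CN or SAN entry, possibly a wildcard) matches hostname."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    # "*.contoso.com" covers "owa.contoso.com" but neither "contoso.com"
    # (no left-most label) nor "a.b.contoso.com" (two labels, not one).
    suffix = cert_name[1:]  # ".contoso.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def uncovered_names(cert_names: Iterable[str], hostnames: Iterable[str]) -> List[str]:
    """Hostnames that no entry in cert_names matches, in the order given."""
    names = list(cert_names)
    return [h for h in hostnames if not any(name_matches(n, h) for n in names)]


def check_plan(plan: Dict[str, List[str]], certs: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """For each trunk (keyed by its public IP), the published names its certificate leaves uncovered.

    A UAG 2010 trunk is bound to one IP and presents one certificate whatever host
    the client asked for (IIS 7.5 on Windows Server 2008 R2 has no SNI), so every
    name published on that trunk must appear on that one certificate. A trunk with
    no certificate listed in `certs` is reported with all of its names uncovered.
    """
    return {ip: uncovered_names(certs.get(ip, []), names) for ip, names in plan.items()}


# Constructed plan: all public DNS names point at one public IP, i.e. one trunk.
TRUNK_PLAN = {
    "203.0.113.10": [
        "portal.contoso.com",
        "owa.contoso.com",
        "activesync.contoso.com",
        "sharepoint.contoso.com",
        "lyncweb.contoso.com",
        "lyncdiscover.contoso.com",
    ],
}

# Two candidate certificates for that trunk (constructed).
SAN_CERT = [
    "portal.contoso.com",
    "owa.contoso.com",
    "activesync.contoso.com",
    "sharepoint.contoso.com",
]
WILDCARD_CERT = ["*.contoso.com"]


if __name__ == "__main__":
    for label, cert in (("SAN cert", SAN_CERT), ("wildcard cert", WILDCARD_CERT)):
        result = check_plan(TRUNK_PLAN, {"203.0.113.10": cert})
        for ip, missing in result.items():
            status = "OK" if not missing else "MISSING " + ", ".join(missing)
            print(f"{label} on trunk {ip}: {status}")
```

Running it shows the four-name SAN certificate leaves lyncweb and lyncdiscover uncovered (those clients would get a certificate error, or those names would need a second trunk on a second IP with their own certificate), while the wildcard covers everything one label below contoso.com. Two caveats: a wildcard does not cover contoso.com itself or names two labels deep, and it is a broader credential than a SAN certificate listing exactly the names you publish, so a key compromise on the UAG box affects every host under the domain. If the UAG sits behind a NATing firewall, as Jason mentions, put the trunk's own address in the plan instead of the public IP; the one-certificate-per-trunk requirement does not change.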
  • Hi Ahmed,

    Thanks for the reply.  Did you have one SAN cert or a combination of different certificates?

    Bill

    Friday, November 9, 2012 2:36 PM
  • Hi Jason,

    Thanks for the information.  As far as Lync is concerned, would an acceptable solution be to simply put a multi-homed Lync Front Edge server in the DMZ?  I don't know if I can afford to deploy a UAG and a separate TMG (or alternative reverse proxy).

    I like what the UAG solution can provide, but I also need to accommodate my existing Lync deployment that is currently not available from outside my corporate network.

    Thanks for any advice and/or guidance you can provide.

    Bill

    Friday, November 9, 2012 2:47 PM
  • From what I understand, there are several aspects of the Lync feature set that cannot be handled by the Edge server alone, and you have to have a reverse proxy to accommodate those needs. That reverse proxy can be TMG or UAG, but UAG appears to only officially support a subset of Lync features. The Lync Edge gets you some of the external connectivity features, but not all. This may help: http://ucken.blogspot.co.uk/2011/07/configuring-lync-for-external-access.html

    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Friday, November 9, 2012 2:58 PM
  • This is worth a read: http://blogs.technet.com/b/ben/archive/2012/02/13/lync-publishing-on-uag.aspx

    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Friday, November 9, 2012 3:00 PM
  • Hi Jason,

    I was reading one of the links you provided above: http://technet.microsoft.com/en-us/library/ee522953.aspx

    Based on the excerpt below, does it appear that I could use the underlying instance of TMG on the UAG deployment to publish Lync services?  Doesn't the last bullet point below imply that you could use TMG/UAG to handle Lync?  If I didn't have to buy them separately, that would be great.

    Thanks again.

    Bill

    *************************************************************************
    You can use Forefront TMG running on the Forefront UAG server, as follows:

    • Creating access rules using the Forefront TMG Management console, for the purpose of limiting users, groups, and networks for granular access when deploying Forefront UAG for VPN remote network access.
    • Monitoring with the Forefront TMG Management console.
    • Limiting users, groups, sources and destinations on Forefront TMG system policy rules, with the purpose of enabling access to corporate servers and remote management to and from the Forefront UAG local host server.
    • You can publish the following applications via Forefront TMG:

      • Exchange SMTP/SMTPS
      • Exchange POP3/POP3S
      • Exchange IMAP/IMAPS
      • Office Communications Server (OCS)—Only Communicator Web Access should be published using Forefront UAG. Other OCS features should be published using the Forefront TMG console running on the Forefront UAG server.

    **************************************************************************************

    Friday, November 9, 2012 3:09 PM
  • I have tried to get that statement improved for quite a while, as it is a bit vague; it also doesn't mention Lync specifically. From my understanding, you can only use the underlying TMG instance for publishing non-web protocols like SIP. You cannot use the underlying TMG instance for publishing any Lync web services.

    Confusing? Yes! :)

    P.S. Ben's recent blog post about UAG/Lync is probably about as verbose/accurate as you are going to get at the moment...


    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk


    Friday, November 9, 2012 3:16 PM
  • Tell me about it.  I feel like what I am trying to accomplish shouldn't be that complicated.  I just don't want to spend $10,000 or more on something that won't deliver.

    Here is what I need to do:

    • Sharepoint
    • OWA
    • File Shares
    • Remote Desktop
    • EAS
    • Outlook Anywhere
    • Lync (IM, Audio/Video, Screen Sharing, etc.)
    • DirectAccess (an alternative to VPN client connections)

    Seems like Lync is my only issue when looking at UAG.  My goal is to be able to provide access for the Lync Mobile client apps for smartphones and tablets. Also, it would be nice to be able to incorporate Lync via the OWA interface.

    One of my other challenges is that we have several branch office locations that connect to our corporate office via point-to-point VPN.  Lync works over the VPN, but the VPN overhead can cause issues.  I was hoping to be able to figure out a way that my branch office employees could access Lync over the internet so that the Lync traffic doesn't have the VPN overhead getting in the way.

    Simple, right?

    Bill

    Friday, November 9, 2012 3:42 PM
  • If TMG wasn't EOL, I would probably recommend that and use SSTP for painless-style SSL VPN. If you did want DA you could then add a Windows Server 2012 DirectAccess server for a reasonable price.

    The other option is to go with UAG and accept that some of the configuration to make Lync work would be unsupported; not ideal, and I can't officially recommend that, but it is a technically viable option... you are correct that UAG will get you pretty close to your 'wish list' and, who knows, support for additional Lync scenarios may be added in future updates/service packs if MS feel it is of value to customers...


    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Friday, November 9, 2012 4:08 PM
  • Thanks guys for all the great information.  Do you have any recommendation for UAG appliance vendors?
    Friday, November 9, 2012 5:48 PM
  • I work for one :) - http://www.ivonetworks.com

    Feel free to contact me directly and I'll get you any information you need on the appliances, particularly the ways that they are better than the others. ;)

    jordan.krause@ivonetworks.com

    Tuesday, November 13, 2012 5:01 PM