DirectAccess with UAG

  • Question

  • I tried to install DirectAccess on a UAG 2010 Hotfix 2 server.

    I use public IP addresses for the internal and external interface from the same supernet range (they are out of a /16 range), but they are subnetted into two class C networks. Even though I have configured 2 consecutive IPs on the public interface with a default gateway mentioned and one IP address on the private interface without any gateway, the installation wizard for the UAG DirectAccess server configuration failed with the error: "there must be configured two, static, consecutive, public ips" and with another error "at least two network interfaces must be configured with a static ip". If I try the same configuration with an IP address out of the 10.0.0.0/24 range on the private network, everything goes fine. The binding order of the network interfaces is correct, first internal, then external.

    Any ideas?

    thank you in advance!

    Thursday, October 14, 2010 2:18 PM


All replies

  • Hi Amig@. UAG needs to identify two consecutive IP addresses to be used with DirectAccess. The most common scenario seems to be one with public IP addresses in the External interface and private addresses in the internal one. It seems that, in your scenario, UAG is getting confused when selecting the public addresses as there are Public IPs in both interfaces. Your workaround sounds suitable.

    Regards


    // Raúl - I love this game
    Friday, October 15, 2010 8:37 AM
  • Can you check the internal network properties in TMG to ensure it has created the correct address range and not assumed a default class B range? Do you also see the correct entries in the Windows routing table?

    I assume the portal features of UAG work ok? (as a test of the current network setup)

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, October 15, 2010 10:41 AM
  • Thank you for your answer!

    I have checked both, and yes, in TMG Networks both are entered as a Class-C Network and the Routing Table for IPv4 is correct.

    Yes the UAG Portal is working fine, as expected.

    thank you!

    Friday, October 15, 2010 11:21 AM
  • Ok, sounds like the DA wizard is getting confused...let me try and ask around...

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, October 15, 2010 12:31 PM
  • The default external network doesn't have any addresses assigned to it - that's the definition of the default External Network.

    Confirm that you have configured the correct addresses as part of the definition of the default Internal Network.

    Also, make sure that the addresses on the external interface are not RFC 1918 addresses.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Friday, October 15, 2010 12:40 PM
  • ...in TMG Networks both are entered as a Class-C Network


    The internal network should only contain a single class C range; this should be the supernet address range for your internal network.
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, October 15, 2010 12:48 PM
  • The default Internal Network can contain any collection of IP addresses, regardless of class or private/public status. What it must not include is any address that should be considered part of the default external network, esp. the IP addresses bound to the external interface of the UAG server.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    • Marked as answer by Erez Benari Monday, October 25, 2010 10:12 PM
    Friday, October 15, 2010 1:23 PM
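
The addressing rules stated in this thread (two consecutive public addresses on the external interface, no RFC 1918 addresses there, and an Internal Network definition that excludes the external interface's addresses) can be checked before running the wizard. The following is an added example, not part of any post and not UAG's own validation logic; the function name and all addresses are constructed for illustration, and the "bad" case models an Internal Network defined as the whole /16.

```python
import ipaddress

# RFC 1918 private ranges, listed explicitly (ipaddress.is_private covers more than these).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_da_addressing(external_ips, internal_ranges):
    """Return a list of problems; an empty list means the stated rules hold.

    external_ips    -- IPv4 addresses bound to the external interface
    internal_ranges -- CIDR ranges defining the default Internal Network
    """
    problems = []
    ext = sorted(ipaddress.IPv4Address(a) for a in external_ips)
    nets = [ipaddress.ip_network(r) for r in internal_ranges]

    # Rule from the thread: external addresses must not be RFC 1918.
    public = [a for a in ext if not any(a in n for n in RFC1918)]
    for a in ext:
        if a not in public:
            problems.append(f"{a} on the external interface is RFC 1918")

    # Rule from the thread: two consecutive public addresses are needed.
    if not any(int(b) - int(a) == 1 for a, b in zip(public, public[1:])):
        problems.append("no two consecutive public addresses on the external interface")

    # Rule from the accepted answer: the Internal Network must not contain
    # any address bound to the external interface.
    for a in ext:
        for n in nets:
            if a in n:
                problems.append(f"Internal Network range {n} contains external address {a}")
    return problems


# Constructed sample values (benchmarking range 198.18.0.0/15), not from the thread.
EXTERNAL = ["198.18.1.10", "198.18.1.11"]
GOOD_INTERNAL = ["198.18.2.0/24"]   # separate /24 out of the same /16
BAD_INTERNAL = ["198.18.0.0/16"]    # whole /16 swallows the external addresses

if __name__ == "__main__":
    for label, ranges in (("good", GOOD_INTERNAL), ("bad", BAD_INTERNAL)):
        print(label, check_da_addressing(EXTERNAL, ranges) or "OK")
```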