Deploying UAG Direct Access behind a NAT


  • Our current network does not allow us to deploy a UAG on the public internet. Our network is behind a NAT; in order to get internet IPs, our internal IPs are NAT'd to public addresses (the public NATs are done in another city so we can't do much about it). I have found a couple of posts with people having the same issue. As reported in most of the posts, deploying a UAG DA behind a NAT is not supported.


    However to get around this, we used a little trickery.

    Here is what I tried.

    1. Have two internal IPs NAT'd to the two public IPs you want to use.

    2. Give the internal interface on the DA server an IP from your internal network.

    3. Give the external interface the two public addresses you will use.

    4. Put the external interface on a new VLAN.

    5. Make the gateway for the new VLAN an IP in the same range as your public IP.

    6. NAT your external IP to the internal IP that is NAT'd to your public IP.

    This setup is working great for me: we trick the UAG server into thinking it is on the public internet, but in reality it is going from public-internal-public.


    Now I'm sure this is not supported by MS, but it does seem to work.


    Hope this helps the people who want to test out UAG DA without direct access to the internet.

    Wednesday, August 18, 2010 3:20 AM


All replies

  • I have discussed this topology with Tom, so like this:

    Client => Public IP => NAT => Private IP => NAT => Public IP => UAG

    I would guess it is not supported at the moment...



    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: and
    • Proposed as answer by Lionel LEPERLIER Wednesday, August 18, 2010 9:34 AM
    • Marked as answer by Erez Benari Sunday, August 22, 2010 8:43 AM
    Wednesday, August 18, 2010 8:13 AM
  • So the public IP is the same on the external NAT device and the external interface of the UAG server?



    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides!
    Wednesday, August 18, 2010 4:22 PM
  • Jason,

    I'm checking on this to see if it falls within supportability boundaries.



    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides!
    Wednesday, August 18, 2010 4:32 PM
  • Hello,


    Does it work finally? (I mean having a DirectAccess server behind a NAT/router)

    And is it a supported solution by MS ?



    Thursday, April 28, 2011 12:43 PM
  • Hi Xavier,

    This is not a supported solution by MSFT because we didn't test it. It should work, but there might be performance and other issues that are unanticipated.

    It does work in small test deployments, but I can't say what would happen in an enterprise deployment - therefore, we can't really support it.


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides!
    Tuesday, May 3, 2011 2:38 PM
  • Thanks.

    To bypass NAT issues, is it possible to set up my router's dedicated DMZ port in bridge mode?


    Tuesday, May 3, 2011 2:50 PM
  • Hi Xavier,

    That should work - as long as we have the public IP addresses, the core requirement is met.



    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides!
    Tuesday, May 3, 2011 2:56 PM
  • feds08 you will be my hero if you help me figure this out.

    I work in a school where our network is behind a NAT. I cannot touch the NAT but have got the company to forward 2 public IPs to 2 private IPs. I have set up on my server the following.

    1 physical network card, 2x IPv4 addresses which are the public ones.

    1 physical network card, 2x IPv4 addresses which are the private ones.

    I have then used Routing and Remote Access to make a NAT with my external and internal card in it.

    Through cmd I added static routes where all public IPs go to the private IPs.

    Couple of questions. I don't think putting the external interface on a new VLAN is going to help as the router pumps all internet to all machines, as in the router is just plugged into a switch. I think you said that to get UAG to recognise the network interface as external, but mine is already recognised as external.

    2. How do I set the gateway?

    To be more specific: forwards to and forwards to

    The server card is set up as 1 physical with addresses and

    The server card is set up as 1 physical with addresses and

    Routing and Remote Access with NAT containing the 2 cards.

    Ran cmd command: route add mask -p

    Ran cmd command: route add mask -p

    Is this going to work with UAG? Because I don't think it will.

    Monday, June 27, 2011 8:39 AM
  • Hi Amig@. Not sure if it is worth investing time in testing what you suggest, because the first blocking step is the UAG DA wizard. The assistant needs to detect the public IPv4 addresses configured on the external interface. If there are not two consecutive public IPv4 addresses available on the interface, the assistant will not let you enable DA :(

    // Raúl - I love this game
    Monday, June 27, 2011 1:12 PM
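Raúl's point above is the wizard's precondition that the external interface carry two consecutive public IPv4 addresses. As an added example (not code from the thread), this Python check models that test with constructed RFC 5737 addresses standing in for the public pair, and also derives the RFC 3056 6to4 prefix that the first public address maps to, which is what the 6to4 transition path discussed later in the thread depends on; the address lists and the `is_public` rule set are assumptions, and the documentation ranges are deliberately treated as public so the sample can use them.

```python
import ipaddress

# Address blocks that can never be the "public IPv4 addresses" the UAG DA
# wizard looks for (taken from the IANA special-purpose registry). The RFC 5737
# documentation ranges are deliberately left out so that the constructed
# sample below can use them as stand-ins for real public addresses.
NON_PUBLIC = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
)]

def is_public(addr):
    """True when the address lies outside every non-public block above."""
    a = ipaddress.IPv4Address(addr)
    return not any(a in net for net in NON_PUBLIC)

def find_consecutive_public_pair(addrs):
    """Return the first pair of consecutive public IPv4 addresses bound to the
    interface as (first, second) strings, or None when the wizard's
    'two consecutive public IPv4 addresses' precondition is not met."""
    public = sorted({ipaddress.IPv4Address(a) for a in addrs if is_public(a)})
    for low, high in zip(public, public[1:]):
        if high == low + 1:
            return str(low), str(high)
    return None

def six_to_four_prefix(ipv4):
    """6to4 prefix (RFC 3056) a public IPv4 address maps to:
    2002:WWXX:YYZZ::/48, where WWXXYYZZ is the address in hex."""
    n = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Network(f"2002:{n >> 16:04x}:{n & 0xffff:04x}::/48"))

def check_external_interface(addrs):
    """Summarise what the wizard would conclude about these addresses."""
    pair = find_consecutive_public_pair(addrs)
    if pair is None:
        return {"ok": False, "reason": "no two consecutive public IPv4 addresses"}
    return {"ok": True, "pair": pair, "6to4_prefix": six_to_four_prefix(pair[0])}

if __name__ == "__main__":
    # Constructed sample: the external NIC holds two consecutive RFC 5737
    # addresses plus a leftover RFC 1918 address from the internal side.
    print(check_external_interface(["203.0.113.10", "10.0.0.2", "203.0.113.11"]))
    # A NIC that only carries the NAT'd private addresses fails the check.
    print(check_external_interface(["10.0.0.1", "10.0.0.2"]))
```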
  • By applying the external IPs to the card I have managed to get past that wizard. It seems to be all set up; I am just trying to test the external connections. I'm not hopeful though.
    Monday, June 27, 2011 1:29 PM
  • Here is what you need to do;


    UAG External NIC -( --------------- GW -------NAT to (I use a Cisco FWSM so my interfaces are virtual)

    This way your UAG server has an Internet IP on the external interface, but you still allow the traffic on your internal network.

    I can try to make a Visio drawing if anyone wants.

    Tuesday, June 28, 2011 10:50 PM
  • Hi Feds08,

    Thanks for getting back to me. I've been busy moving new computers around for a while but I am slowly getting back onto this project again.

    I am finding it really difficult to wrap my head around all these NATs. I understand how a laptop from outside connects to which is then forwarded to but I don't understand how to get the traffic back to. For example, if the laptop pinged it will be forwarded to but how do I tell the server to respond back through

    I have ripped everything out again and started from scratch. My setup now is 2 physical network cards.

    1 = and - no gateway or DNS server

    2 = and - gateway DNS

    You see, what I don't get is that the and .2 addresses are connected to the internal network but obviously won't work or do anything because from outside it is getting routed to the address. So how do I get everything to route through the

    Do I add a route like this: route add mask -p

    which means on that server all addresses go to IP but how do I tell the physical card to then NAT to

    Maybe a Visio drawing would help me.

    Thanks in advance


    Thursday, July 7, 2011 10:33 AM
  • That is the tricky part.  We have a Firewall Service Module from Cisco, it allows us to spin up virtual firewalls for all our VLANs.

    This is what I did;

    Create a subnet range for NATing; your two IPs are ,2 so use as your virtual firewall IP

    Have your public addresses NATed to two internal addresses 10.0.02

    Create new VLAN 80 (NATing VLAN)

    Create a firewall interface on VLAN 80 and give it the IP

    Add the external NIC for the DirectAccess server into VLAN 80 and apply both the public IPs to it.,2

    Create static entries on the firewall to NAT your VLAN 80 IPs ,2 to ,2

    That should be it; your real IPs are already NATed from ,2 to ,2.


    So this is the process DASERVER_EXTERNAL(,2)--------(

    NAT FROM 217 to 10 NAT FROM 10 to 217


    If you don't have virtual firewalls, you will need a physical firewall to do the NATing/STATIC's


    Hope this helps.

    Tuesday, July 19, 2011 8:27 PM
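To make the double-translation path in Feds08's steps and diagram above concrete, here is an added Python model (not code from the thread) of two 1:1 static NATs: the edge NAT in the other city that maps the public pair to internal addresses, and the VLAN 80 firewall NAT that maps them back to the public pair held by the UAG external NIC. The addresses are constructed placeholders, since the real ones are missing from the page, and the two-device chain is an assumption drawn from the steps.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

class StaticNat:
    """1:1 static NAT: 'outside' is what the far side sees, 'inside' sits behind it."""
    def __init__(self, name, outside_to_inside):
        self.name = name
        self.out_to_in = dict(outside_to_inside)
        self.in_to_out = {v: k for k, v in outside_to_inside.items()}

    def inbound(self, pkt):   # arriving from outside: rewrite the destination
        return replace(pkt, dst=self.out_to_in.get(pkt.dst, pkt.dst))

    def outbound(self, pkt):  # reply leaving to outside: rewrite the source back
        return replace(pkt, src=self.in_to_out.get(pkt.src, pkt.src))

def forward_path(nats, pkt):
    """Packet as seen after each NAT on the way client -> UAG."""
    hops = []
    for nat in nats:
        pkt = nat.inbound(pkt)
        hops.append((nat.name, pkt))
    return hops

def return_path(nats, pkt):
    """Reply as seen after each NAT on the way UAG -> client (NATs in reverse)."""
    hops = []
    for nat in reversed(nats):
        pkt = nat.outbound(pkt)
        hops.append((nat.name, pkt))
    return hops

# Constructed placeholders (the thread's real addresses were stripped from the page):
# RFC 5737 addresses stand in for the public pair, RFC 1918 for the internal pair.
PUBLIC = ["203.0.113.10", "203.0.113.11"]
INTERNAL = ["10.0.0.1", "10.0.0.2"]
EDGE = StaticNat("edge NAT (other city)", dict(zip(PUBLIC, INTERNAL)))   # public -> internal
FWSM = StaticNat("FWSM VLAN 80 NAT", dict(zip(INTERNAL, PUBLIC)))        # internal -> public again
CHAIN = [EDGE, FWSM]

if __name__ == "__main__":
    client, uag = "198.51.100.7", PUBLIC[0]
    for name, p in forward_path(CHAIN, Packet(src=client, dst=uag)):
        print(f"after {name:24} {p.src} -> {p.dst}")
    for name, p in return_path(CHAIN, Packet(src=uag, dst=client)):
        print(f"after {name:24} {p.src} -> {p.dst}")
```

The forward trace shows the UAG receiving the packet addressed to its own public IP, and the return trace shows why the reply has to leave through the VLAN 80 gateway: the firewall is what rewrites the source back to the internal address the edge NAT expects.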
  • Hi,

    I have just stumbled over this quite old and long post.

    The problem with NAT is that IPv6 and 6to4 do not support NAT. However, Teredo and IP-HTTPS (using HTTPS) do support NAT, i.e. these protocols are especially built to support NAT. I guess the DA wizard checks in general whether the IPs are official in order to make sure no NAT is used (it could be used anyway, but it is not very likely that you would NAT official IPs into other official IPs). So I guess if the wizard were not so strict you could in fact use NAT, but only Teredo and IP-HTTPS would be supported. That would be my guess if I only look at the technical facts (not at the UAG/W2K8 R2 source code), and Feds08 proves that this should work.

    Best regards


    Wednesday, July 20, 2011 7:44 AM
  • 1 = and - no gateway or DNS server

    2 = and - gateway DNS


    For starters, the Gateway needs to be assigned to the External Interface, not the internal.


    Monday, July 25, 2011 11:24 PM