Deploying UAG Direct Access behind a NAT

    Question

  • Our current network does not allow us to deploy a UAG on the public internet. Our network is behind a NAT; in order to get internet IPs, our internal IPs are NAT'd to public addresses (the public NATs are done in another city so we can't do much about it). I have found a couple of posts with people having the same issue. As reported in most of the posts, deploying a UAG DA behind a NAT is not supported.

     

    However to get around this, we used a little trickery.

    Here is what I tried.

    1. Have two internal IPs NAT'd to the two public IPs you want to use.

    2. Give the internal interface on the DA server an IP from your internal network.

    3. Give the external interface the two public addresses you will use.

    4. Put the external interface on a new VLAN.

    5. Make the gateway for the new VLAN an IP in the same range as your public IP.

    6. NAT your external IP to the internal IP that is NAT'd to your public IP.

    This setup is working great for me: we trick the UAG server into thinking it is on the public internet, but in reality the traffic is going public-internal-public.

     

    Now I'm sure this is not supported by MS, but it does seem to work.

     

    Hope this helps the people who want to test out UAG DA without direct access to the internet.

    Wednesday, August 18, 2010 3:20 AM

All replies

  • I have discussed this topology with Tom, so like this:

    Client => Public IP => NAT => Private IP => NAT => Public IP => UAG

    I would guess it is not supported at the moment...

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Proposed as answer by Lionel LEPERLIER Wednesday, August 18, 2010 9:34 AM
    • Marked as answer by Erez Benari Sunday, August 22, 2010 8:43 AM
    Wednesday, August 18, 2010 8:13 AM
    Moderator
  • So the public IP is the same on the external NAT device and the external interface of the UAG server?

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Wednesday, August 18, 2010 4:22 PM
    Moderator
  • Jason,

    I'm checking on this to see if it falls within supportability boundaries.

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Wednesday, August 18, 2010 4:32 PM
    Moderator
  • Hello,

     

    Does it work finally? (I mean having a DirectAccess server behind a NAT/router)

    And is it a supported solution by MS ?

    Thanks.

     



    Thursday, April 28, 2011 12:43 PM
  • Hi Xavier,

    This is not a supported solution by MSFT because we didn't test it. It should work, but there might be performance and other issues that are unanticipated.

    It does work in small test deployments, but I can't say what would happen in an enterprise deployment - therefore, we can't really support it.

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Tuesday, May 3, 2011 2:38 PM
    Moderator
  • Thanks.

    To bypass NAT issues, is it possible to set up my router's dedicated DMZ port in bridge mode?

     

    Tuesday, May 3, 2011 2:50 PM
  • Hi Xavier,

    That should work - as long as we have the public IP addresses, the core requirement is met.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Tuesday, May 3, 2011 2:56 PM
    Moderator
  • feds08 you will be my hero if you help me figure this out.

    I work in a school where our network is behind a NAT. I cannot touch the NAT but have got the company to forward 2 public IPs to 2 private IPs. I have set up the following on my server.

    1 physical network card with 2x IPv4 addresses, which are the public ones.

    1 physical network card with 2x IPv4 addresses, which are the private ones.

    I have then used Routing and Remote Access to make a NAT with my external and internal card in it.

    Through cmd I added static routes where all public IPs go to the private IPs.

    Couple of questions. 1. I don't think putting the external interface on a new VLAN is going to help, as the router pumps all internet to all machines; as in, the router is just plugged into a switch. I think you said that to get UAG to recognise the network interface as external, but mine is already recognised as external.

    2. How do I set the gateway?

    To be more specific:

    217.179.53.1 forwards to 10.0.0.1 and 217.179.53.2 forwards to 10.0.0.2.

    The server card is set up as 1 physical with addresses 217.179.53.1 and 217.179.53.2.

    The server card is set up as 1 physical with addresses 10.0.0.1 and 10.0.0.2.

    Routing and Remote Access with NAT containing the 2 cards.

    Ran cmd command: route add 217.179.53.1 mask 255.255.255.255 10.0.0.1 -p

    Ran cmd command: route add 217.179.53.2 mask 255.255.255.255 10.0.0.2 -p

    Is this going to work with UAG? Because I don't think it will.

    Monday, June 27, 2011 8:39 AM
  • Hi Amig@. Not sure if it is worth investing time in testing what you suggest, because the first blocking step is the UAG DA wizard. The assistant needs to detect the public IPv4 addresses configured on the external interface. If there are not two consecutive public IPv4 addresses available on the interface, the assistant will not let you enable DA :(


    // Raúl - I love this game
    Monday, June 27, 2011 1:12 PM
  • By applying the external IPs to the card I have managed to get past that wizard. It seems to be all set up; I am just trying to test the external connections. I'm not hopeful though.
    Monday, June 27, 2011 1:29 PM
  • Here is what you need to do;

     

    UAG External NIC -(217.179.53.1/2 --------------- GW 217.179.53.3 -------NAT 217.179.53.1/2)VLAN to 10.0.0.1/2 (I use a Cisco FWSM so my interfaces are virtual)

    This way your UAG server has an Internet IP on the external interface, but you still allow the traffic on your internal network.

    I can try to make a Visio drawing if anyone wants.

    Tuesday, June 28, 2011 10:50 PM
  • Hi Feds08,

    Thanks for getting back to me. I've been busy moving new computers around for a while, but I am slowly getting back onto this project again.

    I am finding it really difficult to wrap my head around all these NATs. I understand how a laptop from outside connects to 217.179.53.1, which is then forwarded to 10.0.0.1, but I don't understand how to get the traffic back to 217.179.53.1. For example, if the laptop pinged 217.179.53.1 it will be forwarded to 10.0.0.1, but how do I tell the server to respond back through 217.179.53.1?

    I have ripped everything out again and started from scratch. My setup now is 2 physical network cards.

    1 = 217.179.53.1 and 217.179.53.2 - no gateway or DNS server

    2 = 10.0.0.1 and 10.0.0.2 - gateway 10.0.0.254 DNS 10.0.0.3

    You see, what I don't get is that the 217.179.53.1 and .2 addresses are connected to the internal network but obviously won't work or do anything, because from outside it is getting routed to the 10.0.0.1 address. So how do I get everything to route through the 10.0.0.1?

    Do I add a route like this: route add 217.179.53.1 mask 255.255.255.255 10.0.0.1 -p

    which means on that server all 217.179.53.1 addresses go to IP 10.0.0.1, but how do I tell the physical card to then NAT to 217.179.53.1?

    Maybe a Visio drawing would help me.

    Thanks in advance

     

    Thursday, July 7, 2011 10:33 AM
  • That is the tricky part. We have a Firewall Service Module from Cisco; it allows us to spin up virtual firewalls for all our VLANs.

    This is what I did:

    Create a subnet range for NATing. Your two IPs are 217.179.53.1,2, so use 217.179.53.3 as your virtual firewall IP.

    Have your public addresses NATed to two internal addresses, 10.0.0.1 and 10.0.0.2.

    Create new VLAN 80 (NATing VLAN).

    Create a firewall interface on VLAN 80 and give it the IP 217.179.53.3.

    Add the external NIC for the Direct Access server into VLAN 80 and apply both the public IPs to it: 217.179.53.1,2.

    Create static entries on the firewall to NAT your VLAN 80 IPs 217.179.53.1,2 to 10.0.0.1,2.

    That should be it; your real IPs are already NATed from 10.0.0.1,2 to 217.179.53.1,2.

     

    So this is the process: DASERVER_EXTERNAL(217.179.53.1,2)--------(217.179.53.3)FW(10.0.0.x)------------(OTHER_FW)------------INTERNET

    NAT FROM 217 to 10 NAT FROM 10 to 217

     

    If you don't have virtual firewalls, you will need a physical firewall to do the NATing/statics.

     

    Hope this helps.

    Tuesday, July 19, 2011 8:27 PM
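    The double-NAT path Feds08 lays out above, and the wizard rule Raúl mentions earlier (two consecutive public IPv4 addresses on the external NIC), as an added Python model; this is constructed example code, not UAG's or any poster's configuration, and the client address 198.51.100.7 is a made-up documentation address. It traces a request from the internet to the UAG external NIC and the reply back, showing that each 1:1 static NAT is undone in reverse order so the reply leaves from 217.179.53.1 without any extra route on the server.

```python
import ipaddress

# Constructed model (not UAG code) of the two 1:1 static NAT layers from the thread:
#   edge NAT (other city):  217.179.53.1/2 <-> 10.0.0.1/2
#   firewall on VLAN 80:    10.0.0.1/2     <-> 217.179.53.1/2 (UAG external NIC)
EDGE_NAT = {"217.179.53.1": "10.0.0.1", "217.179.53.2": "10.0.0.2"}   # public -> internal
VLAN80_FW = {"10.0.0.1": "217.179.53.1", "10.0.0.2": "217.179.53.2"}  # internal -> VLAN 80 public


def _inbound(table, pkt):
    """Static NAT towards the UAG: rewrite the destination if the table knows it."""
    src, dst = pkt
    return (src, table.get(dst, dst))


def _outbound(table, pkt):
    """Same NAT on the return path: rewrite the source with the reverse mapping."""
    src, dst = pkt
    reverse = {v: k for k, v in table.items()}
    return (reverse.get(src, src), dst)


def trace(client, uag_public):
    """Return (hop label, 'src->dst') as seen at each hop, client to UAG and back."""
    request = (client, uag_public)
    hops = [("internet", request)]
    request = _inbound(EDGE_NAT, request)
    hops.append(("edge NAT -> 10.0.0.x", request))
    request = _inbound(VLAN80_FW, request)
    hops.append(("VLAN 80 / UAG external NIC", request))
    # UAG answers from its own external address; the NATs undo themselves in reverse order
    reply = (request[1], request[0])
    hops.append(("UAG reply", reply))
    reply = _outbound(VLAN80_FW, reply)
    hops.append(("FW -> 10.0.0.x", reply))
    reply = _outbound(EDGE_NAT, reply)
    hops.append(("edge NAT -> internet", reply))
    return [(label, f"{s}->{d}") for label, (s, d) in hops]


def da_wizard_ok(external_addrs):
    """The rule Raúl cites: the external NIC needs two consecutive public IPv4 addresses."""
    ips = sorted(ipaddress.ip_address(a) for a in external_addrs)
    public = [ip for ip in ips if ip.version == 4 and ip.is_global]
    return any(int(b) - int(a) == 1 for a, b in zip(public, public[1:]))


if __name__ == "__main__":
    for label, flow in trace("198.51.100.7", "217.179.53.1"):
        print(f"{label:28} {flow}")
    print("wizard check, public NIC :", da_wizard_ok(["217.179.53.1", "217.179.53.2"]))
    print("wizard check, private NIC:", da_wizard_ok(["10.0.0.1", "10.0.0.2"]))
```

    The private-NIC check is why the RRAS-only setup earlier in the thread stalls at the wizard: 10.0.0.x addresses on the external NIC are not public, and the wizard never gets as far as testing the NAT path.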
  • Hi,

    I have just stumbled over this quite old and long post.

    The problem with NAT is that IPv6 and 6to4 do not support NAT. However, Teredo and IP-HTTPS (using HTTPS) do support NAT, i.e. these protocols are built specifically to support NAT. I guess the DA wizard checks in general whether the IPs are official in order to make sure no NAT is used (it could be used anyway, but it is not very likely that you would NAT official IPs into other official IPs). So I guess that if the wizard were not so strict you could in fact use NAT, but only Teredo and IP-HTTPS would be supported. That would be my guess if I only look at the technical facts (not at the UAG/W2K8 R2 source code), and Feds08 proves that this should work.

    Best regards

    Thomas

    Wednesday, July 20, 2011 7:44 AM
  • 1 = 217.179.53.1 and 217.179.53.2 - no gateway or DNS server

    2 = 10.0.0.1 and 10.0.0.2 - gateway 10.0.0.254 DNS 10.0.0.3

     

    For starters, the Gateway needs to be assigned to the External Interface, not the internal.

     


    Monday, July 25, 2011 11:24 PM