UAG behind a firewall, can't enable 6to4 interface

    Question

  • Hi,

    I am getting the error "time out occured. the 6to4 network interface cannot be enabled".

    I know that the cause of that error is the IP of the internet-facing network adapter. I am using 172.16.5.x IPs.

    But I have to use these IPs, because I have to use my firewall for security reasons.

    So when I go through the internet, these IPs are translated to some public IPs, and that is not permitted for UAG.

    As a result, I don't know what to do to implement my DirectAccess configuration.

    Is there any alternative and secure way to do that?

    Thanks in advance


    regards
    Tuesday, August 17, 2010 10:13 AM


All replies

  • You need public IP addresses on the UAG external interfaces; period.

    If you have an existing edge firewall, your only option is to create a public IP addressed DMZ to host the UAG server(s).

    Don't forget that UAG runs TMG which provides edge ready firewall protection for the host if you do want to place it in parallel to your existing firewall; this may not work for you, but is a supported option...

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, August 17, 2010 10:34 AM
    Moderator
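The reason behind "you need public IP addresses" and "NAT is not supported" is that 6to4 embeds the external IPv4 address into the 2002::/16 prefix; a private address produces a prefix nothing on the Internet can route back to. The following added example (not code from this thread or from UAG/TMG) classifies a candidate external-interface address the way that requirement does and derives the 6to4 prefix it would produce; the sample addresses are constructed, and 203.0.113.10 comes from a documentation range that this simplified check treats as routable.

```python
"""Check whether an IPv4 address on UAG's external interface can carry 6to4.

Added example, not code from the thread or from UAG/TMG. 6to4 (RFC 3056) embeds the
IPv4 address in the 2002::/16 prefix, so a private address behind NAT yields a
prefix that cannot be reached from the Internet, which is why the external
interface must hold a public address and NAT in front of it does not help.
"""
import ipaddress

# IPv4 blocks that are never globally routable, so they cannot anchor a 6to4 prefix.
# Documentation ranges such as 203.0.113.0/24 are left out on purpose so that the
# constructed "public" sample below reads as routable.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def sixto4_prefix(addr: str) -> str:
    """Return the 2002:WWXX:YYZZ::/48 prefix 6to4 derives from an IPv4 address."""
    v4 = int(ipaddress.IPv4Address(addr))
    return f"2002:{v4 >> 16:04x}:{v4 & 0xFFFF:04x}::/48"


def check_external_address(addr: str) -> dict:
    """Classify one external-interface address against the 6to4 public-IP rule."""
    ip = ipaddress.IPv4Address(addr)
    blocking = next((str(n) for n in NON_ROUTABLE if ip in n), None)
    if blocking is None:
        reason = "globally routable; 6to4 prefix is reachable"
    else:
        reason = f"in non-routable block {blocking}; 6to4 prefix is unreachable and NAT does not fix it"
    return {
        "address": addr,
        "prefix": sixto4_prefix(addr),
        "usable": blocking is None,
        "reason": reason,
    }


if __name__ == "__main__":
    # Constructed samples: an address from the poster's 172.16.5.x range and a
    # documentation-range address standing in for a real public one.
    for sample in ("172.16.5.10", "203.0.113.10"):
        r = check_external_address(sample)
        print(f"{r['address']:>14} -> {r['prefix']:<20} usable={r['usable']} ({r['reason']})")
```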
  • As you say,

    it seems that the only secure solution is a public IP addressed DMZ interface on the firewall.

    All ports are in use on my firewall, so in that case I am going to buy a new one :)

    Thank you for your help, Jason.


    regards
    Tuesday, August 17, 2010 12:01 PM
  • I like that approach :)
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, August 17, 2010 12:25 PM
    Moderator
  • You could attach a small, even inexpensive switch to one of the ports on your firewall and move some of your public devices onto that.  It would save you the hassle of duplicating your configuration on a new firewall/router.
    MrShannon | TechNuggets Blog | Concurrency Blogs
    Tuesday, August 17, 2010 12:34 PM
  • As Jason said, for a DirectAccess deployment, putting the UAG server on the edge is no problem. TMG is protecting it and there are no security issues with that.

    Another viable option is to enable transparent firewalling in front of the UAG server, then you can assign public IP addresses to the UAG DA server behind the firewall.

    NAT is not supported.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Tuesday, August 17, 2010 12:50 PM
    Moderator
  • Transparent firewalling?

    Do you mean using an additional public IP address space and then getting the edge firewall to simply route packets as opposed to packet filtering them?

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, August 17, 2010 1:08 PM
    Moderator
  • Thomas,

    By saying "transparent firewalling", what do you mean exactly? Can you give some detailed info, or could you provide any link that includes details?


    regards
    Tuesday, August 17, 2010 2:52 PM
  • Actually, it's secure to put the UAG DA server on the edge. There's no need to put it behind a firewall to make it secure.

    However, if you're also going to use it for web publishing, I would put it behind a firewall (like a TMG firewall).

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Thursday, August 19, 2010 2:43 PM
    Moderator
  • However, if you're also going to use it for web publishing, I would put it behind a firewall (like a TMG firewall).

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx

    Tom, can you elaborate on this scenario?
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, August 19, 2010 4:12 PM
    Moderator
  • Yes! Please do Tom.

    IMHO UAG is fully edge secured no matter what features you use in it.

    If cu's for some reason feel they need to put dual layers of firewall in front of UAG, you should explain to them that only a very intelligent layer 7 application, SSL bridging firewall would add any security.

    The only scenario where I see a dual layer firewall add some use is to act as a filtering router to take the internet "noise" away from the TMG in UAG.

    Just my 2c :-)

    /Kent Nordström

    Friday, August 20, 2010 5:40 AM
  • Don't forget, UAG is not supported as a network firewall, even though it runs TMG...

    Also, some of the networking features of TMG are not as developed as other vendors, full NAT manipulation is a good example...


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, August 20, 2010 12:36 PM
    Moderator
  • As Jason said - our messaging is very careful to say that UAG is not a network firewall.

    Now to be clear, when we say that TMG on UAG is designed to protect the UAG server itself, that also means that it's going to prevent external intruders from reaching the intranet - so in that respect, it acts as a network firewall.

    However, since UAG is not designed and doesn't support outbound access control, you can make the claim that it's a network firewall.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Friday, August 20, 2010 1:15 PM
    Moderator
  • Hmmm....isn't that a bit like saying the Windows 7 firewall protects your network if you have it connected to your corp network whilst also being connected to an untrusted Internet connection via 3G ;)
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, August 20, 2010 4:28 PM
    Moderator
  • Hi,

    Some firewalls reference this as bridge mode. IP traffic for some public IPv4 addresses can bypass the firewall engine and go to UAG. I've tested this scenario during a French DirectAccess deployment at the beginning of the year. This is very helpful because clients can put their own firewall in front of UAG.

    Benoît


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
    Saturday, August 21, 2010 8:59 PM
  • Well, except Win7 doesn't provide remote access to the network, although I guess if you put TMG on it, it could :)

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Monday, August 23, 2010 2:03 PM
    Moderator
  • I'm confused by this. You must be assuming that an edge firewall must allow outbound access as well, thus by using UAG in that way it is not supported on the edge.

    In other words, UAG is fine on the edge as long as it is used for the things it was intended for, like publishing websites, VPN, DirectAccess etc. etc.? Is this correct?

    Friday, January 21, 2011 2:27 AM
  • Kind of...

    UAG is supported on the Edge (as it runs TMG for protection) but it is still recommended to deploy it behind a firewall if you can. However, you cannot use the TMG instance on UAG to make it your edge firewall or outbound proxy server. This doc may help clarify: http://technet.microsoft.com/en-us/library/ee522953.aspx

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, January 21, 2011 9:34 AM
    Moderator
  • For the most part, this recommendation comes from the fact that everyone already has a firewall - though there are other good reasons for putting the UAG server behind a TMG (or other) firewall. Most importantly, it reduces the processing overhead for "junk" traffic, which is important since the IPsec and IP-HTTPS tunnels take so much processor time.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Friday, January 21, 2011 11:18 AM
    Moderator