Microsoft UAG configuration

Status
Not open for further replies.

disturbedone

Vendor
Sep 28, 2006
781
AU
I'm in the process of setting up Microsoft UAG for the first time and am looking for some guidance on the best configuration.

Scenario:
  • VMware vCenter 5.1
  • W2K8R2 servers are all VMs
  • Cisco ASA5520 firewall
  • VLAN11 (10.11.0.0/16) is for most VMs including 2x DCs
  • VLAN172 (172.20.95.0/24) is for servers in DMZ

I've configured 2x vNICs on the UAG VM. One on VLAN172 and one on VLAN11. My first question is around that - the documentation I've found for setting up an HTTPS trunk says that the external NIC should have a public IP address rather than an internal one, e.g. 172.20.95.x/24. Is that correct? If so, in a virtual environment where the NIC cannot be physically connected to the external world, how can that be achieved? Or would I give it a DMZ address and port forward on the firewall like I do with everything else?

That's the first step. Once I've got that sorted I'll work my way through the rest of it.
 
This has been outsourced to be completed. I'll post after completion to let others know how it went.
 
The contractor has been reading about UAG and has struck an issue. It appears that Microsoft want us to throw out our perfectly good Cisco ASA firewall and replace it with UAG!

UAG requires public IP addresses. It cannot have internal ones.

Surely Microsoft don't expect everyone in the world to replace their existing perfectly good, reliable, and (sometimes) expensive firewalls and use their product?!?!

Anyone come across this and have a way to get it to work?
 
Nothing wrong with using the Cisco as long as the necessary port exceptions are implemented...


"Or would I give it a DMZ address and port forward on the firewall like I do with everything else" yep



........................................
Chernobyl disaster..a must see pictorial

"Computers in the future may weigh no more than 1.5 tons."
Popular Mechanics, 1949
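One way to implement the port forward this reply endorses, as an added example that is not part of the thread and not the poster's own configuration: ASA 8.3-or-later object NAT mapping a spare public address to the UAG's DMZ vNIC on TCP/443 only, plus the matching inbound ACL. The interface names (dmz, outside), the UAG host address 172.20.95.10 and the public address 203.0.113.10 are assumptions (the public address is from the RFC 5737 documentation range), and the thread does not say which ASA software version the site runs, so pre-8.3 syntax would differ.

```cisco
! Added example (not from the thread): ASA 8.3+ object NAT that publishes
! only TCP/443 of a DMZ-addressed UAG server on one public IP.
! All addresses and interface names are assumptions:
!   dmz          = ASA interface on VLAN172 (172.20.95.0/24)
!   outside      = ASA interface facing the Internet
!   172.20.95.10 = UAG external vNIC (assumed host in the DMZ range)
!   203.0.113.10 = spare public IP (RFC 5737 documentation address)
object network UAG-DMZ-HTTPS
 host 172.20.95.10
 description UAG external vNIC - HTTPS trunk
 ! Port-restricted static NAT: only 443 is translated; no other port on the
 ! UAG is reachable from the public address.
 nat (dmz,outside) static 203.0.113.10 service tcp https https
!
! Inbound ACL. On 8.3+ the ACL matches the real (un-NATed) address, so the
! rule references the object itself; the implicit deny drops everything else.
access-list OUTSIDE-IN extended permit tcp any object UAG-DMZ-HTTPS eq https
access-group OUTSIDE-IN in interface outside
!
! Checks from the ASA CLI (198.51.100.5 is an assumed Internet source):
!   show nat detail
!   packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 443
!   packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 3389
! The first packet-tracer should end in ALLOW, the second in DROP.
```

With this layout the public address terminates on the ASA, not on the Windows server, which is the concern raised later in the thread about exposing a Windows box directly. The UAG's second vNIC on VLAN11 still gives it a path to the DCs, so the dmz-to-inside policy on the ASA should be restricted to the traffic UAG actually needs rather than left open.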
 
You can still use the ASA for firewalling and not use NAT. In fact I would insist as exposing a Windows Server directly to the internet would not be my first (or even ever) choice...

Andy
 
So just stick a switch in front of your Cisco to the internet, give the UAG a public IP address out of your public network range, and have stuff IP'd for the UAG setup in your external DNS to go to that new IP address. Did this myself, but had a Sonicwall that I use. Currently use the UAG to proxy for Exchange and Lync.
 
@cajuntank, this is a completely virtual environment. It's not possible to "just stick a switch in front of your Cisco to the internet".

I have finally found someone within Microsoft who actually knows the product (it appears that knowledge is pretty scarce) and they are confirming which of the 3 possible options we came up with is the best. Once it has all been confirmed I will post the solution here.
 