Setting up a UAG server array provides organizations with the ability to provide higher availability, but it also brings up a common question of how many IP addresses does one need. The confusion usually revolves around two topics – internal vs. external IPs, and NLB vs external LB. Let’s try to clear up some misconceptions here.
NLB – Load balancing facilitated by Windows, as opposed to regular LB. Also known as “Integrated NLB”
LB – Load Balancing facilitated by a 3rd party device, such as F5’s BigIP range of load balancing appliances or Citrix’s NetScaler. Also known as “External LB” or “Non-integrated NLB”
DIP – Dedicated IP. An IP address assigned to a resource that is unique to every server, as opposed to a VIP.
VIP – Virtual IP. An IP address shared by several resources, either directly (such as with NLB) or indirectly (such as with external LB)
External Network – The network through which UAG receives client requests, and replies to them. It could be the DMZ network, but is referred to as “External” for clarity.
Internal Network - The network through which UAG forwards requests from clients to internal (corporate) servers, and receives a response. It could be the DMZ network, but is referred to as “Internal” for clarity.
DA – DirectAccess, one of UAG’s two primary deployment scenarios.
Application Publishing – The second of UAG’s two primary deployment scenarios.
APDA Mode – A UAG Server configured for both Application Publishing and DirectAccess simultaneously
Single Server scenario
If you use a single UAG Server, then you need:
1. one IP address for each portal or ADFS trunk
2. If you have redirect trunks (from HTTP to HTTPS), then they use the same IP as their counterpart HTTPS trunk, and there’s no need for additional IPs
3. The Trunk IPs can be either public IP addresses, or NAT IP Addresses*
4. For DA, you need two IP addresses, which must be public and consecutive, to serve the DA component.
5. If you are in APDA mode, you would need at least 3 IPs – 2 for DA, and one for each trunk. Note that in this situation, you should use the lowest IPs available for the DA connection (for example, if you have the IPs 22.214.171.124, 126.96.36.199 and 188.8.131.52, Use the .1 and .2 for DA, and .3 for the trunk).
* If you are using NAT, keep in mind that NAT devices often perform connection optimization, which could cause problems for clients. For example, this might cause a user to be “dropped” into another user’s session, because the NAT device reuses an existing connection to UAG for the 2nd user’s request. As a precaution, make sure your NAT device is not optimizing connections.
Array scenario, with integrated NLB
In an array with NLB, you need DIPs and VIPs, like this:
1. One Internal DIP for each server in the array (these can be NAT IPs)
2. One external DIP for each server in the array (These must be public IPs)
3. For Application publishing, one external VIP**, used by all array members
4. For DirectAccess, one internal VIP**, used by all array members
5. For DirectAccess, two consecutive external VIPs**, used by all array members
6. If you are in APDA mode, you would need at least 4 VIPs – one internal, two externals for DA, and one external for each trunk. Note that in this situation, you should use the lowest VIPs available for the DA connection (for example, if you have the IPs 184.108.40.206, 220.127.116.11 and 18.104.22.168, Use the .1 and .2 for DA, and .3 for the trunk).
** Note that with NLB, the Virtual IPs are added using UAG’s NLB configuration screen (under Admin/Network Load Balancing). The NLB configuration within TMG or within Windows should NOT be used to configure these under any circumstance.
Array mode, with external Load Balancer (a.k.a. “non integrated LB”)
With an array, the VIPs are configured on the load balancer, and not on UAG. You still need the virtual IPs, but UAG is not aware of them, so you need to configure DA with the IPs like this:
2. For DA, Two consecutive external DIPs for each server in the array (These must be public IPs)
3. For Application publishing, one additional DIP for each member for each trunk
4. For DA, two consecutive external VIPs, routed to the multiple DIPs
5. For DA, one internal VIP, routed to the multiple internal DIPs
6. For application publishing, one external VIP, routed to the multiple DIPs used by the trunk
7. The VIPs are assigned and configured on the load balancer, and routed to the DIPs configured on the array members, with UAG not being aware of them
When using an array, we recommend load balancing to be configured both on the internal side, and the external side. It’s possible, though, to have DA run without internal load balancing. If that is your plan, be sure to read the documentation for this scenario, to be sure your server meets the required configuration and that the impacted scenarios and features are acceptable to your organization.