This sounds quite strange, but the possibility exists. We know that a UAG array consists of one Array Manager and one or more Array Members. So how can we have multiple Array Managers? Well, of course, we cannot. But under certain circumstances, you may find that the Array Management Wizard informs you that you have multiple Array Managers, and possibly even Array Members that you’re not aware of.

Symptoms:

When preparing to create your array, the first step is to specify the Array Manager. On the UAG server that will be the Array Manager, you start the Array Management Wizard. In the wizard, you select “Set this server as the array manager” and then specify the Array Credentials. However, in “Step 3 – Defining Array Member Computers”, you may see that there is more than one Array Manager listed.


You also find that you’re unable to remove the “rogue” Array Manager that’s listed. The possibility also exists that you may see an Array Member listed that you have not added yourself. Although you will be able to remove this “unknown” array member in this screen, it’s best to cancel the Wizard at this point.

If you discover such a situation, you should not continue through the Array Management Wizard. Who knows what condition you may end up in?

More information:

During the UAG installation, TMG (Threat Management Gateway) is also installed. TMG is a firewall that is installed to “protect” the UAG deployment; it only allows traffic designated by the UAG configuration. When you configure UAG’s network interfaces via the “Network Configuration Wizard”, TMG is automatically configured with the appropriate network settings to support the UAG configuration. Likewise, when you configure Portals/Applications in UAG, TMG is configured with the appropriate Firewall Policy rules.

There are certain situations where you may need to configure TMG settings directly (e.g. to allow RDP connections), but for the most part, you should not need to make many configuration changes directly in TMG.

Cause:

The issue described above can happen if the TMG “Managed Server Computers” Computer Set contains inadvertent/invalid entries. For example:


In this scenario, UAG01 is the name of the UAG server that is our intended Array Manager. If the TMG “Managed Server Computers” Computer Set contains other entries with the same IP address, they will most likely appear as additional Array Managers in UAG’s Array Management Wizard. Additionally, if the “Managed Server Computers” Computer Set includes other entries with different IPs, they will show up as unintended Array Members in UAG’s Array Management Wizard.

On a “Stand Alone” UAG server that you intend to promote to an Array Manager, TMG’s “Managed Server Computers” Computer Set should only contain itself.

Resolution:

On the “stand alone” UAG server that you intend to promote to an Array Manager, edit TMG’s “Managed Server Computers” Computer Set by removing all entries but the intended UAG Array Manager. Then apply the change in TMG, wait for TMG to sync, and then activate UAG.

Now, when you run the UAG Array Management Wizard, Step 3 should only show your intended Array Manager server. You can then safely add your intended Array Members.
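The check described under Cause can also be scripted. The following read-only PowerShell sketch is an added example, not part of the original article or a Microsoft tool. It assumes the TMG administration COM object (`FPC.Root`) is available on the UAG server and that the Computer Set entries expose `Name` and `IPAddress`; the parameter `ManagerName` is hypothetical and defaults to the UAG01 name used above.

```powershell
# Read-only audit of TMG's "Managed Server Computers" Computer Set (added example).
param(
    [string]$ManagerName = 'UAG01'   # intended Array Manager, as named on this page
)
$setName = 'Managed Server Computers'

# FPC.Root is the TMG administration COM object (assumed present, since TMG ships with UAG).
$root  = New-Object -ComObject FPC.Root
$array = $root.GetContainingArray()
$set   = $array.RuleElements.ComputerSets.Item($setName)

# Copy the COM collection into plain objects (PowerShell 2.0 compatible).
$entries = @(foreach ($c in $set.Computers) {
    New-Object PSObject -Property @{ Name = $c.Name; IPAddress = $c.IPAddress }
})

$manager = $entries | Where-Object { $_.Name -eq $ManagerName } | Select-Object -First 1
if (-not $manager) {
    Write-Warning "'$ManagerName' is not listed in '$setName'. Entries found:"
    $entries | Format-Table Name, IPAddress -AutoSize
    return
}

# Classify each entry the way the Cause section predicts the wizard will show it.
$report = foreach ($e in $entries) {
    if ($e.Name -eq $ManagerName) {
        $effect = 'Intended Array Manager'
    } elseif ($e.IPAddress -eq $manager.IPAddress) {
        $effect = 'Same IP: likely shown as an additional Array Manager'
    } else {
        $effect = 'Different IP: likely shown as an unintended Array Member'
    }
    New-Object PSObject -Property @{ Name = $e.Name; IPAddress = $e.IPAddress; WizardEffect = $effect }
}
$report | Format-Table Name, IPAddress, WizardEffect -AutoSize

$extra = @($report | Where-Object { $_.WizardEffect -ne 'Intended Array Manager' })
if ($extra.Count -gt 0) {
    Write-Warning "$($extra.Count) unexpected entries in '$setName'. Remove them in TMG before running the Array Management Wizard."
} else {
    Write-Output "'$setName' contains only $ManagerName."
}
```

The script changes nothing; removing entries is still done in the TMG console as described in the Resolution.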

Author

Richard Barker - Sr Security Support Escalation Engineer, Microsoft CSS Forefront Security Edge Team