Its seems like we’ve run into a little confusion recently regarding how to deploy the UAG DA server in a firewalled environment.
If you look at our documentation for Packet Filtering for the Internet Firewall (http://technet.microsoft.com/en-us/library/ee809062.aspx) you’ll see that we fully support putting a firewall in front of the UAG DA server.
To quote Packet Filtering for the Internet Firewall:
“Most organizations use an Internet firewall between the Internet and the computers on their perimeter network. The firewall is typically configured with packet filters that allow specific types of traffic to and from the perimeter network computers. When you add a Forefront UAG DirectAccess server to your perimeter network, you must configure additional packet filters, to allow the traffic to and from the Forefront UAG DirectAccess server for all the traffic that a DirectAccess client uses to obtain IPv6 connectivity to the Forefront UAG DirectAccess server.
The following describes the type of traffic you can configure on your Internet firewall depending on whether the Forefront UAG DirectAccess server is on an IPv4 or IPv6 Internet.
Configure packet filters on your Internet firewall to allow the following types of IPv4 traffic for the Forefront UAG DirectAccess server:
Configure packet filters on your Internet firewall to allow the following types of IPv6 traffic for the Forefront UAG DirectAccess server:
=====================================
However, there has been a cause for confusion in this documentation because some admins confuse firewalling with NAT. While it is true that most firewalls are deployed with NAT enabled, that doesn’t mean you must NAT connections coming through the firewall. In fact, the UAG Infrastructure and Planning Guide (http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=110b4c77-b411-4845-9b82-40a733b17003) states:
“Are you deploying Forefront UAG as a DirectAccess server?─A Forefront UAG DirectAccess server can be located behind a firewall or between a frontend and backend firewall, but note that a public IPv4 address is required, and therefore the server should not be located behind a NAT (Network Address Translation) device” [italics mine]
So to answer the question - “can you put the UAG DA server” behind a front-end firewall, the answer is yes. However, that firewall cannot NAT connections between the DirectAccess clients and the UAG DirectAccess Server.
HTH,
Tom
Tom Shinder tomsh@microsoft.com Microsoft ISDiX/SCDiX UAG Direct Access/Anywhere Access Team The “Edge Man” blog (DA all the time): http://blogs.technet.com/tomshinder/default.aspx Follow me on Twitter: http://twitter.com/tshinder Facebook: http://www.facebook.com/tshinder
Hi Tom;
I'll ask the obvious question....
Can a UAG DA device sit behind a TMG firewall? If yes, how?
Thanks for all the good info!
Don
Hi Don,
Sure, TMG firewalls are like any other kind of firewall. Just make a ROUTE Network Rule
Source: Network that the UAG DA server's external interface is connect to
Destination: External (the default external Network)
Hi Tom,
Is it so necessary to exclude NAT at all? I'm using simple d-link ADSL router to connect to Internet. Isn't it sufficient to forward proto 41 and UDP 3544 port in and out to DirectAccess server behind firewall?
Really detailed info but why NAT is so bad and how overcome this!
Ilya
hypothesis, As the UAG server will require a public IP address you may have to change your simple d-link ADSL router.
NAT, in lamens terms, allows devices behind your firewall to utilize public IP's whilst having a none-public IP address.
Tom.
If I have a customer that is doing some kinds of fancy NAT on their ASA - still giving me a public IP address but having a NAT entry for the IP in their rules - will this likely give me some strange niggly issues?
Thanks,
Stephen
Other commenters, please read the closing statement, "that firewall cannot NAT connections between the DirectAccess clients and the UAG DirectAccess Server."