http://blogs.technet.com/b/tomshinder/archive/2010/05/06/directaccess-and-firewalls-and-nat.aspxIts seems like we’ve run into a little confusion recently regarding how to deploy the UAG DA server in a firewalled environment. If you look at our documentation for Packet Filtering for the Internet Firewall ( http://technet.microsoft.com/en-us/libraryen-USTelligent Evolution Platform Developer Build (Build: 5.6.50428.7875)http://blogs.technet.com/b/tomshinder/archive/2010/05/06/directaccess-and-firewalls-and-nat.aspx#3492455Mon, 16 Apr 2012 19:14:17 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3492455Bry<p>Other commenters, please read the closing statement, &quot;that firewall cannot NAT connections between the DirectAccess clients and the UAG DirectAccess Server.&quot;</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3492455" width="1" height="1">http://blogs.technet.com/b/tomshinder/archive/2010/05/06/directaccess-and-firewalls-and-nat.aspx#3458068Sat, 08 Oct 2011 22:16:41 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3458068Geekcroft<p>Tom.</p> <p>If I have a customer that is doing some kinds of fancy NAT on their ASA - still giving me a public IP address but having a NAT entry for the IP in their rules - will this likely give me some strange niggly issues?</p> <p>Thanks,</p> <p>Stephen</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3458068" width="1" height="1">http://blogs.technet.com/b/tomshinder/archive/2010/05/06/directaccess-and-firewalls-and-nat.aspx#3458067Sat, 08 Oct 2011 22:12:15 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3458067Geekcroft<p>hypothesis, As the UAG server will require a public IP address you may have to change your simple d-link ADSL router.</p> <p>NAT, in lamens terms, allows devices behind your firewall to utilize public IP&#39;s whilst having a none-public IP address.</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3458067" width="1" height="1">http://blogs.technet.com/b/tomshinder/archive/2010/05/06/directaccess-and-firewalls-and-nat.aspx#3447376Tue, 16 Aug 2011 14:10:24 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3447376hypothesis<p>Hi Tom,</p> <p>Is it so necessary to exclude NAT at all? I&#39;m using simple d-link ADSL router to connect to Internet. Isn&#39;t it sufficient to forward proto 41 and UDP 3544 port in and out to DirectAccess server behind firewall?</p> <p>Really detailed info but why NAT is so bad and how overcome this!</p> <p>Ilya</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3447376" width="1" height="1">http://blogs.technet.com/b/tomshinder/archive/2010/05/06/directaccess-and-firewalls-and-nat.aspx#3330947Thu, 06 May 2010 19:56:03 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3330947Thomas W Shinder - MSFT<p>Hi Don,</p> <p>Sure, TMG firewalls are like any other kind of firewall. Just make a ROUTE Network Rule</p> <p>Source: Network that the UAG DA server's external interface is connect to</p> <p>Destination: External (the default external Network)</p> <p>Tom</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3330947" width="1" height="1">http://blogs.technet.com/b/tomshinder/archive/2010/05/06/directaccess-and-firewalls-and-nat.aspx#3330937Thu, 06 May 2010 19:10:44 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3330937BigDon86<p>Hi Tom;</p> <p>I'll ask the obvious question....</p> <p>Can a UAG DA device sit behind a TMG firewall? &nbsp;If yes, how?</p> <p>Thanks for all the good info!</p> <p>Don</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3330937" width="1" height="1">