Welcome to the UAG 2010 Installation Section

Welcome to the UAG 2010 Installation Section - 18.Aug.2009 8:39:10 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Welcome to the UAG 2010 Installation Section!

Post your issues with installing UAG 2010 here. If you have non-installation-related questions, then please post to the UAG 2010 General Section.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.
Post #: 1
RE: Welcome to the UAG 2010 Installation Section - 12.Apr.2010 12:09:15 PM   
Werthnerb

 

Posts: 1
Joined: 12.Apr.2010
Status: offline
Tom, hi, this is my first time on ISAServer and I find the site to be great. I do have a question about the install of UAG 2010.

How would I go about getting the UAG deployed with a Cisco ASA 5520?
I have an SSM 4g card in the ASA and was wondering what is the best way to get this to the outside world. The ASA is in routed mode with 4 DMZs; at this time we have TMG in one of the DMZs doing a back-to-back FW config. Any help would be great.

(in reply to tshinder)
Post #: 2
RE: Welcome to the UAG 2010 Installation Section - 16.Apr.2010 7:30:59 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
The best configuration, in my opinion, is to put the ASA in front of the UAG server, and then just connect the internal interface of the UAG server to the corpnet. No need for an internal firewall behind the UAG server, because the TMG firewall is on the same box as the UAG server, thus providing the UAG server protection from the corpnet - no need to put in a back-end firewall to protect the UAG server from the corpnet because of the on-box TMG firewall.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Werthnerb)
Post #: 3
RE: Welcome to the UAG 2010 Installation Section - 11.Oct.2010 11:27:42 AM   
mohammad_ziad

 

Posts: 1
Joined: 2.Aug.2008
Status: offline
Hi, I am looking for the steps for installing UAG 2010 using an array.

Many Thanks

(in reply to tshinder)
Post #: 4
RE: Welcome to the UAG 2010 Installation Section - 12.Jan.2011 12:29:40 PM   
ryechz

 

Posts: 2
Joined: 12.Jan.2011
Status: offline
Tom,

I am in the process of doing the exact same thing with UAG SP1 with DirectAccess and a Cisco ASA 5510 and 2 physical servers set up in an NLB array. The DirectAccess wizard will not let you continue because it does not detect an external IP address. I was planning on relying on NAT to send the traffic to the external adapter(s) VLAN. No luck. I am a noob, so bear with me on this one. I need to set up a kind of DMZ that uses a class A address, but behind the ASA and use NAT along with it? Or is there just a simple pass-through mechanism that uses packet filtering so that I can achieve some sort of firewall protection? MS says that installing a UAG array behind a front-end firewall is not only supported, but recommended; they just don't provide any examples as to how to exactly make this happen.

_____________________________

Ryan

(in reply to tshinder)
Post #: 5
RE: Welcome to the UAG 2010 Installation Section - 12.Jan.2011 8:14:06 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
You will need to use public IP addresses on the UAG external interfaces; this means you need a public IP addressed DMZ. The ASA will then need to be configured to use routing (as opposed to NAT) for this public IP subnet. Inbound firewall policies (stateful packet filtering) will still be employed, just no NAT.

You will need to obtain a new public IP subnet from your ISP to achieve the above, or supernet your existing range into smaller subnets to create several usable ranges.

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to ryechz)
Post #: 6
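
Added example, not part of the original thread: a Python pre-flight check for the design described in post #6, which carves a routed DMZ subnet out of a provider block and verifies that the planned UAG external addresses are public, inside that subnet, and distinct from the firewall's DMZ interface. The 203.0.113.0/24 block is a documentation range standing in for the provider /24, and the function names and address assignments are assumptions made for illustration.

```python
import ipaddress

# RFC 1918 ranges: hosts numbered from these reach the Internet only through NAT.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def carve_dmz(provider_block, new_prefix, index):
    """Return the index-th /new_prefix subnet of the provider block."""
    block = ipaddress.ip_network(provider_block)
    return list(block.subnets(new_prefix=new_prefix))[index]

def check_external_plan(dmz, asa_dmz_ip, uag_external_ips):
    """Return a list of problems with the planned UAG external addresses."""
    problems = []
    gateway = ipaddress.ip_address(asa_dmz_ip)
    if gateway not in dmz:
        problems.append(f"ASA DMZ interface {gateway} is outside {dmz}")
    seen = set()
    for raw in uag_external_ips:
        ip = ipaddress.ip_address(raw)
        if any(ip in net for net in RFC1918):
            problems.append(f"{ip} is RFC 1918 private and would have to be NAT'd")
        elif ip not in dmz:
            problems.append(f"{ip} is not inside the routed DMZ {dmz}")
        elif ip in (dmz.network_address, dmz.broadcast_address):
            problems.append(f"{ip} is the network or broadcast address of {dmz}")
        elif ip == gateway:
            problems.append(f"{ip} collides with the ASA DMZ interface")
        elif ip in seen:
            problems.append(f"{ip} is assigned twice")
        seen.add(ip)
    return problems

if __name__ == "__main__":
    # Constructed sample: 203.0.113.0/24 stands in for the provider /24.
    dmz = carve_dmz("203.0.113.0/24", 28, 1)
    print("routed DMZ:", dmz)
    plans = {
        "routed, public": ["203.0.113.18", "203.0.113.19"],
        "NAT, private": ["10.1.1.10", "10.1.1.11"],
    }
    for name, addrs in plans.items():
        issues = check_external_plan(dmz, "203.0.113.17", addrs)
        print(name, "->", issues or "OK")
```
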
RE: Welcome to the UAG 2010 Installation Section - 13.Jan.2011 1:17:01 PM   
ryechz

 

Posts: 2
Joined: 12.Jan.2011
Status: offline
Thank you Jason, it is nice to have someone actually spell it out for me. Everywhere else is full of vagueries.

So, as a follow-up, I have another question. We currently have 2 5510 ASAs set up with a BGP configuration and we have been given a /24 block of addresses from our provider. So we have a plethora of addresses to work with. I hadn't heard things quite as you put it. I heard that I would have to use what is called transparent filtering and I would need to configure my firewall to be in a different mode. To achieve this, and keep current functionality (IPSEC VPN & FIREWALL), I would have to create multiple contexts within the ASA. The catch is that when this is done, the VPN functionality is removed because the firewall does not support running VPN with this new mode. In your post you call it simply to have my firewall configured for routing; is this the same thing as transparent mode (where it acts as a bridge)?

FYI, we do not have a DMZ currently, just the two firewalls working in BGP mode.

This link takes you to the list of unsupported things when running in context mode: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/contexts.html#wp1146747

_____________________________

Ryan

(in reply to Jason Jones)
Post #: 7
RE: Welcome to the UAG 2010 Installation Section - 13.Jan.2011 5:56:12 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Hi Ryan

No, that is different to using a different public IP address range and getting the firewall to route, but if it allows you to define the external UAG interfaces with public IP addresses and receive inbound connections, you should be good to go...

Check this: http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/db69492e-8f44-44b5-b3db-7f284cb35e4f/

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to ryechz)
Post #: 8
RE: Welcome to the UAG 2010 Installation Section - 14.Dec.2011 3:02:04 PM   
cwwilliams@co.hanove

 

Posts: 1
Joined: 14.Dec.2011
Status: offline
I have tested the UAG in a lab connected to the Internet. I am looking to now place the UAG on a Hyper-V host in our DMZ. It appears from your forum the external NIC needs to be a public-facing IP and the internal NIC a private IP.
Is this true for just DirectAccess or does this also apply to SSTP VPN?

Also are there any articles around about setting the UAG up on Hyper-V?

(in reply to Jason Jones)
Post #: 9
RE: Welcome to the UAG 2010 Installation Section - 14.Dec.2011 6:28:49 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: cwwilliams@co.hanove

I have tested the UAG in a lab connected to the Internet. I am looking to now place the UAG on a Hyper-V host in our DMZ. It appears from your forum the external NIC needs to be a public-facing IP and the internal NIC a private IP.
Is this true for just DirectAccess or does this also apply to SSTP VPN?

Also are there any articles around about setting the UAG up on Hyper-V?



No, SSTP VPN does not have the same limitations and can use DMZ private IP addresses which are NAT'd by an edge firewall.

Setting up UAG on a Hyper-V guest should be no different than on a standard server.

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to cwwilliams@co.hanove)
Post #: 10
RE: Welcome to the UAG 2010 Installation Section - 29.May.2013 12:13:23 AM
guylaine

 

Posts: 1
Joined: 28.May.2013
Status: offline
I try to install UAG 2010 without success. I get the following error: "failed to install tmg"
The installation is done on a clean virtual machine with Server 2008 R2 SP1 Standard.

I need your help.

(in reply to Jason Jones)
Post #: 11
