Hi Tom, this is my first time on ISAServer; I find the site to be great. I do have a question about the install of UAG 2010.
How would I go about getting UAG deployed with a Cisco ASA 5520? I have an SSM 4G card in the ASA and was wondering what is the best way to get this to the outside world. The ASA is in routed mode with 4 DMZs; at this time we have TMG in one of the DMZs doing a back-to-back firewall config. Any help would be great.
The best configuration, in my opinion, is to put the ASA in front of the UAG server and then just connect the internal interface of the UAG server to the corpnet. There is no need for an internal firewall behind the UAG server, because the TMG firewall is on the same box as the UAG server, thus providing the UAG server protection from the corpnet; there is no need to put in a back-end firewall to protect the UAG server from the corpnet because of the on-box TMG firewall.
I am in the process of doing the exact same thing with UAG SP1 with DirectAccess, a Cisco ASA 5510 and 2 physical servers set up in an NLB array. The DirectAccess wizard will not let you continue because it does not detect an external IP address. I was planning on relying on NAT to send the traffic to the external adapter(s) VLAN. No luck. I am a noob, so bear with me on this one. Do I need to set up a kind of DMZ that uses a class A address, but behind the ASA, and use NAT along with it? Or is there just a simple pass-through mechanism that uses packet filtering so that I can achieve some sort of firewall protection? MS says that installing a UAG array behind a front-end firewall is not only supported but recommended; they just don't provide any examples as to how exactly to make this happen.
Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
You will need to use public IP addresses on the UAG external interfaces; this means you need a public-IP-addressed DMZ. The ASA will then need to be configured to use routing (as opposed to NAT) for this public IP subnet. Inbound firewall policies (stateful packet filtering) will still be employed, just no NAT.
You will need to obtain a new public IP subnet from your ISP to achieve the above, or supernet your existing range into smaller subnets to create several usable ranges.
Thank you Jason, it is nice to have someone actually spell it out for me. Everywhere else is full of vagaries.
So, as a follow-up, I have another question. We currently have two 5510 ASAs set up with a BGP configuration and we have been given a /24 block of addresses from our provider, so we have a plethora of addresses to work with. I hadn't heard things quite as you put it. I heard that I would have to use what is called transparent filtering and I would need to configure my firewall to be in a different mode. To achieve this, and keep current functionality (IPSEC VPN and firewall), I would have to create multiple contexts within the ASA. The catch is that when this is done, the VPN functionality is removed because the firewall does not support running VPN with this new mode. In your post you simply call it having my firewall configured for routing; is this the same thing as transparent mode (where it acts as a bridge)?
FYI, we do not have a DMZ currently, just the two firewalls working in BGP mode.
Hi Ryan
No, that is different from using a different public IP address range and getting the firewall to route, but if it allows you to define the external UAG interfaces with public IP addresses and receive inbound connections, you should be good to go...
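As an added illustration of Jason's two answers above (the public-IP routed DMZ in his first reply, and the point in this one that routing a public subnet is not the same as transparent mode), here is a Cisco ASA configuration fragment for the DirectAccess case. It is not from this thread, nor from Microsoft's or Cisco's documentation. The interface names, the 198.51.100.0/30 provider link and the 203.0.113.0/24 customer block are constructed documentation-range addresses, the UAG external addresses .4 and .5 are assumed, and the syntax assumes ASA 8.3 or later, where a subnet with no nat statement is forwarded untranslated.

```cisco
! Constructed example (not from the thread). ASA 8.3+ syntax assumed.
! 198.51.100.0/30 = provider link (constructed)
! 203.0.113.0/24  = customer public block, routed by the ISP to 198.51.100.2 (constructed)
! 203.0.113.0/28  = slice of that block used as the UAG DMZ, no NAT
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet0/2
 nameif uag-dmz
 security-level 50
 ip address 203.0.113.1 255.255.255.240
!
! Default route to the provider; the DMZ subnet is a connected route,
! so inbound packets for 203.0.113.0/28 are forwarded, not translated.
route outside 0.0.0.0 0.0.0.0 198.51.100.1
!
! UAG external interface: DirectAccess needs two consecutive public
! IPv4 addresses (the second is used by Teredo). Assumed .4 and .5.
object-group network UAG-DA-EXTERNAL
 network-object host 203.0.113.4
 network-object host 203.0.113.5
!
! Inbound services for the DirectAccess transition technologies:
! IP-HTTPS (TCP 443), Teredo (UDP 3544) and 6to4 (IP protocol 41).
object-group service UAG-DA-INBOUND
 service-object tcp destination eq https
 service-object udp destination eq 3544
 service-object 41
!
! Stateful inbound policy on the outside interface: only the DirectAccess
! listeners on the UAG public addresses are reachable from the Internet.
access-list OUTSIDE_IN extended permit object-group UAG-DA-INBOUND any object-group UAG-DA-EXTERNAL
access-group OUTSIDE_IN in interface outside
!
! Deliberately absent: any "nat (uag-dmz,outside)" statement for
! 203.0.113.0/28. Routing instead of NAT is what lets the UAG
! DirectAccess wizard see a real public address on its external NIC.
```

The UAG box's external NIC would then carry 203.0.113.4/28 (plus .5) with 203.0.113.1 as its gateway, and its internal NIC sits on the corpnet as Tom describes. For a second NLB node, add that node's pair of addresses to the UAG-DA-EXTERNAL group. Note that the ASA stays in routed mode throughout; no transparent-mode context is involved, so site-to-site IPsec VPN on the same box is unaffected.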
I have tested UAG in a lab connected to the Internet. I am looking to now place the UAG on a Hyper-V host in our DMZ. It appears from your forum that the external NIC needs to be a public-facing IP and the internal NIC a private IP. Is this true for just DirectAccess, or does this also apply to SSTP VPN?
Also, are there any articles around about setting UAG up on Hyper-V?
No, SSTP VPN does not have the same limitations and can use DMZ private IP addresses which are NAT'd by an edge firewall.
Setting up UAG on a Hyper-V guest should be no different from a standard server.
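For contrast with the DirectAccess case, here is an added ASA fragment (not from the thread, and not vendor documentation) showing the NAT'd private-DMZ pattern Jason says is fine for SSTP VPN. The 10.10.20.0/24 DMZ, the UAG address 10.10.20.10, the public address 203.0.113.20 and the interface names are constructed; ASA 8.3+ syntax is assumed, where the access list references the real (pre-NAT) address.

```cisco
! Constructed example (not from the thread). ASA 8.3+ syntax assumed.
! The UAG SSTP listener sits on a private DMZ address and is
! published with a static NAT; no public subnet is needed here.
interface GigabitEthernet0/3
 nameif sstp-dmz
 security-level 50
 ip address 10.10.20.1 255.255.255.0
!
! UAG external NIC on the private DMZ (constructed address),
! published on a single public address from the customer block.
object network UAG-SSTP-EXTERNAL
 host 10.10.20.10
 nat (sstp-dmz,outside) static 203.0.113.20
!
! SSTP is TLS over TCP 443. In 8.3+ the ACL names the real address
! (the object), not the translated 203.0.113.20.
access-list OUTSIDE_IN extended permit tcp any object UAG-SSTP-EXTERNAL eq https
access-group OUTSIDE_IN in interface outside
```

This is the configuration the earlier DirectAccess poster tried first; it works for SSTP because the client only needs a TLS session to port 443, whereas the DirectAccess wizard insists on seeing a public address bound directly to the external NIC.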
I tried to install UAG 2010 without success; I get the following error: "failed to install tmg". The installation is done on a clean virtual machine with Server 2008 R2 SP1 Standard.