Does UAG 2010 contain all of TMG 2010? I read one page that said when you install UAG, you also are installing TMG, implying that it comes with it. How does one order UAG 2010? Are there versions (Standard and Enterprise)? Do I need to order both products, TMG and UAG? I see that UAG 2010 is the way to go if you plan on doing DirectAccess with Windows Server 2008 R2 and Windows 7 (apparently only 7 Ultimate or 7 Enterprise are capable of this). If someone currently has ISA Server 2006 loaded (edge scenario, 2 NICs only), what will my experience be in setting up UAG 2010? Does it also do Access rules, or is UAG reserved for remoting in, while TMG is reserved for requesting out? As you can tell, I'm a bit confused by the product lines coming out under the Forefront name...
There is a white paper that we are waiting for from the UAG Team that will illustrate which features from TMG can be used in UAG, and which are not supported.
Thanks for the feedback...that link was definitely helpful, especially seeing that others are in the same boat as me. Does anyone know the list price of a UAG 2010 install? I'm trying to budget for next year, and I know the cost of TMG, but UAG is a new beast to me...
Would it be better to just run TMG, and do DirectAccess WITHOUT UAG involved? Would TMG get in the way?
HTH, Tarek
This is the current published supportability standpoint in using 'TMG underneath UAG':
Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:
ORIGINAL: tad_braun
Thanks for the feedback...that link was definitely helpful, especially seeing that others are in the same boat as me. Does anyone know the list price of a UAG 2010 install? I'm trying to budget for next year, and I know the cost of TMG, but UAG is a new beast to me...
Would it be better to just run TMG, and do DirectAccess WITHOUT UAG involved? Would TMG get in the way?
UAG will probably have a similar license model and price structure as its predecessor IAG. IAG is based upon a 'server + CAL' model. For budgetary purposes this should be a good indication for UAG.
You can use DirectAccess with TMG as discussed here:
The key problem without UAG is that your intranet servers need to be configured for IPv6 which is often not the case.
UAG has specific NAT64 and DNS64 technology to allow DirectAccess to work when intranet servers are using IPv4.
UAG is also pretty much mandatory if you want a highly-available DirectAccess deployment...
Based upon the benefits of UAG and the likely support stance of MS on using TMG underneath UAG, the likely scenario will be the use of two dedicated solutions; one using TMG and one using UAG. TMG is more likely for outbound with UAG more likely for inbound services.
It all depends on what you need, but as soon as you mention DirectAccess, the need for UAG is very compelling, even if you already have TMG installed/available...
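The NAT64/DNS64 mechanism referred to above, as an added illustration that is not part of this thread and is not UAG's or Microsoft's code: a small Python model of how a DNS64 resolver synthesizes an AAAA record for an IPv4-only intranet server (so an IPv6-only DirectAccess client can name it), and how the NAT64 side recovers the IPv4 destination from that synthesized address. The well-known 64:ff9b::/96 prefix from RFC 6052 is an assumption for illustration; UAG uses its own site-specific prefix. The zone data, host names and addresses are constructed.

```python
import ipaddress
from typing import Dict, List, Optional

# Assumption for the example: the RFC 6052 well-known NAT64 prefix.
# A real UAG deployment uses a site prefix derived from its IPv6 configuration.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> str:
    """DNS64 step: embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are modelled here")
    v4 = ipaddress.IPv4Address(ipv4)
    # The low 32 bits of a /96 network address are zero, so OR-ing in the IPv4 value is safe.
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def extract_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> Optional[str]:
    """NAT64 step: recover the IPv4 destination from a synthesized address.

    Returns None for a native IPv6 destination, which needs no translation.
    """
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


def dns64_answer(name: str, zone: Dict[str, Dict[str, List[str]]],
                 prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> List[str]:
    """Answer an AAAA query the way a DNS64 resolver does.

    If the name already has AAAA records, return them unchanged (native IPv6 wins).
    Otherwise synthesize one AAAA per A record; names with no A records get an empty answer.
    """
    records = zone.get(name, {})
    if records.get("AAAA"):
        return list(records["AAAA"])
    return [synthesize_aaaa(a, prefix) for a in records.get("A", [])]


# Constructed intranet zone: one IPv4-only file server and one dual-stack host.
CONSTRUCTED_ZONE: Dict[str, Dict[str, List[str]]] = {
    "fileserver.corp.example": {"A": ["10.1.2.3"]},
    "dualstack.corp.example": {"A": ["10.1.2.4"], "AAAA": ["2001:db8:1::4"]},
}


if __name__ == "__main__":
    for host in ("fileserver.corp.example", "dualstack.corp.example"):
        answer = dns64_answer(host, CONSTRUCTED_ZONE)
        print(host, "->", answer)
        for a in answer:
            print("   NAT64 would forward to:", extract_ipv4(a) or "native IPv6, no translation")
```

The point for the thread: without DNS64 the client never learns an IPv6 name for the IPv4-only file server, and without NAT64 nothing can carry the packet to 10.1.2.3, which is why native DirectAccess on Windows Server 2008 R2 alone assumes IPv6-reachable intranet servers. The dual-stack host shows the other half of the rule: DNS64 leaves real AAAA records alone, so translation only happens where it is needed.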
Does TMG offer the same type of access control for DirectAccess connections (control by security groups, control over which servers can be accessed, and with which protocols) as with a "normal" VPN client connection?
Does UAG secure DirectAccess connections in any way that exceeds WS2008 through TMG?
As part of the DA configuration, you define a group of computers that are authorised to use DA. In terms of access control, UAG features an option called end-to-end which allows you to limit the destination servers. I don't think there is any option to limit protocols.
UAG provides enhancements for IPv4 intranet resources using NAT64/DNS64 and centralised management/high availability that are not included in native DirectAccess.
Thanks for your replies, Jason. "If money is no object, then given the two options, UAG is the only real choice for DA..."
There. Fixed it for ya.<g>
So with TMG only, we can't limit the destination servers like we can with ISA and VPN Classic? Uh-oh...client's not gonna like that.
I'm still trying to get a handle on DA so please forgive my newbiness...my dim recollection of end-to-end is that you have to be IPv6 end-to-end. Correct? That's not likely at this point in history, so UAG doesn't get us any closer.
The other question was: Do you know what's involved with a domain change for UAG? Is it as trivial for UAG as it is for ISA & TMG? Because this project will be postponed indefinitely if it's a big uninstall/change domain/reinstall/reconfigure deal.
How about TMG with SSTP, not good enough?
TMG for DA is gonna be an issue if they run IPv4 only services internally; in this case, you will need UAG for the NAT64/DNS64 elements anyhow...even if they have no money
I've not used end-to-end yet (only end-to-edge) so not sure if this is IPv6 only or not.
DirectAccess will certainly be impacted by a domain change. This also applies if you are using the File Access feature. In theory you should be able to install a new server in the new domain/forest and then import the UAG config.
Let me see if I can get some MS input on this thread
As it happens, the servers they want to make available to VPN clients are running WS2008, so we're all set there. No internal IPv6 infrastructure yet beyond WS2008 DNS Server/DHCP Server defaults, but that will be part of the DA project.
It looks like non-end-to-end hosts fall back to end-to-edge (skimming), which I guess is not what you want.
How about placing a TMG firewall array between the UAG servers and the intranet server??? You could then use end-to-edge and let TMG do all the IPv4 firewalling...
Cheers
JJ
< Message edited by Jason Jones -- 19.Jan.2010 9:27:47 PM >