What's the Best DA Deployment Configuration? (Full Version)



tshinder -> What's the Best DA Deployment Configuration? (19.Apr.2010 9:43:00 AM)

If you decide to deploy a UAG DirectAccess solution, you'll want to consider whether or not you want to use the other features included in UAG, such as web and portal publishing and VPN (SSTP and Network Connector). You can't put DA and Network Connector on the same array, so that's the first thing you need to be aware of. In general, it's a good idea to separate your DA/SSTP arrays from your web and portal publishing arrays. This is a wise decision from both a management and performance perspective, because DA takes a lot of processor cycles, which will be more noticeable for your web proxy connections than your DA connections.


BigDon86 -> RE: What's the Best DA Deployment Configuration? (19.Apr.2010 11:30:30 AM)

Hi Tom;

Good advice... What is your recommendation for the following customer scenario (let's say there are about 100 remote users).

1. Direct Access Portal
2. Network Connector Access
3. Publish OWA, CRM 4.0 and Sharepoint for Domain Users
4. Publish Sharepoint for non-Domain Users
5. Provide outbound Web Filtering
6. Provide inbound SPAM filtering

Based on your advice, it appears that #1 is a dedicated UAG server.

Since Web / SPAM filtering is not supported on UAG I assume #5 and #6 would be a TMG server.

Would a second UAG server handle the remaining options or are you recommending a dedicated server for the Network Connector?



BigDon86 -> RE: What's the Best DA Deployment Configuration? (19.Apr.2010 1:02:02 PM)

Replying to my own Post ...

It appears that the best way to answer my question below is to look at the UAG / TMG support boundaries - http://technet.microsoft.com/en-us/library/ee522953.aspx


tshinder -> RE: What's the Best DA Deployment Configuration? (20.Apr.2010 10:54:32 AM)

Hi Don,

Yep - it's always good to look at the support boundaries - they define what we can support and not support. That isn't to say that it won't work, but that the scenarios called out in the support boundary document represent tested configurations (although they may not be documented).

In general, you can run all the roles on the same UAG server or array, with the exception of the Network Connector. You can't run the Network Connector on the same server or array that has the DA server role running on it.

In addition, UAG doesn't do any spam filtering. You can't install the FPE/email protection features included with TMG on the UAG.

Network Connector can run with all the Web proxy/portal related roles.

The DA server can be co-located with the SSTP VPN server.

That's how I'd split up the roles in a production environment.

