Default Network binding order
Before installing UAG, the network binding order of the network cards on the UAG servers must be configured correctly, in the following order: LAN first, then Internet. This prevents UAG configuration problems (the AD LDS instance must be reachable on the private interface).
Network cards configuration
By default, my first UAG server will be reachable through its internal interface. Note that this interface does not have a default gateway. This is a requirement, because the Windows IP stack does not allow a default gateway to be configured on two different interfaces (public and private). The public interface is configured only with a dedicated public IPv4 address.
Note that a 6to4 interface is created automatically because the server is directly connected to the Internet. In a real-world deployment, this is not good practice.
The same configuration applies to my second UAG server.
The internal interface must be configured with one or more internal DNS servers. The DNS settings of the external interface should be left empty in order to avoid a DNS64 performance issue (see the Forefront UAG DirectAccess prerequisites for additional information).
Required KB before next step
Before installing UAG, please install KB977342 on each UAG node. This is a mandatory requirement of the DirectAccess UAG wizard in an NLB scenario; otherwise the UAG wizard will block you while you configure DirectAccess.
The initial setup process is straightforward (Next, Next, Finish). The only required information is the installation path:
Reboot the UAG server after the initial setup, because the setup process changes many things, especially in the firewall.
Final Network binding order
The final network binding order must be configured as illustrated below. We have no need for the SSL Network Tunneling interface.
In a standard UAG DirectAccess scenario, the Global Query Block List must be configured to allow ISATAP queries. This can be done with a simple DNSCMD.EXE command line followed by a restart of the DNS service (the operation must be performed on each DNS server declared in the infrastructure tunnel). Then we can create the ISATAP host record that will point to the future internal NLB VIP address.
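The DNSCMD.EXE steps above, as an added example that is not part of the original post; the zone name and the NLB VIP are placeholders to replace with your own values, and the commands run in an elevated session on each internal DNS server.

```powershell
# Added example (not from the original post): allow ISATAP resolution on a
# Windows DNS server, restart the service, then create the ISATAP host record.
# Run on each DNS server declared in the infrastructure tunnel.
$Zone      = 'corp.example.com'   # placeholder: your internal AD DNS zone
$IsatapVip = '192.0.2.10'         # placeholder: future internal NLB VIP

# 1. Show the current Global Query Block List (default is "wpad isatap").
dnscmd /info /globalqueryblocklist

# 2. Rewrite the list with only "wpad". Setting the list replaces it entirely,
#    so "isatap" is dropped and the server will answer ISATAP queries,
#    while WPAD name hijacking stays blocked.
dnscmd /config /globalqueryblocklist wpad

# 3. The DNS service only reads the block list at start-up.
Restart-Service -Name DNS

# 4. Create the ISATAP A record pointing at the internal NLB VIP.
dnscmd /recordadd $Zone isatap A $IsatapVip

# 5. Verify: "isatap" is gone from the list and the record now resolves
#    from this server (nslookup is used so this also works on Server 2008 R2).
dnscmd /info /globalqueryblocklist
nslookup "isatap.$Zone" 127.0.0.1
```

Keep "wpad" in the list and change it only on the DNS servers that actually serve the infrastructure tunnel: the block list exists to stop an ordinary domain member from dynamically registering an "isatap" or "wpad" name and redirecting clients, so the ISATAP record should be created by an administrator, as here, rather than by opening dynamic registration.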
Required updates:
For more information about UAG prerequisites, please see the Forefront UAG DirectAccess prerequisites. Next blog: initial configuration of our future UAG array.
BenoîtS – Simple and Secure by Design (I emphasize on “Secure”)