Cisco Support Community

Design for MS UAG (YIKES)

Believe it or not, the push from the top of our Organization is to deploy MS UAG.  I've been through the security concerns and ramifications with every Executive, but to no avail.  So I'm going to ask some of the experts about how to design this technology behind a firewall successfully.  MS recommends that it sit outside the firewall on the perimeter and also tie itself to the trusted network, in other words, totally leave it on an island outside the security in place to protect the trusted data resources.  I'm not sure if anyone has any experience with this MS technology or not, but I'm hoping someone out there has found a way to secure this technology behind a firewall successfully.  I've attached the document that explains this (MS network design, GOD HELP US).  Any help is appreciated.  I am not a fan of this by any means, but I do want to keep my job, so I need to devise a solution that protects my trusted network with this MS technology.


However, there has been a cause for confusion in this documentation because some admins confuse firewalling with NAT. While it is true that most firewalls are deployed with NAT enabled, that doesn't mean you must NAT connections coming through the firewall. In fact, the UAG Infrastructure and Planning Guide states:

"Are you deploying Forefront UAG as a DirectAccess server? A Forefront UAG DirectAccess server can be located behind a firewall or between a frontend and backend firewall, but note that a public IPv4 address is required, and therefore the server should not be located behind a NAT (Network Address Translation) device." [italics mine]

So, to answer the question - can you put the UAG DA server behind a front-end firewall? - the answer is yes. However, that firewall cannot NAT connections between the DirectAccess clients and the UAG DirectAccess server.



Tom Shinder
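The constraints in the reply above (a public IPv4 address on the UAG external interface, and no NAT between the DirectAccess clients and that interface, while a front-end firewall in the path is fine) can be turned into a pre-deployment check on a proposed design. The script below is an added example written for this thread, not code from Microsoft, Cisco or the original posters. It assumes a vendor-neutral description of the front-end firewall's NAT rules (the constructed `NatRule` type), treats identity NAT (original and translated address equal) as a NAT exemption, and additionally checks for two consecutive public IPv4 addresses, which is the Forefront UAG DirectAccess prerequisite for Teredo rather than something stated in this thread. The sample addresses are documentation ranges chosen for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Address blocks that are not reachable from the Internet. An explicit list is used
# instead of ipaddress.IPv4Address.is_global because the documentation range used as
# the sample "public" addresses below (203.0.113.0/24) is classed as non-global by
# that property and would make the example fail for the wrong reason.
NON_PUBLIC_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass
class NatRule:
    """A NAT rule in a constructed, vendor-neutral form (an assumption of this
    example): traffic matching `original` is rewritten to `translated`; both are
    single addresses or CIDR blocks."""
    name: str
    original: str
    translated: str


def is_public_ipv4(addr: ipaddress.IPv4Address) -> bool:
    """True if the address is outside every non-routable block listed above."""
    return not any(addr in net for net in NON_PUBLIC_V4)


def check_uag_placement(external_ips: List[str], nat_rules: List[NatRule]) -> List[str]:
    """Check a proposed UAG DirectAccess placement behind a front-end firewall.

    Returns a list of findings; an empty list means the design meets the constraints:
    public IPv4 on the external interface, two consecutive addresses (the Teredo
    prerequisite), and no firewall NAT rule that translates those addresses.
    """
    findings: List[str] = []
    public: List[ipaddress.IPv4Address] = []

    for ip in external_ips:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(f"{ip}: not a valid IP address")
            continue
        if addr.version != 4:
            findings.append(f"{ip}: DirectAccess clients reach the server over IPv4; "
                            "an IPv6 external address does not satisfy the public IPv4 requirement")
            continue
        if not is_public_ipv4(addr):
            findings.append(f"{ip}: not a public IPv4 address; the UAG DirectAccess server "
                            "must not sit on private addressing or behind NAT")
            continue
        public.append(addr)

    ordered = sorted(public)
    if len(ordered) < 2:
        findings.append("fewer than two public IPv4 addresses on the external interface "
                        "(Teredo needs two consecutive addresses)")
    elif any(int(b) - int(a) != 1 for a, b in zip(ordered, ordered[1:])):
        findings.append("external IPv4 addresses are not consecutive "
                        "(Teredo needs two consecutive addresses)")

    for rule in nat_rules:
        orig_net = ipaddress.ip_network(rule.original, strict=False)
        xlat_net = ipaddress.ip_network(rule.translated, strict=False)
        if orig_net == xlat_net:
            continue  # identity NAT / NAT exemption: the address passes through untranslated
        for addr in public:
            # A rule matching the address in either direction means the clients would see
            # a translated address, which the planning guide rules out.
            if addr in orig_net or addr in xlat_net:
                findings.append(f"NAT rule '{rule.name}' ({rule.original} -> {rule.translated}) "
                                f"translates {addr}; DirectAccess traffic must reach the server untranslated")
    return findings


if __name__ == "__main__":
    # Constructed sample: UAG external interface on two consecutive documentation-range
    # addresses behind a front-end firewall whose only NAT rule is outbound PAT for an
    # unrelated DMZ segment (acceptable), versus a static NAT mapping the UAG public
    # address to a private one (the design the reply warns against).
    good = check_uag_placement(["203.0.113.10", "203.0.113.11"],
                               [NatRule("dmz-pat", "192.168.50.0/24", "203.0.113.2")])
    bad = check_uag_placement(["203.0.113.10", "203.0.113.11"],
                              [NatRule("uag-static", "10.0.5.10", "203.0.113.10")])
    print("good design:", good or "no findings")
    print("bad design:", *bad, sep="\n  ")
```

The check deliberately treats any NAT rule whose scope touches the UAG addresses as a finding, even a PAT rule for the segment the server sits on: the point the reply makes is that the front-end firewall may filter the DirectAccess traffic but must route those public addresses straight through.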
