Believe it or not, the push from the top of our Organization is to deploy MS UAG. I've been through the security concerns and ramifications with every Executive, but to no avail. So I'm going to ask some of the experts about how to design this technology behind a firewall successfully. MS recommends that it sit outside the firewall on the perimeter and also tie itself to the trusted network, in other words, totally leave it on an island outside the security in place to protect the trusted data resources. I'm not sure if anyone has any experience with this MS technology or not, but I'm hoping someone out there has found a way to secure this technology behind a firewall successfully. I've attached the document that explains this (MS network design, GOD HELP US). Any help is appreciated. I am not a fan of this by any means, but I do want to keep my job, so I need to devise a solution that protects my trusted network with this MS technology.
“Are you deploying Forefront UAG as a DirectAccess server? A Forefront UAG DirectAccess server can be located behind a firewall or between a frontend and backend firewall, but note that a public IPv4 address is required, and therefore the server should not be located behind a NAT (Network Address Translation) device” [italics mine]
So, to answer the question “can you put the UAG DA server behind a front-end firewall?”: the answer is yes. However, that firewall cannot NAT connections between the DirectAccess clients and the UAG DirectAccess server.
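The practical consequence of the quoted requirement is that the UAG DirectAccess server's Internet-facing interface must carry addresses that are genuinely public, not RFC 1918 or carrier-grade-NAT space that a front-end firewall would translate. The following pre-deployment check is an added example written for this thread, not code from Microsoft or from the original poster. It flags any external address that falls in a non-routable range and, because the Teredo transition technology used by DirectAccess expects two consecutive public IPv4 addresses on the Internet-facing interface (a DirectAccess requirement not quoted on this page), it also checks for a consecutive pair. The sample addresses are constructed from the RFC 5737 documentation range, which the script deliberately treats as public so that the example can use it as a stand-in for real addresses.

```python
import ipaddress

# Ranges that are never routable on the public Internet. An external
# DirectAccess address in one of these means the server sits behind NAT (or is
# misconfigured), which the quoted guidance rules out. RFC 5737 documentation
# ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are intentionally NOT
# listed so that the constructed sample addresses below count as public.
NON_PUBLIC_V4 = [
    ipaddress.ip_network("10.0.0.0/8"),       # RFC 1918 private
    ipaddress.ip_network("172.16.0.0/12"),    # RFC 1918 private
    ipaddress.ip_network("192.168.0.0/16"),   # RFC 1918 private
    ipaddress.ip_network("100.64.0.0/10"),    # RFC 6598 carrier-grade NAT
    ipaddress.ip_network("169.254.0.0/16"),   # link-local / APIPA
    ipaddress.ip_network("127.0.0.0/8"),      # loopback
    ipaddress.ip_network("0.0.0.0/8"),        # "this" network
    ipaddress.ip_network("224.0.0.0/4"),      # multicast
    ipaddress.ip_network("240.0.0.0/4"),      # reserved
]


def is_public_ipv4(addr):
    """True if addr is an IPv4 address outside every non-public range above."""
    ip = ipaddress.ip_address(addr) if isinstance(addr, str) else addr
    if ip.version != 4:
        return False
    return not any(ip in net for net in NON_PUBLIC_V4)


def check_external_addresses(addresses):
    """Check the addresses bound to the UAG DA Internet-facing interface.

    Returns a list of findings; an empty list means every check passed.
    Native IPv6 addresses on the same interface are allowed but do not count
    toward the public-IPv4 requirement, so they are skipped here.
    """
    findings = []
    public_v4 = []
    for text in addresses:
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            findings.append(f"{text}: not a valid IP address")
            continue
        if ip.version == 6:
            continue  # fine for native IPv6 clients, irrelevant to the IPv4 check
        if not is_public_ipv4(ip):
            findings.append(f"{text}: not a public IPv4 address (NAT or misconfiguration)")
            continue
        public_v4.append(int(ip))

    if len(public_v4) < 2:
        findings.append("fewer than two public IPv4 addresses; Teredo needs two")
    else:
        ordered = sorted(public_v4)
        consecutive = any(b - a == 1 for a, b in zip(ordered, ordered[1:]))
        if not consecutive:
            findings.append("no consecutive pair of public IPv4 addresses; Teredo needs one")
    return findings


if __name__ == "__main__":
    # Constructed sample: what a firewall admin might hand the UAG server
    # after NATing it onto the perimeter segment. Every line printed is a
    # reason the DirectAccess deployment will not work as designed.
    for finding in check_external_addresses(["192.168.50.10", "192.168.50.11"]):
        print(finding)
```

Run it with the addresses actually assigned to the external NIC; a clean result only tells you the addresses are public and paired, not that the front-end firewall passes them untranslated, so the no-NAT rule on that firewall still has to be verified by hand.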
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...