Wednesday, 14 April 2010

Recommended Network Card Configuration for Forefront UAG Servers

A common question from my ISA Server days that is also relevant for Forefront UAG deployments is:

How should I configure the network interfaces on my Forefront UAG Server?

A high-level overview of NIC configuration best practice is provided below:

  • The network card name used within the operating system should (ideally) be changed to closely match the network name used by UAG (and therefore by TMG). This makes the assignment obvious and improves supportability.
  • Only one network interface should be configured with a default gateway.
  • Only one network interface should be defined with DNS servers.
  • Unused or unnecessary bindings should be removed from all interfaces, where possible, to improve security. This is often termed ‘interface hardening’.
  • The default bind order should be amended so that the interface connected to the trusted network is bound first.

Based upon these best practices, the configuration shown below is the standard approach that I normally use as part of my usual Forefront UAG server build process.

Rename NICs:

Rename all NICs to descriptive names that ideally match the connection type and UAG wizard/console names.

UAG interface connected to the trusted network becomes: Internal Network

UAG interface connected to the untrusted network becomes: External Network

Please Note: Matching the names is not essential; it just makes mapping networks between UAG, TMG and Windows much easier when troubleshooting.

You should then have something like this:


Configure NICs:

NIC: Internal Network

The Internal Network NIC will normally be connected to your trusted environment. This could be your actual internal network (LAN) or could be a private DMZ (perimeter network) if using a back firewall.

  • Default Gateway – should not be defined
  • DNS Servers – should be defined
  • Register this connection’s address in DNS – Enabled
  • File and Printer Sharing for Microsoft Networks – Enabled
  • Client for Microsoft Networks – Enabled
  • NetBIOS over TCP/IP – Default or Enabled

A more detailed view of these settings is provided in the following example screenshots.

Networking items enabled for the Internal Network NIC:


Please Note: The above examples are for a non-NLB enabled system. If NLB is enabled within UAG, the ‘Network Load Balancing (NLB)’ items would be shown as selected in the NIC properties and should not be disabled.

General properties of the Internal Network NIC:


Advanced properties of the Internal Network NIC:


NIC: External Network

The External Network NIC will normally be connected to your untrusted environment. This could be your actual Internet connection if using an edge deployment, or could be a public DMZ (perimeter network) if using a front firewall.

  • Default Gateway – should be defined
  • DNS Servers – should not be defined
  • Register this connection’s address in DNS – Disabled
  • File and Printer Sharing for Microsoft Networks – Disabled
  • Client for Microsoft Networks – Disabled
  • NetBIOS over TCP/IP – Disabled

A more detailed view of these settings is provided in the following example screenshots.

Networking items enabled for the External Network NIC:


Please Note: The above examples are for a non-NLB enabled system. If NLB is enabled within UAG, the ‘Network Load Balancing (NLB)’ items would be shown as selected in the NIC properties and should not be disabled.

General properties of the External Network NIC:


Advanced properties of the External Network NIC:


Amend Bind Order:

Edit the bind order so that Internal Network sits above External Network: in the Network Connections window press Alt to show the menu bar, choose Advanced | Advanced Settings…, and reorder the connections on the Adapters and Bindings tab. Check the bindings listed for each connection in the lower pane at the same time; they should match the items enabled in the NIC properties above.

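A scripted equivalent of the four build steps above (rename, configure the Internal and External NICs, amend the bind order), added here as an example rather than taken from the original post. It targets Windows Server 2008 R2 with PowerShell 2.0, so it uses netsh and WMI rather than the NetAdapter cmdlets of later Windows releases. The connection names Windows assigned before renaming, every IP address and DNS server, and the use of Microsoft's nvspbind.exe for the unbinding step are assumptions; substitute your own values and confirm the result in the GUI after the reboot.

```powershell
# Added example (not code from the original post). Assumed: the OS-assigned connection
# names, site addressing, and nvspbind.exe on the path. Run from an elevated prompt.
$ErrorActionPreference = 'Stop'

$nics = @(
    @{ OldName = 'Local Area Connection';   NewName = 'Internal Network'
       Address = '10.10.0.20'; Mask = '255.255.255.0'; Gateway = $null
       Dns = @('10.10.0.10', '10.10.0.11'); RegisterInDns = $true;  NetBios = 0 }   # 0 = default (via DHCP)
    @{ OldName = 'Local Area Connection 2'; NewName = 'External Network'
       Address = '192.0.2.20';  Mask = '255.255.255.0'; Gateway = '192.0.2.1'
       Dns = @();                           RegisterInDns = $false; NetBios = 2 }   # 2 = NetBIOS over TCP/IP disabled
)

function Invoke-Netsh([string[]]$netshArgs) {
    # netsh reports failure as text plus a non-zero exit code, not a .NET exception
    $out = & netsh.exe $netshArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh $($netshArgs -join ' ') failed: $out" }
}

foreach ($n in $nics) {
    # 1. Rename so the Windows name matches what the UAG wizard and TMG console call the network
    Invoke-Netsh @('interface', 'set', 'interface', "name=$($n.OldName)", "newname=$($n.NewName)")

    # 2. Static address; only the External NIC gets a default gateway
    $addr = @('interface', 'ipv4', 'set', 'address', "name=$($n.NewName)", 'source=static',
              "address=$($n.Address)", "mask=$($n.Mask)")
    if ($n.Gateway) { $addr += "gateway=$($n.Gateway)"; $addr += 'gwmetric=1' }
    Invoke-Netsh $addr

    # 3. DNS servers on the Internal NIC only; clear the list first so nothing is left over from DHCP
    Invoke-Netsh @('interface', 'ipv4', 'set', 'dnsservers', "name=$($n.NewName)", 'source=static',
                   'address=none', 'validate=no')
    for ($i = 0; $i -lt $n.Dns.Count; $i++) {
        Invoke-Netsh @('interface', 'ipv4', 'add', 'dnsservers', "name=$($n.NewName)",
                       "address=$($n.Dns[$i])", "index=$($i + 1)", 'validate=no')
    }

    # 4. DNS registration and NetBIOS over TCP/IP are not exposed by netsh, so use WMI.
    #    Win32_NetworkAdapter.DeviceID matches Win32_NetworkAdapterConfiguration.Index.
    $adapter = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$($n.NewName)'"
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($adapter.DeviceID)"
    foreach ($r in @($cfg.SetDynamicDNSRegistration($n.RegisterInDns, $false), $cfg.SetTcpipNetbios($n.NetBios))) {
        # 0 = success, 1 = success but reboot required; anything else is an error code
        if ($r.ReturnValue -ne 0 -and $r.ReturnValue -ne 1) { throw "WMI call on $($n.NewName) returned $($r.ReturnValue)" }
    }

    # 5. Interface hardening: remove Client for Microsoft Networks (ms_msclient) and File and Printer
    #    Sharing (ms_server) from the External NIC. 2008 R2 has no in-box command for this; nvspbind.exe
    #    (a Microsoft download, assumed here) does it, otherwise untick the items in the NIC properties.
    if (-not $n.RegisterInDns) {
        foreach ($component in 'ms_msclient', 'ms_server') {
            & nvspbind.exe /d $n.NewName $component | Out-Null
        }
    }
}

# 6. Bind order: put the Internal Network first. The Advanced Settings dialog stores this order in
#    Tcpip\Linkage\Bind as \Device\{adapter GUID} entries, so move the Internal NIC's entry to the top.
#    The dialog remains the authoritative place to verify it after the reboot.
$internalGuid = (Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='Internal Network'").GUID
$linkage = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage'
$bind = @((Get-ItemProperty -Path $linkage -Name Bind).Bind)
$ordered = @($bind | Where-Object { $_ -like "*$internalGuid*" }) + @($bind | Where-Object { $_ -notlike "*$internalGuid*" })
Set-ItemProperty -Path $linkage -Name Bind -Value ([string[]]$ordered) -Type MultiString

Write-Host 'Done. Reboot, then re-check the NIC properties and Advanced Settings in Network Connections.'
```

The unbinding and bind-order steps are the two that the GUI normally performs; the script only reproduces what the Network Connections dialogs write, so treat the dialogs as the place to confirm the result before running the UAG Network Interfaces wizard.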

UAG Configuration:

When running the UAG Network Interfaces wizard, you should now see the following:


By taking a peek in the TMG console, you should see that these settings are consequently inherited as follows:


You should now have correctly configured network interfaces for Forefront UAG!

Important! Because the default gateway is on the External Network NIC, any internal subnet that is reached through the Internal Network NIC but sits behind a router (including VLANs routed by a layer 3 switch) needs a static route pointing at that router. Multiple default gateways are not supported; persistent static routes are the recommended solution. Once the static routes are in place, run the UAG Network Interfaces wizard again to add the new subnets (called address ranges) to the internal network definition; this is inherited by TMG and allows the traffic to flow correctly.
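Adding the persistent static routes described above and then checking the finished server against the rules in this post (one default gateway on the External NIC, DNS servers on the Internal NIC only, DNS registration and NetBIOS off on the External NIC, remote internal subnets routed via the Internal NIC), as an added example that is not part of the original post. The connection names, the internal router address and the subnet list are assumptions; run it elevated on a Windows Server 2008 R2 UAG server, where WMI is the available query interface.

```powershell
# Added example (not code from the original post). Assumed: the two renamed connections,
# an internal router at 10.10.0.1, and two subnets behind it. Run from an elevated prompt.
$ErrorActionPreference = 'Stop'
$internalName   = 'Internal Network'
$externalName   = 'External Network'
$internalRouter = '10.10.0.1'                    # assumed router / L3 switch on the internal segment
$remoteSubnets  = @(                             # assumed subnets reached through that router
    @{ Net = '10.20.0.0'; Mask = '255.255.0.0' },
    @{ Net = '10.30.0.0'; Mask = '255.255.255.0' }
)

function Get-NicConfig([string]$name) {
    # Win32_NetworkAdapter carries the connection name; its DeviceID matches the Index of the
    # Win32_NetworkAdapterConfiguration instance that holds the IP, DNS and NetBIOS settings.
    $adapter = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$name'"
    if (-not $adapter) { throw "No network connection named '$name'" }
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($adapter.DeviceID)"
}

$int = Get-NicConfig $internalName
$ext = Get-NicConfig $externalName

# 1. Persistent (-p) static routes for the subnets behind the internal router, tied to the Internal
#    NIC's interface index. This is the supported alternative to a second default gateway.
#    route.exe fails on a duplicate, so skip destinations that are already in the table.
foreach ($s in $remoteSubnets) {
    $existing = Get-WmiObject Win32_IP4RouteTable -Filter "Destination='$($s.Net)' AND Mask='$($s.Mask)'"
    if (-not $existing) {
        & route.exe -p add $s.Net mask $s.Mask $internalRouter 'if' $int.InterfaceIndex | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "route add for $($s.Net)/$($s.Mask) failed" }
    }
}

# 2. Audit the finished configuration against the rules in the post
$findings = @()
if ($int.DefaultIPGateway)           { $findings += "$internalName has a default gateway ($($int.DefaultIPGateway))" }
if (-not $ext.DefaultIPGateway)      { $findings += "$externalName has no default gateway" }
if (-not $int.DNSServerSearchOrder)  { $findings += "$internalName has no DNS servers" }
if ($ext.DNSServerSearchOrder)       { $findings += "$externalName has DNS servers ($($ext.DNSServerSearchOrder))" }
if ($ext.FullDNSRegistrationEnabled) { $findings += "$externalName still registers its address in DNS" }
if ($ext.TcpipNetbiosOptions -ne 2)  { $findings += "$externalName still has NetBIOS over TCP/IP enabled" }

# Exactly one default gateway across every IP-enabled adapter; a second one is the classic mistake
$gateways = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' |
              Where-Object { $_.DefaultIPGateway } | ForEach-Object { $_.DefaultIPGateway })
if ($gateways.Count -ne 1) { $findings += "Expected exactly one default gateway, found $($gateways.Count): $gateways" }

# Every remote internal subnet must leave via the Internal NIC towards the internal router
foreach ($s in $remoteSubnets) {
    $r = Get-WmiObject Win32_IP4RouteTable -Filter "Destination='$($s.Net)' AND Mask='$($s.Mask)'"
    if (-not $r -or $r.InterfaceIndex -ne $int.InterfaceIndex -or $r.NextHop -ne $internalRouter) {
        $findings += "$($s.Net)/$($s.Mask) is not routed via $internalRouter on $internalName"
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'NIC configuration matches the recommended layout.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run the audit again after the UAG Network Interfaces wizard has been re-run; the routes must exist in Windows before the wizard can pick up the new address ranges for the internal network.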

Hope this helps…

14 comments:

  1. Hey Jason,
    Great article. We are currently testing UAG 2010. If we wanted to just publish SharePoint 2007/2010 and OWA 2003 and a few forms-based web apps, would a single network card setup suffice? Obviously we need one network card for the array.
    thanks,
    GmFlanagan

  2. @GMFlanagan

    TMG is *only* supported with two network cards, as discussed here: http://blog.msedge.org.uk/2010/04/threat-management-gateway-tmg.html

    In general, one is connected to the trusted (internal) network and the other is connected to the untrusted (internet) network.

  3. The above comment should say *UAG* and not TMG...doh!

  4. Good article, very informative and helpful

  5. Hi Jason,

    Very good article - thanks for sharing this info.
    One question though: Why would you bind IPv6 on both NICs? Is it in order to support DA? If the scenario doesn't include DA, would you say that this should be ticked off?

    Cheers!

  6. Yes, DA requires the IPv6 bindings.

    I believe you can disable IPv6 for other scenarios, but I don't see any specific reason to do so that I am aware of...

    Cheers

    JJ

  7. Thanks for this! - This sort of info should be included in the step by step instructions provided by Microsoft!!

  8. I want configure UAG with 3 network cards
    one connected to the trusted (internal) network, one connected to the untrusted (internet) network and one connected to a DMZ


    UAG support it?

  9. No, UAG is not a firewall and has no concept of a DMZ zone. The UAG interfaces can however be placed into the DMZ zones of another firewall.

  10. Jason,

    I followed your post and configured UAG server NICs (Internal and External). However, when I start the UAG installation - it throws error "This computer is a domain member, but a connection to the domain controller cannot be established. Verify that connectivity is working, and then rerun the setup."

    I am able to ping DC's from UAG server, but not the other way around.

    Could you please let me know what I am missing?

    Thanks,
    -
    Aj

  11. I must add to my previous post (question) - I have added static route to my internal network as well.

    Route add -p mask

    -Aj

    Replies
    1. Hi Ajay,

      What result do you get when you run nltest /dsgetdc: from the UAG server?

      Maybe you cannot access ALL DC's?

      Cheers

      JJ

  12. In a LAN, two Ethernet NICs happened to have exactly the same address. How do you think the network will behave? Can anyone advise on this? Thanks in advance.

    Replies
    1. That would cause an IP address conflict - no?
