Planning a Forefront UAG DirectAccess array

Updated: February 15, 2013

Applies To: Unified Access Gateway

This topic is designed to help you understand the elements required in planning a Forefront Unified Access Gateway (UAG) DirectAccess array and load balancing design. For general array planning information, see Array planning guide.

The following sections describe:

  • General Forefront UAG DirectAccess requirements

  • Planning for an array with integrated NLB

  • Planning for an array with a hardware load balancer

General Forefront UAG DirectAccess requirements

A number of general Forefront UAG DirectAccess prerequisites apply regardless of whether you are deploying a single server or an array. These include infrastructure requirements, domain requirements, DNS configuration, certificate infrastructure requirements, client requirements, and network and routing requirements. For a complete list, see Forefront UAG DirectAccess prerequisites, or Forefront UAG DirectAccess prerequisites for SP1.

Planning for an array with integrated NLB

You can deploy an array of Forefront UAG DirectAccess servers and load balance traffic between them using either Forefront UAG integrated Network Load Balancing (NLB) or a hardware load balancer. For more information about load balancing, see Load balancing design.

To plan for an array that is load balanced with integrated NLB, you need to understand the prefix requirements and the VIP and DIP requirements.

Prefix requirements

Forefront UAG enables load balancing of SSL-based traffic in addition to Forefront UAG DirectAccess-based traffic. To load balance all Forefront UAG DirectAccess traffic, which is IPv6 based, Forefront UAG NLB must examine the IPv4 tunnel for all transition technologies. Because IP-HTTPS traffic is encrypted, examining the content of the IPv4 tunnel is not possible. To enable IP-HTTPS traffic to be load balanced, you must allocate a wide enough IPv6 prefix to enable Forefront UAG to assign a different IPv6 /64 prefix to each of the nodes. For example, 2 array members require a /63 prefix (which enables Forefront UAG to define a /64 prefix for each array member); 8 array members require a /61 prefix (which enables Forefront UAG to define a /64 prefix for each array member). This prefix must be routable to the Forefront UAG DirectAccess array, and is configured during the Forefront UAG DirectAccess configuration.
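The following planning check is an added example and is not part of this topic or of the Forefront UAG product; it generalizes the /63 and /61 cases above to any member count and splits a planned prefix into the per-member /64 prefixes. The prefix 2001:db8::/61 used in the comments is a constructed documentation value, not one you would route to a real array.

```python
import ipaddress


def required_prefix_length(members: int) -> int:
    """Return the narrowest IPv6 prefix that still gives every array member
    its own /64. Each doubling of the member count borrows one more bit
    from the /64 boundary: 1 -> /64, 2 -> /63, 3..4 -> /62, 5..8 -> /61."""
    if members < 1:
        raise ValueError("an array needs at least one member")
    # (members - 1).bit_length() is the exact ceil(log2(members)) without floats.
    bits_needed = (members - 1).bit_length()
    return 64 - bits_needed


def member_prefixes(prefix: str, members: int) -> list:
    """Split the prefix planned for the array into one /64 per member.

    Raises ValueError when the prefix is narrower than the member count
    needs (for example 2001:db8::/62 cannot serve 8 members), or when the
    string is not a proper network address (host bits set)."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    needed = required_prefix_length(members)
    if net.prefixlen > needed:
        raise ValueError(
            f"{prefix} is too narrow for {members} members; "
            f"allocate at least a /{needed}"
        )
    # subnets(new_prefix=64) yields the consecutive /64s inside the prefix;
    # a prefix wider than necessary leaves the surplus /64s unassigned.
    return [str(s) for s in list(net.subnets(new_prefix=64))[:members]]


if __name__ == "__main__":
    # Constructed planning input: an 8-node array with a /61 allocation.
    for node, p in enumerate(member_prefixes("2001:db8::/61", 8), start=1):
        print(f"array member {node}: {p}")
```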

VIP and DIP requirements

When planning a Forefront UAG DirectAccess NLB array, you must plan for the following DIPs and VIPs that will be configured on the array manager server:

  • An Internet-facing static IPv4 address (DIP).

  • An internal network facing static IPv6 address (DIP).

  • An internal network facing static IPv4 address (DIP).

  • Two Internet-facing consecutive public IPv4 addresses (VIPs).

  • An internal network facing IPv6 address (VIP).

  • An internal network facing IPv4 address (VIP).

For more information about deploying an array with integrated NLB, see Configuring NLB for a Forefront UAG DirectAccess array.

Planning for an array with a hardware load balancer

There are a number of considerations for planning and deploying a Forefront UAG array with a hardware load balancer. For more information, see Configuring external load balancing for a Forefront UAG DirectAccess array.