Forefront Unified Access Gateway 2010 and PIX Firewall and SharePoint

I need help with Forefront Unified Access Gateway 2010 for a SharePoint Environment.. I have a primary PIX 515e firewall which handle both DMZ and Internal zones.. now I want to implement the UAG server in the DMZ layer and I want our clients to access the UAT server so it can route them to the SharePoint sites.. how can i accomplish this.. Please help me out i am new to the UAG.  Please see attached pic
uag.png
Abi_003Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

chosmerCommented:
Oy Vey....

Well,  It looks like this UAG 2010 is a combination of RRAS and ISA...so it does applicaiton layer firewalling and vpn termination...as well as layer 3 filtering and the whole 9 yards.

The PIX 515 mostly does layer 3 and some app filtering as well as VPN termination, but not the same kind.

The first decision you have to make is which device will do what part.

My suggestion is:

A) Configure your 515e to handle the NATS and the Routing between the Outside, DMZ and Internal network.  Make sure that works first paying close attention to the ports and protocols used by clients who access the UAG, and the UAG to the Sharepoint box.  After you get those basic things working, I would remove the protocol fixups in the ASA config, since it may step on the protocol filtering handeled by the UAG.

B) After you get the plumbing working...insert the UAG and see if you can access the sharpoint from the DMZ, and then from the outside...

Without more specifics, I can only give you the broad strokes.....
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Amit BhatnagarSystems Development Principal - Security and InfrastructureCommented:
Do a port forwarding on PIX for SSL to UAG and then put everything in DMZ behind UAG. This way, you will only be required to open SSL on PIX for DMZ and the rest would be taken care by UAG. Unless ofcourse, you are thinking about DirectAccess which is a different ball game altogether....LOL. UAG just like IAG is a very good solution for publishing anything and everything behind SSL but it comes at a good price..:)
-Amit.
0
dstwinsCommented:
Hello,

I'd like to object to the solutions above and offer in UAG specific terms how this should be done.

1)  Your PIX should serve only as your edge firewall to protect your DMZ.   You will also publish a 1-to-1 NAT from a public IP address to your DMZ IP address.   You should only need to open 80 and 443 through and ACL.

2)  UAG is a Dual Network card system.  One network card goes into your DMZ to listen for inbound traffic.   The other network card goes right into your LAN where your internal resources such as AD and SharePoint site.

3) Configure AD authentication on UAG.   and follow the wizard to publish SharePoint with Alternative Access mapping.

4) Activiate and save your changes.!

Your good to go!
Thanks
~UAG Expert
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Anti-Virus Apps

From novice to tech pro — start learning today.