Ummm... Doesn't this then assume you're only using DA or another remote access technology since you are limited in what you can publish through UAG?
If you have an SSL site (or anything else you can publish) for external (non-corporate) users, wouldn't you need a different TMG infrastructure to provide that protected access?
I mean, you wouldn't be able to use UAG to provide access to internal resources for non-corporate, anonymous users, yeah?
What about OWA access if you're not on a corporate computer? What about CWA if you're not on a corporate computer?What about that corporate expense system if you're not on a corporate computer?
As I understand what's been written so far, UAG can only provide remote access to devices that are part of the corporate network...?
iPhoneから送信On Dec 23, 2009, at 9:46 PM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> wrote:
There is no need for an “edge firewall” with UAG since TMG is already on board – and since you *must* have two public IP addresses on the UAG’s external interface for DA, it would lead to useless wa stage of public addresses.From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros- bounce@xxxxxxxxxxxxx] On Behalf Of Jason JonesSent: Wednesday, December 23, 2009 6:36 PM To: isapros Subject: RE: [isapros] Re: FW: TMG Unsupported Hey Jerry,Yeah, I’ve seen the blog; that’s why I asked if it was only localhost support for IPv6 and DA. From what I have seen in the IAG docs, they talk about UAG being in a perimeter network, so I was cur ious about what would be providing the edge firewall role if TMG doe sn’t support IPv6???I am running UAG DA in production since RC0, but thanks for the links ;)Someone asked the question of “why two products…” at TechEd Berlin; the answer from David Cross was “there just wasn’t time to amalgamate the products into a single version for this release …”Cheers JJJason Jones | Forefront MVP | Security | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44 (0)7971 500312 | Email/MSN: jason.jones@xxxxxxxxxxxxxxxxxFrom: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros- bounce@xxxxxxxxxxxxx] On Behalf Of Jerry YoungSent: 23 December 2009 17:42 To: isapros Subject: [isapros] Re: FW: TMG Unsupported Jason,You can install TMG on a DA server but the assumption is that the DA server is straddling your edge. For specifics, see the following link.http://blogs.technet.com/isablog/archive/2009/09/23/forefront-tmg-and-windows-7-directaccess.aspxI don't think, however, that you'll be able to put TMG in front of UAG. Keep in mind that UAG installs a gimped, full version of TMG, and UAG is used for providing a highly available DA edge (as I understand it so far) and centralized management.The following links have information regarding UAG/DA. http://technet.microsoft.com/en-us/library/dd772157.aspx#BKMK_DA http://technet.microsoft.com/en-us/library/ee522953.aspxThe following is a thread I started on the IAG/UAG forum regarding this.http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/b8d0e1fe-9ab6-4b88-a2cc-4ad016c45196While Ben Ari responded to my post, he never addressed a core, unspoken question I presented (among others): Why separate the functionality of managing remote and protected access into two separate products? I mean, we already have the complete TMG product installed on UAG, right...? (o.O)I had been hoping the posting would have generated more discussion but it doesn't look as if that's going to happen, which is a shame.JerryOn Wed, Dec 23, 2009 at 10:37 AM, Jason Jones <Jason.Jones@xxxxxxxxxxxxxxxxx > wrote:Hey Jim, The "not so nice": HTTPS Inspection limitationsIssue: There are a number of limitations you should be aware of when enabling the HTTPS Inspection feature on Forefront TMG.Cause: The following features are not supported: * Extended Validation (EV) SSL certificates.EV certs are getting quite popular now, so I see the exclusion list having to grow quite quickly and an unpleasant admin overhead :(Forefront TMG does not support IPv6 trafficIssue: IPv6 traffic is not supported by Forefront TMG (except for DirectAccess). Cause: Filtering of IPv6 traffic is not supported, and all IPv6 traffic is blocked by default. Solution: It is recommended that you disable IPv6 traffic on the Forefront TMG computer or array members. To disable the IPv6 stack on the Forefront TMG computer or array member, see Knowledge Base article KB929852<http://go.microsoft.com/fwlink/?LinkId=179983> (http://go.microsoft.com/fwlink/?LinkId=179983 ). This is a real shame as a lot of "hardware vendors" now provide this out of the box; this could make it hard to introduce TMG as a 'proper firewall' if customers are seriously looking at deploying IPv6 :(Can you expand on the "except for DirectAccess"? E.g. could TMG be a dedicated edge firewall in front of UAG running DA? Or is it only when DA is installed on the TMG host itself?A lot of other statements fall into "same as ISA" or "glad to see them listed" :)One that I think should be included (that isn't) is a statement about the lack of support for stateful session failover when using NLB/HLB, as I believe TMG EE still cannot do this. A lot of people seem to assume it does, especially when comparing to 'da competition'.Cheers JJJason Jones | Forefront MVP | Security | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44 (0)7971 500312 | Email/MSN: jason.jones@xxxxxxxxxxxxxxxxx <mailto:jason.jones@xxxxxxxxxxxxxxxxx>From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros- bounce@xxxxxxxxxxxxx] On Behalf Of Jim HarrisonSent: 23 December 2009 15:19 To: isapros Subject: [isapros] Re: TMG Unsupported As in...?From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros- bounce@xxxxxxxxxxxxx] On Behalf Of Jason JonesSent: Wednesday, December 23, 2009 7:15 AM To: isapros Subject: [isapros] FW: TMG UnsupportedCool, nice to see some in there and not so nice to see others I hoped would be supported...handy doc though :)Jason Jones | Forefront MVP | Security | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44 (0)7971 500312 | Email/MSN: jason.jones@xxxxxxxxxxxxxxxxx <mailto:jason.jones@xxxxxxxxxxxxxxxxx>From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros- bounce@xxxxxxxxxxxxx] On Behalf Of Jim HarrisonSent: 23 December 2009 14:30 To: isapros Subject: [isapros] TMG Unsupported We just published the "unsupported stuff" for TMG on TechNet.http://technet.microsoft.com/en-us/library/ee796231.aspx is your link of reference.-- Cordially yours, Jerry G. Young II Microsoft Certified Systems Engineer
