[isalist] Re: UAG now "officially" in production at HoG

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 2 Jan 2010 13:39:46 -0600

Dude,

UAG is all about DirectAccess. Do you have that working in your "off
label" config?

While I admit that UAG is the preferred publishing platform and is more
secure for publishing (in general) than TMG, without DA - you're not
getting all it has to offer. 

Of course, I could argue that a DA + SSTP deployment should be separate
from the publishing deployment. The publishing deployment is for
unmanaged hosts, while the SSTP + DA deployment is for managed hosts.

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Saturday, January 02, 2010 12:07 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] UAG now "officially" in production at HoG

So on the heels of our previous conversations, I've finally "officially"
replaced TMG with UAG at HoG.

Jerry, this is where you might want to reiterate your
questions/concerns.  Thing is, I really DO seem to remember you saying
something about the "dual network/separate infrastructure" bit, but you
apparently have message ninja skills.  

I think I see why MSFT has chosen not to support typical TMG deployments
on UAG, but man - it seems like a TOTAL waste to have so much "power" in
TMG seemingly "wasted" on a UAG install.  For what UAG expects, it seems
like Windows Firewall could have done the job.  Having a full install of
TMG doesn't make sense to me, other than the fact that Whale was an
acquisition and built on top of TMG.

That said, though completely unsupported, I've got UAG/TMG doing
everything and more that TMG was doing.  One just has to be careful in
the way you group your rules, but only because of all the local protocol
access rules UAG builds.  They get rebuilt every time a UAG
configuration is "activated," so I've got mine logically located after the
UAG rules.  In this way, I've been able to easily build my perimeter
DMZ, publish SMTP, etc. in the TMG instance of UAG.

Additionally, I now have a single point of access to get OWA and other
applications via the UAG portal, while simultaneously accessing
RPC/HTTP(s) for OA and Remote Desktop services (RDP over RPC/HTTP(s))
all on the same "trunk" (listener).  TMG can't do that by itself.
Further, for non-win7 clients wishing to utilize Remote Desktop Gateway
functionality, I can tunnel RDP over SSL using UAG as the gateway.   To
be sure, MSFT *could* have made it possible for non-win 7 clients to use
RDG (TSG) but I think they chose not to on purpose.  

My only "real" issue now is the absence of "listener" type configuration
options in UAG, such as requiring a client-side certificate for a
connection.  I'm going to have to figure a way to "hork" that config -
as it is now, there is no way to require a client certificate in order
to access the UAG portal, which I think is poo.   That was a very strong
multiple-authentication measure to have available. 

The final step is to create the super-secret HoG authenticated external
proxy publishing config on UAG so Steve and Greg can bypass
international copyright laws, but that's another story and wholly
inappropriate for me to discuss here.   Oh, the things I do for Greg
just so that he can watch that stupid NCIS show (we won't get into what
Steve watches).  

Jerry, so far I've been able to recreate all the functionality of TMG on
UAG, so the "dual networks" and such are not necessary unless you want
to be supported.  I'm not worried about it because I have you guys. 

____________________

Timothy (Thor) Mullen

thor@xxxxxxxxxxxxxxx

www.hammerofgod.com

"Gandhi grills Tom Shinder's steaks."