From checking all the docs it would seem that the connection flow for Horizon w/ UAG would be:
Client -> UAG -> Connection Server (verify where to connect), then
Client -> UAG -> Desktop
But that means you have to have a 1-to-many firewall rule, mapping inbound connections from the UAG (in the DMZ) to the Desktops (in the LAN).
I was wondering if it makes more sense to add another 'internal' layer of UAGs, so that it would be...
Client -> UAG (DMZ) -> UAG (LAN) -> Connection Server (verify where to connect), then
Client -> UAG (DMZ) -> UAG (LAN) -> Desktop
This would give you a 1-to-1 mapping in the DMZ-to-LAN rule, and the Desktop connection is now not in the rule.
Would that lead to some sort of instability?
I know there's a doc talking about a two-layer DMZ model, so you can hand off one UAG to another.
It's just that all the docs refer to the first scenario if you're doing it the 'normal' way.
Anyone tried this?
Hello
From what I understand, your idea is to have an external DMZ and an internal DMZ, where the external DMZ is the one on which I NATted the public IP, while the internal DMZ talks on the Client/Server VLAN.
If that's what you want to do, I have deployed this configuration several times without problems.
The only thing: remember to put the gateway on the external DMZ and the static routes for the internal network.
Bye
Fabio
.... and you need to deploy the UAG with 2 NICs; the deployment with 1 NIC is not supported in a production environment.
Thank you
Nah .. That's what I am referring to with a two-layer DMZ. You can get that info from this document.
What I am thinking here is to reduce the amount of DMZ-to-LAN overhead by putting a set of UAGs in the LAN, so the ruleset is easy.
I'm thinking it may cause issues, though I guess the only way to know is to test it.