Charles_R
Contributor

Internal DMZ and External DMZ

Hello,

I've been trying to figure out the networking part of Unified Access Gateway.
To me it's still not clear what some terminology means and how I have to address them in the configuration of UAG.
I've done quite some reading and the things that keep popping up are:
Internal DMZ and External DMZ
Our network is not that complicated. It has a firewall on which some network segments reside: e.g. DMZ, Management VLAN, Server VLAN and Client VLAN. So, to get from one zone to another, traffic has to pass through the firewall.
Do we have to create an extra DMZ VLAN for UAG? How does that work?
How do I set up the UAG for that, when I only have three interfaces: Internet side, Management and back-end?

You are probably shaking your head in disbelief, like: another one.
I'm sorry. I hope someone will give me some advice on this.

4 Replies
Mickeybyte
Enthusiast

@Charles_R 

You could go for the 1-NIC setup. Then you place the UAG in the DMZ VLAN.

If you really want to split up the interfaces into different segments, you would indeed need to create a second segment on your firewall for NIC 2 and then (optionally) add NIC 3 to the MGMT VLAN.

Regards,
Mickeybyte
fabio1975
Expert

Ciao 

UAG with a single NIC is recommended by VMware in test environments only.

I would advise you to deploy with two network cards, where one is on the segment in the DMZ and one on the VLAN of the servers (where I assume the connection servers are).

Configure the gateway on the network card in the DMZ, and on the card that is located in the network segment of the servers configure static routes to allow the communication with the client VLAN (where I imagine the client VMs for the VDI are).

Then proceed to open the communication ports as per VMware documentation, depending on the protocol used (PCoIP or Blast).

If you need support for configuring files to deploy with scripts, please ask.

Fabio
BLOG: https://vmvirtual.blog

if satisfied give me a kudos
Charles_R
Contributor

Hi Fabio,

Thank you for your reply!
I hope I understood your advice correctly.
When I follow your advice, but use 3 instead of 2 NICs, I would create a situation like I drew in the attached picture.
Is that right?
In that case the UAG handles the traffic from the internet instead of the firewall between DMZ and the other networks.
That looks a bit strange to me, can you please confirm that this is the right way to handle this?

Regards
Charles

fabio1975
Expert

Ciao 

Yes, but on NIC 2 and NIC 3 you cannot specify a gateway; the communication from NIC 2 and NIC 3 to the VLANs that you call Management, Server and Client must be done only with static routes.

So in the static routes of NIC 3 you have to add the route for communication with the client VLAN (if the VDI clients that must be reached from the outside are there), and you have to remove the gateway (172.16.10.1) from NIC 2 and NIC 3.

Fabio
BLOG: https://vmvirtual.blog

if satisfied give me a kudos
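The routing rule Fabio describes (a default gateway only on the internet-facing NIC 1, with NIC 2 and NIC 3 reaching the internal VLANs purely via static routes whose next hop sits on that NIC's own subnet) is easy to get wrong in a scripted deployment. The following script is an added example, not code from this thread or from VMware: it parses a uagdeploy-style INI and reports any NIC 2/NIC 3 route that is a default route or whose next hop is off-subnet. The key names (deploymentOption, ip0/netmask0, defaultGateway, routes1/routes2 in "cidr gateway,cidr gateway" form, with NICs numbered 0 to 2 in the file) are assumed to follow the uagdeploy INI convention; all addresses are constructed for illustration.

```python
"""Check a two- or three-NIC UAG-style deployment INI for the routing rule from
the thread: only NIC 1 carries a default gateway; NIC 2 and NIC 3 reach internal
VLANs only through static routes with a next hop on that NIC's own subnet.
Example code, not VMware's; INI key names are an assumption, addresses constructed."""
import configparser
import ipaddress

DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")
NIC_COUNT = {"onenic": 1, "twonic": 2, "threenic": 3}

# Constructed sample that follows the rule: gateway on NIC 1 only, static routes
# on NIC 2 (routes1) and NIC 3 (routes2) with next hops inside each NIC's subnet.
GOOD_INI = """
[General]
name=uag-dmz-01
deploymentOption=threenic
ip0=203.0.113.10
netmask0=255.255.255.0
defaultGateway=203.0.113.1
ip1=172.16.10.20
netmask1=255.255.255.0
ip2=172.16.20.20
netmask2=255.255.255.0
routes1=172.16.30.0/24 172.16.10.1
routes2=172.16.40.0/24 172.16.20.1
"""

# Constructed sample with the two mistakes the thread warns about: a default
# route on NIC 2, and a NIC 3 route whose next hop lives on NIC 2's subnet.
BAD_INI = GOOD_INI.replace(
    "routes1=172.16.30.0/24 172.16.10.1", "routes1=0.0.0.0/0 172.16.10.1"
).replace(
    "routes2=172.16.40.0/24 172.16.20.1", "routes2=172.16.40.0/24 172.16.10.1"
)


def parse_routes(value):
    """Parse 'cidr gateway,cidr gateway' into (network, next_hop) pairs."""
    routes = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        cidr, gateway = entry.split()
        routes.append((ipaddress.ip_network(cidr, strict=False),
                       ipaddress.ip_address(gateway)))
    return routes


def nic_interface(general, idx):
    """Return the address/netmask of INI NIC index idx (ip0 = NIC 1)."""
    return ipaddress.ip_interface(f"{general[f'ip{idx}']}/{general[f'netmask{idx}']}")


def check_uag_routing(ini_text):
    """Return a list of findings; an empty list means the INI follows the rule."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    general = cfg["General"]
    findings = []
    nics = NIC_COUNT.get(general.get("deploymentOption", "onenic"), 1)

    # NIC 1: the single default gateway must be reachable on its own subnet.
    nic1 = nic_interface(general, 0)
    gateway = ipaddress.ip_address(general["defaultGateway"])
    if gateway not in nic1.network:
        findings.append(f"NIC 1: defaultGateway {gateway} is not on subnet {nic1.network}")

    # NIC 2 / NIC 3: static routes only, no default route, next hop on-subnet.
    for idx in range(1, nics):
        label = f"NIC {idx + 1}"
        iface = nic_interface(general, idx)
        routes_key = f"routes{idx}"
        if routes_key not in general:
            findings.append(f"{label}: no {routes_key}, internal VLANs are unreachable")
            continue
        for network, next_hop in parse_routes(general[routes_key]):
            if network == DEFAULT_ROUTE:
                findings.append(f"{label}: carries a default route via {next_hop}")
            if next_hop not in iface.network:
                findings.append(f"{label}: route {network} has next hop {next_hop} "
                                f"that is not on {label}'s subnet {iface.network}")
    return findings


if __name__ == "__main__":
    for name, text in (("GOOD_INI", GOOD_INI), ("BAD_INI", BAD_INI)):
        print(name, check_uag_routing(text) or ["OK"])
```

Run it against your real INI by reading the file into check_uag_routing(); if it returns an empty list, NIC 2 and NIC 3 have no default gateway and every static route can actually be forwarded by a firewall interface on that NIC's segment.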