ITVisionIT
Enthusiast

UAG 2NIC Deployment - Routing/Forwarding Assistance


I am looking to deploy a 2NIC UAG 3.1 to replace my security server.

During the initial deployment of the OVF deployment properties, it wants the following inputs. These are the first 3 inputs in the list.

DNS Servers

Gateway

Netmask

Are these for the Internet facing interface or the Mgmt/Backend Interface?

Also, would anyone be able to post a sample of the custom routes needed for NIC1 and NIC2 along with the forwarding rules? I realize this will be based on what IP settings I am using but just wanting to understand it a bit more by seeing an example.

When I initially deployed it without inputting the routes and forwarding settings, I was able to access the UAG mgmt interface internally and config the connection settings back to my Connection server, but when I attempted to connect from the outside using a client I was getting a timeout. Monitoring the firewall I could observe the internet facing interface getting hit, but nothing after that. I am assuming I need some type of routes configured on the UAG to pass the traffic from the Internet to the MGMT/Backend interface within the UAG regardless of my firewall rules.

If someone could provide a sample I could follow, that would be helpful.

Accepted Solutions
iforbes
Hot Shot

I just did all of this yesterday. The DNS server should be your "internal" DNS, so UAG can resolve internal names like your connection server(s). The gateway is a choice between which one of the 2 NICs you choose. I chose to use my internet facing nic0 as the interface for the default gateway. That means that nic1 will be the mgmt\back-end interface and you will require static routes using this interface to successfully route to "inside" networks (i.e. connection server, VDI desktops, DNS). Netmask is the mask needed for the internet facing interface (nic0).

Take a look at this KB for required firewall ports. Scroll down to the bottom where it discusses the rules for UAG (front-end and back-end). It's pretty clear what you need to define as your static routes. For example, you'll need a static route for getting to your connection servers. Another one for getting to your desktops. Another for getting to DNS.

I preferred deploying the UAG via PowerShell script as outlined here:

Using PowerShell to Deploy VMware Unified Access Gateway

Good luck.

3 Replies
ITVisionIT
Enthusiast

iForbes,

Thank you for the response.

After deploying via PowerShell everything seemed to go pretty smoothly. I did run into an issue with UAG version 3.1.0 not picking up my static routes from the .ini file. After I downloaded and deployed UAG 3.1.1, all my routes appeared when running route -n via the UAG console view.

Thank you again.

BenFB
Commander

We've also configured it this way. NIC0 is the Internet NIC and default gateway. It has static routes to reply to our load balancer for health monitoring (you must do health monitoring on the Internet NIC). We then have a single static route on NIC1 for our internal network (e.g. routes1=10.0.0.0/8 10.0.1.1).

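As an added sanity check for the two-NIC layout described in the replies (example code written for this thread, not part of the posts or of VMware's uagdeploy script): it parses the NIC and route values from a constructed deployment INI, confirms each next hop sits on the NIC it is bound to, and shows which NIC the appliance would use for a given destination, including the "no routes1 configured" case from the original question. The routes1 value follows BenFB's example; the other key names (ip0, netmask0, defaultGateway, ip1, netmask1) are assumed.

```python
import ipaddress
from configparser import ConfigParser

# Constructed sample INI. Key names other than routes1 are assumed; NIC0 faces the
# Internet and owns the default gateway, NIC1 is management/back-end with a static route.
SAMPLE_INI = """
[General]
deploymentOption=twonic
ip0=203.0.113.20
netmask0=255.255.255.0
defaultGateway=203.0.113.1
ip1=10.0.1.20
netmask1=255.255.255.0
routes1=10.0.0.0/8 10.0.1.1
"""

def parse_ini(text):
    """Return (nic0_net, nic1_net, default_gw, [(dest_net, next_hop), ...])."""
    cp = ConfigParser()
    cp.read_string(text)
    g = cp["General"]
    nic0 = ipaddress.ip_interface(f"{g['ip0']}/{g['netmask0']}").network
    nic1 = ipaddress.ip_interface(f"{g['ip1']}/{g['netmask1']}").network
    gw = ipaddress.ip_address(g["defaultGateway"])
    routes = []
    # Assumed format: comma-separated "<cidr> <next hop>" entries, as in the thread.
    for entry in g.get("routes1", "").split(","):
        if entry.strip():
            dest, hop = entry.split()
            routes.append((ipaddress.ip_network(dest), ipaddress.ip_address(hop)))
    return nic0, nic1, gw, routes

def check(text):
    """Report next hops that are not reachable from the NIC they are bound to."""
    nic0, nic1, gw, routes = parse_ini(text)
    problems = []
    if gw not in nic0:
        problems.append(f"defaultGateway {gw} is not on the NIC0 subnet {nic0}")
    for dest, hop in routes:
        if hop not in nic1:
            problems.append(f"routes1 next hop {hop} for {dest} is not on NIC1 {nic1}")
    return problems

def egress_nic(text, destination):
    """NIC the UAG would use for a destination: longest prefix match, else default route."""
    nic0, nic1, _gw, routes = parse_ini(text)
    dst = ipaddress.ip_address(destination)
    matches = [(n.prefixlen, name) for n, name in ((nic0, "nic0"), (nic1, "nic1")) if dst in n]
    matches += [(dest.prefixlen, "nic1") for dest, _hop in routes if dst in dest]
    return max(matches)[1] if matches else "nic0"  # default gateway lives on NIC0
```

Dropping the routes1 line from the sample sends a connection server at 10.0.5.10 out NIC0 via the default gateway, which is the asymmetric path behind the timeout described in the question.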