VMware Horizon Community
vmmaj
Enthusiast

UAG two NIC setup

Hi all,

Looking at deploying UAG in place of the security servers. Right now our security server sits in the DMZ and has FW rules for access to the internet and internal networks.

I have looked at and set up a simple UAG setup with one NIC. It was relatively easy, with lots of YouTube instructions etc., but a single NIC is not recommended for a production environment.

I am now attempting to set up a two NIC UAG but running into issues with routes etc. I have a couple of questions that I hope can be answered by the brains here.

Does the 2nd NIC that is the backend internal\management NIC bypass the DMZ? Does that NIC actually sit on the LAN? Does the UAG itself route to this NIC and vice versa?

Does anyone have some routes they can share? Are one-way routes all that is necessary?

My setup will be a UAG in a DMZ that is NAT'd by the FW to the internet.

As you can see, advanced networking isn't my thing at the moment, but I'm learning.

Thanks.

11 Replies
vBritinUSA
Hot Shot

Check this document out, I could ask you a ton of questions but this has it all.

DMZ Design for VMware Unified Access Gateway and the use of Multiple NICs

Let us know if you have anything after that.

Please mark helpful or correct if my answer resolved your issue.
nburton935
Hot Shot

The number of NICs really depends on your network security requirements around the DMZ. Things you should consider:

- Do DMZ devices require a separated / secured management network?

- Do you have a two-tier DMZ?

You can certainly have a single NIC deployment in production if your DMZ constraints and security requirements allow for it. For example, if you have a one-tier DMZ and deployed a dual NIC UAG (one in DMZ one in internal), your firewall to the internal network is being bypassed completely and you could potentially be less secure than going the single NIC route.

That aside, if going the dual NIC route, you would typically have your default route pointing toward the DMZ next-hop, which goes to the internet. Then your internal routes would point to the next-hop of the internal network. Usually these are the “default gateways” of those networks.

-Nick

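The routing layout Nick describes (default route toward the DMZ firewall, specific internal prefixes via the internal next-hop) is what the UAG PowerShell deployment INI expresses with `defaultGateway` and the per-NIC `routes1` key. The fragment below is an added illustration, not from this thread or from VMware's documentation; the addresses, port-group names and appliance name are constructed, and the subnets in `routes1` stand in for whichever internal networks host the Connection Servers and desktops.

```ini
[General]
name=uag-dmz-01
deploymentOption=twonic
# NIC 1 (eth0): Internet-facing, lives in the DMZ.
# The only default route points at the DMZ firewall, so anything
# not matched by a specific internal route leaves via the DMZ leg.
ipMode0=STATICV4
ip0=10.250.10.20
netmask0=255.255.255.0
netInternet=DMZ-PortGroup
defaultGateway=10.250.10.1
# NIC 2 (eth1): backend + management on the internal network.
# No default route here; only the internal prefixes are reachable
# through the internal next-hop, which keeps DMZ-to-internal flows
# limited to the subnets you deliberately list.
ipMode1=STATICV4
ip1=192.168.50.20
netmask1=255.255.255.0
netManagementNetwork=Internal-PortGroup
netBackendNetwork=Internal-PortGroup
routes1=192.168.0.0/16 192.168.50.1,10.10.0.0/16 192.168.50.1
```

The `#` lines are explanatory only; strip them before feeding the file to uagdeploy.ps1, since the examples in the VMware documentation contain no comment lines. Each `routes1` entry is `<CIDR> <gateway>`, comma separated, and every prefix listed there is a network the appliance can reach while bypassing the internal firewall, so keep the list to exactly what Horizon needs.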
vmmaj
Enthusiast

Hi Nick, Thanks for the reply. I definitely do not want to make things less secure.

Our DMZ is single layer - one gateway.

It has a private address scheme; Internet-facing applications and web sites are NAT'd to public addresses through the FW.

I was able to set up the UAG as you described in testing, with the bypass of the internal firewall, but if that makes things less secure then I will probably just opt for the single NIC setup.

Do you know if it is possible to have the Two NIC setup and have the second NIC ONLY for management and not backend servers?

Thank you

vmmaj
Enthusiast

Very good article, thank you.

vmmaj
Enthusiast

Is this another option\design that is "secure" for a simple DMZ?

If I choose the three NIC solution: have the Internet NIC and the Backend NIC on our DMZ network and the Management NIC on our Management VLAN outside the DMZ.

This way the UAG is still discarding unauthorized traffic and the UAG NICs dealing with Horizon are both in the DMZ. Does this give me a more secure environment over a single NIC setup? Plus, my management NIC is separate and accessible from inside.

Thanks.

M.

vBritinUSA
Hot Shot

Personally, when I do deployments I strongly encourage the 3 leg approach. It’s a little harder to get working due to static routing, but you have defined inbound and outbound flows and Management is on its own VLAN, again added protection. When I hand off to customers and I show them the front end vs back end firewall rules, everyone gets it. I only like to use the 1 leg for POC as it's much simpler to set up.

I am also being asked a lot more about dual UAGs in series in the DMZ for added protection.

Unified Access Gateway Appliances Deployed in a Double DMZ

To your point, yes, it does give a more secure setup.

Good luck

Please mark helpful or correct if my answer resolved your issue.
vmmaj
Enthusiast

Thanks for your input, greatly appreciated.

Abhiaaxx
Contributor

I have an already running environment with a single NIC and want to change it to dual NIC. Is it possible?

Mickeybyte
Hot Shot

@Abhiaaxx 

If you need to change the number of NICs, you have to redeploy the UAG.

Regards,
Mickeybyte (ITPro blog)

If you found this comment useful or an answer to your question, please mark as 'Solved' and/or click the 'Kudos' button, please ask follow-up questions if you have any.
Abhiaaxx
Contributor

Then there will be downtime. Is there any way other than that? Can we upgrade single NIC to multi NIC or export the configuration?

Mickeybyte
Hot Shot

@Abhiaaxx 

If you currently have 2 UAGs in HA, there should be no downtime. You put 1 down, the other one stays active.

If you only have 1, then you could set up the new one using other IP settings and, once tested and ready, change NAT rules or the external IP to switch over.

You can export the current config of your existing UAG and import it in the new UAG once deployed (the config won't import NIC settings!).

Regards,
Mickeybyte (ITPro blog)

If you found this comment useful or an answer to your question, please mark as 'Solved' and/or click the 'Kudos' button, please ask follow-up questions if you have any.