
Forefront Unified Access Gateway 2010

Array Planning Guide


Microsoft Corporation Published: January, 2010

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. 2009 Microsoft Corporation. All rights reserved. Microsoft, and MS-DOS, Windows, Windows Server, and Active Directory are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Contents
Array design guide
  About this guide
Introduction to array design
  Single server or array deployment
  About arrays
  Next steps in planning your array design
Identifying your array deployment goals
  Next steps in planning your array design
Mapping your deployment goals to an array design
Array design
  Placing array servers in your corporate infrastructure
  Planning domain requirements
  Planning network and routing requirements
  Planning account requirements
  Next steps
Load balancing design
  Selecting a load balancing method
  Next steps
Forefront UAG DirectAccess array and load balancing design
  General Forefront UAG DirectAccess requirements
  Planning for an array with integrated NLB
    Prefix requirements
    VIP and DIP requirements
  Planning for an array with a hardware load balancer

Array design guide


Forefront Unified Access Gateway (UAG) provides a gateway for remote employees, mobile workers, partners, and other third parties to access corporate applications and resources via a Forefront UAG Web site or portal.

About this guide


This Array design guide is designed to help you to identify your array deployment goals, and to map your goals to a design. The guide is intended for the system administrator or system architect who is responsible for the design and deployment of multiple Forefront Unified Access Gateway (UAG) servers. It is assumed that the reader of this guide is familiar with the concepts of high availability, network design and setup, and load balancing.

To begin the Forefront Unified Access Gateway (UAG) array design process, you must first identify your array deployment goals. After evaluating these goals, you can select an array design that meets your deployment objectives. Use this guide to:

- Understand array and load balancing concepts. For information, see Introduction to array design.
- Identify your array deployment goals from a predefined list of possible deployment goals. For information, see Identifying your array deployment goals.
- Understand the array design requirements for each deployment goal. For information, see Mapping your deployment goals to an array design.

Introduction to array design


This topic provides an overview of Forefront Unified Access Gateway (UAG) features that affect your array and load balancing design. Depending on your requirements, you can deploy a single Forefront UAG server or an array of Forefront UAG servers.

Single server or array deployment


Your decision to deploy a single Forefront UAG server or an array of Forefront UAG servers depends on a number of factors, including:

1. Scalability requirements. By grouping multiple Forefront UAG servers into an array, you increase capacity for throughput and number of users. Endpoint requests are serviced by all servers in the array; thus, if you deploy an array with three servers, you can support three times as many endpoints as a single Forefront UAG server.
2. Fault tolerance requirements. A single Forefront UAG server does not provide fault tolerance. If the server is unavailable, client endpoints cannot connect to portals provided by Forefront UAG trunks. If fault tolerance is required, you should consider the deployment of a load balanced array. In an array configuration, each array member has the same configuration, and provides the same service to client endpoints. If one array member fails, the remaining array members are still available and remote endpoints can continue to access trunks via another array member.
3. Failover requirements. To provide high availability for remote endpoints, you can load balance traffic in an array. If load balancing is enabled for the array, failover is automatic, as remote endpoints connect to a trunk using a virtual IP address (VIP) and requests for the trunk can be handled by any available array member. Note that in the case of an array member failing, a user might need to reauthenticate. If an array is not load balanced, each array member has a separate IP address. To provide transparent failover, you need a method for updating name resolution so that client requests for portal names resolve to the IP address of the correct array member.

About arrays
After installing Forefront UAG, you can join a server to an array using the Array Management Wizard. An array has the following characteristics:

- All array members share the same configuration, including trunks, published applications, permissions files, custom files, and VPN settings. Some server-specific settings are maintained, including passwords.
- All array members provide the same service to client endpoints.
- A separate server is not required for array management. You configure one of the array members to act as the array manager. The array manager acts as the main repository for the array configuration, and array members connect to the array manager to read from and write to the array storage.
- Forefront UAG settings can only be configured and activated on the array manager. On array members, you can only run the Array Management Wizard when you open the Forefront UAG Management console.

The following diagram illustrates an array configuration setup.

The following steps are required to set up an array:

1. Configure an array manager. The first step in array configuration is to configure one of the array members as the array manager.
2. Join servers to the array. After configuring the array manager, you connect Forefront UAG servers to the array manager in order to join them to the array.
3. Configure load balancing for the array. It is recommended that you load balance requests to an array to provide high availability and failover. For Forefront UAG DirectAccess, you must configure an array to use Forefront UAG integrated NLB, or use a hardware load balancer.

The following procedures are optional during day-to-day array management:

- Remove array members from an array. In some circumstances, you might want to remove a server from an array. During removal from the array, you can assign to the server a configuration that is stored in an export configuration file. If you don't assign a configuration to the server, following removal from the array, the server will be assigned the same configuration that it had before joining the array.
- Changing the array manager server. If the array manager is unavailable, or you want to remove the array manager server from the array, you can configure an alternative array member to act as the array manager.
- Changing the credentials used by the array manager to connect to array members, or by array members to connect to the array manager. When you configure the array manager and array members, you specify an account used for array communications. If this account expires or you no longer want to use it, you can configure an alternative account.

In an array, all changes to the array configuration are made using the Forefront UAG Management console on the array manager. Changes are synchronized on all array members, as follows:

1. When configuration changes are activated in the Forefront UAG console on the array manager, the updated configuration is marked as active and sent to all array members.
2. Forefront UAG array members periodically poll the array manager server for the configuration, and apply new configuration settings locally, as required.
3. If the connection from an array member to the array is interrupted, the array member continues to run using its local configuration settings. When the array member reconnects to the array manager server, the configuration settings are updated.
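The synchronization behavior described in these three steps, modeled as a small Python simulation. This is an added example and is not part of the original guide or of Forefront UAG itself: the class and method names (ArrayManager, ArrayMember, activate, poll) are illustrative assumptions, and the configuration values are constructed sample data. It shows an array member that loses its connection continuing on its local configuration, and catching up on its next successful poll after it reconnects.

```python
"""Simulation of Forefront UAG array configuration synchronization.

Added example, not part of the original guide: it models activation on the
array manager, members polling and applying a newer configuration, and a
disconnected member running on its local copy until it reconnects. The class
and method names are illustrative, not Forefront UAG APIs.
"""
from dataclasses import dataclass, field


@dataclass
class ArrayManager:
    """Array storage: exactly one configuration version is active at a time."""
    active_version: int = 0
    active_config: dict = field(default_factory=dict)

    def activate(self, config: dict) -> int:
        # Activation marks the new configuration as the active one for the array.
        self.active_version += 1
        self.active_config = dict(config)
        return self.active_version


@dataclass
class ArrayMember:
    name: str
    connected: bool = True
    local_version: int = 0
    local_config: dict = field(default_factory=dict)

    def poll(self, manager: ArrayManager) -> bool:
        """Periodic poll: apply the manager's configuration if it is newer.

        Returns True when a new version was applied. A member that cannot reach
        the manager keeps serving with its local settings (no change, no error).
        """
        if not self.connected:
            return False
        if manager.active_version > self.local_version:
            self.local_version = manager.active_version
            self.local_config = dict(manager.active_config)
            return True
        return False


def simulate_sync() -> dict:
    """Walk through the scenario and report version drift at each stage."""
    manager = ArrayManager()
    members = [ArrayMember("UAG1"), ArrayMember("UAG2")]

    # Initial activation: both members pick up version 1 on their next poll.
    manager.activate({"trunk": "portal", "vip": "203.0.113.10"})  # constructed sample
    for m in members:
        m.poll(manager)

    # UAG2 loses connectivity; a second configuration is activated meanwhile.
    members[1].connected = False
    manager.activate({"trunk": "portal", "vip": "203.0.113.10", "apps": ["owa"]})
    for m in members:
        m.poll(manager)
    # At this point UAG1 runs version 2 while UAG2 still runs version 1.
    stale = {m.name: m.local_version for m in members}

    # UAG2 reconnects; its next poll brings it up to date.
    members[1].connected = True
    for m in members:
        m.poll(manager)
    final = {m.name: m.local_version for m in members}
    return {"stale": stale, "final": final, "active": manager.active_version}


if __name__ == "__main__":
    print(simulate_sync())
```

The stale stage is the state to watch for operationally: a member that cannot reach the array manager keeps serving clients with whatever it last applied, so version drift between members is a signal worth monitoring rather than an error that surfaces on its own.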

Next steps in planning your array design


Identifying your array deployment goals

Identifying your array deployment goals


The first step in planning and documenting your array design is to identify your deployment goals. You can prioritize and combine your deployment goals so that you understand what planning is involved in each goal, and know who in your organization should be involved in the Forefront Unified Access Gateway (UAG) deployment planning. The following table lists the possible deployment goals and their design requirements.

Deployment goal: Deploy multiple Forefront UAG servers
Design requirements include:
1. Deciding where to place the Forefront UAG servers in your corporate topology.
2. Planning domain requirements.
3. Planning network and routing requirements.
4. Planning array account requirements.

Deployment goal: Load balance traffic between Forefront UAG array servers
Design requirements include:
- Deciding whether to use a hardware load balancer or integrated Network Load Balancing (NLB).

Deployment goal: Deploy multiple load-balanced Forefront UAG DirectAccess servers
Design requirements include:
1. Deciding where to place the Forefront UAG DirectAccess servers in your corporate topology.
2. Planning domain requirements.
3. Planning how to configure any corporate firewalls to allow traffic to and from the Forefront UAG DirectAccess servers.
4. Planning network and routing requirements.
5. Planning DNS requirements.
6. Planning a certificate infrastructure.
7. Planning for load balancing. Forefront UAG DirectAccess arrays must be load balanced, with identical DirectAccess configuration settings.

Next steps in planning your array design


Mapping your deployment goals to an array design

Mapping your deployment goals to an array design


After you have identified your Forefront Unified Access Gateway (UAG) array deployment goals (see Identifying your array deployment goals), select an array design that meets each of your deployment objectives, as shown in the following table.

Deployment goal: Deploy multiple Forefront UAG servers
Design guide: Array design

Deployment goal: Load balance array traffic between Forefront UAG array servers
Design guide: Load balancing design

Deployment goal: Deploy multiple load-balanced Forefront UAG DirectAccess servers
Design guide: Forefront UAG DirectAccess array and load balancing design

Array design
This topic is designed to help you understand the planning requirements for a Forefront Unified Access Gateway (UAG) array design. For additional information about a Forefront UAG DirectAccess array design, see Forefront UAG DirectAccess array and load balancing design. Array planning requirements include:

- Placing array servers in your corporate infrastructure
- Planning domain requirements
- Planning network and routing requirements
- Planning account requirements

Placing array servers in your corporate infrastructure


The most common topology locations for Forefront UAG array members are:

1. Behind a frontend firewall. The Forefront UAG server is placed in the internal network, behind a frontend firewall at the corporate edge. The Forefront UAG server has one network adapter that routes to the frontend firewall, and the other is in the internal network.
2. Between a frontend firewall and a backend firewall. The Forefront UAG server is placed in a perimeter network, between a frontend firewall protecting the edge, and a backend firewall protecting the internal network.

If Forefront UAG is located behind an edge or perimeter firewall, verify that the required ports and protocols are open on the firewall.

Notes:

- A list of ports and protocols is available in the Multiple server infrastructure design section of the Infrastructure design guide.
- For Forefront UAG DirectAccess arrays, the perimeter network should use public IPv4 addresses. For more information, see Planning the placement of a Forefront UAG DirectAccess Server.

Planning domain requirements


Install each Forefront UAG server that you want to join to an array as a domain member. Note the following:

1. All array members must belong to the same domain.
2. You can install Forefront UAG array servers in an existing domain, or create a domain specifically for Forefront UAG. If you set up a separate domain, configure a one-way or two-way trust between the Forefront UAG domain and the main corporate domain.

Planning network and routing requirements


1. Each Forefront UAG array member requires two enabled network adapters. During Forefront UAG installation and initial deployment, you will associate one adapter with the internal corporate network and the other with the external network (Internet). A default gateway should only be installed on one adapter, usually the adapter connected to the external network.
2. You should note all subnets that are reachable from the adapter that you will associate with the internal network. When you define the Forefront UAG internal network during deployment, it will include all reachable subnets.
3. The adapter that you associate with the internal network must have a static IP address.
4. All Forefront UAG servers that you want to join to an array must belong to the same subnet.
5. For a complete list of Forefront UAG DirectAccess requirements, see Forefront UAG DirectAccess prerequisites.
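A planning-time check of requirements 1, 3 and 4 above, written as an added Python example; it is not part of the guide and does not query Forefront UAG or Windows. The plan format (one list of adapter records per prospective member) is an assumption made for the example, the "same subnet" rule is interpreted as applying to the internal adapters, and the addresses come from the RFC 5737 documentation ranges as constructed sample data. Running it against a planned layout before installation catches the two common mistakes: a default gateway on both adapters, and a member whose internal adapter sits on a different subnet from the rest of the array.

```python
"""Pre-deployment check of Forefront UAG array network and routing requirements.

Added example, not from the guide. Each planned array member is described by a
list of adapter records; the checks below encode the rules from this section.
Sample addresses are constructed from documentation ranges (RFC 5737).
"""
import ipaddress


def check_member(name, adapters):
    """Return a list of problems for one planned array member.

    adapters: list of dicts with keys role ('internal' or 'external'),
    address (CIDR string), static (bool) and gateway (str or None).
    """
    problems = []
    if len(adapters) != 2:
        problems.append(f"{name}: needs exactly two enabled adapters, has {len(adapters)}")
    if sorted(a["role"] for a in adapters) != ["external", "internal"]:
        problems.append(f"{name}: adapters must be one internal and one external")
    with_gateway = [a for a in adapters if a.get("gateway")]
    if len(with_gateway) != 1:
        problems.append(f"{name}: a default gateway should be set on exactly one adapter")
    elif with_gateway[0]["role"] != "external":
        problems.append(f"{name}: the default gateway is usually on the external adapter")
    for a in adapters:
        if a["role"] == "internal" and not a.get("static", False):
            problems.append(f"{name}: the internal adapter must have a static IP address")
    return problems


def check_array(plan):
    """Check every member, then the array-wide rule that members share a subnet.

    The subnet rule is applied to the internal adapters (an assumption made for
    this example). Returns an empty list when the plan passes.
    """
    problems = []
    internal_subnets = set()
    for name, adapters in plan.items():
        problems.extend(check_member(name, adapters))
        for a in adapters:
            if a["role"] == "internal":
                internal_subnets.add(ipaddress.ip_interface(a["address"]).network)
    if len(internal_subnets) > 1:
        problems.append("array members are not all on the same internal subnet: "
                        + ", ".join(str(n) for n in sorted(internal_subnets, key=str)))
    return problems


def _member(ext_ip, int_ip, int_static=True, int_gateway=None):
    """Build a two-adapter member record with the gateway on the external side."""
    return [
        {"role": "external", "address": ext_ip, "static": True, "gateway": "203.0.113.1"},
        {"role": "internal", "address": int_ip, "static": int_static, "gateway": int_gateway},
    ]


# Constructed sample plans: one that passes and one with three planning errors.
GOOD_PLAN = {
    "UAG1": _member("203.0.113.11/24", "192.0.2.11/24"),
    "UAG2": _member("203.0.113.12/24", "192.0.2.12/24"),
}
BAD_PLAN = {
    "UAG1": _member("203.0.113.11/24", "192.0.2.11/24"),
    # DHCP on the internal adapter and a second default gateway.
    "UAG2": _member("203.0.113.12/24", "192.0.2.12/24", int_static=False, int_gateway="192.0.2.1"),
    # Internal adapter on a different subnet from the other members.
    "UAG3": _member("203.0.113.13/24", "198.51.100.13/24"),
}

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, check_array(plan) or "OK")
```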

Planning account requirements


Array deployment requires using the following credentials:

1. Credentials used by an array member when connecting to the array manager server. These credentials are used when initially joining the array, and subsequently each time the array member connects to the array.
2. Credentials used by the array manager server when connecting to array members.

Note the following account credential requirements:

1. Forefront UAG array servers must be installed in the same domain, and domain accounts must be used.
2. You can use the same account for both sets of credentials.
3. The domain account should have local administrator permissions on the array manager server, and on all array members.
4. After setting up the array, you can subsequently modify the credentials used. To avoid having to do this too frequently, it is recommended that you use an account with a long expiry period.

Next steps
After you have completed the planning of your array design, see the Array deployment guide for deployment instructions.

Load balancing design


You can load balance traffic between Forefront Unified Access Gateway (UAG) array members using a hardware load balancer, or using Forefront UAG integrated Network Load Balancing (NLB), which uses the NLB features provided by Windows Server 2008 R2. This topic provides information to help you plan your deployment of integrated NLB in Forefront UAG.


Selecting a load balancing method


You can load balance requests to Forefront UAG array members as follows:

Using a hardware load balancer. You can use a hardware load balancer to balance servers configured as Forefront UAG array members. The hardware load balancer must support IP affinity. The main advantage of using a hardware load balancer is scalability; integrated NLB supports up to approximately 8 array members. For partner information on Forefront UAG and Forefront UAG DirectAccess hardware load balancing solutions, see Find a partner at the Microsoft site.

Using integrated NLB. Forefront UAG provides integrated NLB. This is the recommended method for implementing load balancing for Forefront UAG arrays, and provides a number of advantages:

- Cost savings; no NLB hardware device needs to be purchased.
- Simplified management; NLB can be managed directly in the Forefront UAG Management console. You can easily apply the NLB configuration to all array members.
- Simplified monitoring; NLB status can be monitored using the Forefront UAG Web Monitor.
- Ease of node management; nodes can be managed and drained using the Web Monitor.
- Forefront TMG is automatically installed and runs as a firewall to protect the Forefront UAG server. When you configure integrated NLB, Forefront TMG firewall rules and settings are configured automatically.

Next steps
After you have completed the planning of your load balancing design, see the Array deployment guide for deployment instructions.

Forefront UAG DirectAccess array and load balancing design


This topic is designed to help you understand the additional elements required in planning a Forefront Unified Access Gateway (UAG) DirectAccess array and load balancing design. For general array planning information, see Array design guide. The following sections describe:

- General Forefront UAG DirectAccess requirements
- Planning for an array with integrated NLB
- Planning for an array with a hardware load balancer


General Forefront UAG DirectAccess requirements


A number of general Forefront UAG DirectAccess prerequisites are required regardless of whether you are deploying a single server or an array. These include infrastructure requirements, domain requirements, DNS configuration, certificate infrastructure requirements, client requirements, and network and routing requirements. For a complete list, see Forefront UAG DirectAccess prerequisites.

Planning for an array with integrated NLB


You can deploy an array of Forefront UAG DirectAccess servers and load balance traffic between them, using Forefront UAG integrated Network Load Balancing (NLB) or a hardware load balancer. For more information about load balancing, see Load balancing design. To plan for an array that is load balanced with integrated NLB, you need to understand the prefix requirements, and VIP and DIP requirements.

Prefix requirements
Forefront UAG enables load balancing of SSL-based traffic in addition to Forefront UAG DirectAccess-based traffic. To load balance all Forefront UAG DirectAccess traffic, which is IPv6 based, Forefront UAG NLB must examine the IPv4 tunneling for all transition technologies. Because IP-HTTPS traffic is encrypted, examining the content of the IPv4 tunnel is not possible. To enable IP-HTTPS traffic to be load balanced, you must allocate a wide enough IPv6 prefix to enable Forefront UAG to assign a different IPv6 /64 prefix to each of the nodes.

For example, 2 array members require a /63 prefix (which enables Forefront UAG to define a /64 prefix for each array member); 8 array members require a /61 prefix (which enables Forefront UAG to define a /64 prefix for each array member). This prefix must be routable to the Forefront UAG DirectAccess array, and is configured during the Forefront UAG DirectAccess configuration.
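The prefix arithmetic in this section, generalized to any number of array members, as an added Python example that is not part of the guide. Each bit taken off the /64 boundary doubles the number of /64 blocks available, so the prefix length needed is 64 minus the number of bits required to count the members; the two cases in the text (2 members on a /63, 8 members on a /61) fall out of that rule. The function and parameter names are assumptions made for the example, and the prefix 2001:db8:0:8::/61 is a constructed sample from the documentation range. The carving function refuses a prefix that is too narrow, which is the planning error this section warns about.

```python
"""IPv6 prefix sizing for a Forefront UAG DirectAccess array with integrated NLB.

Added example, not from the guide: computes the prefix length that leaves one
/64 per array member, and carves the per-member /64 prefixes out of a parent
prefix. Sample prefixes are constructed from the 2001:db8::/32 documentation range.
"""
import ipaddress


def required_prefix_length(member_count, per_member_prefix=64):
    """Shortest prefix length that contains at least member_count /64 blocks.

    (member_count - 1).bit_length() is ceil(log2(member_count)) computed exactly
    in integer arithmetic: 1 -> 0 bits, 2 -> 1, 3..4 -> 2, 5..8 -> 3.
    """
    if member_count < 1:
        raise ValueError("member_count must be at least 1")
    bits = (member_count - 1).bit_length()
    return per_member_prefix - bits


def prefix_fits(parent_prefix, member_count):
    """True when parent_prefix is wide enough to give each member its own /64."""
    parent = ipaddress.ip_network(parent_prefix, strict=True)
    return parent.prefixlen <= required_prefix_length(member_count)


def carve_member_prefixes(parent_prefix, member_names):
    """Assign one /64 from parent_prefix to each member, in list order.

    Raises ValueError if the parent prefix is too narrow for the member count,
    so an undersized allocation is caught at planning time rather than after
    DirectAccess configuration.
    """
    if not prefix_fits(parent_prefix, len(member_names)):
        needed = required_prefix_length(len(member_names))
        raise ValueError(
            f"{parent_prefix} is too narrow for {len(member_names)} members; "
            f"a /{needed} or wider prefix is required")
    parent = ipaddress.ip_network(parent_prefix, strict=True)
    subnets = parent.subnets(new_prefix=64)
    # The parent may contain more /64s than members; the surplus stays unassigned.
    return {name: str(next(subnets)) for name in member_names}


if __name__ == "__main__":
    for n in (1, 2, 3, 4, 8):
        print(f"{n} members -> /{required_prefix_length(n)}")
    members = [f"UAG{i}" for i in range(1, 9)]
    for name, prefix in carve_member_prefixes("2001:db8:0:8::/61", members).items():
        print(name, prefix)
```

The allocation must also be routable to the array, which no local computation can verify; the check above only confirms that the allocated prefix is wide enough for the planned member count.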

VIP and DIP requirements


When planning a Forefront UAG DirectAccess NLB array, you must plan for the following DIPs and VIPs that will be configured on the array manager server:

- An Internet-facing static IPv4 address (DIP).
- An internal network facing static IPv6 address (DIP).
- An internal network facing static IPv4 address (DIP).
- Two Internet-facing consecutive public IPv4 addresses (VIPs).
- An internal network facing IPv6 address (VIP).
- An internal network facing IPv4 address (VIP).


For more information about deploying an array with integrated NLB, see Configuring a network load balanced array for Forefront UAG DirectAccess.

Planning for an array with a hardware load balancer


There are a number of considerations for planning and deploying a Forefront UAG array with a hardware load balancer. For more information, see Configuring an external load balanced array for Forefront UAG DirectAccess.

