Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. © 2009 Microsoft Corporation. All rights reserved. Microsoft, MS-DOS, Windows, Windows Server, and Active Directory are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.
Contents
Array design guide (page 5)
    About this guide (page 5)
Introduction to array design (page 5)
    Single server or array deployment (page 5)
    About arrays (page 6)
    Next steps in planning your array design (page 8)
Identifying your array deployment goals (page 8)
    Next steps in planning your array design (page 9)
Mapping your deployment goals to an array design (page 9)
Array design (page 9)
    Placing array servers in your corporate infrastructure (page 10)
    Planning domain requirements (page 10)
    Planning network and routing requirements (page 10)
    Planning account requirements (page 11)
    Next steps (page 11)
Load balancing design (page 11)
    Selecting a load balancing method (page 11)
    Next steps (page 12)
Forefront UAG DirectAccess array and load balancing design (page 12)
    General Forefront UAG DirectAccess requirements (page 13)
    Planning for an array with integrated NLB (page 13)
        Prefix requirements (page 13)
        VIP and DIP requirements (page 13)
    Planning for an array with a hardware load balancer (page 14)
servers in the array; thus, if you deploy an array with three servers, you can support three times as many endpoints as a single Forefront UAG server.

2. Fault tolerance requirements
A single Forefront UAG server does not provide fault tolerance. If the server is unavailable, client endpoints cannot connect to portals provided by Forefront UAG trunks. If fault tolerance is required, you should consider the deployment of a load balanced array. In an array configuration, each array member has the same configuration, and provides the same service to client endpoints. If one array member fails, the remaining array members are still available and remote endpoints can continue to access trunks via another array member.

3. Failover requirements
To provide high availability for remote endpoints, you can load balance traffic in an array. If load balancing is enabled for the array, failover is automatic, as remote endpoints connect to a trunk using a virtual IP address (VIP) and requests for the trunk can be handled by any available array member. Note that in the case of an array member failing, a user might need to reauthenticate. If an array is not load balanced, each array member has a separate IP address. To provide transparent failover, you need a method for updating name resolution so that client requests for portal names resolve to the IP address of the correct array member.
About arrays
After installing Forefront UAG, you can join a server to an array using the Array Management Wizard. An array has the following characteristics:

- All array members share the same configuration, including trunks, published applications, permissions files, custom files, and VPN settings. Some server-specific settings are maintained, including passwords.
- All array members provide the same service to client endpoints.
- A separate server is not required for array management. You configure one of the array members to act as the array manager. The array manager acts as the main repository for the array configuration, and array members connect to the array manager to read from and write to the array storage.
- Forefront UAG settings can only be configured and activated on the array manager. On array members, you can only run the Array Management Wizard when you open the Forefront UAG Management console.
The following steps are required to set up an array:

1. Configure an array manager
The first step in array configuration is to configure one of the array members as the array manager.

2. Join servers to the array
After configuring the array manager, you connect Forefront UAG servers to the array manager in order to join them to the array.

3. Configure load balancing for the array
It is recommended that you load balance requests to an array to provide high availability and failover. For Forefront UAG DirectAccess, you must configure an array to use Forefront UAG integrated NLB, or use a hardware load balancer.

The following procedures are optional during day-to-day array management:

- Remove array members from an array
In some circumstances, you might want to remove a server from an array. During removal from the array, you can assign to the server a configuration that is stored in an export configuration file. If you don't assign a configuration to the server, following removal from the array, the server will be assigned the same configuration that it had before joining the array.

- Change the array manager server
If the array manager is unavailable, or you want to remove the array manager server from the array, you can configure an alternative array member to act as the array manager.

- Change the credentials used by the array manager to connect to array members, or by array members to connect to the array manager
When you configure the array manager and array members, you specify an account used for array communications. If this account expires or you no longer want to use it, you can configure an alternative account.
In an array, all changes to the array configuration are made using the Forefront UAG Management console on the array manager. Changes are synchronized on all array members, as follows:

1. When configuration changes are activated in the Forefront UAG console on the array manager, the updated configuration is marked as active and sent to all array members.
2. Forefront UAG array members periodically poll the array manager server for the configuration, and apply new configuration settings locally, as required.
3. If the connection from an array member to the array is interrupted, the array member continues to run using its local configuration settings. When the array member reconnects to the array manager server, the configuration settings are updated.
Design requirements include:

1. Deciding where to place the Forefront UAG DirectAccess servers in your corporate topology.
2. Planning domain requirements.
3. Planning how to configure any corporate firewalls to allow traffic to and from the Forefront UAG DirectAccess servers.
4. Planning network and routing requirements.
5. Planning DNS requirements.
6. Planning a certificate infrastructure.
7. Planning for load balancing. Forefront UAG DirectAccess arrays must be load balanced, with identical DirectAccess configuration settings.
Array design
This topic is designed to help you understand the planning requirements for a Forefront Unified Access Gateway (UAG) array design. For additional information about a Forefront UAG DirectAccess array design, see Forefront UAG DirectAccess array and load balancing design. Array planning requirements include:

- Placing array servers in your corporate infrastructure
- Planning domain requirements
- Planning network and routing requirements
- Planning account requirements
Notes:
A list of ports and protocols is available in the Multiple server infrastructure design section of the Infrastructure design guide. For Forefront UAG DirectAccess arrays, the perimeter network should use public IPv4 addresses. For more information, see Planning the placement of a Forefront UAG DirectAccess Server.
should only be installed on one adapter, usually the adapter connected to the external network.
2. You should note all subnets that are reachable from the adapter that you will associate with the internal network. When you define the Forefront UAG internal network during deployment, it will include all reachable subnets.
3. The adapter that you associate with the internal network must have a static IP address.
4. All Forefront UAG servers that you want to join to an array must belong to the same subnet.
5. For a complete list of Forefront UAG DirectAccess requirements, see Forefront UAG DirectAccess prerequisites.
Next steps
After you have completed the planning of your array design, see the Array deployment guide for deployment instructions.
Next steps
After you have completed the planning of your load balancing design, see the Array deployment guide for deployment instructions.
Prefix requirements
Forefront UAG enables load balancing of SSL-based traffic in addition to Forefront UAG DirectAccess-based traffic. To load balance all Forefront UAG DirectAccess traffic, which is IPv6 based, Forefront UAG NLB must examine the IPv4 tunneling for all transition technologies. Because IP-HTTPS traffic is encrypted, examining the content of the IPv4 tunnel is not possible. To enable IP-HTTPS traffic to be load balanced, you must allocate a wide enough IPv6 prefix to enable Forefront UAG to assign a different IPv6 /64 prefix to each of the nodes. For example, 2 array members require a /63 prefix (which enables Forefront UAG to define a /64 prefix for each array member); 8 array members require a /61 prefix (which enables Forefront UAG to define a /64 prefix for each array member). This prefix must be routable to the Forefront UAG DirectAccess array, and is configured during the Forefront UAG DirectAccess configuration.
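The sizing rule above (one /64 per node, so 2 nodes need a /63 and 8 need a /61) generalizes to any member count: the allocated prefix must be 64 minus the number of bits needed to count the nodes. The following added example, which is not part of this guide or of Forefront UAG, works the rule through for an arbitrary array and checks a candidate allocation before the nodes are given their /64s; the member names and the 2001:db8::/61 documentation prefix are constructed sample input.

```python
import ipaddress
from typing import Dict, List


def required_prefix_length(member_count: int) -> int:
    """Longest IPv6 prefix length (smallest block) that still leaves one
    /64 per array member. 1 -> /64, 2 -> /63, 3 or 4 -> /62, 8 -> /61."""
    if member_count < 1:
        raise ValueError("an array needs at least one member")
    # (n - 1).bit_length() is ceil(log2(n)) computed without floats:
    # the number of /64s we carve out is rounded up to a power of two.
    bits_for_members = (member_count - 1).bit_length()
    return 64 - bits_for_members


def assign_member_prefixes(allocated: str, members: List[str]) -> Dict[str, ipaddress.IPv6Network]:
    """Split the prefix routed to the array into /64s and hand one to each
    member, refusing an allocation that is too narrow or not IPv6."""
    block = ipaddress.ip_network(allocated, strict=True)
    if block.version != 6:
        raise ValueError(f"{block} is not an IPv6 prefix")
    needed = required_prefix_length(len(members))
    if block.prefixlen > needed:
        raise ValueError(
            f"{block} is too narrow for {len(members)} members; "
            f"a /{needed} or wider prefix is required"
        )
    # subnets(new_prefix=64) yields the /64s in address order; spare /64s
    # in an over-sized block are simply left unassigned.
    per_node = block.subnets(new_prefix=64)
    return {name: next(per_node) for name in members}


if __name__ == "__main__":
    # Constructed example: an eight-node array routed a /61.
    nodes = [f"uag{i}" for i in range(1, 9)]
    for node, prefix in assign_member_prefixes("2001:db8::/61", nodes).items():
        print(f"{node}: {prefix}")
```

Running the block prints the eight /64s carved from 2001:db8::/61, from 2001:db8::/64 for uag1 through 2001:db8:0:7::/64 for uag8.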
For more information about deploying an array with integrated NLB, see Configuring a network load balanced array for Forefront UAG DirectAccess.