Skip Ribbon Commands
Skip to main content
Mark E. Smith's Brain Dump > Posts > Securely Publishing Microsoft Exchange Server With Forefront Unified Access Gateway (UAG) - Part 1
June 23
Securely Publishing Microsoft Exchange Server With Forefront Unified Access Gateway (UAG) - Part 1

Introduction

Microsoft Forefront Unified Access Gateway (UAG) replaces Microsoft IAG (Intelligent Application Gateway). UAG incorporates various remote access technologies including VPN, SSL-VPN (SSTP), DirectAccess, and Remote Desktop Service.  First let's examine a bit of product history because, well when it comes to ISA, IAG, TMG, and UAG, it's hard to understand the differences.

The last version of Microsoft Internet Security and Acceleration Server (ISA) was ISA 2006. ISA server evolved from its ancestor Microsoft Proxy Server in 1997. In late 2009 Microsoft changed the name of ISA server to align with the Forefront suite and thus ISA became Forefront Threat Management Gateway 2010 (TMG). TMG is a native 64 bit solution based on the features of ISA -- it can be a router, firewall, VPN server, NAT server, and proxy server. With regard to its firewall features it will perform network inspection at the application layer detecting malware, security policy enforcement, content filtering, edge authentication, etc.

Microsoft Intelligent Application Gateway 2007 (IAG) is a VPN solution which was based on Microsoft's purchase of Whale Communications. Whale's original product was developed was called the Air Gap and the idea was to secure the inside network from the outside network with two different computers that shared a memory bank through a SCSI interface. Microsoft IAG dropped the Air Gap technology and released IAG 2007 as a single VPN product that used ISA server's firewall functionality.

Enter UAG. UAG 2010 has replaced IAG and uses the firewall features of TMG server and extends the remote access functionality of IAG server.

When it comes to TMG and UAG the first question I'm asked by many customers is what's the difference? Well, to quote Microsoft, "Forefront Threat Management Gateway is a comprehensive, secure Web gateway that helps protect employees from Web-based threats. It provides multiple layers of continuously updated protections, including URL filtering, antimalware inspection, and intrusion prevention. These technologies are integrated with core network protection features, to create a unified, easy-to-manage gateway that reduces the cost and complexity of Web security. Forefront UAG, on the other hand, delivers secure, anywhere access to messaging, collaboration, and other resources, increasing productivity while maintaining compliance with policy. Integrating a deep understanding of the applications published, the state of health of the devices being used to gain access, and the user's identity—UAG enforces granular access controls and policies to deliver comprehensive remote access, ensure security, and reduce management costs and complexity."

For the purposes of this article I will show you how to install and configure Microsoft UAG server for the purposes of securely publishing Microsoft Exchange Server. This series of articles is not intended to show how to use the VPN functionality of UAG, endpoint enforcement, or many other features of UAG. The scope is just narrowed to securely publishing Exchange.

Finally I wanted to give a special thanks to Greg Taylor for his assistance! You can review Greg's whitepaper on this topic here. Now I just hope he can get that Exchange 2010 SP1 Mailbox calculator completed!

Machine Prerequisites

     

UAG server requires Windows Server 2008 R2, two network adapters, a minimum of 4GB RAM. In my lab I've configured a machine with these specifications and have labeled the network adapters "Internal" and "External"

The Internal interface is configured with a private/internal network IP address and NO DEFAULT GATEWAY. The External Interface is assigned a public IP address and contains a default gateway. This default gateway will be the default route for all traffic, i.e. all traffic except our defined internal traffic will be routed to the Internet. Additionally, I've UNCHECKED the "Register this connection's address in DNS" option on the External Interface's IPv4 DNS options.

Next we'll add a static route to define a path to our other internal networks. For the purposes of our lab the entire 10.0.0.0/8 network will be considered "internal". Use the command:

Netsh interface ipv4 add route 10.0.0.0/8 "Internal" 10.8.10.1

Translated: Route all traffic to any 10.x network to gateway 10.8.10.1 using the "Internal" interface.

Issuing a route print shows the result of this command:

On both network interfaces, define your INTERNAL Active Directory's DNS servers. This is important for the next step:

Join UAG to the domain.

"What? Join a machine that's externally facing to the domain?!!" you ask?

Yes. We'll get to why we'll want to do this later.

Now that we've completed the prerequisites let's install UAG!

Installing UAG

     

Pop the disk in (or mount that ISO) and let's get started.

The splash screen should come up, select Install UAG (after you read all of the release notes, deployment checklist, and other things everyone always does in a lab).

and go grab a cup of coffee….

Now that you're back from the coffee machine and UAG is still installing, let's take some time to create a domain user account that will be used by UAG. This user account just needs to be a domain user i.e. no special Active Directory permissions. My UAG user account is called "FUAGArray". Next make the domain account a member of the local administrators group on the UAG server.

Now that UAG is installed and the machine is rebooted, let's run the UAG Management console which will launch the network configuration wizard for the first time. Before we do that you'll probably notice that Forefront TMG is also installed. As I stated earlier, UAG is based on the firewall and security features of TMG. Generally speaking you should NOT create any rules within the TMG management firewall rule set.

UAG will automatically run the Getting Started Wizard. First let's configure our Network Settings.

Next we'll define our Network Adapters. This is where it really helps that we properly named our network adapters before we installed UAG.

Next we'll define what our internal network range is. This is used by TMG to define what network sets are considered internal and what are external for the purposes of the firewall rules.

Once we've completed the Network Settings, we'll define the Server Topology.

At this point we have the option to setup UAG as a single server or an array member. This is similar to configuring ISA server as a load balancing array. I almost always recommend that you select "Array member" even if you're just going to have a single UAG server. This is because an Array member can operate as a single server but it can later be expanded if you would choose to scale out UAG. The single server option locks to into always operating as a single server. We'll select the Array member option.

I should also mention that configuring the server as an Array requires domain membership. This is the first reason why UAG needs to be domain joined.

Since this server is the first server in the Array we'll set it to be the array manager.

Enter the domain username that you created and added to the local administrators group while UAG was installing. If you missed that step you either don't drink coffee or fell asleep while UAG was taking its time to install.

Since we're only going to have a single member in our array we'll just click next.

Next we'll finish the Server Management Wizard, complete the last option in the Getting Started Wizard which is to configure Windows Updates – after all PATCH THOSE MACHINES!

Once we're complete we can activate the configuration.

You'll be prompted to enter a password for the backup configuration files. Enter a password, click next and then activate the configuration.

The next step that is sometimes required is to disable IP Spoofing. If you are configuring UAG for the first time in your lab I would recommend you disable this just to get things going. Before you deploy in a production environment, I would first examine the TMG logs to see if any packets are being dropped due to IP spoofing. To disable IP spoofing see Microsoft KB Article 838114 -- http://support.microsoft.com/kb/838114

For simplicity sake the steps are:

  1. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/FwEng/Parameters
    If the Parameters subkey is not displayed, follow these steps to create this subkey:
  2. Click the FwEng subkey.
  3. On the Edit menu, point to New, and then click Key.
  4. To name the key, type Parameters, and then press ENTER.
  5. Right-click Parameters, point to New, and then click DWORD Value.
  6. To name the value, type DisableSpoofDetection, and then press ENTER.
  7. Right-click DisableSpoofDetection, and then click Modify.
  8. In the Value data box, type 1, and then click OK.

    Warning This setting disables IP Spoof Detection. To enable IP Spoof Detection, set the DisableSpoofDetection value to 0. This is the default value.

Congratulations Forefront UAG server is installed! In the next articles we'll begin installing certificates, configuring Authentication Servers, adding a trunk and publishing Exchange.

Other parts of this series:

Comments

There are no comments for this post.