Any UAG/Direct Access ninjas here?

lsud00dlsud00d Member Posts: 1,571
I'm working on a rather complex situation and was wondering if anyone happens to be on Microsoft's payroll or is a UAG/DA ninja :)

Essentially assessing the feasibility of expanding an existing UAG/DA 2010 (on Wink28r2) single-site array (2 member NLB'd) into a multi-site UAG (on Win2k8r2) & DA (on Win2k12r2) configuration. There's a few wrenches in the spokes:
  • No global server load balancer
  • DA Clients are mixed Win7/Win8/Win8.1 (mostly 7 though)
  • UAG trunks will be resultant of PFO (planned failover) + IP injection via Hyper-V
This is essentially a two-site setup (HQ and DR) with separate /16 spaces and DC's at each site (multiple forests/domains auth'ing via ADFS). Again, this will be a failover situation so the UAG/DA services will be switched places, essentially. I know this makes things weird with the DA entry points + GPO configuration...

I anticipate the VIP DNS (externally resolvable) will be HQ+DR format, i.e. webapp1-dr.domain.com...DNS is another big thing in this whole project. IP addressing from all perspectives isn't a big deal, rather the technologies required are. Anyways, just seeing if anyone on TE has done tricky things with UAG/DA. I haven't seen it come up much so I'm not expecting anything, just thought I'd throw it out there.

Comments

  • lsud00dlsud00d Member Posts: 1,571
    This never had any responses so I'm assuming the ninjas didn't come out of hiding :)

    The solution (if anyone is curious) is what I was leaning towards being a side-by-side migration from DA on UAG 2010 to DA on Win2K12 R2. Since each can publish separate GPO's (the way DA config's get pushed to clients), simply using separate OU's, Security Groups, DNS, and IP addressing can allow both instances to exist simultaneously and affords a smooth (and hopefully seamless) transition from one to the next.

    The new setup will be a multi-site configuration using VM's NAT'd behind an ASA, vs. the current single-site configuration of 2 physical multi-homed/clustered boxes in a NLB array. It's a lot easier than I thought, however 2 sets of GPO's will be required for the Windows 7 clients since they don't support multi-site configurations.
  • lsud00dlsud00d Member Posts: 1,571
    Final follow up. Executed this project with a stroke of ease and the transition from one DirectAccess system to the other was transparent to the user, simply requiring a reboot to pull the new GPO's that get pushed depending on their OS and location which is how the security groups were configured.

    DA on Win2k12 R2 is super duper easy to setup, much moreso than combined with UAG 2010. It's a great product and works well not only for user remote access but for remote device management (when coupled with something like SCCM).

    Edit: To clarify, the original two-fold problem was solved by breaking DirectAccess out of UAG into it's own R2 role (Remote Access). UAG is still being used for reverse-proxy functionality at both sites (to support Hyper-V replication failover), however its EOL is on the horizon so I'm looking at moving RP'ing to most likely a hardware appliance.
  • ZartanasaurusZartanasaurus Member Posts: 2,008 ■■■■■■■■■□
    Never done DirectAccess on either UAG or 2K12. IMO, UAG is going away with 2K16 and its features will be rolled into that. They've already moved a lot of its features into 2012R2 and discontinued a lot of other Forefront Products. When Ben Ari blogged that he was leaving UAG to join the IIS team, it was pretty obvious to me what they have planned for their next server release.

    It's a really nice product if you're looking for an easy reverse proxy/VPN solution that integrates well with MS products.

    Not nearly enough of a ninja/guru to have helped you with your problem though. I think it's kind of a niche product as most admins would look for "real" VPN appliances.
    Currently reading:
    IPSec VPN Design 44%
    Mastering VMWare vSphere 5​ 42.8%
Sign In or Register to comment.