Forefront Unified Access Gateway 2010
Array Deployment Guide
Microsoft® Corporation
Published: January, 2010
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2009 Microsoft Corporation. All rights reserved.
Microsoft, and MS-DOS, Windows, Windows Server, and Active Directory are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.
Contents
Array deployment guide
About this guide
Overview of arrays and load balancing
Benefits of array deployment
About arrays
About load balancing
Planning to deploy arrays and load balancing
Implementing an array and load balancing design
Configuring the array manager server
Configuring the array manager server
Joining a server to an array
Joining the server to an array
Removing an array member from an array
Changing the array manager server
Configuring an array member as the new array manager
Configuring array members to use the new array manager
Removing the original array manager from the array members list
Reconfiguring the original array manager as an array member
Next Steps
Modifying credentials used by an array member
Modifying credentials used by the array manager
Configuring network load balancing
Configuring NLB in a virtual environment
Defining virtual IP addresses (VIPs)
Load balancing trunks
Starting NLB services
Configuring affinity stickiness time-out
Next Steps
Verifying the array and load balancing deployment
Array deployment guide
Using Forefront Unified Access Gateway (UAG), you can publish internal applications and resources and allow remote users to access these resources from a diverse range of endpoints and locations. Forefront UAG can act as a consolidated gateway, providing access to multiple internal applications via a single portal, or to a single Web application. You can verify the identity of remote endpoints accessing published resources using identity and access control mechanisms, such as, endpoint access policies, user authentication, and authorization for access to portal applications.
For ease-of-management, scalability, and high availability, you can deploy a single Forefront UAG server, or gather a group of servers into a Forefront UAG array. This deployment guide walks you through the process of setting up an array, and load balancing traffic across array members.
About this guide
This Array deployment guide is intended for use by network and Forefront UAG administrators. It provides detailed guidance for deploying multiple Forefront UAG servers in an array configuration, and describes how to configure load balancing using Forefront UAG integrated network load balancing (NLB) between array members.
The following topics describe:
Overview of arrays and load balancing—Describes the benefits, and provides an overview of arrays and load balancing in Forefront UAG.
Planning to deploy arrays and load balancing—Provides a summary of the required planning and prerequisite tasks before beginning deployment.
Implementing an array and load balancing design—Describes deployment steps and procedures.
Verifying the array and load balancing deployment—Provides information about verifying your high availability deployment.
Overview of arrays and load balancing
Forefront Unified Access Gateway (UAG) uses the Forefront Threat Management Gateway (TMG) standalone array infrastructure when deploying multiple Forefront UAG servers in an array configuration.
Note:
Forefront TMG is automatically installed during Forefront UAG setup.
Benefits of array deployment
Deploying a Forefront UAG array provides the following benefits:
Ease-of-management─All Forefront UAG servers that belong to an array share the same configuration. During array deployment, you set one of the array members to act as the array manager. This array manager is the central repository for the array configuration. You make and activate configuration changes on the array manager only, and the updated configuration settings are propagated to all array members.
Scalability─By grouping multiple Forefront UAG servers into an array in which all servers share the same configuration, you increase the Forefront UAG capacity for throughput and number of users.
High availability─All array members share the same configuration. If one array member fails, remote users can continue to access sites, portals, and published applications, provided by another array member. If load balancing is enabled for the array, failover is automatic as remote endpoints connect to the array using a virtual IP address.
About arrays
Forefront TMG provides two types of arrays; enterprise arrays that use a separate Enterprise Management Server (EMS) for enterprise array management, and standalone arrays. Forefront UAG uses only the Forefront TMG standalone array infrastructure, and has the following characteristics:
The array consists of multiple Forefront UAG single servers joined together into an array configuration.
All array members share the same configuration, including the same trunks, portals, portal settings, endpoint policies, published applications, authentication servers, permissions, predefined and custom files, and VPN client (SSL network tunneling) settings. Some server-specific settings are maintained, including IP addresses and passwords.
An array does not require a separately installed server for array management. You configure one of the array members to act as the array manager, and then make configuration and activation changes using the Forefront UAG Management console running on the array manager server.
About load balancing
To implement load balancing across Forefront UAG array members, you can use either an external hardware load balancer or the Windows network load balancing (NLB) functionality that is integrated into Forefront UAG, known as integrated NLB. Using an external hardware load balancer, you can deploy up to 50 servers in an array. Using integrated NLB, up to eight array members is recommended.
Although it is recommended that you load balance traffic across the array, you can configure an array without load balancing, using separate IP addresses for each array member. An array without load balancing provides simplified management, and an available backup server with a mirrored configuration. However, to provide transparent failover between array members, you need a method of updating the name resolution, so that client requests for site and portal names resolve to the IP address of the correct array member.
Planning to deploy arrays and load balancing
The following lists the tasks you must do before deploying a Forefront Unified Access Gateway (UAG) array:
1.Ensure that all the Forefront UAG servers that you want to join to the array are members of the same domain, and that each server meets the hardware and software requirements described in System requirements in Forefront UAG.
2.Install Forefront UAG on each server.
3.Check array permissions—To add servers to an array, you must provide credentials with an array administrator role in Forefront Threat Management Gateway (TMG) running on the Forefront UAG server. By default, the user that installs Forefront UAG has an array administrator role. If you want to use a different account, note the following:
It must be a domain account that is recognized by all array members.
The account should have local administrator permissions on the array manager server, and on all array members.
It is recommended to use an account with a long expiry period.
Ensure that you are logged on to the server, with the credentials that you will specify when running the Array Management Wizard.
4.Configure a Forefront UAG array, as described in Implementing an array and load balancing design.
5.If you are using a Network Policy Server (NPS) and Network Access Protection (NAP) policies to check the health of client endpoints, on the NPS, you must add the array manager and all array members as trusted RADIUS clients.
Implementing an array and load balancing design
The following steps are required for implementing and managing an array and network load balancing (NLB) deployment:
1.Configuring the array manager server─On the Forefront Unified Access Gateway (UAG) server that you want to designate as the array manager, run the Array Management Wizard to add potential array members to the array member list. In addition, specify the credentials that will be used when the array manager connects to the TMG storage, and when retrieving server-specific settings from the array members.
2.Joining a server to an array─On each Forefront UAG server that you want to configure as an array member, run the Array Management Wizard to add the server to the array.
3.Configuring network load balancing—Follow the steps required for configuring integrated NLB.
The following are optional steps that you may need to do during deployment and array management:
1.Removing an array member from an array─The Array Management Wizard that runs automatically on array members when you start the Forefront UAG Management console can be used to remove a server from the array. After removal is complete, the server is configured as a single server and not as an array member. By default, it reverts back to its pre-array configuration and connects to the local TMG storage, or if required, you can import a specific configuration.
2.Changing the array manager server─In some cases, you might want to specify a different array member as the array manager; for example, if the array manager is unavailable or taken out of service.
To nominate a new array manager, do the following:
a.Run the Array Management Wizard to set the new array manager.
b.Set the array members to use the new array manager.
c.Run the wizard on the new array manager to remove the original array manager from the array members list, and activate changes.
3.Modifying credentials used by an array member─When you join a server to an array, you input the credentials that the server uses when connecting to the array manager server. If you need to update these credentials (for example, if the account expires), you must run the Array Management Wizard on all array members using those credentials.
4.Modifying credentials used by the array manager─During initial configuration of the array manager server, you input the credentials that the array manager uses when connecting the TMG storage and to array members. If you need to update these credentials (for example, if the account expires), you must run the Array Management Wizard on the array manager to specify a new set of credentials.
Configuring the array manager server
This topic describes how to configure the array manager server, which is the first step in implementing an array deployment. In a Forefront Unified Access Gateway (UAG) array, one of the array members acts as the array manager.
On the computer you want to set as the array manager, you run the Array Management Wizard in order to configure:
1.The credentials that the array manager server uses when connecting to the TMG storage and to the array members.
2.The name and IP address of each Forefront UAG server that you want to add to the array.
Configuring the array manager server
If you configure an array directly after Forefront UAG installation, you will use the Getting Started Wizard that runs automatically following Setup. Otherwise, following installation and initial deployment, you can open the Array Management Wizard directly.
To configure the array manager server
1.Configure an array as follows:To configure an array in the Getting Started Wizard, click the Define Server Topology section of the wizard, and then select Array member. The Array Management Wizard opens.
To configure an array after running the Getting Started Wizard, in the Forefront UAG Management console, on the Admin menu, click Array Management. The Array Management Wizard opens.
2.On the Configure Array Settings page, click Set this server as the array manager.
3.On the Specify Array Credentials page, enter the credentials that the array manager will use when connecting to array members.
For requirements about the credentials you need to specify, see Planning to deploy arrays and load balancing.
4.On the Defining Array Member Computers page, click Add to add the name and IP address of each server that you want to join to the array. Then, complete the wizard.
Note:
You must enter the IP address of the internal network adapter of each server.
5.Close the Forefront UAG Management console on the array manager before opening the console on other Forefront UAG servers you want to add to the array.
Note:
If you set the array manager using the Getting Started Wizard, you activate the changes after completing the wizard. If you set the array manager by opening the Array Management Wizard directly, you do not need to activate the changes.
Joining a server to an array
This topic describes how to join a Forefront Unified Access Gateway (UAG) server to an array.
Before you begin, ensure that you have completed the following:
1.Follow the instructions in Planning to deploy arrays and load balancing.
2.Configure the array manager as described in Configuring the array manager server.
Then, complete the following instructions on each Forefront UAG server that you want to add to the array. Note that you should not concurrently join servers to an array. This may corrupt array configuration storage.
Important:
When joining a server to an array, the internal network settings of the server are merged with the internal network settings of the array manager. For example, if the array manager has two internal ranges, 10.1.1.16 to 10.1.1.32 and 10.1.1.64 to 10.1.1.92, and the server that you join to the array has an internal range of 10.1.1.16 to 10.1.1.128, the resulting internal range on the array manager is 10.1.1.16 to 10.1.1.128.
Joining the server to an array
If you are joining a server to an array during Forefront UAG installation, use the Getting Started Wizard that runs automatically following Setup. Otherwise, following installation and initial deployment, you can open the Array Management Wizard directly.
To join the server to an array
1.Before joining a server to the array, you should have added the server to the managed servers list on the array manager when you completed the procedure Configuring the array manager server. After doing this, ensure that the Forefront UAG Management console is closed on the array manager server, and then join a server to an array as follows:To join a server to an array in the Getting Started Wizard, click the Define Server Topology section of the wizard, and then select Array member. The Array Management Wizard opens.
To join a server to an array after running the Getting Started Wizard, in the Forefront UAG Management console, on the Admin menu, click Array Management. The Array Management Wizard opens.
2.On the Configure Array Settings page, click Add this server to an array.
3.On the Select Array Manager page, do the following:
a.In Array manager, specify the computer name or IP address of the internal adapter of the Forefront UAG server you configured as the array manager, or click Browse to select a computer. If you are joining an array using IPv6, specify an IP address for the array manager and not the computer name.
b.In the User Credentials area, specify the credentials that the array member will use to connect to the array manager. The credentials are used during the initial connection, and subsequently when the array member connects to the array manager. For information about credential requirements, see Planning to deploy arrays and load balancing.
4.When you complete the wizard, the Forefront UAG server is joined to the array. This action may take a few minutes.
5.After joining the array, you can no longer configure Forefront UAG settings using the Forefront UAG Management console on the array member. All configuration changes must be completed using the Forefront UAG Management console running on the array manager server.
6.If load balancing is not enabled, you must manually add the IP address of each array member in the properties of each array trunk, as follows:
a.On the array manager server, open the Forefront UAG Management console. If the console is already open, on the File menu, click Reload Configuration.
b.In the left tree node, click a trunk.
c.On the main trunk properties page, add the external IP address of the Forefront UAG server you added to the array.
d.On the toolbar of the console, click the Activate configuration icon. On the Activate Configuration dialog box, click Activate.
e.Repeat the above steps for each trunk defined in the array.
Removing an array member from an array