This topic is designed to help you understand the planning requirements for a Forefront Unified Access Gateway (UAG) array design. For additional information about a Forefront UAG DirectAccess array design, see Forefront UAG DirectAccess array and load balancing design. Array planning requirements include:
- Placing array servers in your corporate infrastructure
- Planning domain requirements
- Planning network and routing requirements
- Planning account requirements
Placing array servers in your corporate infrastructure
The most common topology locations for Forefront UAG array members are:
- Behind a frontend firewall - The Forefront UAG server is placed in the internal network, behind a frontend firewall at the corporate edge. The Forefront UAG server has one network adapter that routes to the frontend firewall, and the other is in the
- Between a frontend firewall and a backend firewall - The Forefront UAG server is placed in a perimeter network, between a frontend firewall protecting the edge and a backend firewall protecting the internal network. If Forefront UAG is located behind an edge or perimeter firewall, verify that the required ports and protocols are open on the firewall.
Note: A list of ports and protocols is available in the Multiple server infrastructure design section of the Infrastructure design guide. For Forefront UAG DirectAccess arrays, the perimeter network should use public IPv4 addresses. For more information, see Planning the placement of a Forefront UAG DirectAccess server.
Planning domain requirements
Install each Forefront UAG array member, or each Forefront UAG server that you want to join to an array, as a domain member. Note the following:
- All array members must belong to the same domain.
- You can install Forefront UAG array servers in an existing domain, or create a domain specifically for Forefront UAG. If you set up a separate domain, configure a one-way or two-way trust between the Forefront UAG domain and the main corporate domain.
Planning network and routing requirements
- Each Forefront UAG array member requires two enabled network adapters. During Forefront UAG installation and initial deployment, you will associate one adapter with the internal corporate network and the other with the external network (Internet). A default gateway should only be installed on one adapter, usually the adapter connected to the external network.
- You should note all subnets that are reachable from the adapter that you will associate with the internal network. When you define the Forefront UAG internal network during deployment, it will include all reachable subnets.
- The adapter that you associate with the internal network must have a static IP address.
- All Forefront UAG servers that you want to join to an array must belong to the same subnet.
- For a complete list of Forefront UAG DirectAccess requirements, see Forefront UAG DirectAccess prerequisites.
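As an added example (not part of the Forefront UAG documentation), the following PowerShell script checks a prospective array member against the domain and network requirements in the two sections above. It assumes it is run locally as an administrator, relies only on the Win32_ComputerSystem and Win32_NetworkAdapterConfiguration WMI classes available on Windows Server 2008 R2, and uses $InternalSubnetPrefix as a constructed placeholder for your internal subnet.

```powershell
# Constructed placeholder: the first octets of the subnet on which the
# internal adapter sits. Adjust to match your corporate network.
$InternalSubnetPrefix = '10.0.1.'

function Test-UagArrayPrerequisites {
    param([string]$InternalPrefix = $InternalSubnetPrefix)
    $findings = @()

    # Domain membership: every array member must be a member of the same domain.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        $findings += 'FAIL: server is not a domain member'
    } else {
        $findings += "OK: member of domain $($cs.Domain)"
    }

    # Exactly two IP-enabled adapters are expected: internal and external.
    $nics = @(Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True')
    if ($nics.Count -ne 2) {
        $findings += "FAIL: expected 2 IP-enabled adapters, found $($nics.Count)"
    }

    # A default gateway should be configured on only one adapter (normally the external one).
    $withGateway = @($nics | Where-Object { $_.DefaultIPGateway -and $_.DefaultIPGateway.Count -gt 0 })
    if ($withGateway.Count -ne 1) {
        $findings += "FAIL: $($withGateway.Count) adapters have a default gateway; expected 1"
    } else {
        $findings += "OK: default gateway only on '$($withGateway[0].Description)'"
    }

    # The internal adapter (identified by its subnet prefix) must use a static address.
    $internal = @($nics | Where-Object { @($_.IPAddress) -like "$InternalPrefix*" })
    if ($internal.Count -ne 1) {
        $findings += "FAIL: found $($internal.Count) adapters on $InternalPrefix; expected 1"
    } elseif ($internal[0].DHCPEnabled) {
        $findings += "FAIL: internal adapter '$($internal[0].Description)' uses DHCP; a static address is required"
    } else {
        $findings += "OK: internal adapter '$($internal[0].Description)' has a static address"
    }
    return $findings
}

# Network address of an IPv4 address under a mask; compare the result across all
# prospective array members to confirm they belong to the same subnet.
function Get-NetworkAddress([string]$Address, [string]$Mask) {
    $a = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $m = [System.Net.IPAddress]::Parse($Mask).GetAddressBytes()
    return ((0..3 | ForEach-Object { $a[$_] -band $m[$_] }) -join '.')
}

Test-UagArrayPrerequisites
```

Run Test-UagArrayPrerequisites on each server before joining it to the array, and compare Get-NetworkAddress output for each server's internal address and mask to confirm a shared subnet.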
Planning account requirements
Array deployment requires using the following credentials:
- Credentials used by an array member when connecting to the array manager server. These credentials are used when initially joining the array, and subsequently each time the array member connects to the array.
- Credentials used by the array manager server when connecting to
Note the following account credential requirements:
- Forefront UAG array servers must be installed in the same domain, and domain accounts must be used.
- You can use the same account for both sets of credentials.
- The domain account should have local administrator permissions on the array manager server, and on all array members.
- After setting up the array, you can subsequently modify the credentials used. To avoid having to do this too frequently, it is recommended that you use an account with a long expiry period.
After you have completed the planning of your array design, see the Array deployment guide for deployment instructions.