This topic is designed to help you understand the planning requirements for a Forefront Unified Access Gateway (UAG) array design. For additional information about a Forefront UAG DirectAccess array design, see Forefront UAG DirectAccess array and load balancing design. Array planning requirements include:

Placing array servers in your corporate infrastructure

The most common topology locations for Forefront UAG array members are:

  1. Behind a frontend firewall: The Forefront UAG server is placed in the internal network, behind a frontend firewall at the corporate edge. One network adapter on the Forefront UAG server routes to the frontend firewall, and the other is in the internal network.

  2. Between a frontend firewall and a backend firewall: The Forefront UAG server is placed in a perimeter network, between a frontend firewall protecting the edge, and a backend firewall protecting the internal network. If Forefront UAG is located behind an edge or perimeter firewall, verify that the required ports and protocols are open on the firewall.

    A list of ports and protocols is available in the Multiple server infrastructure design section of the Infrastructure design guide. For Forefront UAG DirectAccess arrays, the perimeter network should use public IPv4 addresses. For more information, see Planning the placement of a Forefront UAG DirectAccess server.

Planning domain requirements

Install each Forefront UAG array member, and each Forefront UAG server that you want to join to an array, as a domain member. Note the following:

  1. All array members must belong to the same domain.

  2. You can install Forefront UAG array servers in an existing domain, or create a domain specifically for Forefront UAG. If you set up a separate domain, configure a one-way or two-way trust between the Forefront UAG domain and the main corporate domain.

Planning network and routing requirements

  1. Each Forefront UAG array member requires two enabled network adapters. During Forefront UAG installation and initial deployment, you will associate one adapter with the internal corporate network and the other with the external network (Internet). A default gateway should be configured on only one adapter, usually the adapter connected to the external network.

  2. You should note all subnets that are reachable from the adapter that you will associate with the internal network. When you define the Forefront UAG internal network during deployment, it will include all reachable subnets.

  3. The adapter that you associate with the internal network must have a static IP address.

  4. All Forefront UAG servers that you want to join to an array must belong to the same subnet.

  5. For a complete list of Forefront UAG DirectAccess requirements, see Forefront UAG DirectAccess prerequisites.
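The domain and network requirements above can be checked on each candidate server before it is joined to the array. The following PowerShell script is an added example, not part of the original documentation or of Forefront UAG; it uses standard WMI classes, and the adapter connection name `Internal` is an assumption that you should replace with the name used on your servers.

```powershell
# Added example: pre-flight check for one candidate Forefront UAG array member.
# Run locally on the server. 'Internal' is an assumed connection name.
param([string]$InternalAdapterName = 'Internal')

$findings = @()

# Domain requirement: every array member is installed as a domain member.
$cs = Get-WmiObject -Class Win32_ComputerSystem
if (-not $cs.PartOfDomain) { $findings += 'Server is not a domain member.' }

# Network requirement: two enabled adapters (internal and external).
$nics = @(Get-WmiObject -Class Win32_NetworkAdapter -Filter 'NetEnabled = TRUE' |
          Where-Object { $_.NetConnectionID })
if ($nics.Count -lt 2) { $findings += "Found $($nics.Count) enabled adapter(s); two are required." }

# Pair each adapter with its IP configuration (both classes share the Index key).
$cfgs = @(foreach ($n in $nics) {
    $c = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "Index = $($n.Index)"
    New-Object PSObject -Property @{
        Name    = $n.NetConnectionID
        Dhcp    = $c.DHCPEnabled
        Gateway = $c.DefaultIPGateway
        Address = $c.IPAddress
        Mask    = $c.IPSubnet
    }
})

# Routing requirement: a default gateway on one adapter only.
$withGw = @($cfgs | Where-Object { $_.Gateway })
if ($withGw.Count -gt 1) {
    $findings += "Default gateway is set on $($withGw.Count) adapters; it should be on one adapter only."
}

# Internal adapter requirement: static IP address (no DHCP).
$internal = $cfgs | Where-Object { $_.Name -eq $InternalAdapterName }
if (-not $internal) {
    $findings += "No enabled adapter named '$InternalAdapterName'."
} elseif ($internal.Dhcp) {
    $findings += "Adapter '$InternalAdapterName' uses DHCP; a static address is required."
}

# Domain and internal addressing are emitted so they can be compared across servers:
# all array members must share one domain and one subnet.
New-Object PSObject -Property @{
    Computer        = $cs.Name
    Domain          = $cs.Domain
    InternalAddress = $internal.Address
    InternalMask    = $internal.Mask
    Findings        = $findings
}
```

Run the script on every server intended for the array and compare the `Domain`, `InternalAddress` and `InternalMask` values; an empty `Findings` list on each server, with matching domain and subnet across all of them, satisfies the per-server checks listed above.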

Planning account requirements

Array deployment requires using the following credentials:

  1. Credentials used by an array member when connecting to the array manager server. These credentials are used when initially joining the array, and subsequently each time the array member connects to the array.

  2. Credentials used by the array manager server when connecting to array members.

Note the following account credential requirements:

  1. Forefront UAG array servers must be installed in the same domain, and domain accounts must be used.

  2. You can use the same account for both sets of credentials.

  3. The domain account should have local administrator permissions on the array manager server, and on all array members.

  4. After setting up the array, you can subsequently modify the credentials used. To avoid having to do this too frequently, it is recommended that you use an account with a long expiry period.

Next steps

After you have completed the planning of your array design, see the Array deployment guide for deployment instructions.