This topic provides an overview of Forefront Unified Access Gateway (UAG) features that affect your array and load balancing design.
Depending on your requirements, you can deploy a single Forefront UAG server or an array of Forefront UAG servers.
Single server or array deployment
Your decision to deploy a single Forefront UAG server or an array of Forefront UAG servers, depends on a number of factors, including:
- Scalability requirements─By grouping multiple Forefront
UAG servers into an array, you increase capacity for throughout and
number of users. Endpoint requests are serviced by all servers in
the array; thus, if you deploy an array with three servers, you can
support three times as many endpoints as a single Forefront UAG
- Fault tolerance requirements─A single Forefront UAG
server does not provide fault tolerance. If the server is
unavailable, client endpoints cannot connect to portals provided by
Forefront UAG trunks. If fault tolerance is required, you should
consider the deployment of a load balanced array. In an array
configuration, each array member has the same configuration, and
provides the same service to client endpoints. If one array member
fails, the remaining array members are still available and remote
endpoints can continue to access trunks via another array
- Failover requirements─To provide high availability for
remote endpoints, you can load balance traffic in an array. If load
balancing is enabled for the array, failover is automatic, as
remote endpoints connect to a trunk using a virtual IP address
(VIP) and requests for the trunk can be handled by any available
array member. Note that in the case of an array member failing, a
user might need to reauthenticate. If an array is not load
balanced, each array member has a separate IP address. To provide
transparent failover, you need a method for updating name
resolution so that client requests for portal names resolve to the
IP address of the correct array member.
After installing Forefront UAG, you can join a server to an array using the Array Management Wizard.
An array has the following characteristics:
- All array members share the same
configuration, including trunks, published applications,
permissions files, custom files, and VPN settings. Some
server-specific settings are maintained, including passwords. All
array members provide the same service to client endpoints.
- A separate server is not required for array
management. You configure one of the array members to act as the
array manager. The array manager acts as the main repository for
the array configuration, and array members connect to the array
manager to read from and write to the array storage.
- Forefront UAG settings can only be configured
and activated on the array manager. On array members, you can only
run the Array Management Wizard when you open the Forefront UAG
The following diagram illustrates an array configuration setup.
The following steps are required to set up an array:
- Configure an array manager─The first step in array
configuration is to configure one of the array members as the array
- Join servers to the array─After configuring the array
manager, you connect Forefront UAG servers to the array manager in
order to join them to the array.
- Configure load balancing for the array─It is recommended
that you load balance requests to an array to provide high
availability and failover. For Forefront UAG DirectAccess, you must
configure an array to use Forefront UAG integrated NLB, or use a
hardware load balancer.
The following procedures are optional during day-to-day array management:
- Remove array members from an array─In
some circumstances, you might want to remove a server from an
array. During removal from the array, you can assign to the server
a configuration that is stored in an export configuration file. If
you don’t assign a configuration to the server, following removal
from the array, the server will be assigned the same configuration
that it had before joining the array.
- Changing the array manager server─If
the array manager is unavailable, or you want to remove the array
manager server from the array, you can configure an alternative
array member to act as the array manager.
- Changing the credentials used by the array
manager to connect to array members, or by array members to connect
to the array manager─When you configured the array manager and
array members you specify an account used for array communications.
If this account expires or you no longer want to use it, you can
configure an alternative account.
In an array, all changes to the array configuration are made using the Forefront UAG Management console on the array manager.
Changes are synchronized on all array members, as follows:
- When configuration changes are activated in the Forefront UAG
console on the array manager, the updated configuration is marked
as active and sent to all array members.
- Forefront UAG array members periodically poll the array manager
server for the configuration, and apply new configuration settings
locally, as required.
- If the connection from an array member to the array is
interrupted, the array member continues to run using its local
configuration settings. When the array member reconnects to the
array manager server, the configuration settings are updated.