This topic provides an overview of Forefront Unified Access Gateway (UAG) features that affect your array and load balancing design.

Depending on your requirements, you can deploy a single Forefront UAG server or an array of Forefront UAG servers.

Single server or array deployment

Your decision to deploy a single Forefront UAG server or an array of Forefront UAG servers, depends on a number of factors, including:

  1. Scalability requirements─By grouping multiple Forefront UAG servers into an array, you increase capacity for throughout and number of users. Endpoint requests are serviced by all servers in the array; thus, if you deploy an array with three servers, you can support three times as many endpoints as a single Forefront UAG server.

  2. Fault tolerance requirements─A single Forefront UAG server does not provide fault tolerance. If the server is unavailable, client endpoints cannot connect to portals provided by Forefront UAG trunks. If fault tolerance is required, you should consider the deployment of a load balanced array. In an array configuration, each array member has the same configuration, and provides the same service to client endpoints. If one array member fails, the remaining array members are still available and remote endpoints can continue to access trunks via another array member.

  3. Failover requirements─To provide high availability for remote endpoints, you can load balance traffic in an array. If load balancing is enabled for the array, failover is automatic, as remote endpoints connect to a trunk using a virtual IP address (VIP) and requests for the trunk can be handled by any available array member. Note that in the case of an array member failing, a user might need to reauthenticate. If an array is not load balanced, each array member has a separate IP address. To provide transparent failover, you need a method for updating name resolution so that client requests for portal names resolve to the IP address of the correct array member.

About arrays

After installing Forefront UAG, you can join a server to an array using the Array Management Wizard.

An array has the following characteristics:

  • All array members share the same configuration, including trunks, published applications, permissions files, custom files, and VPN settings. Some server-specific settings are maintained, including passwords. All array members provide the same service to client endpoints.

  • A separate server is not required for array management. You configure one of the array members to act as the array manager. The array manager acts as the main repository for the array configuration, and array members connect to the array manager to read from and write to the array storage.

  • Forefront UAG settings can only be configured and activated on the array manager. On array members, you can only run the Array Management Wizard when you open the Forefront UAG Management console.

The following diagram illustrates an array configuration setup.

Array storage

The following steps are required to set up an array:

  1. Configure an array manager─The first step in array configuration is to configure one of the array members as the array manager.

  2. Join servers to the array─After configuring the array manager, you connect Forefront UAG servers to the array manager in order to join them to the array.

  3. Configure load balancing for the array─It is recommended that you load balance requests to an array to provide high availability and failover. For Forefront UAG DirectAccess, you must configure an array to use Forefront UAG integrated NLB, or use a hardware load balancer.

The following procedures are optional during day-to-day array management:

  • Remove array members from an array─In some circumstances, you might want to remove a server from an array. During removal from the array, you can assign to the server a configuration that is stored in an export configuration file. If you don’t assign a configuration to the server, following removal from the array, the server will be assigned the same configuration that it had before joining the array.

  • Changing the array manager server─If the array manager is unavailable, or you want to remove the array manager server from the array, you can configure an alternative array member to act as the array manager.

  • Changing the credentials used by the array manager to connect to array members, or by array members to connect to the array manager─When you configured the array manager and array members you specify an account used for array communications. If this account expires or you no longer want to use it, you can configure an alternative account.

In an array, all changes to the array configuration are made using the Forefront UAG Management console on the array manager.

Changes are synchronized on all array members, as follows:

  1. When configuration changes are activated in the Forefront UAG console on the array manager, the updated configuration is marked as active and sent to all array members.

  2. Forefront UAG array members periodically poll the array manager server for the configuration, and apply new configuration settings locally, as required.

  3. If the connection from an array member to the array is interrupted, the array member continues to run using its local configuration settings. When the array member reconnects to the array manager server, the configuration settings are updated.

Next steps in planning your array design