Thursday 3 September 2009

Single NIC deployment of IAG.....

....... is not supported!!

Another search phrase which hits this blog has been "single NIC IAG deployment", so lets clear that up.

A single NIC deployment is not supported.... why? Well IAG uses ISA to segment the LAN and WAN zones, so ISA needs to be able to differentiate the trusted LAN zone, and everything else (the WAN).

The typical deployment is to deploy the external side into the DMZ of an existing firewall. The internal side would then be deployed into the LAN, of course!

The external side can be connected directly the internet, such as an ADSL router, and again the internal side into the LAN.

I have encountered some different deployment issues, such as MPLS networks where they have externally managed firewalls, with just a single internal subnet, so no DMZ.

There are two ways around this, the suggestion from Microsoft was to either deploy a firewall, such as ISA.... or to deploy two IAG deployments.

The first IAG appliance will be just to carry out authentication, where the external side will be the existing subnet, and the internal side would be a new subnet. The second IAG appliance would then be used to deploy applications, where the external side would be the new subnet, and the internal side would be the existing subnet where the application servers are located.

Fortunately when I last encountered this, the MPLS provider supplied an additional subnet, which was accessible from the internet, but no where internally. Basically they provided me with a DMZ.

Also to reiterate that on the external side, you only need provide HTTP and HTTPS access. Why HTTP as we are deploying an HTTP solution, but we can create an HTTP redirect. This way your users only need to remember the URL, but don't need to remember the the HTTPS!!

No comments:

Post a Comment