If you would like to read the next part in this article series please go to Microsoft Forefront UAG – How to configure arrays in Forefront UAG (Part 2).
Let’s begin
In part I of this article series we will start with some basics about the Forefront UAG array concepts. After that we will install a Forefront UAG array with two Forefront UAG array members.
Forefront UAG array explained
A Forefront UAG array is a combination of two or more Forefront UAG Servers combined into one logical unit. An array can consist of a maximum of 50 array members and up to 8 array members if NLB is used. Reasons for deploying an array with Forefront UAG:
- Scalability – Multiple UAG servers in an array can increase capacity for throughput and number of users
- Fault tolerance – Multiple UAG servers provide the same configuration for clients accessing the array
- Failover – If a Forefront UAG array is load balanced with NLB (Windows or hardware load balancer), you have one entry point, the VIP (Virtual IP Address), which distributes traffic to all array members. In a non-load-balanced array, each array member has a separate IP address, the DIP (Dedicated IP Address), and you must configure failover manually, for example with DNS round robin
Each server in a Forefront UAG array shares the same configuration, including trunks, published applications and VPN configuration. Forefront UAG uses a standalone array, which doesn’t require a dedicated management server such as the EMS (Enterprise Management Server) in Forefront TMG 2010 Enterprise arrays. The UAG / TMG configuration is stored in a local Active Directory Lightweight Directory Services (AD-LDS) instance running on the array manager. One of the array members is designated as the array manager, and this role can be changed manually. The array manager is responsible for UAG configuration changes, which are replicated to the other array members.
Forefront UAG configuration
Now it is time to create a new Forefront UAG array.
Start the Forefront UAG MMC and click – Array Management.
Figure 1: Start Array Management
Start the Array configuration wizard.
Figure 2: Array Management Wizard
Set this Server as the array manager.
Figure 3: Array Manager
Specify Array credentials.
Figure 4: Credentials
Add the second Forefront UAG Server to the array. This allows the second Forefront UAG Server to join the array later.
Figure 5: Add UAG4 to allow for array join
Successful array manager configuration.
Figure 6: Successful array join
Join the second Forefront UAG Server to the array.
Figure 7: Join array
Make the second Forefront UAG Server an array member.
Figure 8: Become an array member
Add the Server to the array.
Figure 9: Add to array
Select the Array Manager (FQDN may be important for successful array join) and enter the credentials for array join.
Figure 10: Select array manager
The second Forefront UAG Server joins the array.
Figure 11: Array join
After array join it takes a moment until the configuration has been synced. You can see this in the Forefront UAG Activation monitor.
Figure 12: UAG Activation monitor
Successful array join.
Figure 13: Successful array join
The synchronization was successful.
Figure 14: All in sync
Forefront UAG management can only be done from the Forefront UAG Array manager.
Figure 15: UAG Administration only from array manager
If you want to change the array manager you can use the array manager wizard in the Forefront UAG console on the array manager.
Figure 16: UAG array management
Also keep an eye on the Forefront TMG configuration. Forefront UAG synchronizes its configuration with the underlying Forefront TMG installation as well.
Figure 17: TMG configuration synchronized
Before we are able to change the trunk configuration in the Forefront UAG MMC to add the second Forefront UAG array member, we must export all required certificates with the private key (.PFX) option on the first Forefront UAG array member. These certificates must be imported with the private key option in the local computer certificate store on the second Forefront UAG array member. If you are unsure which certificates must be exported / imported, start the UAG console and compare the thumbprint in the console with the certificate in the certificate MMC.
Figure 18: Export certificate and import on the other array member
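The certificate step above can also be scripted and checked from PowerShell instead of the certificate MMC. This is an added example, not part of the original article; the function names are hypothetical, and the thumbprint, PFX path and password are values you supply.

```powershell
# Added example. Uses only .NET classes, so it runs under Windows PowerShell 2.0.
# Function names are hypothetical; thumbprint, path and password are supplied by you.
function Get-TrunkCertificate([string]$Thumbprint) {
    # Text copied from the certificate MMC often carries spaces or an invisible
    # leading character, so keep only the hex digits before comparing.
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($tp.Length -ne 40) { throw "Expected 40 hex digits (SHA-1), got $($tp.Length)." }
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $tp }
    if (-not $cert) { throw "Certificate $tp not found in LocalMachine\My on $env:COMPUTERNAME." }
    $cert
}

function Test-TrunkCertificate([string]$Thumbprint) {
    # Run on every array member: HasPrivateKey must be True on each one.
    $c = Get-TrunkCertificate $Thumbprint
    New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME; Thumbprint = $c.Thumbprint; Subject = $c.Subject
        HasPrivateKey = $c.HasPrivateKey; NotAfter = $c.NotAfter
    }
}

function Export-TrunkCertificate([string]$Thumbprint, [string]$Path, [System.Security.SecureString]$Password) {
    # First array member: certificate plus private key into a password-protected PFX.
    # Pass an absolute path; .NET does not follow the PowerShell working directory.
    $c = Get-TrunkCertificate $Thumbprint
    if (-not $c.HasPrivateKey) { throw 'This certificate has no private key to export.' }
    $pfxType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
    [System.IO.File]::WriteAllBytes($Path, $c.Export($pfxType, $Password))
}

function Import-TrunkCertificate([string]$Path, [System.Security.SecureString]$Password) {
    # Second array member: import into the local computer store. Exportable is
    # not set, so the private key cannot be exported again from this member.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet, PersistKeySet'
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password, $flags)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadWrite')
    try { $store.Add($c) } finally { $store.Close() }
    Test-TrunkCertificate $c.Thumbprint
}

# First member:  $pw = Read-Host 'PFX password' -AsSecureString
#                Export-TrunkCertificate '<thumbprint from UAG console>' 'C:\Temp\trunk.pfx' $pw
# Second member: Import-TrunkCertificate 'C:\Temp\trunk.pfx' $pw   (then delete the PFX file)
```

Run Test-TrunkCertificate with the thumbprint shown in the UAG console on both array members before changing the trunk; the same thumbprint with HasPrivateKey set to True must be reported on each.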
Now, it is time to change the external site address for the portal trunk in the Forefront UAG console. Start the console and select the required public IP address of the second Forefront UAG array member.
Figure 19: Select IP addresses for portal
Save the Forefront UAG configuration and activate the configuration.
Figure 20: Activate configuration
After the activation has been successful, you can see the Forefront UAG array status in the Forefront UAG Web Monitor.
Figure 21: UAG Web Monitor – Array Monitor
Conclusion
In this first article we went through the steps that are necessary to create a Forefront UAG array with two Forefront UAG Servers. In the next article we will talk about how to implement Network Load Balancing (NLB) for a Forefront UAG array.