Array design guide



Forefront Unified Access Gateway 2010
Array Planning Guide
Microsoft® Corporation
Published: January, 2010

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2009 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows Server, and Active Directory are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Contents

Array design guide
  About this guide
Introduction to array design
  Single server or array deployment
  About arrays
  Next steps in planning your array design
Identifying your array deployment goals
  Next steps in planning your array design
Mapping your deployment goals to an array design
Array design
  Placing array servers in your corporate infrastructure
  Planning domain requirements
  Planning network and routing requirements
  Planning account requirements
  Next steps
Load balancing design
  Selecting a load balancing method
  Next steps
Forefront UAG DirectAccess array and load balancing design
  General Forefront UAG DirectAccess requirements
  Planning for an array with integrated NLB
    Prefix requirements
    VIP and DIP requirements
  Planning for an array with a hardware load balancer

Array design guide

Forefront Unified Access Gateway (UAG) provides a gateway for remote employees, mobile workers, partners, and other third parties to access corporate applications and resources via a Forefront UAG Web site or portal.

About this guide

This Array design guide is designed to help you identify your array deployment goals, and to map your goals to a design.

The guide is intended for the system administrator or system architect who is responsible for the design and deployment of multiple Forefront Unified Access Gateway (UAG) servers. It is assumed that the reader of this guide is familiar with the concepts of high availability, network design and setup, and load balancing.

To begin the Forefront Unified Access Gateway (UAG) array design process, you must first identify your array deployment goals. After evaluating these goals, you can select an array design that meets your deployment objectives. Use this guide to:

• Understand array and load balancing concepts. For information, see Introduction to array design.
• Identify your array deployment goals from a predefined list of possible deployment goals. For information, see Identifying your array deployment goals.
• Understand the array design requirements for each deployment goal. For information, see Mapping your deployment goals to an array design.

Introduction to array design

This topic provides an overview of Forefront Unified Access Gateway (UAG) features that affect your array and load balancing design. Depending on your requirements, you can deploy a single Forefront UAG server or an array of Forefront UAG servers.

Single server or array deployment

Your decision to deploy a single Forefront UAG server or an array of Forefront UAG servers depends on a number of factors, including:

1. Scalability requirements─By grouping multiple Forefront UAG servers into an array, you increase capacity for throughput and number of users. Endpoint requests are serviced by all servers in the array; thus, if you deploy an array with three servers, you can support three times as many endpoints as a single Forefront UAG server.
2. Fault tolerance requirements─A single Forefront UAG server does not provide fault tolerance. If the server is unavailable, client endpoints cannot connect to portals provided by Forefront UAG trunks. If fault tolerance is required, you should consider the deployment of a load balanced array. In an array configuration, each array member has the same configuration, and provides the same service to client endpoints. If one array member fails, the remaining array members are still available and remote endpoints can continue to access trunks via another array member.
3. Failover requirements─To provide high availability for remote endpoints, you can load balance traffic in an array. If load balancing is enabled for the array, failover is automatic, because remote endpoints connect to a trunk using a virtual IP address (VIP) and requests for the trunk can be handled by any available array member. Note that if an array member fails, a user might need to reauthenticate. If an array is not load balanced, each array member has a separate IP address. To provide transparent failover, you need a method for updating name resolution so that client requests for portal names resolve to the IP address of the correct array member.

About arrays

After installing Forefront UAG, you can join a server to an array using the Array Management Wizard. An array has the following characteristics:

• All array members share the same configuration, including trunks, published applications, permissions files, custom files, and VPN settings. Some server-specific settings are maintained, including passwords. All array members provide the same service to client endpoints.
• A separate server is not required for array management. You configure one of the array members to act as the array manager. The array manager acts as the main repository for the array configuration, and array members connect to the array manager to read from and write to the array storage.
• Forefront UAG settings can only be configured and activated on the array manager. On array members, you can only run the Array Management Wizard when you open the Forefront UAG Management console.

The following diagram illustrates an array configuration setup.

The following steps are required to set up an array:

1. Configure an array manager─The first step in array configuration is to configure one of the array members as the array manager.
2. Join servers to the array─After configuring the array manager, you connect Forefront UAG servers to the array manager in order to join them to the array.
3. Configure load balancing for the array─It is recommended that you load balance requests to an array to provide high availability and failover. For Forefront UAG DirectAccess, you must configure an array to use Forefront UAG integrated NLB, or use a hardware load balancer.

The following procedures are optional during day-to-day array management:

• Remove array members from an array─In some circumstances, you might want to remove a server from an array. During removal from the array, you can assign to the server a configuration that is stored in an export configuration file. If you don't assign a configuration to the server, following removal from the array, the server will be assigned the same configuration that it had before joining the array.
• Changing the array manager server─If the array manager is unavailable, or you want to remove the array manager server from the array, you can configure an alternative array member to act as the array manager.
• Changing the credentials used by the array manager to connect to array members, or by array members to connect to the array manager─When you configure the array manager and array members, you specify an account used for array communications. If this account expires or you no longer want to use it, you can configure an alternative account.

In an array, all changes to the array configuration are made using the Forefront UAG Management console on the array manager. Changes are synchronized on all array members, as follows:

1. When configuration changes are activated in the Forefront UAG console on the array manager, the updated configuration is marked as active and sent to all array members.
2. Forefront UAG array members periodically poll the array manager server for the configuration, and apply new configuration settings locally, as required.
3. If the connection from an array member to the array is interrupted, the array member continues to run using its local configuration settings. When the array member reconnects to the array manager server, the configuration settings are updated.

Next steps in planning your array design

Identifying your array deployment goals

Identifying your array deployment goals

The first step in planning and documenting your array design is to identify your deployment goals. You can prioritize and combine your deployment goals so that you understand what planning is involved in each goal, and know who in your organization should be involved in the Forefront Unified Access Gateway (UAG) deployment planning.

The following table lists the possible deployment goals and their design requirements.

Deployment goal: Deploy multiple Forefront UAG servers
Design requirements include:
  1. Deciding where to place the Forefront UAG servers in your corporate topology.
  2. Planning domain requirements.
  3. Planning network and routing requirements.
  4. Planning array account requirements.

Deployment goal: Load balance traffic between Forefront UAG array servers
Design requirements include:
  • Deciding whether to use a hardware load balancer or integrated Network Load Balancing (NLB).

Deployment goal: Deploy multiple load-balanced Forefront UAG DirectAccess servers
Design requirements include:
  1. Deciding where to place the Forefront UAG DirectAccess servers in your corporate topology.
  2. Planning domain requirements.
  3. Planning how to configure any corporate firewalls to allow traffic to and from the Forefront UAG DirectAccess servers.
  4. Planning network and routing requirements.
  5. Planning DNS requirements.
  6. Planning a certificate infrastructure.
  7. Planning for load balancing. Forefront UAG DirectAccess arrays must be load balanced, with identical DirectAccess configuration settings.

Next steps in planning your array design

Mapping your deployment goals to an array design

Mapping your deployment goals to an array design

After you have identified your Forefront Unified Access Gateway (UAG) array deployment goals (see Identifying your array deployment goals), select an array design that meets each of your deployment objectives, as shown in the following table.

Deployment goal                                                    Design guide
Deploy multiple Forefront UAG servers                              Array design
Load balance array traffic between Forefront UAG array servers     Load balancing design
Deploy multiple load-balanced Forefront UAG DirectAccess servers   Forefront UAG DirectAccess array and load balancing design

Array design

This topic is designed to help you understand the planning requirements for a Forefront Unified Access Gateway (UAG) array design. For additional information about a Forefront UAG DirectAccess array design, see Forefront UAG DirectAccess array and load balancing design.

Array planning requirements include:

• Placing array servers in your corporate infrastructure
• Planning domain requirements
• Planning network and routing requirements
• Planning account requirements

Placing array servers in your corporate infrastructure

The most common topology locations for Forefront UAG array members are:

1. Behind a frontend firewall─The Forefront UAG server is placed in the internal network, behind a frontend firewall at the corporate edge. One network adapter of the Forefront UAG server routes to the frontend firewall, and the other is in the internal network.
2. Between a frontend firewall and a backend firewall─The Forefront UAG server is placed in a perimeter network, between a frontend firewall protecting the edge, and a backend firewall protecting the internal network.

If Forefront UAG is located behind an edge or perimeter firewall, verify that the required ports and protocols are open on the firewall.

Notes:
• A list of ports and protocols is available in the Multiple server infrastructure design section of the Infrastructure design guide.
• For Forefront UAG DirectAccess arrays, the perimeter network should use public IPv4 addresses. For more information, see Planning the placement of a Forefront UAG DirectAccess Server.

Planning domain requirements

Install each Forefront UAG array member, and each Forefront UAG server that you want to join to an array, as a domain member. Note the following:

1. All array members must belong to the same domain.
2. You can install Forefront UAG array servers in an existing domain, or create a domain specifically for Forefront UAG. If you set up a separate domain, configure a one-way or two-way trust between the Forefront UAG domain and the main corporate domain.

Planning network and routing requirements

1. Each Forefront UAG array member requires two enabled network adapters. During Forefront UAG installation and initial deployment, you will associate one adapter with the internal corporate network and the other with the external network (Internet). A default gateway should only be configured on one adapter, usually the adapter connected to the external network.
2. You should note all subnets that are reachable from the adapter that you will associate with the internal network. When you define the Forefront UAG internal network during deployment, it will include all reachable subnets.
3. The adapter that you associate with the internal network must have a static IP address.
4. All Forefront UAG servers that you want to join to an array must belong to the same subnet.
5. For a complete list of Forefront UAG DirectAccess requirements, see Forefront UAG DirectAccess prerequisites.

Planning account requirements

Array deployment requires using the following credentials:

1. Credentials used by an array member when connecting to the array manager server. These credentials are used when initially joining the array, and subsequently each time the array member connects to the array.
2. Credentials used by the array manager server when connecting to array members.

Note the following account credential requirements:

1. Forefront UAG array servers must be installed in the same domain, and domain accounts must be used.
2. You can use the same account for both sets of credentials.
3. The domain account should have local administrator permissions on the array manager server, and on all array members.
4. After setting up the array, you can subsequently modify the credentials used. To avoid having to do this too frequently, it is recommended that you use an account with a long expiry period.

Next steps

After you have completed the planning of your array design, see the Array deployment guide for deployment instructions.

Load balancing design

You can load balance traffic between Forefront Unified Access Gateway (UAG) array members using a hardware load balancer, or using Forefront UAG integrated Network Load Balancing (NLB), which uses the NLB features provided by Windows Server 2008 R2. This topic provides information to help you plan your deployment of integrated NLB in Forefront UAG.

Selecting a load balancing method

You can load balance requests to Forefront UAG array members as follows:

• Using a hardware load balancer─You can use a hardware load balancer to balance servers configured as Forefront UAG array members. The hardware load balancer must support IP affinity. The main advantage of using a hardware load balancer is scalability: integrated NLB supports up to approximately 8 array members. For partner information on Forefront UAG and Forefront UAG DirectAccess hardware load balancing solutions, see Find a partner at the Microsoft site.
• Using integrated NLB─Forefront UAG provides integrated NLB. This is the recommended method for implementing load balancing for Forefront UAG arrays, and provides a number of advantages:
  • Cost savings; no NLB hardware device needs to be purchased.
  • Simplified management; NLB can be managed directly in the Forefront UAG Management console. You can easily apply the NLB configuration to all array members.
  • Simplified monitoring; NLB status can be monitored using the Forefront UAG Web Monitor.
  • Ease of node management; nodes can be managed and drained using the Web Monitor.
  • Forefront TMG is automatically installed and runs as a firewall to protect the Forefront UAG server. When you configure integrated NLB, Forefront TMG firewall rules and settings are configured automatically.

Next steps

After you have completed the planning of your load balancing design, see the Array deployment guide for deployment instructions.

Forefront UAG DirectAccess array and load balancing design

This topic is designed to help you understand the additional elements required in planning a Forefront Unified Access Gateway (UAG) DirectAccess array and load balancing design. For general array planning information, see Array design guide.

The following sections describe:

• General Forefront UAG DirectAccess requirements
• Planning for an array with integrated NLB
• Planning for an array with a hardware load balancer

General Forefront UAG DirectAccess requirements

A number of general Forefront UAG DirectAccess prerequisites are required regardless of whether you are deploying a single server or an array. These include infrastructure requirements, domain requirements, DNS configuration, certificate infrastructure requirements, client requirements, and network and routing requirements. For a complete list, see Forefront UAG DirectAccess prerequisites.

Planning for an array with integrated NLB

You can deploy an array of Forefront UAG DirectAccess servers and load balance traffic between them, using Forefront UAG integrated Network Load Balancing (NLB) or a hardware load balancer. For more information about load balancing, see Load balancing design. To plan for an array that is load balanced with integrated NLB, you need to understand the prefix requirements, and the VIP and DIP requirements.

Prefix requirements

Forefront UAG enables load balancing of SSL-based traffic in addition to Forefront UAG DirectAccess-based traffic. To load balance all Forefront UAG DirectAccess traffic, which is IPv6 based, Forefront UAG NLB must examine the IPv4 tunneling for all transition technologies. Because IP-HTTPS traffic is encrypted, examining the content of the IPv4 tunnel is not possible. To enable IP-HTTPS traffic to be load balanced, you must allocate a wide enough IPv6 prefix to enable Forefront UAG to assign a different IPv6 /64 prefix to each of the nodes. For example, 2 array members require a /63 prefix (which enables Forefront UAG to define a /64 prefix for each array member); 8 array members require a /61 prefix (which enables Forefront UAG to define a /64 prefix for each array member). This prefix must be routable to the Forefront UAG DirectAccess array, and is configured during the Forefront UAG DirectAccess

VIP and DIP requirements

When planning a Forefront UAG DirectAccess NLB array, you must plan for the following DIPs and VIPs that will be configured on the array manager server:

• An Internet-facing static IPv4 address (DIP).
• An internal network facing static IPv6 address (DIP).
• An internal network facing static IPv4 address (DIP).
• Two Internet-facing consecutive public IPv4 addresses (VIPs).
• An internal network facing IPv6 address (VIP).
• An internal network facing IPv4 address (VIP).

For more information about deploying an array with integrated NLB, see Configuring a network load balanced array for Forefront UAG DirectAccess.

Planning for an array with a hardware load balancer

There are a number of considerations for planning and deploying a Forefront UAG array with a hardware load balancer. For more information, see Configuring an external load balanced array for Forefront UAG DirectAccess.
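The following Python script is an added example, not Microsoft's code and not part of this guide. It turns the rules from the Prefix requirements and VIP and DIP requirements sections into a checker an administrator can run before the deployment: it works out how wide the parent IPv6 prefix must be for a given number of array members (one /64 per member, so 2 members need a /63 and 8 need a /61, as the guide states), carves the per-member /64 prefixes out of it, and verifies that the two Internet-facing IPv4 VIPs are consecutive public addresses. The parent prefix 2001:db8:1:10::/61, the member counts and the 10.0.0.x VIPs are constructed sample values; the VIPs are deliberately RFC 1918 addresses so that the check's reporting is visible.

```python
"""Address-plan checker for a Forefront UAG DirectAccess NLB array.

Added example; this is not Microsoft's code and not part of the guide.
It encodes the rules from the "Prefix requirements" and "VIP and DIP
requirements" sections: each array member needs its own IPv6 /64 carved
from one routable parent prefix (2 members need a /63, 8 need a /61),
and the two Internet-facing IPv4 VIPs must be consecutive public addresses.
All sample addresses below are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from itertools import islice


def required_prefix_length(member_count: int) -> int:
    """Longest parent prefix that still yields one /64 per array member.

    Uses the bit length of (member_count - 1) rather than a float log2, so
    exact powers of two come out right: 1 -> /64, 2 -> /63, 3-4 -> /62,
    5-8 -> /61, which matches the /63 and /61 examples in the guide.
    """
    if member_count < 1:
        raise ValueError("an array needs at least one member")
    return 64 - (member_count - 1).bit_length()


def carve_member_prefixes(parent_prefix: str, member_count: int) -> list[ipaddress.IPv6Network]:
    """Return the /64 that each array member would receive, in member order.

    Raises ValueError if the parent prefix is narrower than the member count
    requires. Only the first member_count /64s are taken, so a generous
    parent (for example a /48) is handled without enumerating all of it.
    """
    parent = ipaddress.IPv6Network(parent_prefix, strict=True)
    needed = required_prefix_length(member_count)
    if parent.prefixlen > needed:
        raise ValueError(
            f"{parent} is too narrow: {member_count} members need at least a /{needed}"
        )
    return list(islice(parent.subnets(new_prefix=64), member_count))


def check_internet_vips(first_vip: str, second_vip: str) -> list[str]:
    """Problems with the two Internet-facing IPv4 VIPs; an empty list means OK.

    is_global rejects RFC 1918, shared-address (CGNAT), loopback and the
    documentation ranges, so a plan drafted with placeholder addresses is
    reported rather than silently accepted. The order of the two VIPs does
    not matter for the consecutiveness test.
    """
    addrs = (ipaddress.IPv4Address(first_vip), ipaddress.IPv4Address(second_vip))
    problems = []
    for label, addr in zip(("first", "second"), addrs):
        if not addr.is_global:
            problems.append(f"{label} VIP {addr} is not a public IPv4 address")
    low, high = sorted(addrs)
    if int(high) - int(low) != 1:
        problems.append(f"VIPs {first_vip} and {second_vip} are not consecutive")
    return problems


def describe_plan(parent_prefix: str, member_count: int, first_vip: str, second_vip: str) -> list[str]:
    """Human-readable plan: one line per member /64, then any VIP problems."""
    members = carve_member_prefixes(parent_prefix, member_count)
    lines = [f"member {i + 1}: {net}" for i, net in enumerate(members)]
    lines.extend(f"problem: {p}" for p in check_internet_vips(first_vip, second_vip))
    return lines


if __name__ == "__main__":
    # Constructed sample: an 8-member array with a documentation-range /61,
    # and RFC 1918 VIPs that the check is expected to flag.
    for line in describe_plan("2001:db8:1:10::/61", 8, "10.0.0.10", "10.0.0.11"):
        print(line)
```

The prefix arithmetic is done on integers rather than with a floating-point log2 so that exact powers of two (2, 4, 8 members) do not round the wrong way, and the /64 enumeration is sliced so that handing the script a large routable block does not enumerate every /64 in it.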