Forefront UAG Direct Access

L1 Bithead

Forefront UAG Direct Access

I was wondering if anyone has deployed Microsoft Direct Access or Forefront UAG behind a Palo Alto firewall, and could share their experiences.  Direct Access requires 2 consecutive public IPv4 addresses (no NAT), and we are trying to figure out the best way to route this through a PA-2020 that currently has layer 3 interfaces configured, with a public IP range assigned on the external/untrust interface and NATed RFC1918 addresses on all of the other interfaces.  Any advice would be appreciated.

L4 Transporter

Re: Forefront UAG Direct Access

If you must keep the public addresses on the Forefront and absolutely NO NAT, then what about setting up a virtual wire pair on the Palo Alto device and plugging the Forefront into the trust side of it? You can plug the untrust side of the virtual wire pair into whatever switch you currently have the Forefront plugged into.



Not applicable

Re: Forefront UAG Direct Access

Abelgard, just curious if you might have updated to the new version of Direct Access? If so, have you attempted to implement user awareness on your PA of incoming DA traffic? If so, how's that working for you, and how did you do it? Thanks!

L1 Bithead

Re: Forefront UAG Direct Access

We actually decided not to deploy DA... we were never able to get it working.
