Configure WebReady and Direct File access from different sources


  • Configure WebReady and Direct File access from different sources

    Hi,

    Here is the setup:
    Exch 2010 SP2, 2 node CAS cluster, OWA published on TMG and also UAG.


    Is it possible to set up WebReady and Direct File access so that when the request comes from the TMG, Direct File access and WebReady are enabled, but when the request comes from UAG they are not?

    TIA
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR

  • #2
    Re: Configure WebReady and Direct File access from different sources

    How are your TMG and UAG configured? Is one in front of the other or are they both on the internet with external IP addresses?
    BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
    Cruachan's Blog



    • #3
      Re: Configure WebReady and Direct File access from different sources

      Both internet facing.
      Caesar's cipher - 3

      ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

      SFX JNRS FC U6 MNGR



      • #4
        Re: Configure WebReady and Direct File access from different sources

        I'm not hugely familiar with UAG, so the simplest way to do it would just be to remove the OWA publishing from UAG and force all users to use the TMG URL externally. Seeing as WebReady and Direct File Access both use OWA I can't think of any way to leave access to OWA but not to the other features.
        BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
        Cruachan's Blog



        • #5
          Re: Configure WebReady and Direct File access from different sources

          It probably would be the simplest way, but the requirement from Information Governance in here is to have it published in both and somehow, if possible, to have two different policies.
          They currently have got a 2 factor authentication for UAG, which is why the direct file access policy can be more relaxed.
          Whilst for TMG it needs to be more strict.

          Since these are set on the CAS though I am just wondering if it is possible to create another OWA virtual directory, is this even possible??

          What I basically want to achieve is have different WebReady policies which I can do now with Private Computer File access and Public computer file access but I want to set the policies so they are not dictated by the end user.

          Any thoughts?
          Caesar's cipher - 3

          ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

          SFX JNRS FC U6 MNGR



          • #6
            Re: Configure WebReady and Direct File access from different sources

            I think this would probably be easier to do if things were the other way round, as TMG has much better firewalling capabilities than UAG but UAG is better at application publishing.

            A sneaky way of doing this might be to send requests for OWA etc from UAG to TMG and use a TMG rule to restrict the traffic. However I think this would only work if WebReady and Direct File Access use different virtual directories in IIS. Come to think of it, I've never looked at the feature in IIS7 but IIS6 could be told which IPs were allowed to access which virtual directories, so if they are different from OWA you could just deny access to the UAG IP address.
            BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
            Cruachan's Blog



            • #7
              Re: Configure WebReady and Direct File access from different sources

              Originally posted by cruachan:
              "I think this would probably be easier to do if things were the other way round, as TMG has much better firewalling capabilities than UAG but UAG is better at application publishing."

              Hmm, not sure about that..

              UAG uses TMG as the underlying firewall. Whilst it is fully configurable as a standalone TMG, it's not recommended to be messed with as it is reserved for the rules generated by the UAG request.
              In terms of application publishing, they are both reverse proxies that publish applications slightly differently, with UAG having some extended capabilities such as endpoint checking.. which doesn't necessarily make it better at publishing .. just different.

              This is the scenario we have in here and that's not changing. It could have been two TMGs side by side but that's not the point.

              Originally posted by cruachan:
              "A sneaky way of doing this might be to send requests for OWA etc from UAG to TMG and use a TMG rule to restrict the traffic. However I think this would only work if WebReady and Direct File Access use different virtual directories in IIS. Come to think of it, I've never looked at the feature in IIS7 but IIS6 could be told which IPs were allowed to access which virtual directories, so if they are different from OWA you could just deny access to the UAG IP address."

              I'll look into the IIS side. Thanks
              Caesar's cipher - 3

              ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

              SFX JNRS FC U6 MNGR



              • #8
                Re: Configure WebReady and Direct File access from different sources

                As I understood it, although the underlying technology is the same, UAG is much less customisable from a firewall point of view than TMG. TMG is primarily an outbound proxy, whereas UAG is primarily an inbound/reverse proxy.
                BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
                Cruachan's Blog



                • #9
                  Re: Configure WebReady and Direct File access from different sources

                  Well, a few things.
                  TMG can be equally a forward and a proxy.
                  UAG hasn't got any firewall capabilities; TMG handles that on its behalf.
                  The TMG firewall rule also determines that UAG only acts as a reverse proxy.
                  UAG doesn't do forward proxying.
                  Anyway, as we are sidetracking a bit, my query was really around OWA virtual directories and WebReady policies. TMG and UAG were mentioned to give you a full picture of the setup but bear not much importance.
                  Caesar's cipher - 3

                  ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

                  SFX JNRS FC U6 MNGR
