
    ForeFront UAG trunks stopped working

    IT Discussion
    forefront tmg forefront uag reverse proxy
    • thwr

      I'm facing a weird issue here right now: Our ForeFront UAG, which is used for SSTP VPN and SharePoint publishing (aka reverse proxy), suddenly stopped working without reporting any errors.

      What I can tell so far:

      • No configuration changes on the UAG for months
      • No changes to our public subnet infrastructure
      • Reboots once a week or so
      • Traffic reaches the UAG and gets dropped there. Most probably due to a default rule, e.g. there's a rule mismatch. I can see the traffic passing the previous hop.
      • The UAG itself can see the internal SharePoint sites just fine
      • All HTTPS trunks and the SSTP VPN stopped responding to requests
      • All Certs valid until Q3/2017

      Any ideas?

      • bsouder

        How long ago did you update the Cert? I am assuming that was the last thing you did to the system. I had one recently that even though it said it updated, it did not actually update. Removed the certificates (including verifying all old certificates were gone), added them back in. Check bindings.

        • Dashrender

          Any Windows updates installed recently?

          • jt1001001

            Any internal or external DNS changes??

            • thwr @bsouder

              @bsouder said in ForeFront UAG trunks stopped working:

              How long ago did you update the Cert? I am assuming that was the last thing you did to the system. I had one recently that even though it said it updated, it did not actually update. Removed the certificates (including verifying all old certificates were gone), added them back in. Check bindings.

              Months ago. But thx 🙂 Configs not applying is a common problem. Same for bindings getting lost

              • thwr @jt1001001

                @jt1001001 said in ForeFront UAG trunks stopped working:

                Any internal or external DNS changes??

                Nope

                • thwr @Dashrender

                  @Dashrender said in ForeFront UAG trunks stopped working:

                  Any Windows updates installed recently?

                  That's what I'm currently looking for. Unfortunately, I won't have access to the system until Monday

                  • thwr

                    I'm currently thinking about replacing the UAG with nginx or Apache. What are your thoughts about losing the pre-auth from a security point of view?

                    IMHO:

                    • it's nice to have, but not a critical component.
                    • A reverse proxy and some IDS/IPS between the user and the SharePoint farm is more important.

                    Sadly, SharePoint Online is not an option.

                    • Dashrender

                      I've been told that Windows Server can do the reverse proxy stuff. Might be an idea.

                      • thwr @Dashrender

                        @Dashrender said in ForeFront UAG trunks stopped working:

                        I've been told that Windows Server can do the reverse proxy stuff. Might be an idea.

                        You mean WAP, Web Application Proxy available since 2012R2. Would be an option, but I would need to buy a bunch of 2012R2 UserCALs. WAP is also very limited in functionality, not even comparable to mod_proxy.

                        I think I will be going the open source route here. UAG left a bad taste: Not only did they cancel the product without any recommendations, no, you can't even buy UAG CALs anymore. And to be honest, it was never running really stable.

                        • jt1001001

                          We are looking at replacing our ForeFront UAG for Skype for Business reverse proxy with Kemp load balancers; they provide a SharePoint config guide:
                          https://support.kemptechnologies.com/hc/en-us/articles/203123539-SharePoint

                          They offer a free Load Balancer VM if you don't need too much bandwidth:
                          http://freeloadbalancer.com/features/

                          I unfortunately am not part of the project team designing and implementing the Kemp solution so I can't tell you much about its capabilities YET

                          • Dashrender

                            Oh good point - though I'm not sure why you would need more CALs, don't you already have all the CALs you need for access to SharePoint?

                            • thwr @Dashrender

                              @Dashrender said in ForeFront UAG trunks stopped working:

                              Oh good point - though I'm not sure why you would need more CALs, don't you already have all the CALs you need for access to SharePoint?

                              yup, but only 2008R2 without SA. WAP is 2012R2+

                              • thwr @jt1001001

                                @jt1001001 said in ForeFront UAG trunks stopped working:

                                We are looking at replacing our ForeFront UAG for Skype for Business reverse proxy with Kemp load balancers; they provide a SharePoint config guide:
                                https://support.kemptechnologies.com/hc/en-us/articles/203123539-SharePoint

                                They offer a free Load Balancer VM if you don't need too much bandwidth:
                                http://freeloadbalancer.com/features/

                                I unfortunately am not part of the project team designing and implementing the Kemp solution so I can't tell you much about its capabilities YET

                                Thx for mentioning it. Unfortunately, we have some confidential (and up) data on our SharePoint. A third-party reverse proxy might (in theory) copy the data using the user's session. I'm not saying that Kemp is doing this, but on the other hand ... gov'd firmware on Cisco devices.
