UAG DirectAccess Multiple Policies

  • Question

  • I have built a UAG NLB Array and setup DirectAccess for full access (both infrastructure and intranet tunnels come up). I'd like to know if it's possible to define a separate set of policies so that I can set some computers to get both tunnels and others to get only the infrastructure tunnel.
    Tuesday, November 15, 2011 2:19 PM

Answers

  • You can certainly create two sets of GPOs and have different settings in them - in theory you could populate the two different sets of GPOs with different settings by running through the DirectAccess wizards and then doing the "Export Script" function and tweaking the scripts so that they populate the correct GPOs with the settings. Even if you get it working it's going to be messy because every time you make a change in UAG it will try to re-push the new settings to whatever the default GPOs are in UAG. You'll have to do all of the manual work every time you make a change, and the UAG server will only keep one active set of configuration at a time, so even if you simply restart the server it's going to reactivate UAG and pull in the last settings that you entered. It will also be unsupported by Microsoft.

    It would be easier to scrap this idea and use some form of two-factor authentication. When you require 2FA with DA, all computers always establish the management (infrastructure) tunnel so that they can always be managed by IT, but only those users who are able to successfully authenticate with their 2FA solution will get the 2nd Intranet tunnel.

    • Marked as answer by Driscoll, Mike Thursday, November 17, 2011 8:52 PM
    Tuesday, November 15, 2011 3:47 PM
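A client-side check for the tunnel split described in this answer, added here as an example and not part of the thread or of the UAG product: the function below reads the IPsec main-mode SAs on a DirectAccess client and labels each one as the infrastructure (computer-authenticated) tunnel or the intranet (user-authenticated) tunnel, so you can confirm that a machine which fails or skips 2FA still gets the management tunnel and nothing more. It assumes the `Auth1:`/`Auth2:` field names and dashed record separators of `netsh advfirewall monitor show mmsa` output; the sample text embedded for offline use is constructed, not captured from a real client, and the addresses in it are 6to4 forms of documentation-range IPv4 addresses.

```powershell
# Added example, not code from the thread or from UAG.
# Assumption: record layout and 'Auth1:'/'Auth2:' field names follow
# 'netsh advfirewall monitor show mmsa'. Written for PowerShell 2.0
# (Windows 7 / Server 2008 R2 era clients), hence New-Object PSObject.

function Get-DaTunnelState {
    param(
        # Pass pre-captured netsh text to run offline; otherwise query the live host.
        [string]$MmsaText
    )
    if (-not $MmsaText) {
        $MmsaText = (netsh advfirewall monitor show mmsa) -join "`n"
    }

    # Each SA record is introduced by a dashed rule; fields are "Key:   Value".
    $records = @()
    $current = $null
    foreach ($line in $MmsaText -split "`r?`n") {
        if ($line -match '^-{5,}') {
            if ($current -ne $null -and $current.Count -gt 0) { $records += $current }
            $current = @{}
            continue
        }
        if ($current -ne $null -and $line -match '^\s*([^:]+?):\s+(.+?)\s*$') {
            $current[$matches[1].Trim()] = $matches[2]
        }
    }
    if ($current -ne $null -and $current.Count -gt 0) { $records += $current }

    foreach ($r in $records) {
        # Infrastructure (management) tunnel: the second authentication is a
        # computer credential. Intranet tunnel: the second authentication is a
        # user credential (Kerberos, or with 2FA/OTP a short-lived user cert).
        $tunnel = switch -Regex ($r['Auth2']) {
            '^Computer' { 'Infrastructure' }
            '^User'     { 'Intranet' }
            default     { 'Unknown' }
        }
        New-Object PSObject -Property @{
            Tunnel   = $tunnel
            LocalIP  = $r['Local IP Address']
            RemoteIP = $r['Remote IP Address']
            Auth1    = $r['Auth1']
            Auth2    = $r['Auth2']
        }
    }
}

# Constructed sample (not a real capture): one record per tunnel, as a fully
# connected client with both tunnels up would show them.
$sample = @"
Main Mode SA at 11/16/2011 10:02:13
----------------------------------------------------------------------
Local IP Address:                     2002:c000:201::c000:201
Remote IP Address:                    2002:c000:101::c000:101
Auth1:                                ComputerCert
Auth2:                                ComputerNTLM
MM Offer:                             None-AES128-SHA256

Main Mode SA at 11/16/2011 10:02:15
----------------------------------------------------------------------
Local IP Address:                     2002:c000:201::c000:201
Remote IP Address:                    2002:c000:101::c000:101
Auth1:                                ComputerCert
Auth2:                                UserKerb
MM Offer:                             None-AES128-SHA256
"@

# Offline run against the sample; drop -MmsaText to inspect the local client.
Get-DaTunnelState -MmsaText $sample | Format-Table Tunnel, Auth1, Auth2, RemoteIP -AutoSize
```

On a client that only reached the management tunnel (for example, a user who has not completed 2FA) the output shows a single Infrastructure row; a client with no DirectAccess connectivity at all returns nothing, because netsh reports no SAs. The classification keys on the prefix of the second authentication method rather than on an exact string, so it holds whether the user side is Kerberos or an OTP-issued certificate.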

All replies

  • Thanks for the information. Can you explain what you mean by, "even if you simply restart the server it's going to reactivate UAG and pull in the last settings that you entered"? Is restarting the server the equivalent of clicking the activate button in the DA wizard? What does that button actually do?

    I'll take a look at 2FA and see if it's a viable alternative. That will depend on what the options for the 2nd factor are.

    Wednesday, November 16, 2011 1:28 PM
  • Yes, when you restart it reloads the configuration like when you click on the Activate button. The activation process is the final "go button" for all of the settings that you have put into place on the UAG server. It takes the information you entered into the wizards and the information that the server has received from its DirectAccess GPO and puts it all into action. When you make any changes in the UAG wizards (DirectAccess or the portals) those changes don't actually go into place until you Activate.
    Wednesday, November 16, 2011 1:42 PM