Quick DirectAccess Implementation Question.

  • Question

  • General question. I have been asked to make DirectAccess available to our laptop users but am not sure of the best way to implement DirectAccess.

    We have TMG 2010 already installed on a Windows Server 2008 R2 server and thought we could just enable DirectAccess on the TMG server, but if my research is correct you have to install DirectAccess on the server before installing TMG. Is this correct, and if not, any links on how to install and configure DirectAccess on an R2 server with TMG already installed would be welcome?

    Another option is to create a new server with Server 2008 R2 and install UAG, configure DirectAccess and done, but this option requires a new server. Apart from benefiting from UAG's DirectAccess, I don't think we will benefit from publishing Exchange, SharePoint and mobiles via UAG as we have already configured TMG to publish these services.

    The last option is to create a new server with Server 2008 R2 and install DirectAccess. Once again this requires a new server.

    Is there a fourth option I'm missing? If not, what would you advise as the best route to implement DirectAccess?

    PS, we currently only use IPv4 within our domain.

    Thanks for reading this and all advice welcome.

    • Edited by Lee Broad Wednesday, June 30, 2010 1:00 PM
    Wednesday, June 30, 2010 10:12 AM

All replies

  • The question is do you need UAG DirectAccess or Windows DirectAccess?

    In Windows DirectAccess you can only reach intranet servers that are IPv6 capable (Windows 2008/Vista and up). This means you will have to enable ISATAP transition technology in your organization and all capable servers will have an IPv6 address.

    In UAG DirectAccess you can also reach servers that are not IPv6 capable (Windows 2003/XP and below), or if you choose not to enable IPv6 in your organization using the ISATAP transition technology.

    I've never tried installing Windows DirectAccess with TMG, so I'm not sure why it is required to install DirectAccess first, but it's best that you ask that in the TMG forum or in the Windows DirectAccess forum.

    Regarding the UAG DirectAccess option, you'll have to install a new server with UAG and it will automatically install TMG.

    Wednesday, June 30, 2010 11:14 AM
  • This may help with regard to TMG: http://blogs.technet.com/b/isablog/archive/2009/09/23/forefront-tmg-and-windows-7-directaccess.aspx

    However, I would strongly recommend you consider using UAG DirectAccess as discussed here: http://blog.msedge.org.uk/2010/01/path-to-directaccess-part-1-choosing.html. As you have IPv4 servers, I would say that native DirectAccess (with or without TMG) is a non-starter for you and hence UAG DirectAccess is a must.

    It may also be worth noting that UAG will do a better job with publishing both Exchange/SharePoint than TMG, especially if you are accessing these services from non-corporate (unmanaged) machines.

    Exchange: http://technet.microsoft.com/en-us/library/dd861454.aspx

    SharePoint: http://technet.microsoft.com/en-us/library/dd861393.aspx

    I can't see how you can avoid buying another server (unless you buy an appliance) to meet your requirements for DA; it would probably make sense to install it in parallel to your TMG server as DA needs public IP addresses on the external interface. A better understanding of your network topology would be needed to make a proper recommendation though ;)

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by Lee Broad Wednesday, June 30, 2010 1:15 PM
    Wednesday, June 30, 2010 12:05 PM
    Moderator
  •  

     

    Hi For5six,

    There is some guidance on installing DA on a TMG firewall, which you can find at http://blogs.technet.com/b/isablog/archive/2009/09/23/forefront-tmg-and-windows-7-directaccess.aspx

    However, this solution has a lot of limitations compared to UAG. If you have an IPv6-capable network behind the TMG firewall, then it could work for you, but you will not have high availability.

    UAG, like Jason said, is the best solution for both DirectAccess and publishing Exchange and SharePoint. And since you use only IPv4 it's your only solution.

    HTH,

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Wednesday, June 30, 2010 1:33 PM
    Moderator