Wikis - Page Details
First published by: Rayne Wiselman [MSFT], 18 Jul 2010 4:32 AM
Last revision by: Carsten Siemens, 24 May 2013 1:43 PM
Revisions: 7
Comments: 4
Forefront UAG DirectAccess FAQ
Table of Contents
OVERVIEW
INSTALLATION AND INFRASTRUCTURE
CONFIGURING AND MAINTAINING
TROUBLESHOOTING
OVERVIEW
Where can I find basic information about Forefront UAG DirectAccess?
Take a look at the DirectAccess portal resource page.
Where can I get information about planning and designing UAG DirectAccess?
Take a look at the UAG DirectAccess design guide.
Where can I get information about deploying UAG DirectAccess?
Take a look at the Step-by-Step guide for setting up UAG DirectAccess in a lab, and the UAG DirectAccess deployment guide.
What does UAG DirectAccess provide that differs from Windows Server DirectAccess?
UAG DirectAccess provides the following:
Extends access to IPv4-only line-of-business servers, such as Windows Server 2003 and non-Windows servers, by providing a built-in NAT64
Enhances scale and management through array management capabilities and integrated load balancing
Simplifies deployments and ongoing administration using wizards and automated tools
INSTALLATION AND INFRASTRUCTURE
How do I install UAG DirectAccess?
You install Forefront UAG, and then enable and configure UAG DirectAccess using the DirectAccess wizard in the UAG Management console.
Do I need an IPv6 infrastructure to run UAG DirectAccess?
Although DirectAccess uses IPv6, you don't need a complete IPv6 network to take advantage of DirectAccess. On the client side, DirectAccess clients can communicate with the DirectAccess server only through IPv6-aware applications. On the server side, however, UAG DirectAccess uses IPv6 transition technologies to get DirectAccess working in an IPv4 environment. These transition technologies include:
ISATAP: tunnels IPv6 traffic across an IPv4-only intranet. The UAG DirectAccess server sets itself up automatically as an ISATAP router, and provides IPv6 addresses and routing information for IPv6-aware host computers.
6to4: connects the DirectAccess client to the UAG DirectAccess server over the IPv4 Internet. 6to4 is used when the DirectAccess client is assigned a public IP address. The IPv6 packets are encapsulated in an IPv4 header and sent over the 6to4 tunnel adapter to the DirectAccess server.
Teredo: connects the DirectAccess client to the DirectAccess server over the IPv4 Internet when the DirectAccess client is located behind a NAT device (either a NAT router or a NAT firewall) and the device allows outbound UDP port 3544. If the client has a private IP address and outbound access to UDP 3544, the client uses Teredo to encapsulate the IPv6 messages from the DirectAccess client to the UAG DirectAccess server in an IPv4 header and sends them over the IPv4 Internet.
IP-HTTPS: connects the DirectAccess client to the DirectAccess server over the IPv4 Internet. IP-HTTPS encapsulates the IPv6 packets in an IPv4 header. When the client is assigned a private IP address and the NAT device or firewall allows only HTTP/HTTPS outbound, the DirectAccess client falls back to IP-HTTPS. IP-HTTPS is considered a fallback because IP-HTTPS connections are not likely to perform as well as 6to4 or Teredo connections: SSL is added on top of the IPsec overhead, with HTTP as the transport protocol.
NAT64/DNS64: allows UAG DirectAccess to work with network resources that are not IPv6-capable (they can neither use native IPv6 nor act as an ISATAP host), for example Windows Server 2003 servers. NAT64/DNS64 accepts DirectAccess client connections, automatically creates an IPv6 address for the name requested by the client, and provides a protocol translation so that the IPv6 communication from the DirectAccess client is forwarded to the IPv4-only server using IPv4. The response is returned to the DirectAccess server, which translates the IPv4 response into an IPv6 message that is returned to the client. For more detailed information, read Tom's blog over at The Edge Man.
What are the main server components in a UAG DirectAccess deployment?
There are 3 main components:
The DirectAccess server is a Forefront UAG server running Windows Server 2008 R2 Standard edition or Windows Server 2008 R2 Enterprise edition that is joined to a domain. It accepts connections from DirectAccess clients and facilitates communication with internal network resources.
The network location server is an intranet Web server that allows a DirectAccess client to determine if they are located on the Internet or the intranet. To function as a network location server, a computer must be able to host and service requests for a Secure Hypertext Transfer Protocol (HTTPS)-based uniform resource locator (URL).
Certificate revocation list (CRL) distribution points. DirectAccess clients use certificate revocation checking to validate the certificate for the HTTPS connection to the network location server and the DirectAccess server certificate for IP-HTTPS-based connections to the DirectAccess server over the Internet.
What are DirectAccess client requirements?
Clients must be running Windows 7 Enterprise, Windows 7 Ultimate, or Windows Server 2008 R2.
Clients must be joined to an Active Directory domain.
What are the DirectAccess server requirements?
DirectAccess servers must run Windows Server 2008 R2, and be joined to an AD DS domain.
What do I need to do to deploy DirectAccess transition technologies?
ISATAP: The UAG DirectAccess server automatically configures itself as an ISATAP router. In order to use ISATAP you need DNS servers to answer queries for ISATAP. Specify ISATAP Host (A) records on your DNS servers, and make sure IPv6 is enabled on network hosts (it is on by default). ISATAP then ensures that all IPv6 hosts on the network have IPv6 addresses, and (since ISATAP tunnels IPv6 packets within an IPv4 header) routing within your IPv4 infrastructure does not require any changes on IPv4 routers.
6to4: 6to4 will work automatically after running the UAG DirectAccess wizard and applying the resultant Group Policy on DirectAccess clients and on the DirectAccess server.
Teredo: Teredo will work automatically after running the UAG DirectAccess wizard and applying the resultant Group Policy on DirectAccess clients and on the DirectAccess server.
IP-HTTPS: IP-HTTPS will work automatically after running the UAG DirectAccess wizard and applying the resultant Group Policy on DirectAccess clients and on the DirectAccess server.
NAT64/DNS64: Works automatically after running the UAG DirectAccess wizard.
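The transition technologies above are chosen by the client according to its network position (public IPv4 address, behind a NAT with UDP 3544 open, or HTTP/HTTPS only). The following PowerShell script is an added example, not part of this article or of Forefront UAG; it reads the state of each technology on a Windows 7 DirectAccess client with the netsh queries that exist for them and reports which Internet-side transition is in use. It only reads state and makes no changes; run it in an elevated PowerShell prompt on the client. The regular expressions assume the English netsh report labels ("ISATAP State", "State", "Interface Status").

```powershell
# Added example, not part of the TechNet Wiki article: report which of the
# transition technologies described above a Windows 7 DirectAccess client is
# using right now. Read-only: netsh queries plus the local interface list.

function Get-NetshText {
    param([string[]]$NetshArgs)
    # netsh prints a short report to stdout; collapse it into one string.
    (& netsh.exe @NetshArgs 2>&1 | Out-String)
}

function Get-DaTransitionState {
    # ISATAP (intranet side): "default" or "enabled" means the host will tunnel
    # IPv6 across the IPv4 intranet once the ISATAP router name resolves in DNS.
    $isatapText = Get-NetshText @('interface', 'isatap', 'show', 'state')
    $isatap = if ($isatapText -match '(?m)^\s*ISATAP State\s*:\s*(\S+)') { $matches[1] } else { 'unknown' }

    # 6to4 (Internet side, public IPv4 address): a 6to4 address always carries
    # the 2002: prefix, so look for one on any interface.
    $has6to4 = $false
    foreach ($nic in [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces()) {
        foreach ($ua in $nic.GetIPProperties().UnicastAddresses) {
            if ($ua.Address.AddressFamily -eq 'InterNetworkV6' -and
                $ua.Address.ToString().StartsWith('2002:')) { $has6to4 = $true }
        }
    }

    # Teredo (private address behind a NAT that allows outbound UDP 3544):
    # "qualified" means the client has a usable Teredo address.
    $teredoText = Get-NetshText @('interface', 'teredo', 'show', 'state')
    $teredo = if ($teredoText -match '(?m)^\s*State\s*:\s*(\S+)') { $matches[1] } else { 'unknown' }

    # IP-HTTPS (fallback when only HTTP/HTTPS is allowed outbound).
    $httpsText = Get-NetshText @('interface', 'httpstunnel', 'show', 'interfaces')
    $iphttps = if ($httpsText -match '(?m)^\s*Interface Status\s*:\s*([^\r\n]+)') { $matches[1].Trim() } else { 'unknown' }

    # Report the Internet-side technology in the order the article describes:
    # 6to4 for a public address, Teredo behind a NAT, IP-HTTPS as the fallback.
    $active = if ($has6to4) { '6to4' }
              elseif ($teredo -eq 'qualified') { 'Teredo' }
              elseif ($iphttps -match 'active') { 'IP-HTTPS' }
              else { 'none' }

    New-Object PSObject -Property @{
        IsatapState        = $isatap
        Has6to4Address     = $has6to4
        TeredoState        = $teredo
        IpHttpsStatus      = $iphttps
        InternetTransition = $active
    }
}

Get-DaTransitionState | Format-List
```

A client that reports IP-HTTPS while sitting behind a NAT is a sign that outbound UDP 3544 is blocked on the way out, which costs the performance the article mentions; a client reporting "none" on the Internet has no transition at all and will not build its IPsec tunnels. The script uses netsh and .NET classes rather than the NetTCPIP cmdlets because the latter are not available on Windows 7.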
What client-side installation is required?
DirectAccess does not require any client-side installation. DirectAccess clients use Active Directory domain membership and Group Policy settings for their configuration. Once the Group Policy settings are applied while connected to the local area network (LAN) or through a VPN connection, there is no user interface on the DirectAccess client. When DirectAccess is operating effectively, it is transparent to the end user.
What are the Active Directory requirements?
The Forefront UAG DirectAccess server must be a domain member and cannot be a domain controller.
A domain controller cannot be reachable from the Internet interface of the UAG DirectAccess server (the Internet interface must not be in the domain profile of Windows Firewall). If you have a domain controller on a perimeter network and thus reachable from the Internet-facing adapter, you can prevent the UAG DirectAccess server from reaching it by adding packet filters on the domain controller to prevent connectivity to the IP address of the Internet-facing adapter. For more information, see Designing Active Directory for UAG DirectAccess.
You can use Windows Server 2008 or Windows Server 2003 domains and domain controllers.
Clients must be domain members.
The UAG DirectAccess server must be a member of the domain the DirectAccess clients belong to, or there must be a two-way trust between the domains/forests.
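The requirement that no domain controller be reachable from the Internet-facing adapter is easy to verify from the UAG server itself. The PowerShell script below is an added example and not part of this article or of Forefront UAG: it enumerates the domain controllers of the server's domain through System.DirectoryServices.ActiveDirectory, binds a TCP socket to the Internet-facing IPv4 address and attempts to connect to a few directory ports, so a successful connection shows that a DC answers on that interface. The external address, the port list and the 203.0.113.10 placeholder are assumptions; substitute the address of your own Internet-facing adapter.

```powershell
# Added example, not part of the article: from the UAG DirectAccess server,
# check that no domain controller answers on the Internet-facing adapter.
# Sockets are bound to the external IPv4 address before connecting, so a
# successful connect means a DC is reachable from that interface.

function Test-DcReachableFromExternal {
    param(
        [Parameter(Mandatory = $true)][string]$ExternalIPv4,
        [int[]]$Ports = @(88, 389, 445),   # Kerberos, LDAP, SMB: enough to show exposure
        [int]$TimeoutMs = 3000
    )

    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $localEndpoint = New-Object System.Net.IPEndPoint -ArgumentList `
        ([System.Net.IPAddress]::Parse($ExternalIPv4)), 0

    foreach ($dc in $domain.DomainControllers) {
        foreach ($port in $Ports) {
            # Binding to the external address makes the attempt originate from
            # the Internet-facing interface rather than the intranet one.
            $client = New-Object System.Net.Sockets.TcpClient -ArgumentList $localEndpoint
            $reachable = $false
            try {
                $async = $client.BeginConnect($dc.IPAddress, $port, $null, $null)
                if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                    try { $client.EndConnect($async); $reachable = $true } catch { }
                }
            } finally {
                $client.Close()
            }
            New-Object PSObject -Property @{
                DomainController      = $dc.Name
                Address               = $dc.IPAddress
                Port                  = $port
                ReachableFromExternal = $reachable
            }
        }
    }
}

# Placeholder address (RFC 5737 documentation range); use your external adapter's IP.
Test-DcReachableFromExternal -ExternalIPv4 '203.0.113.10' | Format-Table -AutoSize
```

Any row with ReachableFromExternal set to True is a domain controller that needs the packet filters described above, or the adapter has ended up in the domain firewall profile; either way the server should not be able to reach a DC through that interface. The check is a TCP-level heuristic: a DC filtered at the firewall but reachable at the network layer still shows as unreachable here, which is the state you want.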
What are the DNS server requirements?
UAG DirectAccess provides DNS64, which performs all necessary DNS traffic conversions to support name resolution and dynamic updates. DirectAccess clients use DNS64 to resolve all intranet names. There are no special requirements for the DNS servers, and they can run Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2. For more information about designing DNS for UAG DirectAccess, see Designing a DNS infrastructure for UAG DirectAccess.
What are the PKI requirements?
UAG DirectAccess needs a public key infrastructure (PKI) to issue certificates to DirectAccess clients, the DirectAccess server, and the network location server. For more information, see Designing a PKI for UAG DirectAccess.
Do application servers require Windows Server 2008 R2?
No. Application servers can be running any operating system. However, if a Windows-based server is not Windows Server 2008 or later, DirectAccess cannot be configured for end-to-end IPsec protection. Windows Server 2003 does not support IPsec over IPv6. Additionally, if the server is running Windows Server 2003 or earlier, an IPv6/IPv4 translator such as a NAT64 is required. Servers running operating systems other than Windows are supported, but if the TCP/IP stack and applications on that server do not fully support IPv6, your DirectAccess deployment might require a NAT64.
Is IPsec required?
Yes. IPsec is required to authenticate and encrypt the connection between the DirectAccess client and the UAG DirectAccess server across the Internet. This is accomplished by establishing tunnel mode connections to the DirectAccess server, which terminates IPsec-protected connections at the edge of your intranet and forwards the tunneled traffic within your intranet. However, IPsec is not required within your intranet for DirectAccess. End-to-end IPsec protection between the DirectAccess client and the intranet server is optional. For more information, see Choosing an access model.
Can I scale UAG DirectAccess?
You can configure an array of UAG DirectAccess servers. For more information, see Configuring NLB for a UAG DirectAccess array, and Configuring external load balancing for a UAG DirectAccess array.
CONFIGURING AND MAINTAINING
Is there a built-in limit to the number of DirectAccess client connections?
No. There is no built-in limit.
Can UAG be deployed as a DirectAccess server and for trunk publishing?
Yes. You can deploy UAG trunk and DirectAccess features together. There is a limitation that Network Connector cannot be published when Forefront UAG is configured as a DirectAccess server. But you *CAN* use UAG as an SSTP VPN server when it is configured as a DirectAccess server (http://technet.microsoft.com/en-us/library/ee522953.aspx).
Can
TROUBLESHOOTING
DirectAccess clients on the intranet cannot access a network location server
Issue: DirectAccess clients cannot connect to the network location server.
Possible cause: When connecting, DirectAccess clients attempt to access a network location server that is available only on the intranet. This allows DirectAccess to determine the location of the client. If a client cannot access a network location server, it might not be able to resolve DNS names.
Solution: Check the following:
Verify that clients are able to validate the SSL certificate used by the network location server.
Check that the NRPT has an exemption rule for the FQDN of the network location URL. This should occur by default. This ensures that the FQDN of the network location server is reachable by UAG DirectAccess clients.
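Both checks in the solution can be scripted on the affected client. The PowerShell below is an added example, not part of this article or of Forefront UAG: Test-NlsNrptRule reads the NRPT that Group Policy applied (netsh namespace show policy) and returns the rule section for the NLS name, and Test-NlsCertificate opens the NLS URL through the system certificate store with revocation checking switched on, which reproduces the chain and CRL checks the DirectAccess client performs. The parsing assumes the English netsh report layout ("Settings for <name>" per rule); the NLS URL nls.corp.example.com is a placeholder for the network location URL configured in the UAG DirectAccess wizard.

```powershell
# Added example, not part of the article: run on a DirectAccess client on the
# intranet to check the NRPT exemption for the NLS name and the NLS certificate.

function Test-NlsNrptRule {
    param([Parameter(Mandatory = $true)][string]$NlsFqdn)
    $policy = & netsh.exe namespace show policy 2>&1 | Out-String
    # The report has one "Settings for <name>" section per NRPT rule. The NLS
    # exemption appears as a section for its FQDN with no DirectAccess DNS
    # servers assigned; return that section so the admin can read it.
    $sections = $policy -split '(?m)^Settings for '
    $rule = $sections | Where-Object { $_ -match ('^\s*' + [regex]::Escape($NlsFqdn)) }
    if ($rule) { return 'Settings for ' + ($rule | Select-Object -First 1).Trim() }
    return $null
}

function Test-NlsCertificate {
    param([Parameter(Mandatory = $true)][string]$NlsUrl)
    # .NET does not check revocation by default, but the DirectAccess client
    # does, so enable it to surface CRL distribution point problems as well.
    [System.Net.ServicePointManager]::CheckCertificateRevocationList = $true
    $request = [System.Net.HttpWebRequest]::Create($NlsUrl)
    $request.Timeout = 10000
    $request.Method = 'GET'
    try {
        $response = $request.GetResponse()
        $status = [int]$response.StatusCode
        $response.Close()
        return New-Object PSObject -Property @{ Url = $NlsUrl; CertificateValid = $true; Reachable = $true; Detail = "HTTP $status" }
    } catch [System.Net.WebException] {
        $ex = $_.Exception
        # TrustFailure: the server answered but its certificate (chain, name or
        # revocation status) was rejected, the failure this entry is about.
        if ($ex.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) {
            return New-Object PSObject -Property @{ Url = $NlsUrl; CertificateValid = $false; Reachable = $true; Detail = $ex.Message }
        }
        # ProtocolError: TLS and certificate checks succeeded and the server
        # returned an HTTP error, so the NLS is reachable and its certificate is fine.
        if ($ex.Status -eq [System.Net.WebExceptionStatus]::ProtocolError) {
            return New-Object PSObject -Property @{ Url = $NlsUrl; CertificateValid = $true; Reachable = $true; Detail = $ex.Message }
        }
        # Anything else (DNS failure, timeout, connection refused): not reachable.
        return New-Object PSObject -Property @{ Url = $NlsUrl; CertificateValid = $null; Reachable = $false; Detail = $ex.Message }
    }
}

function Test-NlsAccess {
    param([Parameter(Mandatory = $true)][string]$NlsUrl)
    $fqdn = ([System.Uri]$NlsUrl).Host
    $rule = Test-NlsNrptRule -NlsFqdn $fqdn
    if ($rule) { "NRPT rule for ${fqdn}:`n$rule" }
    else { "WARNING: no NRPT rule found for $fqdn (an exemption rule is expected)" }
    Test-NlsCertificate -NlsUrl $NlsUrl | Format-List
}

# Placeholder URL; replace with the network location URL from the UAG wizard.
Test-NlsAccess -NlsUrl 'https://nls.corp.example.com/'
```

A CertificateValid of False with Reachable True points at the first item in the solution (the client cannot build a trusted chain to the NLS certificate, or cannot fetch its CRL); a missing NRPT rule points at the second. The script uses HttpWebRequest and netsh rather than Invoke-WebRequest and Get-DnsClientNrptPolicy because those cmdlets do not exist on Windows 7 with PowerShell 2.0.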