OVERVIEW

  • Where can I find basic information about Forefront UAG DirectAccess?
  • What does UAG DirectAccess provide that differs from Windows Server DirectAccess?
    • UAG DirectAccess provides the following:
      • Extends access to IPv4-only line-of-business servers, such as Windows Server 2003 and non-Windows servers, by providing a built-in NAT64
      • Enhances scale and management through array management capabilities and integrated load balancing
      • Simplifies deployments and ongoing administration using wizards and automated tools

INSTALLATION AND INFRASTRUCTURE

  • How do I install UAG DirectAccess?
    • You install Forefront UAG, and then enable and configure UAG DirectAccess using the DirectAccess wizard in the UAG Management console.
  • Do I need an IPv6 infrastructure to run UAG DirectAccess?
    • Although DirectAccess uses IPv6, you don't need a complete IPv6 network to take advantage of DirectAccess. On the client side, DirectAccess clients can only communicate with the DirectAccess server using IPv6-aware applications. On the server side, however, UAG DirectAccess leverages IPv6 transition technologies to get DirectAccess working in an IPv4 environment. These transition technologies include:
      • ISATAP to tunnel IPv6 traffic across an IPv4-only intranet. The UAG DirectAccess server sets itself up automatically as an ISATAP router, and provides IPv6 addresses and routing information for IPv6-aware host computers.
      • 6to4 to connect the DirectAccess client to the UAG DirectAccess server over the IPv4 Internet. 6to4 is used when the DirectAccess client is assigned a public IP address. The IPv6 packets are encapsulated in an IPv4 header and sent over the 6to4 tunnel adapter to the DirectAccess server.
      • Teredo to connect the DirectAccess client to the DirectAccess server over the IPv4 Internet when the DirectAccess client is located behind a NAT device (either a NAT router or a NAT firewall), and the device allows outbound UDP port 3544. If the client has a private IP address and outbound access to UDP 3544, then the client uses Teredo to encapsulate the IPv6 messages from the DA client to the UAG DA server in an IPv4 header and send them over the IPv4 Internet.
      • IP-HTTPS to connect the DirectAccess client to the DirectAccess server over the IPv4 Internet. IP-HTTPS is used to encapsulate the IPv6 packets in an IPv4 header. When the client is assigned a private IP address, and the NAT device or firewall is configured to allow only HTTP/HTTPS outbound, then the DirectAccess client falls back to IP-HTTPS. IP-HTTPS is considered a fallback because IP-HTTPS connections are not likely to perform as well as 6to4 or Teredo connections: SSL is added on top of the IPsec overhead, with HTTP as the transport protocol.
      • NAT64/DNS64 to allow UAG DirectAccess to work with network resources that are not IPv6-capable (they cannot use native IPv6 or act as an ISATAP host), Windows Server 2003 servers for example. NAT64/DNS64 accepts DirectAccess client connections, automatically creates an IPv6 address for the name requested by the client, and provides a protocol transformation so that the IPv6 communication from the DirectAccess client is forwarded to the IPv4-only server on the network using IPv4. The response is returned to the DirectAccess server, which translates the IPv4 response into an IPv6 message that is returned to the client. For more detailed information, read Tom's blog over at The Edge Man.
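The address derivations and the client-side selection order from the list above, as an added example (this is illustrative code, not part of the FAQ or of the UAG product). It assumes a simple "public address" check based on RFC 1918, loopback and link-local ranges, and uses documentation addresses for the samples.

```python
import ipaddress

TEREDO_UDP_PORT = 3544  # outbound UDP port Teredo needs through the NAT (from the FAQ)

# Assumed check for this example: a client holding one of these addresses has no
# public IPv4 address and therefore cannot use 6to4.
_NON_PUBLIC_V4 = [ipaddress.IPv4Network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                   "127.0.0.0/8", "169.254.0.0/16")]

def has_public_ipv4(ipv4: str) -> bool:
    addr = ipaddress.IPv4Address(ipv4)
    return not any(addr in net for net in _NON_PUBLIC_V4)

def sixto4_prefix(public_ipv4: str) -> ipaddress.IPv6Network:
    """6to4 embeds the public IPv4 address in the prefix 2002:WWXX:YYZZ::/48."""
    w, x, y, z = ipaddress.IPv4Address(public_ipv4).packed
    return ipaddress.IPv6Network(f"2002:{w:02x}{x:02x}:{y:02x}{z:02x}::/48")

def isatap_address(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """ISATAP host address: the /64 prefix advertised by the ISATAP router plus the
    interface identifier ::0:5efe:w.x.y.z (::200:5efe:w.x.y.z for a public IPv4)."""
    net = ipaddress.IPv6Network(prefix)
    iid = (0x5EFE << 32) | int(ipaddress.IPv4Address(ipv4))
    if has_public_ipv4(ipv4):
        iid |= 0x0200 << 48  # universal/local bit set for a globally unique IPv4
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def choose_transition(client_ipv4: str, udp_3544_outbound: bool,
                      https_outbound: bool = True):
    """Selection order described in the FAQ: 6to4 with a public address, Teredo
    behind a NAT that allows outbound UDP 3544, otherwise fall back to IP-HTTPS."""
    if has_public_ipv4(client_ipv4):
        return "6to4"
    if udp_3544_outbound:
        return "Teredo"
    if https_outbound:
        return "IP-HTTPS"
    return None  # no path to the DirectAccess server over the IPv4 Internet

if __name__ == "__main__":
    print(sixto4_prefix("192.0.2.4"))                      # 2002:c000:204::/48
    print(isatap_address("2001:db8::/64", "10.1.2.3"))     # 2001:db8::5efe:a01:203
    print(choose_transition("192.168.1.10", udp_3544_outbound=False))  # IP-HTTPS
```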
  • What are the main server components in a UAG DirectAccess deployment?
    • There are three main components:
      • The DirectAccess server is a Forefront UAG server running Windows Server 2008 R2 Standard edition or Windows Server 2008 R2 Enterprise edition that is joined to a domain. It accepts connections from DirectAccess clients and facilitates communication with internal network resources.
      • The network location server is an intranet Web server that allows a DirectAccess client to determine whether it is located on the Internet or the intranet. To function as a network location server, a computer must be able to host and service requests for a Hypertext Transfer Protocol Secure (HTTPS)-based uniform resource locator (URL).
      • Certificate revocation list (CRL) distribution points. DirectAccess clients use certificate revocation checking to validate the certificate for the HTTPS connection to the network location server and the DirectAccess server certificate for IP-HTTPS-based connections to the DirectAccess server over the Internet.
  • What are DirectAccess client requirements?
    • Clients must be running Windows 7 Enterprise, Windows 7 Ultimate, or Windows Server 2008 R2.
    • Clients must be joined to an Active Directory domain.
  • What are the DirectAccess server requirements?
    • DirectAccess servers must run Windows Server 2008 R2, and be joined to an AD DS domain.
  • What do I need to do to deploy DirectAccess transition technologies?
    • ISATAP: The DirectAccess UAG server automatically configures itself as an ISATAP router. In order to use ISATAP you need DNS servers to answer queries for ISATAP. Specify ISATAP Host (A) records on your DNS servers, and make sure IPv6 is enabled on network hosts (it is on by default). Then ISATAP ensures that all IPv6 hosts on the network have IPv6 addresses, and (since ISATAP tunnels IPv6 packets within an IPv4 header), routing within your IPv4 infrastructure does not require any changes on IPv4 routers.
    • 6to4: 6to4 will work automatically after running the UAG DirectAccess wizard and applying the resultant group policy on DirectAccess clients, and on the DirectAccess server.
    • Teredo: Teredo will work automatically after running the UAG DirectAccess wizard and applying the resultant group policy on DirectAccess clients, and on the DirectAccess server.
    • IP-HTTPS: IP-HTTPS will work automatically after running the UAG DirectAccess wizard and applying the resultant group policy on DirectAccess clients, and on the DirectAccess server.
    • NAT64/DNS64: Works automatically after running the UAG DirectAccess wizard.
  • What client-side installation is required?
    • DirectAccess does not require any client-side installation. DirectAccess clients use Active Directory domain membership and Group Policy settings for their configuration. Once the Group Policy settings are applied while connected to the local area network (LAN) or through a VPN connection, there is no user interface on the DirectAccess client. When DirectAccess is operating effectively, it is transparent to the end user.
  • What are the Active Directory requirements?
    • The Forefront UAG DirectAccess server must be a domain member and cannot be a domain controller.
    • A domain controller cannot be reachable from the Internet interface of the UAG DirectAccess server (the Internet interface must not be in the domain profile of Windows Firewall). If you have a domain controller on a perimeter network that is therefore reachable from the Internet-facing adapter, you can prevent the UAG DirectAccess server from reaching it by adding packet filters on the domain controller that block connectivity to the IP address of the Internet-facing adapter. For more information, see Designing Active Directory for UAG DirectAccess.
    • You can use Windows Server 2008 or Windows Server 2003 domains and domain controllers.
    • Clients must be domain members.
    • The UAG DirectAccess server must be a member of the domain the DirectAccess clients belong to, or there must be a two-way trust between the domains/forests.
  • What are the DNS server requirements?
    • UAG DirectAccess includes DNS64, which performs all necessary DNS traffic conversions to support name resolution and dynamic updates. DirectAccess clients use DNS64 to resolve all intranet names. There are no special requirements for the DNS servers; they can run Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2. For more information about designing DNS for UAG DirectAccess, see Designing a DNS infrastructure for UAG DirectAccess.
  • What are the PKI requirements?
    • UAG DirectAccess needs a public key infrastructure (PKI) to issue certificates to DirectAccess clients, the DirectAccess server, and the network location server. For more information, see Designing a PKI for UAG DirectAccess.
  • Do application servers require Windows Server 2008 R2?
    • No. Application servers can be running any operating system. However, if a Windows-based server is not Windows Server 2008 or later, DirectAccess cannot be configured for end-to-end IPsec protection. Windows Server 2003 does not support IPsec over IPv6. Additionally, if the server is running Windows Server 2003 or earlier, an IPv6/IPv4 translator such as a NAT64 is required. Servers running operating systems other than Windows are supported, but if the TCP/IP stack and applications on that server do not fully support IPv6, your DirectAccess deployment might require a NAT64.
  • Is IPsec required?
    • Yes. IPsec is required to authenticate and encrypt the connection between the DirectAccess client and the UAG DirectAccess server across the Internet. This is accomplished by establishing tunnel mode connections to the DirectAccess server, which terminates IPsec-protected connections at the edge of your intranet and forwards the tunneled traffic within your intranet. However, IPsec is not required within your intranet for DirectAccess. End-to-end IPsec protection between the DirectAccess client and the intranet server is optional. For more information, see Choosing an access model.
  • Can I scale UAG DirectAccess?

CONFIGURING AND MAINTAINING

  • Is there a built-in limit to the number of DirectAccess client connections?
    • No. There is no built-in limit.
  • Can UAG be deployed as a DirectAccess server and for trunk publishing?
    • Yes. You can deploy UAG trunk and DirectAccess features together. There is a limitation that Network Connector cannot be published when Forefront UAG is configured as a DirectAccess server. But you *CAN* use UAG as an SSTP VPN server when it is configured as a DirectAccess server (http://technet.microsoft.com/en-us/library/ee522953.aspx).
    • Can

TROUBLESHOOTING

DirectAccess clients on the intranet cannot access a network location server

  • Issue: DirectAccess clients cannot connect to the network location server
  • Possible cause: When connecting, DirectAccess clients attempt to access a network location server that is available only on the intranet. This allows DirectAccess to determine the location of the client. If a client cannot access the network location server, it might not be able to resolve DNS names.
  • Solution: Check the following:
    • Verify that clients are able to validate the SSL certificate used by the network location server.
    • Check that the NRPT has an exemption rule for the FQDN of the network location URL. This should occur by default. This ensures that the FQDN of the network location server is reachable by UAG DirectAccess clients.
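An added example (illustrative code, not from the FAQ or the UAG product) that models two things this page describes: the NRPT deciding which names a client sends to DNS64 and which it exempts (the network location server FQDN above), and DNS64 synthesizing an AAAA answer for an IPv4-only intranet host (the DNS requirements section). The NRPT rules, the DNS zone, the DNS64 address and the /96 NAT64 prefix are all constructed values; the prefix is the well-known RFC 6052 one, not necessarily the prefix UAG uses.

```python
import ipaddress

# Constructed client-side NRPT: intranet suffix -> UAG DNS64 address, plus NLS exemption.
NRPT_RULES = {".corp.example.com": "2001:db8:da::1"}
NRPT_EXEMPTIONS = {"nls.corp.example.com"}

# Constructed intranet zone: an IPv4-only host (e.g. Windows Server 2003) and a
# dual-stack host.
INTRANET_DNS = {
    "app2003.corp.example.com": {"A": ["10.0.0.20"]},
    "fs.corp.example.com": {"A": ["10.0.0.30"], "AAAA": ["2001:db8:1::30"]},
}

# Assumed /96 NAT64 prefix used for synthesized AAAA records.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

def nrpt_lookup(fqdn: str):
    """Return ("exempt", None), ("dns64", server) or ("default", None).
    An exemption wins; otherwise the longest matching suffix rule applies."""
    name = fqdn.lower().rstrip(".")
    if name in NRPT_EXEMPTIONS:
        return ("exempt", None)
    best = None
    for suffix, server in NRPT_RULES.items():
        if name == suffix.lstrip(".") or name.endswith(suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, server)
    return ("dns64", best[1]) if best else ("default", None)

def dns64_synthesize(ipv4: str) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in the NAT64 prefix, as DNS64 does for an A-only name."""
    return ipaddress.IPv6Address(int(NAT64_PREFIX.network_address)
                                 | int(ipaddress.IPv4Address(ipv4)))

def nat64_extract(ipv6: str):
    """NAT64 side: recover the IPv4 destination from a synthesized address, else None."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in NAT64_PREFIX:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)

def resolve_aaaa(fqdn: str):
    """AAAA answer a DirectAccess client gets for a name, or None when the name is
    exempt or outside the intranet namespace (it then goes to the interface DNS)."""
    scope, _server = nrpt_lookup(fqdn)
    if scope != "dns64":
        return None
    rec = INTRANET_DNS.get(fqdn.lower().rstrip("."))
    if rec is None:
        return None
    if rec.get("AAAA"):
        return [ipaddress.IPv6Address(a) for a in rec["AAAA"]]  # real AAAA, no synthesis
    return [dns64_synthesize(a) for a in rec["A"]]
```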