Windows 7 or above clients - the DA client needs to have the capabilities to initiate the DA connection. The major components on the client are the new features included with Windows Firewall with Advanced Security and Connection Security policies. Win7+ meets this requirement.

Windows Server 2008 R2 - only required for the UAG DA server itself. No other machine on the network needs to be Windows Server 2008 or above. It would help if they were, since those versions are IPv6 capable, but it's definitely not required.

PKI - you need certificates for DA. Computer certificates are required on the DA clients and the UAG DA server. A Web site certificate is required on the Network Location Server (I'll talk about that next) and also on the UAG DA server. You should use a commercial certificate for the Web site certificate on the UAG DA server, which will be used by the UAG DA server's IP-HTTPS listener.

Network Location Server - This is a Web server that the DA clients connect to using HTTPS. If the DA client can connect to this server using HTTPS, then it knows it's on the corpnet and it turns off its DA components. If the DA client can't connect to this server, then it turns on its DA client components and connects to the UAG DA server over the Internet. The NLS should be highly available, but doesn't require any special configuration other than the need to accept SSL connections. Since this is an internal server, a private certificate is fine.

Active Directory - Configuration settings and authentication require AD. The UAG DA server and the DA clients need to belong to an AD domain. The UAG DA server and clients don't need to belong to the same forest, but if they don't, there needs to be a two-way trust between the DA server and DA client domains.

There you go! Not that complicated, and nothing that you don't already work with just about every day. Make sure to check out UAG DirectAccess when you get a chance.

For more information about UAG DirectAccess requirements, please see

(Originally posted at