The network location server is a required component of any Forefront UAG DirectAccess design. To function as a network location server, a computer must be able to host and service requests for a Secure Hypertext Transfer Protocol (HTTPS)-based uniform resource locator (URL).
The following considerations should be taken into account when planning the location of a network location server:
- Where to Place the Network Location Server
- Configuring a highly available intranet Web server as the network location server
- Planning Redundancy for a Network Location Server
Where to Place the Network Location Server
The network location server is a critical part of a Forefront UAG DirectAccess deployment. If DirectAccess client computers on the intranet cannot successfully locate and access the secure Web page on the network location server, they might not be able to access intranet resources. Note that locating the network location server on the Forefront UAG DirectAccess server is not supported.
When DirectAccess clients obtain a physical connection to the intranet or experience a network status change on the intranet (such as an address change when roaming between subnets), they attempt an HTTPS connection to the location in a configured URL. If they can obtain an HTTPS connection to the location in the configured URL, including a revocation check of the Web server’s certificate, they determine that they are on the intranet.
To ensure that the FQDN of the network location server is reachable for a DirectAccess client with Forefront UAG DirectAccess-based rules in the NRPT, the Forefront UAG DirectAccess Configuration Wizard by default adds the FQDN of the network location server as an exemption rule to the NRPT. When the DirectAccess client attempts to resolve the FQDN of the network location server, the FQDN matches the exemption rule in the NRPT, and the DirectAccess client uses the interface-configured DNS servers, which are reachable, to resolve the name and connect to the network location server.
Because the FQDN of the network location URL is added as an exemption rule to the NRPT, the intranet Web server at that FQDN will not be accessible across the DirectAccess connection from the Internet.
To ensure that DirectAccess clients can correctly detect when they are on the Internet, DirectAccess clients on the Internet must not be able to successfully access the network location URL. You can achieve this by ensuring that the FQDN cannot be resolved using Internet DNS servers, configuring the Web server to deny connections from Internet-based clients, or ensuring that the certificate validation process fails when DirectAccess clients are on the Internet.
In the Forefront UAG DirectAccess Configuration Wizard, type the HTTPS-based URL for network location, specifying a network location server that is separate from the Forefront UAG DirectAccess server.
Configuring a highly available intranet Web server as the network location server
The recommended configuration for a network location server is a highly available and, depending on the number of DirectAccess clients, high-capacity intranet Web server. The Web server must be able to support HTTPS-based URLs with certificate-based authentication. Internet Information Services 7.0, included with Windows Server 2008 R2 and Windows Server 2008, can be used as a network location server. The content of the HTTPS-based URL is not important, only the DirectAccess client’s ability to successfully access the page at the URL.
The certificate used by the Web server to act as a network location server has the following requirements:
- In the Subject field, either an Internet Protocol (IP) address of the intranet interface of the Web server or the FQDN of the network location URL.
- In the Enhanced Key Usage field, the Server Authentication object identifier (OID).
- In the CRL Distribution Points field, a certificate revocation list (CRL) distribution point location that is accessible by DirectAccess clients that are connected to the
The FQDN in the URL or the universal naming convention (UNC) path of the CRL distribution point location should either match an exemption rule or no rules in the NRPT, so that the DirectAccess client can use interface-configured intranet DNS servers to resolve the name. If the DirectAccess client cannot resolve the FQDN in the URL or UNC path of the CRL distribution point, access the CRL distribution point, and verify that the network location server’s certificate has not been revoked, intranet detection fails.
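The two NRPT requirements above (the network location server FQDN matching the wizard's exemption rule, and the CRL distribution point FQDN matching an exemption or no rule) can be checked against a planned rule table before deployment. The following is an added example, not Microsoft's code or tooling; it models NRPT matching as the page describes it (longest matching namespace wins, a rule with no DNS servers is an exemption that falls back to interface-configured DNS), and all names and addresses in it are constructed.

```python
"""Model of how a DirectAccess client applies NRPT rules when resolving
the network location server (NLS) and CRL distribution point (CDP) names.
Simplified model for planning checks; real NRPT behaviour has more options.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class NrptRule:
    # ".corp.example.com" is a suffix rule; "nls.corp.example.com" is exact.
    namespace: str
    # Empty list -> exemption rule (client uses interface-configured DNS).
    dns_servers: List[str] = field(default_factory=list)

    def matches(self, fqdn: str) -> bool:
        name, ns = fqdn.lower().rstrip("."), self.namespace.lower()
        return name.endswith(ns) if ns.startswith(".") else name == ns


def match_rule(fqdn: str, rules: List[NrptRule]) -> Optional[NrptRule]:
    """Return the most specific (longest namespace) matching rule, or None."""
    hits = [r for r in rules if r.matches(fqdn)]
    return max(hits, key=lambda r: len(r.namespace)) if hits else None


def dns_servers_for(fqdn: str, rules: List[NrptRule]) -> Optional[List[str]]:
    """DNS servers the client queries for fqdn; None means the
    interface-configured servers (no matching rule, or an exemption rule)."""
    rule = match_rule(fqdn, rules)
    if rule is None or not rule.dns_servers:
        return None
    return rule.dns_servers


def nls_names_bypass_nrpt(nls_fqdn: str, cdp_fqdn: str,
                          rules: List[NrptRule]) -> List[str]:
    """Planning check: the NLS FQDN and the CDP FQDN must each match an
    exemption rule or no rule, so intranet detection resolves them with
    interface-configured DNS. Returns the names that violate this."""
    return [n for n in (nls_fqdn, cdp_fqdn) if dns_servers_for(n, rules) is not None]


# Constructed sample NRPT: the intranet namespace is sent to a DirectAccess
# DNS server address, plus the wizard's default exemption for the NLS FQDN.
SAMPLE_RULES = [
    NrptRule(".corp.example.com", ["2001:db8:1::1"]),
    NrptRule("nls.corp.example.com"),  # exemption rule added by the wizard
]

if __name__ == "__main__":
    print(dns_servers_for("app1.corp.example.com", SAMPLE_RULES))
    print(dns_servers_for("nls.corp.example.com", SAMPLE_RULES))
    print(nls_names_bypass_nrpt("nls.corp.example.com", "crl.corp.example.com", SAMPLE_RULES))
```

With the sample rules, the CDP name crl.corp.example.com is reported as a violation because it falls under the intranet suffix rule without an exemption, which is exactly the case in which the page says intranet detection fails.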
Planning Redundancy for a Network Location Server
For Internet Information Services (IIS)-based Web servers that are acting as network location servers, you can configure redundancy with Network Load Balancing. For more information, see Overview of the Network Load Balancing Deployment Process (http://go.microsoft.com/fwlink/?LinkId=169487).