On completion of the Forefront Unified Access Gateway (UAG) DirectAccess Configuration Wizard, you can apply the configuration settings immediately or export them to an export script. In the event that the exported configuration script fails to link to the domain names, you can link to the Forefront UAG DirectAccess Group Policy objects (GPOs).
This topic describes:
- Applying the configuration settings—How to apply the Forefront UAG DirectAccess configuration settings that you configured using the Forefront UAG DirectAccess Configuration Wizard.
- Exporting the configuration settings—How to export the configuration to an export script.
- Linking to the Group Policy objects (GPOs)—How to link to the Forefront UAG DirectAccess Group Policy objects in the event that the exported configuration script fails to link to the domain names.
Applying the configuration settings
To apply the configuration settings
- After you have completed the Forefront UAG DirectAccess Configuration Wizard, from the main Forefront UAG DirectAccess Configuration screen, click Generate Policies. The Forefront UAG DirectAccess Configuration Review appears.
- Select one of the following options:
  - Apply Now—Places the configuration settings into the Group Policy objects (GPOs). To apply the GPO on the Forefront UAG DirectAccess server, from the Windows command prompt run the command: gpupdate /force.
    Note: This can only be performed by a domain administrator. If clients from other domains are included in the client computer security groups, the domain administrator must also have link permissions to the additional domains.
  - Print Review—Creates a reader-friendly summary of the proposed configuration settings.
- In the Forefront UAG Management console, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate to activate the configuration.
Exporting the configuration settings
To export the configuration settings
- After you have completed the Forefront UAG DirectAccess Configuration Wizard, from the main Forefront UAG DirectAccess Configuration screen, click Generate Policies. The Forefront UAG DirectAccess Configuration Review appears.
- To export the configuration settings, click Export Script. This exports the configuration settings to a script that can be saved, forwarded, and then applied by a domain administrator. To run a script, the domain administrator must ensure that the computer can run unsigned scripts, as follows:
  - On the taskbar, click Start, click All Programs, click Accessories, click Windows PowerShell, right-click Windows PowerShell, and then click Run as administrator.
  - From the PowerShell command prompt, type set-executionpolicy unrestricted and press ENTER twice.
  - From the PowerShell command prompt, run the script containing the Forefront UAG DirectAccess Configuration. Note that providing customized values for script parameters is not supported for this release.
  - When the script has finished running, from the Windows command prompt run the command: gpupdate /force.
    Note: Before activating the configuration in the Forefront UAG Management console, confirm that the IPsec configuration of the Forefront UAG DirectAccess server is in effect, as follows:
    - On the taskbar, click Start, point to Administrative Tools, and then click Windows Firewall with Advanced Security.
    - On the console, click Connection Security Rules.
    - Forefront UAG DirectAccess rules should appear in the list of Connection Security Rules and should show Yes in the Enabled column.
  - If you want to modify the exported file, follow the instructions in Modifying the Forefront UAG DirectAccess export script. Otherwise, in the Forefront UAG Management console, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate to activate the configuration.
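The export procedure above can also be run from one elevated PowerShell session. This sketch is an added example, not part of the exported Forefront UAG script; it relaxes the execution policy for the current process only instead of machine-wide, and then checks the connection security rules from the command line before activation. The script path and the "DirectAccess" name match are assumptions.

```powershell
# Added example; not part of the exported Forefront UAG script.
# $ScriptPath is a placeholder for wherever the exported script was saved.
$ScriptPath = 'C:\Temp\UAG-DirectAccess-Export.ps1'   # hypothetical path

# Relax the policy for this PowerShell process only; the machine-wide
# setting is untouched and the change ends when the window is closed.
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -Force
Get-ExecutionPolicy -List          # shows the policy set at each scope

# Run the exported configuration without custom parameters, then refresh policy.
& $ScriptPath
gpupdate /force

# Turn "netsh advfirewall consec show rule" output into name/enabled pairs.
function Get-ConsecRuleState {
    param([string[]]$Lines)
    $name = $null
    foreach ($line in $Lines) {
        if ($line -match '^Rule Name:\s+(.+)$') { $name = $Matches[1].Trim() }
        elseif ($name -and $line -match '^Enabled:\s+(\S+)') {
            New-Object PSObject -Property @{ Name = $name; Enabled = ($Matches[1] -eq 'Yes') }
            $name = $null
        }
    }
}

$rules = Get-ConsecRuleState (netsh advfirewall consec show rule name=all)
# Assumption: the Forefront UAG rules carry "DirectAccess" in their names.
$uag      = @($rules | Where-Object { $_.Name -match 'DirectAccess' })
$disabled = @($uag   | Where-Object { -not $_.Enabled })

if ($uag.Count -eq 0) {
    Write-Warning 'No DirectAccess connection security rules found; do not activate yet.'
} elseif ($disabled.Count -gt 0) {
    Write-Warning ('Disabled rules: ' + (($disabled | ForEach-Object { $_.Name }) -join ', '))
} else {
    Write-Host ('{0} DirectAccess rules present and enabled.' -f $uag.Count)
}
```

The netsh field labels are matched as they appear on an English-language installation; an execution policy set through Group Policy takes precedence over the process-scope setting.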
Linking to the Group Policy objects (GPOs)
The export script must be run by the domain administrator of the domain in which the Forefront UAG DirectAccess server is deployed. The script creates the GPOs in that domain, and tries to link the GPOs to any additional domains to which the DirectAccess clients specified in the client security group belong.
If the domain administrator does not have link permissions to the additional domains, the script displays a message listing the domain names to which it failed to link, and continues running.
The domain administrators of the domains to which the script failed to link the GPOs should apply the exported script, or perform the following procedure:
To link to the Forefront UAG DirectAccess Group Policy objects
- Click Start, click Administrative Tools, and then click Group Policy Management.
- In the console tree, open the relevant Forest, and right-click the domain to which the script failed to link.
- Click Link an Existing GPO, and in Look in this domain, select the domain in which Forefront UAG DirectAccess is deployed. This is where the GPOs reside.
- In Group Policy objects, select all of the UAG DirectAccess GPOs, and click OK.
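A scripted equivalent of the linking procedure above, using the GroupPolicy module, that also reads the links back so the result can be confirmed. This is an added example, not Forefront UAG code; the domain names are placeholders, and matching GPOs on "UAG DirectAccess" in the display name is an assumption.

```powershell
# Added example; domain names below are placeholders, not values from this topic.
Import-Module GroupPolicy

$GpoDomain    = 'corp.example.com'                  # domain where UAG DirectAccess is deployed
$TargetDomain = 'child.corp.example.com'            # domain the script failed to link
$TargetDn     = 'DC=child,DC=corp,DC=example,DC=com'

# Assumption: the UAG GPOs can be recognised by "UAG DirectAccess" in the display name.
$uagGpos = @(Get-GPO -All -Domain $GpoDomain |
             Where-Object { $_.DisplayName -match 'UAG DirectAccess' })
if ($uagGpos.Count -eq 0) { throw "No UAG DirectAccess GPOs found in $GpoDomain." }

# GPO ids already linked at the root of the target domain.
$existing = @((Get-GPInheritance -Target $TargetDn -Domain $TargetDomain).GpoLinks |
              ForEach-Object { $_.GpoId })

foreach ($gpo in $uagGpos) {
    if ($existing -contains $gpo.Id) {
        Write-Host "Already linked: $($gpo.DisplayName)"
    } else {
        # -Domain names the domain that holds the GPO; -Target is where the link is created.
        New-GPLink -Guid $gpo.Id -Domain $GpoDomain -Target $TargetDn -LinkEnabled Yes | Out-Null
        Write-Host "Linked: $($gpo.DisplayName)"
    }
}

# Read the links back and list any UAG GPO that is still missing or disabled.
$after = @((Get-GPInheritance -Target $TargetDn -Domain $TargetDomain).GpoLinks |
           Where-Object { $_.Enabled } | ForEach-Object { $_.GpoId })
$missing = @($uagGpos | Where-Object { $after -notcontains $_.Id })
if ($missing.Count -gt 0) {
    Write-Warning ('Not linked: ' + (($missing | ForEach-Object { $_.DisplayName }) -join ', '))
} else {
    Write-Host "All $($uagGpos.Count) UAG DirectAccess GPOs are linked and enabled at $TargetDn."
}
```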