This topic describes the Active Directory requirements when designing a Forefront UAG DirectAccess deployment.
DirectAccess clients and Forefront UAG DirectAccess servers must be members of an Active Directory Domain Services (AD DS) domain. Forefront UAG DirectAccess also uses Active Directory security groups and Group Policy objects (GPOs) to identify sets of computers, and the sets of settings that are applied to them.
The Forefront UAG DirectAccess Configuration Wizard uses security groups to identify the computer accounts of DirectAccess clients (required), and the computer accounts of application servers for end-to-end server access (optional).
Note: The Forefront UAG DirectAccess Configuration Wizard creates the following Group Policy objects (GPOs):
- A GPO for DirectAccess clients: contains settings for IPv6 transition technologies, NRPT entries, and Windows Firewall with Advanced Security connection security rules (required).
- A GPO for the Forefront UAG DirectAccess server: contains IPsec settings and Windows Firewall with Advanced Security connection security rules (required).
- A GPO for selected application servers: contains settings for Windows Firewall with Advanced Security connection security rules (optional).
Warning: When you remove a computer from a DirectAccess client or specified server security group, the next update of Group Policy removes the DirectAccess settings from the computer.
If you deploy multiple Forefront UAG DirectAccess deployments in the same domain, you must change the following Group Policy object names so that they are unique in each deployment (in multiple domains this is optional):
- UAG DirectAccess: AppServer{f7b77f47-7c33-4d8c-bb9a-a913c5675d8d}
- UAG DirectAccess: DaServer{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300}
- UAG DirectAccess: Client{3491980e-ef3c-4ed3-b176-a4420a810f12}
You can do this by modifying the UAGDA_POLICY parameters in the export script that you should create after running the Forefront UAG Configuration Wizard. See Modifying the Forefront UAG DirectAccess export script.
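The following PowerShell is an added example and is not part of the Forefront UAG documentation or product. It prepares the two security groups the Configuration Wizard asks for (the client group is required, the application server group is optional), adds computer accounts to them, and after the wizard has run checks that the three GPOs listed above exist. The group names DA-Clients and DA-AppServers and the computer names are assumptions; the GPO display names are the defaults given in the text. It needs the ActiveDirectory and GroupPolicy modules (RSAT) and a domain administrator session.

```powershell
# Added example, not from the Forefront UAG documentation.
# Group names and computer names below are assumptions for the example.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$clientGroup    = 'DA-Clients'      # assumed name; required by the wizard
$appServerGroup = 'DA-AppServers'   # assumed name; optional (end-to-end access)
$clients        = 'CLIENT01', 'CLIENT02'   # assumed computer names
$appServers     = 'APP01'                  # assumed computer name

# Universal scope so that computer accounts from other domains in the forest
# can be members (a global group only accepts members from its own domain).
foreach ($g in $clientGroup, $appServerGroup) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Universal -GroupCategory Security `
            -Description 'Forefront UAG DirectAccess'
    }
}

# The groups hold computer accounts, so resolve the computer objects rather
# than adding by bare name (the sAMAccountName of a computer ends in '$').
Add-ADGroupMember -Identity $clientGroup    -Members ($clients    | ForEach-Object { Get-ADComputer $_ })
Add-ADGroupMember -Identity $appServerGroup -Members ($appServers | ForEach-Object { Get-ADComputer $_ })

# After the Configuration Wizard has applied (or the export script has run),
# the GPOs with these default names should exist in the domain.
$gpoNames = @(
    'UAG DirectAccess: Client{3491980e-ef3c-4ed3-b176-a4420a810f12}',
    'UAG DirectAccess: DaServer{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300}',
    'UAG DirectAccess: AppServer{f7b77f47-7c33-4d8c-bb9a-a913c5675d8d}'
)
$allGpos = Get-GPO -All
foreach ($name in $gpoNames) {
    $gpo = $allGpos | Where-Object { $_.DisplayName -eq $name }
    if ($gpo) { "found   {0}  (id {1})" -f $name, $gpo.Id }
    else      { "missing {0}" -f $name }
}
```

A computer's group membership is evaluated when its Kerberos ticket is issued, so a client added to the group picks up the GPO only after a restart (or after its ticket is renewed) and a subsequent Group Policy refresh; the warning above describes the reverse case, where removal from the group strips the settings at the next refresh.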
Active Directory and the Forefront UAG DirectAccess server
The Forefront UAG DirectAccess server must be a domain member and cannot be a domain controller. Additionally, no Active Directory domain controller can be reachable from the Internet interface of the Forefront UAG DirectAccess server (the Internet interface cannot be in the domain profile of Windows Firewall). If the server is a domain controller, or a domain controller is reachable from its Internet interface, the Forefront UAG DirectAccess Configuration Wizard cannot run.
If you must have an Active Directory domain controller on the perimeter network, and therefore reachable from the Internet-facing interface of the Forefront UAG DirectAccess server, you can prevent the Forefront UAG DirectAccess server from reaching it by adding packet filters on the perimeter-network domain controller that block connectivity to the IP address of the Internet-facing interface of the Forefront UAG DirectAccess server.
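The following PowerShell is an added example, not part of the Forefront UAG documentation, showing how to test the condition described above and how to apply the packet filters. The test binds a TCP socket to the Internet-facing address of the UAG server and tries the Kerberos (88) and LDAP (389) ports of a domain controller, so the probe leaves through that interface; netsh advfirewall monitor shows which firewall profile each interface is in. The IP addresses are assumptions. Add-UagInternetBlockRules is a helper defined here for the example and must be run on the perimeter domain controller, not on the UAG server.

```powershell
# Added example, not from the Forefront UAG documentation.
# Addresses are assumptions for the example.
$uagInternetIP = '131.107.0.2'   # assumed: Internet-facing address of the UAG DirectAccess server
$perimeterDC   = '10.0.2.10'     # assumed: address of the domain controller on the perimeter network

# 1. On the UAG server: list each interface under the firewall profile it is in.
#    The Internet-facing interface must not appear under the Domain profile.
netsh advfirewall monitor show currentprofile

# 2. On the UAG server: can a DC be reached when the socket is bound to the
#    Internet-facing address? Binding the local endpoint forces the probe out
#    through that interface instead of the intranet interface.
function Test-DCReachableFrom {
    param(
        [string]$LocalAddress,
        [string]$DomainController,
        [int[]]$Ports = @(88, 389),   # Kerberos and LDAP
        [int]$TimeoutMs = 2000
    )
    foreach ($port in $Ports) {
        $local  = New-Object System.Net.IPEndPoint -ArgumentList ([System.Net.IPAddress]::Parse($LocalAddress)), 0
        $client = New-Object System.Net.Sockets.TcpClient -ArgumentList $local
        $ar = $client.BeginConnect($DomainController, $port, $null, $null)
        $reachable = $false
        if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            # EndConnect throws on a refused/unreachable connection; that means "not reachable".
            try { $client.EndConnect($ar); $reachable = $client.Connected } catch { }
        }
        $client.Close()
        New-Object PSObject -Property @{
            DomainController = $DomainController; Port = $port; Reachable = $reachable
        }
    }
}

$results = Test-DCReachableFrom -LocalAddress $uagInternetIP -DomainController $perimeterDC
$results | Format-Table DomainController, Port, Reachable -AutoSize
if ($results | Where-Object { $_.Reachable }) {
    Write-Warning "A domain controller is reachable from $uagInternetIP; the Configuration Wizard will not run until it is filtered."
}

# 3. On the perimeter DC (elevated): block all traffic to and from the UAG
#    server's Internet-facing address. Helper defined for this example.
function Add-UagInternetBlockRules([string]$UagInternetAddress) {
    netsh advfirewall firewall add rule name="Block UAG DA Internet interface (in)"  dir=in  action=block remoteip=$UagInternetAddress
    netsh advfirewall firewall add rule name="Block UAG DA Internet interface (out)" dir=out action=block remoteip=$UagInternetAddress
}
# On the perimeter DC: Add-UagInternetBlockRules -UagInternetAddress $uagInternetIP
```

After adding the rules on the domain controller, rerun Test-DCReachableFrom on the UAG server; both ports should report Reachable as False before you start the Configuration Wizard. Blocking in both directions matters: the wizard's check concerns the UAG server reaching the DC, but a DC that can initiate connections to the Internet-facing address would also place that interface in the domain profile.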
Using Multiple Domains
Forefront UAG DirectAccess allows the security groups to contain clients and application servers from a single domain or from multiple domains, as follows:
- Client computers: The client GPO is created at the end of the Forefront UAG DirectAccess Configuration Wizard, when the configuration script is applied or the exported script is run. If a client is later added from a domain that was not present as a client domain when the GPO was created, that domain is not automatically linked to the GPO, and the client does not automatically receive the GPO settings. For more information on how to link new client domains to the GPO, see Configuring clients for Forefront UAG DirectAccess.
- Application servers: The application server GPO is created at the end of the Forefront UAG DirectAccess Configuration Wizard, when the configuration script is applied or the exported script is run. Application servers that were added to the security group after the GPO was generated, or application servers whose IP addresses changed, are not automatically updated in the DirectAccess client application server list. This means that any new application server added to the security group, or any application server whose IP address changed after the GPO was generated, will be inaccessible to DirectAccess clients in both clear and encrypted modes until manual changes are made. For more information on how to add application servers after the GPO has been generated, see Identifying and configuring application servers.
When using multiple domains the following should be noted:
- When configuring management servers in the Forefront UAG DirectAccess Configuration Wizard you should:
  - Include all domain controllers from all the domains that have client computers contained in the security groups specified in the Client Configuration section of the wizard.
  - Include all domain controllers from all domains that contain users who may use client computers enabled for Forefront UAG DirectAccess. This enables a user from another domain, using a client computer enabled for Forefront UAG DirectAccess in the local domain, to be authenticated by a domain controller in the user's domain.
- Where possible, common domain name suffixes should be added to the NRPT in the DNS suffixes section of the wizard. For example, if you have two domains, domain1.corp.contoso.com and domain2.corp.contoso.com, instead of adding two entries to the NRPT you can add a single entry for the common DNS suffix corp.contoso.com.
- The export script generated at the end of the Forefront UAG DirectAccess Wizard can only be applied by a domain administrator. If the client computer security groups include clients from additional domains in which the domain administrator who generated the script does not have domain administrator permissions, that administrator must be granted link permissions in the additional domains.
  - To create link permissions for additional domains in multiple domain environments, see Linking to the Group Policy objects (GPOs).
  - The export script can be modified to include additional domains. See Modifying the Forefront UAG DirectAccess export script.
- When WINS is deployed in a multiple domain environment, you must configure a WINS forward lookup zone in DNS. For more information, see Unqualified, single-label names and DNS search suffixes.
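The following PowerShell is an added example, not part of the Forefront UAG documentation, that ties together the multi-domain points above: it reads the client security group, works out which domains its computer accounts come from, lists every domain controller of those domains (the management servers to enter in the wizard), checks whether the client GPO is linked at each domain's root (reading the gPLink attribute), and computes the longest DNS suffix the client domains share for the NRPT. The group name DA-Clients is an assumption, the GPO name is the default from the text, and the check assumes the wizard links the client GPO at the domain root. Get-DomainDnsFromDN and Get-CommonDnsSuffix are helpers written for this example. Run it as a domain administrator in the domain where the wizard created the GPOs.

```powershell
# Added example, not from the Forefront UAG documentation.
# Group name is an assumption; the GPO name is the wizard's default from the text.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$clientGroup   = 'DA-Clients'   # assumed
$clientGpoName = 'UAG DirectAccess: Client{3491980e-ef3c-4ed3-b176-a4420a810f12}'

function Get-DomainDnsFromDN([string]$DN) {
    # "CN=PC1,OU=Laptops,DC=domain1,DC=corp,DC=contoso,DC=com" -> "domain1.corp.contoso.com"
    (($DN -split ',') | Where-Object { $_ -like 'DC=*' } | ForEach-Object { $_.Substring(3) }) -join '.'
}

function Get-CommonDnsSuffix([string[]]$Names) {
    # Longest DNS suffix shared by every name, e.g. domain1.corp.contoso.com and
    # domain2.corp.contoso.com -> corp.contoso.com. $null when nothing is shared.
    $labels = $Names[0] -split '\.'
    for ($i = 0; $i -lt $labels.Count; $i++) {
        $candidate = $labels[$i..($labels.Count - 1)] -join '.'
        $shared = $true
        foreach ($n in $Names) {
            if (-not ($n -eq $candidate -or $n.EndsWith(".$candidate"))) { $shared = $false }
        }
        if ($shared) { return $candidate }
    }
    return $null
}

# Read the member DNs directly: this also works for members from other domains
# in the forest (universal group). Nested groups are not expanded here.
$memberDNs     = (Get-ADGroup -Identity $clientGroup -Properties member).member
$clientDomains = @($memberDNs | ForEach-Object { Get-DomainDnsFromDN $_ } | Sort-Object -Unique)

$gpo = Get-GPO -All | Where-Object { $_.DisplayName -eq $clientGpoName }

foreach ($d in $clientDomains) {
    "== $d"
    # Management servers for the wizard: every DC of every client domain.
    Get-ADDomainController -Filter * -Server $d |
        ForEach-Object { "   DC: {0}  {1}" -f $_.HostName, $_.IPv4Address }

    # Is the client GPO linked at this domain's root? gPLink holds entries such as
    # [LDAP://cn={<gpo guid>},cn=policies,cn=system,DC=...;0]
    $rootDN = (Get-ADDomain -Server $d).DistinguishedName
    $root   = Get-ADObject -Identity $rootDN -Server $d -Properties gPLink
    $linked = ($gpo -ne $null) -and ($root.gPLink -ne $null) -and
              ($root.gPLink -match [regex]::Escape($gpo.Id.ToString()))
    "   client GPO linked at domain root: $linked"
}

$suffix = Get-CommonDnsSuffix $clientDomains
if ($suffix) { "Single NRPT suffix covering all client domains: $suffix" }
else         { "No common suffix: add one NRPT entry per client domain." }
```

A domain that shows the client GPO as not linked is exactly the case described above: computers there are in the group but will not receive the DirectAccess settings until the GPO is linked (see Configuring clients for Forefront UAG DirectAccess), which in turn requires link permissions in that domain. The script cannot enumerate the domains of users who might log on to those clients, so add the domain controllers of such domains to the management server list by hand.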