This topic describes how to configure end-to-end authentication and encryption.
By default, Forefront UAG DirectAccess allows DirectAccess clients to connect to all resources inside the intranet by using IPsec-based tunnel policies that require authentication and encryption only until the traffic reaches the Forefront UAG DirectAccess server (the end-to-edge model). By configuring end-to-end access, you extend those IPsec policies from the DirectAccess server all the way to the specified application servers. DirectAccess clients then use an IPsec transport policy that requires the authentication and traffic protection of the IPsec sessions to be terminated at the specified application servers; the Forefront UAG DirectAccess server forwards the authenticated and traffic-protected IPsec sessions to those application servers. Additionally, you can encrypt the data payload between the DirectAccess client and an application server by changing the data protection (quick mode) settings.
Note: DirectAccess clients connect to all other resources inside the intranet by using the end-to-edge access model.
To identify an application server that requires additional authentication
From the Forefront UAG DirectAccess Configuration Wizard, under Step 4, in End-to-End Access, click Edit.
To enable end-to-end authentication and encryption for specified servers:
- Select Authenticate traffic between DirectAccess clients and selected application servers.
- Click Add, select the security group(s) containing the application servers that you want to enable for end-to-end authentication and encryption, click OK, and then click Finish. Clicking Remove removes the currently selected security group from the list.
Important: Application servers that are added to the application server security group must be running Windows 2008 or Windows 7 and have a valid IPv6 address (native or ISATAP).
- If you want to change the IPsec cryptography settings, click Edit IPsec cryptography settings, select the relevant Protocol, Integrity, and Encryption, and then
Note: Forefront UAG DirectAccess supports the Suite B cryptographic algorithms that were added to IPsec in Windows Vista Service Pack 1, Windows Server 2008, and Windows 7.
Note: Application servers that are added to security groups after the GPO has been generated are not automatically updated in the DirectAccess client application server list. This means that any new application server added to the security group, or any application server that has its IP address changed after the GPO has been generated, is inaccessible to the DirectAccess client in both clear and encrypted modes. To resolve this, after adding a new application server to the specified security group, or after changing the IP address of an application server, do the following:
For instructions on configuring the next step of the Forefront UAG DirectAccess Configuration Wizard, see Applying or exporting the Forefront UAG DirectAccess configuration in SP1.
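As an added example (not part of the Forefront UAG documentation or the wizard), the following PowerShell script checks the members of the application server security group against the two requirements stated above: a supported operating system (Windows 2008 or Windows 7) and a usable native or ISATAP IPv6 address. It assumes the Active Directory module from RSAT is installed, that the placeholder group name `DA-AppServers-EndToEnd` is replaced with your own group, and that the machine running it can resolve the servers' AAAA records. The `Get-IPv6Kind` function and the operating system regular expression are this example's own, not part of the product.

```powershell
# Added example: not part of the Forefront UAG documentation. Assumes the ActiveDirectory
# module (RSAT) is installed; the group name is a placeholder to replace with your own.
param(
    [string]$GroupName = 'DA-AppServers-EndToEnd'   # placeholder: your application server security group
)

Import-Module ActiveDirectory

# Classify an IPv6 address. DirectAccess clients need a routable native or ISATAP address on the
# application server; link-local (fe80::/10) addresses are not reachable through the tunnel.
# ISATAP interface identifiers carry 5E:FE in bytes 10-11 of the address (RFC 5214).
function Get-IPv6Kind {
    param([System.Net.IPAddress]$Address)
    if ($Address.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) { return $null }
    if ($Address.IsIPv6LinkLocal) { return 'link-local' }
    $b = $Address.GetAddressBytes()
    if ($b[10] -eq 0x5E -and $b[11] -eq 0xFE) { return 'ISATAP' }
    return 'native'
}

# Resolve group membership (nested groups included) to computer objects with their OS string.
$computers = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'computer' } |
    ForEach-Object { Get-ADComputer -Identity $_.distinguishedName -Properties OperatingSystem, DNSHostName }

$report = foreach ($c in $computers) {
    # Supported platforms per the Important note: Windows 2008 or Windows 7 (regex is this example's own)
    $osOk = [bool]($c.OperatingSystem -match 'Windows (Server )?2008|Windows 7')

    # Collect the server's usable IPv6 addresses from DNS; a failed lookup yields an empty list.
    $v6 = @()
    try {
        $v6 = @([System.Net.Dns]::GetHostAddresses($c.DNSHostName) | ForEach-Object {
            $kind = Get-IPv6Kind $_
            if ($kind -and $kind -ne 'link-local') { "$($_.ToString()) ($kind)" }
        })
    } catch {
        # Name did not resolve: reported below as having no usable IPv6 address.
    }

    [pscustomobject]@{
        Server      = $c.DNSHostName
        OS          = $c.OperatingSystem
        OSSupported = $osOk
        IPv6        = ($v6 -join ', ')
        Ready       = ($osOk -and $v6.Count -gt 0)
    }
}

$report | Format-Table -AutoSize

# Keep a dated snapshot: after the wizard has generated the GPO, re-run the script and compare the
# Server and IPv6 columns to spot servers that were added to the group or re-addressed since then.
$report | Export-Csv -Path ".\da-appservers-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run the script before clicking Finish and again whenever the security group's membership or a server's address changes. A server reported with Ready set to False either fails the platform requirement or has no native or ISATAP IPv6 address in DNS, which is the condition under which DirectAccess clients cannot reach it in either clear or encrypted mode; comparing the CSV snapshots shows which servers differ from the state that existed when the GPO was generated.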