This topic describes how to configure end-to-end authentication and encryption.

By default, Forefront UAG DirectAccess allows DirectAccess clients to connect to all resources inside the intranet by using IPsec-based tunnel policies that require authentication and encryption only until the traffic reaches the Forefront UAG DirectAccess server. By configuring end-to-end access, you can extend the end-to-edge IPsec policies all the way to specified application servers. DirectAccess clients then use an IPsec transport policy that requires the authentication and traffic protection of the IPsec sessions to be terminated at the specified application servers; the Forefront UAG DirectAccess server forwards the authenticated and traffic-protected IPsec sessions to those servers. Additionally, you can encrypt the data payload between the DirectAccess client and an application server by changing the data protection (quick mode) settings.

DirectAccess clients connect to all other resources inside the intranet by using the end-to-edge access model.

To identify an application server that requires additional authentication

  1. From the Forefront UAG DirectAccess Configuration Wizard, under Step 4, in End-to-End Access, click Edit.

  2. To enable end-to-end authentication and encryption for specified servers:

    1. Select Authenticate traffic between DirectAccess clients and selected application servers.

    2. Click Add, select the security group(s) containing the application servers that you want to enable for end-to-end authentication and encryption, click OK, and then click Finish. Clicking Remove removes the currently selected security group from the list.

      Application servers that are added to the application server security group must be running Windows 2008 or Windows 7, and must have a valid IPv6 address (native or ISATAP).

    3. If you want to change the IPsec cryptography settings, click Edit IPsec cryptography settings, select the relevant Protocol, Integrity and Encryption, and then click OK.

      Forefront UAG DirectAccess supports the Suite B cryptographic algorithms that were added to IPsec in Windows Vista Service Pack 1, in Windows Server 2008, and in Windows 7.

Application servers that are added to security groups after the GPO has been generated are not automatically updated in the DirectAccess client application server list. This means that any new application server added to the security group, or any application server whose IP address changes after the GPO has been generated, is inaccessible to the DirectAccess client in both clear and encrypted modes. To resolve this, after adding a new application server to the specified security group, or after changing the IP address of an application server, do the following:
  1. From the Forefront UAG DirectAccess Configuration Wizard, in the Application Servers box, click Edit, and then click Finish.

  2. Click Apply Policy, click Apply Now, or click Export Script and run the exported script at a later time. After this is completed, any newly added application servers or application servers with changed IP addresses will be accessible to the DirectAccess clients.
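As an added example, not part of this documentation or of Forefront UAG itself: a PowerShell check, run from a domain-joined management host with the ActiveDirectory module, that lists the computers in the application server security group (the group name 'DA-AppServers' is an assumed placeholder) and flags any member that lacks a native or ISATAP IPv6 address or runs an operating system older than Windows Server 2008 / Windows 7. Running it before you click Edit and Finish catches servers that would otherwise end up unreachable in both clear and encrypted modes.

```powershell
# Added example, not part of the Forefront UAG documentation. Assumes the
# ActiveDirectory module and DNS resolution of each member's FQDN.
Import-Module ActiveDirectory

# Classify a resolved address: 'Native' IPv6, 'ISATAP', or $null (IPv4 / link-local).
function Get-IPv6Kind {
    param([System.Net.IPAddress]$Address)
    if ($Address.AddressFamily -ne 'InterNetworkV6') { return $null }
    if ($Address.IsIPv6LinkLocal) { return $null }   # fe80::/10 is not routable intranet-wide
    $b = $Address.GetAddressBytes()
    # ISATAP interface ID is 0000:5EFE:w.x.y.z (or 0200:5EFE when the u/l bit is set)
    if (($b[8] -eq 0 -or $b[8] -eq 2) -and $b[9] -eq 0 -and $b[10] -eq 0x5e -and $b[11] -eq 0xfe) {
        return 'ISATAP'
    }
    return 'Native'
}

# Report readiness of every computer in the end-to-end application server group.
function Test-DAAppServerReadiness {
    param([string]$SecurityGroup)   # e.g. 'DA-AppServers' (placeholder group name)
    $members = Get-ADGroupMember -Identity $SecurityGroup -Recursive |
               Where-Object { $_.objectClass -eq 'computer' }
    foreach ($m in $members) {
        $c = Get-ADComputer -Identity $m.distinguishedName -Properties DNSHostName, OperatingSystemVersion
        $addresses = @()
        try { $addresses = [System.Net.Dns]::GetHostAddresses($c.DNSHostName) } catch { }
        $kinds = @($addresses | ForEach-Object { Get-IPv6Kind $_ } | Where-Object { $_ })
        # AD stores e.g. '6.1 (7601)'; 6.0 = Windows Server 2008, 6.1 = Windows 7 / 2008 R2
        $osOk = $false
        if ($c.OperatingSystemVersion -match '^(\d+)\.(\d+)') {
            $osOk = ([int]$matches[1] -ge 6)
        }
        New-Object PSObject -Property @{
            Server    = $c.DNSHostName
            OSVersion = $c.OperatingSystemVersion
            IPv6      = (@($addresses | Where-Object { $_.AddressFamily -eq 'InterNetworkV6' }) -join ',')
            IPv6Kind  = (@($kinds | Select-Object -Unique) -join ',')
            Ready     = ($osOk -and $kinds.Count -gt 0)
        }
    }
}

# Run it; any row with Ready = False will not be reachable end-to-end after the GPO is applied.
Test-DAAppServerReadiness -SecurityGroup 'DA-AppServers' |
    Format-Table Server, OSVersion, IPv6Kind, Ready -AutoSize
```

Members flagged as not ready should be fixed (IPv6 or ISATAP enabled, or removed from the group) before regenerating the GPO, because the client-side list is only rebuilt when you click Edit and Finish.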

For instructions on configuring the next step of the Forefront UAG DirectAccess Configuration Wizard, see Applying or exporting the Forefront UAG DirectAccess configuration in SP1.