This topic provides information about planning Group Policy objects (GPOs) in your Forefront Unified Access Gateway (UAG) DirectAccess deployment.

Overview

DirectAccess settings configured when you run the DirectAccess Configuration Wizard in the Forefront UAG Management console are collected into group policy objects (GPO). Three different GPOs are populated with DirectAccess settings, and distributed as follows:

  1. DirectAccess client GPO—This GPO contains client settings, including IPv6 transition technology settings, NRPT entries, and Windows Firewall with Advanced Security connection security rules. The GPO is applied to the security groups or OUs specified for the clients.

  2. DirectAccess server GPO—This GPO contains Windows Firewall with Advanced Security connection security rules.

  3. Application servers GPO—This GPO contains settings for selected application servers to which you optionally extend authentication and encryption from DirectAccess clients. If authentication and encryption are not extended then this GPO is not used.

GPOs can be configured in two ways:

  1. You can specify that the Forefront UAG DirectAccess Configuration Wizard should create the GPOs automatically. A default name is specified for each GPO. As long as the GPO does not already exist in the domain, you can modify the domain in which the GPO will be created and the GPO name.

  2. You can use GPOs that have been predefined by the Active Directory administrator.

Automatically created GPOs are applied according to the location and link target parameters, as follows:

  1. For the DirectAccess server GPO, both the location and link target parameters point to the domain containing the Forefront UAG DirectAccess server. This is true for a standalone server and for an array configuration.

  2. When the wizard creates client and application server GPOs, the location is set to the single domain in which the GPO is created, and the link target is set to the domains containing the client computers and application servers. The GPO is created once, and links to it are created in the other domains. When client and application server GPOs are filled rather than created, the link target is disabled and the location is set to all of the client and application server domains. The GPO name is looked up in each domain and, where it exists, the GPO is filled with DirectAccess settings.

Requirements

GPO requirements are as follows:

  1. To apply DirectAccess settings in GPOs, note the following permissions requirements:

    1. The administrator who runs the configuration script must have GPO create permissions for each required domain. The administrator also requires link permissions to all the selected client domain roots (in security group mode), or to all the selected OUs (in OU mode).

    2. If the Forefront UAG administrator does not have create permissions on the domain, the administrator must send the script to a user with the required permissions.

    3. It is recommended that the Forefront UAG administrator configuring DirectAccess has GPO read permissions for each required domain. If not, the Forefront UAG user interface will not be able to discover the GPOs and validations might fail.

  2. If you want to load DirectAccess configuration settings into predefined GPOs, note the following:

    1. The GPOs should exist before running the wizard.

    2. When you select to use predefined GPOs, validation occurs. If the specified client GPO name does not exist in at least one client domain, or the server GPO name does not exist in the Forefront UAG DirectAccess server domain, a message appears with instructions on how to proceed.

Limitations

The following limitations apply:

  1. When deploying end-to-end extended authentication and encryption between DirectAccess clients and internal application servers, a GPO is applied to the internal servers. These servers must reside in the same forest as the Forefront UAG DirectAccess server.

Planning steps

To plan for predefined GPOs do the following:

  1. Create the DirectAccess server GPO in the DirectAccess server domain, with the permissions detailed in Requirements. Create a link either to the OU that will contain the DirectAccess server, or to the domain root if the DirectAccess server will be defined using a security group.

  2. Create a client GPO with the same name in each domain that contains computers that will be defined as DirectAccess clients, with the permissions detailed in Requirements. Configure links as required. Do not configure cross-domain links. Forefront UAG DirectAccess fills these GPOs with the client settings.

  3. If you will deploy end-to-end extended authentication and encryption between DirectAccess clients and specified internal application servers, create an application server GPO with the same name in each domain that contains the application servers, with the permissions detailed in Requirements. Configure links as required.
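The following PowerShell script is an added example and is not part of the Forefront UAG documentation or product. It carries out the three planning steps above on a management workstation with the RSAT GroupPolicy and ActiveDirectory modules, and then repeats the pre-flight checks the wizard performs for predefined GPOs (server GPO present in the server domain, client GPO present in at least one client domain) and the same-forest limitation for application servers. All GPO names, domain names, the OU path and the administrator group are assumptions chosen for illustration; the page specifies none of them.

```powershell
# Added example (not from the Forefront UAG documentation). Assumed values below.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ServerGpoName    = 'UAG DirectAccess Server'                 # assumed name
$ClientGpoName    = 'UAG DirectAccess Clients'                # assumed name
$AppServerGpoName = 'UAG DirectAccess Application Servers'    # assumed name

$ServerDomain     = 'corp.example.com'                        # assumed: domain of the UAG server
$ServerOu         = 'OU=DirectAccess Servers,DC=corp,DC=example,DC=com'  # assumed; $null = link at domain root
$ClientDomains    = @('corp.example.com', 'emea.corp.example.com')       # assumed client domains
$AppServerDomains = @('corp.example.com')                                # assumed application server domains
$UagAdminGroup    = 'CORP\UAG Admins'                                    # assumed group that runs the wizard

function New-DaGpoIfMissing {
    param([string]$Name, [string]$Domain)
    # Look the name up in this domain; create it only if it is not already there
    $gpo = Get-GPO -Name $Name -Domain $Domain -ErrorAction SilentlyContinue
    if (-not $gpo) {
        Write-Host "Creating GPO '$Name' in $Domain"
        $gpo = New-GPO -Name $Name -Domain $Domain
    } else {
        Write-Host "GPO '$Name' already exists in $Domain"
    }
    # Read permission lets the UAG administrator's console discover the GPO during validation
    Set-GPPermission -Name $Name -Domain $Domain -TargetName $UagAdminGroup `
        -TargetType Group -PermissionLevel GpoRead | Out-Null
    return $gpo
}

function Add-DaGpoLink {
    param([string]$Name, [string]$Domain, [string]$Target)
    # The link target is always in the same domain as the GPO: no cross-domain links
    $linked = (Get-GPInheritance -Target $Target -Domain $Domain).GpoLinks |
        Where-Object { $_.DisplayName -eq $Name }
    if (-not $linked) {
        New-GPLink -Name $Name -Domain $Domain -Target $Target -LinkEnabled Yes | Out-Null
        Write-Host "Linked '$Name' to $Target"
    }
}

# Step 1: server GPO, created and linked only in the UAG server's own domain
New-DaGpoIfMissing -Name $ServerGpoName -Domain $ServerDomain | Out-Null
$serverTarget = if ($ServerOu) { $ServerOu } else { (Get-ADDomain -Identity $ServerDomain).DistinguishedName }
Add-DaGpoLink -Name $ServerGpoName -Domain $ServerDomain -Target $serverTarget

# Step 2: client GPO with the same name in every client domain, linked at that domain's root
foreach ($d in $ClientDomains) {
    New-DaGpoIfMissing -Name $ClientGpoName -Domain $d | Out-Null
    Add-DaGpoLink -Name $ClientGpoName -Domain $d -Target (Get-ADDomain -Identity $d).DistinguishedName
}

# Step 3: application server GPO, only needed when end-to-end authentication/encryption is extended
$forestDomains = (Get-ADForest).Domains
foreach ($d in $AppServerDomains) {
    if ($forestDomains -notcontains $d) {
        Write-Warning "Application server domain $d is outside the UAG server's forest; the GPO cannot be applied there"
        continue
    }
    New-DaGpoIfMissing -Name $AppServerGpoName -Domain $d | Out-Null
    Add-DaGpoLink -Name $AppServerGpoName -Domain $d -Target (Get-ADDomain -Identity $d).DistinguishedName
}

# Pre-flight check matching the wizard's validation of predefined GPOs
$serverOk = [bool](Get-GPO -Name $ServerGpoName -Domain $ServerDomain -ErrorAction SilentlyContinue)
$clientOk = @($ClientDomains | Where-Object {
    Get-GPO -Name $ClientGpoName -Domain $_ -ErrorAction SilentlyContinue }).Count -gt 0
if (-not $serverOk) { Write-Warning "Server GPO '$ServerGpoName' not found in $ServerDomain" }
if (-not $clientOk) { Write-Warning "Client GPO '$ClientGpoName' not found in any client domain" }
if ($serverOk -and $clientOk) { Write-Host 'Predefined GPOs are in place; the wizard validation should pass' }
```

Run the script as an account that holds GPO create permissions in each listed domain and link permissions on the chosen targets, as described under Requirements; if the account lacks create permissions, the script is the artifact to hand to the administrator who has them. The application server loop is the only place the same-forest limitation is checked, because the client GPO may legitimately live in any domain that contains DirectAccess clients.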