Because Forefront UAG DirectAccess relies on IPsec, AuthIP, and Windows Firewall connection security rules, it is recommended that you do not disable the Windows Firewall service when using a third-party host firewall. When Windows Firewall is enabled, DirectAccess clients can use the built-in IPsec functionality and Windows Firewall connection security rules to protect DirectAccess connections and traffic.
Your third-party firewall should be certified by the Microsoft Driver Logo Program for seamless Forefront UAG DirectAccess functionality. For a list of logo requirements and certified third-party host firewalls, see Windows Quality Online Services (http://go.microsoft.com/fwlink/?LinkId=169342).
Check with your host firewall vendor to see if it supports one of the following options for seamless Forefront UAG DirectAccess functionality:
- Uses Windows Firewall functionality; for example, Microsoft Forefront Client Security.
- Uses Windows Firewall categories and does not replace Windows Firewall connection security (IPsec).
Windows Firewall categories allow third-party host firewalls in Windows 7 to selectively replace specific elements of Windows Firewall functionality while retaining others. Categories make it possible for third-party host firewalls to operate side-by-side with Windows Firewall.
To determine if Windows Firewall is providing connection security when a third-party host firewall is installed, type netsh advfirewall monitor show firewall at a Command Prompt. In Global Settings, in the Categories section, Windows Firewall should be listed for the ConSecRuleRuleCategory category.
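As an added example that is not part of the original article, the following PowerShell automates this check: it parses the Categories section of the netsh output and reports which product owns the connection security (IPsec) category. The function name and the abbreviated sample output (including its values) are constructed for illustration.

```powershell
# Added example, not from the original article. Parses the Categories section of
# "netsh advfirewall monitor show firewall" and returns the product that owns a
# given category. Function and variable names are my own.
function Get-FirewallCategoryOwner {
    param(
        [Parameter(Mandatory)] [string[]] $NetshOutput,
        [string] $Category = 'ConSecRuleRuleCategory'
    )
    $inCategories = $false
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*Categories:') { $inCategories = $true; continue }
        if (-not $inCategories) { continue }
        # Category rows look like: "<CategoryName>   <Owning product>"
        if ($line -match '^\s*(\S+Category)\s+(.+?)\s*$') {
            if ($Matches[1] -eq $Category) { return $Matches[2] }
        }
        elseif ($line -match '^\s*$') {
            # Blank line ends the Categories section
            $inCategories = $false
        }
    }
    return $null
}

# Constructed sample output, abbreviated to the relevant sections.
# On a live client use:  $netshOutput = netsh advfirewall monitor show firewall
$sampleOutput = @'
Global Settings:
----------------------------------------------------------------------
IPsec:
StrongCRLCheck                        0:Disabled
IPsecThroughNAT                       Never

Categories:
BootTimeRuleCategory                  Windows Firewall
FirewallRuleCategory                  Windows Firewall
StealthRuleCategory                   Windows Firewall
ConSecRuleRuleCategory                Windows Firewall
'@ -split "`r?`n"

$owner = Get-FirewallCategoryOwner -NetshOutput $sampleOutput
if ($owner -eq 'Windows Firewall') {
    "OK: Windows Firewall provides connection security (IPsec); DirectAccess can use it."
}
elseif ($owner) {
    "WARNING: connection security is owned by '$owner'; DirectAccess IPsec may not work."
}
else {
    "WARNING: ConSecRuleRuleCategory was not found in the netsh output."
}
```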
Third-party host firewalls should also support edge traversal to allow intranet servers and computers to initiate connections to DirectAccess clients for remote management. Check the documentation for your third-party host firewall to determine if edge traversal is supported and how to enable it. If supported, the documentation for your third-party firewall will typically refer to this setting as NAT traversal, enabling Teredo, or IPv6 transition technologies.
For more information about Windows Firewall categories, see INetFwProduct Interface (http://go.microsoft.com/fwlink/?LinkId=169343).
For more information about third-party firewall requirements for Teredo, see Teredo co-existence with third-party firewalls (http://go.microsoft.com/fwlink/?LinkId=169344).