This topic provides information about planning management servers and authentication domains in your Forefront Unified Access Gateway (UAG) DirectAccess deployment.


DirectAccess clients initiate communications with management servers that provide services such as Windows update, NAP, and antivirus updates. DirectAccess clients also contact domain controllers to get Kerberos authentication before accessing the internal network. During remote management of DirectAccess clients, management servers communicate with client computers to perform management functions such as software or hardware inventory assessments. Forefront UAG DirectAccess can automatically discover some management servers, including:

  1. Domain controllers—Auto-discovery of domain controllers is performed on the Client domains and authentication domains specified in the Forefront UAG DirectAccess Configuration Wizard.

  2. System Center Configuration Manager (SCCM) servers

  3. Health Registration Authority (HRA) servers

In addition to management servers, you add authentication domains during DirectAccess deployment. Authentication domains contain domain controllers that are required to authenticate user accounts over the infrastructure tunnel.


  1. Management servers must be accessible over the first (infrastructure) tunnel. When you configure dashort, adding servers to the management servers list automatically makes them accessible over this tunnel.

  2. If a management computer is running Windows Vista or Windows Server 2008, and IPsec transport mode is required between the managing computer and the DirectAccess client, both computers must have the same quick mode lifetimes.

  3. Management servers that initiate connections to DirectAccess clients must fully support IPv6. The NAT64 implementation on the Forefront UAG DirectAccess does not support translation of outbound connections initiated from the intranet.

Planning steps

  1. Prepare a list of management servers required in your DirectAccess deployment.

  2. Domains specified as containing DirectAccess client computers are added automatically. Additional authentication domains must be added for the following:

    1. Domains containing user accounts that are not members of a Client domain. This enables a user from another domain using a client computer enabled for Forefront UAG DirectAccess, to be authenticated with a domain controller in the user’s domain.

    2. Domains containing management servers that require Kerberos authentication with the DirectAccess client, that are not included in the Client domains specified.

    3. The domain of the server, if it was not included as one of the client domains

  3. Because DirectAccess clients can be located behind network address translation (NAT) devices, and use Teredo for the IPv6 connectivity across the Internet, any inbound rules for Windows Firewall with Advanced Security that permit unsolicited incoming traffic from management computers, must be modified to enable edge traversal and authenticated bypass, and must have an inbound ICMPv6 Echo Request rule with edge traversal enabled. For more information, see the section Configuring firewalls for management servers in Planning for a single or multiple Forefront UAG DirectAccess servers.