This topic provides information about planning management servers and authentication domains in your Forefront Unified Access Gateway (UAG) DirectAccess deployment.
DirectAccess clients initiate communications with management servers that provide services such as Windows update, NAP, and antivirus updates. DirectAccess clients also contact domain controllers to get Kerberos authentication before accessing the internal network. During remote management of DirectAccess clients, management servers communicate with client computers to perform management functions such as software or hardware inventory assessments. Forefront UAG DirectAccess can automatically discover some management servers, including:
- Domain controllers—Auto-discovery of domain controllers is
performed on the Client domains and authentication domains
specified in the Forefront UAG DirectAccess Configuration
- System Center Configuration Manager (SCCM) servers
- Health Registration Authority (HRA) servers
In addition to management servers, you add authentication domains during DirectAccess deployment. Authentication domains contain domain controllers that are required to authenticate user accounts over the infrastructure tunnel.
- Management servers must be accessible over the first
(infrastructure) tunnel. When you configure dashort, adding servers
to the management servers list automatically makes them accessible
over this tunnel.
- If a management computer is running Windows Vista or
Windows Server 2008, and IPsec transport mode is required
between the managing computer and the DirectAccess client, both
computers must have the same quick mode lifetimes.
- Management servers that initiate connections to DirectAccess
clients must fully support IPv6. The NAT64 implementation on the
Forefront UAG DirectAccess does not support translation of outbound
connections initiated from the intranet.
- Prepare a list of management servers required in your
- Domains specified as containing DirectAccess client computers
are added automatically. Additional authentication domains must be
added for the following:
- Domains containing user accounts that are not members of a
Client domain. This enables a user from another domain using a
client computer enabled for Forefront UAG DirectAccess, to be
authenticated with a domain controller in the user’s domain.
- Domains containing management servers that require Kerberos
authentication with the DirectAccess client, that are not included
in the Client domains specified.
- The domain of the server, if it was not included as one of the
- Domains containing user accounts that are not members of a Client domain. This enables a user from another domain using a client computer enabled for Forefront UAG DirectAccess, to be authenticated with a domain controller in the user’s domain.
- Because DirectAccess clients can be located behind network
address translation (NAT) devices, and use Teredo for the IPv6
connectivity across the Internet, any inbound rules for Windows
Firewall with Advanced Security that permit unsolicited incoming
traffic from management computers, must be modified to enable edge
traversal and authenticated bypass, and must have an inbound ICMPv6
Echo Request rule with edge traversal enabled. For more
information, see the section Configuring firewalls for management
servers in Planning for a single or
multiple Forefront UAG DirectAccess servers.