If Forefront Unified Access Gateway (UAG) is not already installed, use the following procedure to install Forefront UAG as a DirectAccess server. Before you begin, review the prerequisites for deploying Forefront UAG, described in Forefront UAG DirectAccess prerequisites.

To install Forefront UAG DirectAccess

  1. Install Windows Server 2008 R2 Standard or Windows Server 2008 R2 Enterprise edition, on a server computer with two physical network adapters.

  2. Join the server to an Active Directory domain.

  3. Install a computer certificate on the server that will be used for IPsec authentication, and a Web certificate that will be used by the IP-HTTPS Web listener. For more information, see Configuring authentication options.

  4. Configure the Forefront UAG DirectAccess server to be inside the perimeter network, with one network adapter connected to the Internet and at least one other network adapter connected to the intranet.

  5. Verify that the ports and protocols (listed in Forefront UAG DirectAccess prerequisites) are open on the perimeter and Internet-facing firewalls.

  6. The DirectAccess server requires at least two consecutive, public static IPv4 addresses that are assigned to an FQDN which is externally resolvable. (Note that addresses in the ranges,, and must not be used to simulate the internet, even in a lab environment).

  7. Create a security group in Active Directory, and add the client computer accounts for the DirectAccess clients. For more information, see Create a New Group (http://go.microsoft.com/fwlink/?LinkID=154396).

  8. Install a network location server with high availability, and install the IIS role on the server. You can use any internal HTTPS server, but it must have high availability and should not be accessible from the Internet.

    You must not configure your Forefront UAG DirectAccess server as the network location server.
  9. Install Forefront UAG. For instructions, see Running an attended installation.

  10. Using the Forefront UAG Getting Started Wizard, designate one of the server network adapters as the Internet-facing interface, and the other as the internal network-facing interface. The Internet-facing interface requires two consecutive, public IPv4 addresses. Both IPv4 addresses must be assigned to the same interface.

Next Steps

After completing the installation, the next step is to configure clients to receive the Forefront UAG DirectAccess client configuration settings, as described in Configuring clients for Forefront UAG DirectAccess.

For a list of all the configuration steps you need to do after installing Forefront UAG DirectAccess, see Implementing a Forefront UAG DirectAccess deployment.