Documenting your Forefront UAG DirectAccess design helps you explain your infrastructure and policy decisions, and record the results of each deployment phase of your project. This topic helps you create a document that describes your goals and proposed timeline. At the end of each phase of your Forefront UAG DirectAccess deployment, document your design using the following sections:


Provide a brief description of how Forefront UAG DirectAccess works, or use the following description:

Forefront UAG DirectAccess gives users the experience of being seamlessly connected to their corporate network (intranet) any time they have Internet access. Forefront UAG DirectAccess enables users to access intranet resources (such as e-mail servers, shared folders, or intranet Web sites) securely without connecting to a virtual private network (VPN). Forefront UAG DirectAccess provides increased productivity for the mobile workforce by offering the same connectivity experience both in and out of the office. Forefront UAG DirectAccess is supported on Windows 7 Ultimate, Windows 7 Enterprise or later, and Windows Server 2008 R2 or later.


List your reasons for deploying Forefront UAG DirectAccess and state how your design plan will achieve these goals. Also, provide the following:

  • Benefits—Describe the pre-deployment state of the network and the benefits you expect to see as a result of the Forefront UAG DirectAccess deployment.

  • Requirements—List what is required to achieve your goals. Examples include operating system updates, equipment purchases, training, cross-team collaboration, and project schedules.

  • Progress—Describe your current progress.

For more information, see Identifying your Forefront UAG DirectAccess deployment goals.

Infrastructure design plan

List the names and locations of servers and other devices that you will use in your Forefront UAG DirectAccess deployment. Include current and future plans. Provide the following details:

  • IPv6 connectivity—Describe how you deployed IPv6 connectivity across your intranet. Include details on routers, default routing design, and IPv6 Internet connectivity.

  • Servers, devices, and roles—List all servers and devices, including their roles, in your Forefront UAG DirectAccess design. Include computers and other devices used for Forefront UAG DirectAccess certificate validation and connectivity.

  • Packet filtering—List the packet filters configured on Internet and intranet firewalls, across intranet hosts, and for DirectAccess clients.

  • Capacity management and redundancy—Describe your expectations for capacity management and redundancy in the Forefront UAG DirectAccess design.

  • Scaling plan—Describe changes that will be required to support the expansion of the Forefront UAG DirectAccess deployment to include additional capacity.

Custom configuration plan

Use this section to document how you customized the default configuration of Forefront UAG DirectAccess to implement specific requirements on your network.

  • Baseline configuration—List the steps in the Forefront UAG DirectAccess Configuration Wizard and the options selected for your initial configuration.

  • NRPT rules—List any additional Name Resolution Policy Table (NRPT) rules for intranet namespaces or exemptions that you needed for your deployment.

  • Connection security rules—List, in the form of Network Shell (Netsh) commands, any changes made to the default connection security rules. For each change, include the Group Policy object, the rule name, and the change made.

Integration strategy

Describe your design for integrating Forefront UAG DirectAccess with the following technologies and solutions:

  • VPN—Describe the changes made to your VPN configuration to accommodate Forefront UAG DirectAccess detection of the intranet when connected, and any changes made for third-party VPN clients.

  • Network Access Protection (NAP)—Describe the changes to Forefront UAG DirectAccess settings and connection security rules for NAP health evaluation and enforcement of DirectAccess connections.

  • Server and domain isolation—Describe changes made to your existing server and domain isolation deployment to accommodate DirectAccess client connectivity to intranet resources.

Staging strategy

Describe how you staged the deployment of Forefront UAG DirectAccess in your organization. Include the following information:

  • Staging milestones—List the set of infrastructure and deployment milestones and their requirements.

  • Timeline—Provide details of your proposed timeline to deploy Forefront UAG DirectAccess on your intranet. Include your initial timeline and any deviation from that timeline.

  • Staging results—Provide the results for each stage of your Forefront UAG DirectAccess deployment.

  • Trends—Describe any trends in connectivity issues encountered.