This topic provides information about planning for a network location server in your Forefront Unified Access Gateway (UAG) DirectAccess deployment.
The network location server is a key component of Forefront UAG DirectAccess. It is a Web site used to detect whether DirectAccess clients are located in the corporate network. Clients in the corporate network do not use DirectAccess to reach internal resources, but instead connect directly.
A DirectAccess client, whether on the corporate network or on the Internet, attempts to connect to the network location server over HTTPS. If the HTTPS connection succeeds and a response is received from the Web site (which requires that the server certificate validates, including its revocation check), the client is presumed to be located in the internal network, and the following occurs:
- The Name Resolution Policy Table (NRPT) is disabled because DirectAccess is not required. For more information about the NRPT, see Using DNS with Forefront UAG DirectAccess.
- The client resolves name requests using the DNS servers configured on its network interface settings.
- The client computer connects to a domain controller, and the Domain Profile is applied. This profile does not contain the connection security rules required for the DirectAccess IPsec tunnels.
If there is no response from the network location server, the client is presumed to be outside the corporate network, and the following occurs:
- DirectAccess IPsec tunnels are
- The NRPT is enabled, and name resolution requests are sent over the DirectAccess tunnels.
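The outcome of the probe described above can be inspected on a DirectAccess client. The following script is an added example and is not part of the Forefront UAG documentation: it repeats the HTTPS probe, then shows what the client concluded (machine location, effective NRPT, and active firewall profile). The NLS URL is an assumption; replace it with your own site.

```powershell
# Added example, not from the Forefront UAG documentation: run on a DirectAccess
# client to see the outcome of the network location server probe.
# The NLS URL is an assumption; replace it with the URL of your own site.
$NlsUrl = 'https://nls.corp.contoso.com/'    # assumption: your NLS URL

# 1. Repeat the probe: an HTTPS request that must pass chain, name and
#    revocation validation. Any failure, whatever the cause, means "outside".
[System.Net.ServicePointManager]::CheckCertificateRevocationList = $true
$verdict = 'inside'
try {
    $req = [System.Net.WebRequest]::Create($NlsUrl)
    $req.Timeout = 5000
    $resp = $req.GetResponse()
    $resp.Close()
}
catch {
    # Name does not resolve, no listener, untrusted/revoked certificate or an
    # unreachable CRL all land here and are treated as "outside".
    $verdict = 'outside: ' + $_.Exception.Message
}
"Probe of $NlsUrl -> $verdict"

# 2. What the DNS Client service itself concluded ("Machine Location").
netsh dnsclient show state | Select-String 'Machine Location', 'Network Location Behavior'

# 3. Effective NRPT. Inside: no DirectAccess rules are in effect and names are
#    resolved by the interface DNS servers. Outside: the rules list the
#    corporate namespace and the DirectAccess DNS servers.
$nrpt = netsh namespace show effectivepolicy | Out-String
if ($nrpt -match 'DirectAccess \(DNS Servers\)') {
    'NRPT in effect: corporate names go over the DirectAccess tunnels'
} else {
    'No NRPT rules in effect: names resolve through the interface DNS servers'
}

# 4. Active firewall profile. Domain profile = no DirectAccess connection
#    security rules; Public/Private = the IPsec tunnel rules apply.
netsh advfirewall show currentprofile | Select-String 'Profile Settings'
netsh advfirewall consec show rule name=all | Select-String '^Rule Name'
```

Run it once while the client is plugged into the intranet and once from the Internet; the probe verdict, the machine location line and the NRPT state should all flip together. If the probe reports "outside" on the intranet, the exception message tells you which requirement (name resolution, trust, name match, CRL) the site is failing.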
Network location server requirements include the following:
- A Web site with an HTTPS server certificate bound to it.
- DirectAccess client computers must trust the certification authority (CA) that issued the server certificate to the network location server Web site.
- DirectAccess client computers on the internal network must be able to resolve the name of the network location server.
- The network location server site must be highly available to computers on the internal network. If it cannot be reached, clients on the internal network conclude that they are outside the corporate network and attempt to use DirectAccess.
- The network location server must not be accessible to DirectAccess client computers on the Internet. A client on the Internet that can reach it concludes that it is on the internal network and does not use DirectAccess.
- A CRL distribution point that is reachable from the internal network. The server certificate is checked against a certificate revocation list (CRL), and the check must succeed.
The network location server should not be run on the Forefront UAG DirectAccess server: the UAG server must be reachable from the Internet, whereas the network location server must not be.
Planning steps required to provide a network location server ready for Forefront UAG DirectAccess deployment are summarized in the following table.
| Planning stage | Planning steps |
|---|---|
| Setting up the network location server site | Set up a Web site on a highly available server. The Web site does not require any content, but when testing you might define a default page that provides a message when clients connect. For more information about scaling IIS capacity, see Web Server (IIS) role (http://go.microsoft.com/fwlink/?LinkId=169495). |
| Setting up the server certificate | Bind an HTTPS server certificate to the Web site. The common name of the certificate must match the name of the network location server site that clients connect to. Ensure that DirectAccess clients trust the issuing CA. Set up a management and renewal mechanism to ensure that the certificate is kept valid and up-to-date; an expired certificate fails validation, and clients on the internal network then behave as if they were on the Internet. |
| Setting up a CRL | Set up a CRL site that is highly available from the internal network. If the CRL check fails, DirectAccess clients in the internal network cannot access the HTTPS URL of the network location server site. CRL distribution points can be accessed through: If the internal CRL distribution point is only reachable over IPv6, you must configure a Windows Firewall with Advanced Security connection security rule that exempts traffic from the IPv6 address space of your intranet to the IPv6 addresses of your CRL distribution points from IPsec protection. This can also be configured by adding the IPv6 address of the CRL to the UAGDA_NID_ADDRESS static parameter in the DirectAccess configuration settings. For more information, see Modifying the Forefront UAG DirectAccess export script in SP1. |
| Enabling name resolution | Ensure that DirectAccess clients on the internal network can resolve the name of the network location server. Ensure that the name is not resolvable by DirectAccess clients on the Internet. |
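The IPsec exemption for an IPv6-only CRL distribution point, as an added example that is not part of the Forefront UAG documentation. It creates the connection security rule on a single DirectAccess client for testing; in a deployment the same rule is delivered through the DirectAccess client policy. The intranet prefix and CRL address are placeholders (assumptions), and so is the rule name.

```powershell
# Added example, not from the Forefront UAG documentation: exempt traffic from
# the intranet IPv6 prefix to the CRL distribution point from IPsec so the
# revocation check can complete before any DirectAccess tunnel exists.
$IntranetPrefix = '2001:db8:1::/48'   # assumption: your intranet IPv6 address space
$CrlAddress     = '2001:db8:1::53'    # assumption: IPv6 address of your CRL distribution point
$RuleName       = 'DirectAccess - CRL exemption'   # assumption: any name you choose

# action=noauthentication means "do not require IPsec" for matching traffic.
# port2=80 limits the exemption to the HTTP listener that serves the CRL.
netsh advfirewall consec add rule name="$RuleName" `
    endpoint1="$IntranetPrefix" endpoint2="$CrlAddress" `
    protocol=tcp port2=80 action=noauthentication profile=any

# Confirm the rule exists and shows Action: NoAuthentication.
netsh advfirewall consec show rule name="$RuleName"
```

Keep the exemption as narrow as the check needs (one address, one port): every address it covers is traffic that DirectAccess clients will send without IPsec protection.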
Availability of the network location server can be tested by connecting to it from a domain-joined computer inside the internal network. Also confirm, from a computer on the Internet, that the name does not resolve and the site cannot be reached.
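The test described above, as an added example that is not part of the Forefront UAG documentation. Run it from a domain-joined computer on the internal network; it checks each requirement from the planning table (name resolution, certificate name, trusted chain with online revocation checking, expiry, reachability of every CRL distribution point in the certificate, and finally the HTTPS request the clients actually make). The host name is an assumption; pass your own with -NlsHost.

```powershell
# Added example, not from the Forefront UAG documentation: check a network
# location server against the planning requirements from an internal client.
param(
    [string]$NlsHost = 'nls.corp.contoso.com'   # assumption: your NLS FQDN
)
$results = @()

# 1. Name resolution via the interface's DNS servers (not the NRPT).
try {
    $ips = [System.Net.Dns]::GetHostAddresses($NlsHost) | ForEach-Object { $_.IPAddressToString }
    $results += "DNS        : OK ($($ips -join ', '))"
} catch {
    $results += "DNS        : FAIL ($($_.Exception.Message))"
    $results; return
}

# 2. TLS handshake that captures the server certificate. The callback accepts
#    everything only so the certificate can be examined below; this is NOT what
#    a DirectAccess client does (step 7 is).
$tcp = New-Object System.Net.Sockets.TcpClient($NlsHost, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
         [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
$ssl.AuthenticateAsClient($NlsHost)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Close(); $tcp.Close()

# 3. The name clients use must appear as the subject CN or a DNS SAN entry.
$names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false))
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
}
if ($names -contains $NlsHost) { $results += "Name       : OK ($($names -join ', '))" }
else { $results += "Name       : FAIL (certificate names: $($names -join ', '); expected $NlsHost)" }

# 4. Build the chain with online revocation checking, as the clients will.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
if ($chain.Build($cert)) { $results += "Chain/CRL  : OK (issuer $($cert.Issuer))" }
else {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $results += "Chain/CRL  : FAIL ($status)"
}

# 5. Expiry: warn early so the renewal mechanism has time to act.
if ($cert.NotAfter -gt (Get-Date).AddDays(30)) { $results += "Expiry     : OK ($($cert.NotAfter))" }
else { $results += "Expiry     : WARN ($($cert.NotAfter))" }

# 6. Every HTTP CRL distribution point in the certificate must be reachable
#    from the internal network and return DER data (first byte 0x30, SEQUENCE).
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if ($cdp) {
    $urls = [regex]::Matches($cdp.Format($true), 'https?://[^\s\)]+') | ForEach-Object { $_.Value }
    foreach ($u in $urls) {
        try {
            $bytes = (New-Object System.Net.WebClient).DownloadData($u)
            if ($bytes.Length -gt 0 -and $bytes[0] -eq 0x30) { $results += "CRL        : OK ($u, $($bytes.Length) bytes)" }
            else { $results += "CRL        : FAIL ($u did not return DER data)" }
        } catch { $results += "CRL        : FAIL ($u, $($_.Exception.Message))" }
    }
} else { $results += 'CRL        : FAIL (certificate has no CRL distribution point)' }

# 7. The request the clients actually make: HTTPS with full validation.
[System.Net.ServicePointManager]::CheckCertificateRevocationList = $true
try {
    $resp = [System.Net.WebRequest]::Create("https://$NlsHost/").GetResponse()
    $results += "HTTPS GET  : OK (HTTP $([int]$resp.StatusCode))"
    $resp.Close()
} catch { $results += "HTTPS GET  : FAIL ($($_.Exception.Message))" }

$results
```

Every line should read OK before clients are pointed at the site. A FAIL in steps 3, 4 or 6 is the interesting case: the site is up, yet clients on the intranet will still decide they are on the Internet and try to build DirectAccess tunnels to reach it.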