This topic provides information about planning for a network location server in your Forefront Unified Access Gateway (UAG) DirectAccess deployment.

Overview

The network location server is a key component of Forefront UAG DirectAccess. It is a Web site used to detect whether DirectAccess clients are located in the corporate network. Clients in the corporate network do not use DirectAccess to reach internal resources, but instead connect directly.

A DirectAccess client on the corporate network or the Internet attempts to connect to the network location server over HTTPS. If any response is received from the Web site, the connection is successful and the client is presumed to be located in the internal network. The following occurs:

  • The Name Resolution Policy Table (NRPT) is disabled because DirectAccess is not required. For more information about the NRPT, see Using DNS with Forefront UAG DirectAccess.

  • The client resolves name requests using the DNS servers configured on its network interface settings.

  • The client computer connects to a domain controller, and the Domain Profile is applied. This profile does not contain the connection security rules required for the DirectAccess IPsec tunnels.

If there is no response from the network location server the following occurs:

  • DirectAccess IPsec tunnels are established.

  • The NRPT is enabled, and name resolution requests are sent over the DirectAccess tunnels.

Requirements

Network location server requirements include the following:

  • A Web site with an HTTPS server certificate.

  • DirectAccess client computers must trust the certification authority (CA) that issued the server certificate to the network location server Web site.

  • DirectAccess client computers on the internal network must be able to resolve the name of the network location server site.

  • The network location server site must be highly available to computers on the internal network.

  • The network location server must not be accessible to DirectAccess client computers on the Internet.

  • A CRL site. DirectAccess clients check the server certificate against a Certificate Revocation List (CRL), so the CRL distribution point must be reachable from the internal network.

Limitations

The network location server should not be run on the Forefront UAG DirectAccess server.

Planning steps

Planning steps required to provide a network location server ready for Forefront UAG DirectAccess deployment are summarized in the following table.

Planning stage: Setting up the network location server site

Planning steps:

Set up a Web site on a highly available server. The Web site does not require any content, but when testing you might define a default page that provides a message when clients connect. For more information about scaling IIS capacity, see Web Server (IIS) role (http://go.microsoft.com/fwlink/?LinkId=169495).

Planning stage: Setting up the server certificate

Planning steps:

Bind an HTTPS server certificate to the Web site. The common name of the certificate should match the name of the network location server site. Ensure that DirectAccess clients trust the issuing CA.

Set up a management and renewal mechanism to ensure that the certificate is kept valid and up-to-date.

Planning stage: Setting up a CRL

Planning steps:

Set up a CRL site that is highly available from the internal network. If the CRL check fails, DirectAccess clients in the internal network cannot access the HTTPS URL of the network location server site. CRL distribution points can be accessed through:

  1. Web servers using an HTTP-based URL, such as http://crl.corp.contoso.com/crld/corp-DC1-CA.crl

  2. File servers accessed through a universal naming convention (UNC) path, such as \\crl.corp.contoso.com\crld\corp-DC1-CA.crl

If the internal CRL distribution point is only reachable over IPv6, you must configure a Windows Firewall with Advanced Security connection security rule to exempt from IPsec protection the traffic from the IPv6 address space of your intranet to the IPv6 addresses of your CRL distribution points. This can also be configured by adding the IPv6 address of the CRL to the UAGDA_NID_ADDRESS static parameter in the DirectAccess configuration settings. For more information, see Modifying the Forefront UAG DirectAccess export script in SP1.

Planning stage: Enabling name resolution

Planning steps:

Ensure that DirectAccess clients on the internal network can resolve the name of the network location server. Ensure that the name is not resolvable by DirectAccess clients on the Internet.

Availability of the network location server can be tested by connecting to it from a domain computer inside the internal network.
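The following PowerShell script is an added example, not part of this article or of the Forefront UAG product. It checks, from a domain-joined client on the internal network, each of the planning requirements above: name resolution of the network location server, reachability of the HTTPS listener, a certificate whose name matches the site name, a chain that builds with online CRL checking, and a full HTTPS response. The host name nls.corp.contoso.com is an assumed placeholder; the NRPT check at the end uses Get-DnsClientNrptPolicy, which is only available on Windows 8 / Windows Server 2012 and later clients.

```powershell
# Added example (not from the article): read-only checks of a network location server (NLS)
# from a DirectAccess client on the internal network.
param(
    [string]$NlsHost = "nls.corp.contoso.com"   # assumption: placeholder NLS name
)

$report = [ordered]@{ NlsHost = $NlsHost }

# 1. Name resolution: intranet clients must resolve the NLS name (Internet clients must not).
try {
    $records = Resolve-DnsName -Name $NlsHost -ErrorAction Stop |
        Where-Object { $_.Type -in 'A', 'AAAA' }
    $report.Resolved  = $true
    $report.Addresses = ($records | ForEach-Object { $_.IPAddress }) -join ', '
} catch {
    $report.Resolved  = $false
    $report.Addresses = ''
}

# 2. TCP reachability of the HTTPS listener.
$report.Port443Open = (Test-NetConnection -ComputerName $NlsHost -Port 443 `
    -WarningAction SilentlyContinue).TcpTestSucceeded

# 3. TLS handshake to fetch the server certificate. The callback accepts any certificate
#    here only so that the chain can be evaluated explicitly (with CRL checking) in step 5.
$cert = $null
if ($report.Port443Open) {
    $tcp = New-Object System.Net.Sockets.TcpClient($NlsHost, 443)
    $ssl = New-Object System.Net.Security.SslStream(
        $tcp.GetStream(), $false,
        [System.Net.Security.RemoteCertificateValidationCallback] { $true })
    try {
        $ssl.AuthenticateAsClient($NlsHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

if ($cert) {
    # 4. The certificate name must match the NLS site name (SAN first, then subject CN).
    $certName = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $report.CertName    = $certName
    $report.NameMatches = ($certName -ieq $NlsHost)
    $report.CertExpires = $cert.NotAfter

    # 5. Build the chain with online revocation checking, as a DirectAccess client does.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $report.ChainValid  = $chain.Build($cert)
    $report.ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # 6. List the CRL distribution points the client must be able to reach (CDP extension, OID 2.5.29.31).
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $report.CrlDistributionPoints = if ($cdp) { $cdp.Format($true) } else { '(none)' }
}

# 7. Full HTTPS request. Any response means the client treats itself as being on the intranet;
#    a certificate or CRL failure surfaces here as an exception message.
try {
    $resp = Invoke-WebRequest -Uri "https://$NlsHost/" -UseBasicParsing -ErrorAction Stop
    $report.HttpStatus = $resp.StatusCode
} catch {
    $report.HttpStatus = $_.Exception.Message
}

# 8. With the NLS reachable, no NRPT rules should be in effect on the intranet.
if (Get-Command Get-DnsClientNrptPolicy -ErrorAction SilentlyContinue) {
    $report.EffectiveNrptRules = @(Get-DnsClientNrptPolicy -Effective).Count
}

[pscustomobject]$report | Format-List
```

Run the script from an intranet client and expect Resolved, Port443Open, NameMatches and ChainValid to be True with a 200 HttpStatus and zero effective NRPT rules. Running the same script from a DirectAccess client on the Internet should show Resolved as False, which confirms the requirement that the network location server is not reachable from outside.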