There are several tasks that you should do on an on-demand basis, in order to maintain Forefront UAG DirectAccess. All of these tasks should be performed using the Forefront UAG DirectAccess Configuration Wizard. They include:
- Maintaining DirectAccess clients and application server security groups
- Maintaining the Name Resolution Policy Table (NRPT)
- Checking management servers for IP address changes
Maintaining DirectAccess clients and application server security groups
When DirectAccess clients are disabled or removed, for example when someone leaves the company, you should remove the DirectAccess client from the computer client security groups used in the client configuration stage of the Forefront UAG DirectAccess Configuration Wizard. Similarly, when using the end-to-end access model, you should remove application servers that were entered into the application server security group, when the server ceases to exist or does not require end-to-end authentication.
Application servers that are added to security groups after the Group Policy object (GPO) was generated are not automatically updated in the DirectAccess client application server list. This means that any new application server that is added to the security group, or any application server whose IP address changed after the GPO was generated, is inaccessible to the DirectAccess client in both clear and encrypted modes. To resolve this, after adding a new application server to the specified security group, or after changing the IP address of an application server, do the following:
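A drift check for the case described in the note above, added here as an example and not part of the Forefront UAG product or this article: it records the application server security group membership and resolved addresses right after policies are generated, and on later runs reports any server added to or removed from the group, or whose addresses changed, so you know the wizard must be re-run and the GPO regenerated. The group name, snapshot path and the availability of the ActiveDirectory module are assumptions.

```powershell
# Added example (not from the Forefront UAG documentation): report application servers
# added to, removed from, or re-addressed in the DirectAccess application server
# security group since the last GPO generation. Group name and snapshot path are
# hypothetical placeholders; the ActiveDirectory module is assumed to be installed.
param(
    [string]$GroupName    = 'DA-AppServers',                  # hypothetical group name
    [string]$SnapshotPath = 'C:\DirectAccess\appservers.xml',  # hypothetical path
    [switch]$TakeSnapshot                                      # use right after Generate Policies
)
Import-Module ActiveDirectory

function Get-AppServerState {
    # Computer members of the group with their currently resolved addresses (sorted, joined)
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'computer' } |
        ForEach-Object {
            $computer = Get-ADComputer -Identity $_.distinguishedName -Properties DNSHostName
            $addrs = try {
                ([System.Net.Dns]::GetHostAddresses($computer.DNSHostName) |
                    ForEach-Object { $_.IPAddressToString } | Sort-Object) -join ','
            } catch { 'UNRESOLVED' }
            New-Object PSObject -Property @{ Name = $computer.DNSHostName; Addresses = $addrs }
        }
}

$current = @(Get-AppServerState)
if ($TakeSnapshot -or -not (Test-Path $SnapshotPath)) {
    $current | Export-Clixml -Path $SnapshotPath
    Write-Output "Snapshot of $($current.Count) application server(s) written to $SnapshotPath"
    return
}

# Compare the live state against the snapshot taken at GPO generation time
$baseline = @{}
foreach ($b in @(Import-Clixml -Path $SnapshotPath)) { $baseline[$b.Name] = $b.Addresses }
$drift = @()
foreach ($c in $current) {
    if (-not $baseline.ContainsKey($c.Name)) {
        $drift += "$($c.Name): ADDED since GPO generation ($($c.Addresses))"
    } elseif ($baseline[$c.Name] -ne $c.Addresses) {
        $drift += "$($c.Name): ADDRESS CHANGED from $($baseline[$c.Name]) to $($c.Addresses)"
    }
}
foreach ($name in $baseline.Keys) {
    if (-not ($current | Where-Object { $_.Name -eq $name })) { $drift += "${name}: REMOVED from group" }
}
if ($drift) { $drift; Write-Warning 'Re-run the DirectAccess wizard and regenerate policies' }
else { Write-Output 'No application server drift since the last snapshot' }
```

Run the script with -TakeSnapshot immediately after clicking Generate Policies, then schedule it without the switch; any reported line means the client application server list is stale until the wizard is re-run.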
Maintaining the Name Resolution Policy Table (NRPT)
As your deployment develops and your organization changes, there may be redundant records in the NRPT. As and when required, you should remove NRPT records that are no longer used from the NRPT. For more information, see Identifying DNS servers.
Checking management servers for IP address changes
You should add management servers and domain controllers in the Management Servers and DCs page of the Forefront UAG DirectAccess Configuration Wizard. You can do this by adding the management server or domain controller name, all the management server IP addresses, or by using the automatic discovery feature for domain controllers. IPv4 addresses are converted to IPv6 addresses. When the Forefront UAG DirectAccess configuration script is generated and applied, old IPsec rules that contain the old IPv6 addresses of the management servers are replaced with IPsec rules containing the new IPv6 addresses. When you add a server name, or in the case of auto discovery, Forefront UAG gathers the IP addresses for the servers and uses these addresses to create the new IPsec rules.
When an IP address of a server is changed, it must be reflected in the Forefront UAG DirectAccess Wizard. Until this is done, DirectAccess clients may be unable to access the management server.
To update an IP address for management servers and domain controllers
From the Forefront UAG DirectAccess Configuration Wizard, in the Infrastructure Servers box, click Management Servers and DCs.
To refresh domain controllers, click the Refresh icon.
Click Finish, click Generate Policies, and then apply or export the script, by clicking Apply Now or Export Script and running the exported script, as described in Applying or exporting the Forefront UAG DirectAccess configuration.