There are several tasks that you should perform as needed in order to maintain Forefront UAG DirectAccess. All of these tasks should be performed using the Forefront UAG DirectAccess Configuration Wizard. They include:

Maintaining DirectAccess clients and application server security groups

When DirectAccess clients are disabled or removed, for example when someone leaves the company, you should remove the DirectAccess client from the computer client security groups used in the client configuration stage of the Forefront UAG DirectAccess Configuration Wizard. Similarly, when using the end-to-end access model, you should remove application servers from the application server security group when the server no longer exists or no longer requires end-to-end authentication.
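The following script is an added example for auditing the client security group described above; it is not part of the Forefront UAG documentation. It assumes the ActiveDirectory module is installed and that the group name (here the placeholder DA_Clients) is the computer security group selected in the client configuration stage of the wizard.

```powershell
# Added example, not from the Forefront UAG documentation.
# Assumes the ActiveDirectory module (RSAT) and that 'DA_Clients' is a
# placeholder for the computer security group used in the client
# configuration stage of the wizard. Lists members whose computer account is
# disabled or stale (no logon within $StaleDays), i.e. candidates to remove
# from the group. Pass -Remove to actually remove direct members.
param(
    [string]$GroupName = 'DA_Clients',   # placeholder group name
    [int]$StaleDays    = 90,
    [switch]$Remove
)
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$StaleDays)

# -Recursive expands nested groups down to their computer objects.
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'computer' }

$candidates = foreach ($m in $members) {
    $c = Get-ADComputer -Identity $m.distinguishedName -Properties Enabled, LastLogonDate
    $reason = $null
    if (-not $c.Enabled) {
        $reason = 'account disabled'
    } elseif ($null -eq $c.LastLogonDate -or $c.LastLogonDate -lt $cutoff) {
        $reason = "no logon since $($c.LastLogonDate)"
    }
    if ($reason) {
        [pscustomobject]@{ Name = $c.Name; DN = $c.DistinguishedName; Reason = $reason }
    }
}

# Report the candidates before anything is changed.
$candidates | Format-Table -AutoSize

if ($Remove -and $candidates) {
    # Only direct members of the group can be removed here; computers that are
    # members through a nested group are reported only.
    $direct = (Get-ADGroupMember -Identity $GroupName).distinguishedName
    foreach ($c in $candidates | Where-Object { $direct -contains $_.DN }) {
        Remove-ADGroupMember -Identity $GroupName -Members $c.DN -Confirm:$false
        Write-Host "Removed $($c.Name) from $GroupName ($($c.Reason))"
    }
}
```

Run it without -Remove first to review the candidate list; stale accounts may belong to laptops that have simply been offline for a while.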

Application servers that are added to security groups after the Group Policy object (GPO) was generated are not automatically updated in the DirectAccess client application server list. This means that any new application server that is added to the security group, or any application server whose IP address changed after the GPO was generated, is inaccessible to the DirectAccess client in both clear and encrypted modes. To resolve this, after adding a new application server to the specified security group, or after changing the IP address of an application server, do the following:
  1. From the Forefront UAG DirectAccess Configuration Wizard, in the Application Servers box, click Edit, and then click Finish.

  2. Click Generate Policies, click Apply Now, or click Export Script. For more information, see Applying or exporting the Forefront UAG DirectAccess configuration. After this is completed, any newly added application servers or application servers with changed IP addresses will be accessible to the DirectAccess clients.

Maintaining the Name Resolution Policy Table (NRPT)

As your deployment develops and your organization changes, the NRPT may accumulate redundant records. As required, remove NRPT records that are no longer used. For more information, see Identifying DNS servers.

Checking management servers for IP address changes

You should add management servers and domain controllers in the Management Servers and DCs page of the Forefront UAG DirectAccess Configuration Wizard. You can do this by entering the management server or domain controller name, by entering all of the management server's IP addresses, or by using the automatic discovery feature for domain controllers. IPv4 addresses are converted to IPv6 addresses. When the Forefront UAG DirectAccess configuration script is generated and applied, old IPsec rules that contain the old IPv6 addresses of the management servers are replaced with IPsec rules containing the new IPv6 addresses. When you add a server name, or in the case of auto discovery, Forefront UAG gathers the IP addresses for the servers and uses these addresses to create the new IPsec rules.

When the IP address of a server changes, the change must be reflected in the Forefront UAG DirectAccess Configuration Wizard. Until this is done, DirectAccess clients may be unable to access the management server.

To update an IP address for management servers and domain controllers

  1. From the Forefront UAG DirectAccess Configuration Wizard, in the Infrastructure Servers box, click Management Servers and DCs.

  2. To refresh domain controllers, click the Refresh icon.

  3. Click Finish, click Generate Policies, and then apply or export the script, by clicking Apply Now or Export Script and running the exported script, as described in Applying or exporting the Forefront UAG DirectAccess configuration.