This topic describes how to determine which Forefront Unified Access Gateway (UAG) DirectAccess access model to use, and how to identify an application server that requires additional authentication.
Forefront UAG DirectAccess uses the following access models:
- End-to-edge—Allows DirectAccess clients to connect to all resources inside the intranet, by using IPsec-based tunnel policies that require authentication and encryption until they reach the Forefront UAG DirectAccess server. The IPsec sessions terminate by default at the Forefront UAG DirectAccess server, which also functions as the IPsec gateway.
Note: It is recommended that you use the end-to-edge access model for initial deployments.
- End-to-end—Extends the end-to-edge IPsec policies all the way to the specified application servers. The DirectAccess clients use an IPsec transport policy that requires the authentication and traffic protection of IPsec sessions to be terminated at the specified application servers. In this case, the Forefront UAG DirectAccess server forwards the authenticated and traffic-protected IPsec sessions to the application servers. Additionally, you can encrypt the data payload between the DirectAccess client and an application server by changing the data protection (quick mode) settings.
Note: DirectAccess clients can still connect to all other resources inside the intranet, using the end-to-edge access model.
To identify an application server that requires additional authentication
From the Forefront UAG DirectAccess Configuration Wizard, in the Application Servers box, click Configure.
To enable Require end-to-edge authentication and encryption (the default selection), click Finish.
To enable end-to-end authentication and encryption for specified servers:
- Click Require end-to-end authentication and encryption to specified application servers.
- If you want to change the IPsec cryptography settings, click Edit IPsec cryptography settings, select the relevant Protocol, Integrity and Encryption, and then
Note: Forefront UAG DirectAccess (UP1 release) supports the Suite B cryptographic algorithms that were added to IPsec in Windows Vista Service Pack 1, in Windows Server 2008, and in Windows 7.
- Click Add, select the security group(s) containing the application servers that you want to enable for end-to-end authentication and encryption, click OK, and then click Finish. Clicking Remove removes the currently selected security group from the list.
Important: Application servers that are added to the application server security group must be running Windows 2008 or above.
Application servers that are added to security groups after the GPO has been generated are not automatically updated in the DirectAccess client application server list. This means that any new application server added to the security group, or any application server that has its IP address changed after the GPO has been generated, is inaccessible to the DirectAccess client in both clear and encrypted modes. To resolve this, after adding a new application server to the specified security group, or after changing the IP address of an application server, do the following:
For instructions on configuring the next step of the Forefront UAG DirectAccess Configuration Wizard, see Applying or exporting the Forefront UAG DirectAccess configuration.