This checklist is designed to help you plan your Forefront Unified Access Gateway (UAG) DirectAccess deployment. It lists the tasks you should do to install and deploy Forefront UAG DirectAccess successfully. The checklist also provides links to where you can find instructions and planning information for each task.

Each step below gives the planning task, its details, and the planning topics with more information.

Step 1—Determine how many Forefront UAG DirectAccess servers you require

This will depend on the expected number of concurrent DirectAccess client connections, your DirectAccess configuration, scalability, failover, and fault tolerance requirements.

Planning for a single or multiple Forefront UAG DirectAccess servers

Verifying Forefront UAG DirectAccess hardware requirements

Step 2—Plan an array deployment

You can deploy multiple Forefront UAG DirectAccess servers in an array. All array members share the same DirectAccess settings.

Planning for a single or multiple Forefront UAG DirectAccess servers

Array planning guide

Step 3—Plan your network topology and firewall requirements

Plan the location of your Forefront UAG DirectAccess servers. If Forefront UAG DirectAccess servers are located behind or between firewalls, identify the traffic that must be allowed through the firewalls.

Planning for a single or multiple Forefront UAG DirectAccess servers

Step 4—Decide whether to deploy Forefront UAG DirectAccess for intranet access and remote management

DirectAccess can be deployed to provide DirectAccess clients with access to the internal corporate network, and for remote client management. You can deploy Forefront UAG DirectAccess for remote management only.

Planning for Forefront UAG SP1 DirectAccess deployment

Step 5—Plan for DirectAccess group policy

You configure DirectAccess settings by running the DirectAccess Configuration Wizard in the Forefront UAG Management console. Settings are collected into two group policy objects (GPOs) that are distributed to DirectAccess servers and clients. If you optionally configure DirectAccess to extend authentication and encryption between DirectAccess clients and internal applications servers, a third GPO is applied to the servers.

Planning for GPOs in Forefront UAG DirectAccess SP1

Step 6—Plan for DirectAccess client deployment

Planning includes identifying the computers you want to configure as DirectAccess clients, and gathering them into security groups or organizational units (OUs).

Planning for Forefront UAG DirectAccess client deployment

Step 7—Plan for IPsec authentication

DirectAccess clients connect to DirectAccess servers via authenticated IPv6 IPsec tunnels. The first (infrastructure) tunnel allows clients to access internal infrastructure servers, and it is established before logon. Clients authenticate with a computer certificate and computer account NTLMv2 credentials. The second (intranet) tunnel allows clients access to the internal network. This tunnel is established only after both the computer certificate and the account of the logged-on user (using Kerberos) have been validated.

Planning for Forefront UAG DirectAccess client authentication

Step 8—Plan server IP addresses and routing

Plan for IP addressing and routing so that the Forefront UAG DirectAccess server is reachable from the IPv4 Internet; the IPv6 intranet (if your organization has deployed native IPv6 connectivity and is connected to the IPv6 Internet through an IPv6-capable ISP); internal IPv6 resources; and internal IPv4 resources.

Planning server network settings

Step 9—Plan for IP-HTTPS

IP-HTTPS allows DirectAccess clients to connect to the DirectAccess server over the IPv4 Internet. IP-HTTPS encapsulates IPv6 packets in an IPv4 header, and is used by clients that are unable to connect to the Forefront UAG DirectAccess server using the other IPv6 connectivity methods, or whenever force tunneling is enabled. By default, the Forefront UAG DirectAccess server is configured to act as the IP-HTTPS Web server, and uses a server certificate to authenticate to IP-HTTPS clients.

Planning for IP-HTTPS

Step 10—Plan for certificate deployment

Forefront UAG DirectAccess uses certificates in a number of scenarios, including IPsec authentication of DirectAccess servers and clients; authentication of the IP-HTTPS server and the network location server; client health verification with NAP; and two-factor authentication using smart cards and one-time passwords (OTP).

Planning CAs and certificates for Forefront UAG DirectAccess SP1

Step 11—Plan the deployment of management servers

DirectAccess clients initiate communications with management servers that provide services such as Windows update, NAP, and antivirus updates. DirectAccess clients also contact domain controllers to get Kerberos authentication before accessing the internal network. During remote management of DirectAccess clients, management servers communicate with client computers to perform management functions such as software or hardware inventory assessments.

Planning management servers in Forefront UAG DirectAccess SP1

Step 12—Plan for deployment of a network location server

The network location server is a key component of Forefront UAG DirectAccess. It is a Web site used to detect whether DirectAccess clients are located in the corporate network.

Planning a network location server for Forefront UAG DirectAccess

Step 13—Plan a DNS infrastructure

Forefront UAG DirectAccess uses DNS to resolve name requests from DirectAccess clients, and name requests to infrastructure servers.

Planning DNS requirements in Forefront UAG DirectAccess SP1

Step 14—Plan an Active Directory infrastructure

Forefront UAG DirectAccess uses Active Directory and group policy for IPsec authentication; for gathering DirectAccess servers and clients into security groups or OUs; and for storing DirectAccess settings in GPOs.

Planning Active Directory for Forefront UAG DirectAccess SP1

Step 15 (optional)—Plan to deploy the DirectAccess Connectivity Assistant (DCA)

You can optionally install DCA 1.5 on DirectAccess client computers, to provide information about the state of DirectAccess connectivity to corporate network resources, and to troubleshoot DirectAccess issues. During DirectAccess configuration you can specify DCA settings that will be applied when the DCA application is deployed on DirectAccess client computers.

Planning for DCA deployment in Forefront UAG SP1

Step 16 (optional)—Plan for client health verification with Network Access Protection (NAP)

You can optionally deploy NAP with Forefront UAG DirectAccess to enforce corporate health requirements by monitoring and assessing the health of DirectAccess client computers connecting via the DirectAccess server to internal resources.

Planning for NAP health verification in Forefront UAG DirectAccess SP1

Step 17 (optional)—Plan for force tunneling

By default, DirectAccess clients use split tunneling. Traffic to the intranet is sent over the IPsec intranet tunnel to the Forefront UAG DirectAccess server. Traffic to the Internet is sent directly to the Internet using the IP address settings configured on the network adapter of the DirectAccess client computer. Instead of split tunneling, you can optionally configure force tunneling, which routes client requests for Internet resources via the DirectAccess server.

Planning Internet access for DirectAccess clients in Forefront UAG SP1
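The client-side decisions in Steps 9, 12 and 17 are easier to reason about as one small model: the client first probes the network location server to decide whether it is inside the corporate network (Step 12), then, when outside, picks IP-HTTPS as the fallback transport or whenever force tunneling is enabled (Step 9), and finally routes each destination either over the IPsec intranet tunnel or directly to the Internet, with force tunneling sending Internet traffic via the DirectAccess server as well (Step 17). The following Python is an added illustration written for this checklist, not Forefront UAG code; the intranet prefix, the probe callable and the `ClientState` fields are constructed assumptions, and the rule that a client detected inside the corporate network bypasses the DirectAccess tunnels entirely is standard DirectAccess behaviour rather than something the checklist spells out.

```python
"""Toy model of DirectAccess client decisions: network location detection
(Step 12), IP-HTTPS fallback (Step 9) and split vs. force tunneling (Step 17).
Added illustration only; not Forefront UAG code.  Prefixes and probe are
constructed examples."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv6Network
from typing import Callable, List

# Constructed intranet IPv6 prefix (assumption); a real deployment uses its own.
INTRANET_PREFIXES: List[IPv6Network] = [ip_network("2001:db8:1234::/48")]


@dataclass
class ClientState:
    native_ipv6: bool      # client has an IPv6 path to the DirectAccess server
    force_tunneling: bool  # optional setting from Step 17


def detect_location(probe_nls: Callable[[], bool]) -> str:
    """Step 12: the client is 'inside' only if the network location server's
    HTTPS site answers.  From the Internet the NLS is unreachable (the probe
    fails or raises), so the client treats itself as 'outside'."""
    try:
        return "inside" if probe_nls() else "outside"
    except OSError:
        return "outside"


def choose_transport(state: ClientState) -> str:
    """Step 9: IP-HTTPS is the fallback when the other IPv6 connectivity
    methods are unavailable, and is always used when force tunneling is on."""
    if state.force_tunneling:
        return "IP-HTTPS"
    return "native IPv6" if state.native_ipv6 else "IP-HTTPS"


def route(destination: str, state: ClientState, location: str) -> str:
    """Step 17: outside the corporate network, intranet destinations go over
    the IPsec intranet tunnel; Internet destinations go direct under split
    tunneling, or via the DirectAccess server under force tunneling."""
    if location == "inside":
        # Detected on the corporate network: DirectAccess tunnels are not used.
        return "direct (on corporate network)"
    addr = ip_address(destination)
    # An IPv4 address never matches an IPv6 prefix, so it falls through below.
    if any(addr in prefix for prefix in INTRANET_PREFIXES):
        return "IPsec intranet tunnel to DirectAccess server"
    if state.force_tunneling:
        return "via DirectAccess server (force tunneling)"
    return "direct to Internet (split tunneling)"


if __name__ == "__main__":
    # Constructed scenario: roaming client behind IPv4-only NAT, split tunneling.
    client = ClientState(native_ipv6=False, force_tunneling=False)
    where = detect_location(lambda: False)          # NLS not reachable
    print("location:", where)
    print("transport:", choose_transport(client))
    for dest in ("2001:db8:1234::10", "203.0.113.5"):
        print(dest, "->", route(dest, client, where))
```

Running the block shows why force tunneling matters for planning Internet access: flipping `force_tunneling` to `True` changes only the Internet destination's route, while intranet traffic already went through the tunnel under split tunneling.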

Step 18 (optional)—Plan for strong two-factor authentication

DirectAccess uses an authenticated IPv6 IPsec tunnel to connect DirectAccess clients to DirectAccess servers and intranet resources. By default, Forefront UAG DirectAccess supports standard user authentication using a user name and password. Optionally, you can implement two-factor authentication, which provides improved security because it requires the user to meet two authentication criteria: a user name and password combination, and a token or certificate.

Planning two-factor client authentication in Forefront UAG DirectAccess SP1

Step 19 (optional)—Plan for end-to-end encryption and authentication

By default, traffic between DirectAccess clients and the Forefront UAG DirectAccess server is always authenticated and encrypted. The Forefront UAG DirectAccess server acts as an IPsec gateway, and terminates the IPsec tunnels for the DirectAccess client. Traffic between the Forefront UAG DirectAccess server and intranet resources is neither encrypted nor authenticated. Optionally, you can configure end-to-end authentication and encryption settings, so that client traffic forwarded by the Forefront UAG DirectAccess server to selected internal servers remains authenticated and encrypted.

Planning for extended authentication and encryption in Forefront UAG DirectAccess SP1