This checklist is designed to help you plan your Forefront Unified Access Gateway (UAG) DirectAccess deployment. It lists the tasks you should do to install and deploy Forefront UAG DirectAccess successfully. The checklist also provides links to where you can find instructions and planning information for each task.
Planning task | Details | More information |
---|---|---|
Step 1—Determine how many Forefront UAG DirectAccess servers you require | This will depend on the expected number of concurrent DirectAccess client connections, your DirectAccess configuration, and your scalability, failover, and fault tolerance requirements. | Planning for a single or multiple Forefront UAG DirectAccess servers |
Step 2—Plan an array deployment | You can deploy multiple Forefront UAG DirectAccess servers in an array. All array members share the same DirectAccess settings. | Planning for a single or multiple Forefront UAG DirectAccess servers |
Step 3—Plan your network topology and firewall requirements | Plan the location of your Forefront UAG DirectAccess servers. If Forefront UAG DirectAccess servers are located behind or between firewalls, identify the traffic that must be allowed through the firewalls. | Planning for a single or multiple Forefront UAG DirectAccess servers |
Step 4—Decide whether to deploy Forefront UAG DirectAccess for intranet access and remote management | DirectAccess can be deployed to provide DirectAccess clients with access to the internal corporate network, and for remote client management. You can also deploy Forefront UAG DirectAccess for remote management only. | |
Step 5—Plan for DirectAccess group policy | You configure DirectAccess settings by running the DirectAccess Configuration Wizard in the Forefront UAG Management console. Settings are collected into two group policy objects (GPOs) that are distributed to DirectAccess servers and clients. If you optionally configure DirectAccess to extend authentication and encryption between DirectAccess clients and internal application servers, a third GPO is applied to those servers. | |
Step 6—Plan for DirectAccess client deployment | Planning includes identifying the computers you want to configure as DirectAccess clients, and gathering them into security groups or organizational units (OUs). | |
Step 7—Plan for IPsec authentication | DirectAccess clients connect to DirectAccess servers via two authenticated IPv6 IPsec tunnels. The first (infrastructure) tunnel allows clients to access internal infrastructure servers, and it is established before logon. Clients authenticate with a computer certificate and computer account NTLMv2 credentials. The second (intranet) tunnel allows clients access to the internal network. This tunnel is established after both the computer certificate and the account of the logged-on user (using Kerberos) have been validated. | Planning for Forefront UAG DirectAccess client authentication |
Step 8—Plan server IP addresses and routing | Plan for IP addressing and routing so that the Forefront UAG DirectAccess server is reachable from the IPv4 Internet; from the IPv6 Internet (if your organization has deployed native IPv6 connectivity and is connected to the IPv6 Internet through an IPv6-capable ISP); from internal IPv6 resources; and from internal IPv4 resources. | |
Step 9—Plan for IP-HTTPS | IP-HTTPS allows DirectAccess clients to connect to the DirectAccess server over the IPv4 Internet. IP-HTTPS encapsulates IPv6 packets in an IPv4 header, and is used by clients that are unable to connect to the Forefront UAG DirectAccess server using the other IPv6 connectivity methods, or when force tunneling is enabled. By default, the Forefront UAG DirectAccess server is configured to act as the IP-HTTPS Web server, and uses a server certificate to authenticate to IP-HTTPS clients. | |
Step 10—Plan for certificate deployment | Forefront UAG DirectAccess uses certificates in a number of scenarios, including IPsec authentication of DirectAccess servers and clients; authentication of the IP-HTTPS server and the network location server; client health verification with NAP; and two-factor authentication using smart cards and one-time passwords (OTP). | Planning CAs and certificates for Forefront UAG DirectAccess SP1 |
Step 11—Plan the deployment of management servers | DirectAccess clients initiate communications with management servers that provide services such as Windows Update, NAP, and antivirus updates. DirectAccess clients also contact domain controllers to obtain Kerberos authentication before accessing the internal network. During remote management of DirectAccess clients, management servers communicate with client computers to perform management functions such as software or hardware inventory assessments. | Planning management servers in Forefront UAG DirectAccess SP1 |
Step 12—Plan for deployment of a network location server | The network location server is a key component of Forefront UAG DirectAccess. It is a Web site used by DirectAccess clients to detect whether they are located in the corporate network. | Planning a network location server for Forefront UAG DirectAccess |
Step 13—Plan a DNS infrastructure | Forefront UAG DirectAccess uses DNS to resolve client requests and requests to infrastructure servers. | |
Step 14—Plan an Active Directory infrastructure | Forefront UAG DirectAccess uses Active Directory and group policy for IPsec authentication; for gathering DirectAccess servers and clients into security groups or OUs; and for storing DirectAccess settings in GPOs. | Planning Active Directory for Forefront UAG DirectAccess SP1 |
Step 15 (optional)—Plan to deploy the DirectAccess Connectivity Assistant (DCA) | You can optionally install DCA 1.5 on DirectAccess client computers to provide information about the state of DirectAccess connectivity to corporate network resources, and to troubleshoot DirectAccess issues. During DirectAccess configuration you can specify DCA settings that are applied when the DCA application is deployed on DirectAccess client computers. | |
Step 16 (optional)—Plan for client health verification with Network Access Protection (NAP) | You can optionally deploy NAP with Forefront UAG DirectAccess to enforce corporate health requirements by monitoring and assessing the health of DirectAccess client computers that connect via the DirectAccess server to internal resources. | Planning for NAP health verification in Forefront UAG DirectAccess SP1 |
Step 17 (optional)—Plan for force tunneling | By default, DirectAccess clients use split tunneling. Traffic to the intranet is sent over the IPsec intranet tunnel to the Forefront UAG DirectAccess server. Traffic to the Internet is sent directly to the Internet using the IP address settings configured on the network adapter of the DirectAccess client computer. Instead of split tunneling, you can optionally configure force tunneling, which routes client requests for Internet resources via the DirectAccess server. | Planning Internet access for DirectAccess clients in Forefront UAG SP1 |
Step 18 (optional)—Plan for strong two-factor authentication | DirectAccess uses an authenticated IPv6 IPsec tunnel to connect DirectAccess clients to DirectAccess servers and intranet resources. By default, Forefront UAG DirectAccess supports standard user authentication using a user name and password. Optionally, you can implement two-factor authentication, which provides improved security because it requires the user to meet two authentication criteria—a user name and password combination, and a token or certificate. | Planning two-factor client authentication in Forefront UAG DirectAccess SP1 |
Step 19 (optional)—Plan for end-to-end encryption and authentication | By default, traffic between DirectAccess clients and the Forefront UAG DirectAccess server is always authenticated and encrypted. The Forefront UAG DirectAccess server acts as an IPsec gateway, and terminates the IPsec tunnels for the DirectAccess client. Traffic between the Forefront UAG DirectAccess server and intranet resources is neither encrypted nor authenticated. Optionally, you can configure end-to-end authentication and encryption settings, so that the Forefront UAG DirectAccess server forwards client traffic to selected internal servers authenticated and encrypted. | Planning for extended authentication and encryption in Forefront UAG DirectAccess SP1 |