This topic summarizes the main features of Forefront Unified Access Gateway (UAG) Service Pack 1 (SP1). For a comparison of Forefront UAG and Forefront UAG Service Pack One DirectAccess features, see Comparing Forefront UAG DirectAccess RTM and SP1.

Deployment Feature Details

Installation and network configuration

Software installation

Service Pack 1 (SP1) is provided as follows:

  1. As a service pack update that can be installed on existing Forefront UAG servers.

  2. As a complete application that includes Forefront UAG and SP1. For more information, see Installing SP1 for Forefront UAG 2010.

Modifying IP internal addresses

From SP1 onwards, modifying internal IP addresses is supported.

Application publishing

SharePoint 2010

Forefront UAG SP1 supports publishing SharePoint Server 2010 (first introduced in Forefront UAG Update 1). For more information, see the SharePoint publishing solution guide.

Rights Management Services (RMS)

In Service Pack One, any SharePoint libraries protected with Information Rights Management (IRM) using Active Directory Rights Management Services (AD RMS) can be accessed through Forefront UAG. To access IRM libraries through Forefront UAG, you must publish your SharePoint server and your AD RMS server. For more information, see Publishing an AD RMS server.In addition, Exchange mail services that you publish through Forefront UAG can also be protected by IRM using AD RMS. IRM can be used to protect e-mail messages and attachments. For more information, see Publishing an AD RMS server.

ADFS 2.0

In Service Pack 1, you can provide remote and partner employees with access to your published applications using Active Directory Federation Services (AD FS) 2.0 (in addition to AD FS 1.0). For more information, see Overview of AD FS 2.0.


Simplified deployment

You configure Forefront UAG using a series of wizards in the Forefront UAG Management Console. The wizards take you through the core tasks of setting up Forefront UAG DirectAccess, and you can then perform optional configuration tasks as required. For more information, see the Forefront UAG DirectAccess deployment guide for SP1.

Deployment mode

You can deploy Forefront UAG DirectAccess to allow DirectAccess clients to connect to internal networks and you can remotely manage these clients, or you can deploy Forefront UAG DirectAccess for remote client management only. For more information, see Selecting a deployment model in SP1.

Force tunneling

Using the DirectAccess Server Configuration Wizard you can select whether to send Internet requests from DirectAccess clients directly to the Internet, or to force the tunneling of client Internet requests via the Forefront UAG DirectAccess server. For more information, see Configuring an Internet connectivity method in SP1.

Health verification with Network Access Protection (NAP) policies

For increased access control, you can verify that DirectAccess clients are compliant with NAP health policies before allowing them access to internal networks.

You can implement NAP in enforcement mode so that only compliant clients are allowed to connect via Forefront UAG DirectAccess, or use monitoring mode that monitors client health, but allows both compliant and non-compliant DirectAccess clients to connect. For more information, see Configuring NAP in SP1.

Two-factor authentication with a one-time password (OTP)

In addition to using Kerberos to authenticate DirectAccess clients, you can optionally require authentication with smartcards or OTP. For more information, see Configuring two-factor authentication in SP1.

DirectAccess Connectivity Assistant

Forefront UAG Service Pack 1 includes a new version of the DirectAccess Connectivity Assistant application. This application can be run on Forefront UAG DirectAccess client computers to provide DirectAccess status information and troubleshooting options.

In the DirectAccess Client Configuration Wizard, you can specify application settings that are saved as client settings in the client GPO, and are then applied to client computers that have the DirectAccess Connectivity Assistant application installed. For information about configuring settings on the DirectAccess server, see Configuring the DirectAccess Connectivity Assistant (DCA) in SP1. For more client-side information, see Using DirectAccess Connectivity Assistant (DCA) 1.5.

Group Policy Objects (GPO) with organizational units (OUs)

Forefront UAGdelivers DirectAccess settings to DirectAccess clients and servers, and infrastructure servers, using GPOs. Client computers that should receive the DirectAccess client GPO were identified using Active Directory security groups.

In SP1, you can identify client computers with Active Directory OUs in addition to security groups. For more information, see Configuring DirectAccess GPOs in Forefront UAG SP1.

In addition, SP1 provides a more flexible solution for GPO provisioning. You can specify that GPOs are created automatically when you run the wizard, or provide information about predefined GPOs.

Automatic discovery of management servers

Forefront UAG DirectAccess supports the auto-discovery of management servers, including domain controllers, SCCM servers and HRA servers. For more information, see Specifying management servers in SP1.

Logging and monitoring

SP1 introduces logging and monitoring features for servers and arrays, to allow you to assess the status of Forefront UAG DirectAccess servers and clients. Features include:

  1. Web Monitor—The status of Forefront UAG DirectAccess servers, services, and client session connections is displayed using Web Monitor

  2. SQL Server logs-SQL Server logging is enabled by default, and DirectAccess client activity is stored in the SQL Server logs.

  3. PowerShell—A PowerShell command tool can be run to provide DirectAccess server and client settings.

  4. For more information, see Monitoring Forefront UAG DirectAccess SP1.

Forefront UAG Update 1 and Update 2

Forefront UAG Update 1 and Update 2 integration

Features introduced in Forefront UAG Update 1 and Update 2 are integrated into Service Pack 1. For more information, see What's new in Forefront UAG Update 1.