This topic provides information about planning Active Directory requirements in your Forefront Unified Access Gateway (UAG) DirectAccess deployment.
Forefront UAG DirectAccess uses Active Directory and Active Directory group policy objects, as follows:
- Authentication—Active Directory is
used for authentication. The infrastructure tunnel uses NTLMv2
authentication for the computer account connecting to the Forefront
UAG DirectAccess server, and the account must be in an Active
Directory domain. The intranet tunnel uses Kerberos authentication
for the user to create the second tunnel.
- Group policy objects—Forefront UAG
DirectAccess gathers configuration settings into group policy
objects that are applied to Forefront UAG DirectAccess servers,
clients, and internal management servers.
- Security groups and OUs—Forefront UAG
DirectAccess uses global or universal security groups, and
organizational units (OUs), to gather together and identify
DirectAccess client computers, and DirectAccess servers. The group
policies are applied to the required security group or OU.
- Extended IPsec policies—By default
Forefront UAG DirectAccess uses IPsec authentication and encryption
between clients and the Forefront UAG DirectAccess server. You can
extend IPsec authentication and encryption through to specified
internal application servers. To do this, you gather the required
application servers into a security group.
When planning Active Directory for a Forefront UAG DirectAccess deployment, the following are required:
- At least one domain controller running
Windows Server 2003 or later is required.
- The Forefront UAG DirectAccess server must be
a domain member.
- DirectAccess clients must be domain members.
Clients can belong to:
- Any domain in the same forest as the
Forefront UAG DirectAccess server.
- Any domain that has a two-way trust with the
Forefront UAG DirectAccess server domain.
- Any domain in a forest that has a two-way
trust with the forest to which the Forefront UAG DirectAccess
Note the following limitations:
- The Forefront UAG DirectAccess server cannot
be a domain controller.
- The Active Directory domain controller used
for Forefront UAG DirectAccess must not be reachable from the
external Internet adapter of the Forefront UAG DirectAccess server,
and that adapter must not be assigned to the domain profile of Windows
Firewall. If the domain controller is reachable from the Internet
adapter, or the Internet adapter is in the domain profile, the Forefront UAG
DirectAccess Configuration Wizard cannot run.
- If you want to extend IPsec authentication
and encryption through to specific internal application servers,
the application servers must reside in the same forest as that in
which the DirectAccess server is located.
Planning steps include the following. Each planning stage is listed, followed by its planning steps:
Planning for domain controllers
Plan for at least one domain controller running Windows Server 2003 or later.
If you must deploy an Active Directory domain controller on a perimeter network (where it is reachable from the Internet-facing interface of the Forefront UAG DirectAccess server), prevent the Forefront UAG DirectAccess server from reaching it over that interface by adding packet filters on the domain controller that block connectivity from the IP address of the server's Internet adapter.
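The reachability limitation above is easy to get wrong when a domain controller sits on a perimeter network. The following PowerShell script is an added example, not part of the Forefront UAG documentation: run on the Forefront UAG DirectAccess server, it binds a TCP socket to the Internet adapter's address and tries to connect to the domain controller on the ports Active Directory uses. It relies on the strong host model of Windows Server 2008 and later, under which a connection bound to an adapter's address is sent only through that adapter. The IP addresses, the port list and the timeout are assumptions; substitute your own.

```powershell
# Added example (not from the Forefront UAG documentation).
# Run on the Forefront UAG DirectAccess server. Any successful connection means the
# domain controller is reachable from the Internet adapter, which the Configuration
# Wizard does not allow.
$externalIp = '203.0.113.10'   # assumed IP address of the server's Internet-facing adapter
$dcIp       = '10.0.0.5'       # assumed IP address of the domain controller
$timeoutMs  = 2000             # assumed per-port connect timeout
# Ports a domain member needs to reach on a domain controller (assumed list)
$adPorts = @{ 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP'
              445 = 'SMB'; 636 = 'LDAPS'; 3268 = 'Global Catalog' }

function Test-BoundTcpPort {
    param([string]$LocalIp, [string]$RemoteIp, [int]$Port, [int]$TimeoutMs)
    # Bind the local end of the socket to the Internet adapter's address so the
    # connection attempt is sent via that adapter (strong host send behavior).
    $addr   = [System.Net.IPAddress]::Parse($LocalIp)
    $local  = New-Object System.Net.IPEndPoint -ArgumentList $addr, 0
    $client = New-Object System.Net.Sockets.TcpClient -ArgumentList $local
    try {
        $ar = $client.BeginConnect($RemoteIp, $Port, $null, $null)
        # Treat a timeout the same as a refused connection: not reachable
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$reachable = @()
foreach ($port in ($adPorts.Keys | Sort-Object)) {
    if (Test-BoundTcpPort -LocalIp $externalIp -RemoteIp $dcIp -Port $port -TimeoutMs $timeoutMs) {
        $reachable += "$port ($($adPorts[$port]))"
    }
}

if ($reachable.Count -gt 0) {
    Write-Warning ("Domain controller $dcIp is reachable from Internet adapter $externalIp on: " +
                   ($reachable -join ', '))
} else {
    "Domain controller $dcIp is not reachable from Internet adapter $externalIp on any tested port."
}
```

If any port is reported as reachable, add the packet filter on the domain controller side; on a Windows Server 2008 or later domain controller that runs Windows Firewall with Advanced Security, a rule such as `netsh advfirewall firewall add rule name="Block UAG Internet adapter" dir=in action=block remoteip=203.0.113.10` (address assumed) blocks all inbound traffic from the Internet adapter's address, and the script can then be rerun to confirm that nothing connects.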
Planning for client security groups and OUs
For a client computer to receive the DirectAccess client group policy, and thus be configured as a DirectAccess client, it must be included in an OU or security group and belong to one of the client domains specified during Forefront UAG DirectAccess deployment. Note the following:
Planning for DirectAccess server security groups or OUs
DirectAccess servers can be grouped using security groups or OUs. Ensure that servers belong to the required OUs or security groups before beginning deployment.
Planning for extended authentication and encryption
If you want to extend IPsec policies through to specific internal application servers, add the required servers to a security group.
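The three planning stages above (client groups or OUs, DirectAccess server groups or OUs, and the security group for extended IPsec) share the same preconditions: the groups must be global or universal security groups, their members must be computer accounts, and application servers that receive extended IPsec policies must be in the DirectAccess server's forest. The following PowerShell script is an added example, not part of the Forefront UAG documentation, that validates those preconditions before deployment. It assumes the Active Directory module for Windows PowerShell on a domain-joined management host; the group names are assumptions.

```powershell
# Added example (not from the Forefront UAG documentation).
# Validates the security groups planned for DirectAccess clients, DirectAccess servers
# and extended-IPsec application servers.
Import-Module ActiveDirectory

# Assumed group names; the value records what each group is used for
$groups = @{
    'DA-Clients'    = 'clients'
    'DA-Servers'    = 'servers'
    'DA-AppServers' = 'application servers'   # extended IPsec authentication and encryption
}

# DNS names of every domain in the forest to which this host (and the DirectAccess server) belongs
$forestDomains = (Get-ADForest).Domains

function Get-DomainFromDN {
    param([string]$DistinguishedName)
    # "CN=PC1,OU=Laptops,DC=corp,DC=example,DC=com" -> "corp.example.com"
    $dcParts = $DistinguishedName -split ',' | Where-Object { $_ -like 'DC=*' } |
               ForEach-Object { $_.Substring(3) }
    return ($dcParts -join '.')
}

foreach ($name in $groups.Keys) {
    $g = Get-ADGroup -Identity $name -ErrorAction Stop

    # Forefront UAG DirectAccess uses global or universal security groups; domain local
    # groups and distribution groups are not usable here
    if ($g.GroupCategory -ne 'Security' -or $g.GroupScope -eq 'DomainLocal') {
        Write-Warning "${name}: must be a global or universal security group (is $($g.GroupScope) $($g.GroupCategory))"
    }

    $members   = @(Get-ADGroupMember -Identity $g -Recursive)
    $computers = @($members | Where-Object { $_.objectClass -eq 'computer' })

    foreach ($m in $members) {
        if ($m.objectClass -ne 'computer') {
            # Group policy for DirectAccess targets computer accounts, not users
            Write-Warning "${name}: member $($m.Name) is a $($m.objectClass), not a computer account"
            continue
        }
        $domain = Get-DomainFromDN -DistinguishedName $m.DistinguishedName
        # Application servers for extended IPsec must be in the DirectAccess server's forest;
        # clients may also be in trusted domains or forests, so only app servers are checked here
        if ($groups[$name] -eq 'application servers' -and $forestDomains -notcontains $domain) {
            Write-Warning "${name}: $($m.Name) is in $domain, outside the DirectAccess server's forest"
        }
    }

    "{0}: {1} computer member(s), scope {2}" -f $name, $computers.Count, $g.GroupScope
}
```

The script only reports; add the missing computers with `Add-ADGroupMember` and, if a group has the wrong scope, recreate it with `New-ADGroup -GroupScope Global -GroupCategory Security` rather than changing the scope of a group that other policies depend on.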
Planning for GPOs
During deployment you can choose to let Forefront UAG DirectAccess automatically create GPOs for DirectAccess clients, the DirectAccess server, and internal infrastructure servers. As an alternative, you can specify preexisting GPOs that Forefront UAG DirectAccess should use. This is useful if the Forefront UAG administrator does not have GPO permissions, or if your organization uses a specific naming policy for GPOs. If you want to use predefined GPOs, do the following before beginning deployment:
Ensure that the user account running the script that populates the predefined GPOs during DirectAccess deployment has Write permission on each GPO; otherwise a warning is issued. We also recommend that you configure Read permission for the Forefront UAG DirectAccess administrator on the predefined GPOs. If you do not, automatic validation of the GPOs during DirectAccess configuration and deployment might fail.
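The following PowerShell script is an added example, not part of the Forefront UAG documentation, that checks the two permission requirements just described on each predefined GPO: Write (edit) permission for the account that runs the generated configuration script, and at least Read permission for the Forefront UAG DirectAccess administrator. It assumes the Group Policy module for Windows PowerShell on a domain-joined host; the GPO names and account names are assumptions, and both accounts are assumed to be user accounts (use `-TargetType Group` for groups).

```powershell
# Added example (not from the Forefront UAG documentation).
# Checks, and optionally grants, the permissions Forefront UAG DirectAccess needs on
# predefined GPOs.
Import-Module GroupPolicy

$predefinedGpos = @('DA Client Settings', 'DA Server Settings', 'DA Management Servers')  # assumed names
$scriptAccount  = 'da-deploy'   # assumed account that runs the generated configuration script
$uagAdmin       = 'uag-admin'   # assumed Forefront UAG DirectAccess administrator
$fix            = $false        # set to $true to grant any missing permission

# Permission levels that include the ability to write the GPO, and those that include reading it
$writeLevels = @('GpoEdit', 'GpoEditDeleteModifySecurity')
$readLevels  = $writeLevels + @('GpoRead', 'GpoApply')

function Get-GpoLevel {
    param([string]$Gpo, [string]$Account)
    # Get-GPPermission reports an error when the trustee has no entry on the GPO;
    # treat that as no permission
    try {
        $p = Get-GPPermission -Name $Gpo -TargetName $Account -TargetType User -ErrorAction Stop
        return $p.Permission.ToString()
    } catch {
        return 'None'
    }
}

foreach ($gpo in $predefinedGpos) {
    $scriptLevel = Get-GpoLevel -Gpo $gpo -Account $scriptAccount
    if ($writeLevels -notcontains $scriptLevel) {
        Write-Warning "${gpo}: $scriptAccount has '$scriptLevel'; Write (GpoEdit) is required to populate the GPO"
        if ($fix) {
            Set-GPPermission -Name $gpo -TargetName $scriptAccount -TargetType User -PermissionLevel GpoEdit | Out-Null
        }
    }

    $adminLevel = Get-GpoLevel -Gpo $gpo -Account $uagAdmin
    if ($readLevels -notcontains $adminLevel) {
        Write-Warning "${gpo}: $uagAdmin has '$adminLevel'; Read is recommended so GPO validation does not fail"
        if ($fix) {
            Set-GPPermission -Name $gpo -TargetName $uagAdmin -TargetType User -PermissionLevel GpoRead | Out-Null
        }
    }

    "{0}: script account = {1}, administrator = {2}" -f $gpo, $scriptLevel, $adminLevel
}
```

Run it with `$fix = $false` first to see what would change; GpoEdit is the least permission level that includes Write, so the script does not grant GpoEditDeleteModifySecurity, which would also let the account change the GPO's permissions.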
The configuration script generated during Forefront UAG DirectAccess deployment is applied to predefined GPOs as follows:
If you want to use GPOs generated by Forefront UAG DirectAccess, do the following:
Planning for multiple domains
Planning for authentication domains
Domains required for authentication are those containing the domain controllers required to authenticate accounts over the infrastructure tunnel. During deployment, client domains are automatically added as authentication domains. Plan to add additional authentication domains as follows: