Infrastructure servers

You must have at least one domain controller running Windows Server 2003 or later, and a Domain Name System (DNS) server that supports dynamic updates. You can use DNS servers that do not support dynamic updates, but entries must then be updated manually.
For more information, see Designing a DNS infrastructure for Forefront UAG DirectAccess.
Machine Certificates

- You must install and configure a Certification Authority (CA) for issuing client authentication certificates, if one does not already exist.
- You must provision a machine certificate to all Forefront UAG DirectAccess servers and DirectAccess clients.
  Note: You may choose to provision the certificates by enabling domain certificate autoenrollment for Forefront UAG DirectAccess servers and clients, using security groups, OUs, and group policy.
- Forefront UAG DirectAccess servers and clients must trust the CA chain that issues the root and intermediate certificates.
For more information, see Designing your PKI for Forefront UAG DirectAccess.
IP-HTTPS certificates

You can use two types of IP-HTTPS certificates:
- Public: supplied by a third party. A Web site certificate used for IP-HTTPS authentication. The certificate subject must be the externally resolvable FQDN that is used only for IP-HTTPS connections to the Forefront UAG DirectAccess server.
  Note: This certificate must be copied to all array nodes.
- Private: the following are required, if they do not already exist:
  - A Web site certificate used for IP-HTTPS authentication. The certificate subject should be the URL of the Forefront UAG DirectAccess server.
    Note: This certificate must be copied to all array nodes.
    For more information on setting up PKI, see Active Directory Certificate Services (http://go.microsoft.com/fwlink/?LinkId=154397).
  - A certificate revocation list (CRL) distribution point that is reachable from a publicly resolvable fully qualified domain name (FQDN).
    For more information, see Planning the placement of CRL distribution points.
Forefront UAG DirectAccess server

The Forefront UAG DirectAccess server has the following requirements:
- It must be running Windows Server 2008 R2 Standard (RTM release) or Windows Server 2008 R2 Enterprise (RTM release).
- It must be joined to an Active Directory domain.
- It must have at least two physical network adapters installed.
  Note: One network adapter should be configured as Internal, and one as External, in the Forefront UAG Getting Started Wizard.
- IPv6 transition technologies should not be disabled.
For more information on transition technologies, see IPv6 Transition Technologies (http://go.microsoft.com/fwlink/?LinkId=154382).
Forefront UAG DirectAccess client

A Forefront UAG DirectAccess client must be:
- Running Windows 7 Enterprise or Windows 7 Ultimate.
- Joined to an Active Directory domain.
Global or universal security groups or Organizational Units (OUs) for Forefront UAG DirectAccess clients

You can also use existing global or universal groups.
For more information, see Create a New Group (http://go.microsoft.com/fwlink/?LinkId=154396).
Network location server with an HTTPS-based URL

This should be on a server with high availability and a valid SSL certificate trusted by the DirectAccess clients.
Warning: You must not configure your Forefront UAG DirectAccess server or your domain controller as the network location server.
For more information, see Specifying the network location server.
Routing

Configure routing as follows:
- When native IPv6 is deployed in the organization, add a route so that the routers on the internal network route IPv6 traffic back through the Forefront UAG DirectAccess server.
- Manually configure organization IPv4 and IPv6 routes on the Forefront UAG DirectAccess servers. Add a published route so that all traffic with an organization (/48) IPv6 prefix is forwarded to the internal network. In addition, for IPv4 traffic, add explicit routes so that IPv4 traffic is forwarded to the internal network.
For more information, see Designing addressing and routing for the Forefront UAG DirectAccess server.
When using additional firewalls

When using additional firewalls, apply the following Internet-facing firewall exceptions for Forefront UAG DirectAccess traffic when the Forefront UAG DirectAccess server is on the IPv4 Internet:
- Teredo traffic: User Datagram Protocol (UDP) destination port 3544 inbound, and UDP source port 3544 outbound.
- 6to4 traffic: IP Protocol 41 inbound and outbound.
- IP-HTTPS: Transmission Control Protocol (TCP) destination port 443 inbound, and TCP source port 443 outbound.
Note: For Teredo and 6to4 traffic, these exceptions should be applied for both of the Internet-facing consecutive public IPv4 addresses on the Forefront UAG DirectAccess server. For IP-HTTPS, the exceptions need only be applied for the first of the Internet-facing consecutive public IPv4 addresses.
For more information, see Packet filtering for the Internet firewall.

When using additional firewalls, apply the following Internet-facing firewall exceptions for Forefront UAG DirectAccess traffic when the Forefront UAG DirectAccess server is on the IPv6 Internet:
- IP Protocol 50.
- UDP destination port 500 inbound, and UDP source port 500 outbound.
- Internet Control Message Protocol for IPv6 (ICMPv6) traffic inbound and outbound.
For more information, see Packet filtering for the Internet firewall.

When using additional firewalls, apply the following internal network firewall exceptions for Forefront UAG DirectAccess traffic:
- ISATAP: Protocol 41 inbound and outbound.
- TCP/UDP for all IPv4/IPv6 traffic.
- ICMP for all IPv4/IPv6 traffic.
For more information, see Packet filtering for intranet firewalls.
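As an added check that is not part of the original page, the following Python builds the Internet-facing exception set the IPv4 Internet case above requires for the server's two consecutive public IPv4 addresses (Teredo and 6to4 on both, IP-HTTPS on the first only) and compares it with a constructed sample rule set. The addresses, the rule tuple layout, and the sample rules are assumptions made for the example.

```python
"""Compare an Internet firewall rule set with the Forefront UAG DirectAccess
exceptions for the IPv4 Internet case (added example, not from the page)."""
import ipaddress

def required_rules(first, second):
    """Return the set of (address, protocol, port, direction) tuples the
    Internet-facing firewall must allow for the server's two consecutive
    public IPv4 addresses. Port is None for protocol-level (6to4) rules."""
    first, second = ipaddress.IPv4Address(first), ipaddress.IPv4Address(second)
    if int(second) - int(first) != 1:
        raise ValueError("DirectAccess needs two consecutive public IPv4 addresses")
    rules = set()
    for addr in (str(first), str(second)):
        rules.add((addr, "udp", 3544, "in"))    # Teredo: UDP dst port 3544 inbound
        rules.add((addr, "udp", 3544, "out"))   # Teredo: UDP src port 3544 outbound
        rules.add((addr, "41", None, "in"))     # 6to4: IP protocol 41 inbound
        rules.add((addr, "41", None, "out"))    # 6to4: IP protocol 41 outbound
    # IP-HTTPS is only needed on the first of the two consecutive addresses.
    rules.add((str(first), "tcp", 443, "in"))   # TCP dst port 443 inbound
    rules.add((str(first), "tcp", 443, "out"))  # TCP src port 443 outbound
    return rules

def check_rules(configured, first, second):
    """Return (missing, not_required): rules the firewall lacks, and
    configured rules the page does not call for."""
    required = required_rules(first, second)
    configured = set(configured)
    return (sorted(required - configured, key=str),
            sorted(configured - required, key=str))

# Constructed sample: documentation addresses, and a rule set where the
# outbound Teredo rule for the second address is missing and IP-HTTPS was
# also opened on the second address (not needed per the note above).
FIRST_IP, SECOND_IP = "203.0.113.10", "203.0.113.11"
SAMPLE_RULES = [
    ("203.0.113.10", "udp", 3544, "in"), ("203.0.113.10", "udp", 3544, "out"),
    ("203.0.113.11", "udp", 3544, "in"),
    ("203.0.113.10", "41", None, "in"), ("203.0.113.10", "41", None, "out"),
    ("203.0.113.11", "41", None, "in"), ("203.0.113.11", "41", None, "out"),
    ("203.0.113.10", "tcp", 443, "in"), ("203.0.113.10", "tcp", 443, "out"),
    ("203.0.113.11", "tcp", 443, "in"),
]

if __name__ == "__main__":
    missing, extra = check_rules(SAMPLE_RULES, FIRST_IP, SECOND_IP)
    print("missing:", missing)
    print("not required by the page:", extra)
```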
Network interface settings for a single server Forefront UAG DirectAccess deployment

The following network interface settings are required for a single server Forefront UAG DirectAccess deployment:
- Two Internet-facing consecutive public static IPv4 addresses.
  Important: When configuring your TCP/IP properties on the Forefront UAG DirectAccess server, do not configure Internet DNS servers on any of the Forefront UAG DirectAccess server interfaces, as this could cause DNS64 performance degradation.
- If your organization has an internal IPv6 deployment, make sure that you configure an internal static IPv6 address.
- An internal static IPv4 address for NAT64.
Note: These addresses are configured by using Change adapter settings in the Windows Network and Sharing Center.
Network interface settings for a network load balanced Forefront UAG DirectAccess server in an array

When configuring network interface settings, you must configure static virtual IP addresses (VIPs) and dedicated IP addresses (DIPs). A DIP is the existing unique per-node IP address. The following network interface settings are required for a network load balanced Forefront UAG DirectAccess server in an array:
- Two Internet-facing consecutive public IPv4 addresses (VIPs).
- An Internet-facing static IPv4 address (DIP).
  Important: When configuring your TCP/IP properties on the Forefront UAG DirectAccess server, do not configure Internet DNS servers on any of the Forefront UAG DirectAccess server interfaces, as this could cause DNS64 performance degradation.
- An internal network facing static IPv6 address (DIP).
- An internal network facing IPv6 address (VIP). This must be on the same subnet as the internal network facing IPv6 DIP.
- An internal network facing static IPv4 address (DIP).
- An internal network facing IPv4 address (VIP). This must be on the same subnet as the internal network facing IPv4 DIP.
Note: DIPs are configured by using Change adapter settings in the Windows Network and Sharing Center, and VIPs in the Forefront UAG Network Load Balancing configuration. VIPs are configured only on the array manager.
For more information, see Configuring NLB for a Forefront UAG DirectAccess array in SP1.
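As an added example, not from the original page, covering the single-server and array interface requirements above: Python that checks a constructed array-node configuration for two consecutive external VIPs, internal VIPs on the subnet of their matching DIP, and Internet DNS servers configured on any interface. The configuration layout, the documentation-range addresses, and the rule that a DNS server outside the listed internal networks counts as an Internet DNS server are assumptions made for the example.

```python
"""Check the network interface settings of a Forefront UAG DirectAccess
array node against the VIP/DIP rules above (added example, not from the page)."""
import ipaddress

def consecutive(first, second):
    """True when second is the address immediately after first."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(second)
    return a.version == b.version and int(b) - int(a) == 1

def on_dip_subnet(vip, dip_interface):
    """True when the VIP lies inside the subnet of the DIP's interface,
    e.g. VIP 10.0.0.50 against DIP 10.0.0.5/24."""
    return ipaddress.ip_address(vip) in ipaddress.ip_interface(dip_interface).network

def validate_array_node(cfg):
    """Return a list of findings; an empty list means the settings pass."""
    findings = []
    vips = cfg["external_vips"]
    # Two Internet-facing consecutive public IPv4 addresses (VIPs).
    if len(vips) != 2 or not consecutive(vips[0], vips[1]):
        findings.append("external VIPs must be two consecutive IPv4 addresses")
    # Each internal VIP must be on the same subnet as the matching DIP.
    for fam in ("ipv4", "ipv6"):
        vip, dip = cfg["internal_%s_vip" % fam], cfg["internal_%s_dip" % fam]
        if not on_dip_subnet(vip, dip):
            findings.append("internal %s VIP %s is not on the subnet of DIP %s" % (fam, vip, dip))
    # No Internet DNS servers on any interface (DNS64 degradation). Assumption:
    # a DNS server outside the listed internal networks is an Internet DNS server.
    internal = [ipaddress.ip_network(n) for n in cfg["internal_networks"]]
    for iface, servers in cfg["dns_servers"].items():
        for server in servers:
            if not any(ipaddress.ip_address(server) in net for net in internal):
                findings.append("interface %s lists Internet DNS server %s" % (iface, server))
    return findings

# Constructed sample node using documentation address ranges. Two settings are
# deliberately wrong: the IPv6 VIP is on a different /64 than the IPv6 DIP, and
# the external adapter points at a public DNS server.
SAMPLE_NODE = {
    "external_vips": ["203.0.113.10", "203.0.113.11"],
    "external_dip": "203.0.113.12",
    "internal_ipv4_dip": "10.0.0.5/24",
    "internal_ipv4_vip": "10.0.0.50",
    "internal_ipv6_dip": "2001:db8:1:10::5/64",
    "internal_ipv6_vip": "2001:db8:1:20::50",
    "dns_servers": {"External": ["198.51.100.53"], "Internal": ["10.0.0.2"]},
    "internal_networks": ["10.0.0.0/8", "2001:db8:1::/48"],
}

if __name__ == "__main__":
    for finding in validate_array_node(SAMPLE_NODE):
        print("FAIL:", finding)
```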
Further prerequisites for a Forefront UAG DirectAccess
SP1 deployment are described in these topics: