This topic describes how to configure the list of management servers and domain controllers that need to communicate with DirectAccess clients. DirectAccess clients initiate communications with management servers that provide services such as Windows Update, NAP, and antivirus updates. DirectAccess clients also contact domain controllers to obtain Kerberos authentication before accessing the internal network. Management servers communicate with DirectAccess clients to perform management functions such as software or hardware inventory assessments. Only DirectAccess clients that are members of the security groups specified in the DirectAccess Client Configuration section of the Forefront UAG DirectAccess Configuration Wizard can communicate with management servers through Forefront UAG DirectAccess. Management traffic does not require successful smart card authentication.

Note:
Ensure that you add the following to the list of management servers and domain controllers:
  • If NAP is enforced by Forefront UAG DirectAccess, include the servers used for NAP health checks and remediation; for example, HRA and Windows Update servers.

  • If smart card use is enforced, include the servers that must be reachable before the user logs on; for example, antivirus, Windows Update, and machine management servers.

  • Include all domain controllers from all the domains that have client computers contained in the security groups specified in the Client Configuration section of the wizard.

  • Include all domain controllers from the domains of users who have client computers enabled for Forefront UAG DirectAccess. This allows a user from another domain, working on a client computer in the local domain that is enabled for Forefront UAG DirectAccess, to be authenticated by a domain controller in the user's domain.

To manage remote client computers

  1. In the Infrastructure Servers section of the wizard, on the Management Servers and DCs page, follow these instructions to add or delete a management server or domain controller.

    1. To add a management server sub-group, in the left pane, right-click Management, click Add Group to 'Management', enter a new management group name, and then click OK.

      Note:
      Access enabling groups must have unique names. This applies to all levels of the access enabling group tree.
    2. To add a new domain, in the left pane, right-click Domains, click Add Domain to 'Domains', enter a new domain name, and then click OK.

      Note:
      • All domain controllers in a domain are automatically discovered and selected when you add a new domain to the Domains management group.

      • Click the Refresh icon to update the domain controller list.

      • If a domain controller does not appear in the domain controller list, create a subgroup called Custom domain controllers, and then add the domain controller to that group.

      • To include or exclude a domain controller, in the left pane, click on the relevant domain in the Domains management group, and in the right pane, select or clear the relevant domain controller check box.

    3. To add a management server, in the left pane, right-click a management server sub-group, click Add Server, enter a server name, IP address or IPv6 prefix, and click OK.

    4. To add multiple management servers, in the left pane, click a management server sub-group, click the Add Server box, and click Add Multiple Servers.

      In the Add Computer or Address dialog box, add servers by doing either of the following:

      • Enter a server name, IP address or IPv6 prefix, click Add (repeat for each server you want to add), and then click OK.

      • Copy a list of server names, IP addresses or IPv6 prefixes of the servers you want to add into the server list area, and then click OK. To delete a server from the list box, select the server name, right-click it, and then click Delete.

    5. To delete a management sub-group, domain, or management server, right-click the item you want to delete, and then click Remove.

      Note:
      Discovered domain controllers cannot be deleted using the interface. If you do not want to use one of the automatically discovered domain controllers, clear the relevant check box.
  2. Click Finish.
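The list pasted in step 4 and the domain controller coverage required by the note above can be checked before the entries go into the wizard. The following Python is an added example, not part of Forefront UAG or of this documentation; the sample entries, the discovered domain controllers and the selected DC entries are constructed, and rejecting IPv4 prefixes is an assumption drawn from the three input forms the wizard text names (server name, IP address, IPv6 prefix).

```python
import ipaddress
import re

# Host names: RFC 1123 style labels, dot-separated, optional trailing dot.
_HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$")

def classify_entry(entry):
    """Classify one pasted line as 'name', 'ip', 'ipv6prefix' or 'invalid'."""
    e = entry.strip()
    if "/" in e:
        try:
            net = ipaddress.ip_network(e, strict=True)  # host bits set -> ValueError
        except ValueError:
            return "invalid"
        # Assumption: only IPv6 prefixes pass, the prefix form the wizard text names.
        return "ipv6prefix" if net.version == 6 else "invalid"
    try:
        ipaddress.ip_address(e)
        return "ip"
    except ValueError:
        return "name" if _HOSTNAME_RE.match(e) else "invalid"

def validate_server_list(text):
    """Split a pasted list into (accepted, invalid, duplicates); entries compare case-insensitively."""
    accepted, invalid, duplicates, seen = [], [], [], set()
    for e in (line.strip() for line in text.splitlines() if line.strip()):
        if classify_entry(e) == "invalid":
            invalid.append(e)
        elif e.lower() in seen:
            duplicates.append(e)
        else:
            seen.add(e.lower())
            accepted.append(e)
    return accepted, invalid, duplicates

def missing_domain_controllers(discovered, configured):
    """Per domain, list discovered DCs that no configured entry covers (case-insensitive, trailing dot ignored)."""
    have = {c.lower().rstrip(".") for c in configured}
    gaps = {d: [dc for dc in dcs if dc.lower().rstrip(".") not in have] for d, dcs in discovered.items()}
    return {d: m for d, m in gaps.items() if m}
# Constructed sample: a pasted list with one duplicate and two lines the wizard would not accept.
SAMPLE_LIST = "hra01.corp.example.com\n10.0.10.25\n2001:db8:10::/64\nwsus01.corp.example.com\nHRA01.corp.example.com\n192.168.1.0/24\nbad host\n"
# Constructed: DCs as the Domains group would discover them, and the DC entries an admin selected.
DISCOVERED_DCS = {"corp.example.com": ["dc01.corp.example.com", "dc02.corp.example.com"],
                  "eu.example.com": ["dc01.eu.example.com"]}
SELECTED_DCS = ["dc01.corp.example.com", "DC02.corp.example.com."]

def check_sample():
    # Runs both checks over the constructed data: (accepted, invalid, duplicates, uncovered DCs).
    ok, bad, dup = validate_server_list(SAMPLE_LIST)
    return ok, bad, dup, missing_domain_controllers(DISCOVERED_DCS, ok + SELECTED_DCS)
```

A non-empty uncovered map means a domain from the note above still lacks a domain controller entry; those DCs belong in the Domains group or in a Custom domain controllers sub-group.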

For instructions on configuring the next step of the Forefront UAG DirectAccess Configuration Wizard, see Identifying and configuring application servers.