Prerequisite
|
Details
|
Infrastructure servers
|
You must have at least one domain controller running Windows
Server 2003 or later, and a Domain Name System (DNS) server that
supports dynamic updates. You can use DNS servers that do not
support dynamic updates, but entries must be manually updated.
For more information, see Designing a DNS
infrastructure for Forefront UAG DirectAccess.
|
Machine Certificates
|
- You must install and configure a
Certification Authority (CA) for issuing client authentication
certificates, if one does not already exist.
- You must provision a machine certificate to
all Forefront UAG DirectAccess clients.
Note: |
You may choose to provision the certificates by enabling domain
certificate autoenrollment for Forefront UAG DirectAccess clients,
using their security group and group policy. |
- Domain clients must trust the root CA, and any intermediate CAs,
in the chain of the CA that issues these certificates.
For more information, see Designing your PKI for
Forefront UAG DirectAccess.
|
IP-HTTPS certificates
|
You can use two types of IP-HTTPS certificates:
- Public—Supplied by a third-party CA.
A web (server authentication) certificate is required for IP-HTTPS
authentication. The certificate subject name must match the public
FQDN in the IP-HTTPS URL of the Forefront UAG DirectAccess server,
because clients validate that name before the tunnel is established.
Note: |
This certificate must be copied to all array nodes. |
- Private—Issued by your own CA.
The following are required, if they do not already exist:
- A web certificate used for IP-HTTPS
authentication. The certificate subject name must match the public
FQDN in the IP-HTTPS URL of the Forefront UAG DirectAccess server.
Note: |
This certificate must be copied to all array nodes. |
For more information on setting up PKI, see Active Directory Certificate Services
(http://go.microsoft.com/fwlink/?LinkId=154397).
- A certificate revocation list (CRL)
distribution point that is reachable from the Internet at a publicly
resolvable fully qualified domain name (FQDN). DirectAccess clients
check the CRL of the IP-HTTPS certificate while they are still on the
Internet, so a CRL that is published only on the intranet (for
example, only at an LDAP path in Active Directory) causes IP-HTTPS
connections to fail.
For more information, see Planning the placement
of CRL distribution points.
|
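The following script is an added example and is not part of the Forefront UAG documentation. Run on the Forefront UAG DirectAccess server, it finds the IP-HTTPS certificate in the machine store by the public FQDN (subject CN or a DNS entry in the Subject Alternative Name), checks that it has a private key, is not about to expire and carries the Server Authentication EKU, and then checks that every HTTP CRL distribution point in the certificate points at a multi-label name that resolves. The value of $PublicFqdn is an assumed placeholder.

```powershell
# Added example, not part of the Forefront UAG documentation. Run on the
# Forefront UAG DirectAccess server (PowerShell 2.0 or later). $PublicFqdn is
# an assumed placeholder: the host name in the IP-HTTPS URL.
$PublicFqdn = "da.example.com"

function Get-ExtensionText($Cert, $Oid) {
    # Human-readable text of one X.509 extension, or $null if absent.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if ($ext) { $ext.Format($false) } else { $null }
}

function Test-IpHttpsCertificate($Fqdn) {
    $ok = $true
    $escaped = [regex]::Escape($Fqdn)
    # Candidates: machine store, private key present, name in subject CN or
    # in the Subject Alternative Name extension (OID 2.5.29.17).
    $certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and (
            $_.Subject -match ('(^|, )CN=' + $escaped + '(,|$)') -or
            ((Get-ExtensionText $_ "2.5.29.17") -match ('DNS Name=' + $escaped + '(,|$)'))
        )
    }
    if (-not $certs) {
        Write-Warning "No certificate with a private key for $Fqdn in LocalMachine\My"
        return $false
    }
    foreach ($c in $certs) {
        Write-Host ("Thumbprint {0}  expires {1}" -f $c.Thumbprint, $c.NotAfter)
        if ($c.NotAfter -lt (Get-Date).AddDays(30)) {
            Write-Warning "Certificate expires within 30 days"; $ok = $false
        }
        # Enhanced Key Usage (OID 2.5.29.37) must include Server Authentication.
        $eku = $c.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
        if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.1" })) {
            Write-Warning "EKU does not include Server Authentication"; $ok = $false
        }
        # CRL distribution points (OID 2.5.29.31). Only http(s) URLs count:
        # an Internet client cannot follow an ldap:/// path, and it checks the
        # CRL before the IP-HTTPS tunnel exists, so the host must be public.
        $cdp = Get-ExtensionText $c "2.5.29.31"
        $urls = [regex]::Matches([string]$cdp, 'https?://[^\s,\]\)]+') | ForEach-Object { $_.Value }
        if (-not $urls) { Write-Warning "No HTTP CRL distribution point"; $ok = $false }
        foreach ($u in $urls) {
            $crlHost = ([uri]$u).Host
            if ($crlHost -notmatch '\.') {
                Write-Warning "CRL host '$crlHost' is a single-label name, not publicly resolvable ($u)"
                $ok = $false; continue
            }
            try {
                [void][System.Net.Dns]::GetHostAddresses($crlHost)
                Write-Host "CRL host $crlHost resolves ($u)"
            } catch {
                Write-Warning "CRL host '$crlHost' does not resolve ($u)"; $ok = $false
            }
        }
    }
    return $ok
}

Test-IpHttpsCertificate $PublicFqdn
```

Name resolution from the server only proves the CRL name exists in the DNS the server uses; repeat the resolution from a host on the Internet to confirm the name is public. Run the script on every array node, since the certificate must be present on each of them.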
Forefront UAG DirectAccess server
|
The Forefront UAG DirectAccess server has the following
requirements:
- It must be running
Windows Server 2008 R2 Standard (RTM release), or
Windows Server 2008 R2 Enterprise (RTM release).
- It must be joined to an Active Directory
domain.
- It must have two physical network adapters
installed.
Note: |
The network adapters should be configured as Internal and
External in the Forefront UAG Getting Started Wizard. |
- IPv6 transition technologies should not be
disabled.
For more information on transition technologies, see IPv6 Transition Technologies
(http://go.microsoft.com/fwlink/?LinkId=154382).
|
Forefront UAG DirectAccess client
|
A Forefront UAG DirectAccess client must be:
- Running Windows 7 Enterprise, or Windows 7
Ultimate.
- Joined to an Active Directory domain.
|
Global or universal security groups for Forefront UAG
DirectAccess clients
|
Create one or more global or universal security groups that contain
the computer accounts of the Forefront UAG DirectAccess clients; the
DirectAccess group policy settings and certificate autoenrollment are
targeted at these groups. You can also use existing global or universal
groups.
For more information, see Create a New Group
(http://go.microsoft.com/fwlink/?LinkId=154396).
|
Network location server with an HTTPS based URL
|
A DirectAccess client decides where it is by attempting an HTTPS
connection to this URL: if the connection succeeds, the client assumes
it is on the intranet and does not use DirectAccess; if it fails, the
client assumes it is on the Internet. An unavailable network location
server therefore makes intranet clients behave as if they were remote,
so it should be on a server with high availability, and a valid SSL
certificate trusted by the DirectAccess clients.
Warning: |
You must not configure your Forefront UAG DirectAccess server
as the network location server. |
For more information, see Specifying the network
location server.
|
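The following script is an added example and is not part of the Forefront UAG documentation. Run on a domain-joined client on the intranet, it makes the HTTPS request that a DirectAccess client makes to the network location server and reports whether it would count as a successful "inside" detection, and it flags the configuration the warning above forbids (the URL pointing at the Forefront UAG DirectAccess server). $NlsUrl and $UagServerFqdn are assumed placeholders.

```powershell
# Added example, not part of the Forefront UAG documentation. Run on a
# domain-joined intranet client. $NlsUrl and $UagServerFqdn are assumed
# placeholders for the network location server URL and the UAG server name.
$NlsUrl = "https://nls.corp.example.com/"
$UagServerFqdn = "uag1.corp.example.com"

function Test-NetworkLocationServer($Url, $UagFqdn) {
    $result = @{ Url = $Url; OnUagServer = $false; Reachable = $false; Status = ""; Error = "" }
    # The network location server must not be the UAG DirectAccess server.
    if (([uri]$Url).Host -ieq $UagFqdn) { $result.OnUagServer = $true }
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = "GET"
    $req.Timeout = 5000
    $req.AllowAutoRedirect = $false
    try {
        $resp = $req.GetResponse()
        $result.Reachable = $true
        $result.Status = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        # Status 'TrustFailure' means this client does not trust the SSL
        # certificate or the name does not match it; 'NameResolutionFailure'
        # or 'ConnectFailure' means the server is down or unreachable. In each
        # case a DirectAccess client would conclude it is on the Internet.
        $result.Status = $_.Exception.Status.ToString()
        $result.Error = $_.Exception.Message
    }
    New-Object PSObject -Property $result
}

Test-NetworkLocationServer $NlsUrl $UagServerFqdn | Format-List
```

Reachable set to True with OnUagServer False is the expected result on the intranet; the same request from the Internet must fail, otherwise remote clients will never enable DirectAccess.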
Routing
|
Configure routing as follows:
- When IPv6 is deployed in the organization,
add a route on the routers on the internal network so that IPv6
traffic destined for DirectAccess clients is routed back through the
Forefront UAG DirectAccess server; otherwise return traffic from
internal hosts has no path to the clients.
- Manually configure organization IPv4 and IPv6
routes on the Forefront UAG DirectAccess servers. Add a published
route so that all traffic with an organization (/48) IPv6 prefix is
forwarded to the internal network. In addition, for IPv4 traffic,
add explicit routes so that IPv4 traffic is forwarded to the
internal network.
|
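The following commands are an added example and are not part of the Forefront UAG documentation. They show the server-side half of the routing above on a single Forefront UAG DirectAccess server: a published, persistent route for the organization /48 IPv6 prefix through the internal adapter, and an explicit persistent IPv4 route to the internal network. The prefix, networks, gateway addresses and the adapter name "Internal" are assumed placeholders; the route on the internal routers is specific to your routing platform and is not shown.

```powershell
# Added example, not part of the Forefront UAG documentation. Run in an
# elevated PowerShell session on the Forefront UAG DirectAccess server.
# All values below are assumed placeholders for your environment.
$OrgIPv6Prefix     = "2001:db8:1::/48"   # organization IPv6 prefix
$InternalV6Gateway = "2001:db8:1:1::1"   # internal router, IPv6
$InternalV4Net     = "10.0.0.0"          # internal IPv4 network
$InternalV4Mask    = "255.0.0.0"
$InternalV4Gateway = "10.0.0.1"          # internal router, IPv4
$InternalIfName    = "Internal"          # adapter name set in the Getting Started Wizard

# Organization /48: forwarded to the internal network via the internal router.
# publish=yes makes the server advertise the route to its IPv6 neighbours;
# store=persistent keeps it across reboots.
netsh interface ipv6 add route "prefix=$OrgIPv6Prefix" "interface=$InternalIfName" "nexthop=$InternalV6Gateway" publish=yes store=persistent

# Explicit IPv4 route to the internal network. The internal adapter must not
# carry a default gateway; the default route belongs on the external adapter,
# which is why the internal networks need explicit routes.
route -p add $InternalV4Net mask $InternalV4Mask $InternalV4Gateway

# Verify: the /48 should show Publish=Yes; the IPv4 route should appear
# under "Persistent Routes".
netsh interface ipv6 show route
route print -4
```

Repeat the IPv4 route for every internal IPv4 summary that is not covered by the internal adapter's own subnet, and check that the internal router's route for the DirectAccess client prefixes points back at the server's internal IPv6 address.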
When using additional firewalls
|
When using additional firewalls, apply the following
Internet-facing firewall exceptions for Forefront UAG DirectAccess
traffic when the Forefront UAG DirectAccess server is on the IPv4
Internet:
- Teredo traffic—User Datagram Protocol (UDP)
destination port 3544 inbound, and UDP source port 3544
outbound.
- 6to4 traffic—Protocol 41 inbound and
outbound
- IP-HTTPS—Transmission Control Protocol (TCP)
destination port 443 inbound, and TCP source port 443 outbound
For more information, see Packet filtering for the
Internet firewall.
When using additional firewalls, apply the following
Internet-facing firewall exceptions for Forefront UAG DirectAccess
traffic when the Forefront UAG DirectAccess server is on the IPv6
Internet:
- Protocol 50 (IPsec ESP) inbound and outbound
- UDP destination port 500 (IKE) inbound, and UDP
source port 500 outbound
- Internet Control Message Protocol for IPv6
(ICMPv6) traffic inbound and outbound
For more information, see Packet filtering for the
Internet firewall.
When using additional firewalls, apply the following internal
network firewall exceptions for Forefront UAG DirectAccess
traffic:
- ISATAP—Protocol 41 inbound and outbound
- TCP/UDP for all IPv4/IPv6 traffic
- ICMP for all IPv4/IPv6 traffic
For more information, see Packet filtering for
intranet firewalls.
|
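The following script is an added example and is not part of the Forefront UAG documentation. It is a client-side way to confirm that the Internet-facing exceptions for the IPv4 Internet case are in effect: run on a Windows 7 DirectAccess client connected to the IPv4 Internet, it tests the TCP 443 path used by IP-HTTPS directly, and infers the Teredo (UDP 3544) and 6to4 (protocol 41) paths from the transition addresses the client has obtained, since those cannot be probed with a plain socket. $UagPublicName is an assumed placeholder.

```powershell
# Added example, not part of the Forefront UAG documentation. Run on a Windows 7
# DirectAccess client on the IPv4 Internet. $UagPublicName is an assumed
# placeholder: the host name in the IP-HTTPS URL.
$UagPublicName = "da.example.com"

function Test-TcpPort($Target, $Port, $TimeoutMs = 5000) {
    # True when a TCP three-way handshake to $Target:$Port completes.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, [int]$Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Get-TransitionAddresses {
    # Global IPv6 addresses on this host, grouped by transition technology.
    $addrs = [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() |
        ForEach-Object { $_.GetIPProperties().UnicastAddresses } |
        ForEach-Object { $_.Address } |
        Where-Object { $_.AddressFamily -eq 'InterNetworkV6' -and -not $_.IsIPv6LinkLocal }
    $result = @{ Teredo = @(); SixToFour = @(); Other = @() }
    foreach ($a in $addrs) {
        $b = $a.GetAddressBytes()
        if ($a.IsIPv6Teredo) {                                 # 2001:0::/32
            $result.Teredo += $a.ToString()
        } elseif ($b[0] -eq 0x20 -and $b[1] -eq 0x02) {        # 2002::/16
            $result.SixToFour += $a.ToString()
        } else {                                               # e.g. the IP-HTTPS prefix
            $result.Other += $a.ToString()
        }
    }
    $result
}

# IP-HTTPS: exercises "TCP destination port 443 inbound" at the firewall.
$ipHttps = Test-TcpPort $UagPublicName 443
$t = Get-TransitionAddresses
Write-Host "IP-HTTPS TCP/443 to $UagPublicName : $ipHttps"
# Teredo: a 2001:0::/32 address is only obtained once UDP 3544 to the Teredo
# server (the UAG server) works in both directions.
Write-Host "Teredo addresses    : $($t.Teredo -join ', ')"
# 6to4: needs a public IPv4 address on this client and protocol 41 both ways.
Write-Host "6to4 addresses      : $($t.SixToFour -join ', ')"
Write-Host "Other IPv6 addresses: $($t.Other -join ', ')"
# Interface-level view of Teredo and IP-HTTPS (output text is locale-specific).
netsh interface teredo show state
netsh interface httpstunnel show interfaces
```

A client behind a NAT is expected to obtain a Teredo address, a client with a public IPv4 address a 6to4 address, and a client whose UDP 3544 and protocol 41 are both filtered should fall back to IP-HTTPS; if the TCP 443 test fails as well, no DirectAccess path is open.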
Network interface settings for a single server Forefront UAG
DirectAccess deployment.
|
The following network interface settings are required for a
single server Forefront UAG DirectAccess deployment:
- Two consecutive Internet-facing public static
IPv4 addresses. Teredo requires two consecutive addresses on the
Teredo server so that clients can detect the type of NAT they are
behind.
Important: |
When configuring your TCP/IP properties on the Forefront UAG
DirectAccess server, do not configure Internet DNS servers on any
of the Forefront UAG DirectAccess server interfaces, as this could
cause DNS64 performance degradation. |
- If your organization has an internal IPv6
deployment, make sure that you configure an internal static IPv6
address.
- An internal static IPv4 address for
NAT64.
Note: |
These addresses are configured by using the Change adapter
settings in the Windows Networking and Sharing
Center. |
|
Network interface settings for network load balanced Forefront
UAG DirectAccess server in an array.
|
When configuring network interface settings, you must configure
static virtual IP addresses (VIPs), and dedicated IP addresses
(DIPs). A DIP is the existing per node unique IP address. The
following network interface settings are required for a network
load balanced Forefront UAG DirectAccess server in an array:
- Two Internet-facing consecutive public IPv4
addresses (VIPs).
- An Internet-facing static IPv4 address
(DIP).
Important: |
When configuring your TCP/IP properties on the Forefront UAG
DirectAccess server, do not configure Internet DNS servers on any
of the Forefront UAG DirectAccess server interfaces, as this could
cause DNS64 performance degradation. |
- An internal network facing static IPv6
address (DIP).
- An internal network facing IPv6 address
(VIP). This must be on the same subnet as the internal network
facing IPv6 DIP.
- An internal network facing static IPv4
address (DIP).
- An internal network facing IPv4 address
(VIP). This must be on the same subnet as the internal network
facing IPv4 DIP.
Note: |
DIPs are configured by using the Change adapter settings
in the Windows Networking and Sharing Center, and VIPs in
the Forefront UAG Network Load Balancing configuration. VIPs are
only configured on the array manager. |
For more information, see Configuring NLB for a
Forefront UAG DirectAccess array.
|
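The following script is an added example and is not part of the Forefront UAG documentation. It covers the interface checks that the single-server and the array sections above share: run on the Forefront UAG DirectAccess server, or on each array node, it lists every IP-enabled adapter with its addresses and DNS servers, flags DNS servers that are not your internal DNS servers (an Internet DNS server on any interface degrades DNS64), and flags adapters that are not statically addressed. $InternalDnsServers is an assumed placeholder.

```powershell
# Added example, not part of the Forefront UAG documentation. Run on the
# Forefront UAG DirectAccess server or on each array node.
# $InternalDnsServers is an assumed placeholder: the internal DNS servers that
# are allowed to appear on the internal adapter.
$InternalDnsServers = @("10.0.0.5", "10.0.0.6")

function Get-AdapterDnsReport($ExpectedDns) {
    $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }
    foreach ($a in $adapters) {
        $dns = @($a.DNSServerSearchOrder | Where-Object { $_ })
        # Any DNS server that is not an internal one is a problem on every
        # adapter: the external adapter should carry no DNS servers at all.
        $unexpected = @($dns | Where-Object { $ExpectedDns -notcontains $_ })
        $problems = @()
        if ($unexpected) { $problems += "unexpected DNS server(s): " + ($unexpected -join ", ") }
        if ($a.DHCPEnabled) { $problems += "DHCP enabled; addresses (DIPs) must be static" }
        New-Object PSObject -Property @{
            Adapter    = $a.Description
            Addresses  = (@($a.IPAddress) -join ", ")
            DnsServers = ($dns -join ", ")
            Problem    = ($problems -join "; ")
        }
    }
}

Get-AdapterDnsReport $InternalDnsServers |
    Format-Table Adapter, Addresses, DnsServers, Problem -AutoSize -Wrap
```

In an array, the report shows only the per-node DIPs, because VIPs are configured in the Forefront UAG Network Load Balancing configuration on the array manager rather than in the adapter settings; confirm separately that each internal VIP is on the same subnet as the corresponding internal DIP listed here.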