The following table compares the new features of Forefront UAG DirectAccess Service Pack 1 (SP1) with Forefront UAG DirectAccess RTM.

Feature RTM SP1 Description

Deployment model

RTM: Not supported

SP1: Can be configured in the Forefront UAG DirectAccess Configuration Wizard. For more planning information, see Planning for remote access and management in Forefront UAG DirectAccess SP1 (http://go.microsoft.com/fwlink/?LinkId=205661).

Description: You can deploy Forefront UAG DirectAccess to allow DirectAccess clients to connect to internal networks, and to remotely manage these clients, or you can deploy Forefront UAG DirectAccess for remote client management only. For more information, see Selecting a deployment model in SP1.

Force tunneling

RTM: Not supported in the user interface.

SP1: Can be configured in the Forefront UAG DirectAccess Configuration Wizard. For more planning information, see Planning for DirectAccess client Internet access in Forefront UAG SP1 (http://go.microsoft.com/fwlink/?LinkID=205662).

Description: Using the Forefront UAG DirectAccess Server Configuration Wizard, you can select whether to send Internet requests from DirectAccess clients directly to the Internet, or to force the tunneling of client Internet requests via the Forefront UAG DirectAccess server. For more information, see Configuring an Internet connectivity method in SP1.

Health verification with Network Access Protection (NAP) policies

RTM: Supported for pre-configured NAP deployments.

SP1: Can be configured in the Forefront UAG DirectAccess Configuration Wizard to automatically install and configure Network Policy Server (NPS) and Health Registration Authority (HRA) roles on the Forefront UAG DirectAccess server. For more planning information, see Planning for client health verification in Forefront UAG DirectAccess SP1 (http://go.microsoft.com/fwlink/?LinkId=205666).

Description: For increased access control, you can verify that DirectAccess clients are compliant with NAP health policies before allowing them access to internal networks. You can implement NAP in enforcement mode, so that only compliant clients are allowed to connect via Forefront UAG DirectAccess, or in monitoring mode, which monitors client health but allows both compliant and non-compliant DirectAccess clients to connect. For more information, see Configuring NAP in SP1.

One-time password (OTP) and smart card authentication

RTM: Smart card two-factor authentication is supported.

SP1: Additional support for OTP two-factor authentication. For more planning information, see Planning for authentication in Forefront UAG DirectAccess SP1 (http://go.microsoft.com/fwlink/?LinkId=205664).

Description: In addition to using Kerberos to authenticate DirectAccess clients, you can optionally require authentication with OTP. For more information, see Configuring two-factor authentication in SP1.

DirectAccess Connectivity Assistant

RTM: Supports DCA version 1.0.

SP1: Supports DCA version 1.5 with additional support for OTP. For more client-side information, see Using DirectAccess Connectivity Assistant (DCA) 1.5.

Description: Forefront UAG Service Pack 1 introduces a new version of the DirectAccess Connectivity Assistant application, available together with SP1. This application can be installed on Forefront UAG DirectAccess client computers to provide DirectAccess status information and troubleshooting options. In the DirectAccess Client Configuration Wizard, you can specify application settings that are saved as client settings in the client GPO, and are then applied to client computers that have the DirectAccess Connectivity Assistant application installed. For information about configuring settings on the DirectAccess server, see Configuring the DirectAccess Connectivity Assistant (DCA) in SP1.

Group Policy Objects (GPO)

RTM: Default GPO creation is supported from the Forefront UAG DirectAccess Configuration Wizard. Changes to GPO creation can be made by editing the Forefront UAG DirectAccess Configuration script.

SP1: The Forefront UAG DirectAccess Configuration Wizard enables you to:

  • Use Forefront UAG DirectAccess generated GPO names.

  • Modify Forefront UAG DirectAccess generated GPO names and location.

  • Use pre-created GPOs.

For more information, see Planning Active Directory for Forefront UAG DirectAccess SP1 (http://go.microsoft.com/fwlink/?LinkId=205663).

Description: Forefront UAG delivers DirectAccess settings to DirectAccess clients and servers, and application servers, using GPOs. Client computers that should receive the DirectAccess client GPO were identified using Active Directory security groups. In SP1, you can identify client computers with Active Directory organizational units in addition to security groups. For more information, see Configuring DirectAccess GPOs in Forefront UAG SP1.

Logging and monitoring

RTM: Monitoring DirectAccess sessions was supported using a PowerShell script.

SP1: Improved DirectAccess session and Forefront UAG DirectAccess server health monitoring, using Web Monitor, TMG and a PowerShell snap-in cmdlet.

Description: SP1 introduces logging and monitoring features for servers and arrays, to allow you to assess the status of Forefront UAG DirectAccess servers and clients. Features include:

  1. Web Monitor—The status of Forefront UAG DirectAccess servers, services, and active session connections is displayed using Web Monitor.

  2. SQL Server logging is enabled by default, and DirectAccess historical session activity is stored in the SQL Server logs, and can be monitored using TMG.

  3. A PowerShell command tool with new features can be run to provide Forefront UAG DirectAccess server health and historical session information.

For more information, see Monitoring Forefront UAG DirectAccess SP1.

Auto-discovery of management servers

RTM: Supported for domain controllers in the Forefront UAG DirectAccess server domain.

SP1: Supported for domain controllers that belong to authentication domains. Also supported for HRA servers and SCCM servers that belong to the same forest as the Forefront UAG DirectAccess server.

For more information, see Planning for remote access and management in Forefront UAG DirectAccess SP1 (http://go.microsoft.com/fwlink/?LinkId=205661).

Description: For more information on deployment, see Specifying management servers in SP1, and Specifying authentication domains in SP1.