The following should be done before configuring the prerequisites for each Forefront UAG DirectAccess optional setting:

Optional setting Before you run an optional setting configuration

Client Connectivity Assistant


  • Connectivity verifier endpoints.

  • A Forefront UAG portal or an alternate troubleshooting portal reachable from the Internet. The DCA client uses this portal to aid in troubleshooting.

  • A default email address that troubleshooting information will be sent to.

NAP Enforcement

  • Decide whether you want to deploy the Network Policy Server (NPS) and Health registration authority (HRA) on the Forefront UAG DirectAccess server.

  • Install a dedicated NAP Certification Authority (CA).

  • Decide on what NAP enforcement mode you want to use in your organization.

Two Factor Authentication

If the management only deployment model is selected this page does not appear.

If you use two-factor authentication, a PKI smart card, RSA SecureID, or Radius infrastructure must be deployed.

In addition when OTP is selected, ensure you do the following:

  • Configure an ACE or Radius server.

  • Install an OTP dedicated Enterprise Certification Authority (CA) running Windows Server 2008 R2.

  • Decide whether to generate and use a PowerShell script from the Forefront UAG DirectAccess Configuration Wizard that configures the CA templates, or whether to configure the templates manually.

  • Ensure that the DirectAccess Connectivity Assistant has been configured in the Forefront UAG DirectAccess Configuration Wizard and that DirectAccess clients have access to the Microsoft_DirectAccess_Connectivity_Assistant.msi client-side DCA installation file.

Internet Connectivity

Decide whether to configure split tunneling or force tunneling.

Server Groups

Create organizational units (OUs) or security groups containing all the Forefront UAG DirectAccess servers.

End-to-End Access

The following should be prepared before configuring end-to-end access:

  • Ensure that all the application servers you wish to configure with end-to-end authentication are running Windows server 2008 or Windows 7, and have with a valid IPv6 address (native or ISATAP).

  • Create a security group, and add as members the applications servers that require end-to-end authentication.

  • If you additionally want to encrypt data end-to-end, decide what IPsec cryptography methods you are going to use.

For planning information, see the following topics: