On completion of the Forefront UAG DirectAccess Configuration Wizard, you can apply the configuration settings immediately or export them to an export script. In certain cases, you might want to modify parameters in the exported script before you apply it.
This topic describes how to edit parameters in the export script that is created at the end of the Forefront UAG DirectAccess Configuration Wizard.
Warning: Unless you are familiar with the parameters in the export script, it is recommended that you do not make any changes.
Modifying and applying static Forefront UAG export script parameters
The export script can include static parameters, which are described in the Static Parameters table that follows. You can modify them in either of two ways: pass new values on the command line when you run the script, or edit the values in the script file and then run it.
To modify the export script parameters from the command line
- On the taskbar, click Start, click All Programs, click Accessories, click Windows PowerShell, right-click Windows PowerShell, and then click Run as administrator.
- At the Windows PowerShell command prompt, type ./script.ps1 -<ParameterName> "<Value>", where script.ps1 is the exported script and <ParameterName> is one of the static parameters in the table. Specify a -<ParameterName> "<Value>" pair for each parameter that you want to change.
Note: See the Static Parameters table that follows this procedure for a description of the static parameters that you can modify and the format that each value must take.
To modify the static script parameters in the script file
- Open the export script in Notepad and, referring to the Static Parameters table that follows this procedure, modify the relevant parameters, and then save the script.
- On the taskbar, click Start, click All Programs, click Accessories, click Windows PowerShell, right-click Windows PowerShell, and then click Run as administrator.
- At the Windows PowerShell command prompt, run the modified script file.
To apply the configuration
Running the script (by either method) only stages the configuration on the Forefront UAG server; it does not take effect until you activate it:
- In the Forefront UAG Management console, click the Activate configuration icon, and then in the Activate Configuration dialog box, click Activate to start the configuration.
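The command-line procedure above, written out as one script. This is an added example and is not code from the Forefront UAG product or its documentation: it backs up the exported script, rejects any override whose name the script does not declare, runs the script with the overrides passed as named parameters, and stops on error so that you only activate a configuration that was applied cleanly. The path C:\UAGExport\DirectAccessConfig.ps1, the override values, and the assumption that the script declares its parameters under exactly the names listed in the Static Parameters table are this example's own.

```powershell
# Added example (not Forefront UAG product or documentation code). Applies a set of
# static-parameter overrides to an exported DirectAccess configuration script.
# Assumptions: $ExportScript is where you saved the export (hypothetical path), and the
# script declares its parameters under the names in the Static Parameters table, so that
# ./script.ps1 -<ParameterName> "<Value>" works as the procedure describes.
# Run from an elevated Windows PowerShell prompt on the Forefront UAG server.

$ExportScript = 'C:\UAGExport\DirectAccessConfig.ps1'   # hypothetical path

# Values to change; every parameter not listed keeps the value the wizard exported.
$Overrides = @{
    UAGDA_IPHTTPS_URL        = 'https://da.company.net:443/IPHTTPS'
    UAGDA_GATEWAY_PUBLIC_IP  = '199.0.0.30'
    UAGDA_CLIENTDNS_FALLBACK = '2'
}

if (-not (Test-Path -LiteralPath $ExportScript)) { throw "Export script not found: $ExportScript" }

# 1. Keep an untouched copy so the wizard's original settings can be re-applied later.
$Backup = '{0}.{1}.bak' -f $ExportScript, (Get-Date -Format 'yyyyMMdd-HHmmss')
Copy-Item -LiteralPath $ExportScript -Destination $Backup
Write-Host "Original export script copied to $Backup"

# 2. Refuse overrides whose names the script does not declare, so a mistyped
#    parameter name is rejected here rather than when the script runs.
$declared = @((Get-Command -Name $ExportScript).Parameters.Keys)
foreach ($name in $Overrides.Keys) {
    if ($declared -notcontains $name) { throw "The export script declares no -$name parameter" }
}

# 3. Show exactly what will be passed, then run the script with the overrides splatted
#    (the same as typing ./script.ps1 -UAGDA_IPHTTPS_URL "..." -UAGDA_GATEWAY_PUBLIC_IP "..." ...).
foreach ($name in ($Overrides.Keys | Sort-Object)) { Write-Host ("  -{0} '{1}'" -f $name, $Overrides[$name]) }
& $ExportScript @Overrides
if (-not $?) { throw 'The export script reported an error; resolve it before activating the configuration.' }

Write-Host 'Export script finished. In the Forefront UAG Management console, click Activate configuration, then Activate.'
```

Splatting keeps the override set in one place that you can review and keep under version control alongside the backup copy, instead of editing values by hand inside the exported script.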
Static Parameters

| Parameter name | Parameter definition | Format type | Example |
|---|---|---|---|
| UAGDA_ACCESS_ENABLING_ADDRESSES_<GroupName>_<#> | IPv6 addresses of the servers contained in an Access Enabling group; these addresses are used in the Access Enabling tunnel IPsec rule. The servers are divided into batches of 195, and each batch is a separate parameter distinguished by the numeric suffix <#> appended to the group name. | Comma delimited | 2012::4444:0:0:c00:1,2012::4444:0:0:b00:11,2012::4444:0:0:b03:34F |
| UAGDA_CERT_MACHINE_AUTH | The root or intermediate certification authority (CA) used for computer certificate authentication. Used in the IPsec rules and in the NRPT. | Distinguished name of the CA | DC=com, DC=contoso,DC=corp, CN=corp-DC-CA |
| UAGDA_CERT_TYPE | Whether the CA named in UAGDA_CERT_MACHINE_AUTH is a root CA or an intermediate CA. | root or intermediate | root |
| UAGDA_CLIENTDNS_FALLBACK | Local name resolution (fallback) option. See Identifying DNS servers. | 0 = use local name resolution only if the name does not exist in DNS; 1 = fall back to local name resolution for any kind of DNS resolution error (least secure); 2 = fall back to local name resolution if the name does not exist in DNS or the DNS servers are unreachable while the client computer is on a private network (recommended); 3 = no local name resolution (not offered as an option in the user interface) | 2 |
| UAGDA_DTE_ACCESS | External IPv6 address of the Forefront UAG server used as the remote tunnel endpoint of the DNS and Access Enabling IPsec rules. | IPv6 address | 2002:b00:20::b00:20 |
| UAGDA_DTE_CORP | External IPv6 address of the Forefront UAG server used as the remote tunnel endpoint of the Corp IPsec rule. | IPv6 address | |
| UAGDA_GATEWAY_PUBLIC_IP | External IPv4 address of the Forefront UAG server. Used for the transition technologies (Teredo, 6to4). | IPv4 address | 199.0.0.30 |
| UAGDA_IPHTTPS_URL | URL used for the IP-HTTPS transition technology. | HTTPS URL; the port must be specified explicitly. | https://da.company.net:443/IPHTTPS |
| UAGDA_IPSEC_E2E_QM_SECMETHODS | IPsec Quick Mode security methods (integrity and encryption algorithms, with key lifetimes) used in the end-to-end rules. | Netsh format | ESP:SHA256-None+60min+100000kb |
| UAGDA_IPSEC_MM_KEYLIFETIME | IPsec Main Mode key lifetime. | Netsh format | 60min,0sess |
| UAGDA_IPSEC_MM_SECMETHODS | IPsec Main Mode security methods (Diffie-Hellman group, encryption and integrity algorithms), listed in order of preference. | Netsh format | dhgroup2:aes128-sha256,dhgroup2:aes128-sha1,dhgroup2:3des-sha1 |
| UAGDA_IPSEC_QM_SECMETHODS | IPsec Quick Mode security methods (integrity and encryption algorithms, with key lifetimes) used in the end-to-edge rules. | Netsh format | ESP:SHA1-AES192+60min+100000kb |
| UAGDA_POLICY_GATEWAY_SECGRP | The Forefront UAG array members. Applied to the server GPO; you must list every member of the array. | Comma delimited list, Domain\MachineName | corp.contoso.com\DA1$, corp.contoso.com\DA2$ |
| UAGDA_NCSI_DNSPROBECONTENT | Network Connectivity Status Indicator (NCSI): the IPv6 address that UAGDA_NCSI_DNSPROBEHOST is expected to resolve to. | IPv6 address | ::1 |
| UAGDA_NCSI_DNSPROBEHOST | NCSI: the DNS name of an internal corporate resource. If this name resolves correctly, the client has corporate connectivity. | FQDN | UAGDirectAccess-corpConnectivityHost.corp.contoso.com |
| UAGDA_NCSI_SITEPREFIXES | NCSI: the organization's IPv6 prefixes plus the addresses used as IPsec tunnel endpoints. A connection to a destination within one of these prefixes indicates corporate connectivity. | IPv6 prefix, comma delimited | 2002:b00:1f:8000::/49,2001:4110:10::/48,2002:b00:20::b00:20/128 |
| UAGDA_NID_ADDRESS | IPv6 address of the network location server. Used in the "NLA Exempt" client IPsec tunnel rule. | IPv6 address | 2012::2 |
| UAGDA_NID_URL | HTTPS URL of the network location server, which clients use to determine whether they are inside or outside the corporate network. | URL | https://nls.corp.contoso.com/ |
| UAGDA_POLICY_APPSERV_NAME | Name of the Group Policy object (GPO) applied to the application servers. | String | UAG DirectAccess: AppServers (UAG01.corp.contoso.com) |
| UAGDA_POLICY_APPSERV_LOCATION | Domain in which the application server GPO is located. (Used when the GPO was created by the Forefront UAG DirectAccess server.) | Domain name (FQDN) | corp.contoso.com |
| UAGDA_POLICY_CLIENT_NAME | Name of the GPO applied to the DirectAccess clients. | String | UAG DirectAccess: Clients (UAG01.corp.contoso.com) |
| UAGDA_POLICY_CLIENT_LOCATION | Domain in which the client GPO is located. (Used when the GPO was created by the Forefront UAG DirectAccess server.) | Domain name (FQDN) | corp.contoso.com |
| UAGDA_POLICY_GATEWAY_NAME | Name of the GPO applied to the Forefront UAG servers. | String | UAG DirectAccess: Gateways (UAG01.corp.contoso.com) |
| UAGDA_POLICY_GATEWAY_LOCATION | Domain in which the gateway GPO is located. (Used when the GPO was created by the Forefront UAG DirectAccess server.) | Domain name (FQDN) | corp.contoso.com |
| UAGDA_PREFIX_CORP | IPv6 prefix of the organization. Used in the "Corp" IPsec tunnel rule and by NCSI to determine whether the client has corporate connectivity. | IPv6 prefix, comma delimited | 2002:b00:1f:8000::/49,2001:4110:10::/48 |
| UAGDA_PREFIX_CORP_EXCLUSION | IPv6 address ranges outside the organization prefix. Used in the AppServers end-to-end IPsec rule when end-to-end application servers are added. | IPv6 range (start-end), comma delimited | ::-2001:4110:10::,2001:4110:10:ffff:ffff:ffff:ffff:ffff-2002:b00:1f:8000::,2002:b00:1f:ffff:ffff:ffff:ffff:ffff-feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff |
| UAGDA_PREFIX_IPHTTPS_CLIENT | IPv6 prefix of the IP-HTTPS client subnet. Used in the AppServers end-to-end IPsec rule when end-to-end application servers are added. | IPv6 prefix | 2002:b00:1f:8100::/56 |
| UAGDA_POLICY_APPSERV_LINKS | Links the AppServers GPO to the specified domains or OUs, so that the policy applies to computers in several domains and OUs. (Used when the GPO was created by the Forefront UAG DirectAccess server.) | Domain or OU distinguished names, separated by \| | DC=corp,DC=contoso,DC=com\|DC=sales,DC=contoso,DC=com |
| UAGDA_POLICY_CLIENT_SECGRP | Security groups that contain the DirectAccess client computers. (Used when the GPO was created by the Forefront UAG DirectAccess server.) | Comma delimited list, Domain\GroupName | corp.contoso.com\DirectAccess Client Machines |
| UAGDA_POLICY_CLIENT_LINKS | Links the Clients GPO to the specified domains or OUs, so that the policy applies to computers in several domains. (Used when the GPO was created by the Forefront UAG DirectAccess server.) | Domain or OU distinguished names, separated by \| | DC=corp,DC=contoso,DC=com |
| UAGDA_POLICY_READ_PERMISSIONS | Accounts that are granted read permission on the created GPOs. (Used when the GPO was created by the Forefront UAG DirectAccess server.) | Comma delimited list, Domain\GroupName | NT AUTHORITY\Authenticated Users |
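An added example, not from the Forefront UAG documentation or product, that checks candidate values against the formats in the table before you put them into the script: IPv6 addresses, prefixes and start-end ranges, the IPv4 gateway address, the explicit port in the IP-HTTPS URL, the DNS fallback value, and the netsh-format IPsec strings. It also lists every IPsec method in those strings that uses DES, 3DES, MD5, SHA1 or Diffie-Hellman group 1 or 2, because any method left in the list can still be negotiated by a peer; treating those as weak is the example's own policy, not a requirement stated by the documentation. The candidate values are constructed for the example (the IP-HTTPS URL deliberately omits the port so that one check fails), and the function names are the example's own.

```powershell
# Added example (not Forefront UAG product or documentation code). Validates candidate
# static-parameter values against the formats in the Static Parameters table above.
# Sample values are constructed; the weak-algorithm list is this example's own policy.

function Test-IPv6Address([string]$Value) {
    $ip = $null
    return ([System.Net.IPAddress]::TryParse($Value, [ref]$ip) -and
            $ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6)
}

function Test-IPv4Address([string]$Value) {
    # Require dotted-quad form; IPAddress.TryParse alone also accepts "199" as 0.0.0.199.
    $ip = $null
    return (($Value -match '^\d{1,3}(\.\d{1,3}){3}$') -and
            [System.Net.IPAddress]::TryParse($Value, [ref]$ip))
}

function Test-IPv6Prefix([string]$Value) {
    # "<address>/<length>" with length 0..128, e.g. 2002:b00:1f:8000::/49
    if ($Value -match '^(?<addr>[^/]+)/(?<len>\d{1,3})$') {
        return ((Test-IPv6Address $Matches['addr']) -and ([int]$Matches['len'] -le 128))
    }
    return $false
}

function Test-IPv6Range([string]$Value) {
    # "<start>-<end>", the entry format of UAGDA_PREFIX_CORP_EXCLUSION
    $parts = $Value -split '-', 2
    return (($parts.Count -eq 2) -and (Test-IPv6Address $parts[0]) -and (Test-IPv6Address $parts[1]))
}

function Test-DelimitedList([string]$Value, [string]$ItemTest) {
    # Every comma-separated item must pass the named test function; spaces around items are tolerated.
    $items = @($Value -split ',' | ForEach-Object { $_.Trim() })
    foreach ($item in $items) { if (-not (& $ItemTest $item)) { return $false } }
    return $true
}

function Find-WeakIPsecMethods([string]$Value) {
    # Items of a comma-delimited netsh security-method list that use DES, 3DES, MD5,
    # SHA1 or DH group 1/2 (example policy). PowerShell -match is case-insensitive.
    $weak = '(^|[:+-])(DES|3DES|MD5|SHA1|dhgroup1|dhgroup2)($|[:+-])'
    return @($Value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -match $weak })
}

# Constructed candidate values (mirroring the table's examples; not a real deployment).
$Candidate = @{
    UAGDA_DTE_ACCESS            = '2002:b00:20::b00:20'
    UAGDA_GATEWAY_PUBLIC_IP     = '199.0.0.30'
    UAGDA_IPHTTPS_URL           = 'https://da.company.net/IPHTTPS'   # port omitted on purpose
    UAGDA_PREFIX_CORP           = '2002:b00:1f:8000::/49,2001:4110:10::/48'
    UAGDA_PREFIX_CORP_EXCLUSION = '::-2001:4110:10::,2001:4110:10:ffff:ffff:ffff:ffff:ffff-2002:b00:1f:8000::'
    UAGDA_CLIENTDNS_FALLBACK    = '1'
    UAGDA_IPSEC_MM_SECMETHODS   = 'dhgroup2:aes128-sha256,dhgroup2:aes128-sha1,dhgroup2:3des-sha1'
    UAGDA_IPSEC_QM_SECMETHODS   = 'ESP:SHA1-AES192+60min+100000kb'
}

# One format check per parameter, following the Format Type column. The netsh checks are
# loose syntax checks only (<keyexchange>:<enc>-<integrity> and ESP/AH/AUTHNOENCAP:...).
$Rules = @{
    UAGDA_DTE_ACCESS            = { Test-IPv6Address $args[0] }
    UAGDA_GATEWAY_PUBLIC_IP     = { Test-IPv4Address $args[0] }
    UAGDA_IPHTTPS_URL           = { $args[0] -match '^https://[^/:]+:\d{1,5}(/|$)' }   # explicit port required
    UAGDA_PREFIX_CORP           = { Test-DelimitedList $args[0] 'Test-IPv6Prefix' }
    UAGDA_PREFIX_CORP_EXCLUSION = { Test-DelimitedList $args[0] 'Test-IPv6Range' }
    UAGDA_CLIENTDNS_FALLBACK    = { $args[0] -match '^[0-3]$' }
    UAGDA_IPSEC_MM_SECMETHODS   = { $args[0] -match '^[a-z0-9]+:[a-z0-9]+-[a-z0-9]+(,[a-z0-9]+:[a-z0-9]+-[a-z0-9]+)*$' }
    UAGDA_IPSEC_QM_SECMETHODS   = { $args[0] -match '^(esp|ah|authnoencap):[a-z0-9+:,-]+$' }
}

foreach ($name in ($Candidate.Keys | Sort-Object)) {
    $value  = $Candidate[$name]
    $ok     = & $Rules[$name] $value
    $status = if ($ok) { 'OK  ' } else { 'FAIL' }
    '{0} {1} = {2}' -f $status, $name, $value
    if ($name -like 'UAGDA_IPSEC_*_SECMETHODS') {
        foreach ($item in (Find-WeakIPsecMethods $value)) { "      weak method offered: $item" }
    }
    if ($name -eq 'UAGDA_CLIENTDNS_FALLBACK' -and $value -eq '1') {
        '      1 = fall back to local name resolution on any DNS error (least secure, per the table)'
    }
}
```

With the constructed values, UAGDA_IPHTTPS_URL fails because the table requires an explicit port, both IPsec lists produce weak-method lines (the SHA1 and 3DES fallbacks in Main Mode, and the SHA1 integrity in Quick Mode), and the DNS fallback value 1 is flagged as the least secure setting; everything else passes its format check.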