This topic provides information about planning a DirectAccess Connectivity Assistant (DCA) 1.5 deployment.
Overview
DirectAccess Connectivity Assistant (DCA) version 1.5 can be installed on DirectAccess client computers, to provide information about the state of DirectAccess connectivity to corporate network resources, as follows:
- Connection status—The DCA informs
mobile users of their connectivity status at all times, and
provides tools to help them reconnect on their own if problems
arise.
- Troubleshooting information—The DCA
provides troubleshooting messages to help solve DirectAccess
connection issues, and gathers diagnostic logs that can be sent to
network administrators. Without the DCA, there are no means by
which clients can verify whether DirectAccess is working correctly.
In addition, via the DCA administrators can provide a URL that
hosts information and resources for DirectAccess clients.
DCA deployment consists of two steps:
- Deploy the DCA 1.5 application on DirectAccess client
computers
- Configure application settings to be delivered to client
computers running DCA 1.5
Requirements
The DCA 1.5 application can be deployed using the following means:
- Prepare a network share or Web site on which users installing
the DCA .msi have read permissions.
- Prepare to use a software distribution system such as Microsoft
System Center Configuration Manager to automatically deploy the
DCA.
- Prepare an Active Directory group policy to automatically
deploy and run the DCA .msi file. The group policy will be applied
on computers you want to configure as DirectAccess clients.
The following is required to deploy DirectAccess settings:
- Allow users to use local name resolution—If you enable
this setting, the Use local DNS resolution option is available in
the DCA console running on the client computer. If a remote user
selects this setting, DirectAccess does not send resolution
requests for single-label names to the internal corporate DNS server,
but uses local name resolution instead (LLMNR and NetBIOS). Clients
require a means of resolving names locally.
- Connectivity verifiers—Connectivity verifiers are used
by the DCA to provide information about the connectivity status
of clients. If connectivity is down, an unavailable status is
displayed in the DCA. The connectivity verifier method can be an
HTTP or HTTPS URL, or a file location. Plan for multiple
connectivity verifiers in a number of locations. For example,
configure one verifier behind the NAT64, another behind the
ISATAP gateway, and so on.
- Troubleshooting URL—The DCA provides a URL link to which
clients can connect for troubleshooting information. Plan for a Web
site or portal that contains information for clients. You can use a
Forefront UAG portal if you have deployed portal publishing in
Forefront UAG.
- Email address—The DCA deployment requires an email
address that is monitored for troubleshooting logs sent by
DirectAccess clients. The address appears in the DCA console.
- Diagnostics script—The DCA provides a default script for
gathering diagnostic logs. If you want to add another script,
prepare it before DCA deployment. The script can be any file that
can be run at a command prompt, and that prints output to the
console as text. The script location specified on the client
computer should be accessible by a standard user account. Note that
DCA runs the script with elevated permissions.
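Because DCA runs the diagnostics script elevated from a location that standard users can reach, the script and its folder should be readable but not modifiable by those users. The PowerShell check below is an added example, not part of the original topic or of DCA; the script path is hypothetical and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not Microsoft's code): list accounts other than administrators
# that could alter a DCA diagnostics script, which DCA runs elevated.
param(
    # Hypothetical path; use the script location you configure for DCA.
    [string]$ScriptPath = 'C:\Program Files\Contoso\DcaDiag\collect.cmd'
)

# Rights that change content, permissions, or ownership (read/execute excluded).
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

# SIDs allowed to hold those rights: SYSTEM, Administrators, TrustedInstaller.
$trusted = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)

function Get-UntrustedWriter {
    param([string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    # Explicit and inherited rules, with identities returned as SIDs.
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only entries apply to children, not to this object.
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Path   = $Path
            Sid    = $ace.IdentityReference.Value
            Rights = $ace.FileSystemRights
        }
    }
}

# The parent folder matters too: write access there allows replacing the file.
$targets = @($ScriptPath, (Split-Path -Parent $ScriptPath))
$findings = @(foreach ($t in $targets) { Get-UntrustedWriter -Path $t })

if ($findings.Count -eq 0) {
    Write-Output "OK: only trusted SIDs can modify $ScriptPath or its folder."
} else {
    $findings | Format-Table -AutoSize
}
```

Entries that carry only generic access bits are not matched by this mask, so review any numeric rights values in the ACL by hand.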
Limitations
The following limitations apply:
- DCA 1.5 must be installed on clients authenticating to
DirectAccess with an OTP.
- DCA 1.5 cannot be installed on clients connecting to Windows
DirectAccess servers. It can be installed on servers running
Forefront UAG DirectAccess SP1, Update 2, Update 1, or RTM.
- The DCA 1.5 .msi installation file is only available after
installing Forefront UAG SP1.
- DCA 1.5 settings can only be configured in the Forefront UAG
Management console, if the Forefront UAG DirectAccess server is
running SP1. Otherwise you must configure DCA settings using a
group policy template.
- When force tunneling is enabled (DirectAccess clients reach the
Internet via the DirectAccess server), the option to allow local
name resolution cannot be provided to DirectAccess clients.
- At least one connectivity verifier must be enabled. You cannot
use the network location server Web site as a connectivity
verifier.
- Any diagnostic script must complete its actions within 45
seconds. Scripts that take longer have their logs truncated.
- When installing DCA 1.5 on a computer running DCA 1.0, or when
uninstalling DCA, the current DCA application process and service
are stopped during setup. However, if a computer has multiple users
and each user runs an instance of the DCA, you must restart the
computer to complete the upgrade or uninstall.
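The 45-second limit on diagnostic scripts can be handled by giving the script its own time budget, so that it skips or stops slow commands instead of having its log truncated. The following is an added example, not the DCA default script; the 40-second budget, the command list, and launching it from a .cmd wrapper are assumptions.

```powershell
# Added example (not the DCA default script): extra diagnostics that stop
# collecting before the 45-second limit so the log is not cut mid-command.
# Assumption: launched from a .cmd wrapper, e.g. powershell.exe -File <this file>.
$BudgetSeconds = 40   # assumed safety margin under the 45-second limit
$clock = [System.Diagnostics.Stopwatch]::StartNew()

# Read-only status commands built into Windows; adjust to your environment.
$commands = @(
    'ipconfig /all',
    'netsh namespace show effectivepolicy',
    'netsh interface teredo show state',
    'netsh interface httpstunnel show interfaces'
)

foreach ($cmd in $commands) {
    # Seconds still available for this command.
    $left = [int]($BudgetSeconds - $clock.Elapsed.TotalSeconds)
    if ($left -lt 2) {
        Write-Output "=== SKIPPED (time budget used): $cmd"
        continue
    }
    Write-Output "=== $cmd"
    # Run in a background job so a hung command can be abandoned.
    $job = Start-Job -ScriptBlock { param($c) cmd.exe /c $c 2>&1 } -ArgumentList $cmd
    if (Wait-Job -Job $job -Timeout $left) {
        # Emit the output as plain text lines on the console.
        Receive-Job -Job $job | ForEach-Object { "$_" }
    } else {
        Stop-Job -Job $job
        Write-Output "=== TIMED OUT after $left s: $cmd"
    }
    Remove-Job -Job $job -Force
}
Write-Output ("=== done in {0:N1} s" -f $clock.Elapsed.TotalSeconds)
```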
Planning steps
Planning steps consist of the following:
- Define a strategy for deploying and installing DCA 1.5 on
computers that will be configured as DirectAccess clients.
- If you are not running SP1, obtain and import the GPO
templates.
- Prepare for deploying DCA 1.5 settings, either via the
Forefront UAG Management console on servers running Forefront UAG
DirectAccess with SP1, or using GPO templates on other Forefront
UAG DirectAccess servers.
- Create HTTP or HTTPS Web sites, or file locations, as
connectivity verifiers.
- Prepare a Web site or Forefront UAG portal that contains useful
troubleshooting information for DirectAccess clients.
- Define an email address to which DirectAccess client diagnostic
logs can be sent.
- If you want to use additional diagnostics in addition to the
default diagnostics, prepare a diagnostics script and deploy it on
client computers that will be configured as DirectAccess
clients.
- In addition, if you are configuring DCA settings with the
template, collect the IP addresses of DirectAccess servers.