DirectAccess clients establish IPsec tunnels for the IPv6 DirectAccess traffic to the Forefront UAG DirectAccess server, which acts as a gateway to the intranet.
By default, DirectAccess clients create two tunnels to the Forefront UAG DirectAccess server.
- The infrastructure tunnel—provides access to intranet Domain Name System (DNS) servers, Active Directory Domain Services (AD DS) domain controllers, and other infrastructure management servers.
- The intranet tunnel—provides access to intranet resources such as Web sites, file shares, and other application servers, and opens once the user logs on to the client computer.
You can configure Forefront UAG DirectAccess to only use the infrastructure tunnel.
You can choose one of the following deployment models:
- Full intranet access—The DirectAccess client establishes both the infrastructure and intranet tunnels and therefore has access to all resources on the intranet.
- Enable Remote management of DirectAccess clients only—Only establishes the infrastructure tunnel between the DirectAccess client and the Forefront UAG DirectAccess server. The DirectAccess client computer therefore only has access to the infrastructure and management servers configured in the Forefront UAG DirectAccess Configuration Wizard.
To choose a deployment model
- In the Forefront UAG Management console, click DirectAccess to start the Forefront UAG DirectAccess Configuration Wizard.
- From the Forefront UAG DirectAccess Configuration Wizard, under Step 1, in Clients and GPOs, click Edit.
- Select the deployment model you wish to use. To enable Full intranet access, click Allow DirectAccess clients to connect to internal networks …. To enable access to management servers only, click Enable Remote management of DirectAccess clients only.
  Note: If you select the Enable Remote management of DirectAccess clients only deployment model:
  - Allow only services is automatically selected, and limits access to infrastructure servers to services with computer-account credentials running on the client computer (this is the default selection).
  - To enable user authentication with management servers, deselect Allow only services. This is necessary in organizations that require a user to authenticate with management servers.
- Click Next. The Client Domains page of the Forefront UAG DirectAccess Configuration Wizard opens.
Note the following when deploying Forefront UAG DirectAccess for remote management only:
Merging local rules
When deploying Forefront UAG DirectAccess for remote management only, clients can potentially access an intranet server via DirectAccess by creating and merging local IPsec rules with corporate policy rules.
This can occur because by default users in the local administrators group can create connection security rules on the local computer using Windows Firewall with Advanced Security. These local rules can be merged with corporate rules and applied to the computer. This can only occur under the following circumstances:
- The user must belong to the local administrators group on the DirectAccess client computer in order to create transport mode IPsec rules (and enable rule merging if it is disabled by group policy).
- The user must have local administrator permissions on an internal server in order to create transport mode IPsec rules (and enable rule merging if it is disabled by group policy).
- In order to gain access to the internal server, the user must have configured the IPsec rules on the server before connecting via DirectAccess. The user cannot gain access to internal servers that do not have the IPsec rules configured.
To mitigate this potential behavior, the following options are available:
- Ensure that your corporate policy states that users should not create local connection security rules.
- When DirectAccess is deployed for remote management only, do not provide users with local administrator privileges on DirectAccess client computers.
- Disable rule merging in each domain, as follows:
  - Open the Group Policy Management console.
  - Select the policy you want to edit. You can use an existing policy such as the default domain policy and apply it on the entire domain, or create a dedicated policy and apply it to DirectAccess client computers only.
  - In the policy settings, under Security Settings, right-click Windows Firewall with Advanced Security, and then click Properties.
  - There are two methods for configuring and applying the setting:
    - If you are applying the policy to the entire domain, on each profile (domain, private, and public) set Apply local connection security rules to No.
    - If you are using a dedicated policy to apply on DirectAccess client computers only, on the private and public profiles, set Apply local connection security rules to No.
Note that local administrators can still manually modify the registry entry that disables the merging of local IPsec policy. If this occurs, the administrator can create local rules until group policy next overwrites the modification.
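The following PowerShell audit script is an added example, not part of the original article or the Forefront UAG product: it reports, per firewall profile, whether the Apply local connection security rules setting described above is actually in effect on a DirectAccess client (including the drift case where a local administrator has edited the registry value), and lists any locally created connection security rules. It assumes the NetSecurity module (Windows 8 / Windows Server 2012 and later) and an elevated prompt.

```powershell
# Added example (not from the original article). Audits whether local IPsec
# rule merging is disabled on a DirectAccess client and whether any local
# connection security rules exist regardless. Assumes the NetSecurity module
# (Windows 8 / Server 2012 and later) and an elevated shell.

# Group Policy stores the setting per profile under this key; a DWORD
# AllowLocalIPsecPolicyMerge of 0 corresponds to "No" in the GPO editor.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

function Get-IPsecMergeState {
    param([string[]]$Profiles = @('Domain', 'Private', 'Public'))

    foreach ($p in $Profiles) {
        $key = Join-Path $PolicyRoot "${p}Profile"
        $gpo = Get-ItemProperty -Path $key -Name AllowLocalIPsecPolicyMerge `
                   -ErrorAction SilentlyContinue
        $gpoValue = if ($null -ne $gpo) { $gpo.AllowLocalIPsecPolicyMerge } else { 'NotConfigured' }

        # ActiveStore reflects what the firewall is enforcing right now.
        $effective = (Get-NetFirewallProfile -Name $p -PolicyStore ActiveStore).AllowLocalIPsecRules

        [pscustomobject]@{
            Profile          = $p
            GpoRegistryValue = $gpoValue
            EffectiveSetting = "$effective"
            # Anything other than "0 in the registry and False in effect" is drift,
            # including a registry value a local admin changed that group policy
            # has not yet reapplied.
            MergeDisabled    = ($gpoValue -eq 0) -and ("$effective" -eq 'False')
        }
    }
}

function Get-LocalConnectionSecurityRules {
    # PersistentStore holds rules created locally (for example via Windows
    # Firewall with Advanced Security on the client); GPO-delivered rules live
    # in the GPO stores and are therefore excluded here.
    Get-NetIPsecRule -PolicyStore PersistentStore -ErrorAction SilentlyContinue |
        Select-Object DisplayName, Enabled, Mode, InboundSecurity, OutboundSecurity
}

$state = Get-IPsecMergeState
$state | Format-Table -AutoSize
$state | Where-Object { -not $_.MergeDisabled } | ForEach-Object {
    Write-Warning "Local IPsec rule merging is not disabled on the $($_.Profile) profile."
}

$localRules = @(Get-LocalConnectionSecurityRules)
if ($localRules.Count -gt 0) {
    Write-Warning "$($localRules.Count) locally defined connection security rule(s) found:"
    $localRules | Format-Table -AutoSize
}
```

Run it from a scheduled task or a configuration-management check so that a profile reporting MergeDisabled = False, or any locally defined rule, is surfaced before the next group policy refresh silently hides the change.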