System requirements for Forefront UAG DirectAccess

In addition to the requirements described in System requirements for Forefront UAG servers, there are a number of specific requirements for DirectAccess in Forefront Unified Access Gateway (UAG) and Forefront UAG with Service Pack 1 (SP1). This topic summarizes these requirements.

If you are reading this help from the Forefront UAG Management console, the latest version of this topic is available in the Forefront UAG TechNet library.

Prerequisites for deploying Forefront UAG DirectAccess SP1

Prerequisite

Details

Infrastructure servers

You must have at least one domain controller running Windows Server 2003 or later, and a Domain Name System (DNS) server that supports dynamic updates. You can use DNS servers that do not support dynamic updates, but entries must be manually updated.

For more information, see Designing a DNS infrastructure for Forefront UAG DirectAccess.

Machine Certificates

You must install and configure a Certification Authority (CA) for issuing client authentication certificates, if one does not already exist.
You must provision a machine certificate to all Forefront UAG DirectAccess clients.

Note:

You may choose to provision the certificates by enabling domain certificate autoenrollment for Forefront UAG DirectAccess clients, using their security group and group policy.
Domain clients must trust the CA that issues root and intermediate certificates.

For more information, see Designing your PKI for Forefront UAG DirectAccess.

IP-HTTPS certificates

You can use two types of IP-HTTPS certificates:

Public—Supplied by a 3rd party.

A web certificate is required for IP-HTTPS authentication. The certificate subject should be the URL of the Forefront UAG DirectAccess server.

Note:

This certificate must be copied to all array nodes.
Private

The following are required, if they do not already exist:
- A web certificate used for IP-HTTPS authentication. The certificate subject should be the URL of the Forefront UAG DirectAccess server.
  
  Note:
  
  This certificate must be copied to all array nodes.
  
  For more information on setting up PKI, see Active Directory Certificate Services (http://go.microsoft.com/fwlink/?LinkId=154397).
- A certificate revocation list (CRL) distribution point that is reachable from a publicly resolvable fully qualified domain name (FQDN).
  
  For more information, see Planning the placement of CRL distribution points.

Forefront UAG DirectAccess server

The Forefront UAG DirectAccess server has the following requirements:

It must be running Windows Server 2008 R2 Standard (RTM release), or Windows Server 2008 R2 Enterprise (RTM release).
It must be joined to an Active Directory domain.
It must have two physical network adapters installed.

Note:

The network adapters should be configured as Internal and External in the Forefront UAG Getting Started Wizard.
IPv6 transition technologies should not be disabled.

For more information on transition technologies, see IPv6 Transition Technologies (http://go.microsoft.com/fwlink/?LinkId=154382).

Forefront UAG DirectAccess client

A Forefront UAG DirectAccess client must be:

Running Windows 7 Enterprise, or Windows 7 Ultimate.
Joined to an Active Directory domain.

Global or universal security groups for Forefront UAG DirectAccess clients

You can also use existing global or universal groups.

For more information, see Create a New Group (http://go.microsoft.com/fwlink/?LinkId=154396).

Network location server with an HTTPS based URL

This should be on a server with high availability, and a valid SSL certificate trusted by the DirectAccess clients.

Warning:
You must not configure your Forefront UAG DirectAccess server as the network location server.

For more information, see Specifying the network location server.

Routing

Configure routing as follows:

When IPv6 is deployed in the organization, add a route so that the routers on the internal network route IPv6 traffic back through the Forefront UAG DirectAccess server.
Manually configure organization IPv4 and IPv6 routes on the Forefront UAG DirectAccess servers. Add a published route so that all traffic with an organization (/48) IPv6 prefix is forwarded to the internal network. In addition, for IPv4 traffic, add explicit routes so that IPv4 traffic is forwarded to the internal network.

When using additional firewalls

When using additional firewalls, apply the following Internet-facing firewall exceptions for Forefront UAG DirectAccess traffic when the Forefront UAG DirectAccess server is on the IPv4 Internet:

Teredo traffic—User Datagram Protocol (UDP) destination port 3544 inbound, and UDP source port 3544 outbound.
6to4 traffic—Protocol 41 inbound and outbound
IP-HTTPS—Transmission Control Protocol (TCP) destination port 443, and TCP source port 443 outbound

For more information, see Packet filtering for the Internet firewall.

When using additional firewalls, apply the following Internet-facing firewall exceptions for Forefront UAG DirectAccess traffic when the Forefront UAG DirectAccess server is on the IPv6 Internet:

Protocol 50
UDP destination port 500 inbound, and UDP source port 500 outbound
Internet Control Message Protocol for IPv6 (ICMPv6) traffic inbound and outbound

For more information, see Packet filtering for the Internet firewall.

When using additional firewalls, apply the following internal network firewall exceptions for Forefront UAG DirectAccess traffic:

ISATAP—Protocol 41 inbound and outbound
TCP/UDP for all IPv4/IPv6 traffic
ICMP for all IPv4/IPv6 traffic

For more information, see Packet filtering for intranet firewalls.

Network interface settings for a single server Forefront UAG DirectAccess deployment.

The following network interface settings are required for a single server Forefront UAG DirectAccess deployment:

Two Internet-facing consecutive public static IPv4 addresses.

Important:
When configuring your TCP/IP properties on the Forefront UAG DirectAccess server, do not configure Internet DNS servers on any of the Forefront UAG DirectAccess server interfaces, as this could cause DNS64 performance degradation.

If your organization has an internal IPv6 deployment, make sure that you configure an internal static IPv6 address.
An internal static IPv4 address for NAT64.

Note:

These addresses are configured by using the Change adapter settings in the Windows Networking and Sharing Center.

Network interface settings for network load balanced Forefront UAG DirectAccess server in an array.

When configuring network interface settings, you must configure static virtual IP addresses (VIPs), and dedicated IP addresses (DIPs). A DIP is the existing per node unique IP address. The following network interface settings are required for a network load balanced Forefront UAG DirectAccess server in an array:

Two Internet-facing consecutive public IPv4 addresses (VIPs).

An Internet-facing static IPv4 address (DIP).

Important:
When configuring your TCP/IP properties on the Forefront UAG DirectAccess server, do not configure Internet DNS servers on any of the Forefront UAG DirectAccess server interfaces, as this could cause DNS64 performance degradation.

An internal network facing static IPv6 address (DIP).
An internal network facing IPv6 address (VIP). This must be on the same subnet as the internal network facing IPv6 DIP.
An internal network facing static IPv4 address (DIP).

An internal network facing IPv4 address (VIP). This must be on the same subnet as the internal network facing IPv4 DIP.

Note:
DIPs are configured by using the Change adapter settings in the Windows Networking and Sharing Center, and VIPs in the Forefront UAG Network Load Balancing configuration. VIPs are only configured on the array manager.

For more information, see Configuring NLB for a Forefront UAG DirectAccess array.

Further prerequisites for a Forefront UAG DirectAccess SP1 deployment are described in these topics: