Forefront UAG DirectAccess overcomes the limitations of VPNs by automatically establishing a bi-directional connection from client computers to the corporate network. Forefront UAG DirectAccess is built on a foundation of proven, standards-based technologies: Internet Protocol security (IPsec) and Internet Protocol version 6 (IPv6).

Forefront UAG DirectAccess uses IPsec to authenticate both the computer and user, allowing IT to manage the computer before the user logs on. Optionally, you can require a smart card for user authentication.

Forefront UAG DirectAccess also leverages IPsec to provide encryption for communications across the Internet. You can use IPsec encryption methods, such as Triple Data Encryption Standard (3DES) and the Advanced Encryption Standard (AES).

Clients establish an IPsec tunnel for the IPv6 traffic to the Forefront UAG DirectAccess server, which acts as a gateway to the intranet. Figure 1 shows a DirectAccess client connecting to a Forefront UAG DirectAccess server across the public IPv4 Internet.



Figure 1 DirectAccess clients access the intranet using IPv6 and IPsec

The DirectAccess client establishes two IPsec tunnels:

After the tunnels to the Forefront UAG DirectAccess server are established, the client can send traffic to the intranet through the tunnels.