This topic describes the design considerations when deploying Web servers for Forefront UAG DirectAccess.
You need Web locations for the following resources:
- The network location server (an HTTPS-based uniform resource locator (URL)).
- An HTTP-based intranet certificate revocation list (CRL) distribution point for the HTTPS certificate of the network location server.
- An HTTP-based Internet CRL distribution point for the IP-HTTPS certificate of the Forefront UAG DirectAccess server.
Note: The intranet and Internet CRL distribution points can also be based on a universal naming convention (UNC) path of a file server.
Note: When the IP-HTTPS certificate is issued by a third-party certification authority, you should use the Internet-based CRL of the third party.
In all of these cases, the Web server providing these resources must be highly available. If these resources cannot be reached, the following occurs:
- If the DirectAccess client on the intranet is unable to reach the HTTPS-based URL of the network location server, a DirectAccess client cannot detect when it is on the intranet and might not be able to access intranet resources.
- If the DirectAccess client on the intranet is unable to reach the intranet CRL distribution point to perform certificate revocation checking for the network location server, a DirectAccess client cannot detect when it is on the intranet and might not be able to access intranet resources.
- If the DirectAccess client on the Internet is unable to reach the Internet CRL distribution point to perform certificate revocation checking for the IP-HTTPS certificate, a DirectAccess client cannot use IP-HTTPS. Because IP-HTTPS is the last transition technology that is used for IPv6 connectivity to the Forefront UAG DirectAccess server, DirectAccess clients will not be able to establish a connection to the Forefront UAG DirectAccess server when behind a firewall, Web proxy or behind a network address translator (NAT) when the Teredo client has been disabled.
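The following availability probe is an added example, not part of the original topic or of Forefront UAG. It requests each of the three Web resources from the side of the network where clients use it and reports the client impact listed above when a request fails. All URLs and the `Test-WebResource` function name are assumptions; replace them with your own values.

```powershell
# Added example. Every URL below is a placeholder (assumption); use your own.
# Set $Vantage to where this host sits: intranet resources must be probed from
# the intranet, and the Internet CRL distribution point from the Internet.
$Vantage = 'Intranet'

$resources = @(
    [pscustomobject]@{
        Name   = 'Network location server (HTTPS URL)'; From = 'Intranet'
        Url    = 'https://nls.corp.example.com/'
        Impact = 'Clients cannot detect that they are on the intranet'
    }
    [pscustomobject]@{
        Name   = 'Intranet CRL distribution point (NLS certificate)'; From = 'Intranet'
        Url    = 'http://crl.corp.example.com/crld/corp-ca.crl'
        Impact = 'Clients cannot detect that they are on the intranet'
    }
    [pscustomobject]@{
        Name   = 'Internet CRL distribution point (IP-HTTPS certificate)'; From = 'Internet'
        Url    = 'http://crl.example.com/crld/corp-ca.crl'
        Impact = 'Clients cannot use IP-HTTPS'
    }
)

function Test-WebResource {
    param([Parameter(Mandatory = $true)][string] $Url, [int] $TimeoutSec = 10)
    try {
        # For the HTTPS URL, a certificate validation failure also throws here,
        # so an untrusted or expired certificate is reported as a failure.
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec $TimeoutSec -ErrorAction Stop
        [pscustomobject]@{ Ok = ($r.StatusCode -eq 200); Detail = "HTTP $($r.StatusCode)" }
    } catch {
        [pscustomobject]@{ Ok = $false; Detail = $_.Exception.Message }
    }
}

$failed = 0
foreach ($res in ($resources | Where-Object { $_.From -eq $Vantage })) {
    $t = Test-WebResource -Url $res.Url
    if ($t.Ok) {
        Write-Output ("OK    {0} [{1}]" -f $res.Name, $t.Detail)
    } else {
        $failed++
        Write-Output ("FAIL  {0} [{1}] -> {2}" -f $res.Name, $t.Detail, $res.Impact)
    }
}
exit $failed   # non-zero exit code lets a scheduler or monitor raise an alert
```

Save it as a script file and run it on a schedule from one intranet host and one Internet-facing host, with `$Vantage` set accordingly on each.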
For information about high availability for Internet Information Services (IIS)-based Web servers, see Planning Redundancy for a Network Location Server and Planning Redundancy for CRL Distribution Points.