Forefront Unified Access Gateway (UAG) DirectAccess extends the benefits of Windows DirectAccess across your infrastructure, enhancing scalability, and simplifying deployments and ongoing management.
This topic provides information on:
- Main features of
Forefront UAG DirectAccess
- Key elements of a
Forefront UAG DirectAccess solution
- Key concepts of
Forefront UAG DirectAccess
Main features of Forefront UAG DirectAccess
Forefront UAG DirectAccess features include the following:
- Improved manageability of remote
users—Forefront UAG DirectAccess enables IT professionals to
manage mobile computers by updating Group Policy settings and
distributing software updates any time the mobile computer has
Internet connectivity, even if the user is not logged on. This
flexibility allows IT professionals to manage remote computers on a
regular basis, and ensures that mobile users stay up-to-date with
security and system health policies.
- More secure and flexible network
infrastructure—Forefront UAG DirectAccess takes advantage of
technologies, such as, Internet Protocol version 6 (IPv6) and
Internet Protocol security (IPsec), providing a more secure and
flexible network infrastructure for enterprises by using
authentication and encryption, as follows:
- Authentication—Forefront UAG
DirectAccess authenticates the client computer, enabling the
computer to connect to the intranet before the user logs on.
- Encryption—Forefront UAG DirectAccess
uses IPsec to provide encryption for communications across the
For more information on IPsec, see IPsec (http://go.microsoft.com/fwlink/?LinkId=154708).
- Authentication—Forefront UAG DirectAccess authenticates the client computer, enabling the computer to connect to the intranet before the user logs on.
- IT simplification and cost
reduction—Forefront UAG enables you to reduce your costs
- Providing unified management—Forefront
UAG provides unified management for all the remote access
- Hardware consolidation—Forefront UAG
manages remote access technologies, load balancing and array
functionality, and NAT64 and DNS64 on the same server using the
same Management console.
- Providing unified management—Forefront UAG provides unified management for all the remote access technologies.
- Extended access to IPv4-only
resources—Forefront UAG DirectAccess uses integrated NAT64 and
DNS64 to enable clients to also access IPv4-only resources
- Simplified deployment and
administration—The Forefront UAG DirectAccess configuration is
incorporated into the Forefront UAG Management console, and is
configured using interactive wizards that provide simpler
deployment and management.
- Enhanced scalability, high availability
and management—By utilizing its array management capabilities
and integrated Windows network load balancing, Forefront UAG
enables you to set up multiple Forefront UAG DirectAccess servers
in an array, providing high availability and scalability.
Forefront UAG DirectAccess SP1 add the following features:
- Simplified deployment and
administration—The Forefront UAG DirectAccess configuration is
incorporated into the Forefront UAG Management Console, and is
configured using interactive wizards, providing simpler deployment
The wizard supports the following new features:
- Management only—You can configure
Forefront UAG DirectAccess for management only, enabling
DirectAccess clients to be managed without giving them access to
- Two-factor authentication—Forefront
UAG DirectAccess supports two-factor authentication using smart
cards and RSA Secure ID tokens.
- Organizational units (OUs)— Forefront
UAG DirectAccess supports the use of OUs when configuring client
and server groups in the Forefront UAG DirectAccess Configuration
- Group Policy object (GPO)
provisioning—Forefront UAG DirectAccess provides a flexible
solution for DirectAccess GPO provisioning.
- DirectAccess Connectivity Assistant
(DCA)—DCA policy can be created in the Forefront UAG
DirectAccess Configuration Wizard and then distributed to
- Force tunneling—DirectAccess clients
can be configured to work using force tunneling, so that all
traffic from a DirectAccess client is channeled through the
Forefront UAG DirectAccess server.
- Network Access Protection (NAP)—NAP
can be automatically configured on the Forefront UAG DirectAccess
server. Existing NAP deployments are also supported.
- Management server
auto-discovery—Forefront UAG DirectAccess supports the
auto-discovery of management servers, including domain controllers,
SCCM servers and HRA servers.
- Management only—You can configure Forefront UAG DirectAccess for management only, enabling DirectAccess clients to be managed without giving them access to the intranet.
- Monitoring—Forefront UAG DirectAccess
enables you to monitor DirectAccess client sessions and Forefront
UAG DirectAccess server’s health, using Web Monitor, TMG and a
PowerShell snap-in cmdlet.
Key elements of a Forefront UAG DirectAccess solution
The key elements of the Forefront UAG DirectAccess solution include the following:
- DirectAccess client—A domain-joined
computer running Windows 7 Enterprise, Windows 7 Ultimate, or
Windows Server 2008 R2, that can automatically and transparently
connect to an internal network through a Forefront UAG DirectAccess
- Forefront UAG DirectAccess server—A
domain joined computer running Windows Server 2008 R2 Standard
edition or Windows Server 2008 R2 Enterprise edition, that accepts
connections from DirectAccess clients and facilitates communication
with internal network resources. The Forefront UAG DirectAccess
server extends the features provided by Windows DirectAccess, and
also offers integrated NAT64 and DNS64. For more information, see
placement of a Forefront UAG DirectAccess server.
- Network location server—A server that
a DirectAccess client uses to determine whether it is located on
the Internet or the intranet. For more information, see Planning the placement
of a network location server.
- Certificate revocation list (CRL)
distribution points—Servers that provide access to the CRL that
is published by the certification authority (CA) issuing
certificates for Forefront UAG DirectAccess. For more information,
see Planning the
placement of CRL distribution points.
The following figure illustrates some of the components of a Forefront UAG DirectAccess infrastructure, and the relationship between the components that work together to provide DirectAccess to the intranet, for clients on the Internet.
Key concepts of Forefront UAG DirectAccess
The Forefront UAG DirectAccess solution uses a combination of technologies that provide transparent access to intranet resources to DirectAccess clients.
The following sections describe the role of these technologies:
- Separation of DNS
- Network location
- NAT64 and DNS64
- Network Load Balancing
- External load
IPv6 is the new version of the network layer of the TCP/IP protocol stack, that is designed to replace Internet Protocol version 4 (IPv4) which is widely used on intranets and the Internet. IPv6 provides an address space large enough to allow for end-to-end addressing of nodes on the IPv6 Internet, and on the IPv4 Internet with IPv6 transition technologies. Forefront UAG DirectAccess uses this capability to provide end-to-end addressing from DirectAccess clients on the IPv4 or IPv6 Internet to computers on an intranet.
Because the current Internet is IPv4-based and many organizations have not deployed native IPv6 addressing and routing on their intranets, Forefront UAG DirectAccess uses IPv6 transition technologies to provide IPv6 connectivity over these IPv4-only networks. Teredo, 6to4, Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS), and the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) are examples of IPv6 transition technologies. These technologies allow you to use IPv6 on the IPv4 Internet and your IPv4-only intranet. IPv6 transition technologies can simplify and reduce the costs of an IPv6 deployment.
IPv6 connectivity across the IPv4 Internet
To send IPv6 packets across the IPv4 Internet, a DirectAccess client can use 6to4, Teredo, or IP-HTTPS. If the DirectAccess client has been assigned a public IPv4 address, it will use 6to4. If assigned a private IPv4 address, it will use Teredo. If the DirectAccess client cannot connect to the Forefront UAG DirectAccess server by using either 6to4 or Teredo, it will use IP-HTTPS.
- 6to4—6to4, defined in RFC 3056, is an
IPv6 transition technology that provides IPv6 connectivity across
the IPv4 Internet for hosts or sites that have a public IPv4
address. For more information, see IPv6 Transition Technologies
- Teredo—Teredo, defined in RFC 4380, is
an IPv6 transition technology that provides IPv6 connectivity
across the IPv4 Internet for hosts that are located behind an IPv4
network address translation (NAT) device, and are assigned a
private IPv4 address. For more information, see Teredo Overview
- IP-HTTPS—IP-HTTPS is a new protocol
for Windows 7 and Windows Server 2008 R2, that
enables hosts behind a Web proxy server or firewall to establish
connectivity by tunneling IPv6 packets inside an IPv4-based HTTPS
session. HTTPS is used instead of HTTP so that Web proxy servers
will not attempt to examine the data stream and close the
connection. IP-HTTPS is typically used only if the client is unable
to connect to the Forefront UAG DirectAccess server by using the
other IPv6 connectivity methods, or if force tunneling has been
Performance of IP-HTTPS may not be as good as the other Forefront UAG DirectAccess connection protocols.
For the details of IP-HTTPS, see the IP over HTTPS (IP-HTTPS) Tunneling Protocol Specification (http://go.microsoft.com/fwlink/?LinkId=169501).
IPv6 connectivity across an IPv4-only intranet
ISATAP, defined in RFC 4214, is an IPv6 transition technology that provides IPv6 connectivity between IPv6/IPv4 hosts across an IPv4-only intranet. ISATAP can be used for Forefront UAG DirectAccess to provide IPv6 connectivity to ISATAP hosts across your intranet.
For more information, see IPv6 Transition Technologies (http://go.microsoft.com/fwlink/?LinkID=154382). ).
IPsec is a framework of open standards for guaranteeing private, secure communications over Internet Protocol (IP) networks by using cryptographic security services. IPsec provides aggressive protection against attacks through end-to-end security. The only computers that must know about IPsec protection are the sender and receiver in the communication. IPsec enables the protection of communication between workgroups, local area network computers, domain clients and servers, branch offices (which might be physically remote), extranets, and roaming clients.
IPsec protection can be used in two different modes: transport mode and tunnel mode. Transport mode is designed to protect an Internet Protocol (IP) packet payload. Tunnel mode is designed to protect a whole IP packet. For more information, see IPsec Protocol Types (http://go.microsoft.com/fwlink/?LinkId=169502).
Forefront UAG DirectAccess uses IPsec settings in the form of connection security rules in the Windows Firewall with Advanced Security snap-in, and the Network Shell (Netsh) command-line tool advfirewall context for peer authentication, data integrity, and data confidentiality (encryption) of DirectAccess connections. Multiple rules can be applied to a computer simultaneously, each providing a different function. The result of all these rules working together is a DirectAccess client that has protected communications with the Forefront UAG DirectAccess server and intranet servers, encrypting traffic sent over the Internet, and optionally protecting end-to-end traffic.
|Windows Server 2003 and earlier versions of Windows Server do not fully support the use of IPsec with IPv6. (Other non-Windows application servers may also fall into this category). IPv6-capable resources on servers that are running Windows Server 2003 will not support IPsec transport encryption and these servers cannot be included in the optional DirectAccess end-to-end application server group. These resources will be available to DirectAccess clients using the default end-to-edge access model. IPv4-only resources on servers that are running Windows Server 2003, including most built-in applications and system services, require IPv6 to IPv4 protocol translation such as the Forefront UAG DirectAccess NAT64 feature to be available to DirectAccess clients.|
When a DirectAccess client sends data to the intranet, the traffic is encrypted over the Internet. For the end-to-edge and selected server access models, multiple connection security rules configured on the DirectAccess client, define tunnel mode IPsec settings for communication between the DirectAccess client and the intranet:
- The first rule for the infrastructure tunnel
requires authentication with a computer certificate along with the
computer account user-based NTLM and encrypts traffic with IPsec
and the Encapsulating Security Payload (ESP). This rule provides
protected communication with Active Directory domain controllers,
DNS servers, and other defined intranet infrastructure resources
for the client machine based on computer authentication even when
no user has logged on.
- The second rule for the intranet tunnel
requires authentication with a computer certificate and user-based
Kerberos credentials. This rule provides protected communication to
all intranet resources with the logged on users credentials, and
may also include additional two factor authentication. For the
end-to-edge access model, termination of IPsec tunnels between the
DirectAccess client and the intranet is done by the IPsec Gateway
feature on the Forefront UAG DirectAccess server.
Data integrity allows the receiving IPsec peer to cryptographically verify that the packet was not changed in transit. When encrypting data with IPsec, data integrity is also provided. It is possible to specify data integrity without encryption. This might be helpful in order to reduce the threat of spoofing or man-in-the-middle attacks and allow you to make sure that DirectAccess clients are connecting to their intended servers.
|When sensitive data is transmitted, IPsec with only data integrity should be used only when some other form of encryption is also implemented. It is possible to have end-to-end data integrity using transport mode rules while you are using end-to-edge encryption for the tunnel mode rules, which is how the specified server access model works.|
Forefront UAG DirectAccess provides data integrity by using transport and tunnel mode IPsec settings. These settings can be applied to DirectAccess clients, Forefront UAG DirectAccess servers, or application servers and provide data integrity by requiring ESP-NULL (recommended). Some network infrastructure devices or traffic monitoring and inspection solutions might not be able to parse packets with an IPsec ESP or AH header. In this case, you can use authentication with null encapsulation to perform IPsec peer authentication, but no per-packet data integrity.
Separation of DNS traffic
Windows Server 2008 R2 and Windows 7 introduced the NRPT, a new feature that enables DNS servers to be defined per DNS namespace, instead of per interface. The NRPT stores a list of rules. Each rule defines a DNS namespace and configuration settings that define the DNS client’s behavior for that namespace. When a DirectAccess client is on the Internet, each name query request is compared with the namespace rules stored in the NRPT. If a match is found, the request is processed according to the settings in the NRPT rule. The settings determine the DNS servers to which the request will be sent.
If a name query request does not match a namespace listed in the NRPT, it is sent to the DNS servers configured in the TCP/IP settings for the specified network interface. For a remote client, this is typically the Internet DNS servers as configured through the Internet service provider (ISP). For a DirectAccess client on the intranet, this is typically the intranet DNS servers as configured through the Dynamic Host Configuration Protocol (DHCP).
Single-label names, such as http://internal, will typically have configured DNS search suffixes appended to the name before they are checked against the NRPT. If no DNS search suffixes are configured, and the single-label name does not match any other single-label name rules in the NRPT, the request will be sent to the DNS servers specified in the client’s TCP/IP settings.
Namespaces, such as .internal.contoso.com, are added to the NRPT followed by the IPv6 addresses of the DNS servers to which requests matching that namespace should be directed. If an IP address is entered for the DNS server, all DNS requests will be sent directly to the DNS server over the DirectAccess connection. There is no need to specify any additional security for this configuration.
The NRPT allows DirectAccess clients to use intranet DNS servers, or the Forefront UAG DirectAccess server when integrated DNS64 is configured, for name resolution (dedicated DNS servers are not required). Forefront UAG DirectAccess is designed to prevent the exposure of your intranet namespace to the Internet.
Some names must be treated differently to others with regard to name resolution; these names must not be resolved using intranet DNS servers. To ensure that these names are resolved with interface-configured DNS servers, you must add them as NRPT exemptions.
If no DNS server addresses are specified in the NRPT rule, or by selecting the Do not use an internal DNS server for the specified server or suffix option in the DNS Suffixes page of the wizard, the rule is an exemption. If a DNS name matches a rule in the NRPT that does not contain addresses of DNS servers or does not match a rule in the NRPT, the DirectAccess client sends the name query to interface-configured DNS servers.
If any of the following servers have a name suffix that matches an NRPT rule for the intranet namespace, that server name must be an NRPT exemption:
- WPAD servers.
- Network location servers.
- Intranet certificate revocation list (CRL)
- All quarantine and system health remediation
These servers must always be resolved with interface-configured DNS servers.
Network location servers
A network location server is an intranet network server that hosts a Secure Hypertext Transfer Protocol (HTTPS)-based uniform resource locator (URL). DirectAccess clients access this URL to determine whether they are located on the intranet. A separate, high-availability Web server is required. The Web server is not required to be dedicated as a network location server.
Because the behavior of the DirectAccess client depends on the response from the network location server, it is critical to ensure that this Web site is available from each remote branch site. Branch locations may need a separate dedicated network location Web site at each branch location, to ensure that the Web site remains accessible even in the event of a link failure.
How intranet detection works
When a DirectAccess client starts up or experiences a significant network change event (such as a change in link status or a new IP address), it is assumed that it is not on the intranet, and uses Forefront UAG DirectAccess rules in the NRPT to determine where to send DNS name queries. The DirectAccess client then attempts to resolve the fully qualified domain name (FQDN) in the URL for the network location server, which is stored in the Computer Configuration/Policies/Administrative Templates/Network/Network Connectivity Status Indicator/Domain Location Determination URL Group Policy setting. Because the NRPT is active, this FQDN should either match an exemption rule or no rules in the NRPT, so that the DirectAccess client can use interface-configured DNS servers.
After resolving the FQDN, the DirectAccess client attempts to connect to the HTTPS-based URL of the network location server, which includes a Secure Sockets Layer (SSL)-based authentication and verification of the server certificate offered by the network location server. For authenticating the DirectAccess client’s access to the URL, use anonymous authentication. Certificate verification includes validating the certificate and verifying that it was not revoked by accessing the CRL location defined in the Web server’s certificate. When the DirectAccess client successfully accesses the HTTPS-based URL of the network location server, it determines that it is on the intranet. The DirectAccess client then removes the Forefront UAG DirectAccess NRPT rules from the active table, and the DirectAccess client uses interface-configured DNS servers to resolve all names.
|Just like the URL for the network location server, the FQDN in the URL or the universal naming convention (UNC) path for the CRL distribution point, should either match an exemption rule or no rules in the NRPT, so that the DirectAccess client can use interface-configured intranet DNS servers to resolve the name. If the DirectAccess client cannot resolve the FQDN for the CRL distribution point, intranet location detection fails.|
NAT64 and DNS64
Forefront UAG DirectAccess requires end-to-end IPv6 communication between DirectAccess clients and the internal resources that they connect to on the intranet. Many resources are not directly accessible over IPv6, including computers that are not capable of running IPv6, or computers with services that are not IPv6-aware (for example, a server that only supports IPv4, or a Windows 2003 server which is IPv6-capable but has services that are not IPv6-aware). When you need to connect to IPv4-only resources on your intranet, you can use the integrated NAT64 and DNS64 functionality on the Forefront UAG DirectAccess server.
NAT64 takes IPv6 traffic on one side and converts it into IPv4 traffic on the other side. The address conversion and conversation handling operate in a similar way to a traditional IPv4 NAT device. On the Forefront UAG DirectAccess server, NAT64 is used in combination with DNS64. DNS64 intercepts DNS queries and modifies the replies, so that IPv4 address answers to requests for the name of a computer, are converted into the appropriate IPv6 address answers that direct clients to the IPv6 address for the computer on the NAT64.
Network Load Balancing (NLB)
Forefront UAG integrates NLB functionality provided by Windows Server 2008 R2, with additional functionality that enables load balancing of Forefront UAG DirectAccess servers in a Forefront UAG array.
Network Load Balancing provides scalability and high availability to enterprise-wide TCP/IP services, and provides the following benefits:
- Scalability—Network Load Balancing
scales the performance of a server-based program, such as a
Forefront UAG DirectAccess, by distributing its client requests
across multiple servers within the Forefront UAG array. As traffic
increases, additional servers can be added to the Forefront UAG
array. Forefront UAG and NLB provide load balancing for up to 8
Forefront UAG DirectAccess array members.
- High availability—Network Load
Balancing provides high availability by automatically detecting the
failure of a server and repartitioning client traffic among the
remaining servers, providing users with continuous service.
- Stickiness—When a DirectAccess client
connects to the intranet through a Forefront UAG NLB array, the NLB
bidirectional affinity feature is applied. This guarantees that
traffic is handled in both directions by the same array member.
External load balancing solutions
Forefront UAG supports the use of external network load balancing solutions. When configuring an external load balancer, the following elements must be configured:
- The external load balancer—The
Internet-facing side of the load balancer.
- The internal load balancer—The intranet
facing side of the load balancer.
- The perimeter network Internet-facing side of
the Forefront UAG DirectAccess server.
- The perimeter network intranet facing side of
the Forefront UAG DirectAccess server.