This topic provides the planning information required for Forefront Unified Access Gateway (UAG) DirectAccess client configuration and deployment.
Managed computers configured as Forefront UAG DirectAccess clients can connect seamlessly to internal networks, regardless of location. DirectAccess client computers can connect to corporate resources, and can be managed with the same mechanisms as computers on the internal network. When a computer running Forefront UAG DirectAccess starts, the following occurs:
- Infrastructure (first) tunnel is established─When a
DirectAccess client computer connects to the Internet ( before the
user logs on) it establishes the infrastructure tunnel, to allow
the client computer to connect to internal management and domain
resources such as AD DS domain controllers and DNS servers. This
tunnel is bidirectional, and can be used to manage DirectAccess
clients computers from the corporate network.
- Intranet (second) tunnel is established─After the user logs on
a second tunnel (the intranet tunnel) is established. This tunnel
enables users to connect to corporate resources as if the
DirectAccess client computer is located in the internal network.
Client computers can connect to internal servers, using both FQDNs
and single label names.
You can deploy two main client scenarios:
- Deploy Forefront UAG DirectAccess for remote
management only─This scenario allows you to manage DirectAccess
client computers remotely, without allowing access to internal
resources. Only the first infrastructure tunnel is established, and
clients have access only to specific infrastructure servers.
Alternative solutions are used to provide remote access if
required. Using remote management tasks you can perform include
pushing software installation and updates; client health checking
and remediation; asset discovery; and remote desktop control.
- Deploy Forefront UAG DirectAccess to provide
internal network access and remotely manage DirectAccess
clients─This scenario provides both remote management, and allows
access to internal resources. Both tunnels are established.
After DirectAccess client computers connect to infrastructure and management servers, communications can be initiated by the client computer or a server. For client-initiated communications, management agents running on the client computer communicate with the servers, over either the infrastructure tunnel (for remote management only) or the intranet tunnel if the user is logged on. No specific firewall rules are required for this type of connection. Examples of client-initiated traffic to servers include:
- System Center Configuration Manager
- Windows Server Update Service
- System Center Operation Manager (in most cases)
- Updating Anti-Virus definitions
- Applying Group Policy Objects
For server-initiated communications, Windows Firewalll with Advanced Security firewall rules might be required to enable management servers to initiate connections. Examples of server initiated traffic to clients include:
- Peer-to-peer protocols that may be used by IT
personnel, such as Remote Desktop, and Server Message Block (SMB)
- Endpoint vulnerability scans
Client initiated communications to infrastructure and management servers.
In addition to general Forefront UAG DirectAccess requirements, client-initiated communications to infrastructure and management servers required the following:
Server initiated communications to infrastructure and management servers.
The following limitations exist when using deploying Forefront UAG DirectAccess for remote management only:
- DirectAccess clients can only access the
infrastructure and management servers configured in the
Management Servers page of the DirectAccess Infrastructure
Server Configuration Wizard.
- NAP monitoring and health remediation is
available, but NAP policies cannot be enforced, because
DirectAccess clients do not need access to internal network
resources via the intranet tunnel. The relevant NAP servers must be
included in the list of infrastructure and management servers.
- Routing of DirectAccess client Internet
requests via the DirectAccess server (force tunneling) is not
available with remote access only.
- Strong authentication with a one-time
password (OTP) is not available.
Planning steps for internal network access and remote management include the following:
- Complete the basic planning steps for Forefront UAG
DirectAccess deployment. For more information, see
- Collect a list of all infrastructure and management servers
that will be available to DirectAccess clients, record server
names, and IPv4 or IPv6 addresses. If you want to provide NAP
monitoring and health remediation, your NAP remediation servers
should be included in the list. Note that when you configure the
list of servers in the dashort Wizard, an auto-discovery feature
automatically identifies your organization’s domain controllers,
Health Registration Authority (HRA servers), and System Center
Configuration Manager (SCCM) servers.
- Ensure that servers that will initiate connections to
DirectAccess clients fully support IPv6. The Forefront UAG
DirectAccess NAT64 implementation on does not support translation
of outbound connections initiated from the intranet.
- If DirectAccess clients are located behind a NAT device, plan
to create Windows Firewall Advanced Security firewall rules to
enable management servers to initiate connections to these clients.
Configure the rules for each protocol that will initiate a
connection to DirectAccess clients. Enable edge traversal on each
rule. Note that although client computers connecting with 6to4 IPv6
do not require rules with edge traversal, we recommend that you
enable edge traversal because the client connection method cannot
always be predicted.
- Servers initiating communication with clients must be able to
determine the IPv6 address of the remote DirectAccess client. The
client must register its FQDN and IPv6 address in the internal
corporate DNS servers. The following DNS servers can be used:
- Windows Server 2008 or Windows Server 2008 R2
based DNS Servers, natively support both of the
- Windows Server 2003 DNS servers with
Forefront UAG DirectAccess, and the integrated NAT64 and DNS64 to
provide connectivity to IPv4 only DNS servers.
Forefront UAG DirectAccess supports using NAT64 and DNS64 to register DirectAccess clients on a Windows 2003 Active Directory infrastructure.
- A DNS server that supports dynamic updates,
and AAAA records.
- Windows Server 2008 or Windows Server 2008 R2 based DNS Servers, natively support both of the above.(Recommended)
- Note that when deploying Forefront UAG DirectAccess for remote
management only, it is still possible to use IKE and ICMP to
resources on the intranet.