This topic describes how to configure clients to receive the Forefront Unified Access Gateway (UAG) DirectAccess client configuration settings. Group Policy provides an object-based method to create, distribute, and apply DirectAccess settings to clients. You must create or use existing Active Directory Domain Services security groups that contain the computer accounts for the computers that you want to receive DirectAccess settings. You select security groups, and add them to the list in the Forefront UAG DirectAccess client configuration screen. The Forefront UAG DirectAccess Configuration Wizard automatically creates Group Policy objects (GPOs) with the appropriate settings, and applies them to the specified security groups.

  • Security groups can contain computer accounts from multiple domains. For every domain that has computer accounts in the specified security groups, you must add its domain controllers to the list of Management servers and Domain Controllers. For instructions, see Managing remote client computers.

  • Only clients from domains included in the first level of nesting from the parent security group are automatically enabled to receive Forefront UAG DirectAccess Group Policy.

  • The security group's scope must be universal or global.

To configure clients for DirectAccess

  1. In the Forefront UAG Management console, click DirectAccess to start the Forefront UAG DirectAccess Configuration Wizard.

  2. From the Forefront UAG DirectAccess Configuration Wizard, in the Clients box, click Configure.

  3. Click Add, select the security group(s) containing the computer accounts you want to enable for DirectAccess configuration, click OK, and then click Finish. Clicking Remove removes the currently selected security group from the list.

    When security groups are added in the Client Configuration section of the wizard, the domains of the client computers held in the security group are provisioned to receive settings from the GPO. If a client from an additional domain (not present as a client domain when the GPO was created), or a client whose domain is not included in the first level of nesting of the security group, is added to the specified security group, it is not automatically linked to the GPO, so the client will not receive GPO settings. To resolve this problem and link additional user domains, do the following:
    1. At the end of the Forefront UAG DirectAccess Configuration Wizard, click Export Script and save the script, for example script.ps1.

    2. On the taskbar, click Start, click All Programs, click Accessories, click Windows PowerShell, right-click Windows PowerShell, and then click Run as administrator.

    3. From the PowerShell command prompt, type the following command, and then press ENTER:

      ./script.ps1 -AdditionalClientDomains "DC=corp, DC=contoso, DC=com|DC=corp2, DC=contoso, DC=com"

      "DC=corp, DC=contoso, DC=com" represents a domain, and each domain you want to link is separated by a |.
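The following added example (not part of the original documentation or of the exported script) derives the -AdditionalClientDomains value from the distinguished names of the computer accounts in a security group, so that no client domain is missed. The function names, the group name DA_Clients, and the sample DNs are assumptions constructed for illustration, and the output follows the ", " spacing of the command shown above.

```powershell
# Added example: function names and sample DNs are hypothetical, constructed for illustration.
function Get-DomainDnFromObjectDn {
    param([string]$DistinguishedName)
    # Split on unescaped commas and keep only the DC= components of the DN.
    $parts = [regex]::Split($DistinguishedName, '(?<!\\),') |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^DC=' }
    # Join with ", " to match the spacing used in the command shown above.
    return ($parts -join ', ')
}

function New-AdditionalClientDomainsValue {
    param(
        [string[]]$MemberDn,          # DNs of direct members of the security group
        [string[]]$ProvisionedDomain  # domains already covered when the GPO was created
    )
    # Normalize for comparison: ignore whitespace and case.
    $known = @($ProvisionedDomain | ForEach-Object { ($_ -replace '\s', '').ToLower() })
    $seen = @{}
    $result = @()
    foreach ($dn in $MemberDn) {
        $domain = Get-DomainDnFromObjectDn $dn
        if (-not $domain) { continue }   # no DC= components: skip this entry
        $key = ($domain -replace '\s', '').ToLower()
        if (($known -contains $key) -or $seen.ContainsKey($key)) { continue }
        $seen[$key] = $true
        $result += $domain
    }
    # Each domain to link is separated by a |, as described above.
    return ($result -join '|')
}

# Constructed sample input. With the ActiveDirectory module, the DNs could be read with
#   (Get-ADGroup 'DA_Clients' -Properties Members).Members
# and the group's scope (which must be Universal or Global) with
#   (Get-ADGroup 'DA_Clients').GroupScope
# Members that are nested groups are not expanded here; only direct member DNs are parsed.
$members = @(
    'CN=LAPTOP01,OU=Mobile,DC=corp,DC=contoso,DC=com',
    'CN=LAPTOP02,OU=Mobile,DC=corp2,DC=contoso,DC=com',
    'CN=LAPTOP03,CN=Computers,DC=corp3,DC=contoso,DC=com',
    'CN=LAPTOP04,OU=Mobile,DC=corp2,DC=contoso,DC=com'
)
$value = New-AdditionalClientDomainsValue -MemberDn $members `
    -ProvisionedDomain 'DC=corp, DC=contoso, DC=com'
$value   # pass this string as: ./script.ps1 -AdditionalClientDomains $value
```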