Modifying the Forefront UAG DirectAccess export script
Updated: February 1, 2011
Applies To: Unified Access Gateway
On completion of the Forefront UAG DirectAccess Configuration Wizard, you can apply the configuration settings immediately or export them to an export script. In certain cases, you might want to modify parameters in the exported script before you apply it; for example, if you want to populate some of the parameters manually instead of using the Forefront UAG DirectAccess Configuration Wizard, or if you want to perform configurations that cannot be done in the wizard, such as changing the name of Group Policy objects (GPOs) created by Forefront UAG DirectAccess.
This topic describes how to edit parameters in the export script that is created at the end of the Forefront UAG DirectAccess Configuration Wizard.
Warning
Unless you are familiar with the parameters in the export script, it is recommended that you do not make any changes.
Modifying and applying runtime and static Forefront UAG export script parameters
The export script can include runtime or static parameters. You can modify the export script parameters depending on their type, as follows.
To modify the export script parameters

1. On the taskbar, click Start, click All Programs, click Accessories, click Windows PowerShell, right-click Windows PowerShell, and then click Run as administrator.
2. At the PowerShell command prompt, type ./script.ps1 -ParameterName "Value", replacing ParameterName with the name of a runtime parameter from the Runtime Parameters table that follows (for example, AdditionalClientDomains) and Value with the value to assign to it.

Note
See the tables that follow this procedure for a description of the runtime and static parameters that you can modify.

You can also modify the static script parameters as follows:

1. Open the export script in Notepad and, referring to the Static Parameters table that follows this procedure, modify the relevant parameters in the export script, and then save the script.
2. On the taskbar, click Start, click All Programs, click Accessories, click Windows PowerShell, right-click Windows PowerShell, and then click Run as administrator.
3. At the Windows PowerShell command prompt, run the modified script file.
4. In the Forefront UAG Management console, click the Activate configuration icon, and then in the Activate Configuration dialog box, click Activate to start the configuration.
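Because a static parameter edited by hand in Notepad is not validated until the script runs, it is worth checking the edited values against the formats given in the Static Parameters table first. The following PowerShell is an added example and not part of the Forefront UAG documentation or its export script; the `$params` hashtable is a constructed sample built from the table's own example values, and the function names `Test-IpFamily` and `Test-UagDaStaticParams` are this example's own.

```powershell
# Added example (not part of the Forefront UAG documentation): a pre-flight check that hand-edited
# static parameter values still match the formats in the Static Parameters table. The hashtable is
# a constructed sample built from that table's own examples; substitute your own edited values.
$params = @{
    UAGDA_CERT_TYPE          = 'root'
    UAGDA_CLIENTDNS_FALLBACK = '2'
    UAGDA_DTE_ACCESS         = '2002:b00:20::b00:20'
    UAGDA_GATEWAY_PUBLIC_IP  = '199.0.0.30'
    UAGDA_IPHTTPS_URL        = 'https://da.company.net:443/IPHTTPS'
    UAGDA_PREFIX_CORP        = '2002:b00:1f:8000::/49,2001:4110:10::/48'
}

function Test-IpFamily([string]$text, [string]$family) {
    $ip = $null
    return ([ipaddress]::TryParse($text, [ref]$ip)) -and ($ip.AddressFamily -eq $family)
}

function Test-UagDaStaticParams([hashtable]$p) {
    $issues = @()
    # Only the two documented CA types are valid.
    if (@('root', 'intermediate') -notcontains $p.UAGDA_CERT_TYPE) {
        $issues += "UAGDA_CERT_TYPE must be 'root' or 'intermediate'"
    }
    # Fallback mode is 0-3; the table documents 1 as least secure and 2 as recommended.
    if ($p.UAGDA_CLIENTDNS_FALLBACK -notmatch '^[0-3]$') {
        $issues += 'UAGDA_CLIENTDNS_FALLBACK must be 0, 1, 2 or 3'
    } elseif ($p.UAGDA_CLIENTDNS_FALLBACK -eq '1') {
        Write-Warning 'UAGDA_CLIENTDNS_FALLBACK=1 falls back to local name resolution on any DNS error'
    }
    # The remote tunnel endpoint is IPv6; the public gateway address is IPv4.
    if (-not (Test-IpFamily $p.UAGDA_DTE_ACCESS 'InterNetworkV6')) {
        $issues += 'UAGDA_DTE_ACCESS is not a valid IPv6 address'
    }
    if (-not (Test-IpFamily $p.UAGDA_GATEWAY_PUBLIC_IP 'InterNetwork')) {
        $issues += 'UAGDA_GATEWAY_PUBLIC_IP is not a valid IPv4 address'
    }
    # The IP-HTTPS URL must be HTTPS and carry an explicit port (the table says a port is required).
    if ($p.UAGDA_IPHTTPS_URL -notmatch '^https://[^/:]+:\d{1,5}(/|$)') {
        $issues += 'UAGDA_IPHTTPS_URL must be an https:// URL with an explicit port'
    }
    # Each comma-delimited corp prefix must be an IPv6 address followed by a /0-128 length.
    foreach ($pre in ($p.UAGDA_PREFIX_CORP -split ',')) {
        $addr, $len = $pre.Trim() -split '/'
        if (-not (Test-IpFamily $addr 'InterNetworkV6') -or $len -notmatch '^\d{1,3}$' -or [int]$len -gt 128) {
            $issues += "UAGDA_PREFIX_CORP entry '$($pre.Trim())' is not an IPv6 prefix"
        }
    }
    return $issues
}
@(Test-UagDaStaticParams $params)   # empty output means every checked value is well-formed
```

Run it before step 3 of the static procedure; any line it prints names a parameter whose value does not match the documented format.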
Runtime Parameters
Parameter Name | Parameter Definition | Format Type | Example |
---|---|---|---|
AdditionalAppServerDomains | Links the AppServers GPO to the additional domains specified. | Domain names in distinguished-name format, separated by \| | DC=corp,DC=contoso,DC=com\|DC=sales,DC=contoso,DC=com |
AdditionalClientDomains | Links the Client GPO to the additional domains specified. | Domain names in distinguished-name format, separated by \| | DC=corp,DC=contoso,DC=com\|DC=sales,DC=contoso,DC=com |
Static Parameters
Parameter Name | Parameter Definition | Format Type | Example |
---|---|---|---|
UAGDA_ACCESS_ENABLING_ADDRESSES_<GroupName>_<#> | IPv6 addresses of the servers contained in an Access Enabling group. For every 195 servers, a numeric suffix is appended to the group name. The addresses are used in the Access Enabling tunnel IPsec rule. | Comma delimited | 2012::4444:0:0:c00:1,2012::4444:0:0:b00:11,2012::4444:0:0:b03:34F |
UAGDA_CERT_MACHINE_AUTH | The name of the root or intermediate certification authority. Used for the IPsec rules and the NRPT. | Distinguished name of the CA | DC=com, DC=contoso,DC=corp, CN=corp-DC-CA |
UAGDA_CERT_TYPE | Whether UAGDA_CERT_MACHINE_AUTH is a root or an intermediate CA. | "Root" or "intermediate" | root |
UAGDA_CLIENTDNS_FALLBACK | Local name resolution option. See Identifying DNS servers. | 0 = Use local name resolution only if the name does not exist in DNS. 1 = Fall back to local name resolution on any kind of DNS resolution error (least secure). 2 = Fall back to local name resolution if the name does not exist in DNS or the DNS servers are unreachable while the client computer is on a private network (recommended). 3 = No local name resolution (not offered as an option in the user interface). | 2 |
UAGDA_DTE_ACCESS | External IPv6 address of the Forefront UAG server, used as the remote tunnel endpoint of the DNS and Access Enabling IPsec rules. | IPv6 address | 2002:b00:20::b00:20 |
UAGDA_DTE_CORP | External IPv6 address of the Forefront UAG server, used as the remote tunnel endpoint of the Corp IPsec rule. | IPv6 address | |
UAGDA_GATEWAY_PUBLIC_IP | External IPv4 address of the Forefront UAG server. Used for the transition technologies (Teredo, 6to4). | IPv4 address | 199.0.0.30 |
UAGDA_IPHTTPS_URL | URL used for the IP-HTTPS transition technology. | HTTPS URL. You must specify a port. | https://da.company.net:443/IPHTTPS |
UAGDA_IPSEC_E2E_QM_SECMETHODS | The IPsec quick mode security method (integrity and encryption) used in end-to-end rules. | Netsh format | ESP:SHA256-None+60min+100000kb |
UAGDA_IPSEC_MM_KEYLIFETIME | The IPsec main mode key lifetime. | Netsh format | 60min,0sess |
UAGDA_IPSEC_MM_SECMETHODS | The IPsec main mode security methods (key exchange group, encryption and integrity). | Netsh format | dhgroup2:aes128-sha256,dhgroup2:aes128-sha1,dhgroup2:3des-sha1 |
UAGDA_IPSEC_QM_SECMETHODS | The IPsec quick mode security method (integrity and encryption) used in end-to-edge rules. | Netsh format | ESP:SHA1-AES192+60min+100000kb |
UAGDA_MACHINES_GW | The list of Forefront UAG array members, applied to the server GPO. You must specify the names of all members of the array. | Comma delimited list in the format Domain\MachineName | corp.contoso.com\DA1, corp.contoso.com\DA2 |
UAGDA_NCSI_DNSPROBECONTENT | Network Connectivity Status Indicator: the IPv6 address that UAGDA_NCSI_DNSPROBEHOST is expected to resolve to. | IPv6 address | ::1 |
UAGDA_NCSI_DNSPROBEHOST | Network Connectivity Status Indicator: the DNS name of an internal corp resource. If this name resolves correctly, the client has corp connectivity. | FQDN | ncsida.corp.contoso.com |
UAGDA_NCSI_SITEPREFIXES | Network Connectivity Status Indicator: the prefixes of your organization and the addresses used as IPsec tunnel endpoints. If a connection is made to a destination within one of these prefixes, the client has corp connectivity. | IPv6 prefixes, comma delimited | 2002:b00:1f:8000::/49,2001:4110:10::/48, 2002:b00:20::b00:20/128 |
UAGDA_NID_ADDRESS | The IPv6 address of the network location server. Used in the "NLA Exempt" client IPsec tunnel rule. | IPv6 address | 2012::2 |
UAGDA_NID_URL | The HTTPS URL of the network location server. Used to determine whether the client is inside or outside the corp network. | URL | https://io.corp.contoso.com/ |
UAGDA_POLICY_APPSERV | The name of the Group Policy object applied to the application servers. | String | UAG DirectAccess: AppServer{f7b77f47-7c33-4d8c-bb9a-a913c5675d8d} |
UAGDA_POLICY_CLIENT | The name of the Group Policy object applied to the clients. | String | UAG DirectAccess: Client{3491980e-ef3c-4ed3-b176-a4420a810f12} |
UAGDA_POLICY_GATEWAY | The name of the Group Policy object applied to the Forefront UAG servers. | String | UAG DirectAccess: DaServer{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300} |
UAGDA_PREFIX_CORP | The IPv6 prefix of the organization. Used in the "Corp" IPsec tunnel rule, and by the Network Connectivity Status Indicator to determine whether the client has corp connectivity. | IPv6 prefixes, comma delimited | 2002:b00:1f:8000::/49,2001:4110:10::/48 |
UAGDA_PREFIX_CORP_EXCLUSION | IPv6 ranges outside the organization prefix. Used in the AppServers end-to-end IPsec rule when you add end-to-end application servers. | IPv6 ranges, comma delimited | ::-2001:4110:10::,2001:4110:10:ffff:ffff:ffff:ffff:ffff-2002:b00:1f:8000::,2002:b00:1f:ffff:ffff:ffff:ffff:ffff-feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff |
UAGDA_PREFIX_IPHTTPS_CLIENT | The IPv6 prefix of the IP-HTTPS subnet. Used in the AppServers end-to-end IPsec rule when you add end-to-end application servers. | IPv6 prefix | 2002:b00:1f:8100::/56 |
UAGDA_SECGRP_APPSERV_DOMAINS | Links the AppServers GPO to the specified domains, so that the Group Policy is applied to computers in each of those domains. | Domain names in distinguished-name format, separated by \| | DC=corp,DC=contoso,DC=com\|DC=sales,DC=contoso,DC=com |
UAGDA_SECGRP_APPSSERVS | Security groups of the application servers, used when you add end-to-end application servers. | Comma delimited list of Domain\GroupName | corp.contoso.com\Application Servers,sales.contoso.com\Sales Servers |
UAGDA_SECGRP_CLIENTS | Security groups of the DirectAccess clients. | Comma delimited list of Domain\GroupName | corp.contoso.com\DirectAccess Client Machines |
UAGDA_SECGRP_CLIENT_DOMAINS | Links the Clients GPO to the specified domains, so that the Group Policy is applied to computers in each of those domains. | Domain names in distinguished-name format, separated by \| | DC=corp,DC=contoso,DC=com |