Capacity planning for Forefront UAG DirectAccess

Updated: February 1, 2010

Applies To: Unified Access Gateway

To design a scalable DirectAccess infrastructure, you must analyze the elements of a Forefront UAG DirectAccess deployment, and develop an implementation plan that considers the following factors:

  • Performance—Which types of resources are most used by each server role in your Forefront UAG DirectAccess deployment? How will you monitor performance?

  • Roles—Do servers in your Forefront UAG DirectAccess deployment perform multiple functions? How does this affect performance?

  • Availability—Do you require 100 percent availability for all server roles in your deployment?

  • Access profile—When and where does your network experience peak activity? Is the activity consistent or does it change over time?

The following provides information on:

  • Capacity planning for Forefront UAG DirectAccess servers

  • Capacity planning for network location servers

  • Capacity planning for CRL distribution points

Capacity planning for Forefront UAG DirectAccess servers

You can perform capacity planning for Forefront UAG DirectAccess servers by:

  • Increasing the number of concurrent authentications—If not previously configured, you can increase the number of concurrent authentication calls in progress at one time between the Forefront UAG DirectAccess server and the domain controller. To do so, set the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\MaxConcurrentApi (REG_DWORD) registry value on the Forefront UAG DirectAccess servers to 5, and then restart the NETLOGON service.

  • Using a Forefront UAG DirectAccess array with load balancing—You can expand the capacity of a single Forefront UAG DirectAccess server deployment by creating a load-balanced Forefront UAG array that provides high availability and scalability. For more information, see Configuring NLB for a Forefront UAG DirectAccess array.

  • Using an external load balancer—You can expand the capacity of a single Forefront UAG DirectAccess server deployment by creating an external load-balanced Forefront UAG array that provides high availability and scalability. For more information, see Configuring external load balancing for a Forefront UAG DirectAccess array.
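
The MaxConcurrentApi change described in the first item above, as an added PowerShell example that is not part of the original page. It assumes an elevated session on the Forefront UAG DirectAccess server, and it leaves the value untouched when one is already configured.

```powershell
# Added example: set Netlogon MaxConcurrentApi to 5 only if it is not already configured,
# then restart the Netlogon service and confirm the result.
$path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$name   = 'MaxConcurrentApi'
$target = 5   # value given on this page

# Read the current value; $null means the value does not exist yet.
$current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name

if ($null -ne $current) {
    # An administrator has already tuned this server; report and change nothing.
    Write-Output "$name is already set to $current on $env:COMPUTERNAME; no change made."
}
else {
    # Create the REG_DWORD value.
    New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $target | Out-Null

    # The new value takes effect only after the Netlogon service restarts.
    Restart-Service -Name Netlogon

    # Verify both the registry value and the service state before reporting success.
    $applied = (Get-ItemProperty -Path $path -Name $name).$name
    $status  = (Get-Service -Name Netlogon).Status
    if ($applied -ne $target -or $status -ne 'Running') {
        throw "Verification failed: $name=$applied, Netlogon status=$status"
    }
    Write-Output "$name set to $applied on $env:COMPUTERNAME; Netlogon is $status."
}
```

Run it on each server in the array, one at a time, so that authentication through the remaining servers continues while Netlogon restarts.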

Capacity planning for network location servers

The network location function for DirectAccess should be placed on an intranet Web server. You must plan the capacity of the network location server so that it can handle the DirectAccess clients on your intranet performing intranet detection. To provide capacity for an Internet Information Services (IIS) 7.0-based Web server, see the documentation for the Web Server (IIS) role (https://go.microsoft.com/fwlink/?LinkId=169495) on Windows Server 2008 R2 or Windows Server 2008 for recommendations on scaling IIS capacity.

Capacity planning for CRL distribution points

The certificate revocation list (CRL) distribution points on the Internet for the IP-HTTPS certificate, and on the intranet for the network location certificate, can be located on Web or file servers. You must plan for the capacity of CRL distribution points so that your Internet and intranet-connected DirectAccess clients can perform certificate revocation checking for the IP-HTTPS connection and for network location detection.

For an Internet Information Services (IIS)-based Web server or a Windows-based file server, see the documentation for the Web Server (IIS) role (https://go.microsoft.com/fwlink/?LinkId=169495), and File Services roles on Windows Server 2008 R2 or Windows Server 2008 for recommendations on scaling capacity.