Designing your intranet for corporate connectivity detection
Updated: February 1, 2010
Applies To: Unified Access Gateway
This topic describes how to ensure that DirectAccess clients can detect connectivity to the intranet.
Computers running Windows 7 or Windows Server 2008 R2 use corporate connectivity detection to determine whether the computer can access the resources of your intranet. Corporate connectivity detection is separate from network location detection. A DirectAccess client can successfully detect corporate connectivity when it is directly connected to the intranet or when it is roaming on the Internet.
Corporate connectivity determination is used for the following:
Active Directory® Domain Services (AD DS) domain members detect corporate connectivity before initiating updates of Group Policy settings.
Network Access Protection (NAP) clients use successful corporate connectivity detection to perform another health check if a previous health check determined that the client was unhealthy because it could not reach a NAP health policy server.
DirectAccess clients use corporate connectivity detection to determine when to use IP-HTTPS. If the DirectAccess client cannot access intranet resources using Teredo, it attempts to connect to the Forefront UAG DirectAccess server using IP-HTTPS.
Corporate connectivity detection relies on the ability to perform the following checks for different purposes, depending on the computer’s configuration:
Resolve a specific intranet fully qualified domain name (FQDN) to a specific Internet Protocol version 6 (IPv6) address.
Determine whether an IPsec security association (SA) has been established for an IPv6 address that is based on the IPv6 prefix of the intranet.
Access a specific intranet Web site.
The Forefront UAG DirectAccess Configuration Wizard automatically configures the following for corporate connectivity detection:
The intranet-specific name and IPv6 address. The wizard also registers the corresponding AAAA record in an intranet Domain Name System (DNS) server.
If your organization's DNS does not support dynamic updates, you must manually add an AAAA record with the FQDN and IPv6 address of the NCSI probe host. The default record that should be registered in DNS for the NCSI probe host is: AAAA UAGDirectAccess-corpConnectivityHost ::1.
The IPv6 prefix of the intranet.
Configuring settings and infrastructure needed for DirectAccess clients to access a specific intranet Web site
The Forefront UAG DirectAccess Configuration Wizard does not automatically configure the settings and infrastructure needed for DirectAccess clients to access a specific intranet Web site. This additional configuration is required for branch scenarios in which a Web proxy server is between the DirectAccess client and the corporate resources it is trying to reach. This additional configuration also aids in diagnosing DirectAccess connections.
To configure settings and infrastructure needed for DirectAccess clients to access a specific intranet Web site
Determine a Web site on your intranet that is not accessible from the Internet, is highly available, and is reachable with IPv6. To ensure its ongoing reachability with IPv6, assign it a static IPv6 address if you have a native IPv6 infrastructure, or a static Internet Protocol version 4 (IPv4) address if you are using Intra-Site Automatic Tunnel Addressing Protocol (ISATAP); an ISATAP address embeds the host's IPv4 address, so a static IPv4 address keeps the IPv6 address (and therefore the AAAA record) stable. For example, the Contoso Corporation uses cweb.corp.contoso.com as its central, highly available internal Web site. This Web server uses ISATAP and a static IPv4 address.
Create an alternate name for the Web server, and add that name and IPv6 address of the Web server as an AAAA record in your intranet DNS. For example, create an AAAA record in the intranet DNS that resolves corpcon.corp.contoso.com to the ISATAP-based IPv6 address of the cweb.corp.contoso.com Web server.
Construct an HTTP-based uniform resource locator (URL) from the alternate name and test it with your Web browser from a computer on the intranet. For example, the corresponding corporate connectivity URL is https://corpcon.corp.contoso.com.
Enable the Computer Configuration/Policies/Administrative Templates/Network/Network Connectivity Status Indicator/Corporate Website Probe URL Group Policy setting in the Group Policy object for DirectAccess clients, and configure it to use the constructed URL. For example, enable and configure the Corporate Website Probe URL setting with https://corpcon.corp.contoso.com.
If you use the Fall back to local name resolution if the name does not exist in DNS or the DNS servers are unreachable when the client computer is on a private network option for local host name resolution, you must specify the Corporate Website Probe URL setting as an FQDN rather than as an unqualified, single-label name. With a single-label name, local name resolution can complete the name to a host other than the intended intranet Web server, so corporate connectivity detection might incorrectly report that corporate connectivity exists and Forefront UAG DirectAccess diagnostics can be affected.
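Bringing the steps above together, as an added example that is not from the Forefront UAG documentation or product: the following PowerShell script adds the AAAA records and the Corporate Website Probe URL policy value, and then checks on a client the conditions the procedure depends on, including the FQDN requirement just described. The DNS zone and server names, the ISATAP prefix, the Web server's IPv4 address, the GPO name, and the registry value name behind the policy setting are assumptions, not values from this page.

```powershell
# Added example; not part of the Forefront UAG documentation or product.
# Assumptions that are not on the page:
#   - intranet DNS zone corp.contoso.com, hosted on dns1.corp.contoso.com, managed with
#     the DnsServer module (Windows Server 2012 or later; the dnscmd equivalent for
#     Windows Server 2008 R2 is shown in comments)
#   - ISATAP subnet prefix 2002:836b:1:1::/64 and a static IPv4 address of 10.0.0.50
#     on cweb.corp.contoso.com
#   - the DirectAccess client GPO is named 'UAG DirectAccess: Clients' and the
#     Corporate Website Probe URL policy is stored in the registry value
#     CorporateWebsiteProbeURL under the NetworkConnectivityStatusIndicator policy key

$Zone          = 'corp.contoso.com'
$DnsServer     = 'dns1.corp.contoso.com'
$IsatapPrefix  = '2002:836b:1:1'     # /64 ISATAP prefix (assumption)
$WebServerIPv4 = '10.0.0.50'         # static IPv4 address of cweb (assumption)
$ProbeName     = 'corpcon'           # alternate name for the Web server (step 2)
$ProbeUrl      = "https://$ProbeName.$Zone"
$NcsiHost      = "UAGDirectAccess-corpConnectivityHost.$Zone"
$GpoName       = 'UAG DirectAccess: Clients'   # assumption

# The ISATAP interface identifier for a host with a private IPv4 address is
# 0:5efe:w.x.y.z (RFC 5214), so a static IPv4 address yields a stable IPv6 address.
function Get-IsatapAddress([string]$Prefix, [string]$IPv4) {
    $addr = "${Prefix}:0:5efe:$IPv4"
    [void][System.Net.IPAddress]::Parse($addr)   # throws if the result is not a valid IPv6 address
    return $addr
}

# Steps 2 and 4: run on a management station that can reach the DNS server and has
# the DnsServer and GroupPolicy modules.
function Set-CorpConnectivityProbe {
    $ipv6 = Get-IsatapAddress $IsatapPrefix $WebServerIPv4   # 2002:836b:1:1:0:5efe:10.0.0.50

    # dnscmd equivalent: dnscmd $DnsServer /RecordAdd $Zone $ProbeName AAAA $ipv6
    Add-DnsServerResourceRecordAAAA -ComputerName $DnsServer -ZoneName $Zone `
        -Name $ProbeName -IPv6Address $ipv6

    # Only needed when the zone does not accept dynamic updates: the record the wizard
    # would otherwise register for the NCSI probe host (see the note earlier on this page).
    # dnscmd equivalent: dnscmd $DnsServer /RecordAdd $Zone UAGDirectAccess-corpConnectivityHost AAAA ::1
    Add-DnsServerResourceRecordAAAA -ComputerName $DnsServer -ZoneName $Zone `
        -Name 'UAGDirectAccess-corpConnectivityHost' -IPv6Address '::1'

    # Corporate Website Probe URL, written as the registry-backed policy value.
    Set-GPRegistryValue -Name $GpoName `
        -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator' `
        -ValueName 'CorporateWebsiteProbeURL' -Type String -Value $ProbeUrl
}

# Step 3 and the FQDN caveat: run on a DirectAccess client. Uses only .NET calls that
# are available on Windows 7 / PowerShell 2.0.
function Test-CorpConnectivityProbe([string]$Url, [string]$ProbeHostFqdn) {
    $u = [uri]$Url
    $r = @{}
    # A single-label host can be completed by local name resolution and produce a
    # false positive, so the configured name must contain at least one dot.
    $r.HostIsFqdn = $u.Host.Contains('.')
    # The alternate name must resolve to an IPv6 address.
    $r.ProbeAAAA = @([System.Net.Dns]::GetHostAddresses($u.Host) |
        Where-Object { $_.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6 } |
        ForEach-Object { $_.IPAddressToString })
    # The wizard-registered NCSI probe host must resolve to ::1.
    $r.NcsiHostIsLoopback = @([System.Net.Dns]::GetHostAddresses($ProbeHostFqdn) |
        ForEach-Object { $_.IPAddressToString }) -contains '::1'
    # The probe URL must answer. GetResponse() also throws WebException for non-success
    # HTTP status codes, so the recorded message tells you whether the server was reached
    # at all (through the IPsec tunnel or the branch Web proxy) or only answered with an error.
    try {
        $req = [System.Net.WebRequest]::Create($Url)
        $req.Timeout = 5000
        $resp = $req.GetResponse()
        $r.HttpStatus = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        $r.HttpStatus = $_.Exception.Message
    }
    return $r
}

# Set-CorpConnectivityProbe                                           # on the management station
# Test-CorpConnectivityProbe -Url $ProbeUrl -ProbeHostFqdn $NcsiHost   # on a DirectAccess client
```

Run Test-CorpConnectivityProbe once while the client is connected to the intranet and once while it is roaming on the Internet: HostIsFqdn, NcsiHostIsLoopback and a non-empty ProbeAAAA should be true in both cases, and HttpStatus should be 200 only when the client actually has corporate connectivity.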