Before configuring optional settings in SP1

Updated: February 1, 2011

Applies To: Unified Access Gateway

The following should be done before configuring the prerequisites for each Forefront Unified Access Gateway (UAG) DirectAccess optional setting:

Optional setting	Before you run an optional setting configuration
Client Connectivity Assistant	Prepare: Connectivity verifier endpoints. A Forefront UAG portal or an alternate troubleshooting portal reachable from the Internet. The DCA client uses this portal to aid in troubleshooting. A default email address that troubleshooting information will be sent to.
NAP Enforcement	Decide whether you want to deploy the Network Policy Server (NPS) and Health registration authority (HRA) on the Forefront UAG DirectAccess server. Install a dedicated NAP Certification Authority (CA). Decide on what NAP enforcement mode you want to use in your organization.
Two Factor Authentication Note If the management only deployment model is selected this page does not appear.	If you use two-factor authentication, a PKI smart card, RSA SecureID, or Radius infrastructure must be deployed. In addition when OTP is selected, ensure you do the following: Configure an ACE or Radius server. Install an OTP dedicated Enterprise Certification Authority (CA) running Windows Server 2008 R2. Decide whether to generate and use a PowerShell script from the Forefront UAG DirectAccess Configuration Wizard that configures the CA templates, or whether to configure the templates manually. Ensure that the DirectAccess Connectivity Assistant has been configured in the Forefront UAG DirectAccess Configuration Wizard and that DirectAccess clients have access to the Microsoft_DirectAccess_Connectivity_Assistant.msi client-side DCA installation file.
Internet Connectivity	Decide whether to configure split tunneling or force tunneling.
Server Groups	Create organizational units (OUs) or security groups containing all the Forefront UAG DirectAccess servers.
End-to-End Access	The following should be prepared before configuring end-to-end access: Ensure that all the application servers you wish to configure with end-to-end authentication are running Windows server 2008 or Windows 7, and have with a valid IPv6 address (native or ISATAP). Create a security group, and add as members the applications servers that require end-to-end authentication. If you additionally want to encrypt data end-to-end, decide what IPsec cryptography methods you are going to use.

For planning information, see the following topics:

• Planning for client health verification in Forefront UAG DirectAccess SP1 (https://go.microsoft.com/fwlink/?LinkId=205666)

• Planning for DirectAccess client Internet access in Forefront UAG SP1 (https://go.microsoft.com/fwlink/?LinkID=205662)

• Planning for authentication in Forefront UAG DirectAccess SP1 (https://go.microsoft.com/fwlink/?LinkId=205664)

• Planning Active Directory for Forefront UAG DirectAccess SP1 (https://go.microsoft.com/fwlink/?LinkId=205663)