Planning for Forefront UAG SP1 DirectAccess deployment

Applies To: Unified Access Gateway

This topic provides the planning information required for Forefront Unified Access Gateway (UAG) DirectAccess client configuration and deployment.

  • Overview

  • Requirements

  • Limitations

  • Planning steps

Overview

Managed computers configured as Forefront UAG DirectAccess clients can connect seamlessly to internal networks, regardless of location. DirectAccess client computers can connect to corporate resources, and can be managed with the same mechanisms as computers on the internal network. When a computer running Forefront UAG DirectAccess starts, the following occurs:

  1. Infrastructure (first) tunnel is established—When a DirectAccess client computer connects to the Internet (before the user logs on), it establishes the infrastructure tunnel, which allows the client computer to connect to internal management and domain resources such as AD DS domain controllers and DNS servers. This tunnel is bidirectional, and can be used to manage DirectAccess client computers from the corporate network.

  2. Intranet (second) tunnel is established—After the user logs on, a second tunnel (the intranet tunnel) is established. This tunnel enables users to connect to corporate resources as if the DirectAccess client computer were located in the internal network. Client computers can connect to internal servers using both FQDNs and single-label names.

You can deploy two main client scenarios:

  • Deploy Forefront UAG DirectAccess for remote management only—This scenario allows you to manage DirectAccess client computers remotely, without allowing access to internal resources. Only the first (infrastructure) tunnel is established, and clients have access only to specific infrastructure servers. Alternative solutions are used to provide remote access if required. Remote management tasks you can perform include pushing software installations and updates; client health checking and remediation; asset discovery; and remote desktop control.

  • Deploy Forefront UAG DirectAccess to provide internal network access and remotely manage DirectAccess clients—This scenario provides both remote management and access to internal resources. Both tunnels are established.

After DirectAccess client computers connect to infrastructure and management servers, communications can be initiated by the client computer or a server. For client-initiated communications, management agents running on the client computer communicate with the servers, over either the infrastructure tunnel (for remote management only) or the intranet tunnel if the user is logged on. No specific firewall rules are required for this type of connection. Examples of client-initiated traffic to servers include:

  1. System Center Configuration Manager

  2. Windows Server Update Service

  3. System Center Operations Manager (in most cases)

  4. Updating Anti-Virus definitions

  5. Applying Group Policy Objects

For server-initiated communications, Windows Firewall with Advanced Security firewall rules might be required to enable management servers to initiate connections. Examples of server-initiated traffic to clients include:

  • Peer-to-peer protocols that may be used by IT personnel, such as Remote Desktop and Server Message Block (SMB) traffic.

  • Endpoint vulnerability scans

Requirements

Scenario: Remote management

Details:

Client-initiated communications to infrastructure and management servers

In addition to the general Forefront UAG DirectAccess requirements, client-initiated communications to infrastructure and management servers require the following:

  • Internal infrastructure and management servers must support IPv6, ISATAP, or IPv4 (for IPv4, Forefront UAG DirectAccess NAT64 and DNS64 are used).

Server-initiated communications to infrastructure and management servers

  1. Servers must be IPv6-capable, because the Forefront UAG DirectAccess NAT64 implementation does not translate connections initiated from the internal network.

  2. DirectAccess clients that are located behind NAT devices and use Teredo for IPv6 connectivity need specific firewall rules to support remote management. The rules are created for each protocol required to connect from the internal network to the DirectAccess client.

Limitations

The following limitations exist when deploying Forefront UAG DirectAccess for remote management only:

  • DirectAccess clients can only access the infrastructure and management servers configured in the Management Servers page of the DirectAccess Infrastructure Server Configuration Wizard.

  • NAP monitoring and health remediation are available, but NAP policies cannot be enforced, because DirectAccess clients do not need access to internal network resources via the intranet tunnel. The relevant NAP servers must be included in the list of infrastructure and management servers.

  • Routing of DirectAccess client Internet requests via the DirectAccess server (force tunneling) is not available with remote management only.

  • Strong authentication with a one-time password (OTP) is not available.

Planning steps

Planning steps for internal network access and remote management include the following:

  1. Complete the basic planning steps for Forefront UAG DirectAccess deployment. For more information, see

  2. Collect a list of all infrastructure and management servers that will be available to DirectAccess clients, and record server names and IPv4 or IPv6 addresses. If you want to provide NAP monitoring and health remediation, your NAP remediation servers should be included in the list. Note that when you configure the list of servers in the Management Servers page of the DirectAccess Infrastructure Server Configuration Wizard, an auto-discovery feature automatically identifies your organization’s domain controllers, Health Registration Authority (HRA) servers, and System Center Configuration Manager (SCCM) servers.

  3. Ensure that servers that will initiate connections to DirectAccess clients fully support IPv6. The Forefront UAG DirectAccess NAT64 implementation does not support translation of outbound connections initiated from the intranet.

  4. If DirectAccess clients are located behind a NAT device, plan to create Windows Firewall with Advanced Security firewall rules to enable management servers to initiate connections to these clients. Configure one rule for each protocol that will be used to initiate a connection to DirectAccess clients, and enable edge traversal on each rule. Note that although client computers connecting with 6to4 IPv6 do not require rules with edge traversal, we recommend that you enable edge traversal on all of these rules, because the client connection method cannot always be predicted.

  5. Servers initiating communication with clients must be able to determine the IPv6 address of the remote DirectAccess client. The client must register its FQDN and IPv6 address in the internal corporate DNS servers. The following DNS servers can be used:

    • Windows Server 2008 or Windows Server 2008 R2 based DNS servers, which natively support both of the above (recommended).

    • Windows Server 2003 DNS servers, with Forefront UAG DirectAccess and its integrated NAT64 and DNS64 providing connectivity to IPv4-only DNS servers.

      Forefront UAG DirectAccess supports using NAT64 and DNS64 to register DirectAccess clients on a Windows 2003 Active Directory infrastructure.

    • A DNS server that supports dynamic updates, and AAAA records.

  6. Note that when deploying Forefront UAG DirectAccess for remote management only, it is still possible to use IKE and ICMP to reach resources on the intranet.
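The following script, an added example that is not part of the original article, shows how steps 4 and 5 above can be carried out on a Windows 7 DirectAccess client: it creates one inbound Windows Firewall with Advanced Security rule per management protocol with edge traversal enabled (using netsh advfirewall, which is available on Windows 7), then checks that the client has registered an AAAA record in internal DNS. The rule names, the management server prefix (2001:db8:acme:10::/64), the client FQDN (client01.corp.example.com) and the chosen protocols (Remote Desktop, SMB, ICMPv6 echo) are illustrative assumptions; replace them with your own values. Run it from an elevated PowerShell prompt.

```powershell
# Added example: not from the original article. Assumed values are marked below.

# Assumed IPv6 prefix used by the management servers that will initiate connections.
# Restricting remoteip limits unsolicited inbound traffic to those servers only.
$ManagementPrefix = "2001:db8:acme:10::/64"

# Assumed FQDN of the DirectAccess client whose DNS registration is verified in step 5.
$ClientFqdn = "client01.corp.example.com"

# One rule per protocol that management servers will initiate (step 4).
# Rule names deliberately contain no spaces so they pass cleanly to netsh.exe.
$Rules = @(
    @{ Name = "DA-Mgmt-RemoteDesktop-In"; Protocol = "TCP";            LocalPort = "3389" },
    @{ Name = "DA-Mgmt-SMB-In";           Protocol = "TCP";            LocalPort = "445"  },
    @{ Name = "DA-Mgmt-ICMPv6-Echo-In";   Protocol = "icmpv6:128,any"; LocalPort = $null  }
)

foreach ($rule in $Rules) {
    # edge=yes enables edge traversal so the unsolicited connection can reach a client
    # behind a NAT over Teredo; the article recommends enabling it on every rule
    # because the client's transition technology cannot be predicted in advance.
    $netshArgs = @(
        "advfirewall", "firewall", "add", "rule",
        "name=$($rule.Name)",
        "dir=in",
        "action=allow",
        "protocol=$($rule.Protocol)",
        "remoteip=$ManagementPrefix",
        "profile=any",
        "edge=yes",
        "enable=yes"
    )
    if ($rule.LocalPort) { $netshArgs += "localport=$($rule.LocalPort)" }

    & netsh.exe @netshArgs
}

# Verify each rule, including its edge traversal setting, as netsh reports it.
foreach ($rule in $Rules) {
    & netsh.exe advfirewall firewall show rule "name=$($rule.Name)" verbose
}

# Step 5: a management server can only initiate a connection if the client's
# IPv6 address is registered in internal DNS. Query the AAAA record to confirm.
nslookup -type=AAAA $ClientFqdn
```

If the nslookup query returns no AAAA record, the client has not registered its IPv6 address and server-initiated management will fail regardless of the firewall rules; check that the client's DNS server supports dynamic updates and AAAA records, as the list above requires.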