Offline Migration Steps
Applies To: Windows Server 2012 R2, Windows Server 2012
This topic describes the steps required to perform an offline migration from Forefront UAG SP1 DirectAccess to DirectAccess in Windows Server® 2012.
| Task | Description |
|---|---|
| Step 1: Install the Remote Access role | Configure the Windows Server 2012 computer as a Remote Access server. |
| Step 2: Configure IP addresses | Configure IP addresses on the Remote Access server. |
| Step 3: Obtain a server certificate for IP-HTTPS connections | DirectAccess in Windows Server 2012 provides two options for the IP-HTTPS certificate. You can obtain a certificate from a CA, in a similar way to Forefront UAG DirectAccess, or you can configure Windows Server 2012 DirectAccess to automatically issue a self-signed certificate for IP-HTTPS authentication. |
| Step 4: Prepare GPOs | Prepare the required GPOs. |
| Step 5: Additional steps | |
Step 1: Install the Remote Access role
Install the Remote Access role using the following procedure.
To install the role
1. In the dashboard of the Server Manager console click Add roles.
2. Click Next until you reach the Select Server Roles dialog.
3. On the Select Server Roles dialog, select Remote Access. Click Add Required Features, and then click Next.
4. On the Select features dialog, expand Remote Server Administration Tools. Expand Role Administration Tools, and then select Remote Access Management Tools. Click Next until you reach the Confirm installation selections dialog.
5. On the Confirm installation selections dialog, click Install.
6. On the Installation progress dialog, verify that the installation was successful, and then click Close.
Step 2: Configure IP addresses
Configure the IP addresses using the following procedure.
To configure addresses
1. On the external network adapter, use the value specified in DirectAccess server Internet-facing address, in the DirectAccess Server Settings section of the exported Forefront UAG configuration settings file, as the first IP address. For the second IP address, use this address increased by one. For example, 1.2.3.4 and 1.2.3.5.
2. To ensure that ISATAP is not configured, configure an arbitrary IPv6 unique local address (prefix fc00::/7) on the internal network adapter.
3. For the internal network adapter, use the address specified in the DirectAccess server internal address, in the DirectAccess Server Settings section of the exported Forefront UAG configuration settings file.
Step 3: Obtain an IP-HTTPS certificate
Obtain a web server certificate with a subject name that matches the FQDN of the Forefront UAG server. If you want to export the certificate from Forefront UAG and import it to the Remote Access server, see Export a certificate with the private key for instructions. Note that exporting the private key is only possible if the Make private key exportable option was checked when the original Forefront UAG certificate was created. Otherwise, the private key cannot be exported, and a new certificate with the same FQDN for the Remote Access server must be created.
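The following PowerShell check is an added example, not part of the original topic or Microsoft's own tooling. It lists certificates whose subject name matches the FQDN and reports whether each is in its validity period, allows Server Authentication, and has an exportable private key. It assumes the certificate is in the local computer Personal store and that the session is elevated; the FQDN value and the function names are placeholders chosen for this example.

```powershell
# Added example. $Fqdn is a placeholder; use the FQDN of the Forefront UAG server.
$Fqdn          = 'uag.contoso.example'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$SimpleName    = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

function Test-ServerAuthEku($Cert) {
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    # A certificate without an EKU extension is not restricted to specific purposes.
    if (-not $eku) { return $true }
    return @($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid }).Count -gt 0
}

function Test-KeyExportable($Cert) {
    if (-not $Cert.HasPrivateKey) { return 'NoPrivateKey' }
    try {
        # CspKeyContainerInfo exists only for CAPI (CSP) keys. For CNG keys the
        # PrivateKey getter throws or returns nothing, so report 'Undetermined'.
        $key = $Cert.PrivateKey
        if ($null -eq $key -or $null -eq $key.CspKeyContainerInfo) { return 'Undetermined' }
        if ($key.CspKeyContainerInfo.Exportable) { 'Yes' } else { 'No' }
    } catch {
        'Undetermined'
    }
}

$now = Get-Date

# Local computer Personal store (assumed location of the IP-HTTPS certificate).
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.GetNameInfo($SimpleName, $false) -eq $Fqdn } |
    Select-Object Thumbprint, NotAfter,
        @{ Name = 'InValidityPeriod'; Expression = { $_.NotBefore -le $now -and $_.NotAfter -ge $now } },
        @{ Name = 'ServerAuthEku';    Expression = { Test-ServerAuthEku $_ } },
        @{ Name = 'KeyExportable';    Expression = { Test-KeyExportable $_ } }
```

A `KeyExportable` value of `No` on the Forefront UAG server means the export path is unavailable and a new certificate with the same FQDN must be created for the Remote Access server.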
Step 4: Prepare GPOs
Prepare GPOs for the Remote Access server, DirectAccess clients, and application servers. DirectAccess administrators should have the correct permissions (edit settings, delete, modify security) to modify the GPOs.
Step 5: Configure DirectAccess
Configure DirectAccess using the instructions described in Step 9: Configure DirectAccess.