Concurrency
Real Microsoft expertise. Real business value.

UAG SP1 DirectAccess: Configuration Guide

A few months ago I wrote a series of blog posts that covered the configuration of DirectAccess using Unified Access Gateway RTM, and it was pretty popular, so I decided to update it now that UAG Service Pack 1 has been released. There are a fairly substantial number of enhancements that make the new release worth using.

For me, some of the highlights for DirectAccess with UAG SP1 include:

  • Improved Configuration Wizards
  • Simplified Configuration of the Connectivity Assistant
  • Easier Configuration of “Manage Out” Deployments

If you are already using UAG RTM for DirectAccess I highly recommend you make the upgrade to SP1. The process has been pretty simple in the deployments I have already done. You just install the service pack on the UAG server, click through the configuration wizards, regenerate the policies and then activate the configuration. Your DirectAccess clients will continue to work, so you don’t need to worry about any significant downtime or about needing to bring those machines in-house.

This new guide re-uses portions of the older guide where the information has not changed, but I decided to re-post them to keep this new guide complete on its own and leave the RTM guide intact. Now, without further ado, here’s The DirectAccess Configuration Guide for Unified Access Gateway SP1!

  1. Before Getting Started (this page)
  2. IP Addressing the Server
  3. Installation and Updates
  4. Certificates, Groups and Prerequisites
  5. Internal and External DNS
  6. Network Location Server (NLS)
  7. Firewalls and TMG Settings
  8. Config Wizard: The First Time
  9. Config Wizard: Clients
  10. Config Wizard: DirectAccess Server
  11. Config Wizard: Infrastructure Servers
  12. Config Wizard: End-to-End Access
  13. Apply and Activate
  14. Connectivity Assistant v1.5

I recommend you also review the UAG SP1 Deployment Guide at TechNet and look over the official list of prerequisites.

Before Getting Started

The first step in deploying UAG for DirectAccess will be to understand what this guide will do for you and what you will need in your environment before getting started with UAG or DirectAccess.

  • We’ll be setting up a very simple, single-instance UAG server. This does create a potential “single point of failure” but greatly reduces the complexity of setup. Once you have this in place you can move on to building NLB clusters and a High Availability UAG environment, but for now, let’s keep it simple. Call it a Proof-of-Concept as opposed to a full production-ready configuration.
  • DirectAccess without UAG would require you to have at least one Domain Controller (or just a DNS server) that is running Windows Server 2008 or 2008 R2 to support IPv6 in DNS.  Also, without UAG the domain functional level would need to be at 2003 Native or higher. These are no longer requirements thanks to the NAT64 and DNS64 features of UAG. However, that being said, I recommend you have at least one 2008 R2 domain controller to leverage the extended Group Policy schema for Windows 7.
  • You should already have a PKI set up.  If you do not have an Enterprise Certificate Server with Auto-Enrollment set up for your workstations, start here.  Without computer certificates DirectAccess will not work and without Auto Enrollment things just get complicated and cumbersome.
  • Using a virtual machine for UAG is 100% supported (and I recommend it). Give this machine 4 CPUs and 8GB of memory, although this is about twice the minimum requirements.
  • You’ll need a minimal amount of disk space to hold just the OS and 2.5GB for UAG. If you are using a VM then 40GB on a dynamic disk is great but still more than you really need.
  • Install Windows Server 2008 R2 Standard. If you want to, Enterprise is supported but not required, even if you plan on setting up a cluster of UAG servers later because it uses NLB and not Failover Clustering. If you are re-using hardware be sure to delete all existing partitions and let the Windows installer create them for you.
  • When you name the server make sure it is 15 characters or less. While NetBIOS is dead in our hearts it is still lurking there in the ghost of the machine.
  • The server needs TWO network interfaces, one will need to be connected to your external network or DMZ, the other internal. It’ll look like this.
  • You will need TWO external IPs that are in numerical order (x.x.x.1 and x.x.x.2). You cannot use NAT; the IPs on the external NIC must be public addresses that can be pinged.
  • The first IP will need an External DNS record. DA.[yourdomain].com would be fine. This name will be used later when you create a certificate for the IP-HTTPS interface.
  • Collect a list of all IPv4 networks (IP ranges, subnets, gateways) and VLANs in your enterprise that you want the DirectAccess clients to have access to. You’ll need to create static routes on the UAG server so that it and the clients will be able to communicate with endpoints in each of your subnets.
  • Make sure the workstations that you want to enable for DirectAccess are running Windows 7 Enterprise or Ultimate. Other / earlier versions of Windows do not support DirectAccess. Keep in mind you can use UAG as a way of establishing an SSL VPN for older clients like XP, but this guide does not cover that.
  • There are a few IIS sites that we’ll need to put someplace. Try to think of a server that might be appropriate for this (like an intranet site server or an IIS farm). Another option that works well is to use the PKI / Certificate server for this purpose since it usually already has IIS installed.
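As an added pre-flight check (my example, not part of the original guide), the following PowerShell script tests a freshly built server against the name-length, OS, sizing, NIC-count and external-address rules in the list above. It assumes Windows Server 2008 R2 with PowerShell 2.0, so it uses WMI rather than the newer Get-NetAdapter cmdlets; the two planned public addresses are constructed placeholder values.

```powershell
# Added pre-flight check for the single-server UAG layout this guide describes.
# Not part of the original guide; assumes Windows Server 2008 R2 / PowerShell 2.0.
# Constructed example values: the two public addresses planned for the external NIC.
$PlannedExternalIPs = @('203.0.113.1', '203.0.113.2')

function New-Check($Name, $Pass, $Detail) {
    New-Object PSObject -Property @{ Check = $Name; Pass = [bool]$Pass; Detail = "$Detail" }
}

function ConvertTo-UInt32([string]$Ip) {
    # Dotted quad to an integer so that consecutive addresses differ by exactly 1
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [array]::Reverse($bytes)
    [System.BitConverter]::ToUInt32($bytes, 0)
}

function Test-UagPrereqs([string[]]$ExternalIPs) {
    # NetBIOS still caps the computer name at 15 characters
    $name = $env:COMPUTERNAME
    New-Check 'Computer name <= 15 chars' ($name.Length -le 15) $name

    # The guide targets Windows Server 2008 R2 (Standard is enough; UAG clusters use NLB)
    $os = Get-WmiObject Win32_OperatingSystem
    New-Check 'Windows Server 2008 R2' ($os.Caption -match '2008 R2') $os.Caption

    # Recommended sizing: 4 CPUs and 8 GB RAM (about twice the minimum)
    $cs = Get-WmiObject Win32_ComputerSystem
    $ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    New-Check 'At least 4 logical CPUs' ($cs.NumberOfLogicalProcessors -ge 4) $cs.NumberOfLogicalProcessors
    New-Check 'At least 8 GB RAM' ($ramGB -ge 8) "$ramGB GB"

    # Exactly two IP-enabled adapters: one external/DMZ, one internal
    $nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
    New-Check 'Exactly two IP-enabled NICs' ($nics.Count -eq 2) (($nics | ForEach-Object { $_.Description }) -join '; ')

    # External addresses must be consecutive (x.x.x.1, x.x.x.2) and public, not RFC 1918 space behind NAT
    $consecutive = ((ConvertTo-UInt32 $ExternalIPs[1]) - (ConvertTo-UInt32 $ExternalIPs[0])) -eq 1
    New-Check 'External IPs consecutive' $consecutive ($ExternalIPs -join ', ')
    $rfc1918 = $ExternalIPs | Where-Object { $_ -match '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)' }
    New-Check 'External IPs are public' (-not $rfc1918) ($ExternalIPs -join ', ')
}

Test-UagPrereqs $PlannedExternalIPs | Format-Table Check, Pass, Detail -AutoSize
```

Any row with Pass = False points at a bullet above to revisit before installing UAG.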

With all that in mind, the network connectivity diagram will look something like this:

The remote DirectAccess client machine is likely behind a router at their home or a hotel someplace, which connects to the Internet and the UAG server over an IPv4 network. The traffic destined for the corporate resources gets wrapped up in a secure, virtual IPv6 network that is established between the client computer’s virtual adapter and the UAG server. The traffic is then dropped onto the corporate IPv4 network and arrives at the corporate resource.

There are a number of variations on this diagram, including firewalls on either side of the UAG server, but that is essentially how DirectAccess works over a pure IPv4 network and what this guide will walk you through setting up.

A lot of this walk-through guide is based on the contents of the Microsoft guide for Step by Step: Demonstrating Direct Access in a Lab, Step by Step Troubleshooting DirectAccess and Tom Shinder’s Test Lab Guide for UAG SP1 RC.  In case I miss something or you want more details you should refer first to those documents.

Once you have completed the configuration you’ll be able to enable computers for DirectAccess by simply adding the computer to a Security Group or an OU in Active Directory and rebooting it. Then the computer (and the person using it) can access your corporate resources from anyplace they have Internet access.

Shannon Fritz

Infrastructure Architect and Server Team Lead at Concurrency. Shannon is an MVP in Forefront and Enterprise Security, MCSE in Private Cloud and MCSA Windows Server 2012. He's also a self-professed media junkie. Just ask him about MediaCenter!

 

  • Imran Ulghar

    Hi,

    Very excellent blog, impressed with the information you have put here. I have a question: I am configuring my UAG Appliance and want to configure one network port as iLO so that the Appliance can be managed (troubleshooting, powering on/off) without going to the Appliance itself. Unfortunately I am new and would be thankful if you could give me some tips on how to proceed on configuring the UAG/TMG with a network port as iLO.

    Thanks

  • Tony (http://devry.edu)

    The iLO is a separate “Management” port.
    Your server should have two additional NICs for Networking.
    So in total three ports.


  • Valeriy Vainkop

    Very good guide, thank you Shannon!

  • Bill

    My company is piloting UAG and we are in planning stages.
    AD team would like to be cautious with PKI and not enable ‘Auto-Enrollment’. Above you said it gets complicated and cumbersome.
    What challenges will we face if we don’t auto-enroll our certificates?

    Thanks!
    Bill

  • Edward

    In paragraph three, you said: “Without computer certificates”; however, the autoenrollment link points to a user-autoenrollment page.
    You may want to change the link to this one instead: http://technet.microsoft.com/en-us/library/ee649166(WS.10).aspx

  • Tobias Nilsson

    I’m about halfway through installing the UAG now and was reading further ahead, and it seems that the UAG is going to write policies in the Active Directory. I cannot find that you should join the UAG to the domain anywhere before those things are put in the AD.

    Will it be able to do that even if it is not joined to the domain?
    Or should it just be understood that the server should be added to the domain?

  • Jerry

    Thanks for this impressive writeup. I have a question: I am planning to deploy UAG that would be utilized by only a few people (within 10 users) and we don’t have the resources to have an additional server that will serve as Network Location Server. Is there a way a single machine can serve? I mean a means of installing all that will make UAG function in a single server?

    Thanks
