

Modifying the Forefront UAG DirectAccess export script

Updated: February 1, 2011

Applies To: Unified Access Gateway

On completion of the Forefront UAG DirectAccess Configuration Wizard, you can apply the configuration settings immediately or export them to an export script. In certain cases, you might want to modify parameters in the exported script before you apply it; for example, if you want to populate some of the parameters manually instead of using the Forefront UAG DirectAccess Configuration Wizard, or if you want to perform configurations that cannot be done in the wizard, such as changing the name of Group Policy objects (GPOs) created by Forefront UAG DirectAccess.

This topic describes how to edit parameters in the export script that is created at the end of the Forefront UAG DirectAccess Configuration Wizard.

Warning

Unless you are familiar with the parameters in the export script, it is recommended that you do not make any changes.

Modifying and applying runtime and static Forefront UAG export script parameters

The export script can include runtime or static parameters. You can modify the export script parameters depending on their type, as follows.

To modify the export script parameters

  1. On the taskbar, click Start, click All Programs, click Accessories, click Windows PowerShell, right-click Windows PowerShell, and then click Run as administrator.

  2. From the Windows PowerShell command prompt, run the export script and pass the runtime parameter on the command line, in the form ./script.ps1 -ParameterName "Example", where ParameterName is a name from the Runtime Parameters table that follows this procedure and "Example" is the value you want to apply.

    Note

    See the tables that follow this procedure for a description of the runtime and static parameters that you can modify.

  3. You can also modify the static script parameters as follows:

    1. Open the export script in Notepad and, referring to the Static Parameters table that follows this procedure, modify the relevant parameters in the export script, and then save the script.

    2. On the taskbar, click Start, click All Programs, click Accessories, click Windows PowerShell, right-click Windows PowerShell, and then click Run as administrator.

    3. From the Windows PowerShell command prompt, run the modified script file.

  4. In the Forefront UAG Management console, click the Activate configuration icon, and then on the Activate Configuration dialog box, click Activate to start the configuration.
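The following Windows PowerShell script is an added example, not part of this topic or of the Forefront UAG product: it checks the format of hand-edited static parameters against the Format column of the Static Parameters table before you run the modified export script. It assumes the export script assigns each parameter as $UAGDA_NAME = "value"; if your export script lays the assignments out differently, adjust the regular expression that collects them.

```powershell
# Added example, not part of the Forefront UAG documentation or product: format checks
# on a hand-edited export script, run before the script itself. Assumption: the export
# script assigns each static parameter as  $UAGDA_NAME = "value"  (adjust the regex if not).
param([string]$ScriptPath = '.\script.ps1')

$text   = [IO.File]::ReadAllText((Resolve-Path $ScriptPath))
$params = @{}
foreach ($m in [regex]::Matches($text, '\$(UAGDA_[A-Z0-9_]+)\s*=\s*"([^"]*)"')) {
    $params[$m.Groups[1].Value] = $m.Groups[2].Value
}
$problems = @()

function Test-Ip ([string]$Value, [string]$Family) {   # $Family: InterNetwork or InterNetworkV6
    $ip = $null
    [System.Net.IPAddress]::TryParse($Value.Trim(), [ref]$ip) -and
        "$($ip.AddressFamily)" -eq $Family
}
function Test-Prefix ([string]$Value) {                 # address/length, length 0-128
    $parts = $Value.Trim() -split '/'
    $parts.Count -eq 2 -and $parts[1] -match '^\d+$' -and [int]$parts[1] -le 128 -and
        (Test-Ip $parts[0] 'InterNetworkV6')
}

foreach ($name in $params.Keys) {
    $v = $params[$name]
    switch -Regex ($name) {
        '^UAGDA_(DTE_ACCESS|DTE_CORP|NID_ADDRESS|NCSI_DNSPROBECONTENT)$' {
            if (-not (Test-Ip $v 'InterNetworkV6')) { $problems += "$name is not an IPv6 address: $v" } }
        '^UAGDA_ACCESS_ENABLING_ADDRESSES_' {
            foreach ($a in $v -split ',') {
                if (-not (Test-Ip $a 'InterNetworkV6')) { $problems += "$name has a bad IPv6 entry: $a" } } }
        '^UAGDA_(PREFIX_CORP|NCSI_SITEPREFIXES)$' {
            foreach ($p in $v -split ',') {
                if (-not (Test-Prefix $p)) { $problems += "$name has a bad IPv6 prefix: $p" } } }
        '^UAGDA_GATEWAY_PUBLIC_IP$' {
            if (-not (Test-Ip $v 'InterNetwork')) { $problems += "$name is not an IPv4 address: $v" } }
        '^UAGDA_IPHTTPS_URL$' {                         # table requires HTTPS and an explicit port
            if ($v -notmatch '^https://[^/]+:\d+(/|$)') { $problems += "$name needs https:// and a port: $v" } }
        '^UAGDA_CLIENTDNS_FALLBACK$' {
            if (@('0','1','2','3') -notcontains $v) { $problems += "$name must be 0, 1, 2 or 3: $v" } }
        '^UAGDA_CERT_TYPE$' {
            if (@('root','intermediate') -notcontains $v) { $problems += "$name must be root or intermediate: $v" } }
        '^UAGDA_MACHINES_GW$' {                         # every array member as Domain\MachineName
            foreach ($mem in $v -split ',') {
                if ($mem.Trim() -notmatch '^[^\\,]+\\[^\\,]+$') { $problems += "$name entry is not Domain\MachineName: $mem" } } }
    }
}
if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "All recognised UAGDA_* parameters in $ScriptPath passed the format checks."
```

A non-zero exit code means at least one edited value does not match the documented format; fix it in the export script before running the script and activating the configuration.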

Runtime Parameters

Each entry lists the parameter name, its definition, the format of its value, and an example value.

AdditionalAppServerDomains
  Definition: Links the AppServers GPO to additional domains as specified.
  Format: Domain names in distinguished name format, separated by |
  Example: DC=corp,DC=contoso,DC=com|DC=sales,DC=contoso,DC=com

AdditionalClientDomains
  Definition: Links the Client GPO to additional domains as specified.
  Format: Domain distinguished names separated by |
  Example: DC=corp,DC=contoso,DC=com|DC=sales,DC=contoso,DC=com

Static Parameters

Each entry lists the parameter name, its definition, the format of its value, and an example value.

UAGDA_ACCESS_ENABLING_ADDRESSES_<GroupName>_<#>
  Definition: IPv6 addresses of the servers that are contained in an Access Enabling group. For every 195 servers, a suffix (<#>) is added to the GroupName. The IPv6 addresses are used in the Access Enabling tunnel IPsec rule.
  Format: Comma delimited
  Example: 2012::4444:0:0:c00:1,2012::4444:0:0:b00:11,2012::4444:0:0:b03:34F

UAGDA_CERT_MACHINE_AUTH
  Definition: The name of the root or intermediate Certification Authority. This is used for IPsec rules and the NRPT.
  Format: Distinguished name of the CA
  Example: DC=com, DC=contoso,DC=corp, CN=corp-DC-CA

UAGDA_CERT_TYPE
  Definition: Whether the CA specified in UAGDA_CERT_MACHINE_AUTH is a root or an intermediate CA.
  Format: "root" or "intermediate"
  Example: root

UAGDA_CLIENTDNS_FALLBACK
  Definition: Local name resolution option. See Identifying DNS servers.
  Format: One of the following values:
    0 = Only use local name resolution if the name does not exist in DNS.
    1 = Fall back to local name resolution for any kind of DNS resolution error (least secure).
    2 = Fall back to local name resolution if the name does not exist in DNS or the DNS servers are unreachable when the client computer is on a private network (recommended).
    3 = No local name resolution (not offered as an option in the user interface).
  Example: 2

UAGDA_DTE_ACCESS
  Definition: External IPv6 address of the Forefront UAG server that is used as the Remote Tunnel Endpoint of the DNS and Access Enabling IPsec rules.
  Format: IPv6 address
  Example: 2002:b00:20::b00:20

UAGDA_DTE_CORP
  Definition: External IPv6 address of the Forefront UAG server that is used as the Remote Tunnel Endpoint of the Corp IPsec rule.
  Format: IPv6 address

UAGDA_GATEWAY_PUBLIC_IP
  Definition: External IPv4 address of the Forefront UAG server. Used for the transition technologies (Teredo, 6to4).
  Format: IPv4 address
  Example: 199.0.0.30

UAGDA_IPHTTPS_URL
  Definition: URL used for the IP-HTTPS transition technology.
  Format: HTTPS URL. You must specify a port.
  Example: https://da.company.net:443/IPHTTPS

UAGDA_IPSEC_E2E_QM_SECMETHODS
  Definition: The IPsec Quick Mode encryption method that is used in End-to-End rules.
  Format: Netsh format
  Example: ESP:SHA256-None+60min+100000kb

UAGDA_IPSEC_MM_KEYLIFETIME
  Definition: The IPsec Main Mode key lifetime.
  Format: Netsh format
  Example: 60min,0sess

UAGDA_IPSEC_MM_SECMETHODS
  Definition: The IPsec Main Mode authentication method.
  Format: Netsh format
  Example: dhgroup2:aes128-sha256,dhgroup2:aes128-sha1,dhgroup2:3des-sha1

UAGDA_IPSEC_QM_SECMETHODS
  Definition: The IPsec Quick Mode encryption method that is used in End-to-Edge rules.
  Format: Netsh format
  Example: ESP:SHA1-AES192+60min+100000kb

UAGDA_MACHINES_GW
  Definition: The list of Forefront UAG array members. This is applied to the server GPO. You must specify the names of all members in the array.
  Format: Comma delimited list in the format Domain\MachineName
  Example: corp.contoso.com\DA1, corp.contoso.com\DA2

UAGDA_NCSI_DNSPROBECONTENT
  Definition: Network Connectivity Status Indicator setting: the IPv6 address that UAGDA_NCSI_DNSPROBEHOST resolves to.
  Format: IPv6 address
  Example: ::1

UAGDA_NCSI_DNSPROBEHOST
  Definition: Network Connectivity Status Indicator setting: the DNS name of an internal corp resource. If this name resolves correctly, the client has corp connectivity.
  Format: FQDN
  Example: ncsida.corp.contoso.com

UAGDA_NCSI_SITEPREFIXES
  Definition: Network Connectivity Status Indicator setting: the prefix of your organization, and the addresses used as IPsec tunnel endpoints. If a connection is made to a destination within one of these prefixes, the client has corp connectivity.
  Format: IPv6 prefixes (comma delimited)
  Example: 2002:b00:1f:8000::/49,2001:4110:10::/48, 2002:b00:20::b00:20/128

UAGDA_NID_ADDRESS
  Definition: The IPv6 address of the network location server. This is used in the "NLA Exempt" client IPsec tunnel rule.
  Format: IPv6 address
  Example: 2012::2

UAGDA_NID_URL
  Definition: The HTTPS URL of the network location server. This is used to determine whether the client is inside or outside the corp network.
  Format: URL
  Example: https://io.corp.contoso.com/

UAGDA_POLICY_APPSERV
  Definition: The name of the Group Policy object that is applied to the application servers.
  Format: String
  Example: UAG DirectAccess: AppServer{f7b77f47-7c33-4d8c-bb9a-a913c5675d8d}

UAGDA_POLICY_CLIENT
  Definition: The name of the Group Policy object that is applied to the clients.
  Format: String
  Example: UAG DirectAccess: Client{3491980e-ef3c-4ed3-b176-a4420a810f12}

UAGDA_POLICY_GATEWAY
  Definition: The name of the Group Policy object that is applied to the Forefront UAG servers.
  Format: String
  Example: UAG DirectAccess: DaServer{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300}

UAGDA_PREFIX_CORP
  Definition: The IPv6 prefix of the organization. This is used in the "Corp" IPsec tunnel rule, and by the Network Connectivity Status Indicator to determine whether the client has corp connectivity.
  Format: IPv6 prefixes (comma delimited)
  Example: 2002:b00:1f:8000::/49,2001:4110:10::/48

UAGDA_PREFIX_CORP_EXCLUSION
  Definition: The IPv6 ranges outside the organization prefix. This is used in the AppServers end-to-end IPsec rule when you add end-to-end application servers.
  Format: IPv6 ranges, comma delimited
  Example: ::-2001:4110:10::,2001:4110:10:ffff:ffff:ffff:ffff:ffff-2002:b00:1f:8000::,2002:b00:1f:ffff:ffff:ffff:ffff:ffff-feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

UAGDA_PREFIX_IPHTTPS_CLIENT
  Definition: The IPv6 prefix of the IP-HTTPS subnet. This is used in the AppServers end-to-end IPsec rule when you add end-to-end application servers.
  Format: IPv6 prefix
  Example: 2002:b00:1f:8100::/56

UAGDA_SECGRP_APPSERV_DOMAINS
  Definition: Links the AppServers GPO to the specified domains. This is used to apply the Group Policy to computers in various domains.
  Format: Domain names in distinguished name format, separated by |
  Example: DC=corp,DC=contoso,DC=com|DC=sales,DC=contoso,DC=com

UAGDA_SECGRP_APPSSERVS
  Definition: Security groups of the application servers, used when you add end-to-end application servers.
  Format: Comma delimited list of Domain\GroupName
  Example: corp.contoso.com\Application Servers,sales.contoso.com\Sales Servers

UAGDA_SECGRP_CLIENTS
  Definition: Security groups of the DirectAccess clients.
  Format: Comma delimited list of Domain\GroupName
  Example: corp.contoso.com\DirectAccess Client Machines

UAGDA_SECGRP_CLIENT_DOMAINS
  Definition: Links the Clients GPO to the specified domains. This is used to apply the Group Policy to computers in various domains.
  Format: Domain names in distinguished name format, separated by |
  Example: DC=corp,DC=contoso,DC=com