Installing Forefront UAG DirectAccess
[This topic is pre-release documentation and is subject to change in future releases. Blank topics are included as placeholders.]

If Forefront Unified Access Gateway (UAG) is not already installed, use the following procedure to install Forefront UAG as a DirectAccess server. Before you begin, review the prerequisites for deploying Forefront UAG, described in the Forefront UAG DirectAccess prerequisites topic.

To install Forefront UAG DirectAccess

  1. Install Windows Server 2008 R2 (RTM release) on a server computer with two physical network adapters.

  2. Join the server to an Active Directory domain.

  3. Install a computer certificate on the server, which will be used for IPsec authentication, and a Web certificate that will be used by the IP-HTTPS Web listener. For more information, see Configuring authentication options.

  4. Configure the DirectAccess server to be in the perimeter network with one network adapter connected to the Internet, and at least one other network adapter connected to the intranet.

  5. Verify that the ports and protocols listed in Forefront UAG DirectAccess prerequisites are open on the perimeter and Internet-facing firewalls.

  6. The DirectAccess server requires at least two consecutive, public static IPv4 addresses that are assigned to an FQDN that is externally resolvable. (Note that addresses in the ranges 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 must not be used to simulate the Internet, even in a lab environment.)

  7. Create a security group in Active Directory and add the client computer accounts for the DirectAccess clients. For more information, see Create a New Group (http://go.microsoft.com/fwlink/?LinkID=154396).

  8. Install a network location server with high availability, and install the IIS role on the server. You can use any internal HTTPS server but it must have high availability and should not be accessible from the Internet.

    Note:
    Your Forefront UAG DirectAccess server should not be the network location server.

  9. Install Forefront UAG. For more information, see Installing Forefront UAG software.

  10. Using the Forefront UAG Getting Started Wizard, designate one of the server network adapters as the Internet-facing interface, and the other as the internal network-facing interface. The Internet-facing interface requires two consecutive, public IPv4 addresses. Both IPv4 addresses must be assigned to the same interface.

  11. Apply the configuration. Applying the configuration is a two-step process: the configuration is first applied to the relevant Group Policy objects, and then the configuration settings are activated on the Forefront UAG DirectAccess server. For more information, see Applying or exporting the Forefront UAG DirectAccess configuration.
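
The address rule in steps 6 and 10 can be checked before the Getting Started Wizard is run. The following PowerShell is an added example, not part of the original topic or of Forefront UAG; the function names are hypothetical and the sample addresses are constructed. It only tests the two conditions stated above: the pair is consecutive, and neither address falls in the three ranges the procedure excludes.

```powershell
# Added example: checks the address rule from steps 6 and 10.
# Function names are hypothetical; sample addresses are constructed.

# Ranges the procedure says must not be used, even in a lab.
$ExcludedRanges = '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'

function ConvertTo-IPv4Number {
    param([string]$Address)
    $octets = $Address.Split('.')
    if ($octets.Length -ne 4) { throw "'$Address' is not a dotted-quad IPv4 address." }
    [long]$value = 0
    foreach ($octet in $octets) {
        if ($octet -notmatch '^[0-9]{1,3}$' -or [int]$octet -gt 255) {
            throw "'$Address' contains an invalid octet '$octet'."
        }
        $value = $value * 256 + [int]$octet   # most significant octet first
    }
    return $value
}

function Test-InCidr {
    param([long]$Value, [string]$Cidr)
    $network, $prefix = $Cidr.Split('/')
    [long]$start = ConvertTo-IPv4Number $network
    [long]$size  = [math]::Pow(2, 32 - [int]$prefix)   # number of addresses in the block
    return ($Value -ge $start) -and ($Value -lt ($start + $size))
}

function Test-DirectAccessAddressPair {
    param([string]$First, [string]$Second)
    $problems = @()
    foreach ($address in $First, $Second) {
        $number = ConvertTo-IPv4Number $address
        foreach ($cidr in $ExcludedRanges) {
            if (Test-InCidr $number $cidr) { $problems += "$address is inside $cidr" }
        }
    }
    # Consecutive means the numeric values differ by exactly one.
    $gap = (ConvertTo-IPv4Number $First) - (ConvertTo-IPv4Number $Second)
    if ([math]::Abs($gap) -ne 1) { $problems += "$First and $Second are not consecutive" }
    New-Object PSObject -Property @{
        Pair = "$First, $Second"; Valid = ($problems.Count -eq 0); Problems = ($problems -join '; ')
    }
}

# Constructed sample pairs (203.0.113.0/24 is a documentation range).
Test-DirectAccessAddressPair '203.0.113.10' '203.0.113.11'
Test-DirectAccessAddressPair '203.0.113.10' '203.0.113.12'
Test-DirectAccessAddressPair '192.168.1.10' '192.168.1.11'
```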

Next Steps

After completing installation, do the following:

  1. Configuring clients for Forefront UAG DirectAccess—How to configure clients so they receive the Forefront UAG DirectAccess client configuration settings. For more information, see Configuring clients for Forefront UAG DirectAccess.

  2. Configuring the Forefront UAG DirectAccess server—How to configure the connectivity and security policies for the Forefront UAG server. For more information, see Configuring the Forefront UAG DirectAccess server.

  3. Identifying infrastructure servers—The infrastructure servers required by Forefront UAG DirectAccess clients. For more information, see Identifying infrastructure servers.

  4. Identifying and configuring application servers—How to determine which access model to use, and how to identify an application server that requires additional authentication. For more information, see Identifying and configuring application servers.

  5. Applying or exporting the configuration—After completing the Forefront UAG DirectAccess Configuration Wizard, apply the changes. For more information, see Applying or exporting the Forefront UAG DirectAccess configuration.

  6. Modifying the export script—If you ran the wizard and selected to export the configuration, you can optionally modify parameters in the exported script before you apply it. For example, you might do this if you want to populate some of the parameters manually instead of using the wizard, or if you want to perform configurations that cannot be done in the wizard, such as adding multiple organization prefixes. For more information, see Modifying the Forefront UAG DirectAccess export script.

    Caution:
    Modifying the exported script is not recommended unless changes are required, and you are familiar with the script parameters.

Copyright © 2009 by Microsoft Corporation. All rights reserved.