Installing Forefront UAG DirectAccess

Published: January 11, 2010

Updated: February 1, 2010

Applies To: Unified Access Gateway

If Forefront Unified Access Gateway (UAG) is not already installed, use the following procedure to install Forefront UAG as a DirectAccess server. Before you begin, review the prerequisites for deploying Forefront UAG, described in Forefront UAG DirectAccess prerequisites.

  1. Install Windows Server 2008 R2 Standard or Windows Server 2008 R2 Enterprise edition on a server computer with two physical network adapters.

  2. Join the server to an Active Directory domain.

  3. Install a computer certificate on the server that will be used for IPsec authentication, and a Web certificate that will be used by the IP-HTTPS Web listener. For more information, see Configuring authentication options.

  4. Configure the Forefront UAG DirectAccess server to be inside the perimeter network, with one network adapter connected to the Internet and at least one other network adapter connected to the intranet.

  5. Verify that the ports and protocols (listed in Forefront UAG DirectAccess prerequisites) are open on the perimeter and Internet-facing firewalls.

  6. The DirectAccess server requires at least two consecutive, public static IPv4 addresses that are assigned to an FQDN that is externally resolvable. (Note that addresses in the ranges 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 must not be used to simulate the Internet, even in a lab environment.)

  7. Create a security group in Active Directory, and add the client computer accounts for the DirectAccess clients. For more information, see Create a New Group (http://go.microsoft.com/fwlink/?LinkID=154396).

  8. Install a network location server with high availability, and install the IIS role on the server. You can use any internal HTTPS server, but it must have high availability and should not be accessible from the Internet.

    Warning:
    You must not configure your Forefront UAG DirectAccess server as the network location server.

  9. Install Forefront UAG. For instructions, see Installing Forefront UAG in interactive mode.

  10. Using the Forefront UAG Getting Started Wizard, designate one of the server network adapters as the Internet-facing interface, and the other as the internal network-facing interface. The Internet-facing interface requires two consecutive, public IPv4 addresses. Both IPv4 addresses must be assigned to the same interface.
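The address requirements in steps 6 and 10 can be checked before running the Getting Started Wizard. The following PowerShell is an added example, not part of the original article or of Forefront UAG; the function names and sample addresses are hypothetical, and it tests only the three private ranges named in step 6.

```powershell
# Added example: function names and sample addresses are hypothetical.

function ConvertTo-IPv4Number {
    param([string]$Address)
    # Require dotted-quad form; IPAddress.Parse also accepts shorthand like "10.1".
    if ($Address -notmatch '^\d{1,3}(\.\d{1,3}){3}$') {
        throw "'$Address' is not a dotted-quad IPv4 address"
    }
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    # Combine the four octets into one 64-bit number so addresses can be compared.
    return ([long]$bytes[0] * 16777216) + ([long]$bytes[1] * 65536) +
           ([long]$bytes[2] * 256) + [long]$bytes[3]
}

function Test-DirectAccessAddressPair {
    param([string]$First, [string]$Second)

    # Ranges that step 6 says must not be used, as first and last address.
    $privateRanges = @(
        @('10.0.0.0',    '10.255.255.255'),
        @('172.16.0.0',  '172.31.255.255'),
        @('192.168.0.0', '192.168.255.255')
    )
    $ok = $true

    foreach ($address in $First, $Second) {
        $n = ConvertTo-IPv4Number $address
        foreach ($range in $privateRanges) {
            $low  = ConvertTo-IPv4Number $range[0]
            $high = ConvertTo-IPv4Number $range[1]
            if ($n -ge $low -and $n -le $high) {
                Write-Warning "$address is in private range $($range[0]) - $($range[1])"
                $ok = $false
            }
        }
    }

    # Consecutive means the two numeric values differ by exactly one.
    $gap = (ConvertTo-IPv4Number $First) - (ConvertTo-IPv4Number $Second)
    if ([Math]::Abs($gap) -ne 1) {
        Write-Warning "$First and $Second are not consecutive"
        $ok = $false
    }
    return $ok
}

# Constructed sample values; 192.0.2.0/24 (documentation range) stands in for real public addresses.
Test-DirectAccessAddressPair '192.0.2.10' '192.0.2.11'      # a consecutive pair
Test-DirectAccessAddressPair '192.168.1.10' '192.168.1.12'  # a private, non-consecutive pair
```

The function returns `$true` only when neither address falls in a listed private range and the two addresses are adjacent; each failed check is reported with `Write-Warning`.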

After completing installation, do the following:

  1. Configure clients to receive the Forefront UAG DirectAccess client configuration settings. See Configuring clients for Forefront UAG DirectAccess.

  2. Configure the connectivity and security policies for the Forefront UAG server. See Configuring the Forefront UAG DirectAccess server.

  3. Identify the infrastructure servers required by Forefront UAG DirectAccess clients. See Identifying infrastructure servers.

  4. Determine which access model to use, and how to identify an application server that requires additional authentication. See Identifying and configuring application servers.

  5. Apply the changes after completing the Forefront UAG DirectAccess Configuration Wizard. Applying the configuration is a two-step process: the configuration is first applied to the relevant Group Policy objects, and then the configuration settings are activated on the Forefront UAG DirectAccess server. For more information, see Applying or exporting the Forefront UAG DirectAccess configuration.

  6. Modify the export script. If you ran the wizard and selected to export the configuration, you can optionally modify parameters in the exported script before you apply it; for example, if you want to populate some of the parameters manually instead of using the wizard, or if you want to perform configurations that cannot be done in the wizard, such as adding multiple organization prefixes. See Modifying the Forefront UAG DirectAccess export script.

    Caution:
    Modifying the exported script is not recommended unless changes are required, and you are familiar with the script parameters.

 