Designing your Web servers for Forefront UAG DirectAccess
Published: January 11, 2010
Updated: February 1, 2010
Applies To: Unified Access Gateway
This topic describes the design considerations when deploying Web servers for Forefront UAG DirectAccess.
You need Web locations for the following resources:
- The network location server (an HTTPS-based uniform resource locator (URL)).
- An HTTP-based intranet certificate revocation list (CRL) distribution point for the HTTPS certificate of the network location server.
- An HTTP-based Internet CRL distribution point for the IP-HTTPS certificate of the Forefront UAG DirectAccess server.
Note: The intranet and Internet CRL distribution points can also be based on a universal naming convention (UNC) path of a file server.
Note: When the IP-HTTPS certificate is issued by a third-party certification authority, you should use the Internet-based CRL of the third party.
In all of these cases, the Web server providing these resources must be highly available. If these resources cannot be reached, the following occurs:
- If the DirectAccess client on the intranet is unable to reach the HTTPS-based URL of the network location server, the DirectAccess client cannot detect when it is on the intranet and might not be able to access intranet resources.
- If the DirectAccess client on the intranet is unable to reach the intranet CRL distribution point to perform certificate revocation checking for the network location server, the DirectAccess client cannot detect when it is on the intranet and might not be able to access intranet resources.
- If the DirectAccess client on the Internet is unable to reach the Internet CRL distribution point to perform certificate revocation checking for the IP-HTTPS certificate, the DirectAccess client cannot use IP-HTTPS. Because IP-HTTPS is the last transition technology that is used for IPv6 connectivity to the Forefront UAG DirectAccess server, DirectAccess clients will not be able to establish a connection to the Forefront UAG DirectAccess server when they are behind a firewall, a Web proxy, or a network address translator (NAT) and the Teredo client has been disabled.
For information about high availability for Internet Information Services (IIS)-based Web servers, see Planning Redundancy for a Network Location Server and Planning Redundancy for CRL Distribution Points.
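Because each of the three Web resources above is a single point of failure for intranet detection or for IP-HTTPS, it is worth probing them continuously rather than discovering an outage through client complaints. The following PowerShell script is an added example, not part of the original topic or of Forefront UAG itself; the host names, URLs and certificate path in it are placeholders that you replace with your own deployment's values. It requests each URL the way a client would and reports reachability and response time.

```powershell
# Added example (not from the original article): availability probe for the three
# Web resources a Forefront UAG DirectAccess deployment depends on.
# All URLs below are placeholders for this example; substitute your own values.
$Checks = @(
    @{ Name = 'Network location server (HTTPS)';  Url = 'https://nls.corp.example.com/' },
    @{ Name = 'Intranet CRL distribution point';   Url = 'http://crl.corp.example.com/CorpCA.crl' },
    @{ Name = 'Internet CRL distribution point';   Url = 'http://crl.example.com/CorpCA.crl' }
)

function Test-DirectAccessWebResource {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Url
    )
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        # -UseBasicParsing avoids the Internet Explorer DOM dependency on servers
        # and Server Core; the short timeout keeps the probe from hanging.
        $response = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
        $sw.Stop()
        [pscustomobject]@{
            Name         = $Name
            Url          = $Url
            StatusCode   = $response.StatusCode
            Milliseconds = $sw.ElapsedMilliseconds
            Result       = 'Reachable'
        }
    }
    catch {
        $sw.Stop()
        # Any exception (DNS failure, refused connection, TLS error, HTTP 4xx/5xx)
        # means clients will see the same failure described in the topic.
        [pscustomobject]@{
            Name         = $Name
            Url          = $Url
            StatusCode   = $null
            Milliseconds = $sw.ElapsedMilliseconds
            Result       = "FAILED: $($_.Exception.Message)"
        }
    }
}

$results = foreach ($check in $Checks) { Test-DirectAccessWebResource @check }
$results | Format-Table -AutoSize

# A CRL that downloads but has already expired is as harmful as one that cannot be
# fetched, because revocation checking still fails. certutil exercises the CRL
# distribution point of a certificate exactly as the Windows client would; export
# the network location server certificate first (placeholder path).
# certutil -verify -urlfetch C:\temp\nls.cer
```

Run the intranet checks from a host on the intranet and the Internet CRL check from a host outside the corporate network, since the point of the Internet distribution point is that it is reachable where the intranet one is not. The CRL distribution points are deliberately plain HTTP: a CRL is signed by the certification authority, so it needs no transport protection, and serving it over HTTPS would require yet another revocation check for that certificate.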

Note: