Forefront UAG DirectAccess and Third-party host firewalls
Published: January 11, 2010
Updated: February 1, 2010
Applies To: Unified Access Gateway
Because Forefront UAG DirectAccess relies on IPsec, AuthIP, and Windows Firewall connection security rules, it is recommended that you do not disable the Windows Firewall service when using a third-party host firewall. When Windows Firewall is enabled, DirectAccess clients can use the built-in IPsec functionality and Windows Firewall connection security rules to protect DirectAccess connections and traffic.
Your third-party firewall should be certified by the Microsoft Driver Logo Program for seamless Forefront UAG DirectAccess functionality. For a list of logo requirements and certified third-party host firewalls, see Windows Quality Online Services (http://go.microsoft.com/fwlink/?LinkId=169342).
Check with your host firewall vendor to see if it supports one of the following options for seamless Forefront UAG DirectAccess functionality:
Uses Windows Firewall functionality; for example, Microsoft Forefront Client Security.
Uses Windows Firewall categories and does not replace Windows Firewall connection security (IPsec).
Windows Firewall categories allow third-party host firewalls in Windows 7 to selectively replace specific elements of Windows Firewall functionality while retaining others. Categories make it possible for third-party host firewalls to operate side-by-side with Windows Firewall.
To determine if Windows Firewall is providing connection security when a third-party host firewall is installed, type netsh advfirewall monitor show firewall at a Command Prompt. In Global Settings, in the Categories section, Windows Firewall should be listed for the ConSecRuleRuleCategory category.
Third-party host firewalls should also support edge traversal to allow intranet servers and computers to initiate connections to DirectAccess clients for remote management. Check the documentation for your third-party host firewall to determine if edge traversal is supported and how to enable it. If supported, the documentation for your third-party firewall will typically refer to this setting as NAT traversal, enabling Teredo, or IPv6 transition technologies.
For more information about Windows Firewall categories, see INetFwProduct Interface (http://go.microsoft.com/fwlink/?LinkId=169343).
For more information about third-party firewall requirements for Teredo, see Teredo co-existence with third-party firewalls (http://go.microsoft.com/fwlink/?LinkId=169344).