Configuring DirectAccess GPOs in Forefront UAG SP1

Updated: February 1, 2011

Applies To: Unified Access Gateway

The Forefront UAG DirectAccess Configuration Wizard uses Group Policy objects (GPOs) to distribute Forefront UAG DirectAccess settings to the following:

  • DirectAccess clients — Contains settings for IPv6 transition technologies, Name Resolution Policy Table (NRPT) entries, and Windows Firewall with Advanced Security connection security rules (required).

  • DirectAccess server — Contains Windows Firewall with Advanced Security connection security rules (required).

  • Application servers — Contains Windows Firewall with Advanced Security connection security rules (optional).

Configuring Group Policy management

To create Group Policy objects, the administrator running the Forefront UAG DirectAccess Configuration Wizard must have permissions to create and modify these objects. In many organizations the Forefront UAG DirectAccess administrator does not have these permissions. Furthermore, an organization may have naming standards that the Group Policy objects must follow.

The Forefront UAG DirectAccess Configuration Wizard allows you to manage your Group Policy as follows:

  • Use the GPOs that the Forefront UAG DirectAccess Configuration Wizard generates automatically, in their default location.

  • Modify the names and location of the GPOs that the Forefront UAG DirectAccess Configuration Wizard generates automatically.

  • Apply Forefront UAG DirectAccess settings to GPOs that have been pre-created by the GPO administrator.

    Note

    When using Forefront UAG DirectAccess generated GPOs:

    • The Forefront UAG DirectAccess administrator who runs the Forefront UAG DirectAccess Configuration script requires GPO Create permissions in each specified domain, and link permissions on all the selected client domain roots (in security group mode) or on all the selected OUs (in OU mode).

    • Alternatively, the Forefront UAG DirectAccess administrator can send an exported Forefront UAG DirectAccess Configuration script to a domain administrator who has the required permissions, to run in their domain.

    Note

    When using pre-created GPOs, the Client Groups and the Server Groups pages of the wizard are skipped, and the Forefront UAG DirectAccess configuration script does not attempt to link the GPOs or to change their security filtering.

For planning information on Group Policy object (GPO) provisioning, see Planning Active Directory for Forefront UAG DirectAccess SP1 (https://go.microsoft.com/fwlink/?LinkId=205663).

To automatically generate the default GPOs and use the default location for the GPOs

  1. In the Clients and GPOs section of the Forefront UAG DirectAccess Configuration Wizard, on the Policy Management page, click Next. The Client Groups page appears.

To modify the names and location of the automatically generated GPOs

  1. On the Policy Management page, click Modify. The GPOs automatically generated by UAG DirectAccess window opens.

  2. To modify the domain where a specific Group Policy will reside, click Change, and select a domain from the domain tree or enter a domain, and then click OK.

    Note

    The location of the Forefront UAG DirectAccess server GPO cannot be modified.

  3. Click OK, and then click Next. The Client Groups page appears.

To apply Forefront UAG DirectAccess settings to GPOs created by the GPO administrator

  1. On the Policy Management page, click Save the UAG DirectAccess settings to these existing GPOs, and then click Assign. The GPOs designated for UAG DirectAccess Policy dialog box opens.

    Note

    It is recommended that you pre-create the GPOs before starting this procedure. In any case, the GPOs must exist before the Forefront UAG DirectAccess Configuration script is run.

  2. Enter the names of the designated GPOs, click OK, click Next, and then click Finish.

    Note

    Validation occurs when you close the GPOs designated for UAG DirectAccess Policy dialog box. If the client GPO name does not exist in at least one client domain, or the Forefront UAG DirectAccess server GPO name does not exist in the Forefront UAG DirectAccess server domain, a message appears with instructions on how to proceed.
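Because the configuration script does not link pre-created GPOs or change their security filtering, the GPO administrator has to do both before the wizard is run, and the GPO names must pass the validation described above. The following PowerShell script is an added example (it is not part of the original page or of the Forefront UAG product) that pre-creates the client and server GPOs, restricts their security filtering to the intended computer groups, links them to the domain root (security group mode), and then performs the same existence check the wizard performs. It uses the GroupPolicy module that ships with GPMC/RSAT on Windows Server 2008 R2. All domain names, GPO names and group names are assumptions for the example; the groups are assumed to resolve in each domain they are used in.

```powershell
# Added example, not from the original page or the UAG product: pre-create the GPOs for
# "Save the UAG DirectAccess settings to these existing GPOs", then link and filter them,
# because the configuration script skips both steps for pre-created GPOs.
# Requires the GroupPolicy module (GPMC/RSAT) and an account with GPO create and link
# permissions in every domain listed. Names below are assumptions for this example.
Import-Module GroupPolicy

$clientDomains = @('corp.contoso.com', 'emea.contoso.com')  # domains that contain DirectAccess clients
$serverDomain  = 'corp.contoso.com'                         # domain of the UAG DirectAccess server
$clientGpoName = 'SEC-DirectAccess-Clients'                 # names follow the organization's standard
$serverGpoName = 'SEC-DirectAccess-Server'
$clientGroup   = 'DirectAccess Clients'                     # security group of DirectAccess client computers
$serverGroup   = 'DirectAccess Servers'                     # security group containing the UAG server

function Get-DomainRootDN {
    # Build the distinguished name of a domain root from its DNS name.
    param([string]$Domain)
    'DC=' + (($Domain -split '\.') -join ',DC=')
}

function Ensure-DaGpo {
    # Create the GPO if it is missing, filter it to the intended computer group and link it.
    # In OU mode, pass the DN of each selected OU as -LinkTarget instead of the domain root.
    param([string]$Name, [string]$Domain, [string]$ApplyToGroup, [string]$LinkTarget)
    if (-not $LinkTarget) { $LinkTarget = Get-DomainRootDN $Domain }

    $gpo = Get-GPO -Name $Name -Domain $Domain -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $Name -Domain $Domain -Comment 'Reserved for Forefront UAG DirectAccess settings'
    }

    # Security filtering: only the intended group gets Apply. Authenticated Users keeps Read,
    # so policy processing still works, but loses the default Apply permission.
    Set-GPPermission -Name $Name -Domain $Domain -TargetName $ApplyToGroup -TargetType Group `
        -PermissionLevel GpoApply -Replace | Out-Null
    Set-GPPermission -Name $Name -Domain $Domain -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null

    # Link once; New-GPLink fails if the link already exists.
    $linked = (Get-GPInheritance -Target $LinkTarget -Domain $Domain).GpoLinks |
              Where-Object { $_.DisplayName -eq $Name }
    if (-not $linked) {
        New-GPLink -Name $Name -Domain $Domain -Target $LinkTarget -LinkEnabled Yes | Out-Null
    }
    $gpo
}

function Test-DaGpoPlacement {
    # Mirror the wizard's validation: the client GPO name must exist in at least one client
    # domain, and the server GPO name must exist in the UAG DirectAccess server domain.
    param([string[]]$ClientDomains, [string]$ClientGpoName,
          [string]$ServerDomain,    [string]$ServerGpoName)

    $clientHits = @($ClientDomains | Where-Object {
        Get-GPO -Name $ClientGpoName -Domain $_ -ErrorAction SilentlyContinue })
    $serverHit = Get-GPO -Name $ServerGpoName -Domain $ServerDomain -ErrorAction SilentlyContinue

    if ($clientHits.Count -eq 0) {
        Write-Warning "Client GPO '$ClientGpoName' exists in none of: $($ClientDomains -join ', ')"
    }
    if (-not $serverHit) {
        Write-Warning "Server GPO '$ServerGpoName' not found in $ServerDomain"
    }
    return ($clientHits.Count -gt 0 -and [bool]$serverHit)
}

foreach ($d in $clientDomains) {
    Ensure-DaGpo -Name $clientGpoName -Domain $d -ApplyToGroup $clientGroup | Out-Null
}
Ensure-DaGpo -Name $serverGpoName -Domain $serverDomain -ApplyToGroup $serverGroup | Out-Null

if (Test-DaGpoPlacement -ClientDomains $clientDomains -ClientGpoName $clientGpoName `
                        -ServerDomain $serverDomain -ServerGpoName $serverGpoName) {
    'GPOs are in place; enter these names on the Policy Management page of the wizard.'
}
```

Run it from a host with GPMC installed, under an account that holds the create and link permissions in each domain. Once it completes, the wizard only has to write the DirectAccess settings into the named GPOs; the links and security filtering created here are left unchanged by the configuration script, which is why they must be correct before it runs.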