DirectAccess Connectivity Assistant 1.5 Deployment Guide

Updated: February 1, 2011

Applies To: Unified Access Gateway

The Microsoft DirectAccess Connectivity Assistant (DCA) version 1.5 supports a DirectAccess client computer that is running Windows® 7 by clearly indicating the state of DirectAccess connectivity to corporate network resources. The DCA improves your DirectAccess connectivity experience and helps organizations reduce the cost of supporting DirectAccess by:

  • Providing easy access to troubleshooting information—Without the DCA, when a user’s Internet connection (for example, to https://www.bing.com) appears to be available but corporate network resources are not accessible, the user has no way to verify whether the problem is caused by DirectAccess not working correctly. The DCA clearly indicates the operational status of DirectAccess by using an icon in the notification area and informational messages. This helps the user identify the problem area and helps direct troubleshooting efforts.

  • Providing the user with easy access to an extranet URL—For example, this URL might point to a Web site that hosts support information for the organization’s user community.

  • Allowing the user to easily send diagnostic log files to the DirectAccess support staff—The log files contain default information; in addition, the administrator can include a script in the DCA configuration that generates additional diagnostic information, which is included in the diagnostic log files sent to the support team.

About this guide

This document is intended for information technology (IT) administrators and support staff who deploy, manage, and support DirectAccess on their corporate networks. For the DCA to function correctly, DirectAccess clients must be configured with DCA Group Policy settings, and the DCA must be deployed on DirectAccess client computers.

This guide includes the following topics:

  • Configuring the DCA software in Forefront UAG SP1

  • Configuring the DCA software when Forefront UAG RTM or UP1 is deployed

Configuring the DCA software in Forefront UAG SP1

The DirectAccess Connectivity Assistant (DCA) is configured using Group Policy settings. You can configure DCA Group Policy settings in the Forefront UAG DirectAccess Configuration Wizard. The settings are included as part of the UAG DirectAccess: Clients GPO, created when the Forefront UAG DirectAccess Configuration Wizard is applied.

Note

This is the recommended method to configure the DCA software when you deploy Forefront UAG SP1.

For more information, see Configuring the DirectAccess Connectivity Assistant (DCA) in SP1.

Configuring the DCA software when Forefront UAG RTM or UP1 is deployed

DCA 1.5 can be installed on DirectAccess clients when Forefront UAG RTM or UP1 is deployed. Whilst installing the DCA 1.5 client-side software gives you improved error messages and diagnostics functionality, the main reason for installing the DCA 1.5 client is to prepare for a migration to Forefront UAG SP1.

Note

The DCA 1.5 software is supplied on the Forefront UAG SP1 CD.

The DCA is configured using Group Policy settings. If Forefront UAG RTM or UP1 is deployed, you must download two Group Policy template files (.admx and .adml) that are available on the DCA version 1.0 download page. These files enable you to store DCA settings in a Group Policy object (GPO). It is recommended that you apply the settings by using the DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12} or UAG DirectAccess: Client-{3491980e-ef3c-4ed3-b176-a4420a810f12} GPOs that are created when you install DirectAccess on your network. Alternatively, you can create a new GPO and scope the GPO to apply to the security groups that contain all of your client computers that participate in your DirectAccess deployment.

The following topics describe how to configure the DCA software when Forefront UAG RTM or UP1 is deployed:

  1. Installing the DCA Group Policy template files

  2. Configuring the DCA client settings

Installing the DCA Group Policy template files

The following procedure explains how to download and store the DCA template files.

To import the DCA template files into the Group Policy Management Console

  1. Perform these steps on a computer that is running either Windows Server 2008 R2, or Windows 7 with the Remote Server Administration Tools (RSAT) installed. To download RSAT, see Remote Server Administration Tools (https://go.microsoft.com/fwlink/?linkid=182617).

  2. In your Web browser, type https://go.microsoft.com/fwlink/?LinkId=184636 in the Address bar, and download the DirectAccess Connectivity Assistant GP.adml and DirectAccess Connectivity Assistant GP.ADMX files.

  3. Copy the DCA Group Policy .admx and .adml template files to your computer as follows:

    1. Copy the DirectAccess Connectivity Assistant GP.admx file to the folder %systemroot%\PolicyDefinitions.

    2. Copy the DirectAccess Connectivity Assistant GP.adml file to the language-specific folder %systemroot%\PolicyDefinitions\language. For example, for US English, copy the file to %systemroot%\PolicyDefinitions\en-us.

  4. On the taskbar, click Start, click Run, type gpmc.msc and then click OK. The Group Policy Management Console opens.

  5. Navigate to the Client GPO, right-click, and then click Edit.

  6. Expand Computer Configuration, expand Policies, expand Administrative Templates, and then select DirectAccess Connectivity Assistant.

    The settings for DirectAccess Connectivity Assistant appear in the details pane.

Configuring the DCA client settings

This section describes the settings that are available to configure a DCA client.

Important

You must configure the DTE and CorporateResources settings to have DCA functionality. The other settings are optional, but recommended.

DTE

Type: A collection of IPv6 addresses that each identify a DirectAccess server.

Default: None

Description: Specifies the dynamic tunnel endpoints (DTEs) of the IPsec tunnels that enable DirectAccess. It is through these tunnels that the DCA attempts to access the resources that are specified in the CorporateResources setting. By default, the DCA uses the same DirectAccess server that the DirectAccess client computer connection is using. In default configurations of DirectAccess, there are typically two DTEs, one for the infrastructure tunnel, and one for the intranet tunnel.

You should configure one DTE for each tunnel. Each entry consists of the text PING: followed by the IPv6 address.

For example, if the two Internet-facing IPv4 addresses that serve as DTEs on the Forefront UAG DirectAccess server are 192.0.2.30 and 192.0.2.31, the corresponding IPv6 DTEs are 2002:c000:21e::c000:21e and 2002:c000:21f::c000:21f. You enter the DTEs in the format: PING: 2002:c000:21e::c000:21e and PING: 2002:c000:21f::c000:21f.
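The 6to4 derivation shown above, as an added example that is not part of this guide or the DCA software: it builds the DTE entries from the server's Internet-facing IPv4 addresses and, for checking an existing GPO, recovers the IPv4 address embedded in a DTE entry. The function names are this example's own.

```python
import ipaddress

# 6to4 (RFC 3056) requires a public IPv4 address, so RFC 1918 ranges are rejected.
_PRIVATE = [ipaddress.IPv4Network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ipv4_to_6to4(ipv4: str) -> str:
    """Derive the 6to4 IPv6 address that corresponds to a server's public IPv4 address.

    6to4 places the 32-bit IPv4 address directly after the 2002::/16 prefix, and the
    DirectAccess server's host identifier repeats it, so W.X.Y.Z becomes
    2002:WWXX:YYZZ::WWXX:YYZZ (for example 192.0.2.30 -> 2002:c000:21e::c000:21e).
    """
    addr = ipaddress.IPv4Address(ipv4)
    if any(addr in net for net in _PRIVATE):
        raise ValueError(f"{ipv4} is a private address; 6to4 needs a public IPv4 address")
    hi, lo = divmod(int(addr), 1 << 16)          # upper and lower 16 bits of the IPv4 address
    return ipaddress.IPv6Address(f"2002:{hi:x}:{lo:x}::{hi:x}:{lo:x}").compressed


def dte_entries(ipv4_addresses):
    """Build the DTE setting: one 'PING:' entry per tunnel endpoint address."""
    return [f"PING:{ipv4_to_6to4(a)}" for a in ipv4_addresses]


def dte_to_ipv4(dte_entry: str) -> str:
    """Recover the IPv4 address behind an existing DTE entry, so a GPO can be
    compared against the server's actual Internet-facing addresses."""
    text = dte_entry.strip()
    if text.upper().startswith("PING:"):
        text = text[len("PING:"):].strip()
    embedded = ipaddress.IPv6Address(text).sixtofour   # None unless the address is 2002::/16
    if embedded is None:
        raise ValueError(f"{text} is not a 6to4 address")
    return str(embedded)


if __name__ == "__main__":
    # The two constructed addresses from the worked example above.
    for entry in dte_entries(["192.0.2.30", "192.0.2.31"]):
        print(entry, "<-", dte_to_ipv4(entry))
```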

CorporateResources

Type: A collection of strings that identify network resources to test.

Default: None

Description: Specifies resources that are normally accessible to DirectAccess clients. You must configure this setting to have complete DCA functionality. Each entry is a string that identifies both the type of the resource and the resource itself. Each string in its respective key can be one of the following types:

Note

You must not configure the network location server as a connectivity verifier.

  • An IPv6 address or DNS name to ping. The syntax is the text PING: followed by a fully qualified domain name (FQDN) that resolves to an IPv6 address, or an IPv6 address, for example: PING:myserver.mydomain.com or PING:2002:836b:1::1.

    Note

    It is recommended that you use FQDNs instead of addresses where possible.

    Important

    At least one of the resources must use the PING: syntax and name resolution.

  • A Uniform Resource Locator (URL) to query with an HTTP request. The syntax is the word HTTP: followed by a URL that resolves to an IPv6 address of a Web server, for example: HTTP:https://2002:836b:1::1/ or HTTP:https://myserver.mydomain.com/.

  • A Universal Naming Convention (UNC) path to a file that the DCA checks. The DCA does not actually open or read the file; it only confirms that it exists. The syntax is the word FILE: followed by a UNC path to a file on a share, where the server name resolves to an IPv6 address, for example: FILE:\\2002:836b:1::1\myshare\test.txt or FILE:\\myserver\myshare\test.txt.

    Important

    The administrator must ensure that the file exists, and that the DCA has read permissions to the file.

    Important

    The URL and UNC paths that you configure should not require any type of user account credentials for authentication or authorization.

The DCA periodically checks its ability to access the specified resources, and it uses the results of those tests to determine and report the operating status of DirectAccess. If a DCA client computer cannot access any of the specified resources, the icon in the notification area changes to red. The list of resources and their success or failure state is listed in the log files that are captured when the user selects Advanced diagnostics.

You should specify a diverse set of resources that ideally have DirectAccess as the only common factor. These resources should be accessible through the intranet tunnel on the internal private network, and not part of the DirectAccess infrastructure. This diversity helps ensure that a failure to access a resource is an unambiguous indication of a problem with DirectAccess rather than a problem with another component. For example, if all of the specified resources are behind a NAT64/DNS64, the failure of DCA to access the test resources might indicate a failure of the NAT64/DNS64 rather than a failure of DirectAccess. Instead, identify one resource behind the NAT64/DNS64, another that is an ISATAP host, and so on.
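A pre-deployment check of a CorporateResources list against the rules in this section (entry syntax, the requirement that at least one PING: entry use name resolution, the preference for FQDNs over addresses, and the rule that the network location server is never used as a verifier). This is an added example, not code from this guide or the DCA; the function and the network location server name it takes as a parameter are this example's own.

```python
import ipaddress
import re

# Syntax rules taken from the CorporateResources description above.
_FQDN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{1,63}$", re.I)
_URL = re.compile(r"^https?://([^/]+)(/.*)?$", re.I)      # HTTP: target, group 1 is the host
_UNC = re.compile(r"^\\\\([^\\]+)\\[^\\]+\\.+$")           # FILE: target, group 1 is the server


def _is_ipv6(host: str) -> bool:
    try:
        ipaddress.IPv6Address(host.strip("[]"))
        return True
    except ValueError:
        return False


def validate_corporate_resources(entries, nls_fqdn=None):
    """Return (errors, warnings) for a proposed CorporateResources list.

    nls_fqdn is the network location server's name (hypothetical parameter); any
    entry that points at it is reported as an error.
    """
    errors, warnings = [], []
    ping_by_name = False
    for entry in entries:
        kind, sep, target = entry.partition(":")
        kind, host = kind.upper(), None
        if not sep or kind not in ("PING", "HTTP", "FILE"):
            errors.append(f"{entry!r}: must start with PING:, HTTP: or FILE:")
            continue
        if kind == "PING":
            if _is_ipv6(target):
                host = target
                warnings.append(f"{entry!r}: prefer an FQDN to a literal IPv6 address")
            elif _FQDN.match(target):
                host, ping_by_name = target, True
            else:
                errors.append(f"{entry!r}: PING: target must be an FQDN or IPv6 address")
        else:
            match = (_URL if kind == "HTTP" else _UNC).match(target)
            if match:
                host = match.group(1)
            else:
                errors.append(f"{entry!r}: malformed {'URL' if kind == 'HTTP' else 'UNC path'}")
        if host and nls_fqdn and host.strip("[]").lower() == nls_fqdn.lower():
            errors.append(f"{entry!r}: the network location server must not be a verifier")
    if not ping_by_name:
        errors.append("at least one PING: entry must use a DNS name rather than an address")
    return errors, warnings
```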

Corporate Portal Site

Type: String

Default: None

Description: Specifies the URL to an externally accessible Web site to which the DCA can refer users to help troubleshoot DirectAccess issues. The URL appears in DCA pop-up messages and in the Advanced Diagnostics window. We recommend that you maintain a list of current troubleshooting steps for common problems, and provide contact information for users when the Web site does not help the user solve the problem.

PortalName

Type: String

Default: “Help Portal”

Description: Specifies the friendly name of the corporate portal Web site. This name appears in the link in the DCA Advanced Diagnostics window. You can customize this to include your organization’s name.

SupportEmail

Type: String

Default: None

Description: Specifies the e-mail address to be used when the user starts Advanced Diagnostics and selects the option to transmit log files to the DirectAccess administrator. When the user clicks Email Logs, the default e-mail client opens a new message with the specified address in the To: field of the message, and attaches the generated log files as a .cab file. The user can review the e-mail and add additional information before clicking Send.

Important

The log files that are sent from the client computer can include files and data from folders that are not normally accessible to standard, non-elevated users. Because the completed log files are made available to the user through a link in the Advanced Diagnostics dialog box and through an attachment in an e-mail, standard users without administrator permissions can read the files.

LocalNamesOn

Type: Enabled or disabled

Default: Disabled

Description: Specifies whether the user sees the menu option Prefer Local DNS Names, and can remove the DirectAccess rules from the Name Resolution Policy Table (NRPT) and instead use local name resolution. If enabled, the user can right-click the DCA icon and then click Prefer Local DNS Names. If this setting is disabled, the menu option does not appear on the DCA menu.

If the user selects Prefer Local DNS Names, DirectAccess stops sending name resolution requests to the internal corporate DNS servers. Instead, the client uses whatever normal name resolution is available to the client computer in its current network configuration, including sending all DNS queries to Internet DNS servers. For more information about local names versus corporate names, see Using the DirectAccess Connectivity Assistant (DCA) 1.5 (https://go.microsoft.com/fwlink/?LinkId=203299).

Note

The Prefer Local DNS Names setting only has an effect when the user is connecting to the corporate network from the Internet.

AdminScript

Type: String

Default: None

Description: Specifies the path and file name of a script that is provided by the administrator and is run as part of the Advanced Diagnostic log generation process. The output of the script is included in the .cab file that is created as part of the collection of the logs that is initiated when the user opens the Advanced Diagnostics dialog box. The script can be a .cmd file, .bat file, or any other command that can be run at a command prompt and that prints output to the console as text. The script must complete its actions within 45 seconds. Scripts that take longer have their logs truncated.

Warning

This script should be installed on the client computer in a location that cannot be modified by a standard user account. The DCA runs the script with elevated permissions.

For information on how to install and deploy the DCA client-side software, see Installing and Deploying the DCA client-side software.