Configuring pre-created GPOs

Updated: February 1, 2011

Applies To: Unified Access Gateway

When you select the "Apply Forefront UAG DirectAccess settings to GPOs that have been pre-created by the GPO administrator" option, the administrator must create multiple copies of the client GPO, one for each client domain. When End-to-End Access is configured, the administrator must also create multiple copies of the application server GPO, one for each domain in the forest that contains specified application servers.

The Forefront UAG DirectAccess Configuration script:

  • Searches for identical pre-created client GPO names in all client domains, and copies the policy settings to the corresponding GPO in each client domain.

  • Searches every domain in the forest that the Forefront UAG DirectAccess server belongs to, and copies the policy settings to the corresponding GPO in each domain where a specified application server resides.

One copy of the Forefront UAG DirectAccess gateway GPO must be created in the domain where the Forefront UAG DirectAccess server resides. The Forefront UAG DirectAccess configuration script looks for the pre-created gateway GPO name in that domain and copies the policy settings to it.

When using GPOs pre-created by an administrator, the export script does not change the security filtering of the GPOs, nor does it try to create GPO links. Both remain the administrator's responsibility: a pre-created GPO with the default security filtering (Authenticated Users) applies to every computer in the link scope, not only to the DirectAccess servers, clients, or application servers it is intended for.

For more information on configuring security filtering and creating GPO links, see Control the Scope of Group Policy Objects (https://go.microsoft.com/fwlink/?LinkId=206623).

Creating and configuring GPOs

  1. Create the Forefront UAG DirectAccess gateway GPO in the same domain as the Forefront UAG DirectAccess server, configure Security Filtering, and then create a link to an OU or to the domain root.

    Note

    This GPO must only be applied on Forefront UAG DirectAccess servers.

  2. Create client GPOs in all client domains, using exactly the name specified in the Forefront UAG DirectAccess Configuration Wizard, configure Security Filtering, and then create links as required.

    Note

    It is recommended that you do not create cross-domain links.

  3. Create AppServer GPOs in each domain of the Forefront UAG server's forest where application servers reside, using exactly the name specified in the Forefront UAG DirectAccess Configuration Wizard, configure Security Filtering, and then create links as required.

    Note

    The Forefront UAG DirectAccess Configuration Wizard looks for the specified AppServer GPO in every domain in the forest and attempts to populate the GPO with the required settings. Application servers outside of the Forefront UAG server's forest are not supported.

  4. Ensure that the user who applies policies or runs the Forefront UAG DirectAccess export script has Edit settings permission on the GPOs. Otherwise, a warning is issued when the policy is applied.

    It is recommended that the administrator who configures DirectAccess has Read permissions to the GPOs so that the Wizard is able to find the GPOs. Failing to do this causes certain validations to fail and results in a warning when selecting the names of the GPOs in the Forefront UAG DirectAccess Configuration Wizard.
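The following PowerShell script is an added example that walks through steps 1 to 4 above and then checks what the export script will look for; it is not part of the original Forefront UAG documentation or product. It uses the GroupPolicy module cmdlets (New-GPO, Set-GPPermission, New-GPLink, Get-GPInheritance, Get-GPPermission). All GPO names, group names, domain names, and the administrator account below are assumed placeholders; replace them with the names entered in the Forefront UAG DirectAccess Configuration Wizard and the groups used in your forest.

```powershell
# Added example, not from the Forefront UAG documentation.
# Every name below is an assumption for illustration.
Import-Module GroupPolicy

$gatewayGpo    = 'UAG DirectAccess Gateway'      # name typed in the wizard (assumed)
$clientGpo     = 'UAG DirectAccess Clients'      # name typed in the wizard (assumed)
$appServerGpo  = 'UAG DirectAccess AppServers'   # name typed in the wizard (assumed)
$uagDomain     = 'corp.example.com'              # domain of the UAG DirectAccess server (assumed)
$clientDomains = @('corp.example.com', 'emea.corp.example.com')   # domains with DA clients (assumed)
$appDomains    = @('corp.example.com', 'apac.corp.example.com')   # forest domains with app servers (assumed)
$uagServers    = 'UAG-DA-Servers'     # group holding ONLY the UAG DirectAccess server computer accounts (assumed)
$daClients     = 'DA-Clients'         # group of DirectAccess client computers, present in each client domain (assumed)
$daAppServers  = 'DA-AppServers'      # group of application servers, present in each app-server domain (assumed)
$daAdmin       = 'CORP\da-admin'      # account that runs the wizard / export script (assumed)

# Distinguished name of a domain root, e.g. corp.example.com -> DC=corp,DC=example,DC=com
function Get-DomainRootDN([string]$Domain) { 'DC=' + ($Domain -replace '\.', ',DC=') }

function New-DaGpo {
    param([string]$Name, [string]$Domain, [string]$ApplyToGroup)

    # Create the GPO only if it is not already there; the name must match the wizard exactly
    $gpo = Get-GPO -Name $Name -Domain $Domain -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name -Domain $Domain }

    # Security filtering (the export script never touches this):
    # downgrade the default Authenticated Users entry from Apply to Read so the GPO
    # stays readable but is applied only to the intended computer group.
    Set-GPPermission -Name $Name -Domain $Domain -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $Name -Domain $Domain -TargetName $ApplyToGroup `
        -TargetType Group -PermissionLevel GpoApply | Out-Null

    # Step 4: the account running the export script needs Edit settings (which includes Read)
    Set-GPPermission -Name $Name -Domain $Domain -TargetName $daAdmin `
        -TargetType User -PermissionLevel GpoEdit | Out-Null

    # Link to the root of the same domain only (no cross-domain links, as recommended above)
    $root = Get-DomainRootDN $Domain
    $alreadyLinked = (Get-GPInheritance -Target $root -Domain $Domain).GpoLinks |
        Where-Object { $_.DisplayName -eq $Name }
    if (-not $alreadyLinked) {
        New-GPLink -Name $Name -Domain $Domain -Target $root -LinkEnabled Yes | Out-Null
    }
    return $gpo
}

# Step 1: exactly one gateway GPO, in the UAG DirectAccess server's own domain,
# filtered so that it applies only to the UAG DirectAccess servers
New-DaGpo -Name $gatewayGpo -Domain $uagDomain -ApplyToGroup $uagServers | Out-Null

# Step 2: one identically named client GPO in every client domain
foreach ($d in $clientDomains) { New-DaGpo -Name $clientGpo -Domain $d -ApplyToGroup $daClients | Out-Null }

# Step 3: one identically named AppServer GPO in each forest domain that holds application servers.
# Domains outside the UAG server's forest are not supported, so refuse them up front.
$forestDomains = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Domains |
    ForEach-Object { $_.Name.ToLower() }
foreach ($d in $appDomains) {
    if ($forestDomains -notcontains $d.ToLower()) { Write-Warning "$d is outside the UAG forest; skipping"; continue }
    New-DaGpo -Name $appServerGpo -Domain $d -ApplyToGroup $daAppServers | Out-Null
}

# Verification of what the wizard / export script will search for: the same GPO name in
# every expected domain, and at least Read (here Edit) for the configuring account.
function Test-DaGpo {
    param([string]$Name, [string[]]$Domains)
    $ok = $true
    foreach ($d in $Domains) {
        $gpo = Get-GPO -Name $Name -Domain $d -ErrorAction SilentlyContinue
        if (-not $gpo) { Write-Warning "GPO '$Name' is missing in $d"; $ok = $false; continue }
        $perm = Get-GPPermission -Name $Name -Domain $d -TargetName $daAdmin `
            -TargetType User -ErrorAction SilentlyContinue
        $readable = @('GpoRead', 'GpoEdit', 'GpoEditDeleteModifySecurity')
        if (-not $perm -or $readable -notcontains [string]$perm.Permission) {
            Write-Warning "$daAdmin cannot read/edit '$Name' in $d (wizard validation will warn)"; $ok = $false
        }
    }
    return $ok
}

$allGood = (Test-DaGpo -Name $gatewayGpo   -Domains @($uagDomain)) -and
           (Test-DaGpo -Name $clientGpo    -Domains $clientDomains) -and
           (Test-DaGpo -Name $appServerGpo -Domains $appDomains)
"Pre-created GPOs ready for the wizard: $allGood"
```

Run the script as an account that can create and link GPOs in each domain (it needs permission in every domain it touches, which the single $daAdmin account used for the export script may not have). The Authenticated Users entry is downgraded to Read rather than removed so that the GPO can still be read by every computer during policy processing while only the filtered group applies it; the gateway GPO in particular must never apply to anything other than the UAG DirectAccess servers. Membership of the groups used for filtering should be checked afterward with Get-ADGroupMember, since the export script copies settings into whatever the GPO already scopes.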