
Offline Migration Steps

Published: February 29, 2012

Updated: February 29, 2012

Applies To: Windows Server 2012, Windows Server 2012 R2



This topic describes the steps required to perform an offline migration from Forefront UAG SP1 DirectAccess to DirectAccess in Windows Server® 2012.

 

Task Description

Step 1: Install the Remote Access role

Configure the Windows Server 2012 computer as a Remote Access server.

Step 2: Configure IP addresses

Configure IP addresses on the Remote Access server.

Step 3: Obtain a server certificate for IP-HTTPS connections

DirectAccess in Windows Server 2012 provides two options for the IP-HTTPS certificate. You can obtain a certificate from a CA, in a similar way to Forefront UAG DirectAccess, or you can configure Windows Server 2012 DirectAccess to automatically issue a self-signed certificate for IP-HTTPS authentication.

Step 4: Prepare GPOs

Prepare the required GPOs.

Step 5: Additional steps

Export the settings using the following procedure.

  1. In the dashboard of the Server Manager console, click Add roles.

  2. Click Next until you reach the Select Server Roles dialog.

  3. On the Select Server Roles dialog, select Remote Access. Click Add Required Features, and then click Next.

  4. On the Select features dialog, expand Remote Server Administration Tools. Expand Role Administration Tools, and then select Remote Access Management Tools. Click Next until you reach the Confirm installation selections dialog.

  5. On the Confirm installation selections dialog, click Install.

  6. On the Installation progress dialog, verify that the installation was successful, and then click Close.

Configure the IP addresses using the following procedure.

  1. On the external network adapter, use the value specified in DirectAccess server Internet-facing address, in the DirectAccess Server Settings section of the exported Forefront UAG configuration settings file, as the first IP address. For the second IP address, use this address increased by one. For example, 1.2.3.4 and 1.2.3.5.

  2. To ensure that ISATAP is not configured, configure an arbitrary IPv6 unique local address (prefix fc00::/7) on the internal network adapter.

  3. For the internal network adapter, use the address specified in the DirectAccess server internal address, in the DirectAccess Server Settings section of the exported Forefront UAG configuration settings file.

  4. On the Select features dialog, expand Remote Server Administration Tools. Expand Role Administration Tools, and then select Remote Access Management Tools. Click Next until you reach the Confirm installation selections dialog.

  5. On the Confirm installation selections dialog, click Install.

  6. On the Installation progress dialog, verify that the installation was successful, and then click Close.
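The address plan from IP address steps 1 to 3 above, as an added PowerShell example that is not part of the original topic. The adapter names, prefix lengths, and internal address are constructed placeholders, and the unique local address is drawn from fd00::/8 (inside fc00::/7) with a random 40-bit global ID, which is one way to pick the "arbitrary" address the step calls for.

```powershell
# Added example. Adapter names, prefix lengths and the internal address are
# constructed placeholders; take the real values from the exported
# Forefront UAG configuration settings file.
$ExternalAlias   = 'External'   # assumed name of the Internet-facing adapter
$InternalAlias   = 'Internal'   # assumed name of the internal adapter
$ExternalFirst   = '1.2.3.4'    # "DirectAccess server Internet-facing address"
$ExternalPrefix  = 24           # assumed prefix length
$InternalAddress = '10.0.0.2'   # constructed "DirectAccess server internal address"
$InternalPrefix  = 24           # assumed prefix length
$DryRun          = $true        # set to $false to apply the changes

function Get-NextIPv4 {
    # Returns the IPv4 address that follows $Address ("increased by one").
    param([Parameter(Mandatory = $true)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Not an IPv4 address: $Address"
    }
    $bytes = $ip.GetAddressBytes()
    if ($bytes[3] -eq 255) {
        throw "Incrementing $Address would cross an octet boundary; check the plan."
    }
    $bytes[3] = [byte]($bytes[3] + 1)
    (New-Object System.Net.IPAddress (,$bytes)).ToString()
}

function New-UlaAddress {
    # Builds fdXX:XXXX:XXXX::1 with a random 40-bit global ID.
    $bytes = New-Object byte[] 16
    $rand  = New-Object byte[] 5
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($rand)
    $bytes[0] = 0xfd
    [Array]::Copy($rand, 0, $bytes, 1, 5)
    $bytes[15] = 1
    (New-Object System.Net.IPAddress (,$bytes)).ToString()
}

$plan = @(
    @{ Alias = $ExternalAlias; Address = $ExternalFirst;                Prefix = $ExternalPrefix },
    @{ Alias = $ExternalAlias; Address = (Get-NextIPv4 $ExternalFirst); Prefix = $ExternalPrefix },
    @{ Alias = $InternalAlias; Address = $InternalAddress;              Prefix = $InternalPrefix },
    @{ Alias = $InternalAlias; Address = (New-UlaAddress);              Prefix = 64 }
)
foreach ($entry in $plan) {
    New-NetIPAddress -InterfaceAlias $entry.Alias -IPAddress $entry.Address `
        -PrefixLength $entry.Prefix -WhatIf:$DryRun
}
# Review what is bound to each adapter after applying the plan.
Get-NetIPAddress -InterfaceAlias $ExternalAlias, $InternalAlias |
    Format-Table InterfaceAlias, AddressFamily, IPAddress, PrefixLength
```

With `$DryRun` left at `$true`, `New-NetIPAddress` only reports what it would configure, so the derived second address and the generated unique local address can be checked before anything is changed.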

Obtain a web server certificate with a subject name that matches the FQDN of the Forefront UAG server. If you want to export the certificate from Forefront UAG and import it to the Remote Access server, see Export a certificate with the private key for instructions. Note that exporting the private key is only possible if the Make private key exportable option was checked when the original Forefront UAG certificate was created. Otherwise, the private key cannot be exported, and a new certificate with the same FQDN for the Remote Access server must be created.

Prepare GPOs for the Remote Access server, DirectAccess clients, and application servers. DirectAccess administrators should have the correct permissions (edit settings, delete, modify security) to modify the GPOs.

Configure DirectAccess using the instructions described in Side-by-side migration steps.
