Identifying your Forefront UAG DirectAccess deployment goals

Updated: October 21, 2010

Applies To: Unified Access Gateway

For the successful deployment of Forefront Unified Access Gateway (UAG) DirectAccess, you must identify your Forefront UAG DirectAccess deployment goals correctly. This topic is designed to help you identify your Forefront UAG DirectAccess deployment goals. By identifying these goals, you can clearly pinpoint the Forefront UAG DirectAccess design requirements necessary to meet each goal. Depending on the size of your organization, implementing a solution might require the involvement of other IT staff, in addition to the infrastructure specialist or systems architect. You can take advantage of existing, documented, and predefined Forefront UAG DirectAccess deployment goals that are relevant to Forefront UAG DirectAccess designs, and develop a working solution for your Forefront UAG DirectAccess scenarios.

Note the following:

The following lists the predefined Forefront UAG DirectAccess deployment goals, which you can combine if required, to meet your organizational objectives:

  • Transparent and automatic remote access for DirectAccess clients

  • Ongoing management of remote DirectAccess clients

  • Efficient routing of intranet and Internet traffic

  • Reduction of remote access-based servers in your edge network

  • End-to-end traffic protection

  • Access to IPv4-only resources on the intranet using Forefront UAG DirectAccess NAT64 and DNS64

  • A scalable Forefront UAG DirectAccess solution

  • Multi-factor credentials for intranet access

Transparent and automatic remote access for DirectAccess clients

Forefront UAG DirectAccess enhances the productivity of mobile workers by connecting their computers automatically and seamlessly to their intranet any time Internet access is available. Users do not need to initiate a virtual private network (VPN) connection every time that they need to access intranet resources. With Forefront UAG DirectAccess, intranet file shares, Web sites, and line-of-business applications can remain accessible wherever you have an Internet connection as if you were directly connected to the intranet.

Ongoing management of remote DirectAccess clients

With current VPN solutions, the remote computer is connected to the intranet only intermittently. This model of user-initiated connections makes it difficult for IT staff to manage remote computers with the latest updates and security policies. Remote computer management can be mitigated by checking for and requiring system health updates before completing the VPN connection. However, such requirements can add substantial wait times to the VPN connection process.

With DirectAccess, IT staff can manage mobile computers by updating Group Policy settings and distributing software updates any time the mobile computer has Internet connectivity, even if the user is not logged on. This flexibility allows IT staff to manage remote computers on a regular basis and ensures that mobile users stay up-to-date with security and system health policies.

Efficient routing of intranet and Internet traffic

Forefront UAG DirectAccess separates intranet from Internet traffic, which reduces unnecessary traffic on the intranet by sending only traffic destined for the intranet through the Forefront UAG DirectAccess server. Some VPN solutions use Network layer routing table entries to separate intranet from Internet traffic, in a configuration known as split-tunneling. Forefront UAG DirectAccess solves this problem in the Application layer through more intelligent name resolution, and in the Network layer by summarizing the IPv6 address space of an entire organization with IPv6 address prefixes. Rather than directing traffic solely based on a destination address, DirectAccess clients also direct traffic based on the name required by the application.

DirectAccess clients use a Name Resolution Policy Table (NRPT) that contains Domain Name System (DNS) namespace rules, and a corresponding set of intranet DNS servers that resolve names for that DNS namespace. When an application on a DirectAccess client attempts to resolve a name, it first compares the name with the rules in the NRPT. If there is a match, the DirectAccess client uses the specified intranet DNS servers to resolve the name to intranet addresses and establish connections. If there is no match or there is an entry specifying the qualified name as an exemption within the namespace, the DirectAccess client uses Internet DNS servers to resolve the name to Internet addresses and establish connections.

Reduction of remote access-based servers in your edge network

With Forefront UAG DirectAccess, you can reduce your dependence on remote access and application edge servers, leading to an edge network with fewer remote access-based servers. For example, the number of application edge servers can be reduced as the number of remote access clients provisioned for DirectAccess increase because DirectAccess clients can directly access the corresponding application servers on the intranet.

End-to-end traffic protection

You can specify that the traffic between DirectAccess clients and intranet applications servers is protected from end-to-end. In most VPN solutions, the protection only extends to the VPN server. This capability for end-to-end traffic protection provides additional security for traffic to selected application servers inside the intranet. Additionally, by leveraging the flexibility and control that is possible with connection security rules in Windows Firewall with Advanced Security, you can specify that the end-to-end protection includes encryption.

Access to IPv4-only resources on the intranet using Forefront UAG DirectAccess NAT64 and DNS64

The Forefront UAG DirectAccess server has integrated NAT64 and DNS64 components. The combination of NAT64 and DNS64 enable DirectAccess clients to access resources on your intranet that are IPv4-only aware.

A scalable Forefront UAG DirectAccess solution

Forefront UAG integrates NLB functionality provided by Windows Server 2008 R2 with additional functionality that enables load balancing of Forefront UAG DirectAccess servers. Forefront UAG NLB provides load balancing for up to 8 Forefront UAG DirectAccess array members. The Forefront UAG DirectAccess Configuration Wizard also enables you to use an external load balancing solution for the array.

Multi-factor credentials for intranet access

In typically deployed access models, DirectAccess clients create two tunnels to the Forefront UAG DirectAccess server. The first tunnel, the infrastructure tunnel, provides access to intranet Domain Name System (DNS) servers, Active Directory Domain Services (AD DS) domain controllers, and other infrastructure servers. The second tunnel, the intranet tunnel, provides access to intranet resources such as Web sites, file shares, and other application servers.

To provide an additional layer of security for traffic sent over the intranet tunnel, you can specify that the intranet tunnel also requires smart card authorization, which enforces the use of multiple sets of credentials to access intranet resources. Multi-factor credentials for the intranet tunnel uses the tunnel-mode authorization feature of Windows Firewall with Advanced security in Windows 7 and Windows Server 2008 R2, which allows you to specify that only authorized computers or users can establish an inbound tunnel.