Introduction to Forefront UAG DirectAccess design

Updated: October 21, 2010

Applies To: Unified Access Gateway

Forefront Unified Access Gateway (UAG) DirectAccess extends the benefits of Windows DirectAccess across your infrastructure, enhancing scalability and simplifying deployment and ongoing management.

This topic provides information on:

  • Main features of Forefront UAG DirectAccess

  • Key elements of a Forefront UAG DirectAccess solution

  • Key concepts of Forefront UAG DirectAccess

Main features of Forefront UAG DirectAccess

Forefront UAG DirectAccess features include the following:

  • Improved manageability of remote users—Forefront UAG DirectAccess enables IT professionals to manage mobile computers by updating Group Policy settings and distributing software updates any time the mobile computer has Internet connectivity, even if the user is not logged on. This flexibility allows IT professionals to manage remote computers on a regular basis, and ensures that mobile users stay up-to-date with security and system health policies.

  • More secure and flexible network infrastructure—Forefront UAG DirectAccess takes advantage of technologies such as Internet Protocol version 6 (IPv6) and Internet Protocol security (IPsec) to provide a more secure and flexible network infrastructure for enterprises through authentication and encryption, as follows:

    • Authentication—Forefront UAG DirectAccess authenticates the client computer, enabling the computer to connect to the intranet before the user logs on.

    • Encryption—Forefront UAG DirectAccess uses IPsec to provide encryption for communications across the Internet.

    For more information on IPv6, see Microsoft Internet Protocol Version 6 (IPv6) (https://go.microsoft.com/fwlink/?LinkID=154707).

    For more information on IPsec, see IPsec (https://go.microsoft.com/fwlink/?LinkId=154708).

  • IT simplification and cost reduction—Forefront UAG enables you to reduce your costs by:

    • Providing unified management—Forefront UAG provides unified management for all the remote access technologies.

    • Hardware consolidation—Forefront UAG manages remote access technologies, load balancing and array functionality, and NAT64 and DNS64 on the same server using the same Management console.

  • Extended access to IPv4-only resources—Forefront UAG DirectAccess uses integrated NAT64 and DNS64 to enable clients to also access IPv4-only resources.

  • Simplified deployment and administration—The Forefront UAG DirectAccess configuration is incorporated into the Forefront UAG Management console, and is configured using interactive wizards that provide simpler deployment and management.

  • Enhanced scalability, high availability and management—By utilizing its array management capabilities and integrated Windows network load balancing, Forefront UAG enables you to set up multiple Forefront UAG DirectAccess servers in an array, providing high availability and scalability.

Forefront UAG DirectAccess SP1 adds the following features:

  • Simplified deployment and administration—The Forefront UAG DirectAccess configuration is incorporated into the Forefront UAG Management Console, and is configured using interactive wizards, providing simpler deployment and management.

    The wizard supports the following new features:

    • Management only—You can configure Forefront UAG DirectAccess for management only, enabling DirectAccess clients to be managed without giving them access to the intranet.

    • Two-factor authentication—Forefront UAG DirectAccess supports two-factor authentication using smart cards and RSA SecurID tokens.

    • Organizational units (OUs)—Forefront UAG DirectAccess supports the use of OUs when configuring client and server groups in the Forefront UAG DirectAccess Configuration Wizard.

    • Group Policy object (GPO) provisioning—Forefront UAG DirectAccess provides a flexible solution for DirectAccess GPO provisioning.

    • DirectAccess Connectivity Assistant (DCA)—DCA policy can be created in the Forefront UAG DirectAccess Configuration Wizard and then distributed to DirectAccess clients.

    • Force tunneling—DirectAccess clients can be configured to work using force tunneling, so that all traffic from a DirectAccess client is channeled through the Forefront UAG DirectAccess server.

    • Network Access Protection (NAP)—NAP can be automatically configured on the Forefront UAG DirectAccess server. Existing NAP deployments are also supported.

    • Management server auto-discovery—Forefront UAG DirectAccess supports the auto-discovery of management servers, including domain controllers, SCCM servers and HRA servers.

  • Monitoring—Forefront UAG DirectAccess enables you to monitor DirectAccess client sessions and the health of Forefront UAG DirectAccess servers, using Web Monitor, TMG, and a PowerShell snap-in cmdlet.

Key elements of a Forefront UAG DirectAccess solution

The key elements of the Forefront UAG DirectAccess solution include the following:

  • DirectAccess client—A domain-joined computer running Windows 7 Enterprise, Windows 7 Ultimate, or Windows Server 2008 R2, that can automatically and transparently connect to an internal network through a Forefront UAG DirectAccess server.

  • Forefront UAG DirectAccess server—A domain-joined computer running Windows Server 2008 R2 Standard edition or Windows Server 2008 R2 Enterprise edition that accepts connections from DirectAccess clients and facilitates communication with internal network resources. The Forefront UAG DirectAccess server extends the features provided by Windows DirectAccess, and also offers integrated NAT64 and DNS64. For more information, see Planning the placement of a Forefront UAG DirectAccess server.

  • Network location server—A server that a DirectAccess client uses to determine whether it is located on the Internet or the intranet. For more information, see Planning the placement of a network location server.

  • Certificate revocation list (CRL) distribution points—Servers that provide access to the CRL that is published by the certification authority (CA) issuing certificates for Forefront UAG DirectAccess. For more information, see Planning the placement of CRL distribution points.

The following figure illustrates some of the components of a Forefront UAG DirectAccess infrastructure, and the relationship between the components that work together to provide DirectAccess to the intranet, for clients on the Internet.

Figure: Components of a Forefront UAG DirectAccess infrastructure.

Key concepts of Forefront UAG DirectAccess

The Forefront UAG DirectAccess solution uses a combination of technologies that provide transparent access to intranet resources to DirectAccess clients.

The following sections describe the role of these technologies:

  • IPv6

  • IPsec

  • Separation of DNS traffic

  • Network location servers

  • NAT64 and DNS64

  • Network Load Balancing (NLB)

  • External load balancing solutions

IPv6

IPv6 is the new version of the network layer of the TCP/IP protocol stack, designed to replace Internet Protocol version 4 (IPv4), which is widely used on intranets and the Internet. IPv6 provides an address space large enough to allow for end-to-end addressing of nodes on the IPv6 Internet, and on the IPv4 Internet with IPv6 transition technologies. Forefront UAG DirectAccess uses this capability to provide end-to-end addressing from DirectAccess clients on the IPv4 or IPv6 Internet to computers on an intranet.

Because the current Internet is IPv4-based and many organizations have not deployed native IPv6 addressing and routing on their intranets, Forefront UAG DirectAccess uses IPv6 transition technologies to provide IPv6 connectivity over these IPv4-only networks. Teredo, 6to4, Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS), and the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) are examples of IPv6 transition technologies. These technologies allow you to use IPv6 on the IPv4 Internet and your IPv4-only intranet. IPv6 transition technologies can simplify and reduce the costs of an IPv6 deployment.

IPv6 connectivity across the IPv4 Internet

To send IPv6 packets across the IPv4 Internet, a DirectAccess client can use 6to4, Teredo, or IP-HTTPS. If the DirectAccess client has been assigned a public IPv4 address, it will use 6to4. If assigned a private IPv4 address, it will use Teredo. If the DirectAccess client cannot connect to the Forefront UAG DirectAccess server by using either 6to4 or Teredo, it will use IP-HTTPS.

  • 6to4—6to4, defined in RFC 3056, is an IPv6 transition technology that provides IPv6 connectivity across the IPv4 Internet for hosts or sites that have a public IPv4 address. For more information, see IPv6 Transition Technologies (https://go.microsoft.com/fwlink/?LinkID=154382).

  • Teredo—Teredo, defined in RFC 4380, is an IPv6 transition technology that provides IPv6 connectivity across the IPv4 Internet for hosts that are located behind an IPv4 network address translation (NAT) device, and are assigned a private IPv4 address. For more information, see Teredo Overview (https://go.microsoft.com/fwlink/?LinkId=169500).

  • IP-HTTPS—IP-HTTPS is a new protocol for Windows 7 and Windows Server 2008 R2 that enables hosts behind a Web proxy server or firewall to establish connectivity by tunneling IPv6 packets inside an IPv4-based HTTPS session. HTTPS is used instead of HTTP so that Web proxy servers will not attempt to examine the data stream and close the connection. IP-HTTPS is typically used only if the client is unable to connect to the Forefront UAG DirectAccess server by using the other IPv6 connectivity methods, or if force tunneling has been configured.

    Performance of IP-HTTPS may not be as good as the other Forefront UAG DirectAccess connection protocols.

    For the details of IP-HTTPS, see the IP over HTTPS (IP-HTTPS) Tunneling Protocol Specification (https://go.microsoft.com/fwlink/?LinkId=169501).

IPv6 connectivity across an IPv4-only intranet

ISATAP, defined in RFC 4214, is an IPv6 transition technology that provides IPv6 connectivity between IPv6/IPv4 hosts across an IPv4-only intranet. ISATAP can be used for Forefront UAG DirectAccess to provide IPv6 connectivity to ISATAP hosts across your intranet.

For more information, see IPv6 Transition Technologies (https://go.microsoft.com/fwlink/?LinkID=154382).
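The selection rules above (6to4 for a public IPv4 address, Teredo behind a NAT, IP-HTTPS otherwise or under force tunneling) and the three address formats can be worked through in a few lines. The following is an added example, not Microsoft's code and not the client's actual selection logic: the `can_reach_*` parameters are assumptions standing in for the client's live reachability probes, the sample addresses are constructed (the Teredo address is the example from RFC 4380), and the address layouts follow RFC 3056 (6to4), RFC 4380 (Teredo) and RFC 4214 (ISATAP).

```python
"""Added example: how a DirectAccess client's IPv4 address drives the transition
technology it uses, and what the resulting 6to4, Teredo and ISATAP addresses encode."""
import ipaddress

# RFC 1918 ranges: a client holding one of these is behind a NAT and uses Teredo.
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Neither public nor RFC 1918 (loopback, link-local): 6to4 and Teredo both do not apply.
NON_ROUTABLE = [ipaddress.IPv4Network(n) for n in ("127.0.0.0/8", "169.254.0.0/16")]


def select_transition(client_ipv4, can_reach_6to4=True, can_reach_teredo=True, force_tunneling=False):
    """Return the technology the client uses, in the order given in the text above.

    can_reach_6to4 / can_reach_teredo are assumptions standing in for a live test of
    whether the Forefront UAG DirectAccess server is reachable over that method.
    """
    if force_tunneling:                          # force tunneling always uses IP-HTTPS
        return "IP-HTTPS"
    addr = ipaddress.IPv4Address(client_ipv4)
    if any(addr in net for net in NON_ROUTABLE):
        return "IP-HTTPS"
    if any(addr in net for net in RFC1918):      # private address behind a NAT device
        return "Teredo" if can_reach_teredo else "IP-HTTPS"
    return "6to4" if can_reach_6to4 else "IP-HTTPS"   # public address


def sixtofour_prefix(public_ipv4):
    """6to4 site prefix (RFC 3056): 2002:WWXX:YYZZ::/48, the public IPv4 address in hex."""
    v4 = int(ipaddress.IPv4Address(public_ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def decode_teredo(addr):
    """Unpack a Teredo address (RFC 4380): 2001:0:<server v4>:<flags>:<~port>:<~client v4>.

    The mapped port and client address are stored XORed with all-ones.
    """
    packed = ipaddress.IPv6Address(addr).packed
    if packed[:4] != b"\x20\x01\x00\x00":
        raise ValueError("not a Teredo address (prefix must be 2001:0::/32)")
    flags = int.from_bytes(packed[8:10], "big")
    return {
        "server": str(ipaddress.IPv4Address(packed[4:8])),
        "cone_nat": bool(flags & 0x8000),        # cone flag as defined in RFC 4380
        "mapped_port": int.from_bytes(packed[10:12], "big") ^ 0xFFFF,
        "client_public": str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in packed[12:16]))),
    }


def isatap_address(intranet_prefix, ipv4):
    """ISATAP address (RFC 4214): <64-bit prefix>:0:5efe:<IPv4 address> for a private IPv4."""
    net = ipaddress.IPv6Network(intranet_prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix")
    interface_id = (0x5EFE << 32) | int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | interface_id)


if __name__ == "__main__":
    print(select_transition("198.51.100.7"), sixtofour_prefix("198.51.100.7"))
    print(decode_teredo("2001:0:4136:e378:8000:63bf:3fff:fdd2"))
    print(isatap_address("fd00:1::/64", "10.0.0.5"))
```

Decoding a Teredo address is the part a practitioner most often needs when reading Forefront UAG logs: it reveals the Teredo server the client used, whether the client believes it is behind a cone NAT, and the public address and port the NAT mapped for it.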

IPsec

IPsec is a framework of open standards for guaranteeing private, secure communications over Internet Protocol (IP) networks by using cryptographic security services. IPsec provides aggressive protection against attacks through end-to-end security. The only computers that must know about IPsec protection are the sender and receiver in the communication. IPsec enables the protection of communication between workgroups, local area network computers, domain clients and servers, branch offices (which might be physically remote), extranets, and roaming clients.

IPsec protection can be used in two different modes: transport mode and tunnel mode. Transport mode is designed to protect an Internet Protocol (IP) packet payload. Tunnel mode is designed to protect a whole IP packet. For more information, see IPsec Protocol Types (https://go.microsoft.com/fwlink/?LinkId=169502).

Forefront UAG DirectAccess uses IPsec settings in the form of connection security rules in the Windows Firewall with Advanced Security snap-in, and the Network Shell (Netsh) command-line tool advfirewall context for peer authentication, data integrity, and data confidentiality (encryption) of DirectAccess connections. Multiple rules can be applied to a computer simultaneously, each providing a different function. The result of all these rules working together is a DirectAccess client that has protected communications with the Forefront UAG DirectAccess server and intranet servers, encrypting traffic sent over the Internet, and optionally protecting end-to-end traffic.

Note

Windows Server 2003 and earlier versions of Windows Server do not fully support the use of IPsec with IPv6. (Other non-Windows application servers may also fall into this category.) IPv6-capable resources on servers that are running Windows Server 2003 will not support IPsec transport encryption, and these servers cannot be included in the optional DirectAccess end-to-end application server group. These resources will be available to DirectAccess clients using the default end-to-edge access model. IPv4-only resources on servers that are running Windows Server 2003, including most built-in applications and system services, require IPv6 to IPv4 protocol translation, such as the Forefront UAG DirectAccess NAT64 feature, to be available to DirectAccess clients.

Encryption

When a DirectAccess client sends data to the intranet, the traffic is encrypted over the Internet. For the end-to-edge and selected server access models, multiple connection security rules configured on the DirectAccess client define tunnel mode IPsec settings for communication between the DirectAccess client and the intranet:

  • The first rule, for the infrastructure tunnel, requires authentication with a computer certificate together with NTLM credentials for the computer account, and encrypts traffic with IPsec Encapsulating Security Payload (ESP). This rule provides protected communication with Active Directory domain controllers, DNS servers, and other defined intranet infrastructure resources, based on computer authentication, even when no user has logged on.

  • The second rule, for the intranet tunnel, requires authentication with a computer certificate and user-based Kerberos credentials. This rule provides protected communication to all intranet resources with the logged-on user's credentials, and may also require additional two-factor authentication. For the end-to-edge access model, IPsec tunnels between the DirectAccess client and the intranet are terminated by the IPsec Gateway feature on the Forefront UAG DirectAccess server.

Data integrity

Data integrity allows the receiving IPsec peer to cryptographically verify that the packet was not changed in transit. When data is encrypted with IPsec, data integrity is also provided. It is possible to specify data integrity without encryption. This can reduce the threat of spoofing or man-in-the-middle attacks and lets you make sure that DirectAccess clients are connecting to their intended servers.

Note

When sensitive data is transmitted, IPsec with only data integrity should be used only when some other form of encryption is also implemented. It is possible to have end-to-end data integrity using transport mode rules while you are using end-to-edge encryption for the tunnel mode rules, which is how the specified server access model works.

Forefront UAG DirectAccess provides data integrity by using transport and tunnel mode IPsec settings. These settings can be applied to DirectAccess clients, Forefront UAG DirectAccess servers, or application servers and provide data integrity by requiring ESP-NULL (recommended). Some network infrastructure devices or traffic monitoring and inspection solutions might not be able to parse packets with an IPsec ESP or AH header. In this case, you can use authentication with null encapsulation to perform IPsec peer authentication, but no per-packet data integrity.

Separation of DNS traffic

Windows Server 2008 R2 and Windows 7 introduced the Name Resolution Policy Table (NRPT), a feature that enables DNS servers to be defined per DNS namespace instead of per interface. The NRPT stores a list of rules. Each rule defines a DNS namespace and configuration settings that define the DNS client's behavior for that namespace. When a DirectAccess client is on the Internet, each name query request is compared with the namespace rules stored in the NRPT. If a match is found, the request is processed according to the settings in the NRPT rule. The settings determine the DNS servers to which the request will be sent.

If a name query request does not match a namespace listed in the NRPT, it is sent to the DNS servers configured in the TCP/IP settings for the specified network interface. For a remote client, these are typically the Internet DNS servers configured through the Internet service provider (ISP). For a DirectAccess client on the intranet, these are typically the intranet DNS servers configured through the Dynamic Host Configuration Protocol (DHCP).

Single-label names, such as https://internal, will typically have configured DNS search suffixes appended to the name before they are checked against the NRPT. If no DNS search suffixes are configured, and the single-label name does not match any other single-label name rules in the NRPT, the request will be sent to the DNS servers specified in the client’s TCP/IP settings.

Namespaces, such as .internal.contoso.com, are added to the NRPT followed by the IPv6 addresses of the DNS servers to which requests matching that namespace should be directed. If an IP address is entered for the DNS server, all DNS requests will be sent directly to the DNS server over the DirectAccess connection. There is no need to specify any additional security for this configuration.

The NRPT allows DirectAccess clients to use intranet DNS servers, or the Forefront UAG DirectAccess server when integrated DNS64 is configured, for name resolution (dedicated DNS servers are not required). Forefront UAG DirectAccess is designed to prevent the exposure of your intranet namespace to the Internet.

NRPT exemptions

Some names must be treated differently from others with regard to name resolution; these names must not be resolved using intranet DNS servers. To ensure that these names are resolved with interface-configured DNS servers, you must add them as NRPT exemptions.

If no DNS server addresses are specified in the NRPT rule, or by selecting the Do not use an internal DNS server for the specified server or suffix option in the DNS Suffixes page of the wizard, the rule is an exemption. If a DNS name matches a rule in the NRPT that does not contain addresses of DNS servers or does not match a rule in the NRPT, the DirectAccess client sends the name query to interface-configured DNS servers.

If any of the following servers have a name suffix that matches an NRPT rule for the intranet namespace, that server name must be an NRPT exemption:

  • WPAD servers.

  • Network location servers.

  • Intranet certificate revocation list (CRL) distribution points.

  • All quarantine and system health remediation servers.

These servers must always be resolved with interface-configured DNS servers.

Network location servers

A network location server is an intranet network server that hosts a Secure Hypertext Transfer Protocol (HTTPS)-based uniform resource locator (URL). DirectAccess clients access this URL to determine whether they are located on the intranet. A separate, high-availability Web server is required. The Web server is not required to be dedicated as a network location server.

Because the behavior of the DirectAccess client depends on the response from the network location server, it is critical to ensure that this Web site is available from each remote branch site. Branch locations may need a separate dedicated network location Web site at each branch location, to ensure that the Web site remains accessible even in the event of a link failure.

How intranet detection works

When a DirectAccess client starts up or experiences a significant network change event (such as a change in link status or a new IP address), it is assumed that it is not on the intranet, and uses Forefront UAG DirectAccess rules in the NRPT to determine where to send DNS name queries. The DirectAccess client then attempts to resolve the fully qualified domain name (FQDN) in the URL for the network location server, which is stored in the Computer Configuration/Policies/Administrative Templates/Network/Network Connectivity Status Indicator/Domain Location Determination URL Group Policy setting. Because the NRPT is active, this FQDN should either match an exemption rule or no rules in the NRPT, so that the DirectAccess client can use interface-configured DNS servers.

After resolving the FQDN, the DirectAccess client attempts to connect to the HTTPS-based URL of the network location server, which includes a Secure Sockets Layer (SSL)-based authentication and verification of the server certificate offered by the network location server. For authenticating the DirectAccess client’s access to the URL, use anonymous authentication. Certificate verification includes validating the certificate and verifying that it was not revoked by accessing the CRL location defined in the Web server’s certificate. When the DirectAccess client successfully accesses the HTTPS-based URL of the network location server, it determines that it is on the intranet. The DirectAccess client then removes the Forefront UAG DirectAccess NRPT rules from the active table, and the DirectAccess client uses interface-configured DNS servers to resolve all names.

Note

Just like the URL for the network location server, the FQDN in the URL or the universal naming convention (UNC) path for the CRL distribution point, should either match an exemption rule or no rules in the NRPT, so that the DirectAccess client can use interface-configured intranet DNS servers to resolve the name. If the DirectAccess client cannot resolve the FQDN for the CRL distribution point, intranet location detection fails.
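The NRPT behaviour described under "Separation of DNS traffic" and the precondition for intranet detection described just above fit together in one small model: a lookup that applies suffix rules, exemptions and search-suffix completion, and a check that the network location server and CRL distribution point names resolve through interface-configured DNS while the NRPT is active. The following is an added example and not Microsoft's code; the rule table, the `2001:db8::53` DNS server address (documentation prefix) and the `contoso.com` names are constructed, and `https_check_passed` stands in for the HTTPS probe and certificate/CRL validation the client really performs.

```python
"""Added example: model of the NRPT lookup a DirectAccess client performs, plus the
check that intranet-detection names are NRPT exemptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class NrptRule:
    namespace: str            # ".internal.contoso.com" = suffix rule; "nls.internal.contoso.com" = exact name
    dns_servers: tuple = ()   # empty = exemption: resolve with interface-configured DNS servers


# Constructed sample table: the intranet suffix goes to an intranet DNS server (or the
# Forefront UAG DNS64 address) over DirectAccess; the NLS and CRL names are exempted.
RULES = (
    NrptRule(".internal.contoso.com", ("2001:db8::53",)),
    NrptRule("nls.internal.contoso.com"),
    NrptRule("crl.internal.contoso.com"),
)


def _matches(rule, name):
    ns = rule.namespace.lower()
    return name.endswith(ns) if ns.startswith(".") else name == ns


def resolve_target(name, rules=RULES, search_suffixes=(), nrpt_active=True):
    """Decide where a query goes: ("directaccess", servers) or ("interface", None).

    nrpt_active=False models a client that passed intranet detection, which removes the
    Forefront UAG rules from the active table so every name uses interface DNS.
    """
    name = name.lower().rstrip(".")
    if not nrpt_active:
        return ("interface", None)
    if "." in name:
        candidates = [name]
    else:                                     # single-label name: append search suffixes first
        candidates = [f"{name}.{s.strip('.')}" for s in search_suffixes] or [name]
    for candidate in candidates:
        hits = [r for r in rules if _matches(r, candidate)]
        if hits:
            best = max(hits, key=lambda r: len(r.namespace))   # most specific rule wins
            return ("directaccess", best.dns_servers) if best.dns_servers else ("interface", None)
    return ("interface", None)               # no rule matched


def location_detection_problems(nls_fqdn, crl_fqdn, rules=RULES):
    """Names that would wrongly be sent to intranet DNS while the NRPT is active."""
    problems = []
    for role, fqdn in (("network location server", nls_fqdn), ("CRL distribution point", crl_fqdn)):
        if resolve_target(fqdn, rules)[0] != "interface":
            problems.append(f"{role} {fqdn} matches an intranet NRPT rule; add it as an NRPT exemption")
    return problems


def intranet_detected(nls_fqdn, crl_fqdn, https_check_passed, rules=RULES):
    """Outcome of intranet detection: True only if both names resolve via interface DNS
    and the HTTPS probe (server certificate validated, CRL reachable) succeeded."""
    if location_detection_problems(nls_fqdn, crl_fqdn, rules):
        return False                          # name resolution fails before the probe runs
    return https_check_passed


if __name__ == "__main__":
    print(resolve_target("fileserver.internal.contoso.com"))
    print(resolve_target("fileserver", search_suffixes=("internal.contoso.com",)))
    print(location_detection_problems("nls.internal.contoso.com", "pki.internal.contoso.com"))
```

Running `location_detection_problems` against the rule table and the configured NLS and CRL names is a cheap pre-deployment check: a CRL distribution point placed under the intranet suffix without an exemption is exactly the misconfiguration the note above describes, and clients on the intranet then keep the Forefront UAG NRPT rules active.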

NAT64 and DNS64

Forefront UAG DirectAccess requires end-to-end IPv6 communication between DirectAccess clients and the internal resources that they connect to on the intranet. Many resources are not directly accessible over IPv6, including computers that are not capable of running IPv6, or computers with services that are not IPv6-aware (for example, a server that only supports IPv4, or a Windows Server 2003 computer that is IPv6-capable but has services that are not IPv6-aware). When you need to connect to IPv4-only resources on your intranet, you can use the integrated NAT64 and DNS64 functionality on the Forefront UAG DirectAccess server.

NAT64 takes IPv6 traffic on one side and converts it into IPv4 traffic on the other side. The address conversion and conversation handling operate in a similar way to a traditional IPv4 NAT device. On the Forefront UAG DirectAccess server, NAT64 is used in combination with DNS64. DNS64 intercepts DNS queries and modifies the replies, so that IPv4 address answers to requests for the name of a computer, are converted into the appropriate IPv6 address answers that direct clients to the IPv6 address for the computer on the NAT64.
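The two halves described above, DNS64 rewriting A answers into IPv6 answers and NAT64 converting the resulting IPv6 flows into IPv4 conversations, can be shown end to end with the address mapping from RFC 6052. The following is an added example, not Forefront UAG's implementation: it uses the RFC 6052 well-known prefix `64:ff9b::/96` and a /96 embedding, whereas Forefront UAG uses its own configured NAT64 prefix, and the hostnames, addresses and ports are constructed.

```python
"""Added example: DNS64 answer synthesis and a minimal NAT64 session table, using the
RFC 6052 well-known prefix (Forefront UAG's configured prefix differs; assumption: /96)."""
import ipaddress

NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")   # RFC 6052 well-known prefix


def dns64_synthesize(a_records, prefix=NAT64_PREFIX):
    """Build AAAA answers from A answers: prefix in the top 96 bits, IPv4 in the low 32."""
    if prefix.prefixlen != 96:
        raise ValueError("this example handles /96 NAT64 prefixes only")
    return [ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(a)))
            for a in a_records]


def dns64_answer(aaaa_records, a_records, prefix=NAT64_PREFIX):
    """DNS64 leaves names that already have native AAAA records alone and only
    synthesizes IPv6 answers for IPv4-only names."""
    if aaaa_records:
        return [ipaddress.IPv6Address(x) for x in aaaa_records]
    return dns64_synthesize(a_records, prefix)


def nat64_destination(dst_ipv6, prefix=NAT64_PREFIX):
    """NAT64 side: recover the embedded IPv4 destination, or None if not a NAT64 address."""
    addr = ipaddress.IPv6Address(dst_ipv6)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


class Nat64:
    """Stateful NAT64, handled like a traditional IPv4 NAT: each client flow gets a port on
    the translator's IPv4 address, and replies are mapped back through the session table."""

    def __init__(self, ipv4_address, prefix=NAT64_PREFIX, first_port=1024):
        self.ipv4 = ipaddress.IPv4Address(ipv4_address)
        self.prefix = prefix
        self.next_port = first_port
        self.sessions = {}    # NAT port -> (client v6, client port, server v4, server port)
        self.by_flow = {}     # reverse index so a repeated flow reuses its port

    def outbound(self, src6, sport, dst6, dport):
        """IPv6 packet from a DirectAccess client -> IPv4 packet towards the server."""
        dst4 = nat64_destination(dst6, self.prefix)
        if dst4 is None:
            raise ValueError("destination is not a NAT64-mapped address")
        flow = (ipaddress.IPv6Address(src6), sport, dst4, dport)
        port = self.by_flow.get(flow)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.sessions[port] = flow
            self.by_flow[flow] = port
        return (str(self.ipv4), port, str(dst4), dport)

    def inbound(self, src4, sport, dport):
        """IPv4 reply from the server -> IPv6 packet to the client; None if no session
        matches (unsolicited inbound IPv4 traffic is dropped, as with IPv4 NAT)."""
        flow = self.sessions.get(dport)
        if flow is None or str(flow[2]) != src4 or flow[3] != sport:
            return None
        client6, client_port, _, _ = flow
        return (str(dns64_synthesize([src4], self.prefix)[0]), sport, str(client6), client_port)


if __name__ == "__main__":
    answers = dns64_answer(aaaa_records=[], a_records=["192.0.2.10"])   # constructed IPv4-only host
    nat = Nat64("10.0.0.1")                                            # constructed translator address
    print(answers, nat.outbound("2001:db8::100", 50000, str(answers[0]), 80))
    print(nat.inbound("192.0.2.10", 80, 1024))
```

The `inbound` check matters for the security model: only traffic that answers an existing client flow is translated back to IPv6, so IPv4-only intranet hosts cannot originate connections to DirectAccess clients through the translator.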

Network Load Balancing (NLB)

Forefront UAG integrates NLB functionality provided by Windows Server 2008 R2, with additional functionality that enables load balancing of Forefront UAG DirectAccess servers in a Forefront UAG array.

Network Load Balancing provides scalability and high availability to enterprise-wide TCP/IP services, and provides the following benefits:

  • Scalability—Network Load Balancing scales the performance of a server-based program, such as Forefront UAG DirectAccess, by distributing its client requests across multiple servers within the Forefront UAG array. As traffic increases, additional servers can be added to the Forefront UAG array. Forefront UAG and NLB provide load balancing for up to 8 Forefront UAG DirectAccess array members.

  • High availability—Network Load Balancing provides high availability by automatically detecting the failure of a server and repartitioning client traffic among the remaining servers, providing users with continuous service.

  • Stickiness—When a DirectAccess client connects to the intranet through a Forefront UAG NLB array, the NLB bidirectional affinity feature is applied. This guarantees that traffic is handled in both directions by the same array member.
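Why bidirectional affinity is needed, and what repartitioning after a member failure looks like, is easier to see with a toy distribution function. The following is an added illustration, not NLB's actual algorithm and not Forefront UAG code: it keys the choice of array member on the DirectAccess client address in both directions, contrasts that with plain source-address hashing, and enforces the 8-member limit stated above. Member names and addresses are constructed.

```python
"""Added example: an illustrative hash showing what NLB bidirectional affinity provides
for a Forefront UAG array, and how clients are repartitioned when a member fails."""
import hashlib
import ipaddress

MAX_ARRAY_MEMBERS = 8   # Forefront UAG and NLB load balance at most 8 DirectAccess array members


def _bucket(ip, alive_members):
    """Deterministic choice among surviving members for one hash key (toy scheme)."""
    if not 1 <= len(alive_members) <= MAX_ARRAY_MEMBERS:
        raise ValueError(f"array must have 1 to {MAX_ARRAY_MEMBERS} live members")
    digest = hashlib.sha256(ipaddress.ip_address(ip).packed).digest()
    return alive_members[int.from_bytes(digest[:4], "big") % len(alive_members)]


def owner_source_hash(src_ip, dst_ip, alive_members):
    """Plain source hashing: inbound keys on the client, outbound keys on the intranet
    server, so the two directions of one conversation can land on different members."""
    return _bucket(src_ip, alive_members)


def owner_bidirectional(src_ip, dst_ip, direction, alive_members):
    """Bidirectional affinity: the key is always the DirectAccess client address
    (source on the way in, destination on the way out), so both directions share a member."""
    if direction not in ("inbound", "outbound"):
        raise ValueError("direction must be 'inbound' or 'outbound'")
    client_ip = src_ip if direction == "inbound" else dst_ip
    return _bucket(client_ip, alive_members)


def conversation_is_sticky(client_ip, server_ip, alive_members):
    """True when the request (client -> server) and the reply (server -> client)
    are handled by the same array member."""
    request = owner_bidirectional(client_ip, server_ip, "inbound", alive_members)
    reply = owner_bidirectional(server_ip, client_ip, "outbound", alive_members)
    return request == reply


def repartition(client_ips, failed_member, members):
    """Owners before and after one member fails: the failed member owns nothing afterwards
    and its clients move to survivors (this modulo scheme may also move some other clients)."""
    before = {ip: owner_bidirectional(ip, None, "inbound", members) for ip in client_ips}
    survivors = tuple(m for m in members if m != failed_member)
    after = {ip: owner_bidirectional(ip, None, "inbound", survivors) for ip in client_ips}
    return before, after


if __name__ == "__main__":
    members = ("uag1", "uag2", "uag3", "uag4")                      # constructed array
    clients = [f"2001:db8::{i:x}" for i in range(1, 9)]             # constructed Teredo/6to4 clients
    print(conversation_is_sticky(clients[0], "2001:db8:1::10", members))
    print(repartition(clients, "uag2", members))
```

The contrast between `owner_source_hash` and `owner_bidirectional` is the whole point: with IPsec tunnels terminated on the array member, a reply arriving at a different member than the request has no matching security association and is dropped, which is why the array relies on bidirectional affinity rather than ordinary per-direction balancing.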

External load balancing solutions

Forefront UAG supports the use of external network load balancing solutions. When configuring an external load balancer, the following elements must be configured:

  • The external load balancer—The Internet-facing side of the load balancer.

  • The internal load balancer—The intranet-facing side of the load balancer.

  • The perimeter network Internet-facing side of the Forefront UAG DirectAccess server.

  • The perimeter network intranet-facing side of the Forefront UAG DirectAccess server.