Designing your Web servers for Forefront UAG DirectAccess

Updated: February 1, 2010

Applies To: Unified Access Gateway

This topic describes the design considerations for deploying Web servers for Forefront UAG DirectAccess.

You need Web locations for the following resources:

  • The network location server (an HTTPS-based uniform resource locator (URL)).

  • An HTTP-based intranet certificate revocation list (CRL) distribution point for the HTTPS certificate of the network location server.

  • An HTTP-based Internet CRL distribution point for the IP-HTTPS certificate of the Forefront UAG DirectAccess server.

Note

The intranet and Internet CRL distribution points can also be based on a universal naming convention (UNC) path of a file server.

Note

When the IP-HTTPS certificate is issued by a third-party certification authority, you should use the Internet-based CRL of that third party.

In all of these cases, the Web server providing these resources must be highly available. If these resources cannot be reached, the following occurs:

  • If the DirectAccess client on the intranet is unable to reach the HTTPS-based URL of the network location server, a DirectAccess client cannot detect when it is on the intranet and might not be able to access intranet resources.

  • If the DirectAccess client on the intranet is unable to reach the intranet CRL distribution point to perform certificate revocation checking for the network location server, a DirectAccess client cannot detect when it is on the intranet and might not be able to access intranet resources.

  • If the DirectAccess client on the Internet is unable to reach the Internet CRL distribution point to perform certificate revocation checking for the IP-HTTPS certificate, a DirectAccess client cannot use IP-HTTPS. Because IP-HTTPS is the last transition technology that is used for IPv6 connectivity to the Forefront UAG DirectAccess server, DirectAccess clients that are behind a firewall, a Web proxy, or a network address translator (NAT) will not be able to establish a connection to the Forefront UAG DirectAccess server when the Teredo client has been disabled.
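As an added example (not part of this topic), the following Python check applies the rules above to one HTTPS resource and the certificate it serves: the URL must be HTTPS, every CRL distribution point in the certificate must be an HTTP URL or a UNC path, and the certificate must not have expired. The certificate dict has the shape Python's `ssl` module returns from `getpeercert()`; the sample certificate and host names are constructed.

```python
import socket
import ssl
import time
from urllib.parse import urlparse

def crl_dp_kind(dp):
    """Classify a CRL distribution point: this topic allows an HTTP URL or a UNC path."""
    if dp.startswith("\\\\"):
        return "unc"
    if urlparse(dp).scheme.lower() == "http":
        return "http"
    return "unsupported"  # e.g. https:// or ldap://, not among the forms this topic allows

def check_resource(name, url, cert, now=None):
    """Return findings for one HTTPS resource (NLS or IP-HTTPS listener) and its certificate.

    `cert` has the shape returned by ssl.SSLSocket.getpeercert(): a dict with
    'notAfter' and an optional 'crlDistributionPoints' tuple of strings.
    """
    findings = []
    if urlparse(url).scheme.lower() != "https":
        findings.append(f"{name}: URL is not HTTPS")
    dps = cert.get("crlDistributionPoints", ())
    if not dps:
        findings.append(f"{name}: certificate has no CRL distribution point; revocation checking cannot succeed")
    for dp in dps:
        if crl_dp_kind(dp) == "unsupported":
            findings.append(f"{name}: CRL distribution point {dp} is neither HTTP nor UNC")
    now = time.time() if now is None else now
    if ssl.cert_time_to_seconds(cert["notAfter"]) <= now:
        findings.append(f"{name}: certificate has expired")
    return findings

def fetch_peer_cert(url, timeout=5.0):
    """Connect to the resource over TLS and return its certificate dict (needs network access)."""
    parsed = urlparse(url)
    host, port = parsed.hostname, parsed.port or 443
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample in getpeercert() shape: this NLS certificate points at an HTTPS CRL, a misconfiguration.
SAMPLE_NLS_URL = "https://nls.corp.example/"
SAMPLE_NLS_CERT = {
    "notAfter": "Dec 31 23:59:59 2030 GMT",
    "crlDistributionPoints": ("https://crl.corp.example/nls.crl",),
}

if __name__ == "__main__":
    for finding in check_resource("NLS", SAMPLE_NLS_URL, SAMPLE_NLS_CERT):
        print("finding:", finding)
```

Against a live deployment, pass the result of `fetch_peer_cert(url)` as `cert`; a failed TLS handshake there is itself a finding, since the client would fail in the same way.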

For information about high availability for Internet Information Services (IIS)-based Web servers, see Planning Redundancy for a Network Location Server and Planning Redundancy for CRL Distribution Points.