Planning Forefront UAG DirectAccess with an existing server and domain isolation deployment
Published: January 11, 2010
Updated: February 1, 2010
Applies To: Unified Access Gateway
This topic describes the design implications that should be considered when server and domain isolation exists on your network.
Server and Domain Isolation (SDI) allows administrators to dynamically segment their Windows environment into more secure and isolated logical networks using IPsec, without costly changes to their network infrastructure or applications. This creates an additional layer of policy-driven protection, helps protect against costly network attacks, helps prevent unauthorized access to trusted networked resources, helps achieve regulatory compliance, and reduces operational costs. For more information, see Server and Domain Isolation (http://go.microsoft.com/fwlink/?LinkId=169488).
Both Forefront UAG DirectAccess and SDI use a set of Windows Firewall with Advanced Security connection security rules in Group Policy objects (GPOs) to determine when and how to protect intranet traffic. You should analyze your existing SDI global IPsec settings and connection security rules, together with the global IPsec settings and rules created by the Forefront UAG Configuration Wizard, to determine whether they are compatible. A mismatch in global IPsec or connection security rule settings between DirectAccess and SDI can cause an IPsec negotiation failure, and therefore a lack of connectivity, when a DirectAccess client attempts to access an intranet resource protected with SDI. You can change the global IPsec settings in Forefront UAG DirectAccess by editing the main mode cryptography settings from the Edit cryptography settings option in the Authentication Options page of the Forefront UAG DirectAccess Configuration Wizard.
Additional design considerations for deploying Forefront UAG DirectAccess in an existing SDI environment are as follows:
To allow for Teredo client discovery, you should exempt Internet Control Message Protocol (ICMP) from IPsec protection in your SDI deployment.
If you are only using SDI for data integrity, you must use Encapsulating Security Payload (ESP)-NULL, rather than Authentication Header (AH). If you are using AH, you should reconfigure your SDI deployment to use ESP-NULL before deploying Forefront UAG DirectAccess.
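As an added example (not part of this topic or of either product), the following script performs the compatibility review described above on exported policy text: it checks whether the SDI and DirectAccess main mode proposals overlap, and flags rules that still use AH or a missing ICMP exemption. The field names are assumed to follow "netsh advfirewall show global" and "netsh advfirewall consec show rule name=all" output, and the sample dumps are constructed.

```python
import re

# Constructed samples laid out like "netsh advfirewall show global" and
# "netsh advfirewall consec show rule name=all" output (field names assumed
# from that tool); the values are illustrative, not either product's defaults.
SDI_GLOBAL = "MainModeSecMethods                    DHGroup2-3DES-SHA1\n"
DA_GLOBAL = "MainModeSecMethods                    DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA256\n"
SDI_RULES = """\
Rule Name:                            Isolate file servers
Action:                               RequireInRequestOut
Protocol:                             Any
QuickModeSecMethods:                  AH:SHA1+60min+100000kb

Rule Name:                            ICMP exempt
Action:                               NoAuthentication
Protocol:                             ICMPv4
"""

def parse_fields(block):
    """Turn 'Key[:]   value' lines of a netsh dump into a dict."""
    fields = {}
    for line in block.splitlines():
        m = re.match(r"(\S[^:]*?):?\s{2,}(.+)$", line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def main_mode_compatible(sdi_global, da_global):
    """Main mode proposals offered by both policies; an empty list means the
    sides share no proposal and IKE main mode negotiation will fail."""
    sdi = set(parse_fields(sdi_global).get("MainModeSecMethods", "").split(","))
    da = set(parse_fields(da_global).get("MainModeSecMethods", "").split(","))
    return sorted((sdi & da) - {""})

def review_rules(rules_text):
    """Apply the topic's two SDI checks to each connection security rule:
    AH must give way to ESP-NULL, and ICMP must be exempt from IPsec."""
    findings, icmp_exempt = [], False
    for block in re.split(r"\n\s*\n", rules_text.strip()):
        rule = parse_fields(block)
        proposals = rule.get("QuickModeSecMethods", "").split(",")
        if any(p.strip().upper().startswith("AH:") for p in proposals):
            findings.append(f"{rule.get('Rule Name', '?')}: uses AH; reconfigure for ESP-NULL")
        if (rule.get("Action") == "NoAuthentication"
                and rule.get("Protocol", "").upper().startswith("ICMP")):
            icmp_exempt = True
    if not icmp_exempt:
        findings.append("no ICMP exemption rule; Teredo client discovery may fail")
    return findings
```

Run it against the output of the two netsh commands captured from the SDI GPO and the DirectAccess GPO (for example after "netsh advfirewall set store gpo=<domain\GPO name>") to get the same findings on real policy.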