Connections and tunnels
Published: January 11, 2010
Updated: February 1, 2010
Applies To: Unified Access Gateway
Forefront UAG DirectAccess overcomes the limitations of VPNs by automatically establishing a bi-directional connection from client computers to the corporate network. Forefront UAG DirectAccess is built on a foundation of proven, standards-based technologies: Internet Protocol security (IPsec) and Internet Protocol version 6 (IPv6).
Forefront UAG DirectAccess uses IPsec to authenticate both the computer and user, allowing IT to manage the computer before the user logs on. Optionally, you can require a smart card for user authentication.
Forefront UAG DirectAccess also leverages IPsec to provide encryption for communications across the Internet. You can use IPsec encryption methods, such as Triple Data Encryption Standard (3DES) and the Advanced Encryption Standard (AES).
Clients establish an IPsec tunnel for the IPv6 traffic to the Forefront UAG DirectAccess server, which acts as a gateway to the intranet. Figure 1 shows a DirectAccess client connecting to a Forefront UAG DirectAccess server across the public IPv4 Internet.
Figure 1 DirectAccess clients access the intranet using IPv6 and IPsec
The DirectAccess client establishes two IPsec tunnels:
IPsec Encapsulating Security Payload (ESP) tunnel using a computer certificate—This tunnel provides access to an intranet DNS server, domain controller, and other management servers, allowing the computer to download Group Policy objects, and to request authentication on the user’s behalf.
IPsec ESP tunnel using both a computer certificate and user credentials—This tunnel authenticates the user and provides access to intranet resources and application servers. For example, this tunnel must be established before Microsoft Outlook can download e-mail from the intranet Microsoft Exchange Server.
After the tunnels to the Forefront UAG DirectAccess server are established, the client can send traffic to the intranet through the tunnels.
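The following PowerShell function is an added example for checking, on a DirectAccess client, that both tunnels described above are actually up; it is not code from this page or from Microsoft. It uses the Get-NetIPsecMainModeSA cmdlet, which exists on Windows 8 / Windows Server 2012 and later (on Windows 7 clients the raw equivalent is "netsh advfirewall monitor show mmsa"). The property names FirstAuthenticationMethod, SecondAuthenticationMethod, CipherAlgorithm, HashAlgorithm and RemoteEndpoint, and the convention that user-credential authentication methods are named starting with "User", are assumptions to verify against your own output; the server address is a placeholder.

```powershell
# Added example, not from the page: summarize the IPsec main mode SAs a DirectAccess
# client holds to its DirectAccess server and report which of the two tunnels
# (computer-certificate-only infrastructure tunnel, computer-plus-user intranet
# tunnel) appear established, and which cipher each negotiated (3DES vs AES).
#
# Assumptions (verify on your build): the objects returned by Get-NetIPsecMainModeSA
# expose FirstAuthenticationMethod, SecondAuthenticationMethod, CipherAlgorithm,
# HashAlgorithm and RemoteEndpoint, and user-credential methods are named "User*".

function Get-DirectAccessTunnelStatus {
    param(
        # Placeholder: the tunnel endpoint address of your DirectAccess server.
        [Parameter(Mandatory)] [string] $DaServerAddress
    )

    # Only the main mode SAs that terminate on the DirectAccess server are relevant.
    $sas = @(Get-NetIPsecMainModeSA -ErrorAction Stop |
        Where-Object { "$($_.RemoteEndpoint)" -eq $DaServerAddress })

    $result = [ordered]@{
        InfrastructureTunnel = $false   # computer certificate, no user credential
        IntranetTunnel       = $false   # computer certificate plus user credential
        NonAesCiphers        = @()      # SAs that did not negotiate AES
        SaCount              = $sas.Count
    }

    foreach ($sa in $sas) {
        # The intranet tunnel carries a user credential as its second authentication;
        # the infrastructure tunnel authenticates the computer only.
        if ("$($sa.SecondAuthenticationMethod)" -like 'User*') {
            $result.IntranetTunnel = $true
        } else {
            $result.InfrastructureTunnel = $true
        }

        # The page lists 3DES and AES as the available encryption methods; record
        # anything other than AES so the IPsec policy can be reviewed and tightened.
        if ("$($sa.CipherAlgorithm)" -notlike 'AES*') {
            $result.NonAesCiphers += "$($sa.CipherAlgorithm)/$($sa.HashAlgorithm)"
        }
    }

    [pscustomobject]$result
}

# Usage (run on a DirectAccess client, in an elevated session):
# Get-DirectAccessTunnelStatus -DaServerAddress '<DIRECTACCESS-SERVER-ADDRESS>'
```

Before a user logs on you should expect only InfrastructureTunnel to be true; after logon both should be true. If IntranetTunnel stays false after logon, the user-authenticated tunnel has not been established and application traffic (for example Outlook to Exchange) will not flow, which is the first thing to confirm before looking at the application servers themselves.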