Specifying management servers in SP1

  • Article

Updated: February 1, 2011

Applies To: Unified Access Gateway

This topic describes how to configure the list of management servers and domain controllers that you need to communicate with DirectAccess clients. DirectAccess clients initiate communications with management servers that provide services such as, Windows update, NAP, and antivirus updates. DirectAccess clients also contact the domain controllers to get Kerberos authentication before accessing the internal network. Management servers communicate with DirectAccess clients to perform management functions such as, software or hardware inventory assessments. Only DirectAccess clients, that are members of the client groups specified in the Client Configuration section of the Forefront UAG DirectAccess Configuration Wizard, can communicate with management servers through Forefront UAG DirectAccess. 

Note

Management traffic does not require successful smart card, NAP or OTP authentication.

The wizard provides Built-In Server Groups that cannot be deleted, and enables you to create User-Defined Server Groups for management servers that do not fall into a built-in group category.

The following Built-In Server groups are auto-discovered:

Note

Ensure that you add the following to the list of management servers:

  • If NAP is enforced by Forefront UAG DirectAccess, include servers that are used for NAP health check and remediation; for example, HRA, and Windows update servers.

  • If the use of a smart card is enforced or you are authenticating using OTP, include servers that need to be accessed before the user logs in; for example, antivirus, Windows update, and management servers.

To manage remote client computers

  1. In the Infrastructure Servers section of the wizard, on the Management Servers page, follow these instructions to add, or delete a management servers and groups.

    1. To add User-Defined Server Groups, click the Add Group icon, enter a new group name, and then click OK.

      Note

      • New server groups cannot be added in the Built-In Server Groups.

      • Server groups must have unique names.

    2. To add a management server, in the left pane, select a server group and above the right pane, click the Add Server icon, enter a server name, IP address or IPv6 prefix, and click OK.

    3. To add multiple management servers, in the left pane, select a server group, and above the right pane, click the drop-down arrow next to Add Servers, and click Add Multiple Servers. Enter a server name, IP address or IPv6 prefix, and click Add. Repeat this step until all the servers have been added and click OK.

    4. To update the complete auto-discovered management servers list, click the Refresh All icon.

      To update a group specific auto-discovered management servers list, right click the Built-In server group and click Refresh.

    5. To include or exclude a domain controller from the list of domain controllers, in the right pane select or clear the domain controller check box.

      To include or exclude all domain controllers, above the right pane, click the Select All icon.

    6. To delete a User-Defined Server Group, click the server group, and then above the left pane, click the Remove Group icon.

      To delete a management server, select the server and above the right pane, click the Remove Server icon.

      Note

      Auto-discovered management servers cannot be deleted. If you do not want to use one of the auto-discovered management servers, clear the relevant check box.

    Note

    The required Active Directory markers for SCCM servers are located in the relevant domain container, under System\System Management. If a DnsHostName field contains an IP address or a DNS host name that is not valid, the auto-discovery for SCCM servers will fail for all SCCM servers.

  2. When you have finished configuring management servers, click Finish.