Forefront UAG DirectAccess prerequisites

Updated: February 1, 2011

Applies To: Unified Access Gateway

The following lists the prerequisites for deploying Forefront Unified Access Gateway (UAG) DirectAccess on single servers, and on multiple servers that use Forefront UAG DirectAccess integrated Network Load Balancing (NLB).

Prerequisites for deploying Forefront UAG DirectAccess


Infrastructure servers

You must have at least one domain controller running Windows Server 2003 or later, and a Domain Name System (DNS) server that supports dynamic updates. You can use DNS servers that do not support dynamic updates, but entries must be manually updated.

For more information, see Designing a DNS infrastructure for Forefront UAG DirectAccess.

Machine Certificates

  • You must install and configure a Certification Authority (CA) for issuing client authentication certificates, if one does not already exist.

  • You must provision a machine certificate to all Forefront UAG DirectAccess clients.

    Note

    You may choose to provision the certificates by enabling domain certificate autoenrollment for Forefront UAG DirectAccess clients, using their security group and group policy.

  • Domain clients must trust the root and intermediate certificates of the CA that issues the client certificates.

For more information, see Designing your PKI for Forefront UAG DirectAccess.

IP-HTTPS certificates

You can use two types of IP-HTTPS certificates:

  • Public—Supplied by a third-party CA.

    A web certificate is required for IP-HTTPS authentication. The certificate subject should be the URL of the Forefront UAG DirectAccess server.

    Note

    This certificate must be copied to all array nodes.

  • Private

    The following are required, if they do not already exist:

    • A web certificate used for IP-HTTPS authentication. The certificate subject should be the URL of the Forefront UAG DirectAccess server.

      Note

      This certificate must be copied to all array nodes.

      For more information on setting up PKI, see Active Directory Certificate Services (https://go.microsoft.com/fwlink/?LinkId=154397).

    • A certificate revocation list (CRL) distribution point that is reachable from a publicly resolvable fully qualified domain name (FQDN).

      For more information, see Planning the placement of CRL distribution points.

Forefront UAG DirectAccess server

The Forefront UAG DirectAccess server has the following requirements:

  • It must be running Windows Server 2008 R2 Standard (RTM release), or Windows Server 2008 R2 Enterprise (RTM release).

  • It must be joined to an Active Directory domain.

  • It must have two physical network adapters installed.

    Note

    The network adapters should be configured as Internal and External in the Forefront UAG Getting Started Wizard.

  • IPv6 transition technologies should not be disabled.

    For more information on transition technologies, see IPv6 Transition Technologies (https://go.microsoft.com/fwlink/?LinkId=154382).

Forefront UAG DirectAccess client

A Forefront UAG DirectAccess client must be:

  • Running Windows 7 Enterprise, or Windows 7 Ultimate.

  • Joined to an Active Directory domain.

Global or universal security groups for Forefront UAG DirectAccess clients

Create global or universal security groups containing the Forefront UAG DirectAccess client computer accounts. You can also use existing global or universal groups.

For more information, see Create a New Group (https://go.microsoft.com/fwlink/?LinkId=154396).

Network location server with an HTTPS based URL

The network location server should be highly available and have a valid SSL certificate that the DirectAccess clients trust.

Warning

You must not configure your Forefront UAG DirectAccess server as the network location server.

For more information, see Specifying the network location server.

Routing

Configure routing as follows:

  • When IPv6 is deployed in the organization, add a route so that the routers on the internal network route IPv6 traffic back through the Forefront UAG DirectAccess server.

  • Manually configure organization IPv4 and IPv6 routes on the Forefront UAG DirectAccess servers. Add a published route so that all traffic with an organization (/48) IPv6 prefix is forwarded to the internal network. In addition, for IPv4 traffic, add explicit routes so that IPv4 traffic is forwarded to the internal network.

When using additional firewalls

When using additional firewalls, apply the following Internet-facing firewall exceptions for Forefront UAG DirectAccess traffic when the Forefront UAG DirectAccess server is on the IPv4 Internet:

  • Teredo traffic—User Datagram Protocol (UDP) destination port 3544 inbound, and UDP source port 3544 outbound.

  • 6to4 traffic—Protocol 41 inbound and outbound.

  • IP-HTTPS—Transmission Control Protocol (TCP) destination port 443 inbound, and TCP source port 443 outbound.

For more information, see Packet filtering for the Internet firewall.

When using additional firewalls, apply the following Internet-facing firewall exceptions for Forefront UAG DirectAccess traffic when the Forefront UAG DirectAccess server is on the IPv6 Internet:

  • Protocol 50 (IPsec Encapsulating Security Payload, ESP).

  • UDP destination port 500 (IKE) inbound, and UDP source port 500 outbound.

  • Internet Control Message Protocol for IPv6 (ICMPv6) traffic inbound and outbound.

For more information, see Packet filtering for the Internet firewall.

When using additional firewalls, apply the following internal network firewall exceptions for Forefront UAG DirectAccess traffic:

  • ISATAP—Protocol 41 inbound and outbound.

  • TCP/UDP for all IPv4/IPv6 traffic.

  • ICMP for all IPv4/IPv6 traffic.

For more information, see Packet filtering for intranet firewalls.

Network interface settings for a single server Forefront UAG DirectAccess deployment

The following network interface settings are required for a single server Forefront UAG DirectAccess deployment:

  • Two Internet-facing consecutive public static IPv4 addresses.

    Important

    When configuring your TCP/IP properties on the Forefront UAG DirectAccess server, do not configure Internet DNS servers on any of the Forefront UAG DirectAccess server interfaces, as this could cause DNS64 performance degradation.

  • If your organization has an internal IPv6 deployment, make sure that you configure an internal static IPv6 address.

  • An internal static IPv4 address for NAT64.

    Note

    These addresses are configured by using Change adapter settings in the Windows Network and Sharing Center.
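The server requirements listed earlier and the single-server interface settings above can be checked before running the Forefront UAG Getting Started Wizard. The script below is an added example, not code from the original page or from the Forefront UAG product; it assumes the Internet-facing adapter's connection name is "External" and uses WMI so that it runs under PowerShell 2.0 on Windows Server 2008 R2.

```powershell
# Added example, not from the original page. Pre-flight checks for a single-server
# Forefront UAG DirectAccess host, written against WMI so it runs under PowerShell 2.0
# on Windows Server 2008 R2. The connection name of the Internet-facing NIC is an
# assumption; set it to whatever you named that adapter.
$ExternalAdapter = 'External'
$failures = @()

# OS: Windows Server 2008 R2 Standard or Enterprise
$os = Get-WmiObject Win32_OperatingSystem
if ($os.Caption -notmatch '2008 R2 (Standard|Enterprise)') { $failures += "Unsupported OS: $($os.Caption)" }

# Server must be joined to an Active Directory domain
if (-not (Get-WmiObject Win32_ComputerSystem).PartOfDomain) { $failures += 'Server is not domain-joined' }

# Two physical network adapters
$nics = @(Get-WmiObject Win32_NetworkAdapter | Where-Object { $_.PhysicalAdapter })
if ($nics.Count -lt 2) { $failures += "Only $($nics.Count) physical adapter(s) found; two are required" }

# IPv6 transition technologies must not be disabled; a nonzero DisabledComponents turns them off
$p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' -ErrorAction SilentlyContinue
if ($p -and $p.DisabledComponents) { $failures += ('Tcpip6 DisabledComponents is 0x{0:X}' -f $p.DisabledComponents) }

# Dotted-quad IPv4 address to an integer, so adjacent addresses differ by exactly 1
function ConvertTo-IPv4Number([string]$ip) {
    $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    return [uint64]$b[0] * 16777216 + [uint64]$b[1] * 65536 + [uint64]$b[2] * 256 + [uint64]$b[3]
}

foreach ($cfg in Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
    $name = ($nics | Where-Object { $_.Index -eq $cfg.Index } | ForEach-Object { $_.NetConnectionID })
    # No DNS servers on any interface: Internet DNS servers here degrade DNS64 performance
    if ($cfg.DNSServerSearchOrder) { $failures += "DNS servers set on '$name': $($cfg.DNSServerSearchOrder -join ', ')" }
    # Required addresses are static, so DHCP must be off
    if ($cfg.DHCPEnabled) { $failures += "DHCP is enabled on '$name'; static addressing is required" }
    if ($name -ne $ExternalAdapter) { continue }
    # Internet-facing adapter: two consecutive public static IPv4 addresses
    $v4 = @($cfg.IPAddress | Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' })
    if ($v4 | Where-Object { $_ -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.)' }) {
        $failures += "Non-public IPv4 address on '$name': $($v4 -join ', ')"
    }
    $nums = @($v4 | ForEach-Object { ConvertTo-IPv4Number $_ } | Sort-Object)
    if ($nums.Count -lt 2 -or ($nums[1] - $nums[0]) -ne 1) {
        $failures += "'$name' needs two consecutive IPv4 addresses, found: $($v4 -join ', ')"
    }
}

if ($failures) { $failures | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host 'All checked Forefront UAG DirectAccess server prerequisites are met.'
```

Run it in an elevated PowerShell session on the prospective DirectAccess server; a non-zero exit code with one warning per failed check makes it usable from a build pipeline as well as interactively.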

Network interface settings for network load balanced Forefront UAG DirectAccess server in an array

When configuring network interface settings, you must configure static virtual IP addresses (VIPs) and dedicated IP addresses (DIPs). A DIP is the existing unique per-node IP address. The following network interface settings are required for a network load balanced Forefront UAG DirectAccess server in an array:

  • Two Internet-facing consecutive public IPv4 addresses (VIPs).

  • An Internet-facing static IPv4 address (DIP).

    Important

    When configuring your TCP/IP properties on the Forefront UAG DirectAccess server, do not configure Internet DNS servers on any of the Forefront UAG DirectAccess server interfaces, as this could cause DNS64 performance degradation.

  • An internal network facing static IPv6 address (DIP).

  • An internal network facing IPv6 address (VIP). This must be on the same subnet as the internal network facing IPv6 DIP.

  • An internal network facing static IPv4 address (DIP).

  • An internal network facing IPv4 address (VIP). This must be on the same subnet as the internal network facing IPv4 DIP.

    Note

    DIPs are configured by using Change adapter settings in the Windows Network and Sharing Center, and VIPs in the Forefront UAG Network Load Balancing configuration. VIPs are only configured on the array manager.

    For more information, see Configuring NLB for a Forefront UAG DirectAccess array.