
Forefront UAG DirectAccess. Step 1 – Clients and GPOs

Tag: Infrastructure — December 30, 2010 @ 10:08 am
Author: Eric Inch


Microsoft’s DirectAccess has been getting a lot of buzz for its seamless remote connectivity and endpoint management capabilities. I figured I would write a multi-part series on configuring the granddaddy of DirectAccess – Forefront Unified Access Gateway (UAG) DirectAccess.

This is part 1 of the series.


To configure UAG DirectAccess, select DirectAccess from the navigation menu on the left. The UAG DirectAccess configuration screen lists the four steps required to complete the configuration. Initially only Step 1 is accessible; Steps 2, 3 and 4 are greyed out. After Step 1 is completed, Step 2 becomes available, and so on. This forces you to configure the settings in order, so that no required step can be skipped.


The first screen, after selecting the Edit link in the Step 1 box, is the Deployment Model screen. It determines what the DirectAccess clients get. The full deployment, “Allow DirectAccess clients to connect to internal networks, and enable remote management of DirectAccess clients,” gives users on the clients access to the internal network, systems and resources, and also lets your management systems reach the clients. The second option, “Enable remote management of DirectAccess clients only,” is an endpoint-management model: the management servers you specify later can reach the clients for patching, inventory and remote support, but users on those clients get no access to the internal network.

After selecting the deployment model, select Next to continue with the configuration.


The second screen in the Clients and GPOs Configuration wizard is for selecting the domains that contain the client computers. In a multi-domain forest you can add any domain in which DirectAccess group policies should be applied to workstations; client GPOs will be created in each domain you list. After adding all of the domains you need, select Next to continue.


The third screen is for policy management. Forefront UAG creates and uses Group Policy objects to deliver the DirectAccess settings to the clients, to the UAG server(s), and to the application servers included in the DirectAccess architecture. You can let UAG create the GPOs automatically or have it write the settings into existing GPOs that you name. Either way, the account running the UAG Management console needs rights to create (or edit) and link those GPOs in each domain; if it does not have them, have a domain administrator create the GPOs up front and point UAG at the existing ones.

Note: From a security standpoint, I would recommend not naming your server with the role it serves. But for this blog, we’re using UAG in the name. (If we did this in the “real-world”, it would be like saying, “Hey, would-be attacker. This machine is a server based machine (SRVUAG) running Unified Access Gateway (SRVUAG), come and get me”   :-) )


The fourth and final screen in the Clients and GPOs Configuration wizard is where you select how the group policy settings that contain the client configuration are applied: by Active Directory security group or by organizational unit. In this example the GPOs are applied to the security group “DirectAccess Clients,” which will contain the computer accounts to be enabled for DirectAccess. Two practical points: the group holds computer accounts, not user accounts, because this is machine policy; and because group membership is evaluated from the computer’s logon token, a newly added client has to be restarted while it is on the intranet and pick up the GPO before it leaves the network. A client that never received the policy cannot connect remotely.
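The wizard only asks for the group name; creating it and putting the right computer accounts into it is done in Active Directory. Below is an added example (not from the original post) that does that with the ActiveDirectory PowerShell module from RSAT on Windows 7 / Server 2008 R2. The domain DN, the pilot OU and the operating-system filter are assumptions for this example; the group name is the one used in the wizard above.

```powershell
# Added example (not part of the original post): create and populate the
# "DirectAccess Clients" security group that the wizard targets.
# Assumes the ActiveDirectory module (RSAT on Windows 7 / Server 2008 R2).
# The domain DN and OU below are placeholders for this example.
Import-Module ActiveDirectory

$domainDn  = 'DC=corp,DC=example,DC=com'                # hypothetical domain
$groupName = 'DirectAccess Clients'                      # name entered in the wizard
$pilotOu   = "OU=Laptops,OU=Workstations,$domainDn"     # hypothetical pilot OU

# Create the group once. A global security group is enough; the UAG client GPO
# is security-filtered to this group, so only members receive the settings.
$group = Get-ADGroup -Filter { Name -eq $groupName }
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Path "CN=Users,$domainDn" `
        -Description 'Computer accounts enabled for UAG DirectAccess' -PassThru
}

# Add computer accounts only (a user account in this group gets nothing; this
# is machine policy). Start with a pilot OU rather than every workstation.
$clients = Get-ADComputer -Filter { OperatingSystem -like 'Windows 7*' } -SearchBase $pilotOu
if ($clients) {
    Add-ADGroupMember -Identity $group -Members $clients
}

# Review membership: anything that is not a computer object here is a mistake.
Get-ADGroupMember -Identity $group |
    Select-Object Name, objectClass |
    Sort-Object objectClass, Name
```

Run this before you complete Step 1 so the group exists when UAG links and filters the GPO. The computers you add still have to reboot on the intranet to get the new group in their token and receive the policy.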

Configuring Settings for Client Connectivity Assistant


Step 1 also lets you configure settings for the DirectAccess Client Connectivity Assistant, the tray application that shows users whether DirectAccess is working and collects diagnostics when it is not. To start the wizard, select the link under Optional Settings. The first screen asks whether you want to configure settings for the assistant at all. I highly recommend you use the Client Connectivity Assistant, at least during initial configuration and testing. Select “Yes, configure application settings,” and then decide whether users may toggle between local name resolution and corporate DNS resolution. That toggle lets a user temporarily bypass the corporate name-resolution rules so local names (a home printer, a hotel’s captive portal) resolve; it is a troubleshooting convenience, so only allow it if you want users to be able to switch it on themselves. After you have the options you want selected, choose Next to proceed.


The second screen in the Client Connectivity Assistant Configuration wizard is where you list internal-only resources the assistant probes to decide whether the DirectAccess connection is working. Include at least one HTTP/HTTPS URL and at least one SMB file share. The resources must be reachable only from inside the corporate network, that is, only through the DirectAccess tunnel: if a probe target also answers from the Internet, the assistant will report a working connection while the tunnel is down. After the internal resources are added, select Next to continue with the configuration.


The third step is to configure a portal users can go to for troubleshooting connectivity. You can select an existing UAG portal or some other site URL. Enter a friendly name for the link and select Next.


On the final screen, enter an administrator’s email address to which users can send the diagnostics logs the assistant collects. You can also specify the path and name of a script that the assistant runs as part of collecting diagnostics. Select Finish to complete the wizard.
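Before trusting the assistant’s verdict, it is worth checking from a client what Step 1 actually delivered: that the client GPO applied, that the DirectAccess name-resolution rules are present, and that the internal-only resources really are reachable only through the tunnel. The script below is an added example (not from the original post, and not the Client Connectivity Assistant’s own code) that does those checks with PowerShell 2.0 on a Windows 7 client. The GPO-name fragment it searches for, the URL and the share are assumptions for this example; replace them with the resources you entered in the wizard.

```powershell
# Added example (not part of the original post, and not the Client Connectivity
# Assistant's own code): run on a DirectAccess client to confirm what Step 1
# delivered and to probe the same kind of internal-only resources you gave the
# assistant. PowerShell 2.0 on Windows 7 is enough.
# The GPO name fragment, URL and share below are assumptions for this example.
$gpoNameFragment = 'DirectAccess'   # assumption: fragment of the UAG-created client GPO name
$probes = @(
    @{ Type = 'HTTP'; Target = 'https://intranet.corp.example.com/' }, # hypothetical internal-only web server
    @{ Type = 'FILE'; Target = '\\fs01.corp.example.com\probe$' }      # hypothetical internal-only share
)

function Test-DaResource {
    param([string]$Type, [string]$Target)
    switch ($Type) {
        'HTTP' {
            try {
                $req = [System.Net.WebRequest]::Create($Target)
                $req.Timeout = 5000
                # A certificate the client does not trust also ends up in the
                # catch block and returns $false. Fix the trust chain on the
                # client; do not disable certificate validation here.
                $resp = $req.GetResponse()
                $resp.Close()
                return $true
            } catch {
                return $false
            }
        }
        'FILE' {
            return [bool](Test-Path -Path $Target -ErrorAction SilentlyContinue)
        }
    }
    return $false
}

# 1. Did the client GPO apply? Membership is read from the computer's logon
#    token, so a freshly added client must be rebooted on the intranet first.
$applied = gpresult /r /scope:computer | Select-String $gpoNameFragment
if ($applied) {
    'Client GPO: applied'
} else {
    'Client GPO: not applied (check group membership, then reboot on the intranet)'
}

# 2. Are the DirectAccess name-resolution rules (NRPT) present? An empty table
#    means the policy never reached this machine, whatever the tunnel state.
netsh namespace show effectivepolicy

# 3. Probe the internal-only resources. Require all of them to succeed: one
#    failure means the tunnel or name resolution is broken for that path.
$results = foreach ($p in $probes) {
    New-Object PSObject -Property @{
        Type      = $p.Type
        Target    = $p.Target
        Reachable = Test-DaResource -Type $p.Type -Target $p.Target
    }
}
$results | Format-Table Type, Reachable, Target -AutoSize

if (@($results | Where-Object { -not $_.Reachable }).Count -eq 0) {
    'DirectAccess connectivity: OK'
} else {
    'DirectAccess connectivity: FAILED'
}
```

Run the probe section once from a machine on the Internet that is not a DirectAccess client before you trust the resource list: every probe should come back False there. A target that is reachable from outside is not a DirectAccess test, and it will make both this script and the assistant report a healthy connection when the tunnel is down.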

This concludes the first step in configuring Forefront UAG DirectAccess. I will continue my “series” with Step 2 – UAG DirectAccess Server Configuration in my next blog article.

For an overview of Forefront UAG DirectAccess, please see my Knowledge Transfer article, “Always-on secure access, with Forefront UAG DirectAccess”.
