UAG SP1 DirectAccess: Config Wizard, Clients

Author by Shannon Fritz

The first wizard has been given some pretty significant enhancements in SP1 that include easier configuration of the deployment type and more flexible ways of defining who your DirectAccess clients will be. Here you can select whether or not you want the users who are logged into the DirectAccess enabled computer are able to connect to your corporate resources.  The default is yes, you want to allow users to reach your file servers and intranet web sites and so on.  Alternatively you can select what is commonly referred to as a "Manage Out" deployment where only the computer account (not the user) is able to reach into the corpnet so that it can fetch updates, talk to your domain controllers and other management services.  In either deployment model you will be able to reach out to the DA clients FROM your corpnet on any host that is IPv6 enabled (typically thanks to you using ISATAP on the intranet). You can also select other domains that you want to allow your DA clients to connect to. New in SP1 is the ability to inject the Group Policy settings into existing policies or create new ones.  I prefer the default which is to leave the DirectAccess Policies in their own GPO.  Fun fact:  If you are upgrading from RTM to SP1, your existing DirectAccess policies will be listed in the"Automatically Generate" option as they are in the screen shot below, with the GUID in the name. If you are doing a new deployment, or if you delete the existing policies and make new ones, the GPO names will include the name of your UAG server instead of the GUID.  So if you want your GPO's to be named pretty, delete the existing policies and net UAG create new ones. Also new in SP1 is the ability to apply the DirectAccess client policy to AD Security Group(s) OR Active Directory OU(s).  I prefer using a single group, but you can decide what's best for your organization. Click Finish and you're ready to move on to the next wizard. Don't worry about configuring the "optional" Client Connectivity Assistant for now. I'll soon have another post available that runs you through that.

Shannon Fritz

Infrastructure Architect & Server Team Lead