UAG SP1 DirectAccess: Config Wizard, End-to-End Access

Authored by Shannon Fritz

Prior to SP1 this was called the "Application Servers" wizard. It's been renamed to more accurately describe its function; however, the Group Policy it generates is still called "AppServer" by default. Aside from the rename and a little face-lift to the UI, it is the same one-page wizard as before.

You already know that DirectAccess clients connect to corporate resources via an encrypted IPv6 tunnel. The Application Servers wizard is how you decide where to terminate that encrypted tunnel. The traffic between the client on the Internet and the UAG server on the corporate “edge” is always encrypted, but with this wizard you can decide to carry that encryption all the way through to the resource endpoint to keep the data encrypted even on the corpnet. Here’s a brief TechNet article on the topic.

The default (and easiest to configure) is called "End-to-Edge" Encryption. This will encrypt data only between the client and the UAG server and then send the traffic over the unencrypted corporate network that exists between the UAG server and the endpoint corporate resource. This option more closely resembles the way a traditional VPN secures traffic.

End-to-Edge

The second option, which is called "End-to-End" Encryption, enables the encryption to pass through the UAG server all the way to the target. It does not prevent End-to-Edge connectivity; it just requires that the servers you specify in this wizard use encryption between them and the UAG server.

End-to-End

This requires these target resources to use IPv6 and IPsec. It's not used all that commonly, but if you want to use this option, Deb Shinder has a great summary overview of the RTM UAG DA Configuration that touches on how to navigate the End-to-End configuration wizard.

We'll be using End-to-Edge, so leave the box unchecked for now. You can always come back later and give it a try after you have DirectAccess tested and working.

Author

Shannon Fritz

Infrastructure Architect & Server Team Lead