UAG DirectAccess: Application Servers Wizard

Author by Shannon Fritz

UPDATE: My guide for Configuring DirectAccess with UAG Service Pack 1 has been released! Read it here.
By now you already know that DirectAccess clients connect to corporate resources via an encrypted IPv6 tunnel.  The Application Servers wizarad is how you decide where to terminate that encrypted tunnel.  The traffic between the client over the Internet and to the UAG server on the corporate "edge" is always encrypted, but with this wizard you can decide to end the encryption after the UAG server or carry that all the way through to the resource endpoint to keep the data encrypted even on the corpnet.  Here's a brief TechNet article on the topic. Click the Edit button under Application Servers to launch this one page wizard. The default (and easiest to configure) is the End-to-Edge Encryption.  This will encrypt data only between the client and the UAG server and then send the trafic over the unencrypted network that exists between the UAG server and the endpoint corporate resource.  This option more closely resembles the way a traditional VPN secures traffic. The second option enables encryption to pass through the UAG server all the way to the target.  It does not prevent End-to-Edge only connectivity, it just requires that the servers you specify in the wizard must use encryption between it and the UAG server.  This means these resources must be running Windows Server 2008 or newer, use IPv6 and IPSec.  So currently, it's use is pretty scarce.  If you want to use this option, Deb Shinder has a great summary overview of the UAG DA Configuration and in there touches on how to navigate the End-to-End configuration wizard. For this guide we'll be doing the End-to-Edge Encryption.
Next Step:
Index 1. IP Addressing the UAG Server 2. Unified Access Gateway Installation & Updates 3. Firewall and DNS Considerations 4. Certificates, Groups and Client Requirements 5. Configure other Prerequisites for UAG 6. Configuration Wizard: Clients 7. Configuration Wizard: DirectAccess Server 8. Network Location Server (NLS IIS site) 9. Configuration Wizard: Infrastructure Servers 10. Configuration Wizard: Application Servers 11. Generate and Activate Policies 12. DirectAccess Connectivity Assistant 13. What won’t work over DirectAccess

Shannon Fritz

Infrastructure Architect & Server Team Lead