My guide for Configuring DirectAccess with UAG Service Pack 1 has been released! Read it here
Getting DirectAccess up and running has never been easier than before the Unified Access Gateway
, yet it can still be a challenge to get all of the stars to align so it works right. To help, I've put together a collection of posts that will assist you in setting up DirectAccess step-by-step and give you some troubleshooting tips along the way.
Don't know what DirectAccess is? Think of it as a way of extending your company network to users when they are outside of the office. Here's a collection of resources to further shape your understanding of DirectAccess
Here's the index of this series. If you find that you want DirectAccess but do not want to go through all of this yourself, you can pay for hourly phone support with Microsoft Advisory Services
or you can hire me to come out and do it for you
- IP Addressing the UAG Server
- Unified Access Gateway Installation & Updates
- Firewall and DNS Considerations
- Certificates, Groups and Client Requirements
- Configure other Prerequisites for UAG
- Configuration Wizard: Clients
- Configuration Wizard: DirectAccess Server
- Network Location Server (NLS IIS site)
- Configuration Wizard: Infrastructure Servers
- Configuration Wizard: Application Servers
- Generate and Activate Policies
- DirectAccess Connectivity Assistant
- What won't work over DirectAccess
Before getting started with the guide, there are a few things take note of. Microsoft's official list of prerequisites is located here
- We'll be setting up a very simple, single instance UAG server. This does create a potential "single point of failure" but greatly reduces the complexity of setup. Once you have this in place you can move on to building NLB clusters and a High Availability UAG environment, but for now, let's keep it simple. Call it a Proof-of-Concept as opposed to full production-ready configuration.
- DirectAccess without UAG would require you to have at least one Domain Controller (or just a DNS server) that is running Windows Server 2008 or 2008 R2 to support IPv6 in DNS. Also, without UAG the domain functional level would need to be at 2003 Native or higher. These are no longer requirements thanks to the NAT64 and DNS64 features of UAG.
- You should already have a PKI set up. If you do not have an Enterprise Certificate Server with Auto-Enrollment set up for your workstations, start here. Without computer certificates DirectAccess will not work.
- Using aVirtual Machine for UAG is 100% supported (and I would recommend it personally). I would give this machine 4 CPU’s and 8GB of memory, although this is about twice the minimum requirements.
- You’ll need a minimal amount of disk space. If you are using a VM then 60GB on a dynamic disk is great but more than you really need.
- Install Windows Server 2008 R2 Standard. It you want it, Enterprise is supported but not required, even if you plan on setting up a cluster of UAG servers later because it uses NLB and not Failover Clustering. If you are reusing hardware be sure to delete any existing partitions and let the installer create them for you.
- When you name the server make sure it is 15 characters or less.
- The server needs TWO network interfaces, one will need to be connected to your external network or DMZ, the other internal. It'll look like this.
- You will need TWO external IP’s that are in numerical order (x.x.x.1 and x.x.x.2). You cannot use NAT, the IP's on the external NIC must be public addresses.
- The first IP will need an External DNS record. DA.[yourdomain].com would be fine.
- Collect a list of all IPv4 networks (ip range, subnets, gateways) and vlan’s in your enterprise. You have to create static routes for the UAG server to be able communicate directly with each of your subnets.
- Make sure the workstations that you want to enable for DirectAccess are running Windows 7 Enterprise or Ultimate as other / earlier versions of Windows do not support DirectAccess.
- There are a few IIS sites that we’ll need to put someplace. Try to think of a server that might be appropriate for this (like an intranet site server or an IIS farm), otherwise I have used the certificate server for this purpose.
With all that in mind, the network connectivity diagram will look something like this:
The remote DirectAccess Client machine is likely behind a router at their home or hotel someplace which connects to the internet and the UAG server over an IPv4 network. The traffic which is destined for the corporate resources gets wrapped up in secure and virtual IPv6 network that is established between the client computer's virtual adapter and the ISATAP router tht runs on the UAG server. Then the traffic is then dropped onto the corporate IPv4 network and arrives at the corporate resource.
There are a number of variations on this diagram, but that is essentially how DirectAccess works over a pure IPv4 network and what this guide will walk you through setting up.
A lot of this walk-through guide is based on the contents of the Microsoft guide for Step by Step: Demonstrating Direct Access in a Lab
and the Step by Step Troubleshooting DirectAccess
. In case I miss something or you want more details you should refer first to those two documents.
Once you have completed the configuration you'll be able to enable computers for DirectAccess by simply adding the computer to a security group and reboot it. Then the computer (and the person using it) can access your corporate resources from anyplace they have Internet access.