UAG DirectAccess: DirectAccess Server Wizard

By Shannon Fritz

UPDATE: My guide for Configuring DirectAccess with UAG Service Pack 1 has been released! Read it here.
Getting through the DirectAccess Server wizard might be the most challenging part, because its behaviour and what it asks for are determined by some dependency checks that the wizard runs in the background. To get started, click the Edit button in the DirectAccess Server group.

NOTE: At the time of this writing, Forefront UAG Update 1 and earlier has a known bug in this particular wizard that can appear when you reach the page about selecting certificates. Microsoft developers are aware of the issue, as discussed here in the Microsoft Forefront forum, but I have been told that there won't be a fix until UAG Service Pack 1, due for release around the end of 2010. It seems to be fine the first time you go through the wizard, but if you select one certificate type, then rerun the wizard and select the other type, the wizard will peg the CPU at 100% on the third and any subsequent runs. So the moral of the story is to get it right the first time and you'll be fine. Otherwise you may need to wipe the entire UAG configuration (by running configmgrutil -del) and start all over.

Remember, I am assuming that your internal network infrastructure is running purely IPv4. With that in mind, the first page of this wizard will sort of tell you whether you have things set up right, but you have to know what you are looking for. If you notice that the dropdown list for IPv4 is disabled, then you're missing something. It looks like this:

This usually means the wizard was unable to find an ISATAP router and assumes you are using IPv6 on your internal network, because without ISATAP to tunnel IPv6 over your IPv4 network you would need native IPv6 for DirectAccess to work. Since we do not have IPv6 internally and we want to use ISATAP, there are two things to check in order to correct this:
  1. Make sure ISATAP has been removed from the DNS Global Block List (here's how)
  2. Make sure you have an "A record" in DNS for "ISATAP" that points to the internal IP address of your UAG server.
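The two checks above can be scripted so you know the wizard will find the ISATAP router before you open it. The following is an added example, not code from the original post or from UAG itself; it assumes a Windows DNS server reachable with dnscmd.exe, and the DNS server name, zone name and UAG intranet IP are placeholders you must replace. Run it in an elevated PowerShell session on a machine that has the DNS Server tools installed (the UAG server itself is fine, since its resolver should already point at the internal DNS server).

```powershell
# Added example (not from the original post): pre-flight check for the two
# ISATAP DNS prerequisites before running the DirectAccess Server wizard.
# All three values below are placeholders; replace them with your own.
$DnsServer     = 'dc01.corp.example.com'   # assumed internal DNS server
$Zone          = 'corp.example.com'        # assumed internal AD DNS zone
$UagInternalIp = '10.0.0.5'                # assumed intranet IP of the UAG server

$ok = $true

# Check 1: "isatap" must not be on the DNS global query block list.
# While it is, the DNS server refuses to resolve that name even when an
# A record exists, so the wizard concludes there is no ISATAP router.
$blockList = & dnscmd $DnsServer /info /globalqueryblocklist 2>&1
if ($blockList | Where-Object { $_ -match '(?i)\bisatap\b' }) {
    Write-Host "FAIL: 'isatap' is still in the global query block list on $DnsServer"
    Write-Host "      Fix (leaves only wpad blocked): dnscmd $DnsServer /config /globalqueryblocklist wpad"
    $ok = $false
} else {
    Write-Host "OK:   'isatap' is not in the global query block list on $DnsServer"
}

# Check 2: isatap.<zone> must resolve to the UAG server's intranet address.
# This goes through the local resolver, so flush any stale negative cache
# first (the block list produces cached failures that outlive the fix).
& ipconfig /flushdns | Out-Null
$fqdn = "isatap.$Zone"
try {
    $addresses = @([System.Net.Dns]::GetHostAddresses($fqdn) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString })
} catch {
    $addresses = @()
}
if ($addresses -contains $UagInternalIp) {
    Write-Host "OK:   $fqdn resolves to $UagInternalIp"
} elseif ($addresses.Count -gt 0) {
    Write-Host "FAIL: $fqdn resolves to $($addresses -join ', ') instead of $UagInternalIp"
    $ok = $false
} else {
    Write-Host "FAIL: $fqdn does not resolve"
    Write-Host "      Fix: dnscmd $DnsServer /recordadd $Zone isatap A $UagInternalIp"
    $ok = $false
}

if ($ok) { Write-Host 'ISATAP DNS prerequisites look good; run the DirectAccess Server wizard.' }
else     { Write-Host 'Fix the items above and re-run this check before starting the wizard.' }
```

The dnscmd fix in the first check replaces the whole block list with just wpad, which is the documented way to remove isatap while keeping WPAD blocked; if your list contains other names, add them to that command as well.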
Once you have the DNS considerations for ISATAP taken care of, you should see that IPv6 is now greyed out and the IPv4 dropdown is enabled. The two dropdown lists should be populated with only one option each. In the left DDL for the Internet-facing IPv4 address, select the first public IP on your server and you should see the second address appear underneath the drop-down. In the right DDL for the internal IPv4 address, select the server's intranet address; the wizard should then tell you that it will be enabling ISATAP and that you should create the DNS record for ISATAP. Of course that's a little ironic, given that you needed to do that beforehand.

Next, leave both NAT64 and DNS64 checked. If you don't, you will either need to configure your own translation services or be unable to reach IPv4-only targets on the intranet. So, yeah, leave those checked.

Finally, you need to select the certificate of the CA that is issuing the certificates to your enterprise. At this point you should have already generated a web certificate to be used for IP-HTTPS and imported it into the Computer account's Personal certificates store of the UAG server. Select both certificates and click Finish.

It may be appropriate to point out here that IP-HTTPS, while it is the least desirable connection method due to its overhead, is incredibly useful since it is the option most likely to work in "unusual" scenarios, because outbound HTTPS to secure web sites is almost universally allowed through firewalls. When it comes to the configuration of the UAG server, it proxies all IP-HTTPS traffic through a local instance of IIS. To accomplish this, the UAG wizard seems to wipe and rewrite the IIS settings when activating the UAG configuration. Why is that important? Well, you should not expect to be able to use the IIS installation on the UAG server for anything other than IP-HTTPS. So don't bother adding another site, binding one to a different IP, or even making subdirectories in an existing site: UAG will destroy it, and it doesn't tell you about it either.
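Since the certificate page is the one place where the wizard bug above bites, it pays to confirm the IP-HTTPS certificate is actually usable before you get there. The following is an added example, not code from the original post or from UAG; it assumes the IP-HTTPS certificate was issued for the public name clients connect to (the host name below is a placeholder) and checks, in the computer account's Personal store, the properties a TLS listener needs: a private key, validity, a Server Authentication EKU if an EKU extension is present, and a chain that builds to a trusted root on the UAG server. It also lists the self-signed root CA certificates in the computer's Trusted Root store as a starting point for identifying the issuing CA's certificate the wizard asks for. Run it in an elevated PowerShell session on the UAG server.

```powershell
# Added example (not from the original post): verify the IP-HTTPS certificate
# in the UAG server's computer Personal store and list trusted root CAs.
$IpHttpsName   = 'da.example.com'       # assumed public FQDN clients connect to (placeholder)
$ServerAuthEku = '1.3.6.1.5.5.7.3.1'    # Server Authentication EKU OID

function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Subject Alternative Name extension (OID 2.5.29.17); Format($true) renders
    # one "DNS Name=host" line per entry.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    if (-not $san) { return @() }
    ($san.Format($true) -split "`r?`n") | ForEach-Object {
        if ($_ -match '^\s*DNS Name=(.+)$') { $Matches[1].Trim() }
    }
}

function Test-IpHttpsCertificate {
    param([string]$Name)
    # Candidates: certs whose subject CN or SAN matches the IP-HTTPS name.
    $candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.Subject -match "CN=$([regex]::Escape($Name))(,|$)" -or
        ((Get-SanDnsNames $_) -contains $Name)
    })
    if ($candidates.Count -eq 0) {
        Write-Host "FAIL: no certificate for $Name in Cert:\LocalMachine\My"
        return $false
    }
    $usable = $false
    foreach ($c in $candidates) {
        $problems = @()
        if (-not $c.HasPrivateKey) {
            $problems += 'no private key (import the .pfx with its key, not just the .cer)'
        }
        if ($c.NotAfter -lt (Get-Date)) { $problems += "expired on $($c.NotAfter)" }
        # If an EKU extension (OID 2.5.29.37) is present it must allow Server Authentication.
        $eku = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1
        if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthEku })) {
            $problems += 'EKU does not include Server Authentication'
        }
        # The chain must build to a root this machine trusts.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        if (-not $chain.Build($c)) {
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            $problems += "chain does not build: $status"
        }
        if ($problems.Count -eq 0) {
            Write-Host "OK:   $($c.Thumbprint)  $($c.Subject)  (valid until $($c.NotAfter))"
            $usable = $true
        } else {
            Write-Host "WARN: $($c.Thumbprint)  $($c.Subject)"
            $problems | ForEach-Object { Write-Host "      - $_" }
        }
    }
    return $usable
}

function Get-TrustedRootCAs {
    # Self-signed CA certificates trusted by the computer account; the
    # enterprise issuing CA you select in the wizard should chain to one of these.
    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq $_.Issuer } |
        Select-Object Subject, Thumbprint, NotAfter
}

if (Test-IpHttpsCertificate $IpHttpsName) {
    Write-Host "IP-HTTPS certificate for $IpHttpsName is ready for the wizard."
}
Write-Host "`nTrusted root CAs in the computer store:"
Get-TrustedRootCAs | Format-Table -AutoSize
```

If the script reports OK for exactly one certificate, that is the one to pick on the certificate page; if it reports several, note the thumbprint of the good one so you do not have to rerun the wizard and risk the CPU bug described above.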
Next Step: 8. Network Location Server (NLS IIS site)

Index
  1. IP Addressing the UAG Server
  2. Unified Access Gateway Installation & Updates
  3. Firewall and DNS Considerations
  4. Certificates, Groups and Client Requirements
  5. Configure other Prerequisites for UAG
  6. Configuration Wizard: Clients
  7. Configuration Wizard: DirectAccess Server
  8. Network Location Server (NLS IIS site)
  9. Configuration Wizard: Infrastructure Servers
  10. Configuration Wizard: Application Servers
  11. Generate and Activate Policies
  12. DirectAccess Connectivity Assistant
  13. What won't work over DirectAccess
Author

Shannon Fritz

Infrastructure Architect & Server Team Lead