UAG DirectAccess: Infrastructure Servers Wizard

Author by Shannon Fritz

UPDATE: My guide for Configuring DirectAccess with UAG Service Pack 1 has been released! Read it here.
The Infrastructure Servers wizard is likely the one you'll revisit the most often.  This is where you will specify which hosts the computer accounts can access prior to a user logging onto the computer (like Domain Controllers and virus update servers) and which hosts should not be accessible over DirectAccess (like the NLS and resources you truly want to be available on the Intranet only).  To get started, click the Edit button in the Infrastructure Servers group. the first page of the wizard will ask for the URL to the Network Location Server.  Once you enter that and click Validate you'll want to see the lovely green check mark to indicate your NLS is working properly.  Notice the recommendation that the NLS should be Highly Available. Next you have an opportunity to specify DNS names and patterns that will be used to populate the Name Resolution Policy Table (NRPT) which is used by the DirectAccess clients to decide if it should use the corporate DNS servers or it's own DNS servers.  This allows you to prevent DirectAccess clients from using internal resources that would otherwise be available externally.  For example, you would want to use this to exclude Outlook Web Access or Office Communications Server since those have public interfaces that users outside the office should (or must) use instead of traversing the DirectAccess tunnel. By default your entire domain is added with a wildcard (*.domain.com) to be used with DNS64.  This is what ISATAP uses to translate the IPv4 address from a DNS requests for hostname into an IPv6 address.  So when a DirectAccess client does a dns query for "hostname.domain.com" the NRPT rule sends the request to internal DNS.  The UAG server intercepts the request and asks your internal DNS server for the record.  If it gets and IPv6 address it passes it back to the client, but if it gets IPv4 then it translates the address into an IPv6 address and passes that back to the client.  When the client tries to send traffic to that address the UAG server uses NAT64 to direct the data flow to the real target IPv4 address. What you really want to do on this page of the wizard is define hostnames that should NOT be resolved using internal IP addresses.  For the most part, any service that has external connectivity that uses the same name internally should be excluded.  For example, if you use http://cirtix.domain.com/ on your internal AND external network to route traffic to the same service, then you should exclude citrix.domain.com to ensure that users outside the corpnet use the external address.  If you do not exclude the address then DirectAccess enabled clients will tunnel into your corpnet and use the internal address instead. To exclude something from DNS64, enter the hostname (or entire domain suffix) and specify not to use internal DNS.  This will cause the NRPT to direct the client to query it's own DNS server (likely assigned form DHCP) to resolve the IP address.  Click OK and repeat if you have several hosts to exclude. Here's a couple common examples to exclude:
  • mail.domain.com
  • owa.domain.com
  • webmail.domain.com
  • autodiscover.domain.com
  • _sipinternaltls._tcp.domain.com
  • _sipinternal._tcp.domain.com
  • _sip._tls.domain.com
  • _sip._tcp.domain.com
  • sip.domain.com
  • sipinternal.domain.com
  • sipexternal.domain.com
The final page of this wizard lists all of the resources that a DirectAccess enabled computer should know about even before a user logs in.  This includes Domain Controllers so machines can update their group policy, Anti-Virus servers so definitions can be updated, Client Management servers like WSUS and System Center Configuration Manager so software updates can be applied, etc.  The domain controllers should be entered for you already, you'll just need to add any other hosts you deem appropriate. Here is some pretty detailed information about that particular piece of the configuration wizard.  Keep in mind that if you change the IP's or names of the servers you list here you will need to re-run this wizard and regenerate your policies (a step I haven't covered yet).  Clients will then need to process group policy to get the new settings and thankfully DirectAccess clients do that naturally.
Next Step:
Index 1. IP Addressing the UAG Server 2. Unified Access Gateway Installation & Updates 3. Firewall and DNS Considerations 4. Certificates, Groups and Client Requirements 5. Configure other Prerequisites for UAG 6. Configuration Wizard: Clients 7. Configuration Wizard: DirectAccess Server 8. Network Location Server (NLS IIS site) 9. Configuration Wizard: Infrastructure Servers 10. Configuration Wizard: Application Servers 11. Generate and Activate Policies 12. DirectAccess Connectivity Assistant 13. What won’t work over DirectAccess
Author

Shannon Fritz

Infrastructure Architect & Server Team Lead