Skip to main content

UAG DirectAccess: IP Addressing the Server

Author by Shannon Fritz

UPDATE: My guide for Configuring DirectAccess with UAG Service Pack 1 has been released! Read it here.
Before you even begin to configure UAG or DirectAccess you need to get your IP addressing squared away.  The UAG server will act as an entry point into your network (aka, the "corpnet") from the outside Internet, so you need two network interfaces. One will be connected to your network via the Internal NIC (AKA Inside Interface) and the other will be conencted to the Internet or perhaps to your DMZ through the External NIC (AKA Outside Interface). I should probably note that I originally posted a different verion of this elsewhere but it fits better here with the rest of the Walkthrough.  In any case, here are a few things to focus on when setting up your IP addresses.

Name your Network Adapters

To keep things easy to diagnose, you should rename your Network Adpaters to reflect their intended use.  Just open the network control panel, right click the adapter and rename them to something like "Internal Network" and "External Network" so you know which adapter is connected to which side of your corpnet.

Configure the External NIC

DirectAccess uses/requires two sequential IP addresses that are bound to the outside interface.  This means if you were planning on just assigning a host name and doing some port forwarding on your existing internet connection, you are out of luck.  You'll need to burn two IP's from your public block, and they must be in sequential numerical order.  So if you have A.B.C.4 then you will also need A.B.C.5.
  1. Right click the External Interface and select Properties.  Uncheck File and Printer Sharing for Microsoft Networks and uncheck Client for Microsoft Networks.  We won't be needing either of those.
  2. Select the TCP/IPv4 item and click Properties. Select "Use the following IP address" but do not enter anything else on this page; instead click the Advanced button.  Here you can enter both of the public IP addresses that will be used for DirectAccess.  Click Add, enter the first IP and it's Subnet and add it.  Repeat for the second IP.  Add the Gateway (which is your ISP's internet gateway or the Gateway on your DMZ) by clicking the Add button for that section; you can leave the automatic metric checked.
  3. Select the DNS tab and make sure "Register this connection's address in DNS" is not checked.  You should also make sure there are no DNS server addresses set here.  You want this server to always use internal DNS servers so it'll be configured on the Internal NIC only.
  4. Select the WINS tab and select Disable NetBIOS over TCP/IP.  You can "OK" your way back to the Network Control Panel.

Configure the Internal NIC

As long as you are running 100% IPv4 on your corpnet (internal network) then you only need one IPv4 address on your Internal NIC.  This TechNet article discusses the possible IP infrastructure options you might be using.  I am assuming you are "the most common situation" and have no existing IPv6 infrastructure.
  1. Right click your Internal NIC and select Properties.  Select the TCP/IPv4 item and click Properties. Select "Use the following IP address" and enter the IP and Subnet but do not enter a Gateway.  The Gateway needs to be set on the External NIC only so that all traffic that is not destined for something within your corpnet is treated as “External” and will get routed through the outside interface.  You should, however, enter the IP's of your internal DNS servers.
  2. Do a quick check of the advanced settings to ensure that "Register this connection's address in DNS" is checked on the Internal NIC and enter your domain name in the Suffix field.
From an elevated command prompt run "net stop iphlpsvc && net start iphlpsvc" to restart the IP Helper Service.

Add Static Routes to the Internal NIC

The External NIC holds the default gateway setting and the Internal NIC does not.  This would work out fine if your entire domain works in the same subnet, but what if you have multiple subnets or VLAN’s in your domain? Without a gateway on the internal nic, your server will only be able to the Internet and to servers within the same subnet that you defined on the Internal NIC. You can fix this by defining "persistent static routes". Any traffic that is destined for an IP address that matches a range that has been defined in one of these routes will traverse your Internal NIC and anything else will go through the default gateway (aka the default route) over the External NIC. I like to get the list of Subnets from the AD Sites and Services MMC and then run the following command from an elevated/administartor command prompt for each one. NOTE: In slash notation a /16 means a subnet of and /24 is All routes should get "metric 1" and using -p makes the route persistent (it'll still be there after a reboot).
So let's say for example that your UAG server has an internal IPv4 address of and would normally use as it’s gateway to reach your network.  Instead of defining a default gateway you would add a route for it like this:
> route add mask metric 1 –p
So now instead of using the default route which would go out to the Internet, it'll use your static route into your Intranet.  Repeat that for every network that you want your UAG server (and the people/computers connecting to it) to be able to reach.  Once you are done you can examine your work by running "route print".

Change Binding Order

I am not sure this makes much of a difference really, but while troubleshooting another issue with Microsoft, they had me change the binding order under the Advanced Settings of the Network Connections Control Panel. Just hit Alt to bring up the Advanced menu, select Advanced settings and then move the Internal NIC to the top of the list.

Check your Wiring

Once you have all this done, the last thing you need to do (or perhaps first thing you should have done) is to make sure the nics are actually attached to the correct network. Ensure that the routing on your switches and gateways is set up correctly and if you’re using a VM be certain that your virtual networks are configured correctly to allow access to the both the internal and external network segments.  Documenting the entire path that traffic takes from inside to outside and vice-versa can help you a lot down the road in knowing what routers or firewalls might need some attention. Note: Jason Jones, a Forefront MVP, also has a really good post on this topic as well. Edit: Thank you Tom Shinder for your very constructive criticism on this post.
Next Step:
Index 1. IP Addressing the UAG Server 2. Unified Access Gateway Installation & Updates 3. Firewall and DNS Considerations 4. Certificates, Groups and Client Requirements 5. Configure other Prerequisites for UAG 6. Configuration Wizard: Clients 7. Configuration Wizard: DirectAccess Server 8. Network Location Server (NLS IIS site) 9. Configuration Wizard: Infrastructure Servers 10. Configuration Wizard: Application Servers 11. Generate and Activate Policies 12. DirectAccess Connectivity Assistant 13. What won’t work over DirectAccess

Shannon Fritz

Infrastructure Architect & Server Team Lead