UAG SP1 DirectAccess: Configuration Guide

A few months ago I wrote a series of blog posts that covered the configuration of DirectAccess using Unified Access Gateway RTM, and it was pretty popular so I decided to update it now that UAG Service Pack 1 has been released. There is a fairly substantial number of enhancements that make the new release worth using. For me, some of the highlights for DirectAccess with UAG SP1 include:

• Improved Configuration Wizards
• Simplified Configuration of the Connectivity Assistant
• Easier Configuration of "Manage Out" Deployments

If you are already using UAG RTM for DirectAccess I highly recommend you make the upgrade to SP1. The process has been pretty simple in the deployments I have already done. You just install the service pack on the UAG server, click through the configuration wizards, regenerate the policies and then activate the configuration. Your DirectAccess clients will continue to work so you don't need to worry about any significant down time or needing to bring those machines in-house or anything. This new guide re-uses portions of the older guide where the information has not changed but I decided to re-post them to keep this new guide complete on it's own and leave the RTM guide in tact. Now, without further adieu, here's The DirectAccess Configuration Guide for Unified Access Gateway SP1!

1. Before Getting Started (this page)
2. IP Addressing the Server
3. Installation and Updates
4. Certificates, Groups and Prerequisites
5. Internal and External DNS
6. Network Location Server (NLS)
7. Firewalls and TMG Settings
8. Config Wizard: The First Time
9. Config Wizard: Clients
10. Config Wizard: DirectAccess Server
11. Config Wizard: Infrastructure Servers
12. Config Wizard: End-to-End Access
13. Apply and Activate
14. Connectivity Assistant v1.5

I recomend you also review the UAG SP1 Deployment Guide at TechNet and look over the official list of prerequisites.

Before Getting Started

The first step in deploying UAG for DirectAccess will be to understand what this guide will do for you and what you will need in your environment before getting started with UAG or DirectAccess.

• We'll be setting up a very simple, single instance UAG server.  This does create a potential "single point of failure" but greatly reduces the complexity of setup.  Once you have this in place you can move on to building NLB clusters and a High Availability UAG environment, but for now, let's keep it simple.  Call it a Proof-of-Concept as opposed to full production-ready configuration.
• DirectAccess without UAG would require you to have at least one Domain Controller (or just a DNS server) that is running Windows Server 2008 or 2008 R2 to support IPv6 in DNS.  Also, without UAG the domain functional level would need to be at 2003 Native or higher. These are no longer requirements thanks to the NAT64 and DNS64 features of UAG. However, that being said, I recommend you have at least one 2008 R2 domain controller to leverage the extended Group Policy schema for Windows 7.
• You should already have a PKI set up.  If you do not have an Enterprise Certificate Server with Auto-Enrollment set up for your workstations, start here.  Without computer certificates DirectAccess will not work and without Auto Enrollment things just get complicated and cumbersome.
• Using aVirtual Machine for UAG is 100% supported (and I recommend it). Give this machine 4 CPU’s and 8GB of memory, although this is about twice the minimum requirements.
• You’ll need a minimal amount of disk space to hold just the OS and 2.5GB for UAG. If you are using a VM then 40GB on a dynamic disk is great but still more than you really need.
• Install Windows Server 2008 R2 Standard. If you want to, Enterprise is supported but not required, even if you plan on setting up a cluster of UAG servers later because it uses NLB and not Failover Clustering. If you are re-using hardware be sure to delete all existing partitions and let the Windows installer create them for you.
• When you name the server make sure it is 15 characters or less. While NetBIOS is dead in our hearts it is still lurking there in the ghost of the machine.
• The server needs TWO network interfaces, one will need to be connected to your external network or DMZ, the other internal. It'll look like this.
• You will need TWO external IP’s that are in numerical order (x.x.x.1 and x.x.x.2). You cannot use NAT, the IP's on the external NIC must be public addresses that can be ping'd.
• The first IP will need an External DNS record. DA.[yourdomain].com would be fine. This name will be used later when you create a certificate for the IP-HTTPS interface.
• Collect a list of all IPv4 networks (ip range, subnets, gateways) and vlan’s in your enterprise that you want the DirectAccess clients to have access to. You'll need to create static routes on the UAG server so it and the clients will to be able communicate with endpoints in each of your subnets.
• Make sure the workstations that you want to enable for DirectAccess are running Windows 7 Enterprise or Ultimate. Other / earlier versions of Windows do not support DirectAccess. Keep in mind you can use UAG as a way of establishing an SSL VPN for older clients like XP, but this guide does not cover that.
• There are a few IIS sites that we’ll need to put someplace. Try to think of a server that might be appropriate for this (like an intranet site server or an IIS farm). Another option that works well is to use the PKI / Certificate server for this purpose since it usually already has IIS installed.

With all that in mind, the network connectivity diagram will look something like this: The remote DirectAccess Client machine is likely behind a router at their home or hotel someplace which connects to the internet and the UAG server over an IPv4 network.  The traffic which is destined for the corporate resources gets wrapped up in secure and virtual IPv6 network that is established between the client computer's virtual adapter and the UAG server.  Then the traffic is then dropped onto the corporate IPv4 network and arrives at the corporate resource. There are a number of variations on this diagram, including firewalls on either side of the UAG server, but that is essentially how DirectAccess works over a pure IPv4 network and what this guide will walk you through setting up. A lot of this walk-through guide is based on the contents of the Microsoft guide for Step by Step: Demonstrating Direct Access in a Lab, Step by Step Troubleshooting DirectAccess and Tom Shinder's Test Lab Guide for UAG SP1 RC.  In case I miss something or you want more details you should refer first to those documents. Once you have completed the configuration you'll be able to enable computers for DirectAccess by simply adding the computer to a Security Group or an OU in Active Directory and reboot it.  Then the computer (and the person using it) can access your corporate resources from anyplace they have Internet access.