DirectAccess with UAG

DirectAccess (a remote access solution for Windows 7 and Windows 2008 R2)

It extends the corporate network to the client sitting on the Internet.

It creates two tunnels

The first is a pre-logon tunnel that communicates with the infrastructure servers (patch management, health check and GPOs) in the corporate network

The second tunnel is established when you log on. It provides network-level computer/user authentication and encryption

Forefront UAG is a single entry-point for all remote access


It also extends Windows DirectAccess capabilities to IPv4 only servers

You can publish applications and reverse proxy with UAG

UAG Array

  • We can build up to 8 array members (NLB)
  • One server acts as the Array Manager Server (AMS)
    • It propagates configuration to the other members


UAG DirectAccess Functions

  • Runs DirectAccess Wizard
  • Provides IPSec tunnel gateway to/from DirectAccess clients
  • Routes IPv6 traffic between clients and servers on the corporate network
  • Provides IPv6 over IPv4 tunnel end-points for internet clients
  • Can provide ISATAP router to support IPv6 over IPv4 for intranet
  • Can provide DNS64 and NAT64
    • Supports IPv6 to IPv4 translation for IPv4-only internal resources


Planning is Essential

  • Identify DirectAccess clients
  • Identify servers to be available via the infrastructure tunnel
    • DCs, DNS, management servers, NAP servers etc.
  • Identify servers to be available to users via the intranet tunnel
  • Identify servers requiring end-point authentication/encryption
  • Choose name resolution options (anything for internal servers goes to internal DNS)
  • Design the network location server
  • Choose authentication enhancements
    • Smart card, NAP health certificates
  • Design PKI and issue required certificates
    • Must include design for CRL distribution points
  • Design the internal IPv6 network connectivity
  • Design Active Directory subnets
  • Design UAG server array and placement requirements