If you would like to read the other parts in this article series please go to:
- Microsoft Forefront UAG - Configuring Forefront UAG as a DirectAccess Server (Part 2)
- Microsoft Forefront UAG - Configuring Forefront UAG as a DirectAccess Server (Part 3)
This is a three part article series about setting up Forefront UAG as a DirectAccess Server. In part I, I will show you how to configure the prerequisites for using Forefront UAG as a DirectAccess Server. Part II will show you how to configure Forefront UAG as a DirectAccess Server. Part III of this article series will show you how to troubleshoot DirectAccess client connections and how to monitor DirectAccess clients with Forefront UAG.
DirectAccess is a new feature which is built into Windows Server 2008 R2 and Windows 7 Ultimate and Enterprise. DirectAccess provides a technology called “always on” which means the client is permanently connected with the corporate network given that an Internet connection is present. With DirectAccess, users are able to access all corporate resources.
This seamless connectivity provided by DirectAccess also enables Administrators to manage its mobile computers outside the internal network. Notebooks are able to update Group Policy settings, receive software updates, Windows updates, and report security events anytime they have Internet connectivity, even if the user is not logged on. DirectAccess uses Internet Protocol Security (IPsec) to ensure data integrity and encryption. DirectAccess performs both computer and user authentication, and can be configured to require two-factor user authentication for corporate network access using smart cards and OTP.
Figure 1: DirectAccess overview (Source: MOC - 50402A-ENU_Module08.pptx)
DirectAccess infrastructure requirements
For a successful DirectAccess implementation you must configure several components on your internal IT infrastructure:
A domain joined computer running Windows 7 Enterprise or Windows 7.
Ultimate, DirectAccess clients communicate with the corporate network using Internet Protocol version 6 (IPv6) and IPsec, encapsulated over IPv4 transition technologies (6to4, Teredo, or IP-HTTPS).
A domain joined computer running Windows Server 2008 R2 or as in this article series using Forefront UAG on top that accepts connections from DirectAccess clients, and establishes communication with intranet resources. The DirectAccess server authenticates DirectAccess clients and acts as the IPsec tunnel router/gateway for the external traffic, while also acting as an IPv6/DNS64/NAT64 router forwarding the network traffic between the clients connected to the Internet, and clients and servers in the internal network.
Internal clients and server
Internal servers and clients are also joined to the IPv6 network and communicate with DirectAccess clients through the DirectAccess server. For legacy applications and non-Windows servers that have no IPv6 support, Forefront UAG translates the incoming IPv6 traffic to IPv4 using NAT64/DNS64.
You can use Network Access Protection (NAP) as an optional component for DirectAccess clients which connect to the internal network through Forefront UAG.
DirectAccess console in Forefront UAG
At first glance, the DirectAccess Management console in Forefront UAG looks similar to the one that comes with Windows Server 2008 R2, but there are some important differences. I will show you what’s different and how to configure DirectAccess with Forefront UAG in part II of this article series.
You should walk through the DirectAccess wizard after all prerequisites has been fulfilled. If not all prerequisites are fulfilled, DirectAccess will NOT be functional when the wizard steps are completed.
Figure 2: DirectAccess wizard in Forefront UAG
Active Directory requirements
The Active Directory requirements are relatively simple. Forefront UAG creates group policies for DirectAccess clients who can be associated via group policy security filtering to a Windows group or an Active Directory Organizational Unit (OU). In most of my DirectAccess implementations we used a global windows group which contains all Windows 7 Notebooks which should be enabled for DirectAccess. The Forefront UAG DirectAccess wizard creates the required group policy objects. The group policy for DirectAccess clients will be linked to the top level of the Active Directory domain with group policy security filtering for the specified windows group.
Figure 3: Active Directory user group for DirectAccess Notebooks
DNS server requirements
Internal clients who must reach DirectAccess clients on the Internet must be enabled for ISATAP. If a client / Server is able to reach the name ISATAP which points to the ISATAP Router Forefront TMG, the client will enable its ISATAP interface and is now able to communicate with DirectAcess clients.
The use of ISATAP is not required for the entire organization. Microsoft doesn’t recommend enabling ISATAP in the entire organization. You can read more about this statement here. ISATAP will be used for managed out capabilities. ISATAP enabled clients will be able to communicate with DirectAccess clients if the doesn’t support native IPv6 protocols. So if you want to enable internal clients for ISATAP, create an entry in the HOSTS file on the client with the name ISATAP which points to the internal IP address of the Forefront UAG Server.
If you want to enable ISATAP for the entire organization, we must create a new host record with the name ISATAP in the internal DNS forward lookup zone of your Active Directory for which DirectAccess should be enabled. The ISATAP host record must be associated with the internal IP address of the Forefront UAG Server.
A Windows Server 2008 or higher DNS Server doesn’t answer requests for the following names: ISATAP and WPAD. Because DirectAccess uses ISATAP (Intra Site Automatic Tunnel Addressing Protocol) as an IPv6 transition technology for internal clients and Servers you must remove ISATAP from the global DNS query blocklist. After ISATAP has been removed from the blocklist all IPv6 capable Windows clients and Servers will activate their ISATAP interface and register an IPv6 IP address with the internal DNS Server. This IP address will be used for communication between these clients and servers to the DirectAccess client.
If you do not want to globally activate ISATAP on all clients and servers, it is also possible to create an ISATAP record with the IP address of the Forefront UAG server in the local HOSTS file on the client/server. The following screenshot shows how to disable the DNS global query blocklist.
Figure 4: Disable the DNS global query blocklist
A Forefront UAG DirectAccess deployment requires the following certificates:
DirectAccess client computer
Each DirectAccess client computer requires a computer certificate that is used for establishing the IPSEC tunnel between the client and the Forefront UAG server, and when IP-HTTPS is used to connect the DirectAccess client to the Forefront UAG server if other IPV6/IPv4 transition technologies cannot be used due to limitations or restriction in the public network infrastructure.
The DirectAccess server requires a computer certificate to establish IPsec connections with DirectAccess client computers.
IP-HTTPS is an IPv6 transition technology that enables DirectAccess clients to connect to the DirectAccess server over the IPv4 Internet. Forefront UAG acts as an IP-HTTPS web server. The IP-HTTPS website requires a webserver certificate, and DirectAccess clients must be able to download the certificate revocation list (CRL) for the certificate.
Network Location Server (NPS)
The NPS Server is a web server with HTTPS binding which is located on the internal network. The DirectAccess client tries to connect to the NPS Server. If the client is able to access the DirectAccess server, the client doesn’t use DirectAccess. If the client cannot reach the NPS server, the DirectAccess client will be enabled. A DirectAccess client must be able to download the CRL for the certificate issued to the NPS server from the internal Certificate Authority.
Network Access Protection (NAP)
NAP is an optional component in Forefront UAG to enhance security. The Health Registration Authority (HRA) server obtains health certificates on behalf of NAP clients determined as compliant with network health requirements. These health certificates are later used to authenticate NAP clients for IPsec-protected communications with other NAP clients on an intranet.
It is also an optional configuration option that makes it possible to configure Forefront UAG DirectAccess with two-factor authentication using a one-time password (OTP).
You can optionally implement two-factor authentication using smartcards.
For all certificate requirements it is recommended using an internal Active Directory integrated Certificate Authority. If you use an internal Certificate Authority (CA), the CA will also publish a CRL (Certificate Revocation List).
A DirectAccess client must have access to the CRL when it connects to the Internet to check certificates for revocation, and when IPsec tunnel should be established or IP-HTTPS as the last resort for IPv6/IPv4 transition must be used. Because the default CDP (CRL Distribution Point) for HTTP is only available from internal clients we must extend the CA with a CRL using a public DNS name which is accessible from the Internet. To extend the CDP start the Certificate Authority Management Console, navigate to the properties of the CA and add an additional CDP from type HTTP as shown in the following screenshot.
Figure 5: Add the public hostname for the CRL access to the CA
After the CA has been extended with a new public available CDP for HTTP, we must create a solution which gives clients from the Internet access to the CDP. There are two common ways to do this. You can use Forefront TMG or Forefront UAG to publish the CRL.
Network Policy Server (NPS)
The Network Policy Server (NPS) is a Webserver with a HTTPS binding and a certificate issued from your internal CA which is used by DirectAccess clients to determine if they are connected to the corporate network or to the Internet. If the client cannot reach the HTTPS URL of the NPS server, the client activates its DirectAccess configuration and tries to establish a DirectAccess IPsec connection over Forefront UAG with the internal network. Because of the importance of a reachable NPS Server, Microsoft recommends to provide fault tolerance for NPS servers. For example, you can use Network Load Balancing or virtualization to provide high availability.
The configuration of a NPS server is quite simple. Install a Windows Server / client with the IIS (Internet Information Server) role and issue a web server certificate for NPS from your internal CA, and add a HTTPS binding to the default website with the certificate issued previously.
In this first article we talked about the prerequisites in order to be able to implement DirectAccess with Forefront UAG. I showed you how to configure your internal Certification Authority, and how to publish the Certificate Revocation List. We also removed ISATAP from the DNS Global Query Blocklist, created a host record for ISATAP and we created the required Active Directory group with DirectAccess clients.
- Forefront UAG DirectAccess deployment guide
- Forefront UAG DirectAccess planning guide
- Forefront UAG DirectAccess technical overview
- Secure CDP publishing with Forefront TMG and the HTTP-filter
- Planning CAs and certificates for Forefront UAG DirectAccess SP1
- Microsoft Forefront UAG – Overview of Microsoft Forefront UAG
- Forefront UAG technical overview
If you would like to read the other parts in this article series please go to: