Editing: Test Lab Guide: Demonstrate Forefront UAG SP1 RC DirectAccess with Secure Socket Tunneling Protocol (SSTP) - Community Edition
<html> <body> <p>This is the text of the <a href="http://go.microsoft.com/fwlink/?LinkId=206283"><span style="color:#0066dd">Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess with Secure Socket Tunneling Protocol (SSTP)</span></a> Test Lab Guide, which you can download at <a href="http://go.microsoft.com/fwlink/?LinkId=206283">http://go.microsoft.com/fwlink/?LinkId=206283</a> </p> <p>I am posting the entire text of the Test Lab Guide here with the goal that the community can improve on the Test Lab Guide by adding new options, demonstrating new features, or just correct errors in the text :) In fact, you can make any changes you like - that is the nature of a wiki. I'm looking forward to seeing how you all can make this great Test Lab Guide even better!</p> <p>========================================================</p> <h1 style="margin:24pt 0in 0pt"><a name="Introduction"></a><a name="_Toc277243945"></a><a name="_Toc265500018"><span style="font-family:Cambria; color:#365f91">Introduction</span></a></h1> <p class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-family:Calibri; font-size:small">DirectAccess is a new feature in the Windows 7 and Windows Server 2008 R2 operating systems that gives users the experience of being seamlessly connected to their intranet any time they have Internet access. With DirectAccess enabled, requests for intranet resources (such as e-mail servers, shared folders, or intranet Web sites) are securely directed to the intranet, without requiring users to connect to a VPN. DirectAccess provides increased productivity for a mobile workforce by offering the same connectivity experience both inside and outside the office. 
</span></p> <p class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-family:Calibri; font-size:small">Forefront Unified Access Gateway (UAG) SP1 RC extends the value of the Windows DirectAccess solution by adding features that meet the requirements of many enterprise deployments:</span></p> <ul style="margin-top:0in; list-style-type:disc"> <li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-family:Calibri; font-size:small">Support for arrays of up to 8 UAG DirectAccess servers where configuration is done once on an array master and is automatically deployed to all other members of the array</span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-family:Calibri; font-size:small">Support for Network Load Balancing, which enables the UAG DirectAccess SP1 RC array to be highly available without requiring the use of an external hardware load balancer</span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-family:Calibri; font-size:small">Support for IPv4-only networks, network segments, or server or application resources with the help of NAT64/DNS64 IPv6/IPv4 transition technologies.</span> </li></ul> <p class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-family:Calibri; font-size:small">To learn more about UAG DirectAccess, see the following resources:</span></p> <p class="MsoListParagraphCxSpFirst" style="line-height:150%; text-indent:-0.25in; margin:2pt 79.9pt 0pt 0.5in"> <span style="font-family:Symbol"><span style="font-size:small">·</span><span style="font-style:normal; font-variant:normal; font-weight:normal; font-size:7pt; line-height:normal; font-family:'Times New Roman'"> </span></span><a href="http://technet.microsoft.com/en-us/library/ee406191.aspx"><span style="line-height:150%; font-size:10pt; font-family:Calibri; color:#0000ff">Forefront UAG DirectAccess Design Guide</span></a></p> <p class="MsoListParagraphCxSpLast" style="line-height:150%; text-indent:-0.25in; 
margin:0in 79.9pt 6pt 0.5in"> <span class="MsoHyperlink" style="line-height:150%; font-size:10pt; font-family:Symbol; text-decoration:underline; color:#0000ff">·<span style="font-style:normal; font-variant:normal; font-weight:normal; font-size:7pt; line-height:normal; font-family:'Times New Roman'"> </span></span><a href="http://technet.microsoft.com/en-us/library/dd857320.aspx"><span style="line-height:150%; font-size:10pt; font-family:Calibri; color:#0000ff">Forefront UAG DirectAccess Deployment Guide</span></a><span class="MsoHyperlink" style="line-height:150%; font-size:10pt"></span></p> <p class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">UAG SP1 RC supports hosting multiple roles on a single UAG server or UAG array. For example, you might want to host both the DirectAccess server and SSTP VPN server roles on the same server or array. Windows 7 clients that are configured as DirectAccess clients will automatically use DirectAccess to connect to intranet resources. Windows 7 clients that are not domain members, or that are not configured as DirectAccess clients, can use SSTP to connect to the intranet using a network level VPN connection. In addition, DirectAccess clients hosting applications that are not compatible with DirectAccess can connect to the SSTP VPN when they need to use the non-compatible application.</span></p> <p class="AlertLabel" style="margin:6pt 0in 0pt"><span style="font-size:small; font-family:Calibri"></span><strong><span style="font-size:small; font-family:Calibri">Note </span></strong></p> <p class="AlertText" style="margin:0in 0.25in 10pt"><span style="font-size:small; font-family:Calibri">Non-Windows 7 operating systems (such as Windows Vista, Windows XP) can use the UAG Network Connector to connect to the intranet using a network level SSL VPN connection. However, you cannot host the Network Connector application on the same server or array that is also hosting DirectAccess. 
To support network level VPN connectivity for non-Windows 7 clients, you will need to deploy a second UAG server or array.</span></p> <p class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri"> </span></p> <h2 style="margin:10pt 0in 0pt"><a name="In_this_guide"></a><a name="_Toc277243946"></a><a name="_Toc265500019"></a><a name="_Toc250629632"><span style="font-size:medium; font-family:Cambria; color:#4f81bd">In this guide</span></a></h2> <p class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">This guide provides step-by-step instructions for configuring UAG DirectAccess SP1 RC with SSTP in a test lab so that you can see how it works. You will set up and deploy UAG DirectAccess SP1 RC using five server computers, two client computers, Windows Server 2008 R2 Enterprise edition, and Windows 7 Ultimate Edition. The Test Lab simulates intranet, Internet, and home networks, and demonstrates a co-located Forefront UAG DirectAccess and SSTP VPN server role deployment. The starting point for this paper is the </span><a href="http://go.microsoft.com/fwlink/?LinkId=204993"><span style="line-height:115%; font-size:10pt; font-family:Calibri">Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess</span></a><span style="font-family:Calibri"><span class="MsoHyperlink" style="line-height:115%; font-size:10pt; text-decoration:underline; color:#0000ff"> </span><span style="font-size:small">. 
</span></span></p> <table cellpadding="0" border="1" class="MsoNormalTable" style="margin:auto auto auto 3.75pt; width:97%; border:1pt solid #dddddd"> <tbody> <tr> <td valign="bottom" style="border-color:#cccccc #cccccc #c8cdde; border-width:1pt; border-style:solid; background-color:#efeff7; padding:3.75pt"> <p class="MsoNormal" style="margin:0in 0in 10pt"><strong><span style="font-size:small; font-family:Calibri"></span><span style="font-size:small; font-family:Calibri">Important: </span></strong></p> </td> </tr> <tr> <td valign="top" style="border-color:#cccccc #d5d5d3 #cccccc #cccccc; border-width:1pt; border-style:solid; background-color:#f7f7ff; padding:3.75pt"> <p class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">These instructions are designed for configuring a test lab using the minimum number of computers. Individual computers are needed to separate the services provided on the network, and to show clearly the required functionality. This configuration is not designed to reflect best practices, nor does it reflect a required or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed to work only on a separate test lab network. 
For more information on planning and deploying DirectAccess with Forefront UAG, please see the </span><a href="http://technet.microsoft.com/en-us/library/ee406191.aspx"><span style="line-height:115%; font-size:10pt; font-family:Calibri; color:#0000ff">Forefront UAG DirectAccess design guide</span></a><span style="font-size:small; font-family:Calibri"> and the </span><a href="http://technet.microsoft.com/en-us/library/dd857320.aspx"><span style="line-height:115%; font-size:10pt; font-family:Calibri; color:#0000ff">Forefront UAG DirectAccess deployment guide</span></a></p> </td> </tr> </tbody> </table> <h1 style="margin:24pt 0in 0pt"><a name="Overview_of_the_test_lab_scenario"></a><a name="_Toc277243947"></a><a name="_Toc267915211"><span style="font-family:Cambria; color:#365f91">Overview of the test lab scenario</span></a></h1> <p class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">In this test lab scenario, Forefront UAG DirectAccess SP1 RC is deployed with:</span></p> <ul style="margin-top:0in; list-style-type:disc"> <li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">One computer running Windows Server 2008 R2 Enterprise Edition (DC1), that is configured as an intranet domain controller, Domain Name System (DNS) server, Dynamic Host Configuration Protocol (DHCP) server, and an enterprise root certification authority (CA).</span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">One intranet member server running Windows Server 2008 R2 Enterprise Edition (UAG1), that is configured as a Forefront UAG SP1 RC DirectAccess and SSTP VPN server.</span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">One intranet member server running Windows Server 2008 R2 Enterprise Edition (APP1) that is configured as a general application server and network location 
server.</span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">One intranet member server running Windows Server 2003 SP2 (APP3) that is configured as an IPv4 only web and file server. This server is used to highlight the UAG’s NAT64/DNS64 capabilities.</span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">One standalone server running Windows Server 2008 R2 Enterprise Edition (INET1) that is configured as an Internet DNS and DHCP server.</span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">One standalone client computer running Windows 7 Ultimate Edition (NAT1), that is configured as a network address translator (NAT) device using Internet Connection Sharing.</span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">One roaming domain member client computer running Windows 7 Ultimate Edition (CLIENT1) that is configured as a DirectAccess client.</span> </li></ul> <p class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">The test lab consists of three subnets that simulate the following:</span></p> <ul style="margin-top:0in; list-style-type:disc"> <li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">A home network named Homenet (192.168.137.0/24) connected to the Internet subnet by NAT1.</span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">The Internet subnet (131.107.0.0/24).</span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">The Corpnet subnet (10.0.0.0/24) separated from the Internet by the Forefront UAG DirectAccess server.</span> </li></ul> <p class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; 
font-family:Calibri">Computers on each subnet connect using either a physical or virtual hub or switch, as shown in the following figure.</span></p> <p class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri"></span></p> <h1 style="margin:24pt 0in 0pt"><a name="Configuration_component_requirements"></a><a name="_Toc277243948"></a><a name="_Toc267915212"><span style="font-family:Cambria; color:#365f91">Configuration component requirements</span></a></h1> <p class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">The following components are required for configuring Forefront UAG DirectAccess in the test lab:</span></p> <ul style="margin-top:0in; list-style-type:disc"> <li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">The product disc or files for Windows Server 2008 R2 Enterprise Edition.</span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">The product disc or files for Windows Server 2003 Enterprise SP2.</span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">The product disc or files for Windows 7 Ultimate.</span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">Five computers or virtual machines that meet the minimum hardware requirements for Windows Server 2008 R2 Enterprise; two of these computers have two network adapters installed.</span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">One computer or virtual machine that meets the minimum hardware requirements for Windows Server 2003 SP2.</span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">Two computers or virtual machines that meet the minimum hardware requirements for Windows 7 Ultimate; 
one of these computers has two network adapters installed (NAT1).</span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">The product disc or a downloaded version of Microsoft Forefront Unified Access Gateway (UAG) SP1 RC.</span> </li></ul> <p class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">This Test Lab Guide demonstrates a combined UAG SP1 RC DirectAccess and SSTP deployment. </span></p> <p class="AlertLabel" style="margin:6pt 0in 0pt"><span style="font-size:small; font-family:Calibri"></span><strong><span style="font-size:small; font-family:Calibri">Important </span></strong></p> <p class="AlertText" style="margin:0in 0.25in 10pt"><span style="font-size:small; font-family:Calibri">The following instructions are for configuring a test lab using the minimum number of computers. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. It is important to remember that this configuration is neither designed to reflect best practices nor does it reflect a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed only to work on a separate test lab network.</span></p> <p class="AlertText" style="margin:0in 0.25in 10pt"><span style="font-size:small; font-family:Calibri">Attempting to adapt this test lab configuration to a pilot or production deployment can result in configuration or functionality issues. 
To ensure proper configuration and operation of UAG DirectAccess and SSTP, please refer to the </span> <a href="http://technet.microsoft.com/en-us/library/dd857320.aspx"><span style="line-height:115%; font-size:10pt; font-family:Calibri; color:#0000ff">Forefront UAG DirectAccess Deployment Guide</span></a><span style="font-size:small; font-family:Calibri"> for the steps to configure the UAG DirectAccess server and supporting infrastructure servers.</span></p> <h1 style="margin:24pt 0in 0pt"><a name="Steps_for_configuring_the_test_lab"></a><a name="_Toc277243949"><span style="font-family:Cambria; color:#365f91">Steps for configuring the test lab</span></a></h1> <p class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">The following sections describe how to configure UAG1 as both a DirectAccess and SSTP VPN server. After UAG1 is configured, this guide provides steps for demonstrating the DirectAccess and SSTP VPN functionality for CLIENT1 when it is connected to the Homenet subnet.</span></p> <p class="AlertLabel" style="margin:6pt 0in 0pt"><span style="font-size:small; font-family:Calibri"></span><strong><span style="font-size:small; font-family:Calibri">Note </span></strong></p> <p class="AlertText" style="margin:0in 0.25in 10pt"><span style="font-size:small; font-family:Calibri">You must be logged on as a member of the Domain Admins group or a member of the Administrators group on each computer to complete the tasks described in this guide. If you cannot complete a task while you are logged on with an account that is a member of the Administrators group, try performing the task while you are logged on with an account that is a member of the Domain Admins group. 
For all tasks described in this document you can use the <strong>CONTOSO\User1</strong> account created when you went through the steps in the UAG DirectAccess </span><a href="http://go.microsoft.com/fwlink/?LinkId=204993"><span style="line-height:115%; font-size:10pt; font-family:Calibri">Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess</span></a><span style="font-family:Calibri; font-size:small">.</span></p> <p class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-family:Calibri; font-size:small">The following procedures are performed to enable and allow you to test the UAG SP1 RC DCA:</span></p> <p class="MsoListParagraphCxSpFirst" style="line-height:115%; text-indent:-0.25in; margin:0in 0in 10pt 0.5in"> <span style="font-family:Symbol"><span style="font-size:small">·</span><span style="font-style:normal; font-variant:normal; font-weight:normal; font-size:7pt; line-height:normal; font-family:'Times New Roman'"> </span></span><span style="font-size:small; font-family:Calibri"><strong>Step 1: Complete the Demonstrate UAG SP1 RC DirectAccess Test Lab Guide – </strong>The first step is to complete all the steps in the </span><a href="http://go.microsoft.com/fwlink/?LinkId=204993"><span style="line-height:115%; font-size:10pt; font-family:Calibri">Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess</span></a><span style="font-family:Calibri; font-size:small">.</span></p> <p class="MsoListParagraphCxSpMiddle" style="line-height:115%; text-indent:-0.25in; margin:0in 0in 10pt 0.5in"> <span style="font-family:Symbol"><span style="font-size:small">·</span><span style="font-style:normal; font-variant:normal; font-weight:normal; font-size:7pt; line-height:normal; font-family:'Times New Roman'"> </span></span><span style="font-family:Calibri; font-size:small"><strong>Step 2: Create the HTTPS Trunk</strong>. UAG uses the concept of “trunk” as the primary listener for incoming SSL connections to a UAG portal page. 
In this step you will create an SSL Trunk that can be used to create a portal page that includes the SSTP VPN application.</span></p> <p class="MsoListParagraphCxSpMiddle" style="line-height:115%; text-indent:-0.25in; margin:0in 0in 10pt 0.5in"> <span style="font-family:Symbol"><span style="font-size:small">·</span><span style="font-style:normal; font-variant:normal; font-weight:normal; font-size:7pt; line-height:normal; font-family:'Times New Roman'"> </span></span><span style="font-family:Calibri; font-size:small"><strong>Step 3: Configure the Remote Network Access Settings</strong>. The SSTP application requires configuration of a number of settings before it can be deployed. In this step you will configure these settings.</span></p> <p class="MsoListParagraphCxSpMiddle" style="line-height:115%; text-indent:-0.25in; margin:0in 0in 10pt 0.5in"> <span style="font-family:Symbol"><span style="font-size:small">·</span><span style="font-style:normal; font-variant:normal; font-weight:normal; font-size:7pt; line-height:normal; font-family:'Times New Roman'"> </span></span><span style="font-family:Calibri; font-size:small"><strong>Step 4: Add the SSTP Remote Network Access Application to the Trunk</strong>. In order for users to access the SSTP VPN application, that application must be added to a trunk. In this step you will add the SSTP application to the HTTPS trunk.</span></p> <p class="MsoListParagraphCxSpMiddle" style="line-height:115%; text-indent:-0.25in; margin:0in 0in 10pt 0.5in"> <span style="font-family:Symbol"><span style="font-size:small">·</span><span style="font-style:normal; font-variant:normal; font-weight:normal; font-size:7pt; line-height:normal; font-family:'Times New Roman'"> </span></span><span style="font-family:Calibri; font-size:small"><strong>Step 5: Activate the Configuration and View Activation in the Activation Monitor</strong>. You need to activate the configuration after adding the SSTP VPN application to the trunk. 
In this step you will activate the configuration and view the activation process in the Activation Monitor.</span></p> <p class="MsoListParagraphCxSpMiddle" style="line-height:115%; text-indent:-0.25in; margin:0in 0in 10pt 0.5in"> <span style="font-family:Symbol"><span style="font-size:small">·</span><span style="font-style:normal; font-variant:normal; font-weight:normal; font-size:7pt; line-height:normal; font-family:'Times New Roman'"> </span></span><span style="font-family:Calibri; font-size:small"><strong>Step 6</strong>: <strong>Test DirectAccess and SSTP Connectivity</strong>. After activation is complete, you are ready to test both DirectAccess and SSTP connectivity. In this step you will confirm DirectAccess connectivity and then start an SSTP VPN connection through the portal.</span></p> <p class="MsoListParagraphCxSpLast" style="line-height:115%; text-indent:-0.25in; margin:0in 0in 10pt 0.5in"> <span style="font-family:Symbol"><span style="font-size:small">·</span><span style="font-style:normal; font-variant:normal; font-weight:normal; font-size:7pt; line-height:normal; font-family:'Times New Roman'"> </span></span><span style="font-size:small; font-family:Calibri"><strong>Step 7:</strong> <strong>Snapshot the configuration</strong>. After completing the Test Lab, take a snapshot of the working UAG DirectAccess with SSTP Test Lab so that you can return to it later to test additional scenarios.</span></p> <p class="AlertLabel" style="margin:6pt 0in 0pt"><span style="font-size:small; font-family:Calibri"></span><strong><span style="font-size:small; font-family:Calibri">Note </span></strong></p> <p class="AlertText" style="margin:0in 0.25in 10pt"><span style="font-size:small; font-family:Calibri">You will notice that there are several steps that begin with an asterisk (*). 
The * indicates that the step requires that you move to a computer or virtual machine that is different from the computer or virtual machine you were at when you completed the previous step. </span></p> <h2 style="margin:10pt 0in 0pt"><a name="STEP_1_Complete_the_Demonstrate_UAG_SP1_RC_DirectAccess_Test_Lab_Guide"></a><a name="_Toc277243950"><span style="font-size:medium; font-family:Cambria; color:#4f81bd">STEP 1: Complete the Demonstrate UAG SP1 RC DirectAccess Test Lab Guide</span></a><span style="font-size:medium; color:#4f81bd; font-family:Cambria"> </span></h2> <p class="AlertText" style="margin:0in 0.25in 10pt 0in"><span style="font-size:small; font-family:Calibri">The first step is to complete all the steps in the </span><a href="http://go.microsoft.com/fwlink/?LinkId=204993"><span style="line-height:115%; font-size:10pt; font-family:Calibri">Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess</span></a><span style="font-size:small; font-family:Calibri">. After completing the steps in that Test Lab Guide you will have the core infrastructure required to complete this Test Lab Guide on how to configure the UAG DirectAccess DCA. If you have already completed the steps in that Test Lab Guide and saved a snapshot or disk image of the Test Lab, you can restore the snapshot or image and begin with the next step.</span></p> <h2 style="margin:10pt 0in 0pt"><a name="STEP_2_Create_the_HTTPS_Trunk"></a><a name="_Toc277243951"></a><a name="_Toc265500029"><span style="font-size:medium; font-family:Cambria; color:#4f81bd">STEP 2: </span></a><span style="font-size:medium; color:#4f81bd; font-family:Cambria">Create the HTTPS Trunk</span></h2> <p class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">UAG uses the concept of “trunk” as the primary listener for incoming SSL connections to a UAG portal page. In this step you will create an SSL Trunk that can be used to create a portal page that includes the SSTP VPN application. 
</span></p> <ol style="margin-top:0in; list-style-type:decimal"> <li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">At the UAG1 computer or virtual machine, log on as CORP\User1. Click <strong>Start</strong> and then click <strong>All Programs</strong>. Click<strong> Microsoft Forefront UAG</strong> and then click <strong>Forefront UAG Management</strong>.</span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">In the right pane of the console, click <strong>Allow remote access to the UAG server via an HTTPS trunk</strong>.</span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">On the <strong>Welcome to the Create Trunk Wizard</strong> page, click <strong>Next</strong>.</span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">On the <strong>Step 1 – Select Trunk Type</strong> page, select the <strong>Portal trunk</strong> option and click <strong>Next</strong>.</span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">On the <strong>Step 2 – Setting the Trunk</strong> page, in the <strong>Trunk name</strong> text box, enter <strong>HTTPSTrunk</strong>. In the <strong>Public host name</strong> text box, enter <strong>uag1.contoso.com</strong>. In the <strong>External Web Site</strong> section, confirm that the <strong>IP address </strong>is <strong>131.107.0.2</strong>. Confirm that the <strong> HTTP port</strong> is <strong>80</strong> and confirm that the <strong>HTTPS port </strong>is <strong>443</strong>. Click <strong>Next</strong>. </span></li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">On the <strong>Step 3 – Authentication</strong> page, click the <strong>Add</strong> button. 
In the <strong>Authentication and Authorization Servers</strong> dialog box, click the <strong> Add</strong> button.</span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">In the <strong>Add Authentication Server</strong> dialog box, in the <strong>Server type</strong> drop down list, confirm that <strong>Active Directory </strong>is selected. In the <strong>Server Name </strong> text box, enter <strong>dc1.corp.contoso.com</strong>. In the <strong>Connection Settings</strong> section, select <strong>Use local Active Directory forest authentication</strong>. In the <strong> Search Settings</strong> section, click the ellipses (…) button. In the <strong>Search Root (Base DN)</strong> dialog box, confirm that the <strong>Select Base DN </strong>entry is <strong>CN=Users,DC=corp,DC=contoso,DC=com</strong>. Click <strong>OK</strong>. In the <strong>Server access</strong> section, in the <strong> User (domain\user)</strong> text box, enter <strong>CORP\User1</strong>. In the <strong> Password</strong> text box, enter User1’s password. Click <strong>OK</strong>. </span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">In the <strong>Authentication and Authorization Servers</strong> dialog box, click <strong> Select</strong>. On the <strong>Step 3 – Authentication </strong>page, confirm that <strong>User selects from a server list</strong> is selected and that there is a checkmark in the <strong>Show server names</strong> checkbox. Click <strong>Next</strong>.</span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">On the <strong>Step 4 – Certificate</strong> page, confirm that <strong>uag1.contoso.com</strong> appears in the <strong>Server certificate</strong> drop down list. Click <strong>Next</strong>. 
</span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">On the <strong>Step 5 – Endpoint Security</strong> page, select the <strong>Use Forefront UAG access policies</strong> option and click <strong>Next</strong>. </span></li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">On the <strong>Step 6 – Endpoint Policies</strong> page, in the <strong>Nonprivileged access policy</strong> dropdown box, select <strong>Always</strong>. Note that we select <strong>Always</strong> in this Test Lab because the default access policy requires that clients have antivirus software installed. In this Test Lab CLIENT1 does not have antivirus software installed so we need to change from the default <strong>Nonprivileged access policy</strong> to one that will allow a system without antivirus software to access the portal. Click <strong>Next</strong>.</span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">On the <strong>Completing the Create Trunk Wizard</strong> page, click <strong>Finish</strong>. </span></li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">In the <strong>Trunk Configuration</strong> section, click the <strong>Configure</strong> button. On the <strong>Advanced Trunk Configuration [HTTPSTrunk]</strong> page, click the <strong>Session</strong> tab. In the <strong>Default Sessions Settings</strong> section, in the <strong>Inactive session timeout (seconds)</strong> text box, enter <strong>1800</strong>. In the <strong>Trigger automatic logoff after</strong> text box, enter <strong>1440</strong>. Click <strong>OK</strong>. </span></li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">Click the <strong>File</strong> menu and click <strong>Activate</strong>. 
On the <strong>Activate Configuration</strong> page, click the <strong>Activate</strong> button. Click <strong>Finish</strong> when the activation completes.</span> </li></ol> <h2 style="margin:10pt 0in 0pt"><a name="STEP_3_Configure_the_Remote_Network_Access_Settings"></a><a name="_Toc277243952"></a><a name="_Toc265500030"><span style="font-size:medium; font-family:Cambria; color:#4f81bd">STEP 3: </span></a><span style="font-size:medium; color:#4f81bd; font-family:Cambria">Configure the Remote Network Access Settings</span></h2> <p class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">The SSTP application requires configuration of a number of settings before it can be deployed. In this step you will configure these settings. </span></p> <ol style="margin-top:0in; list-style-type:decimal"> <li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">In the <strong>Microsoft Forefront Unified Access Gateway Management</strong> console, click the <strong>Admin</strong> menu and point to <strong>Remote Network Access</strong>. Click on <strong>SSL Network Tunneling (SSTP)…</strong> . </span></li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">In the <strong>SSL Network Tunneling Configuration</strong> dialog box, on the <strong>General</strong> tab, put a checkmark in the <strong>Enable remote client VPN access</strong> checkbox. In the <strong>Maximum VPN Client connections</strong> text box, enter <strong>10</strong>. In the <strong>SSL Tunneling VPN Trunk</strong> section, from the <strong>Trunk</strong> drop down list, select <strong>HTTPSTrunk</strong>. Confirm that it says <strong>uag1.contoso.com</strong> in the <strong>Public host name</strong> box.</span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">Click the <strong>Protocols</strong> tab. 
Confirm that there is a checkmark in the <strong> Secure Socket Tunneling Protocol (SSTP)</strong> checkbox. Note that while there are checkboxes for <strong>Point-to-Point Tunneling Protocol (PPTP)</strong> and <strong>Layer Two Tunneling Protocol (L2TP)/IPsec</strong>, they are not functional. UAG SP1 does not support PPTP or L2TP/IPsec network level VPN protocols.</span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">Click the <strong>IP Address Assignment</strong> tab. Select the <strong>Assign address using DHCP</strong> option. Note that you can use this option only when you have a single server deployment. If you have a UAG array and want to enable SSTP support, you will need to assign a static address pool to each of the servers in the array and the addresses used in each pool must be different on each server.</span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">Click on the <strong>User Groups</strong> tab. On this tab you can limit SSTP access on a per group basis to selected assets on the intranet. In this test lab we will not enable this feature. Click <strong>OK</strong>. </span></li></ol> <h2 style="margin:10pt 0in 0pt"><a name="STEP_4_Add_the_SSTP_Remote_Network_Access_Application_to_the_Trunk"></a><a name="_Toc277243953"></a><a name="_Toc265500033"><span style="font-size:medium; font-family:Cambria; color:#4f81bd">STEP 4: </span></a><span style="font-size:medium; color:#4f81bd; font-family:Cambria">Add the SSTP Remote Network Access Application to the Trunk</span></h2> <p class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">In order for users to access the SSTP VPN application, that application must be added to a trunk. 
In this step you will add the SSTP application to the HTTPS trunk.</span></p> <ol style="margin-top:0in; list-style-type:decimal"> <li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">In the right pane of the console, in the <strong>Applications</strong> section, click the <strong>Add</strong> button.</span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">On the <strong>Welcome to the Add Application Wizard</strong> page, click <strong>Next</strong>.</span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">On the <strong>Step – 1</strong> page, select the <strong>Client/server and legacy</strong> option. From the drop down list, select <strong>Remote Network Access</strong>. Click <strong>Next</strong>.</span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">On the <strong>Step 2 – Configure Application</strong> page, in the <strong>Application name</strong> text box, enter <strong>SSTP VPN</strong>. Click <strong>Next</strong>. </span></li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">On the <strong>Step 3 – Select Endpoint Policies</strong> page, in the <strong>Access policy</strong> drop down box, select <strong>Always</strong>. The reason we select this option in the Test Lab is that the default setting requires the client to have antivirus software installed, and in this Test Lab CLIENT1 does not have antivirus software installed. Click <strong>Next</strong>. </span></li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">On the <strong>Step 4 – Configure Server Settings</strong> page, make no changes and accept the default values. Click <strong>Next</strong>. 
</span></li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">On the <strong>Step 5 – Portal Link</strong> page, make no changes and click <strong>Next</strong>.</span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">On the <strong>Step 6 – Authorization</strong> page, confirm that there is a checkmark in the <strong>Authorize all users</strong> checkbox and click <strong>Next</strong>.</span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">On the <strong>Completing the Add Application Wizard</strong> page, click <strong>Finish</strong>. </span></li></ol> <h2 style="margin:10pt 0in 0pt"><a name="STEP_5_Activate_the_Configuration_and_View_Activation_in_the_Activation_Monitor"></a><a name="_Toc277243954"></a><a name="_Toc265500035"><span style="font-size:medium; font-family:Cambria; color:#4f81bd">STEP 5: </span></a><span style="font-size:medium; color:#4f81bd; font-family:Cambria">Activate the Configuration and View Activation in the Activation Monitor</span></h2> <p class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">You need to activate the configuration after adding the SSTP VPN application to the trunk. In this step you will activate the configuration and view the activation process in the Activation Monitor.</span></p> <ol style="margin-top:0in; list-style-type:decimal"> <li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">Click <strong>Start</strong> and then click <strong>All Programs</strong>. Click <strong> Microsoft Forefront UAG</strong> and then click <strong>Forefront UAG Activation Monitor</strong>. In the <strong>User Account Control</strong> dialog box, click <strong>Yes</strong>. It may take a minute or two for the Activation Monitor to open. 
Maximize the Activation Monitor after it opens, and then minimize the window.</span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">In the <strong>Microsoft Forefront Unified Access Gateway Management</strong> console, click the <strong>File</strong> menu and then click <strong>Activate</strong>. In the <strong> Activate Configuration</strong> dialog box, click the <strong>Activate </strong>button.</span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">Maximize the <strong>Forefront Unified Access Gateway Activation Monitor. </strong>Click the <strong> UAG1</strong> node in the left pane of the console. Notice in the right pane that it tells you the time when the activation started. Click the <strong>Options</strong> button. In the <strong>Autorefresh Interval (sec)</strong> text box, enter <strong>10</strong> and then click <strong>OK</strong>.</span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">When the activation completes, scroll through the output in the right pane. This provides you information about what happened during the activation process. At the bottom of the output, you should see <strong>Activation completed successfully</strong>. Minimize the <strong>Forefront Unified Access Gateway Activation Monitor</strong> console.</span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">In the <strong>Activate Configuration</strong> dialog box, click <strong>Finish</strong>. 
</span></li></ol> <h2 style="margin:10pt 0in 0pt"><a name="STEP_6_Test_DirectAccess_and_SSTP_Connectivity"></a><a name="_Toc277243955"><span style="font-size:medium; font-family:Cambria; color:#4f81bd">STEP 6: Test DirectAccess and SSTP Connectivity</span></a></h2> <p class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">After activation is complete, you are ready to test both DirectAccess and SSTP connectivity. In this step you will confirm DirectAccess connectivity and then start an SSTP VPN connection through the portal.</span></p> <ol style="margin-top:0in; list-style-type:decimal"> <li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">*Move the CLIENT1 computer to the Homenet subnet and then log on as CORP\User1. </span></li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">Open an elevated command prompt. In the command prompt window enter <strong>ipconfig</strong> and press ENTER. You should see an IPv6 address assigned to <strong>Tunnel adapter Teredo Tunneling Pseudo-Interface</strong>. In the command prompt window, enter <strong>ping dc1</strong> and press ENTER. You should see four responses from the ISATAP address assigned to DC1. In the command prompt window, enter <strong>net view </strong></span><a href="file://dc1/"><strong><span style="line-height:115%; font-size:10pt; font-family:Calibri; color:#0000ff">\\dc1</span></strong></a><span style="font-size:small; font-family:Calibri"> and press ENTER. You should see a list of shares on DC1. This indicates that the infrastructure tunnel is working properly over DirectAccess.</span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">In the command prompt window, enter <strong>ping app1</strong> and press ENTER. You should see four responses from the ISATAP address assigned to APP1. 
This indicates that name resolution is working correctly. At the command prompt window, enter <strong>net view </strong></span><a href="file://app1/"><strong><span style="line-height:115%; font-size:10pt; font-family:Calibri; color:#0000ff">\\app1</span></strong></a><span style="font-size:small; font-family:Calibri"> and press ENTER. You should see a list of shares on APP1. This indicates that the intranet tunnel is working correctly over DirectAccess. </span></li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">In the command prompt window, enter <strong>netsh namespace show effectivepolicy</strong> and press ENTER. You should see that the Name Resolution Policy Table is active and it shows that there are two entries in the NRPT. </span></li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">Open <strong>Internet Explorer</strong>. In the address bar, enter </span><a href="https://uag1.contoso.com/"><strong><span style="line-height:115%; font-size:10pt; font-family:Calibri; color:#0000ff">https://uag1.contoso.com</span></strong></a><span style="font-size:small; font-family:Calibri"> and press ENTER. Endpoint components will be downloaded to CLIENT1. In the information bar in Internet Explorer, click the <strong>This website wants to install the following add-on…</strong> message and then click <strong>Install This Add-on for All Users on This Computer</strong>. Click <strong> Yes</strong> in the <strong>User Account Control</strong> dialog box. In the <strong> Forefront UAG endpoint components</strong> dialog box, put a checkmark in the <strong> do not show this message again</strong> checkbox and click <strong>Yes</strong>. You will see <strong>Downloading Endpoint Component Manager</strong> on the web page with a progress bar. 
In the <strong>Security Alert</strong> dialog box, put a checkmark in the <strong>Trust this site</strong> checkbox and then select the <strong>Always</strong> option. Click <strong>Trust</strong>. The web page will now say <strong>Checking for device compliance</strong>. </span></li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">The <strong>Application and Network Access Portal</strong> page should now appear. If you see a mobile log on page, close Internet Explorer and open it again and go to </span><a href="https://uag1.contoso.com/"><strong><span style="line-height:115%; font-size:10pt; font-family:Calibri; color:#0000ff">https://uag1.contoso.com</span></strong></a><span style="font-size:small; font-family:Calibri">. In the <strong>User name</strong> text box, enter <strong>CORP\User1</strong> and in the <strong>Password</strong> text box, enter User1’s password. Click <strong>Log On</strong>. </span></li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">The <strong>Application and Network Access Portal</strong> now appears. You can see an entry for <strong>SSTP VPN</strong> in both the left and right panes of the console. Click the <strong>SSTP VPN</strong> link in the right pane of the console. A new web page window will open. That web page will disappear and you will see an icon with a balloon that says <strong>Forefront UAG Remote network Access Connection started</strong>. Right click on the icon and click <strong>Show Status</strong>. In the <strong>Portal Activity</strong> dialog box, in the <strong>Active Connections</strong> section, you will see the URL that CLIENT1 is connected to and the time that Remote Network Access started. In the <strong>Launched Applications</strong> section, you will see the application is <strong> SSTP VPN</strong>. Click <strong>Hide</strong>. 
</span></li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">Return to the elevated command prompt window. In the command prompt window, enter <strong>ipconfig</strong> and press ENTER. You will see an IPv4 address assigned to <strong>PPP adapter UAGSSTPVPN</strong>. You will also see an ISATAP address assigned based on the PPP adapter’s IPv4 address; this enables CLIENT1 to communicate with IPv6 only servers on the intranet through the SSTP VPN connection. </span></li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">In the command prompt window, enter <strong>ping dc1</strong> and press ENTER. You will see four responses from the IPv6 ISATAP address of DC1<strong>. </strong>In the command prompt window, enter <strong>ping app1</strong> and press ENTER. You will see four responses from the IPv6 ISATAP addresses assigned to APP1. In the command prompt window, enter <strong>ping app3</strong> and press ENTER. In this case you see four responses from the IPv4 address assigned to APP3. Remember, APP3 is an IPv4 only resource. In the command prompt window, enter <strong>netsh namespace show effectivepolicy</strong>. You should see the output say <strong>Note: DirectAccess settings would be turned off when computer is inside corporate network</strong>. The reason for this is that when the SSTP connection was established, CLIENT1 was able to resolve the name of the Network Location Server (nls.corp.contoso.com), which causes the NRPT to disable itself. </span></li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">Click <strong>Start</strong> and then in the <strong>Search</strong> box enter <strong> wf.msc</strong> and press ENTER. In the <strong>Windows Firewall with Advanced Security</strong> console, navigate to the <strong>Monitoring\Security Associations\Main Mode</strong> node in the left pane of the console. 
Note that there are no security associations, indicating that DirectAccess has been disabled. Click the top node, <strong>Windows Firewall with Advanced Security on Local Computer</strong>. In the right pane you will see that <strong>Domain Profile is Active</strong> – this is the reason why DirectAccess is disabled, as the DirectAccess related Connection Security Rules that establish the DirectAccess IPsec tunnels are not available when the Domain Profile is active on the DirectAccess client computer. </span></li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">Right click the <strong>Remote Network Access</strong> icon in the System Notification Area. Click <strong>Disconnect Remote Network Access</strong>. In the <strong>Windows Firewall with Advanced Security</strong> console, click <strong>Refresh</strong> in the right pane. Notice that the <strong>Domain Profile</strong> is no longer active and the current profile is <strong>Public Profile is Active</strong>. Network Location Awareness determined that CLIENT1 was no longer connected to the intranet and changed the Firewall Profile settings. Navigate to the <strong>Monitoring\Security Associations\Main Mode</strong> node in the left pane of the console. You will see a Main Mode security association, indicating that the DirectAccess intranet tunnel has come up automatically. </span></li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">Return to the elevated command prompt. In the command prompt window, enter <strong>ping APP3</strong> and press ENTER. Notice that this time there are four responses from an IPv6 address. This IPv6 address is generated by the NAT64 feature in UAG.</span> </li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">Close the command prompt window. Close the <strong>Windows Firewall with Advanced Security</strong> console. 
Close Internet Explorer. Click <strong>Yes</strong> in the <strong>SSL Application Tunneling</strong> dialog box.</span> </li></ol> <h2 style="margin:10pt 0in 0pt"><a name="STEP_7_Snapshot_the_Configuration"></a><a name="_Toc277243956"></a><a name="_Toc268018645"><span style="font-size:medium; font-family:Cambria; color:#4f81bd">STEP 7: Snapshot the Configuration</span></a></h2> <p class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">This completes the UAG SP1 RC DirectAccess with SSTP test lab. To save this configuration so that you can quickly return to a working UAG SP1 RC DirectAccess Connectivity Assistant configuration from which you can test other DirectAccess modular TLGs, TLG extensions, or for your own experimentation and learning, do the following:</span></p> <ol style="margin-top:0in; list-style-type:decimal"> <li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">On all physical computers or virtual machines in the test lab, close all windows and then perform a graceful shutdown. </span></li><li class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">If your lab is based on virtual machines, save a snapshot of each virtual machine and name the snapshots <strong>TLG UAG DirectAccess SP1RC SSTP</strong>. 
If your lab uses physical computers, create disk images to save the DirectAccess test lab configuration.</span> </li></ol> <h1 style="margin:24pt 0in 0pt"><a name="Additional_Resources"></a><a name="_Toc277243957"></a><a name="_Toc267913054"></a><a name="_Toc267556283"><span style="font-family:Cambria; color:#365f91">Additional Resources</span></a></h1> <p class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">For more information on UAG and SSTP, see </span><a href="http://technet.microsoft.com/en-us/library/dd861404.aspx"><span style="line-height:115%; font-size:10pt; font-family:Calibri; color:#0000ff">Setting up Remote Network Access</span></a><span style="font-size:small; font-family:Calibri">.</span></p> <p class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">For procedures to configure the Base Configuration test lab on which this document is based, see the </span><a href="http://go.microsoft.com/fwlink/?LinkId=198140"><span style="line-height:115%; font-size:small; font-family:Calibri; color:#0000ff">Test Lab Guide: Base Configuration</span></a><span style="font-size:small; font-family:Calibri">.</span></p> <p class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">For procedures to configure UAG SP1 RC DirectAccess on which this document is based, see the </span><a href="http://go.microsoft.com/fwlink/?LinkId=204993"><span style="line-height:115%; font-size:10pt; font-family:Calibri">Test Lab Guide: Demonstrate Forefront UAG SP1 RC DirectAccess</span></a><span style="font-size:small; font-family:Calibri">. 
</span></p> <p class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">For a comprehensive list of Test Lab Guides, please see </span><a href="http://social.technet.microsoft.com/wiki/contents/articles/test-lab-guides.aspx"><span style="line-height:115%; font-size:10pt; font-family:Calibri">Test Lab Guides</span></a><span style="font-size:small; font-family:Calibri">.</span></p> <p class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">For a list of UAG DirectAccess related Test Lab Guides, please see </span><a href="http://social.technet.microsoft.com/wiki/contents/articles/uag-directaccess-test-lab-guide-portal-page.aspx"><span style="line-height:115%; font-size:10pt; font-family:Calibri">UAG DirectAccess Test Lab Guide Portal Page</span></a></p> <p class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">For the design and configuration of your pilot or production deployment of DirectAccess, see the </span><a href="http://technet.microsoft.com/en-us/library/ee406191.aspx"><span style="line-height:115%; font-size:small; font-family:Calibri; color:#0000ff">Forefront UAG DirectAccess design guide</span></a><span style="font-size:small; font-family:Calibri"> and the </span><a href="http://technet.microsoft.com/en-us/library/dd857320.aspx"><span style="line-height:115%; font-size:small; font-family:Calibri; color:#0000ff">Forefront UAG DirectAccess deployment guide</span></a><span style="font-size:small; font-family:Calibri">. 
<strong></strong></span></p> <p class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">For information about troubleshooting DirectAccess, see the </span><a href="http://go.microsoft.com/fwlink/?LinkId=165904"><span style="line-height:115%; font-size:small; font-family:Calibri; color:#0000ff">DirectAccess Troubleshooting Guide</span></a><span style="font-size:small; font-family:Calibri">.</span></p> <p class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">For information on troubleshooting UAG DirectAccess in a Test Lab, see </span><a href="http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=d2e460c8-b4bf-4fda-9f86-ecc4b7add5d1"><span style="line-height:115%; font-size:10pt; font-family:Calibri; color:#0000ff">Test Lab Guide: Troubleshooting UAG DirectAccess</span></a><span style="font-size:small; font-family:Calibri">.<strong> </strong></span></p> <p class="MsoNormal" style="margin:0in 0in 10pt"><span style="font-size:small; font-family:Calibri">For more information about DirectAccess, see the </span><a href="http://www.microsoft.com/servers/directaccess.mspx"><span style="line-height:115%; font-size:small; font-family:Calibri; color:#0000ff">DirectAccess Getting Started Web page</span></a><span style="font-size:small; font-family:Calibri"> and the </span><a href="http://technet.microsoft.com/en-us/network/dd420463.aspx"><span style="line-height:115%; font-size:small; font-family:Calibri">DirectAccess TechNet Web page</span></a><span style="font-size:small; font-family:Calibri">.</span></p> <p> </p> <p>========================================================</p> <p> </p> <p> </p> </body> </html>
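The manual checks in Step 6 (the `ipconfig` adapter, the NRPT note, the active firewall profile, and the Main Mode security associations) can be collected into a single check. The following is an added example, not part of the original guide: the function name `Get-RemoteAccessState` is hypothetical, it assumes English-language command output, and the `netsh advfirewall` output line formats it matches are assumptions, while the adapter name and the NRPT note text are taken from the steps above.

```powershell
# Added example (not from the guide): classify CLIENT1's remote-access state
# from the same four checks Step 6 performs by hand.
# Run from an elevated prompt. Assumes English-language ipconfig/netsh output.
function Get-RemoteAccessState {
    param(
        # Each parameter defaults to the live command output; pass captured
        # text instead to evaluate a saved or constructed sample.
        [string[]]$IpConfig   = (ipconfig),
        [string[]]$Nrpt       = (netsh namespace show effectivepolicy),
        [string[]]$FwProfile  = (netsh advfirewall show currentprofile),
        [string[]]$MainModeSa = (netsh advfirewall monitor show mmsa)
    )

    # SSTP is up when ipconfig lists the PPP adapter named in Step 6.
    $sstpUp = @($IpConfig -match 'PPP adapter UAGSSTPVPN').Count -gt 0

    # The NRPT prints this note once the client can resolve the
    # Network Location Server, i.e. it believes it is on the intranet.
    $nrptOff = @($Nrpt -match 'DirectAccess settings would be turned off').Count -gt 0

    # Assumed format: the first line of "show currentprofile" names the
    # active profile, e.g. "Domain Profile Settings:".
    $hit = $FwProfile |
        Select-String '^(Domain|Private|Public) Profile Settings' |
        Select-Object -First 1
    $activeProfile = if ($hit) { $hit.Matches[0].Groups[1].Value } else { 'Unknown' }

    # Assumed format: each Main Mode SA block has one "Remote IP Address" line.
    $saCount = @($MainModeSa -match 'Remote IP Address').Count

    # Expected combinations, as described in Step 6:
    #   SSTP connected:    PPP adapter, NRPT off, Domain profile, no Main Mode SAs
    #   DirectAccess only: no PPP adapter, NRPT on, non-Domain profile, SAs present
    $state = if ($sstpUp -and $nrptOff -and $activeProfile -eq 'Domain' -and $saCount -eq 0) {
        'SSTP VPN (DirectAccess disabled)'
    } elseif (-not $sstpUp -and -not $nrptOff -and $activeProfile -ne 'Domain' -and $saCount -gt 0) {
        'DirectAccess'
    } else {
        'Inconsistent'
    }

    New-Object PSObject -Property @{
        State           = $state
        SstpAdapterUp   = $sstpUp
        NrptDisabled    = $nrptOff
        FirewallProfile = $activeProfile
        MainModeSaCount = $saCount
    }
}

# Constructed sample (not captured from a real system): the SSTP-connected
# state described in Step 6. The IPv4 address is a made-up lab value.
$sample = Get-RemoteAccessState `
    -IpConfig   'PPP adapter UAGSSTPVPN:', '   IPv4 Address. . . . . . . . . . . : 10.0.0.101' `
    -Nrpt       'Note: DirectAccess settings would be turned off when computer is inside corporate network' `
    -FwProfile  'Domain Profile Settings:' `
    -MainModeSa 'No SAs match the specified criteria.'
$sample | Format-List
```

Called with no arguments on CLIENT1, the function runs the four commands itself. An `Inconsistent` result means the indicators disagree with both states Step 6 describes, so check each returned property against the expected values for that step.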