Editing: Test Lab Guide: Demonstrate Forefront UAG SP1 RC DirectAccess with Secure Socket Tunneling Protocol (SSTP) - Community Edition - TechNet Articles - United States (English)

Title
<html> <body> This is the text of the <a href="http://go.microsoft.com/fwlink/?LinkId=206283">Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess with Secure Socket Tunneling Protocol (SSTP)</a> Test Lab Guide, which you can download at <a href="http://go.microsoft.com/fwlink/?LinkId=206283">http://go.microsoft.com/fwlink/?LinkId=206283</a>    I am posting the entire text of the Test Lab Guide here with the goal that the community can improve on the Test Lab Guide by adding new options, demonstrating new features, or just correct errors in the text :)  In fact, you can make any changes you like - that is the nature of a wiki. I'm looking forward to seeing how you all can make this great Test Lab Guide even better! ======================================================== <h1 style="margin:24pt 0in 0pt"><a name="Introduction"></a><a name="_Toc277243945"></a><a name="_Toc265500018">Introduction</a></h1> DirectAccess is a new feature in the Windows 7 and Windows Server 2008 R2 operating systems that gives users the experience of being seamlessly connected to their intranet any time they have Internet access. With DirectAccess enabled, requests for intranet resources (such as e-mail servers, shared folders, or intranet Web sites) are securely directed to the intranet, without requiring users to connect to a VPN. DirectAccess provides increased productivity for a mobile workforce by offering the same connectivity experience both inside and outside the office. Forefront Unified Access Gateway (UAG) SP1 RC extends the value of the Windows DirectAccess solution by adding features that meet the requirements of many enterprise deployments: <ul style="margin-top:0in; list-style-type:disc"> <li class="MsoNormal" style="margin:0in 0in 10pt">Support for arrays of up to 8 UAG DirectAccess servers where configuration is done once on an array master and is automatically deployed to all other members of the array </li><li class="MsoNormal" style="margin:0in 0in 10pt">Support for Network Load Balancing, which enables the UAG DirectAccess SP1 RC array to be highly available without requiring the use of an external hardware load balancer </li><li class="MsoNormal" style="margin:0in 0in 10pt">Support for IPv4-only networks, network segments, or server or application resources with the help of NAT64/DNS64 IPv6/IPv4 transition technologies. </li></ul> To learn more about UAG DirectAccess, see the following resources: ·         <a href="http://technet.microsoft.com/en-us/library/ee406191.aspx">Forefront UAG DirectAccess Design Guide</a> ·         <a href="http://technet.microsoft.com/en-us/library/dd857320.aspx">Forefront UAG DirectAccess Deployment Guide</a> UAG SP1 RC supports hosting multiple roles on a single UAG server or UAG array. For example, you might want to host both the DirectAccess server and SSTP VPN server roles on the same server or array. Windows 7 clients that are configured DirectAccess clients will automatically use DirectAccess to connect to intranet resources. Windows 7 clients that are not domain members, or who are not configured as DirectAccess clients can use SSTP to connect to the intranet using a network level VPN connection. In addition, DirectAccess clients hosting applications that are not compatible with DirectAccess can connect to the SSTP VPN when they need to use the non-compatible application. Note Non-Windows 7 operating systems (such as Windows Vista, Windows XP) can use the UAG Network Connector to connect to the intranet using a network level SSL VPN connection. However, you cannot host the Network Connector application on the same server or array that is also hosting DirectAccess. To support network level VPN connectivity for non-Windows 7 clients, you will need to deploy a second UAG server or array.   <h2 style="margin:10pt 0in 0pt"><a name="In_this_guide"></a><a name="_Toc277243946"></a><a name="_Toc265500019"></a><a name="_Toc250629632">In this guide</a></h2> This guide provides step-by-step instructions for configuring UAG DirectAccess SP1 RC with SSTP in a test lab so that you can see how it works. You will set up and deploy UAG DirectAccess SP1 RC using five server computers, two client computers, Windows Server 2008 R2 Enterprise edition, and Windows 7 Ultimate Edition. The Test Lab simulates intranet, Internet, and a home networks, and demonstrates a co-located Forefront UAG DirectAccess and SSTP VPN server role deployment. The starting point for this paper is the <a href="http://go.microsoft.com/fwlink/?LinkId=204993">Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess</a> . <table cellpadding="0" border="1" class="MsoNormalTable" style="margin:auto auto auto 3.75pt; width:97%; border:1pt solid #dddddd"> <tbody> <tr> <td valign="bottom" style="border-color:#cccccc #cccccc #c8cdde; border-width:1pt; border-style:solid; background-color:#efeff7; padding:3.75pt"> Important: </td> </tr> <tr> <td valign="top" style="border-color:#cccccc #d5d5d3 #cccccc #cccccc; border-width:1pt; border-style:solid; background-color:#f7f7ff; padding:3.75pt"> These instructions are designed for configuring a test lab using the minimum number of computers. Individual computers are needed to separate the services provided on the network, and to show clearly the required functionality. This configuration is not designed to reflect best practices, nor does it reflect a required or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed to work only on a separate test lab network. For more information on planning and deploying DirectAccess with Forefront UAG, please see the <a href="http://technet.microsoft.com/en-us/library/ee406191.aspx">Forefront UAG DirectAccess design guide</a> and the <a href="http://technet.microsoft.com/en-us/library/dd857320.aspx">Forefront UAG DirectAccess deployment guide</a> </td> </tr> </tbody> </table> <h1 style="margin:24pt 0in 0pt"><a name="Overview_of_the_test_lab_scenario"></a><a name="_Toc277243947"></a><a name="_Toc267915211">Overview of the test lab scenario</a></h1> In this test lab scenario, Forefront UAG DirectAccess SP1 RC is deployed with: <ul style="margin-top:0in; list-style-type:disc"> <li class="MsoNormal" style="margin:0in 0in 10pt">One computer running Windows Server 2008 R2 Enterprise Edition (DC1), that is configured as an intranet domain controller, Domain Name System (DNS) server, Dynamic Host Configuration Protocol (DHCP) server, and an enterprise root certification authority (CA). </li><li class="MsoNormal" style="margin:0in 0in 10pt">One intranet member server running Windows Server 2008 R2 Enterprise Edition (UAG1), that is configured as a Forefront UAG SP1 RC DirectAccess and SSTP VPN server. </li><li class="MsoNormal" style="margin:0in 0in 10pt">One intranet member server running Windows Server 2008 R2 Enterprise Edition (APP1) that is configured as a general application server and network location server. </li><li class="MsoNormal" style="margin:0in 0in 10pt">One intranet member server running Windows Server 2003 SP2 (APP3) that is configured as an IPv4 only web and file server. This server is used to highlight the UAG’s NAT64/DNS64 capabilities. </li><li class="MsoNormal" style="margin:0in 0in 10pt">One standalone server running Windows Server 2008 R2 Enterprise Edition (INET1) that is configured as an Internet DNS and DHCP server. </li><li class="MsoNormal" style="margin:0in 0in 10pt">One standalone client computer running Windows 7 Ultimate Edition (NAT1), that is configured as a network address translator (NAT) device using Internet Connection Sharing. </li><li class="MsoNormal" style="margin:0in 0in 10pt">One roaming domain member client computer running Windows 7 Ultimate Edition (CLIENT1) that is configured as a DirectAccess client. </li></ul> The test lab consists of three subnets that simulate the following: <ul style="margin-top:0in; list-style-type:disc"> <li class="MsoNormal" style="margin:0in 0in 10pt">A home network named Homenet (192.168.137.0/24) connected to the Internet subnet by NAT1. </li><li class="MsoNormal" style="margin:0in 0in 10pt">The Internet subnet (131.107.0.0/24). </li><li class="MsoNormal" style="margin:0in 0in 10pt">The Corpnet subnet (10.0.0.0/24) separated from the Internet by the Forefront UAG DirectAccess server. </li></ul> Computers on each subnet connect using either a physical or virtual hub or switch, as shown in the following figure. <h1 style="margin:24pt 0in 0pt"><a name="Configuration_component_requirements"></a><a name="_Toc277243948"></a><a name="_Toc267915212">Configuration component requirements</a></h1> The following components are required for configuring Forefront UAG DirectAccess in the test lab: <ul style="margin-top:0in; list-style-type:disc"> <li class="MsoNormal" style="margin:0in 0in 10pt">The product disc or files for Windows Server 2008 R2 Enterprise Edition. </li><li class="MsoNormal" style="margin:0in 0in 10pt">The product disc or files for Windows Server 2003 Enterprise SP2 </li><li class="MsoNormal" style="margin:0in 0in 10pt">The product disc or files for of Windows 7 Ultimate. </li><li class="MsoNormal" style="margin:0in 0in 10pt">Five computers or virtual machines that meet the minimum hardware requirements for Windows Server 2008 R2 Enterprise; two of these computers has two network adapters installed. </li><li class="MsoNormal" style="margin:0in 0in 10pt">One computer or virtual machine that meets the minimum hardware requirements for Windows Server 2003 SP2 </li><li class="MsoNormal" style="margin:0in 0in 10pt">Two computers or virtual machines that meet the minimum hardware requirements for Windows 7 Ultimate; one of these computers has two network adapters installed (NAT1). </li><li class="MsoNormal" style="margin:0in 0in 10pt">The product disc or a downloaded version of Microsoft Forefront Unified Access Gateway (UAG) SP1 RC. </li></ul> This Test Lab Guide demonstrates a combined UAG SP1 RC DirectAccess and SSTP deployment. Important The following instructions are for configuring a test lab using the minimum number of computers. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. It is important to remember that this configuration is neither designed to reflect best practices nor does it reflect a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed only to work on a separate test lab network. Attempting to adapt this test lab configuration to a pilot or production deployment can result in configuration or functionality issues. To ensure proper configuration and operation of UAG DirectAccess and SSTP, please refer to the <a href="http://technet.microsoft.com/en-us/library/dd857320.aspx">Forefront UAG DirectAccess Deployment Guide</a> for the steps to configure the UAG DirectAccess server and supporting infrastructure servers. <h1 style="margin:24pt 0in 0pt"><a name="Steps_for_configuring_the_test_lab"></a><a name="_Toc277243949">Steps for configuring the test lab</a></h1> The following sections describe how to configure UAG1 as both a DirectAccess and SSTP VPN server. After UAG1 is configured, this guide provides steps for demonstrating the DirectAccess and SSTP VPN functionality for CLIENT1 when it is connected to the Homenet subnet. Note You must be logged on as a member of the Domain Admins group or a member of the Administrators group on each computer to complete the tasks described in this guide. If you cannot complete a task while you are logged on with an account that is a member of the Administrators group, try performing the task while you are logged on with an account that is a member of the Domain Admins group. For all tasks described in this document you can use the CONTOSO\User1 account created when you went through the steps in the UAG DirectAccess <a href="http://go.microsoft.com/fwlink/?LinkId=204993">Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess</a>. The following procedures are performed to enable and allow you to test the UAG SP1 RC DCA: ·         Step 1: Complete the Demonstrate UAG SP1 RC DirectAccess Test Lab Guide – The first step is to complete all the steps in the <a href="http://go.microsoft.com/fwlink/?LinkId=204993">Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess</a>. ·         Step 2: Create the HTTPS Trunk. UAG uses the concept of “trunk” as the primary listener for incoming SSL connections to a UAG portal page. In this step you will create an SSL Trunk that can be used to create a portal page that includes the SSTP VPN application. ·         Step 3: Configure the Remote Network Access Settings. The SSTP application requires configuration of a number of settings before it can be deployed. In this step you will configure these settings. ·         Step 4: Add the SSTP Remote Network Access Application to the Trunk. In order for users to access the SSTP VPN application, that application must be added to a trunk. In this step you will add the SSTP application to the HTTPS trunk. ·         Step 5: Activate the Configuration and View Activation in the Activation Monitor. You need to activate the configuration after adding the SSTP VPN application to the trunk. In this step you will activate the configuration and view the activation process in the Activation Monitor. ·         Step 6: Test DirectAccess and SSTP Connectivity. After activation is complete, you are ready to test both DirectAccess and SSTP connectivity. In this step you will confirm DirectAccess connectivity and then start an SSTP VPN connection through the portal. ·         Step 7: Snapshot the configuration. After completing the Test Lab, take a snapshot of the working UAG DirectAccess with SSTP Test Lab so that you can return to it later to test additional scenarios. Note You will notice that there are several steps that begin with an asterisk (*). The * indicates that the step requires that you move to a computer or virtual machine that is different from the computer or virtual machine you were at when you completed the previous step. <h2 style="margin:10pt 0in 0pt"><a name="STEP_1_Complete_the_Demonstrate_UAG_SP1_RC_DirectAccess_Test_Lab_Guide"></a><a name="_Toc277243950">STEP 1: Complete the Demonstrate UAG SP1 RC DirectAccess Test Lab Guide</a> </h2> The first step is to complete all the steps in the <a href="http://go.microsoft.com/fwlink/?LinkId=204993">Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess</a>. After completing the steps in that Test Lab Guide you will have the core infrastructure required to complete this Test Lab Guide on how to configure the UAG DirectAccess DCA.  If you have already completed the steps in that Test Lab Guide and saved a snapshot or disk image of the Test Lab, you can restore the snapshot or image and begin with the next step. <h2 style="margin:10pt 0in 0pt"><a name="STEP_2_Create_the_HTTPS_Trunk"></a><a name="_Toc277243951"></a><a name="_Toc265500029">STEP 2: </a>Create the HTTPS Trunk</h2> UAG uses the concept of “trunk” as the primary listener for incoming SSL connections to a UAG portal page. In this step you will create an SSL Trunk that can be used to create a portal page that includes the SSTP VPN application. <ol style="margin-top:0in; list-style-type:decimal"> <li class="MsoNormal" style="margin:0in 0in 10pt">At the UAG1 computer or virtual machine, log on as CORP\User1. Click Start and then click All Programs. Click Microsoft Forefront UAG and then click Forefront UAG Management. </li><li class="MsoNormal" style="margin:0in 0in 10pt">In the right pane of the console, click Allow remote access to the UAG server via an HTTPS trunk. </li><li class="MsoNormal" style="margin:0in 0in 10pt">On the Welcome to the Create Trunk Wizard page, click Next. </li><li class="MsoNormal" style="margin:0in 0in 10pt">On the Step 1 – Select Trunk Type page, select the Portal trunk option and click Next. </li><li class="MsoNormal" style="margin:0in 0in 10pt">On the Step 2 – Setting the Trunk page, in the Trunk name text box, enter HTTPSTrunk. In the Public host name text box, enter uag1.contoso.com. In the External Web Site section, confirm that the IP address is 131.107.0.2. Confirm that the HTTP port is 80 and confirm that the HTTPS port is 443. Click Next. </li><li class="MsoNormal" style="margin:0in 0in 10pt">On the Step 3 – Authentication page, click the Add button. In the Authentication and Authorization Servers dialog box, click the Add button. </li><li class="MsoNormal" style="margin:0in 0in 10pt">In the Add Authentication Server dialog box, in the Server type drop down list, confirm that Active Directory is selected. In the Server Name text box, enter dc1.corp.contoso.com. In the Connection Settings section, select Use local Active Directory forest authentication. In the Search Settings section, click the ellipses (…) button. In the Search Root (Base DN) dialog box, confirm that the Select Base DN entry is CN=Users,DC=corp,DC=contoso,DC=com. Click OK. In the Server access section, in the User (domain\user) text box, enter CORP\User1. In the Password text box, enter User1’s password. Click OK. </li><li class="MsoNormal" style="margin:0in 0in 10pt">In the Authentication and Authorization Servers dialog box, click Select. On the Step 3 – Authentication page, confirm that User selects from a server list is selected and that there is a checkmark in the Show server names checkbox. Click Next. </li><li class="MsoNormal" style="margin:0in 0in 10pt">On the Step 4 – Certificate page, confirm that uag1.contoso.com appears in the Server certificate drop down list. Click Next. </li><li class="MsoNormal" style="margin:0in 0in 10pt">On the Step – 5 Endpoint Security page, select the Use Forefront UAG access policies option and click Next. </li><li class="MsoNormal" style="margin:0in 0in 10pt">On the Step 6 – Endpoint Policies page, in the Nonprivileged access policy dropdown box, select Always. Note that we select Always in this Test Lab because the default access policy requires that clients have antivirus software installed. In this Test Lab CLIENT1 does not have antivirus software installed so we need to change from the default Nonprivileged  access policy to one that will allow a system without antivirus software to access the portal. Click Next. </li><li class="MsoNormal" style="margin:0in 0in 10pt">On the Completing the Create Trunk Wizard page, click Finish. </li><li class="MsoNormal" style="margin:0in 0in 10pt">In the Trunk Configuration section, click the Configure button. On the Advanced Trunk Configuration [HTTPSTrunk] page, click the Session tab. In the Default Sessions Settings section, in the Inactive session timeout (seconds) text box, enter 1800. In the Trigger automatic logoff after text box, enter 1440. Click OK. </li><li class="MsoNormal" style="margin:0in 0in 10pt">Click the File menu and click Activate. On the Activate Configuration page, click the Activate button. Click Finish when the activation completes. </li></ol> <h2 style="margin:10pt 0in 0pt"><a name="STEP_3_Configure_the_Remote_Network_Access_Settings"></a><a name="_Toc277243952"></a><a name="_Toc265500030">STEP 3: </a>Configure the Remote Network Access Settings</h2> The SSTP application requires configuration of a number of settings before it can be deployed. In this step you will configure these settings. <ol style="margin-top:0in; list-style-type:decimal"> <li class="MsoNormal" style="margin:0in 0in 10pt">In the Microsoft Forefront Unified Access Gateway Management console, click the Admin menu and point to Remote Network Access. Click on SSL Network Tunneling (SSTP)… . </li><li class="MsoNormal" style="margin:0in 0in 10pt">In the SSL Network Tunneling Configuration dialog box, on the General tab, put a checkmark in the Enable remote client VPN access checkbox. In the Maximum VPN Client connections text box, enter 10. In the SSL Tunneling VPN Trunk section, from the Trunk drop down list, select HTTPSTrunk. Confirm that is says uag1.contoso.com in the Public host name box. </li><li class="MsoNormal" style="margin:0in 0in 10pt">Click the Protocols tab. Confirm that there is a checkmark in the Secure Socket Tunneling Protocol (SSTP). Note that while there are checkboxes for Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP)/IPsec, they are not functional. UAG SP1 does not support PPTP or L2TP/IPsec network level VPN protocols. </li><li class="MsoNormal" style="margin:0in 0in 10pt">Click the IP Address Assignment tab. Select the Assign address using DHCP. Note that you can use this option only when you have a single server deployment. If you have a UAG array and want to enable SSTP support, you will need to assign a static address pool to each of the servers in the array and the addresses used in each pool must be different on each server. </li><li class="MsoNormal" style="margin:0in 0in 10pt">Click on the User Groups tab. On this tab you can limit SSTP access on a per group basis to selected assets on the intranet. In this test lab we will not enable this feature. Click OK. </li></ol> <h2 style="margin:10pt 0in 0pt"><a name="STEP_4_Add_the_SSTP_Remote_Network_Access_Application_to_the_Trunk"></a><a name="_Toc277243953"></a><a name="_Toc265500033">STEP 4: </a>Add the SSTP Remote Network Access Application to the Trunk</h2> In order for users to access the SSTP VPN application, that application must be added to a trunk. In this step you will add the SSTP application to the HTTPS trunk. <ol style="margin-top:0in; list-style-type:decimal"> <li class="MsoNormal" style="margin:0in 0in 10pt">In the right pane of the console, in the Applications section, click the Add button. </li><li class="MsoNormal" style="margin:0in 0in 10pt">On the Welcome to the Add Application Wizard page, click Next. </li><li class="MsoNormal" style="margin:0in 0in 10pt">On the Step – 1 page, select the Client/server and legacy option. From the drop down list, select Remote Network Access. Click Next. </li><li class="MsoNormal" style="margin:0in 0in 10pt">On the Step 2 – Configure Application page, in the Application name text box, enter SSTP VPN. Click Next. </li><li class="MsoNormal" style="margin:0in 0in 10pt">On the Step 3 – Select Endpoint Policies page, in the Access policy drop down box, select Always. The reason we select this option in the Test Lab is that the default setting requires the client to have antivirus software installed, and in this Test Lab CLIENT1 does not have antivirus software installed. Click Next. </li><li class="MsoNormal" style="margin:0in 0in 10pt">On the Step 4 – Configure Server Settings page, make no changes and accept the default values. Click Next. </li><li class="MsoNormal" style="margin:0in 0in 10pt">On the Step 5 – Portal Link page, make no changes and click Next. </li><li class="MsoNormal" style="margin:0in 0in 10pt">On the Step 6 – Authorization page, confirm that there is a checkmark in the Authorize all users checkbox and click Next. </li><li class="MsoNormal" style="margin:0in 0in 10pt">On the Completing the Add Application Wizard page, click Finish. </li></ol> <h2 style="margin:10pt 0in 0pt"><a name="STEP_5_Activate_the_Configuration_and_View_Activation_in_the_Activation_Monitor"></a><a name="_Toc277243954"></a><a name="_Toc265500035">STEP 5: </a>Activate the Configuration and View Activation in the Activation Monitor</h2> You need to activate the configuration after adding the SSTP VPN application to the trunk. In this step you will activate the configuration and view the activation process in the Activation Monitor. <ol style="margin-top:0in; list-style-type:decimal"> <li class="MsoNormal" style="margin:0in 0in 10pt">Click Start and then click All Programs. Click Microsoft Forefront UAG and then click Forefront UAG Activation Monitor. In the Use Account Control dialog box, click Yes. It may take a minute or two for the Activation Monitor to open. Maximize the Activation Monitor after it opens, and then minimize the window. </li><li class="MsoNormal" style="margin:0in 0in 10pt">In the Microsoft Forefront Unified Access Gateway Management console, click the File menu and then click Activate. In the Activate Configuration dialog box, click the Activate button. </li><li class="MsoNormal" style="margin:0in 0in 10pt">Maximize the Forefront Unified Access Gateway Activation Monitor. Click the UAG1 node in the left pane of the console. Notice in the right pane that it tells you the time when the activation started. Click the Options button. In the Autorefresh Interval (sec) text box, enter 10 and then click OK. </li><li class="MsoNormal" style="margin:0in 0in 10pt">When the activation completes, scroll through the output in the right pane. This provides you information about what happened during the activation process. At the bottom of the output, you should see Activation completed successfully. Minimize the Forefront Unified Access Gateway Activation Monitor console. </li><li class="MsoNormal" style="margin:0in 0in 10pt">In the Activate Configuration dialog box, click Finish. </li></ol> <h2 style="margin:10pt 0in 0pt"><a name="STEP_6_Test_DirectAccess_and_SSTP_Connectivity"></a><a name="_Toc277243955">STEP 6: Test DirectAccess and SSTP Connectivity</a></h2> After activation is complete, you are ready to test both DirectAccess and SSTP connectivity. In this step you will confirm DirectAccess connectivity and then start an SSTP VPN connection through the portal. <ol style="margin-top:0in; list-style-type:decimal"> <li class="MsoNormal" style="margin:0in 0in 10pt">*Move the CLIENT1 computer to Homenet subnet and then log on as CORP\User1. </li><li class="MsoNormal" style="margin:0in 0in 10pt">Open an elevated command prompt. In the command prompt window enter ipconfig and press ENTER. You should see an IPv6 address assigned to Tunnel adapter Teredo Tunneling Pseudo-Interface. In the command prompt window, enter ping dc1 and press ENTER. You should see four responses from the ISATAP address assigned to DC1. In the command prompt window, enter net view <a href="file://dc1/">\\dc1</a> and press ENTER. You should see a list of shares on DC1. This indicates that the infrastructure tunnel is working properly over DirectAccess. </li><li class="MsoNormal" style="margin:0in 0in 10pt">In the command prompt window, enter ping app1 and press ENTER. You should see four responses from the ISATAP address assigned to APP1. This indicates that name resolution is working correctly. At the command prompt window, enter net view <a href="file://app1/">\\app1</a> and press ENTER. You should see a list of shares on APP1. This indicates that the intranet tunnel is working correctly over DirectAccess. </li><li class="MsoNormal" style="margin:0in 0in 10pt">In the command prompt window, enter netsh namespace show effectivepolicy and press ENTER. You should see that the Name Resolution Policy Table is active and it shows that there are two entries in the NRPT. </li><li class="MsoNormal" style="margin:0in 0in 10pt">Open Internet Explorer. In the address bar, enter <a href="https://uag1.contoso.com/">https://uag1.contoso.com</a> and press ENTER. Endpoint components will be downloaded to CLIENT1. In the information bar in Internet Explorer, click the This website want to install the following add-on…” and then click Install This Add-on for All Users on This Computer. Click Yes in the User Account Control dialog box. In the Forefront UAG endpoint components dialog box, put a checkmark in the do not show this message again checkbox and click Yes. You will see Downloading Endpoint Component Manager on the web page with a progress bar. In the Security Alert dialog box, put a checkmark in the Trust this site checkbox and then select the Always option. Click Trust. The web page will now say Checking for device compliance. </li><li class="MsoNormal" style="margin:0in 0in 10pt">The Application and Network Access Portal page should now appear. If you see a mobile log on page, close Internet Explorer and open it again and go to <a href="https://uag1.contoso.com/">https://uag1.contoso.com</a>. In the User name text box, enter CORP\User1 and in the Password text box, enter User1’s password. Click Log On. </li><li class="MsoNormal" style="margin:0in 0in 10pt">The Application and Network Access Portal now appears. You can see an entry for SSTP VPN in both the left and right panes of the console. Click the SSTP VPN link in the right pane of the console. A new web page window will open. That web page will disappear and you will see an icon with a balloon that says Forefront UAG Remote network Access Connection started. Right click on the icon and click Show Status. In the Portal Activity dialog box, in the Active Connections section, you will see the URL that CLIENT1 is connect to and the time that Remote Network Access started. In the Launched Applications section, you will see the application is SSTP VPN. Click Hide. </li><li class="MsoNormal" style="margin:0in 0in 10pt">Return to the elevated command prompt window. In the command prompt window, enter ipconfig and press ENTER. You will see an IPv4 address assigned to PPP adapter UAGSSTPVPN. You will also see an ISATAP address assigned based on the PPP adapter’s IPv4 address; this enables CLIENT1 to communicate with IPv6 only servers on the intranet through the SSTP VPN connection. </li><li class="MsoNormal" style="margin:0in 0in 10pt">In the command prompt window, enter ping dc1 and press ENTER. You will see four responses from the IPv6 ISATAP address of DC1. In the command prompt window, enter ping app1 and press ENTER. You will see four responses from the IPv6 ISATAP addresses assigned to APP1. In the command prompt window, enter ping app3 and press ENTER. In this case you see four responses from the IPv4 address assigned to APP3. Remember, APP3 is an IPv4 only resource. In the command prompt window, enter netsh namespace show effectivepolicy. You should see the output say Note: DirectAccess settings would be turned off when computer is inside corporate network. The reason for this is that when the SSTP connection was established, CLIENT1 was able to resolve the name of the Network Location Server (nls.corp.contoso.com), which causes the NRPT to disable itself. </li><li class="MsoNormal" style="margin:0in 0in 10pt">Click Start and then in the Search box enter wf.msc and press ENTER. In the Windows Firewall with Advanced Security console, navigate to the Monitoring\Security Associations\Main Mode node in the left pane of the console. Note that there are no security associations, indicating that DirectAccess has been disabled. Click the top node, Windows Firewall with Advanced Security on Local Computer. In the right pane you will see that Domain Profile is Active – this is the reason why DirectAccess is disabled, as the DirectAccess related Connection Security Rules that establish the DirectAccess IPsec tunnels are not available when the Domain Profile is active on the DirectAccess client computer. </li><li class="MsoNormal" style="margin:0in 0in 10pt">Right click the Remote Network Access icon in the System Notification Area. Click Disconnect Remote Network Access. In the Windows Firewall with Advanced Security console, click Refresh in the right pane. Notice that the Domain Profile is no longer active and the current profile is Public Profile is Active. Network Location Awareness determined that CLIENT1 was no longer connected to the intranet and changed the Firewall Profile settings. Navigate to the Monitoring\Security Associations\Main Mode node in the left pane of the console. You will see a Main Mode security association, indicating that the DirectAccess intranet tunnel has come up automatically. </li><li class="MsoNormal" style="margin:0in 0in 10pt">Return to the elevated command prompt. In the command prompt window, enter ping APP3 and press ENTER. Notice that this time there are four responses from an IPv6 address. This IPv6 address is generated by the NAT64 feature in UAG. </li><li class="MsoNormal" style="margin:0in 0in 10pt">Close the command prompt window. Close the Windows Firewall with Advanced Security console. Close Internet Explorer.  Click Yes in the SSL Application Tunneling dialog box. </li></ol> <h2 style="margin:10pt 0in 0pt"><a name="STEP_7_Snapshot_the_Configuration"></a><a name="_Toc277243956"></a><a name="_Toc268018645">STEP 7: Snapshot the Configuration</a></h2> This completes the UAG SP1 RC DirectAccess with SSTP test lab. To save this configuration so that you can quickly return to a working UAG SP1 RC DirectAccess Connectivity Assistant configuration from which you can test other DirectAccess modular TLGs, TLG extensions, or for your own experimentation and learning, do the following: <ol style="margin-top:0in; list-style-type:decimal"> <li class="MsoNormal" style="margin:0in 0in 10pt">On all physical computers or virtual machines in the test lab, close all windows and then perform a graceful shutdown. </li><li class="MsoNormal" style="margin:0in 0in 10pt">If your lab is based on virtual machines, save a snapshot of each virtual machine and name the snapshots TLG UAG DirectAccess SP1RC SSTP. If your lab uses physical computers, create disk images to save the DirectAccess test lab configuration. </li></ol> <h1 style="margin:24pt 0in 0pt"><a name="Additional_Resources"></a><a name="_Toc277243957"></a><a name="_Toc267913054"></a><a name="_Toc267556283">Additional Resources</a></h1> For more information on UAG and SSTP, see <a href="http://technet.microsoft.com/en-us/library/dd861404.aspx">Setting up Remote Network Access</a>. For procedures to configure the Base Configuration test lab on which this document is based, see the <a href="http://go.microsoft.com/fwlink/?LinkId=198140">Test Lab Guide: Base Configuration</a>. For procedures to configure UAG SP1 RC DirectAccess on which this document is based, see the <a href="http://go.microsoft.com/fwlink/?LinkId=204993">Test Lab Guide: Demonstrate Forefront UAG SP1 RC DirectAccess</a>. For a comprehensive list of Test Lab Guides, please see <a href="http://social.technet.microsoft.com/wiki/contents/articles/test-lab-guides.aspx">Test Lab Guides</a>. For a list of UAG DirectAccess related Test Lab Guides, please see <a href="http://social.technet.microsoft.com/wiki/contents/articles/uag-directaccess-test-lab-guide-portal-page.aspx">UAG DirectAccess Test Lab Guide Portal Page</a> For the design and configuration of your pilot or production deployment of DirectAccess, see the <a href="http://technet.microsoft.com/en-us/library/ee406191.aspx">Forefront UAG DirectAccess design guide</a> and the <a href="http://technet.microsoft.com/en-us/library/dd857320.aspx">Forefront UAG DirectAccess deployment guide</a>. For information about troubleshooting DirectAccess, see the <a href="http://go.microsoft.com/fwlink/?LinkId=165904">DirectAccess Troubleshooting Guide</a>. For information on troubleshooting UAG DirectAccess in a Test Lab, see <a href="http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=d2e460c8-b4bf-4fda-9f86-ecc4b7add5d1">Test Lab Guide: Troubleshooting UAG DirectAccess</a>. For more information about DirectAccess, see the <a href="http://www.microsoft.com/servers/directaccess.mspx">DirectAccess Getting Started Web page</a> and the <a href="http://technet.microsoft.com/en-us/network/dd420463.aspx">DirectAccess TechNet Web page</a>.   ========================================================     </body> </html>
Comment
Tags
Please add 7 and 6 and type the answer here:

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?

Editing: Test Lab Guide: Demonstrate Forefront UAG SP1 RC DirectAccess with Secure Socket Tunneling Protocol (SSTP) - Community Edition