UAG DirectAccess Step by Step Guide

Second Edition

Demonstrating the Forefront Unified Access Gateway’s Unique Value Propositions


 


Contents

Step-by-step guide for setting up Forefront UAG DirectAccess in a test lab
About this guide
Overview of the test lab scenario
Configuration component requirements
Steps for configuring the test lab
1. STEP 1: Configure DC1
   A. Install the Operating System on DC1
   B. Configure TCP/IP Properties on DC1
   C. Rename DC1
   D. Configure DC1 as a Domain Controller and DNS Server
   E. Create Reverse Lookup Zone on DNS Server on DC1
   F. Enter PTR Record for DC1
   G. Enable ISATAP Name Resolution on DNS Server on DC1
   H. Create DNS Records for NLS and ISATAP on DC1
   I. Configure DC1 as DHCP and Certificate Server
   J. Create a New Administrator Account in Active Directory on DC1
   K. Create a Security Group for DirectAccess Clients on DC1
   L. Create and Deploy a Security Template for the IP-HTTPS Listener Certificate and Network Location Server Certificate
   M. Create ICMPv4 and ICMPv6 Echo Request Firewall Rules in Domain Group Policy on DC1
   N. Enable Computer Certificate Autoenrollment in Group Policy for the CORP Domain on DC1
   O. Remove CRL Distribution Settings on the Certificate Authority on DC1
   P. Create a Shared Folder on the C:\ Drive on DC1
2. STEP 2: Configure APP1
   A. Install the OS on APP1
   B. Configure TCP/IP Properties on APP1
   C. Rename APP1 and Join it to the corp.contoso.com Domain
   D. Obtain NLS Certificate for SSL Connections to Network Location Server on APP1
   E. Install the Web Server Role on APP1
   F. Configure the HTTPS Security Binding on the NLS Web Site on APP1
3. STEP 3: Configure APP3
   A. Install the OS on APP3 and Disable the Firewall
   B. Install Web Services
   C. Create a Shared Folder on C:\
4. STEP 4: Configure UAG1
   A. Install the OS on UAG1
   B. Configure TCP/IP Properties on UAG1
   C. Rename the Computer and Join UAG1 to the corp.contoso.com Domain
   D. Obtain the IP-HTTPS Listener Certificate on UAG1
   E. Install Forefront UAG on UAG1
   F. Run the UAG Getting Started Wizard
   G. Run the UAG DirectAccess Configuration Wizard
   H. Confirm Group Policy Settings on UAG1
   I. Confirm IPv6 Settings on UAG1
   J. Update IPv6 Settings on DC1
   K. Update IPv6 Settings on APP1
   L. Confirm IPv6 Address Registration in DNS
   M. Confirm IPv6 Connectivity between DC1/APP1/UAG1
5. STEP 5: Configure CLIENT1
   A. Install the Operating System on CLIENT1
   B. Join CLIENT1 to the CORP Domain
   C. Add CLIENT1 to the DA_Clients Security Group
   D. Test IPv6 Configuration, Confirm Group Policy Settings and Machine Certificate on CLIENT1
   E. Test Connectivity to a Network Share and the Network Location Server
6. STEP 6: Configure INET1
   A. Install the Operating System
   B. Configure TCP/IP Properties on INET1
   C. Rename the Computer on INET1
   D. Install and Configure the DNS Server Role on INET1
   E. Install the DHCP Server Role on INET1
7. STEP 7: Configure NAT1
   A. Install the OS on NAT1
   B. Rename the Network Interfaces on NAT1
   C. Disable 6to4 on NAT1
   D. Configure ICS on the External Interface of NAT1
8. STEP 8: Test DirectAccess Connectivity from the Internet
9. STEP 9: Test DirectAccess Connectivity from Behind a NAT Device
   A. Testing Teredo Connectivity
   B. Testing IP-HTTPS Connectivity
10. STEP 10: Test Connectivity When Returning to the Corpnet
11. STEP 11: Configure UAG2
   A. Install the OS on UAG2
   B. Configure TCP/IP Properties on UAG2
   C. Rename the UAG2 Computer or Virtual Machine and Join the corp.contoso.com Domain
   D. Install the IP-HTTPS Certificate on UAG2 Computer
12. STEP 12: Create the Networked Load Balanced UAG DirectAccess Array
   A. Update ISATAP record in the DNS server to include future VIPs and DIPs
   B. Change the Single Server IP addressing configuration on UAG1
   C. Change the UAG1 Single Server Configuration to an Array Manager
   D. Configure UAG2 as a new node in the UAG DirectAccess Array
   E. Configure NLB on the Array Manager (UAG1)
   F. Reconfiguring and Applying new Configuration Settings for UAG DirectAccess
   G. Start NLB
   H. Test Client Connectivity through the NLB Array
13. Configure and Test Manage Out (Remote Management) Capabilities
   A. Create the DirectAccess Client Organizational Unit and Place CLIENT1 in the New OU
   B. Create the DirectAccess GPO and Link it to the DirectAccess Client Organizational Unit
   C. Refresh the DirectAccess Client Configuration and Enable Remote Desktop Connections to CLIENT1
   D. "Manage-Out" the DirectAccess Client

 

 


 

Step-by-step guide for setting up Forefront UAG DirectAccess in a test lab

Forefront Unified Access Gateway (UAG) provides users with the experience of being seamlessly connected to their intranet any time they have Internet access. When DirectAccess is enabled, requests for intranet resources (such as e-mail servers, shared folders, or intranet Web sites) are securely directed to the intranet, without the need for users to connect to a VPN. DirectAccess enables increased productivity for a mobile workforce by offering the same connectivity experience both inside and outside of the office. Forefront UAG DirectAccess extends the benefits of Windows DirectAccess across your infrastructure by enhancing availability and scalability, as well as simplifying deployments and ongoing management. For more information, see Overview of Forefront UAG DirectAccess.

About this guide

This guide provides step-by-step instructions for configuring Forefront UAG DirectAccess in a test lab so that you can see how it works. This guide expands on the Step By Step Guide: Demonstrate DirectAccess in a Test Lab by demonstrating several of the unique features and capabilities that are only available when deploying DirectAccess with Forefront UAG. You will set up and deploy Forefront UAG DirectAccess using six server computers, two client computers, Windows Server 2008 R2 Enterprise edition, and Windows 7 Ultimate or Windows 7 Enterprise. The test lab simulates an intranet, the Internet, and a home network, and demonstrates Forefront UAG DirectAccess in different Internet connection scenarios.
Important:
These instructions are designed for configuring a test lab using the minimum number of computers. Individual computers are needed to separate the services provided on the network, and to show clearly the required functionality. This configuration is not designed to reflect best practices, nor does it reflect a required or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed to work only on a separate test lab network. For more information on planning and deploying DirectAccess with Forefront UAG, please see the Forefront UAG DirectAccess design guide and the Forefront UAG DirectAccess deployment guide

Overview of the test lab scenario

In this test lab scenario, Forefront UAG DirectAccess is deployed with:
  • One computer running Windows Server 2008 R2 Enterprise Edition (DC1), that is configured as an intranet domain controller, Domain Name System (DNS) server, Dynamic Host Configuration Protocol (DHCP) server, and an enterprise root certification authority (CA).
  • One intranet member server running Windows Server 2008 R2 (UAG1), that is configured as the first Forefront UAG DirectAccess server in a Forefront UAG DirectAccess server array.
  • One intranet member server running Windows Server 2008 R2 (UAG2), that is configured as the second Forefront UAG DirectAccess server in a Forefront UAG DirectAccess server array.
  • One intranet member server running Windows Server 2008 R2 (APP1), that is configured as a general application server and network location server. This server is used to complete a Forefront UAG DirectAccess server array to highlight centralized configuration and Network Load Balancing high availability.
  • One intranet member server running Windows Server 2003 SP2 (APP3), that is configured as an IPv4-only web and file server. This server is used to highlight the NAT64/DNS64 capabilities.
  • One standalone server running Windows Server 2008 R2 (INET1), that is configured as an Internet DNS and DHCP server.
  • One standalone client computer running Windows 7 (NAT1), that is configured as a network address translator (NAT) device using Internet Connection Sharing.
  • One roaming member client computer running Windows 7 Enterprise or Ultimate (CLIENT1), that is configured as a DirectAccess client.
The test lab consists of three subnets that simulate the following:
  • A home network named Homenet (192.168.137.0/24) connected to the Internet by a NAT.
  • The Internet (131.107.0.0/24).
  • An intranet named Corpnet (10.0.0.0/24) separated from the Internet by the Forefront UAG DirectAccess server.
Computers on each subnet connect using either a physical or virtual hub or switch, as shown in the following figure.
CLIENT1 initially connects to the Corpnet subnet and joins the intranet domain. After DA1 is configured as a Forefront UAG DirectAccess server, and CLIENT1 is updated with the associated Group Policy settings, CLIENT1 later connects to the Internet subnet and the Homenet subnet, and tests DirectAccess connectivity to intranet resources on the Corpnet subnet.

Configuration component requirements

The following components are required for configuring Forefront UAG DirectAccess in the test lab:
  • The product disc or files for Windows Server 2008 R2 Enterprise.
  • The product disc or files for Windows Server 2003 Enterprise and SP2.
  • The product disc or files for Windows 7 Ultimate or Enterprise.
  • Six computers or virtual machines that meet the minimum hardware requirements for Windows Server 2008 R2 Enterprise; two of these computers have two network adapters installed.
  • Two computers that meet the minimum hardware requirements for Windows 7 Ultimate or Enterprise; one of these computers has two network adapters installed.
  • The product disc or a downloaded version of Microsoft Forefront Unified Access Gateway (UAG) RTM.

Steps for configuring the test lab

The following steps describe how to configure the server and client computers, and configure the Forefront UAG DirectAccess server, in a test lab. Following these configurations you can verify DirectAccess connectivity from the Internet and Homenet subnets.
Note:
You must be logged on as a member of the Domain Admins group or as a member of the Administrators group on each computer to complete the tasks described in this guide. If you cannot complete a task while you are logged on with an account that is a member of the Administrators group, try performing the task while you are logged on with an account that is a member of the Domain Admins group.
 

1.      Step 1: Configure DC1 - DC1 is the domain controller, Network Location Server (NLS), Certificate server, DNS server, File Server and DHCP server for the corp.contoso.com domain.

2.      Step 2: Configure APP1- APP1 is a Windows Server 2008 R2 computer that acts in the role of the Network Location Server on the network.  

3.      Step 3: Configure APP3 - APP3 is a Windows Server 2003 Enterprise Edition computer that acts as an IPv4-only host and is used to demonstrate DirectAccess connectivity to IPv4-only resources using the UAG DNS64 and NAT64 features. APP3 hosts both HTTP and SMB resources that the DirectAccess client computer will be able to access from the simulated Internet.

4.      Step 4: Configure UAG1 – UAG1 acts as the first DirectAccess server and Array Master in a Forefront UAG DirectAccess array.

5.      Step 5: Configure CLIENT1 – CLIENT1 is a DirectAccess client that is used to test DirectAccess connectivity in several Internet network access scenarios.

6.      Step 6: Configure INET1 – INET1 provides DNS and DHCP services for CLIENT1 when CLIENT1 is connected to the Internet. INET1 also provides DNS services to NAT1 in NAT1’s role as an Internet Connection Sharing (ICS) device.

7.      Step 7: Configure NAT1 – NAT1 acts as a simulated NAT router that enables CLIENT1 access to the UAG DirectAccess server over the simulated Internet.

8.      Step 8: Test DirectAccess Connectivity from the Internet – CLIENT1 is connected to the simulated Internet subnet to demonstrate DirectAccess connectivity using the 6to4 IPv6 transition technology.

9.      Step 9: Test DirectAccess Connectivity from Behind a NAT Device – CLIENT1 is connected to the simulated private address network to demonstrate DirectAccess connectivity using the Teredo and IP-HTTPS IPv6 transition technologies.

10.   Step 10: Test Connectivity When Returning to the Corpnet – CLIENT1 is connected again to the Corpnet subnet to demonstrate how DirectAccess components are automatically disabled to connect to local resources.

11.   Step 11: Configure UAG2 – UAG2 acts as the second DirectAccess server in a Forefront UAG DirectAccess array.

12.   Step 12: Create a Networked Load Balanced UAG DirectAccess Array – UAG1 is configured as an Array Master in a Forefront UAG DirectAccess array. UAG2 is joined to the array and Network Load Balancing is configured for the array.

13.   Step 13: Configure and Test Remote Management Capabilities – CLIENT1 is connected to the Homenet and remote connectivity to the DirectAccess client is tested from DC1 on the Corpnet.

 

1.    STEP1: Configure DC1

DC1 acts as the domain controller, Network Location Server (NLS), Certificate server, DNS server, File Server and DHCP server for the corp.contoso.com domain. The following steps prepare DC1 to carry out these roles to support a working DirectAccess solution:

A.     Install the operating system on DC1.
The first step is to install the Windows Server 2008 R2 operating system on the corp.contoso.com domain’s domain controller, DC1.

B.     Configure the TCP/IP Properties on DC1.
After installing the operating system on DC1, configure the TCP/IP Properties to provide the server an IP address, subnet mask, DNS server address and connection specific DNS suffix.

C.     Rename the Computer on DC1.
Change the default name of the computer assigned during setup to DC1.

D.     Configure DC1 as a Domain Controller and DNS Server.
DC1 is the domain controller and the authoritative DNS server for the corp.contoso.com domain. The domain controller and DNS server are required as part of the DirectAccess solution.

E.      Create a Reverse Lookup Zone on the DNS Server on DC1.
A reverse lookup zone for network ID 10.0.0.0/24 is required to create a pointer record for DC1. The pointer record allows reverse name resolution for DC1, and prevents name resolution errors during DNS related configuration steps. The reverse lookup zone is not required for a functional DirectAccess solution.

F.      Enter a Pointer Record for DC1.
A pointer record for DC1 allows services to perform reverse name resolution for DC1. This is useful when performing DNS-related operations. It is not required for a functional DirectAccess solution.

G.     Enable ISATAP Name Resolution in DNS on DC1.
By default, the Windows Server 2008 R2 DNS server will not answer queries for the ISATAP and WPAD host names. The DNS server is configured so that it will answer queries for ISATAP.

H.     Create DNS Records for NLS and ISATAP on DC1.
The DirectAccess client uses a Network Location Server to determine if the computer is on or off the corporate network. If on the corporate network, the DirectAccess client can connect to the Network Location Server using an HTTPS connection. A DNS record is required to resolve the name of the Network Location Server. In addition, a DNS record for ISATAP is required so that ISATAP-capable hosts on the network can obtain IPv6 addressing and routing information.

I.       Configure DC1 as a DHCP and Certificate Server.
DC1 is configured as a DHCP server so that CLIENT1 can automatically obtain IP addressing information when connected to the corpnet. Certificate Services are installed on DC1 so that computer certificates can be automatically assigned to all members of the CORP domain. Certificates are used for IPsec communications, as well as Web site certificates, which are used by the Network Location Server and the UAG DirectAccess server’s IP-HTTPS listener. Certificates are required by the DirectAccess solution; you can use commercial certificates, private certificates, or both as part of the DirectAccess solution. DHCP is not required to support a DirectAccess solution.

J.       Create a New Administrator Account on DC1.
As a network management best practice, the default domain administrator account should not be used for routine network operations. For this reason a new domain administrator account is created and used when making configuration changes. Using an alternate domain admin account is not required for a functional DirectAccess solution.

K.     Create a Security Group for DirectAccess Clients on DC1.
When DirectAccess is configured on the UAG DirectAccess server, it automatically creates Group Policy Objects and GPO settings that are applied to DirectAccess clients and servers. The DirectAccess client GPO uses security group filtering to assign the GPO settings to a designated DirectAccess security group. This group is populated with the computer accounts of DirectAccess client computers. This is a required component of a DirectAccess solution.

L.      Create and Deploy a Security Template for the IP-HTTPS Listener Certificate and the Network Location Server Certificate.
A Web site certificate is required for the Network Location Server so that computers can use HTTPS to connect to it when they are on the corporate network. The UAG DirectAccess server uses a Web site certificate on its IP-HTTPS listener so that it can accept incoming connections from DirectAccess clients that are behind network devices that limit outbound connections to only HTTP/HTTPS. A Web site certificate template is created and used for certificate requests to the Microsoft Certificate Server installed on DC1. A Web site certificate bound to the UAG DirectAccess server’s IP-HTTPS listener is a required component of a working DirectAccess solution.

M.   Create ICMPv4 and ICMPv6 Echo Request Firewall Rules in Domain Group Policy on DC1.
ICMP v4 and v6 echo requests inbound and outbound are required for Teredo support. Firewall Rules are configured using the Windows Firewall with Advanced Security GPO snap-in to distribute the configuration.

N.     Enable Computer Certificate Autoenrollment in Group Policy for the corp.contoso.com Domain on DC1.
DirectAccess clients use computer certificates to establish IPsec connections to the UAG DirectAccess server. In addition, in an end to end scenario, IPsec is also used to connect the DirectAccess client to the destination resource server. Computer certificates are required for a working DirectAccess solution.

O.     Remove CRL Distribution Settings on the Certificate Authority on DC1.
When IP-HTTPS clients connect to the UAG DirectAccess server, a certificate revocation check is performed by the client. If the CRL check fails or if the CRL is unavailable, the IP-HTTPS connection will fail. The Certificate Server is configured to remove CRL distribution settings so that the CRL check will not fail. In a production environment, DirectAccess requires access to the CRL from clients situated on the Internet.

P.     Create a Shared Folder on the C:\ Drive on DC1.
A shared folder is created on the C:\drive of DC1 to test SMB connectivity for DirectAccess clients to a resource on the CORP domain.

A.     Install the Operating System on DC1

The first step is to install the Windows Server 2008 R2 Enterprise Edition software on DC1. Windows Server 2008 R2 is required by UAG 2010, which can be installed on either Windows Server 2008 R2 Standard or Enterprise Edition. Enterprise Edition supports the installation of an Enterprise Certificate Authority, which enables autoenrollment of the CA certificate to all domain members, thereby reducing administrative overhead.
  1. On DC1, start the installation of Windows Server 2008 R2 Enterprise Edition.
  2. Follow the instructions to complete the installation, specifying Windows Server 2008 R2 Enterprise Edition and a strong password for the local Administrator account. Log on using the local Administrator account.
  3. Connect the network adapter to the Corpnet subnet or the virtual switch representing the corpnet subnet.

B.     Configure TCP/IP Properties on DC1

After installing the operating system on DC1, configure its TCP/IP Properties to provide the server an IP address, subnet mask, DNS server address and connection specific suffix. Note that the connection specific suffix is not required for a working DirectAccess solution, but simplifies name resolution prior to completing the DNS infrastructure in the POC lab environment.
  1. On DC1, in Initial Configuration Tasks, click Configure networking.
  2. In Network Connections, right-click Local Area Connection, and then click Properties.
  3. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
  4. Select Use the following IP address, type 10.0.0.1 next to IP address, and type 255.255.255.0 next to Subnet mask.
  5. Select the Use the following DNS server addresses option. Enter 10.0.0.1 in the Preferred DNS server text box.
  6. Click Advanced, and then click the DNS tab.
  7. In DNS suffix for this connection, type corp.contoso.com, click OK twice, and then click Close. (Note: configuring a DNS suffix is not required for DirectAccess to work correctly, but is used to simplify name resolution).
  8. Close the Network Connections window.
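The same static TCP/IP settings as steps 4 to 7, applied from an elevated PowerShell prompt on DC1. This is an added example, not part of the original guide: it uses the WMI network adapter classes because the New-NetIPAddress and Set-DnsClient cmdlets only ship with Windows Server 2012 and later, and it assumes the adapter still has the default connection name Local Area Connection.

```powershell
# Added example (not from the original guide): static IPv4 address, DNS server and
# connection-specific suffix for DC1 via WMI, which works on Windows Server 2008 R2.
# Run from an elevated PowerShell prompt on DC1. The adapter name is an assumption.
$AdapterName = "Local Area Connection"   # assumed: default name of the first adapter
$IPAddress   = "10.0.0.1"
$SubnetMask  = "255.255.255.0"
$DnsServer   = "10.0.0.1"
$DnsSuffix   = "corp.contoso.com"

$nic = Get-WmiObject -Class Win32_NetworkAdapter -Filter "NetConnectionID='$AdapterName'"
if ($nic -eq $null) { throw "No adapter named '$AdapterName' was found." }

# Win32_NetworkAdapterConfiguration holds the IP settings of the physical adapter.
$cfg = @($nic.GetRelated("Win32_NetworkAdapterConfiguration"))[0]

function Assert-WmiResult($Result, $Operation) {
    # Return value 0 = success, 1 = success but reboot required; anything else is an error.
    if ($Result.ReturnValue -gt 1) {
        throw "$Operation failed with return code $($Result.ReturnValue)"
    }
}

Assert-WmiResult ($cfg.EnableStatic(@($IPAddress), @($SubnetMask))) "EnableStatic"
Assert-WmiResult ($cfg.SetDNSServerSearchOrder(@($DnsServer)))       "SetDNSServerSearchOrder"
Assert-WmiResult ($cfg.SetDNSDomain($DnsSuffix))                    "SetDNSDomain"        # connection-specific suffix
Assert-WmiResult ($cfg.SetDynamicDNSRegistration($true, $true))     "SetDynamicDNSRegistration"

# Read the configuration back rather than trusting the return codes alone.
$check = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "Index=$($cfg.Index)"
"IPv4 address : " + (($check.IPAddress | Where-Object { $_ -notmatch ":" }) -join ", ")
"Subnet mask  : " + ($check.IPSubnet -join ", ")
"DNS servers  : " + ($check.DNSServerSearchOrder -join ", ")
"DNS suffix   : " + $check.DNSDomain
if ($check.IPAddress -notcontains $IPAddress) { throw "Static address was not applied." }
```

Reading the settings back matters because EnableStatic reports success as soon as the request is accepted; the final lines are the equivalent of checking ipconfig /all after closing the dialog boxes.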

C.      Rename DC1

The installation routine created a default computer name. The following steps change the computer name from its default to DC1.
  1. On DC1, in Initial Configuration Tasks, click Provide computer name and domain.
  2. In the System Properties dialog box, click Change. In the Computer Name/Domain Change dialog box, in the Computer name text box, enter DC1, and click OK twice, and then click Close. When prompted to restart the computer, click Restart Now.
  3. After restarting, log on using the local Administrator account.

D.     Configure DC1 as a Domain Controller and DNS Server

DC1 is the domain controller and authoritative DNS server for the CORP (corp.contoso.com) domain. The domain controller and DNS server roles are required for the DirectAccess solution.
  1. On DC1, on the Initial Configuration Tasks page, click the Add Roles link.
  2. Click Next on the Before You Begin page.
  3. On the Select Server Roles page, click Active Directory Domain Services, click Add Required Features, click Next on the Introduction to the Active Directory Domain Services page, and click Install on the Confirm Installation Selections page. Click Close on the Installation Results page.
  4. To start the Active Directory Installation Wizard, click Start, enter dcpromo in the Search box, and then press ENTER.
  5. On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next.
  6. On the Operating System Compatibility page, click Next.
  7. On the Choose a Deployment Configuration page, click Create a new domain in a new forest, and then click Next.
  8. On the Name the Forest Root Domain page, enter corp.contoso.com, and then click Next.
  9. On the Set Forest Functional Level page, in Forest Functional Level, click Windows Server 2008 R2, and then click Next. (Note that Windows Server 2008 R2 Forest Functional Level is not required for the DirectAccess solution. You can use any of the available Forest Functional Levels.)
  10. On the Additional Domain Controller Options page, ensure that the DNS Server option is selected and click Next, click Yes in the Active Directory Domain Service Installation Wizard dialog box, and then on the Location for Database, Log Files, and SYSVOL page, click Next.
  11. On the Directory Services Restore Mode Administrator Password page, enter a strong password twice, and then click Next.
  12. On the Summary page, click Next.
  13. In the Active Directory Domain Services Installation Wizard dialog box, put a checkmark in the Reboot on completion checkbox.
  14. Log on to DC1 as Administrator after the server automatically restarts.
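The forest promotion from steps 3 to 14 can also be driven by a dcpromo answer file, which makes a lab rebuild repeatable. The following is an added example, not part of the original guide; the answer-file path is an assumption, and the Directory Services Restore Mode password is prompted for instead of being written into the script.

```powershell
# Added example (not from the original guide): unattended promotion of DC1 to the first
# domain controller of a new corp.contoso.com forest, matching the wizard choices above.
# Run from an elevated PowerShell prompt on DC1.
Import-Module ServerManager
Add-WindowsFeature AD-Domain-Services | Out-Null        # same as the Add Roles wizard (step 3)

$AnswerFile = "C:\dcpromo-dc1.txt"                        # assumed location of the answer file
$dsrm = Read-Host "Directory Services Restore Mode password"

# ForestLevel/DomainLevel 4 = Windows Server 2008 R2, as chosen in step 9.
# InstallDNS=yes installs the DNS Server role on the new domain controller (step 10).
@"
[DCINSTALL]
ReplicaOrNewDomain=domain
NewDomain=forest
NewDomainDNSName=corp.contoso.com
DomainNetBiosName=CORP
ForestLevel=4
DomainLevel=4
InstallDNS=yes
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrm
RebootOnCompletion=no
"@ | Set-Content -Path $AnswerFile -Encoding ASCII

Start-Process -FilePath "dcpromo.exe" -ArgumentList "/unattend:$AnswerFile" -Wait -NoNewWindow

# The answer file held the DSRM password in clear text; remove it before the reboot.
Remove-Item -Path $AnswerFile -Force
Restart-Computer
```

RebootOnCompletion is set to no so that the script can delete the answer file first; the restart that the wizard performs in step 13 is then issued explicitly.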

E.      Create Reverse Lookup Zone on DNS Server on DC1

A reverse lookup zone on DC1 for network ID 10.0.0.0/24 is required to create a pointer record for DC1. The pointer record will allow reverse name resolution for DC1, which will prevent name resolution errors during several DNS related configuration steps. The reverse lookup zone is not required for a functional DirectAccess solution and is used as a convenience in this lab.
  1. On DC1, click Start, and point to Administrative Tools. Click DNS.
  2. In the DNS Manager console, in the left pane of the console, expand the server name, and click Reverse Lookup Zones. Right click Reverse Lookup Zones and click New Zone.
  3. On the Welcome to the New Zone Wizard page, click Next.
  4. On the Zone Type page, click Next.
  5. On the Active Directory Zone Replication Scope page, click Next.
  6. On the Reverse Lookup Zone Name page, click Next.
  7. On the Reverse Lookup Zone Name page, select the Network ID option, and then enter 10.0.0 in the text box. Click Next.
  8. On the Dynamic Update page, click Next.
  9. On the Completing the New Zone Wizard page, click Finish.
  10. Leave the DNS Manager console open for the next operation.

F.      Enter PTR Record for DC1

A pointer record for DC1 will allow services to perform reverse name resolution for the DC1 computer. This will be useful when performing several DNS-related operations. It is not required for a functional DirectAccess solution and is configured as a convenience for this lab.
  1. On DC1, in the DNS Manager console, expand the Forward Lookup Zones node in the left pane of the console. Click on corp.contoso.com.
  2. Double click on dc1 in the right pane of the console.
  3. In the DC1 Properties dialog box, put a checkmark in the Update associated pointer (PTR) record checkbox and click OK.
  4. Expand the Reverse Lookup Zones node in the left pane of the console and click 0.0.10.in-addr.arpa. Confirm that there is an entry for 10.0.0.1 in the middle pane of the console.
  5. Leave the DNS console open.

G.     Enable ISATAP Name Resolution on DNS Server on DC1

By default, the Windows Server 2008 R2 DNS server will not answer queries for ISATAP and WPAD host names. These names are included in the DNS server’s Global Query Block List. The following procedures configure the DNS server so that it will answer queries for ISATAP by removing ISATAP from the Global Query Block List.
  1. On DC1, click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
  2. In the command window, type dnscmd /config /globalqueryblocklist wpad, and then press ENTER.
  3. In the command prompt window, type dnscmd /info /globalqueryblocklist to confirm that ISATAP is not included in the list, and that the display says Query result: String: wpad.
  4. Close the command window.

H.     Create DNS Records for NLS and ISATAP on DC1

DirectAccess clients use a Network Location Server to determine if the computer is on or off the corporate network. If the DirectAccess client can connect to the Network Location Server using HTTPS, it determines that it is on the corporate network and the DirectAccess client configuration is disabled. If the DirectAccess client cannot connect to the Network Location Server, the DirectAccess client configuration is enabled and then the computer configures itself to use the appropriate IPv6 adapter and IPv6 transition technology to connect to the DirectAccess server (the adapter used can be 6to4, Teredo, or IP-HTTPS).
A DNS record is required for the DirectAccess client to resolve the name of the Network Location Server. In addition, all IPv6 capable hosts on the corpnet need to resolve the name ISATAP to the internal interface of the UAG DirectAccess server, so a DNS record is required for ISATAP. The UAG DirectAccess server will act as an ISATAP router for the organization and provides prefix and routing information for ISATAP hosts on the corporate network.
  1. On DC1, click the corp.contoso.com forward lookup zone in the left pane of the console. Right click corp.contoso.com and click New Host (A or AAAA).
  2. In the New Host dialog box, enter ISATAP in the Name (uses parent domain name if blank) text box. Then enter 10.0.0.2 in the IP address text box. (IP address 10.0.0.2 will be the IP address of the internal interface of the UAG server, which will act as the ISATAP router in this lab).
  3. Click Add Host. Then click OK in the DNS dialog box.
  4. In the New Host dialog box, enter NLS in the Name (uses parent domain name if blank) text box (this is the name the DirectAccess clients use to connect to the Network Location Server). Enter 10.0.0.3 in the IP address text box, and then click Add Host. Click OK in the DNS text box. (Note that IP address 10.0.0.3 is the IP address of APP1, which acts as a network location server in this lab).
  5. Click Done.
  6. Confirm that there are entries for DC1, ISATAP and NLS in the middle pane of the console.
  7. Open a command prompt window and enter nslookup isatap and press ENTER. Confirm that DC1 resolves ISATAP to 10.0.0.2. Close the command prompt window.
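Sections E through H (reverse lookup zone, PTR record, ISATAP removed from the global query block list, and the ISATAP and NLS host records) as dnscmd commands, followed by a check that DC1 answers exactly as the lab expects. This is an added example, not part of the original guide; the Invoke-DnsCmd and Test-LabDns functions are this example's own helpers, and the script assumes DC1 has already been promoted and is running DNS.

```powershell
# Added example (not from the original guide): sections E to H via dnscmd, then verification.
# Run from an elevated PowerShell prompt on DC1.
$Zone    = "corp.contoso.com"
$RevZone = "0.0.10.in-addr.arpa"   # reverse lookup zone for 10.0.0.0/24

function Invoke-DnsCmd([string[]]$Arguments) {
    # dnscmd is the built-in DNS management tool; stop on failure instead of scrolling past it.
    $out = & dnscmd.exe $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dnscmd $($Arguments -join ' ') failed: $out" }
    return $out
}

Invoke-DnsCmd @("/zoneadd", $RevZone, "/dsprimary")                | Out-Null   # section E
Invoke-DnsCmd @("/recordadd", $RevZone, "1", "PTR", "dc1.$($Zone).") | Out-Null   # section F
Invoke-DnsCmd @("/config", "/globalqueryblocklist", "wpad")        | Out-Null   # section G: list now holds wpad only
Invoke-DnsCmd @("/recordadd", $Zone, "ISATAP", "A", "10.0.0.2")     | Out-Null   # section H: UAG1 internal interface
Invoke-DnsCmd @("/recordadd", $Zone, "NLS",    "A", "10.0.0.3")     | Out-Null   # section H: APP1

function Test-LabDns {
    $problems = @()

    # The block list should now contain wpad only. If isatap is still listed, the server
    # answers NXDOMAIN for it and ISATAP hosts never learn the UAG router's address.
    $gqbl = (Invoke-DnsCmd @("/info", "/globalqueryblocklist")) -join " "
    if ($gqbl -match "isatap")  { $problems += "isatap is still in the global query block list" }
    if ($gqbl -notmatch "wpad") { $problems += "wpad is no longer in the global query block list" }

    # Each name must resolve to exactly one IPv4 address, the one the lab assigns.
    $expected = @{
        "isatap.$($Zone)" = "10.0.0.2"
        "nls.$($Zone)"    = "10.0.0.3"
        "dc1.$($Zone)"    = "10.0.0.1"
    }
    foreach ($name in $expected.Keys) {
        $answers = [System.Net.Dns]::GetHostAddresses($name) |
            Where-Object { $_.AddressFamily -eq "InterNetwork" } |
            ForEach-Object { $_.ToString() }
        if ((@($answers) -join ",") -ne $expected[$name]) {
            $problems += "$name resolves to '$(@($answers) -join ',')', expected $($expected[$name])"
        }
    }

    # Reverse lookup for DC1 (section F).
    try { $ptr = [System.Net.Dns]::GetHostEntry("10.0.0.1").HostName } catch { $ptr = "" }
    if ($ptr -ne "dc1.$($Zone)") { $problems += "PTR for 10.0.0.1 is '$ptr', expected dc1.$($Zone)" }

    return $problems
}

$result = @(Test-LabDns)
if ($result.Count -eq 0) { "DNS lab configuration verified." }
else { $result | ForEach-Object { "PROBLEM: $_" } }
```

The exact-match check on the ISATAP answer is worth keeping after the lab is built: the global query block list exists because any host able to register the name isatap in a dynamic-update zone would otherwise be treated as the ISATAP router by every IPv6-capable machine on the corpnet, so once the name is unblocked, confirming that it still resolves only to the UAG server's internal address is the natural control.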

I.       Configure DC1 as DHCP and Certificate Server

A DHCP server is used on the simulated corpnet to provide IP addressing information for the DirectAccess client when it is connected to the corpnet. DHCP is not required for a working DirectAccess solution, but facilitates automatic addressing when the DirectAccess client moves between the corpnet and external networks. The Microsoft Certificate Server is used to provide computer certificates to domain member computers, which can be used for computer authentication and IPsec connectivity. In addition, the Certificate Server is used to obtain Web site certificates for the Network Location Server and the UAG DirectAccess server’s IP-HTTPS listener. Note that a Microsoft Certificate Server is not required for either computer or Web site certificates. However, it is the preferred method for computer certificate assignment as it can significantly lower administrative overhead compared to other approaches. In a production environment, the IP-HTTPS Listener will typically use a commercial certificate, though this is not a requirement; a commercial certificate simplifies DirectAccess client access to the Certificate Revocation List listed in the certificate used by the IP-HTTPS listener, which is required. Both computer and Web site certificates are required for a working DirectAccess solution.
  1. On DC1, in the Initial Configuration Tasks window, click the Add Roles link.
  2. On the Before You Begin page, click Next.
  3. On the Select Server Roles page, put a checkmark in the Active Directory Certificate Services and DHCP Server checkboxes. Click Next.
  4. On the Introduction to DHCP Server page, click Next.
  5. On the Select Network Connection Bindings page, confirm that 10.0.0.1 is selected in the Network Connections section. Click Next.
  6. On the Specify IPv4 DNS Server Settings dialog page, confirm that the Parent domain text box contains corp.contoso.com. In the Preferred DNS server IPv4 address text box, enter 10.0.0.1. Click Validate. A green circle with a checkmark should appear and it should state Valid to the right of that circle. Click Next.
  7. On the Specify IPv4 WINS Server Settings page, click Next.
  8. On the Add or Edit DHCP Scopes page, click the Add button.
  9. In the Add Scope dialog box, in the Scope name text box enter Corpnet. In the Starting IP address text box, enter 10.0.0.100. In the Ending IP address text box, enter 10.0.0.150. In the subnet mask text box, enter 255.255.255.0. Click OK.
  10. On the Add or Edit DHCP Scopes page, click Next.
  11. On the Configure DHCPv6 Stateless Mode page, select the Disable DHCPv6 stateless mode for this server option and click Next. (Note: Disabling stateless mode is not a requirement for the DirectAccess solution; this option is selected because we are not using a native IPv6 infrastructure in this lab).
  12. On the Authorize DHCP Server page, click Next.
  13. On the Introduction to Active Directory Certificate Services page, click Next.
  14. On the Select Role Services page, confirm that there is a checkmark in the Certification Authority checkbox, then click Next.
  15. On the Specify Setup Type page, confirm that Enterprise is selected and click Next. (Note: An Enterprise CA is used so that autoenrollment automatically distributes the CA and computer certificates).
  16. On the Specify CA Type page, confirm that Root CA is selected and click Next.
  17. On the Set Up Private key page, confirm that Create a new private key is selected and click Next.
  18. On the Configure Cryptography for CA page, click Next.
  19. On the Configure CA Name page, click Next.
  20. On the Set Validity Period page, click Next.
  21. On the Configure Certificate Database page, click Next.
  22. On the Confirm Installation Selections page, click Install.
  23. On the Installation Results page, click Close.

J.       Create a New Administrator Account in Active Directory on DC1

As a network management best practice, the default domain administrator account should not be used for regular network operations. For this reason a new domain administrator account is created and used when making configuration changes. Using an alternate domain admin account is not required for a functional DirectAccess solution, and is done as a best practice example for this lab.
  1. On DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, expand corp.contoso.com, right-click Users, point to New, and then click User.
  3. In the New Object - User dialog box, next to Full name, type User1, and in User logon name, type User1.
  4. Click Next.
  5. In Password, type the password that you want to use for this account, and in Confirm password, type the password again.
  6. Clear the User must change password at next logon check box, and select the Password never expires check box.
  7. Click Next, and then click Finish.
  8. In the console tree, click Users.
  9. In the details pane, double-click Domain Admins.
  10. In the Domain Admins Properties dialog box, click the Members tab, and then click Add.
  11. Under Enter the object names to select (examples), enter User1, and then click OK twice.
  12. Leave the Active Directory Users and Computers console open for the following procedure.

K.     Create a Security Group for DirectAccess Clients on DC1

When you run the UAG DirectAccess wizard on the UAG1 computer, the wizard will create Group Policy Objects and deploy them in Active Directory. One GPO is created for the UAG DirectAccess server, and another is created for DirectAccess clients. Security group filtering is used to apply the DirectAccess client GPO settings only to members of the DirectAccess clients security group. To obtain the settings required to be a DirectAccess client, the computer must be a member of this security group. Do not use any of the built-in security groups as your DirectAccess security group. Use the following procedure to create the DirectAccess security group. This group is required for a working DirectAccess solution.
  1. On DC1, in the Active Directory Users and Computers console tree, right-click Users, point to New, and then click Group.
  2. In the New Object - Group dialog box, under Group name, enter DA_Clients. (Note that the group name “DA_Clients” is not a mandatory name; you can use any name you like for the DirectAccess clients security group).
  3. Under Group scope, choose Global, under Group type, choose Security, and then click OK.
  4. Close the Active Directory Users and Computers console.

L.      Create and Deploy a Security Template for the IP-HTTPS Listener Certificate and Network Location Server Certificate

A Web site certificate is required for the Network Location Server so that computers located on the corporate network can use HTTPS to connect to it. In addition, the UAG DirectAccess server uses a Web site certificate on its IP-HTTPS listener so that it can accept incoming connections from DirectAccess clients that are behind network devices that limit outbound connections to only HTTP/HTTPS. The following procedure describes how to create a Web site certificate template to use for requests to the Microsoft Certificate Server installed on DC1. A Web site certificate bound to the UAG DirectAccess server’s IP-HTTPS listener and a Web site certificate bound to the Network Location Server Web site are both required for a working DirectAccess solution.
  1. On DC1, click Start, enter mmc in the Search box, and then press ENTER.
  2. Click the File menu, and then click Add/Remove Snap-in.
  3. In the list of snap-ins, click Certificate Templates, click Add, and then click OK.
  4. In the console tree, expand Certificate Templates.
  5. In the contents pane, right-click the Web Server template, and then click Duplicate Template.
  6. Click Windows Server 2003 Enterprise, and then click OK. (Note that you can use either the Windows Server 2003 or Windows Server 2008 templates). In Template display name, type Web Server 2003.
  7. Click the Security tab.
  8. Click Authenticated Users, and then select Enroll in the Allow column.
  9. Click Add, enter Domain Computers in the Enter the object names to select text box, and then click OK.
  10. Click Domain Computers, and then select Enroll in the Allow column.
  11. Click the Request Handling tab.
  12. Select Allow private key to be exported. (Note that this is done as a convenience for this lab; making the private key exportable is not required by DirectAccess. However, in order to create a UAG DirectAccess array, the same certificate must be installed on all array members, and enabling export of the private key greatly simplifies this requirement).
  13. Click OK.
  14. Close the MMC window without saving changes.
  15. Click Start, point to Administrative Tools, and then click Certification Authority.
  16. In the console tree, expand corp-DC1-CA, right-click Certificate Templates, point to New, and then click Certificate Template to Issue.
  17. In the list of certificate templates, click Web Server 2003, and then click OK.
  18. In the right pane of the console, you should see the Web Server 2003 certificate template with an Intended Purpose of Server Authentication.
  19. Close the Certification Authority console.

M.    Create ICMPv4 and ICMPv6 Echo Request Firewall Rules in Domain Group Policy on DC1

Support for incoming and outgoing ICMPv4 and v6 is required for Teredo clients. DirectAccess clients will use Teredo as their IPv6 transition technology to connect to the UAG DirectAccess server over the IPv4 Internet when they are assigned a private (RFC 1918) IP address and are located behind a NAT device or firewall. In addition, enabling ping facilitates connectivity testing between participants in the DirectAccess solution.
  1. On DC1, click Start, click Administrative Tools, and then click Group Policy Management.
  2. In the console tree, expand Forest: corp.contoso.com. Then expand Domains, and then expand corp.contoso.com.
  3. In the console tree, right-click Default Domain Policy, and then click Edit.
  4. In the console tree of the Group Policy Management Editor, expand Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security-LDAP://.
  5. In the console tree, click Inbound Rules, right-click Inbound Rules, and then click New Rule.
  6. On the Rule Type page, click Custom, and then click Next.
  7. On the Program page, click Next.
  8. On the Protocols and Ports page, for Protocol type, click ICMPv4, and then click Customize.
  9. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and then click OK.
  10. Click Next.
  11. On the Scope page, click Next.
  12. On the Action page, click Next.
  13. On the Profile page, click Next.
  14. On the Name page, for Name, type Inbound ICMPv4 Echo Requests, and then click Finish.
  15. In the console tree, right-click Inbound Rules, and then click New Rule.
  16. On the Rule Type page, click Custom, and then click Next.
  17. On the Program page, click Next.
  18. On the Protocols and Ports page, for Protocol type, click ICMPv6, and then click Customize.
  19. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and then click OK.
  20. Click Next.
  21. On the Scope page, click Next.
  22. On the Action page, click Next.
  23. On the Profile page, click Next.
  24. On the Name page, for Name, type Inbound ICMPv6 Echo Requests, and then click Finish.
  25. In the console tree, right-click Outbound Rules, and then click New Rule.
  26. On the Rule Type page, click Custom, and then click Next.
  27. On the Program page, click Next.
  28. On the Protocols and Ports page, for Protocol type, click ICMPv4, and then click Customize.
  29. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and then click OK.
  30. Click Next.
  31. On the Scope page, click Next.
  32. On the Action page, click Allow the connection, and then click Next.
  33. On the Profile page, click Next.
  34. On the Name page, for Name, type Outbound ICMPv4 Echo Requests, and then click Finish.
  35. In the console tree, right-click Outbound Rules, and then click New Rule.
  36. On the Rule Type page, click Custom, and then click Next.
  37. On the Program page, click Next.
  38. On the Protocols and Ports page, for Protocol type, click ICMPv6, and then click Customize.
  39. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and then click OK.
  40. Click Next.
  41. On the Scope page, click Next.
  42. On the Action page, click Allow the connection, and then click Next.
  43. On the Profile page, click Next.
  44. On the Name page, for Name, type Outbound ICMPv6 Echo Requests, and then click Finish.
  45. Confirm that the rules you created appear in the Inbound Rules and Outbound Rules nodes. Close the Group Policy Management Editor.
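The same four rules can be created from a command line, which is useful for reproducing the lab on a single test machine or for checking what the GUI procedure produced. The following PowerShell script is an added example and is not part of the original guide; it uses the built-in netsh advfirewall tool, which is available on Windows Server 2008 R2 and Windows 7. Note that it writes to the local firewall store of the machine it runs on, not to the Default Domain Policy GPO that the procedure above edits. ICMP type 8 is the ICMPv4 Echo Request and ICMP type 128 is the ICMPv6 Echo Request, which is what selecting Echo Request under Specific ICMP types configures.

```powershell
# Added example (not from the original guide): create the four ICMP echo request rules
# from the procedure above in the local Windows Firewall store, then verify they exist.
# netsh advfirewall is built in on Windows Server 2008 R2 / Windows 7.
# ICMP type 8  = ICMPv4 Echo Request; ICMP type 128 = ICMPv6 Echo Request.
$rules = @(
    @{ Name = "Inbound ICMPv4 Echo Requests";  Dir = "in";  Protocol = "icmpv4:8,any"   },
    @{ Name = "Inbound ICMPv6 Echo Requests";  Dir = "in";  Protocol = "icmpv6:128,any" },
    @{ Name = "Outbound ICMPv4 Echo Requests"; Dir = "out"; Protocol = "icmpv4:8,any"   },
    @{ Name = "Outbound ICMPv6 Echo Requests"; Dir = "out"; Protocol = "icmpv6:128,any" }
)

$failed = 0
foreach ($rule in $rules) {
    # "show rule" prints "No rules match the specified criteria." when the name is unknown,
    # and one "Rule Name:" line per matching rule otherwise. Skip rules that already exist
    # so the script can be re-run without creating duplicates.
    $existing = netsh advfirewall firewall show rule name="$($rule.Name)"
    if ($existing -match "^Rule Name:") {
        Write-Host "Already present: $($rule.Name)"
        continue
    }

    # Same settings as the wizard: custom rule, any program, any scope, any profile, allow.
    netsh advfirewall firewall add rule name="$($rule.Name)" dir=$($rule.Dir) action=allow protocol=$($rule.Protocol) | Out-Null

    # Verify the rule landed in the store with the expected direction.
    $check = netsh advfirewall firewall show rule name="$($rule.Name)"
    $dirText = if ($rule.Dir -eq "in") { "In" } else { "Out" }
    if (($check -match "^Rule Name:") -and ($check -match "^Direction:\s+$dirText")) {
        Write-Host "Created:         $($rule.Name)"
    } else {
        Write-Host "FAILED:          $($rule.Name)"
        $failed++
    }
}

if ($failed -gt 0) { exit 1 }
```

Run it from an elevated PowerShell prompt. Because the rules above are delivered through the Default Domain Policy, the domain members receive them at the next Group Policy refresh (gpupdate /force on the client forces this); the local variant here is only a convenience for one machine.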

N.     Enable Computer Certificate Autoenrollment in Group Policy for the CORP Domain on DC1

In the DirectAccess solution, computer certificates can be used for computer authentication and IPsec connection establishment. One efficient method for distributing computer certificates is to take advantage of Group Policy based autoenrollment for computer certificates. The following procedure enables autoenrollment for computer certificates for domain member computers.
  1. On DC1, from the Administrative Tools menu, open Group Policy Management.
  2. In the Group Policy Management console, expand Forest: corp.contoso.com and then expand Domains. Expand corp.contoso.com, right-click Default Domain Policy, and then click Edit.
  3. In the console tree of the Group Policy Management Editor, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
  4. In the details pane, right-click Automatic Certificate Request Settings, point to New, and then click Automatic Certificate Request.
  5. In the Automatic Certificate Request Wizard, click Next.
  6. On the Certificate Template page, click Computer, click Next, and then click Finish.
  7. Leave the Group Policy Management Editor open for the next procedure.

O.     Remove CRL Distribution Settings on the Certificate Authority on DC1

When a DirectAccess client uses the IP-HTTPS IPv6 transition protocol to connect to the DirectAccess server over the IPv4 Internet, it must be able to find and check the Certificate Revocation List noted in the Web site certificate presented by the DirectAccess server’s IP-HTTPS listener. In a production environment, a commercial or private certificate can be used for the IP-HTTPS listener certificate. If a commercial certificate is chosen, no action is required to make the CRL available to the DirectAccess client located on the Internet. If a private certificate from your own organization’s PKI is used, then the CRL must be published or made available in some other way to Internet based hosts. In this lab, the CRL check issue is eliminated by configuring the CA to not assign CRL publishing points; this prevents the CRL check from failing when the DirectAccess client connects to the IP-HTTPS listener. Note that this is done as a convenience for this lab and must not be done in a production environment, as it removes the ability to revoke certificates. For a working production DirectAccess solution that supports IP-HTTPS, the CRL must be available to the DirectAccess clients that use IP-HTTPS.
  1. On DC1, click Start, point to Administrative Tools, and then click Certification Authority.
  2. In the console tree, right-click corp-DC1-CA, and then click Properties.
  3. Click the Extensions tab. In Select extension, select CRL Distribution Point (CDP). Check every location listed under Specify locations from which users can obtain a certificate revocation list (CRL), and verify that none of them has Publish CRLs to this location or Publish Delta CRLs to this location selected. (The Authority Information Access (AIA) extension carries no CRL publishing settings.) (NOTE: This step is done as a convenience for this lab, and should not be done in a production environment).
  4. Click OK, click Yes to restart Active Directory Certificate Services, and then close the Certification Authority console.
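In a production deployment the question this section raises is the opposite one: can an Internet host actually retrieve the CRL named in the IP-HTTPS listener certificate? The following PowerShell script is an added example, not part of the original guide. It reads the CRL Distribution Points extension from an exported certificate file, flags the ldap:// locations that an Enterprise CA adds by default (unreachable from the Internet), and tries to download each http:// location from wherever the script is run, so it can be run from a host on the simulated Internet. The file path is an assumption for the example; export the public part of the listener certificate to a .cer file and point the script at it.

```powershell
# Added example (not from the original guide): list the CRL Distribution Points (CDP) in a
# certificate and test which of them an Internet-based DirectAccess client could reach.
# $CertPath is an assumed location; export the IP-HTTPS listener certificate (public key
# only, .cer) and pass the path. Run from a host on the Internet side of UAG1.
param([string]$CertPath = "C:\Certs\iphttps-listener.cer")

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
Write-Host "Certificate: $($cert.Subject)  issued by: $($cert.Issuer)"

# OID 2.5.29.31 is the CRL Distribution Points extension.
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.31" }
if (-not $cdpExt) {
    # This is the state the lab procedure above produces: no CDP means no revocation
    # checking at all, which is acceptable only in a lab.
    Write-Host "No CDP extension present: clients cannot check revocation for this certificate."
    exit 1
}

# Format($true) renders the extension as multi-line text with one "URL=" per location.
$urls = [regex]::Matches($cdpExt.Format($true), "URL=(\S+)") | ForEach-Object { $_.Groups[1].Value }

$reachable = 0
foreach ($url in $urls) {
    if ($url -notlike "http://*") {
        # ldap:// CDPs (the Enterprise CA default) point into Active Directory and are not
        # resolvable from the Internet, so an external client cannot use them.
        Write-Host "SKIP  $url  (not HTTP; unreachable for Internet clients)"
        continue
    }
    try {
        $client = New-Object System.Net.WebClient
        $bytes = $client.DownloadData($url)
        # A DER-encoded CRL begins with an ASN.1 SEQUENCE tag (0x30); anything else
        # (for example an HTML error page served with status 200) is not a CRL.
        if ($bytes.Length -gt 0 -and $bytes[0] -eq 0x30) {
            Write-Host "OK    $url  ($($bytes.Length) bytes, DER CRL)"
            $reachable++
        } else {
            Write-Host "BAD   $url  (downloaded, but content is not a DER CRL)"
        }
    } catch [System.Net.WebException] {
        Write-Host "FAIL  $url  ($($_.Exception.Message))"
    }
}

if ($reachable -eq 0) {
    Write-Host "No HTTP CDP could be retrieved: IP-HTTPS clients on the Internet will fail the CRL check."
    exit 1
}
Write-Host "$reachable HTTP CDP location(s) reachable."
```

If every location is ldap:// or fails to download, either publish the CRL to an Internet-reachable HTTP location and add that URL to the CDP extension before issuing the listener certificate, or use a commercial certificate as the text above suggests.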

P.     Create a Shared Folder on the C:\ Drive on DC1

The DirectAccess client should be able to connect to SMB resources when it is connected to the simulated Internet, or when connecting from behind a NAT device over the Internet. A network share is created on DC1 to test this.
  1. Click Start, and then click Computer.
  2. Double-click the drive on which Windows Server 2008 R2 is installed.
  3. Click New Folder, type Files, and then press ENTER. Leave the Local Disk window open.
  4. Click Start, click All Programs, click Accessories, right-click Notepad, and then click Run as administrator.
  5. In the Untitled – Notepad window, type This is a shared file on DC1.
  6. Click File, click Save, double-click Computer, double-click the drive on which Windows Server 2008 R2 is installed, and then double-click the Files folder.
  7. In File name, type Example.txt, and then click Save. Close the Notepad window.
  8. In the Local Disk window, right-click the Files folder, point to Share with, and then click Specific people.
  9. Click Share, and then click Done. (Note: this provides Full Control Share Permissions to Everyone, and NTFS Full Control permissions to SYSTEM, Administrator, and CORP\Administrators).
  10. Close the Local Disk window.

2.    STEP2: Configure APP1

APP1 is a Windows Server 2008 R2 computer that acts in the role of the Network Location Server on the network. We have chosen not to install the Network Location Server on the domain controller, even though that would have reduced the number of machines required for the lab network. The reason for this is that an NLS on the DC can be problematic if the DC is IPv6 based (which isn’t the case in this lab or in the vast majority of networks at this time). If the DC were IPv6 based, the problem is that when the client is on the corporate network you don’t want it to try to use IPsec to connect to the Network Location Server before it even knows it is inside the corporate network. When this happens, the DirectAccess client applies the public IPv6 policy. The DirectAccess solution creates a client-side policy that exempts network location detection from IPsec, which means that if the NLS were placed on the same IP address as the DC, the DC itself would be exempt from IPsec. To work around this problem you could add another IP address to the DC and host the NLS on that address, or simply put the NLS on another computer. Since it is easier to use a separate computer, and a production environment will use a high availability array for Network Location Servers, we decided to use a separate computer for the Network Location Server.
You will perform the following operations to configure APP1:

A.     Install the operating system on APP1.
Windows Server 2008 R2 is installed on APP1. Note that this is not required, as any machine that can host the SSL web site for the NLS server will work.

B.     Configure TCP/IP Properties on APP1. After installing the operating system on APP1, configure static IP addressing information on its network interface card.

C.     Rename APP1 and Join it to the CORP Domain. To simplify deployment of the Web site certificate, APP1 is joined to the corp.contoso.com domain.

D.     Obtain an NLS Certificate for SSL Connections to the Network Location Server on APP1.
APP1 acts as the Network Location Server. To enable this role, APP1 needs a Web site certificate so that the DirectAccess clients are able to establish an SSL connection to a Web site on APP1. DirectAccess clients access this site by connecting to the Network Location Server name, which is nls.corp.contoso.com in this scenario.

E.      Install the Web Server Role on APP1.
Install IIS Web services on APP1 so that it can host the Network Location Server web site.

F.       Configure the HTTPS Security Binding on the NLS Web Site on APP1. The Web site certificate needs to be bound to a Web site on APP1 so that it can respond to SSL connection requests from the DirectAccess clients on the corporate network.

A.     Install the OS on APP1

The first step is to install Windows Server 2008 R2 Enterprise Edition on APP1. This is not a requirement. The goal is to provide an SSL web site that the DirectAccess clients can connect to so that they can determine if they are on the corporate network.
  1. On APP1, start the installation of Windows Server 2008 R2 Enterprise Edition.
  2. Follow the instructions to complete the installation, specifying Windows Server 2008 R2 Enterprise Edition and a strong password for the local Administrator account. Log on using the local Administrator account.
  3. Connect the network adapter to the Corpnet subnet or the virtual switch representing the corpnet subnet.

B.     Configure TCP/IP Properties on APP1

After installing the operating system on APP1, configure its TCP/IP Properties to provide the server an IP address, subnet mask, DNS server address and connection specific suffix. Note that the connection specific suffix is not required for a working DirectAccess solution, but simplifies name resolution prior to completing the DNS infrastructure in the lab environment.
  1. On APP1, in Initial Configuration Tasks, click Configure networking.
  2. In Network Connections, right-click Local Area Connection, and then click Properties.
  3. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
  4. Select Use the following IP address, enter 10.0.0.3 next to IP address, and enter 255.255.255.0 next to Subnet mask.
  5. Select the Use the following DNS server addresses option. Enter 10.0.0.1 in the Preferred DNS server text box.
  6. Click Advanced, and then click the DNS tab.
  7. In DNS suffix for this connection, enter corp.contoso.com, click OK twice, and then click Close. (Note: configuring a DNS suffix is not required for DirectAccess to work correctly).
  8. Close the Network Connections window.

C.      Rename APP1 and Join it to the corp.contoso.com Domain

The installation routine created a default computer name. The following procedure changes the computer name from its default to APP1 and joins APP1 to the CORP domain.
  1. On APP1, in Initial Configuration Tasks, click Provide computer name and domain.
  2. In the System Properties dialog box, click Change. In the Computer Name/Domain Changes dialog box, in the Computer name text box, enter APP1. In the Member of frame, select the Domain option, and enter corp.contoso.com in the text box. Click OK.
  3. In the Computer Name/Domain Changes dialog box, enter CORP\User1 in the User name text box and the password in the Password text box. Click OK.
  4. After restarting, log on using CORP\User1.

D.     Obtain NLS Certificate for SSL Connections to Network Location Server on APP1

The Network Location Server is used by computers configured to be DirectAccess clients to determine if the DirectAccess client is on the corporate network. If the DirectAccess client can connect to the Network Location Server using HTTPS, then it determines that it is on the corporate network and will not turn on its DirectAccess client configuration. If the computer is not able to connect to the Network Location Server using HTTPS, then it determines that it is off the corporate network and will turn on its DirectAccess client configuration and attempt to use one of several IPv6 transition technologies to connect to the UAG DirectAccess server over the IPv4 Internet. The Network Location Server requires a Web site certificate to enable SSL session establishment with the DirectAccess client. The subject name on this certificate must match the name that the DirectAccess client uses to connect to the Network Location Server. On this lab network, the DirectAccess client tries to connect to nls.corp.contoso.com. This name is used later in the DirectAccess configuration wizard on the UAG server.
  1. On APP1, click Start, enter mmc, and then press ENTER.
  2. Click the File menu, and then click Add/Remove Snap-in.
  3. Click Certificates, click Add, select Computer account, click Next, select Local computer, click Finish, and then click OK.
  4. In the left pane of the console, expand Certificates (Local Computer)\Personal\Certificates.
  5. Right-click Certificates, point to All Tasks, and then click Request New Certificate.
  6. On the Before You Begin page, click Next.
  7. On the Select Certificate Enrollment Policy page, select the Active Directory Enrollment Policy entry and click Next.
  8. On the Request Certificates page, put a checkmark in the Web Server 2003 checkbox, and then click More information is required to enroll for this certificate.
  9. On the Subject tab of the Certificate Properties dialog box, in Subject name section, for Type, select Common Name.
  10. In the Value section, enter nls.corp.contoso.com, and then click Add.
  11. In the Alternative name section, for Type, select DNS.
  12. In Value, type nls.corp.contoso.com, and then click Add.
  13. Click OK, click Enroll, and then click Finish.
  14. In the details pane of the Certificates snap-in, verify that a new certificate with the name nls.corp.contoso.com was enrolled with Intended Purposes of Server Authentication.
  15. Right-click the nls.corp.contoso.com certificate and click Properties.
  16. In the nls.corp.contoso.com Properties dialog box, in the Friendly name text box, enter NLS Certificate. Click OK. (Note: this is not required for the DirectAccess solution to work, but this makes the certificate easy to identify when binding it to the NLS Web site’s SSL listener).
  17. Close the console window. If you are prompted to save settings, click No.

E.      Install the Web Server Role on APP1

APP1 hosts the Network Location Server. Since the Network Location Server is a web server that can accept SSL connections from computers configured to be DirectAccess clients, the web server role is required on the Network Location Server.
  1. On APP1, in the Initial Configuration Tasks window, click the Add Roles link.
  2. On the Before You Begin page, click Next.
  3. On the Select Server Roles page, select the Web Server (IIS) check box, and then click Next.
  4. On the Introduction to Web Server (IIS) page, click Next.
  5. On the Select Role Services page, click Next.
  6. On the Confirm Installation Selections page, click Install.
  7. Verify that all installations were successful, and then click Close.

F.      Configure the HTTPS Security Binding on the NLS Web Site on APP1

After the web server role is installed, the web site certificate must be bound to the Network Location Server web site. This is required for the web server to establish an SSL connection with the computer configured as a DirectAccess client, and is a required component of a DirectAccess solution.
  1. On APP1, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. In the left pane of the console, open APP1\Sites, and then click Default Web Site.
  3. In the Actions pane, click Bindings.
  4. In the Site Bindings dialog box, click Add.
  5. In the Add Site Binding dialog box, in Type, click https. In SSL Certificate, click the NLS Certificate.
  6. Click the View button.
  7. In the Certificate dialog box, confirm that the certificate was Issued to: nls.corp.contoso.com. (this is the name the DirectAccess client computer must use to connect to the Network Location Server).
  8. In the Add Site Binding dialog box, click OK.
  9. In the Site Bindings dialog box, click Close.
  10. Close the Internet Information Services (IIS) Manager console.
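Once the certificate from section D is bound as in section F, the whole NLS path can be verified from a domain-joined client on the corpnet. The following PowerShell script is an added example and is not part of the original guide. It performs the same three checks a DirectAccess client effectively performs: the NLS name resolves, an HTTPS connection to that name succeeds with normal certificate validation left on, and the certificate presented carries the name the client connected to (nls.corp.contoso.com). The $NlsName parameter defaults to the lab value and is the only assumption.

```powershell
# Added example (not from the original guide): verify the Network Location Server from a
# client on the corpnet, the way a DirectAccess client decides it is "inside".
# $NlsName defaults to the lab's NLS name; pass a different name for another deployment.
param([string]$NlsName = "nls.corp.contoso.com")

$ok = $true

# 1. Name resolution: in this lab the name should resolve to APP1 (10.0.0.3).
try {
    $addresses = [System.Net.Dns]::GetHostAddresses($NlsName) | ForEach-Object { $_.IPAddressToString }
    Write-Host "$NlsName resolves to: $($addresses -join ', ')"
} catch {
    Write-Host "FAIL: $NlsName does not resolve ($($_.Exception.Message))"
    exit 1
}

# 2. HTTPS connection with the default certificate validation in place. An untrusted
#    issuer, an expired certificate or a name mismatch all fail here, exactly as they
#    would for the DirectAccess client, so no validation callback is installed.
$request = [System.Net.HttpWebRequest]::Create("https://$NlsName/")
$request.Timeout = 10000
try {
    $response = $request.GetResponse()
    Write-Host "HTTPS status: $([int]$response.StatusCode) $($response.StatusDescription)"
    $response.Close()
} catch [System.Net.WebException] {
    Write-Host "FAIL: HTTPS connection to $NlsName failed ($($_.Exception.Message))"
    exit 1
}

# 3. The certificate the server presented stays on the ServicePoint after the exchange.
#    GetNameInfo(DnsName) returns the SAN DNS name when present, otherwise the CN.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $request.ServicePoint.Certificate
$dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
Write-Host "Certificate name: $dnsName"
Write-Host "Issued by:        $($cert.Issuer)"
Write-Host "Valid until:      $($cert.NotAfter)"

if ($dnsName -ne $NlsName) {
    Write-Host "FAIL: certificate name '$dnsName' does not match '$NlsName'"
    $ok = $false
}
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Host "FAIL: certificate has expired"
    $ok = $false
}

if ($ok) { Write-Host "NLS check passed: a DirectAccess client would detect the corpnet." } else { exit 1 }
```

Running the same script from a host on the simulated Internet should fail at step 1 or 2; that failure is what tells the DirectAccess client it is outside and should enable its DirectAccess configuration, so an NLS that is reachable from the Internet is itself a misconfiguration.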

3.    STEP3: Configure APP3

APP3 is a Windows Server 2003 SP2 Enterprise Edition computer that acts as an IPv4 only host and is used to demonstrate DirectAccess connectivity to IPv4 only resources using the UAG DNS64 and NAT64 features. APP3 hosts both HTTP and SMB resources that the DirectAccess client computer will be able to access from the simulated Internet. The UAG NAT64/DNS64 feature set enables organizations to deploy DirectAccess without requiring them to upgrade network resources to native IPv6 or even make them IPv6 capable.
For more information on NAT64/DNS64 please see Deep Dive Into DirectAccess – NAT64 and DNS64 in Action
The following operations are performed to configure APP3:

A.     Install the operating system on APP3 and Disable the Firewall
The first step is to install Windows Server 2003 Enterprise Edition SP2 on APP3. This is not a requirement. You could use another IPv4 only operating system, such as Windows 2000 Server or even Windows XP. The goal is to provide an IPv4 resource for the DirectAccess clients to connect to from over the Internet.

B.     Install Web services on APP3
Install IIS Web services on APP3 so that HTTP connectivity over the DirectAccess connection to an IPv4 only host is demonstrated.

C.     Create a shared folder on APP3
Create a shared folder on APP3 to demonstrate SMB connectivity over the DirectAccess connection.

A.     Install the OS on APP3 and Disable the Firewall

The first step is to install Windows Server 2003 Enterprise Edition SP2 on APP3. This is not a requirement. You could use another IPv4 only operating system, such as Windows 2000 Server or even Windows XP. The goal is to provide an IPv4 resource for the DirectAccess clients to connect to from over the Internet.
  1. Start the installation of Windows Server 2003.
  2. On the Welcome to the Windows Setup Wizard page, click Next.
  3. On the Regional and Language Options page, click Next.
  4. On the Personalize Your Software page, enter your Name and Organization information, click Next.
  5. On the Licensing Modes page, select the Per server. Number of concurrent connections option and enter 100. Click Next.
  6. On the Computer Name and Administrator Password page, in the Computer name text box, enter APP3. Enter a complex Administrator password and Confirm password. Click Next.
  7. On the Date and Time Settings page, set the correct date and time and click Next.
  8. On the Networking Settings page, select Custom Settings and click Next.
  9. On the Networking Components page, select Internet Protocol (TCP/IP) and click Properties.
  10. On the Internet Protocol (TCP/IP) Properties page, select the Use the following IP address option. In the IP address text box, enter 10.0.0.4. In the Subnet Mask text box, enter 255.255.255.0. Select the Use the following DNS server addresses option. In the Preferred DNS server text box, enter 10.0.0.1.
  11. In the Internet Protocol (TCP/IP) Properties dialog box, click the Advanced button.
  12. In the Advanced TCP/IP Settings dialog box, click the DNS tab.
  13. On the DNS tab, in the DNS Suffix for this connection text box, enter corp.contoso.com. Click OK. In the Internet Protocol (TCP/IP) Properties dialog box, click OK. On the Networking Components page, click Next.
  14. On the Workgroup or Computer Domain page, select the Yes, make this computer a member of the following domain option. In the text box under that option, enter CORP.
  15. In the Join Computer to CORP Domain dialog box, in the User name text box, enter CORP\User1 and in the Password text box, enter User1’s password. Click OK.
  16. Log on as CORP\User1.
  17. Click Start, point to Control Panel and point to Network Connections. Right click on Local Area Connection and click Properties.
  18. In the Local Area Connection Properties dialog box, click the Advanced tab.
  19. On the Advanced tab, click the Settings button.
  20. In the Windows Firewall dialog box, on the General tab, select the Off option. (Note: we are turning off the Windows Firewall as a convenience for this lab so that we can ping APP3. In a production environment, you should enable ping selectively through the Windows Firewall).
Note: If you install Windows Server 2003 RTM, there is no Windows Firewall and you will not need to disable the firewall.

B.     Install Web Services

Install IIS Web services on APP3 so that HTTP connectivity can be demonstrated over the DirectAccess connection.
  1. At APP3, click Start and point to Control Panel. Click Add or Remove Programs.
  2. In the Add or Remove Programs window, click Add/Remove Windows Components button.
  3. On Windows Components page, click Application Server and then click Details.
  4. In the Application Server dialog box, put a checkmark in the Internet Information Services (IIS) checkbox. Click OK.
  5. On the Windows Components page, click Next.
  6. On the Completing the Windows Components Wizard page, click Finish.
  7. Close the Add or Remove Programs window.
  8. Click the Internet Explorer icon in the Quick Start Bar.
  9. In the dialog box that informs you Internet Explorer Enhanced Security Configuration is enabled, put a checkmark in the In the future, do not show this message checkbox and then click OK.
  10. In the Internet Explorer address bar, enter http://localhost and press ENTER.
  11. You should see the IIS Under Construction page, indicating that the default IIS Web site is available and running.

C.      Create a Shared Folder on C:\

Create a shared folder on APP3 to demonstrate the ability to connect to an SMB resource on an IPv4 only computer over the DirectAccess connection across the Internet.
  1. At APP3, click Start and click Windows Explorer.
  2. In the left pane of the Windows Explorer window, expand My Computer and click Local Disk (C:)
  3. Click the File menu, point to New and click Folder.
  4. Rename New Folder to Files.
  5. Right click the Files folder and click Sharing and Security.
  6. In the Files Properties dialog box, on the Sharing tab, select the Share this folder option. Accept the default share name, which is Files. Click OK.
  7. Double click the Files folder.
  8. Click the File menu, point to new, and click New Text Document.
  9. Double click the New Text Document.txt file.
  10. In the New Text Document.txt – Notepad window, enter This is a new text document.
  11. Close the Notepad window. In the Notepad dialog box, click Yes to save the changes.

4.    STEP4: Configure UAG1

UAG1 acts as the UAG DirectAccess server for the network. UAG1 will be connected to both the simulated Internet and the intranet and will need one network interface connected to each of these networks. The UAG DirectAccess server provides the following network services:

·        ISATAP router
An ISATAP router is an IPv6 router that advertises subnet prefixes to ISATAP hosts and forwards IPv6 traffic between ISATAP hosts and hosts on other IPv6 subnets. The ISATAP router provides ISATAP clients the information they need to properly configure their ISATAP adapters. For more information about ISATAP, please see
http://technet.microsoft.com/en-us/magazine/2008.03.cableguy.aspx

·        Teredo server
A Teredo server is an IPv6/IPv4 node that is connected to both the IPv4 Internet and the IPv6 intranet and supports a Teredo tunneling interface over which packets are received. The general role of the Teredo server is to assist in the address configuration of Teredo clients and to facilitate the initial communication between Teredo clients and other Teredo clients, or between Teredo clients and IPv6 hosts. The Teredo server listens on UDP port 3544 for Teredo traffic. DirectAccess clients located behind NAT devices and firewalls use Teredo to connect to the UAG DirectAccess server. For more information on Teredo, please see
http://technet.microsoft.com/en-us/library/bb457011.aspx

·        IPsec gateway
The Full Intranet access model (which is used in this lab document) allows DirectAccess clients to connect to all resources inside the intranet. It does this by using IPsec-based tunnel policies that require authentication and encryption; the IPsec sessions terminate at the IPsec gateway. The IPsec gateway is a function that is hosted on the UAG DirectAccess server.

·        IP-HTTPS server
IP-HTTPS is a new protocol for Windows 7 and Windows Server 2008 R2 that allows hosts behind a Web proxy server or firewall to establish connectivity by tunneling IPv6 packets inside an IPv4-based HTTPS session. HTTPS is used instead of HTTP so that Web proxy servers will not attempt to examine the data stream and terminate the connection. The UAG DirectAccess server uses an IP-HTTPS listener to accept incoming IP-HTTPS connections. Note that IP-HTTPS does not work behind authenticating web proxies (when authentication is required) or from behind web proxies that perform outbound SSL inspection.

·        NAT64/DNS64 IPv6/IPv4 protocol translator
The UAG DirectAccess server includes NAT64 and DNS64, which enable DirectAccess clients on the Internet to connect to IPv4 resources on the intranet. DirectAccess clients always use IPv6 to communicate with intranet servers. When a DirectAccess client needs to connect to an IPv4 resource on the intranet, it issues a DNS query for the FQDN of the resource. DNS64 intercepts the request, sends the query to the intranet DNS server, and obtains the IPv4 address of the resource. DNS64 then dynamically generates an IPv6 address that represents the IPv4 resource and returns it to the client; in addition, DNS64 informs NAT64 of the IPv4/IPv6 mapping. The client sends its request to the dynamically generated IPv6 address, which is intercepted by NAT64, and NAT64 forwards the request to the IPv4 address of the intranet resource. NAT64 also translates the response back to the client based on entries in its state table. For more information about DNS64 and NAT64, please see
http://blogs.technet.com/edgeaccessblog/archive/2009/09/08/deep-dive-into-directaccess-nat64-and-dns64-in-action.aspx

·        6to4 relay router
A 6to4 relay router can accept traffic from DirectAccess clients using the 6to4 IPv6 transition technology and forward the traffic over an IPv4 intranet. The UAG DirectAccess server acts as the 6to4 relay router and provides addressing information to the DirectAccess clients. DirectAccess clients use this information to configure their 6to4 tunnel adapter to forward IPv6 messages over the IPv4 Internet to the UAG DirectAccess server. For more information on 6to4 please see
http://technet.microsoft.com/en-us/library/cc756770(WS.10).aspx
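To make the DNS64/NAT64 sequence described in the list above concrete, here is an added Python example. It is not part of this guide and not UAG code; it models what DNS64 does with a name query: an intranet host that already has an AAAA record is answered as-is, while a host that has only an A record gets a synthesized IPv6 address, and the IPv6-to-IPv4 mapping is recorded for NAT64 to use when it translates the traffic. The example assumes the RFC 6052 well-known NAT64 prefix 64:ff9b::/96; the prefix UAG actually uses is assigned by the DirectAccess wizard and is not shown on this page. The zone data is constructed for the example, and the address 10.0.0.4 for APP3 is a placeholder rather than a value from the guide.

```python
import ipaddress
from typing import Dict, List

# Assumption: the RFC 6052 well-known NAT64 prefix. UAG assigns its own
# NAT64 prefix; substitute it here to compare with a real lab.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed zone data standing in for the intranet DNS server on DC1.
# APP1 has an ISATAP AAAA record; APP3 is the IPv4-only host and has only
# an A record. 10.0.0.4 for APP3 is a placeholder, not a value from the guide.
INTRANET_ZONE: Dict[str, Dict[str, List[str]]] = {
    "app1.corp.contoso.com": {
        "A": ["10.0.0.3"],
        "AAAA": ["2002:836b:2:8000:0:5efe:a00:3"],
    },
    "app3.corp.contoso.com": {"A": ["10.0.0.4"]},
}


def synthesize_aaaa(ipv4: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> str:
    """DNS64 side: embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 NAT64 prefixes")
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def extract_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> str:
    """NAT64 side: recover the IPv4 destination from a synthesized address."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        raise ValueError(f"{ipv6} is not inside the NAT64 prefix {prefix}")
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


class Dns64:
    """Minimal DNS64 resolver sitting in front of an intranet zone."""

    def __init__(self, zone: Dict[str, Dict[str, List[str]]],
                 prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> None:
        self.zone = zone
        self.prefix = prefix
        # Synthesized IPv6 -> real IPv4; this is what NAT64 needs in its state table.
        self.nat64_mappings: Dict[str, str] = {}

    def query_aaaa(self, fqdn: str) -> List[str]:
        records = self.zone.get(fqdn.lower().rstrip("."), {})
        # A host with a native IPv6 address is answered unchanged; the client
        # talks to it directly (over ISATAP in this lab), NAT64 is not involved.
        if records.get("AAAA"):
            return list(records["AAAA"])
        # IPv4-only host: synthesize one IPv6 address per A record and tell
        # NAT64 which IPv4 address each one stands for.
        synthesized = []
        for ipv4 in records.get("A", []):
            v6 = synthesize_aaaa(ipv4, self.prefix)
            self.nat64_mappings[v6] = ipv4
            synthesized.append(v6)
        return synthesized


if __name__ == "__main__":
    resolver = Dns64(INTRANET_ZONE)
    for name in ("app1.corp.contoso.com", "app3.corp.contoso.com"):
        print(name, "->", resolver.query_aaaa(name))
    print("NAT64 state:", resolver.nat64_mappings)
```

The lookup for APP1 returns its ISATAP address untouched, the lookup for APP3 returns 64:ff9b::a00:4, and `extract_ipv4` on that address gives 10.0.0.4 back, which is the translation NAT64 performs on the forwarded packets.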

The following procedures are performed on the UAG1 computer or virtual machine:

A.     Install the operating system on UAG1.
The first step is to install the Windows Server 2008 R2 operating system on UAG1. Forefront Unified Access Gateway 2010 requires Windows Server 2008 R2.

B.     Configure TCP/IP Properties on UAG1.
After installing the operating system on UAG1, configure the TCP/IP Properties to provide the server an IP address, subnet mask, DNS server address and connection specific suffix on both the internal and external interfaces. Settings are configured on both the Internet and the corpnet interfaces.

C.     Rename UAG1 and Join it to the corp.contoso.com Domain
Change the default computer name assigned during setup to UAG1 and join it to the CORP domain. Domain membership is required for the DirectAccess solution.

D.     Obtain a Certificate for the IP-HTTPS Listener on UAG1
The UAG DirectAccess server uses an IP-HTTPS listener to accept incoming IP-HTTPS connections from DirectAccess clients on the Internet. The IP-HTTPS Listener requires a web site certificate to support the SSL connection between itself and the DirectAccess client.

E.      Install Forefront UAG on UAG1
Install the Forefront Unified Access Gateway software on UAG1.

F.      Run the UAG Getting Started Wizard on UAG1
The UAG Getting Started Wizard walks you through the process of initial configuration of the UAG server.

G.     Run the UAG DirectAccess Configuration Wizard on UAG1
DirectAccess is not enabled by default. The UAG DirectAccess wizard must be run to enable DirectAccess features and capabilities on UAG1.

H.     Confirm Group Policy Settings on UAG1
The UAG DirectAccess wizard configures GPOs and settings that are automatically deployed to Active Directory. One GPO is assigned to the UAG DirectAccess server, and one is deployed to machines that belong to the DirectAccess Clients security group. This step confirms that the Group Policy settings were deployed to the UAG DirectAccess server.

I.       Confirm IPv6 Settings on UAG1
For the DirectAccess solution to function, the IPv6 settings on UAG1 must be correct. This step confirms these settings on UAG1.

J.       Update IPv6 Settings on DC1
DC1 is capable of being an ISATAP host. However, this functionality might not be immediately available. This step expedites DC1 setting itself up as an ISATAP host by updating its IPv6 configuration.

K.     Update IPv6 Settings on APP1
APP1 is capable of being an ISATAP host. However, this functionality might not be immediately available. This step expedites APP1 setting itself up as an ISATAP host by updating its IPv6 configuration.

L.      Confirm IPv6 Address Registration in DNS
IPv6 capable hosts can communicate with one another over IPv6 using their ISATAP adapters. However, they must be able to resolve the destination host to an IPv6 address to use this capability. This step confirms that the IPv6 ISATAP addresses are registered in DNS.

M.   Confirm IPv6 Connectivity between DC1/APP1/UAG1
After activating the IPv6 settings on DC1, APP1 and UAG1, test IPv6 connectivity by using the ping utility.

A.     Install the OS on UAG1

The first step is to install the Windows Server 2008 R2 operating system on UAG1. Forefront Unified Access Gateway 2010 requires Windows Server 2008 R2.
  1. At UAG1, start the installation of Windows Server 2008 R2.
  2. Follow the instructions to complete the installation, specifying Windows Server 2008 R2 Enterprise Edition and a strong password for the local Administrator account. Log on using the local Administrator account.
  3. Connect one network interface to the simulated Internet or virtual switch representing the simulated Internet and one to the corpnet or virtual switch representing the corpnet.

B.     Configure TCP/IP Properties on UAG1

After installing the operating system on UAG1, configure the TCP/IP Properties to provide the server an IP address, subnet mask, DNS server address and connection specific suffix on both the internal and external interfaces. Settings are configured on both the Internet and the corpnet interfaces. Note that you will enter two consecutive public IP addresses on the external interface of UAG1. This is required to support DirectAccess clients and Teredo. Public IP addresses are required. If you use private IP addresses on the external interface, the UAG DirectAccess Configuration Wizard will warn you of the configuration error and not enable DirectAccess.
  1. At UAG1, in Initial Configuration Tasks, click Configure networking.
  2. In Network Connections, right-click the network connection that is connected to the Corpnet subnet or virtual switch, and then click Rename.
  3. Enter Corpnet, and then press ENTER.
  4. Right-click Corpnet, and then click Properties.
  5. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
  6. Select Use the following IP address. In IP address, enter 10.0.0.2. In Subnet mask, enter 255.255.255.0.
  7. Select Use the following DNS server addresses. In Preferred DNS server, enter 10.0.0.1.
  8. Click Advanced, and then the DNS tab.
  9. In DNS suffix for this connection, enter corp.contoso.com, click OK twice, and then click Close. (A connection specific DNS suffix is not required for DirectAccess to work correctly).
  10. In the Network Connections window, right-click the network connection that is connected to the Internet subnet, and then click Rename.
  11. Enter Internet, and then press ENTER.
  12. Right-click Internet, and then click Properties.
  13. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
  14. Select Use the following IP address. In IP address, enter 131.107.0.2. In Subnet mask, enter 255.255.255.0.
  15. Click Advanced. On the IP Settings tab, click Add for IP Addresses.
  16. In IP address, enter 131.107.0.3. In Subnet mask, enter 255.255.255.0, and then click Add.
  17. Click the DNS tab.
  18. In DNS suffix for this connection, enter isp.example.com, and then click OK twice and then click Close. (A connection specific DNS suffix is not required for DirectAccess to work correctly).
  19. Close the Network Connections window.
  20. To check network communication between UAG1 and DC1, click Start, click All Programs, click Accessories, and then click Command Prompt.
  21. In the command window, enter ping dc1.corp.contoso.com and press ENTER. Verify that there are four responses from 10.0.0.1.
  22. Close the command window.

C.      Rename the Computer and Join UAG1 to the corp.contoso.com Domain

Change the default computer name assigned during setup to UAG1 and join UAG1 to the corp.contoso.com domain.
  1. At the UAG1 computer or virtual machine, in the Initial Configuration Tasks window, click the Provide computer name and domain link.
  2. On the Computer Name tab, click the Change button.
  3. In the Computer Name/Domain Changes dialog box, in the Computer name text box, enter UAG1. In the Member of frame, select the Domain option. Enter corp.contoso.com in the text box. Click OK.
  4. In the Windows Security dialog box, in the User name text box enter Administrator and enter the CORP domain’s Administrator password. Click OK.
  5. Click OK in the Welcome to the domain dialog box.
  6. Click OK in the Computer Name/Domain Changes dialog box informing you that you must restart the computer.
  7. Click Close in the System Properties dialog box.
  8. Click Restart Now in the dialog box informing you that you must restart to apply the changes.
  9. Log on as CORP\User1.

D.     Obtain the IP-HTTPS Listener Certificate on UAG1

The UAG DirectAccess server uses an IP-HTTPS listener to accept incoming IP-HTTPS connections from DirectAccess clients on the Internet. The IP-HTTPS listener requires a web site certificate to support the SSL connection between itself and the DirectAccess client. The common name on this certificate must be the name the external DirectAccess client uses to connect to the IP-HTTPS listener, and that name must be resolvable using an Internet based DNS server to the first of the two consecutive IP addresses bound to the external interface of the UAG DirectAccess server. Perform the following steps to obtain the IP-HTTPS certificate.
  1. At UAG1, click Start, type mmc, and then press ENTER. Click Yes at the User Account Control prompt.
  2. Click File, and then click Add/Remove Snap-ins.
  3. Click Certificates, click Add, click Computer account, click Next, select Local computer, click Finish, and then click OK.
  4. In the console tree of the Certificates snap-in, open Certificates (Local Computer)\Personal\Certificates.
  5. Right-click Certificates, point to All Tasks, and then click Request New Certificate.
  6. Click Next twice.
  7. On the Request Certificates page, click Web Server 2003, and then click More information is required to enroll for this certificate.
  8. On the Subject tab of the Certificate Properties dialog box, in Subject name, for Type, select Common Name.
  9. In Value, type uag1.contoso.com, and then click Add.
  10. In Alternative name, for Type, select DNS.
  11. In Value, enter uag1.contoso.com, and then click Add.
  12. Click OK, click Enroll, and then click Finish.
  13. In the details pane of the Certificates snap-in, verify that a new certificate with the name uag1.contoso.com was enrolled with Intended Purposes of Server Authentication.
  14. Right-click the certificate and then click Properties.
  15. In the Friendly Name text box, enter IP-HTTPS Certificate, and then click OK.
  16. Close the console window. If you are prompted to save settings, click No.

E.      Install Forefront UAG on UAG1

Install the Forefront Unified Access Gateway software on UAG1.
  1. At UAG1, insert the Forefront UAG DVD into the optical drive. (Note: Ensure you install Forefront UAG from the DVD. Network installations are not supported.)
  2. Click Start, click Computer, double-click the DVD drive Forefront UAG 2010, and then double-click Setup.
  3. In the Setup window, under Prepare and Install, click Install Forefront UAG. Click Yes in the User Account Control dialog box.
  4. On the Welcome to the Forefront UAG Setup Wizard page, click Next.
  5. Read the License Terms, and if you choose to proceed, select I accept the License Terms for Microsoft Software, and then click Next.
  6. On the Select Installation Location page, click Next, and wait for the installation to complete successfully.
  7. On the You have successfully completed the Forefront UAG Setup page, click Restart now, and then click Next. Wait for the server to restart.
  8. Log on to UAG1 as CORP\User1.

F.      Run the UAG Getting Started Wizard

The UAG Getting Started Wizard walks you through the process of initial configuration of the UAG server. This will set up the basic information required to configure the networking settings on the server, define the server topology (standalone or array) and whether or not to join Microsoft update for updating the server.
  1. At UAG1, click Start, point to All Programs, click Microsoft Forefront UAG, and then click Forefront UAG Management.  Click Yes in the User Account Control dialog box. UAG will start to configure itself for the first time. The Getting Started Wizard splash screen appears.
  2. In the Getting Started Wizard, click Configure Network Settings to start the Network Configuration Wizard.
  3. On the Welcome to the Network Configuration Wizard page, click Next.
  4. On the Define Network Adapters page, select Corpnet in the Internal column, and Internet in the External column. Leave SSL Network tunneling as unassigned, and then click Next.
  5. On the Define Internal Network IP Address Range page, verify that the range that appears is 10.0.0.0 to 10.0.0.255, and then click Next.
  6. On the Completing the Network Configuration Wizard page, click Finish.
  7. On the Getting Started Wizard, click Define Server Topology.
  8. On the Welcome to the Server Management Wizard page, click Next.
  9. On the Select Configuration page, select Single server, and then click Next.
  10. On the Completing the Server Management Wizard page, click Finish.
  11. In the Getting Started Wizard, click Join Microsoft Update.
  12. On the Use Microsoft Update for Forefront UAG page, select I don’t want to use Microsoft Update, and then click OK. (NOTE: in a production environment it is highly recommended that you select the use Microsoft Update option).
  13. On the Getting Started Wizard page, click Close.
  14. In the Getting Started Wizard dialog box, when prompted Do you want to activate the configuration now, click Yes.
  15. On the Activate Configuration page, enter a password and confirm the password for the backup file that will save the current UAG configuration. Click Next.
  16. On the Activate Configuration page, confirm that there is a checkmark in the Back up configuration before performing this activation checkbox, then click Activate.
  17. Wait for the Activation completed successfully message, and then click Finish.
  18. To exit the Microsoft Forefront UAG Management console, click the File menu, click Exit, and then click Yes when prompted Do you want to close the Forefront UAG Management console.

G.     Run the UAG DirectAccess Configuration Wizard

DirectAccess is not enabled by default. To enable DirectAccess features and capabilities on UAG1, you need to run the DirectAccess Configuration wizard. After running the DirectAccess Configuration Wizard, two new Group Policy objects are created – one is linked to the computer account for the UAG DirectAccess server, and the second is linked to the DirectAccess clients security group (DA_Clients) you configured earlier. In addition, the IPv6 components, including support for IPv6 transition technologies and IPv6/IPv4 protocol transition technologies are enabled on the UAG DirectAccess server.
  1. Click Start, point to All Programs, click Microsoft Forefront UAG, and then click Forefront UAG Management. Click Yes in the User Account Control dialog box.
  2. In the left pane of the Forefront Unified Access Gateway console, click DirectAccess. In the Forefront UAG DirectAccess Configuration pane, in the Clients box, click Configure.
  3. On the UAG DirectAccess Client Configuration dialog box, click Add.
  4. In the Select Group dialog box, enter DA_Clients, click OK, and then click Finish. (Note that you must use the custom security group that you created for the DirectAccess clients. Never use a built-in security group).
  5. In the DirectAccess Server box, click Configure.
  6. On the Connectivity page, in First Internet-facing IPv4 address, select 131.107.0.2. In Internal IPv4 address, select 10.0.0.2, and then click Next. (Note the information that appears regarding ISATAP being enabled on the UAG server, and that an ISATAP entry must be entered into DNS and that ISATAP must be removed from the Global Query Block List. This procedure was carried out earlier during configuration of DC1).
  7. On the Managing DirectAccess Services page, click Next. (Note: the default settings on this page enable both NAT64 and DNS64, which allow DirectAccess clients to communicate with IPv4 only servers and resources on the corpnet).
  8. On the Authentication Options page, for Browse and select a root or intermediate certificate that verifies certificates sent by DirectAccess clients, select Use root certificate, and then click Browse. In the list of certificates, click the corp-DC1-CA root certificate, and then click OK.
  9. For Select the certificate that authenticates the UAG DirectAccess server to a client connecting using IP-HTTPS, click Browse. In the list of certificates, click the IP-HTTPS certificate, click OK, and then click Finish.
  10. In the Infrastructure Servers box, click Configure.
  11. On the Network Location Server page, enter nls.corp.contoso.com, click Validate and wait for the notice Validation successful. The URL https://nls.corp.contoso.com is reachable, and then click Next.
  12. On the DNS Suffixes page, click Next. (Note: the DNS suffixes listed on this page determine what communications are sent through the DirectAccess tunnel to the DirectAccess server and to the corpnet.)
  13. On the Management Servers and DCs page, click the Domains\corp.contoso.com entry. Note in the Servers List that DC1.corp.contoso.com was automatically discovered. Click Finish. (Note: infrastructure servers are those servers that are accessed through the infrastructure tunnel, which is established before the user logs on. The infrastructure tunnel enables DirectAccess client computer management even when there is no logged on user).
  14. In the Application Servers box, click Configure. Confirm that the Require end-to-edge authentication and encryption option is selected. Click Finish.
  15. In the Forefront UAG DirectAccess pane, click Generate Policies.
  16. In the Forefront UAG DirectAccess Configuration Review dialog box, click Apply Now. After the script has finished executing, in the DirectAccess Policy Configuration message box, click OK, and then click Close.
  17. In the Microsoft Forefront UAG Management console, click the File menu, and then click Activate. In the Activate Configuration dialog box, click Activate. Wait for the Activation completed successfully message, and then click Finish.
  18. To exit the Microsoft Forefront UAG Management console, click the File menu, click Exit, and then click Yes when prompted Do you want to close the Forefront UAG Management console.

H.     Confirm Group Policy Settings on UAG1

The UAG DirectAccess wizard configures GPOs and settings that are automatically deployed to the Active Directory. One GPO is assigned to the UAG DirectAccess server, and one is deployed to machines that belong to the DirectAccess Clients security group. The following steps confirm that the Group Policy settings were deployed to the UAG DirectAccess server.
  1. *Go to DC1. At DC1, click Start, point to Administrative Tools and click Group Policy Management.
  2. Expand Forest: corp.contoso.com and then expand Domains and then expand corp.contoso.com.
  3. You will find two new GPOs linked to the default domain policy. UAG DirectAccess: Client{3491980e-ef3c-4ed3-b176-a4420a810f12} is applied to members of the DA_Clients security group. UAG DirectAccess: DaServer{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300} is applied to the UAG server. Confirm that the correct security filtering is done for each of these Group Policy Objects by clicking on the GPO and then viewing the entries in the Security Filtering section on the Scope tab in the right pane of the console.
  4. *Go to UAG1. Open an elevated command prompt. Change the focus to c:\Users\User1\Desktop.
  5. At the command prompt, enter gpupdate /force
  6. At the command prompt, enter gpresult /scope computer /f /h report.html and press ENTER.
  7. On the desktop, double click the report file. In the Group Policy Objects section, notice in the Group Policy Objects\Applied GPOs section that UAG DirectAccess: DaServer{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300} appears, which shows that the DirectAccess server GPO has been applied to UAG1. Close the Internet Explorer window.
  8. Click Start and enter Firewall in the Search box and press ENTER.
  9. In the Windows Firewall with Advanced Security console, notice in the middle pane that it says that the Domain Profile is Active and Public Profile is Active. It is important that the Windows Firewall is enabled and both the Domain and Public Profiles are active. If the Windows Firewall with Advanced Security is disabled, or if Domain or Public profiles are disabled, then DirectAccess will not work correctly.
  10. In the left pane of the Windows Firewall with Advanced Security Console, click the Connection Security Rules node. Notice in the middle pane of the console that there are two connection security rules: UAG DirectAccess Gateway – Clients Access Enabling Tunnel – All and UAG DirectAccess Gateway – Clients Corp Tunnel. The first rule is used for the infrastructure tunnel and the second rule is used to establish the intranet tunnel. Both of these rules are delivered to UAG1 using Group Policy.
  11. Close the Windows Firewall with Advanced Security console.

I.       Confirm IPv6 Settings on UAG1

For the DirectAccess solution to function, the IPv6 settings on UAG1 must be correct. The following steps confirm these settings on UAG1.
  1. At UAG1, click Start and right click on the command prompt and click Run as administrator. Click Yes in the User Account Control dialog box.
  2. In the command prompt window, enter ipconfig /all and press ENTER.
  3. The ipconfig /all display shows information related to the UAG1 networking configuration. There are several sections of interest. The Tunnel adapter 6TO4 Adapter section shows information that includes the global IPv6 addresses used by UAG1 on its external interface. The Tunnel adapter isatap.corp.contoso.com section shows information regarding UAG1’s ISATAP interface; here you find the ISATAP address for UAG1. In the Tunnel adapter IPHTTPSInterface section, you’ll see information regarding the IP-HTTPS interface. If you are using the IP addressing scheme used in this lab, you should see the following addresses:
    6TO4 Adapter: 2002:836b:2::836b:2 and 2002:836b:2::836b:3
    ISATAP: 2002:836b:2:8000:0:5efe:10.0.0.2
    IPHTTPS: 2002:836b:2:8100:c887:6a74:6ef0:bf (the first four groups, 2002:836b:2:8100, are the IP-HTTPS prefix; the remaining groups form the interface identifier and will vary from lab to lab because of how the IP-HTTPS address is generated)
  4. To see information regarding the Teredo interface on UAG1, enter netsh interface teredo show state and press ENTER. The output should include an entry State: online.

J.       Update IPv6 Settings on DC1

DC1 is capable of being an ISATAP host. However, this functionality might not be immediately available. You can expedite DC1 setting itself up as an ISATAP host by updating its IPv6 configuration.
  1. *At DC1, click Start and then right click the command prompt icon. Click Run as administrator.
  2. In the command prompt window, enter sc control iphlpsvc paramchange and press ENTER.
  3. Close the command prompt window after the command completes.

K.     Update IPv6 Settings on APP1

APP1 is capable of being an ISATAP host. However, this functionality might not be immediately available. You can expedite APP1 setting itself up as an ISATAP host by updating its IPv6 configuration.
  1. *At APP1, click Start and then right click the command prompt icon. Click Run as administrator.
  2. In the command prompt window, enter sc control iphlpsvc paramchange and press ENTER.
  3. Close the command prompt window after the command completes.

L.      Confirm IPv6 Address Registration in DNS

IPv6 capable hosts can communicate with one another over an IPv4 network using IPv6 on their ISATAP adapters. However, they must be able to resolve the destination host to an IPv6 address to use this capability. The following steps confirm that the IPv6 ISATAP addresses are registered in DNS.
  1. *At DC1, click Start, point to Administrative Tools and click DNS.
  2. In the DNS Manager, expand the server name, then expand the Forward Lookup Zones node in the left pane of the console. Click corp.contoso.com.
  3. Click the Name column in the right pane of the console so that computer names are listed alphabetically. For APP1, DC1 and UAG1 there should be an IPv4 address and IPv6 address. If there is no IPv6 address, return to the machine that does not have an IPv6 address and open an elevated command prompt. At the elevated command prompt enter ipconfig /registerdns. Then return to the DNS console on DC1 and confirm that the IPv6 address is registered in DNS. If the IPv6 address does not appear in the console, refresh the console view.
Note that the ISATAP addresses listed in the DNS resource records do not use the dotted decimal format for the last 32 bits of the IPv6 address that you see when using ipconfig to view IP addressing information on the hosts. However, these addresses represent the same information; the only difference is that the last 32 bits are shown in hexadecimal instead of dotted decimal format.
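The addresses this guide tells you to expect in sections B, I and L above are all derived from the lab's IPv4 addressing, and the following added Python example (not part of the guide and not UAG code) shows the derivation so you can check your own lab against it. It verifies that the two external addresses are consecutive public addresses (the condition the wizard enforces), builds the 6to4 prefix and 6to4 address from the first external address, builds an ISATAP address from the ISATAP /64 and a host's IPv4 address, and renders that address both in the dotted-decimal form ipconfig shows and in the all-hexadecimal form the DNS console shows. The ISATAP subnet 2002:836b:2:8000::/64 is the one implied by the guide's expected addresses; UAG chooses that subnet, this code does not.

```python
import ipaddress
from typing import List

# Lab values from the guide: UAG1's two consecutive public addresses on the
# Internet interface and the ISATAP /64 implied by the expected addresses.
FIRST_EXTERNAL = "131.107.0.2"
SECOND_EXTERNAL = "131.107.0.3"
ISATAP_SUBNET = "2002:836b:2:8000::/64"


def check_external_addresses(first: str, second: str, mask: str = "255.255.255.0") -> List[str]:
    """Return the problems the UAG wizard would object to; an empty list means OK.

    Teredo needs two consecutive public IPv4 addresses in one subnet on the
    external interface; private (RFC 1918) addresses are rejected.
    """
    a, b = ipaddress.IPv4Address(first), ipaddress.IPv4Address(second)
    problems = []
    for addr in (a, b):
        if not addr.is_global:
            problems.append(f"{addr} is not a public (globally routable) address")
    if int(b) != int(a) + 1:
        problems.append(f"{second} does not immediately follow {first}")
    net = ipaddress.IPv4Network(f"{a}/{mask}", strict=False)
    if b not in net:
        problems.append(f"{first} and {second} are not both in {net}")
    return problems


def sixto4_prefix(public_ipv4: str) -> ipaddress.IPv6Network:
    """6to4 prefix 2002:WWXX:YYZZ::/48 embedding the public IPv4 address (RFC 3056)."""
    v4 = ipaddress.IPv4Address(public_ipv4)
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def sixto4_address(public_ipv4: str) -> ipaddress.IPv6Address:
    """6to4 address of a router: its /48 prefix with the IPv4 address as interface ID."""
    v4 = ipaddress.IPv4Address(public_ipv4)
    return ipaddress.IPv6Address(int(sixto4_prefix(public_ipv4).network_address) | int(v4))


def isatap_address(subnet: str, host_ipv4: str) -> ipaddress.IPv6Address:
    """ISATAP address: /64 subnet + interface ID ::0:5efe:w.x.y.z (RFC 5214).

    The u bit of the interface ID is set (200:5efe) only when the embedded
    IPv4 address is itself globally unique; the lab hosts use private 10.0.0.x,
    so they get 0:5efe as shown in the guide.
    """
    net = ipaddress.IPv6Network(subnet)
    if net.prefixlen != 64:
        raise ValueError("ISATAP interface IDs are defined for /64 subnets")
    v4 = ipaddress.IPv4Address(host_ipv4)
    iid = ((0x0200 if v4.is_global else 0x0000) << 48) | (0x5EFE << 32) | int(v4)
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def isatap_dotted(addr: ipaddress.IPv6Address) -> str:
    """Render an ISATAP address as ipconfig does: last 32 bits in dotted decimal."""
    groups = [format(int(g, 16), "x") for g in addr.exploded.split(":")]
    embedded = ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
    return ":".join(groups[:6]) + f":{embedded}"


def expected_lab_addresses() -> dict:
    """What ipconfig /all and the DNS console should show for the guide's addressing."""
    uag1_isatap = isatap_address(ISATAP_SUBNET, "10.0.0.2")
    return {
        "external_problems": check_external_addresses(FIRST_EXTERNAL, SECOND_EXTERNAL),
        "6to4_prefix": str(sixto4_prefix(FIRST_EXTERNAL)),
        "6to4_address": str(sixto4_address(FIRST_EXTERNAL)),
        "uag1_isatap_ipconfig": isatap_dotted(uag1_isatap),  # as ipconfig shows it
        "uag1_isatap_dns": str(uag1_isatap),                  # as the DNS console shows it
    }


if __name__ == "__main__":
    for key, value in expected_lab_addresses().items():
        print(f"{key}: {value}")
```

Running it reproduces the guide's values: 6to4 prefix 2002:836b:2::/48, 6to4 address 2002:836b:2::836b:2, and UAG1's ISATAP address as 2002:836b:2:8000:0:5efe:10.0.0.2 in ipconfig form and 2002:836b:2:8000:0:5efe:a00:2 in DNS form. Feeding it 192.168.x.x external addresses returns the "not a public address" problem that corresponds to the wizard's warning.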

M.    Confirm IPv6 Connectivity between DC1/APP1/UAG1

After activating the IPv6 settings on DC1, APP1 and UAG1, test IPv6 connectivity by using the ping utility.
  1. *At DC1, click Start and right click the command prompt icon and click Run as administrator.
  2. In the command prompt window, enter ipconfig /flushdns to remove IPv4 address entries that might already be in the DNS client cache.
  3. In the command prompt window, enter ping UAG1 and press ENTER. You should see the ISATAP address of UAG1 in the reply, which is 2002:836b:2:8000:0:5efe:10.0.0.2.
  4. In the command prompt window, enter ping APP1 and press ENTER. You should see the ISATAP address of APP1 in the reply, which is 2002:836b:2:8000:0:5efe:10.0.0.3. Close the command prompt window.
  5. *At UAG1, use an elevated command prompt window to ping DC1 and APP1, and confirm that the responses are from the ISATAP addresses of those servers. Then close the command prompt window.

5.    STEP5: Configure CLIENT1

CLIENT1 is a computer or virtual machine running Windows 7 that is used to demonstrate how DirectAccess works in a number of scenarios. CLIENT1 is first connected to the corpnet to join the machine to the domain and receive the DirectAccess Group Policy settings. CLIENT1 is later moved to the simulated Internet to test DirectAccess connectivity over 6to4, and then moved behind a NAT device to test both Teredo and IP-HTTPS DirectAccess connectivity.
NOTE:
CLIENT1 is a Windows 7 computer and after installation the default power plan is applied. CLIENT1 may go to sleep before you reach the end of the lab configuration. To prevent this from happening, select the High Performance power plan in the Control Panel.
The following operations configure CLIENT1:

A.     Install the Windows 7 operating system on the CLIENT1 computer or virtual machine
Windows 7 is required for DirectAccess client connectivity. The first step is to install Windows 7 on the DirectAccess computer or virtual machine.

B.     Join CLIENT1 to the CORP domain
DirectAccess supports only domain member client machines for authentication and Group Policy settings assignment. To meet this requirement, join CLIENT1 to the CORP domain.

C.     Add CLIENT1 to the DA_Clients Active Directory Security Group
The DirectAccess client settings are assigned only to members of the security group designated for DirectAccess clients. Place CLIENT1 in the DA_Clients security group so that the Group Policy settings are assigned to CLIENT1.

D.     Test IPv6 Configuration, Confirm Group Policy Settings and Machine Certificate on CLIENT1
Before moving CLIENT1 out of the corpnet and onto the simulated Internet and behind a NAT device, check the IPv6 configuration on CLIENT1, confirm that DirectAccess client Group Policy Settings are enabled on CLIENT1, and that CLIENT1 has the computer certificate required to establish the IPsec connections to the UAG DirectAccess server.

E.      Test Connectivity to a Network Share and Network Location Server
The final check on CLIENT1 before moving it outside the corpnet is to confirm connectivity to a network share on the corpnet and to the Network Location Server. Connectivity to the Network Location Server is required so that the DirectAccess client can determine if it is on-network or off-network.

A.     Install the Operating System on CLIENT1

Windows 7 is required for DirectAccess client connectivity. The first step is to install Windows 7 on the DirectAccess computer or virtual machine.
  1. Connect CLIENT1 to the Corpnet subnet.
  2. Start the installation of Windows 7 Enterprise or Windows 7 Ultimate.
  3. When prompted for a user name, enter User1. When prompted for a computer name, enter CLIENT1.
  4. When prompted for a password, enter a strong password twice.
  5. When prompted for protection settings, click Use recommended settings.
  6. When prompted for your computer's current location, click Work network.

B.     Join CLIENT1 to the CORP Domain

DirectAccess supports only domain member client machines for authentication and Group Policy settings assignment. To meet this requirement, join CLIENT1 to the CORP domain.
  1. At CLIENT1, click Start, right-click Computer, and then click Properties.
  2. Under Computer name, domain, and workgroup settings, click Change settings.
  3. In the System Properties dialog box, click Change.
  4. In the Computer Name/Domain Changes dialog box, click Domain, enter corp.contoso.com, and then click OK.
  5. When prompted for a user name and password, enter the user name and password for the User1 domain account, and then click OK.
  6. When you see a dialog box that welcomes you to the corp.contoso.com domain, click OK.
  7. When you see a dialog box that prompts you to restart the computer, click OK.
  8. In the System Properties dialog box, click Close.
  9. In the dialog box that prompts you to restart the computer, do not click anything and proceed to the following procedure.

C.      Add CLIENT1 to the DA_Clients Security Group

The DirectAccess client settings are assigned only to members of the security group designated for DirectAccess clients. You will place CLIENT1 in the DA_Clients security group so that the Group Policy settings are assigned to CLIENT1.
  1. *On the DC1 computer or virtual machine, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, expand corp.contoso.com, and then click Users.
  3. In the details pane, double-click DA_Clients.
  4. In the DA_Clients Properties dialog box, click the Members tab, and then click Add.
  5. In the Select Users, Contacts, Computers, or Groups dialog box, click Object Types, click Computers, and then click OK.
  6. Under Enter the object names to select (examples), type CLIENT1, and then click OK.
  7. Verify that CLIENT1 is displayed below Members, and then click OK.
  8. Close the Active Directory Users and Computers console.
  9. *On CLIENT1, in the dialog box that prompts you to restart the computer, click Restart Now.
  10. After CLIENT1 has been restarted, click Switch User, then click Other User and log on to the CORP domain with the User1 account.

D.     Test IPv6 Configuration, Confirm Group Policy Settings and Machine Certificate on CLIENT1

Before moving CLIENT1 out of the corpnet and onto the simulated Internet and behind a NAT device on the Internet, check the IPv6 configuration on CLIENT1, confirm that DirectAccess client Group Policy Settings are enabled on CLIENT1, and that CLIENT1 has the computer certificate required to establish the IPsec connections to the UAG DirectAccess server.
  1. On the CLIENT1 computer or virtual machine, click Start and then click All Programs. Click Accessories and then right-click Command Prompt. Click Run as administrator. Click Yes in the UAC dialog box.
  2. In the command prompt window, enter ping dc1 and press ENTER. Confirm that the reply comes from an IPv6 ISATAP address, 2002:836b:2:8000:0:5efe:10.0.0.1.
  3. Ping APP1 and UAG1 to confirm that both these machines reply with IPv6 ISATAP addresses, 2002:836b:2:8000:0:5efe:10.0.0.3 and 2002:836b:2:8000:0:5efe:10.0.0.2.
  4. In the command prompt window, enter netsh namespace show policy and press ENTER. This command shows the DNS Name Resolution Policy Table (NRPT) settings, which were provided to CLIENT1 via Group Policy. For more information about DirectAccess and the NRPT, please see http://technet.microsoft.com/en-us/library/dd637795(WS.10).aspx
  5. In the command prompt window, enter netsh namespace show effectivepolicy and press ENTER. This command shows the current DNS name resolution policy table settings and indicates that the client is in the corporate network and DirectAccess settings are turned off.
  6. In the command prompt window, enter certutil -store my and press ENTER. The output will display information about the certificate installed on CLIENT1. The subject name on the certificate should be CN=CLIENT1.corp.contoso.com and the certificate template name (certificate type) should be Machine, Computer. This machine certificate was assigned using Group Policy autoenrollment and will be used to create the IPsec tunnels between CLIENT1 and UAG1 when CLIENT1 leaves the corporate network.
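The checks in steps 2 through 6 above can be run together from an elevated PowerShell prompt on CLIENT1 while it is still on the corpnet. This is an added example, not part of the original guide; it assumes Windows 7 with PowerShell 2.0, English ping and netsh output, and the lab addresses, certificate subject and template name used in this guide.

```powershell
# Added example (not from the original guide). Run as administrator on CLIENT1 while on the corpnet.
# Expected ISATAP replies, constructed from the addresses given in Step D.
$ExpectedIsatap = @{
    'dc1'  = '2002:836b:2:8000:0:5efe:10.0.0.1'
    'app1' = '2002:836b:2:8000:0:5efe:10.0.0.3'
    'uag1' = '2002:836b:2:8000:0:5efe:10.0.0.2'
}

function Get-PingReplyAddress {
    # Pings once over IPv6 and returns the address in the first "Reply from <addr>:" line
    # (English ping output assumed). Returns $null when there is no reply.
    param([string]$Target)
    $out = ping -6 -n 1 $Target 2>&1 | Out-String
    if ($out -match 'Reply from ([0-9a-fA-F:.]+):\s') { $matches[1] } else { $null }
}

function Test-IsatapReachability {
    # Step D.2/D.3: every server must answer from its ISATAP address. A reply from some other
    # address usually means the name resolved to IPv4 (ISATAP record or DNS global query block
    # list problem); no reply usually means ICMPv6 echo is blocked or the host is down.
    param([hashtable]$Expected)
    foreach ($name in $Expected.Keys) {
        $actual = Get-PingReplyAddress $name
        New-Object PSObject -Property @{
            Host = $name; Expected = $Expected[$name]; Actual = $actual
            Ok = ($actual -eq $Expected[$name])
        }
    }
}

function Test-NrptDelivered {
    # Step D.4/D.5: the NRPT rule for the namespace must have arrived via Group Policy, and while
    # the client is inside the corpnet the effective policy reports the settings as turned off.
    param([string]$Namespace = '.corp.contoso.com')
    $policy    = netsh namespace show policy | Out-String
    $effective = netsh namespace show effectivepolicy | Out-String
    New-Object PSObject -Property @{
        RuleDelivered = ($policy -match [regex]::Escape($Namespace))
        InsideCorpnet = ($effective -match 'turned off')   # wording assumed from the Windows 7 output
    }
}

function Get-DaMachineCertificate {
    # Step D.6: find the autoenrolled computer certificate by subject and read the template name
    # from the "Certificate Template Name" extension (OID 1.3.6.1.4.1.311.20.2, used by v1 templates).
    param([string]$Subject = 'CN=CLIENT1.corp.contoso.com')
    foreach ($cert in (Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $Subject })) {
        $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' }
        $template = '<none>'
        if ($ext) { $template = $ext.Format($false).Trim() }
        New-Object PSObject -Property @{
            Subject = $cert.Subject; Template = $template
            HasPrivateKey = $cert.HasPrivateKey; NotAfter = $cert.NotAfter
            IsMachineTemplate = ($template -eq 'Machine')
        }
    }
}

Test-IsatapReachability $ExpectedIsatap | Format-Table Host, Expected, Actual, Ok -AutoSize
Test-NrptDelivered | Format-List
Get-DaMachineCertificate | Format-List
```

If Get-DaMachineCertificate returns nothing, run gpupdate /force and certutil -pulse to trigger autoenrollment before moving CLIENT1 off the corpnet.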

E.      Test Connectivity to a Network Share and the Network Location Server

The final check on CLIENT1 before moving it outside the corpnet is to confirm connectivity to a network share on the corpnet and to the Network Location Server. Connectivity to the Network Location Server is required so that the DirectAccess client can determine if it is on or off the corporate network.
  1. On CLIENT1, from the taskbar, click the Internet Explorer icon.
  2. In the Welcome to Internet Explorer 8 window, click Next. In the Turn on Suggested Sites window, click No, don’t turn on, and then click Next. In the Choose your settings dialog box, click Use express settings, and then click Finish.
  3. In the Toolbar, click Tools, and then click Internet Options. For Home page, click Use blank, and then click OK.
  4. In the Address bar, enter https://nls.corp.contoso.com/, and then press ENTER. You should see the default IIS 7 Web page on APP1.
  5. Close the Internet Explorer window.
  6. Click Start, enter \\DC1\Files, and then press ENTER.
  7. You should see a folder window with the contents of the Files file share.
  8. In the Files folder window, double-click the Example.txt file. You should see the contents of the Example.txt file. Close the example.txt - Notepad and the Files folder windows.

6.    STEP 6: Configure INET1

INET1 provides simulated Internet DNS and DHCP services to CLIENT1 when CLIENT1 is connected to the simulated Internet. CLIENT1, when connected to the simulated Internet needs to be able to resolve the public name of the UAG DirectAccess computer (uag1.contoso.com) to connect using the 6to4 IPv6 transition technology. INET1 also hosts a DHCP server to assign CLIENT1 a public IP address.
The following operations configure INET1 to perform these duties:

A.     Install the Windows Server 2008 R2 operating system on INET1
The first step is to install the operating system on the INET1 computer or virtual machine. In the lab, we use Windows Server 2008 R2. This is not a requirement for the DirectAccess solution, since in a production environment any OS might be used to provide DNS and DHCP services to the Internet-based DirectAccess client.

B.     Configure the TCP/IP Properties on INET1
Assign a public IP address to the INET1 computer or virtual machine’s interface.

C.     Rename the computer on INET1
Rename the computer from the default name provided by the OS installer to INET1.

D.     Install and Configure the DNS Server Role on INET1
The DNS server role is installed on INET1 so that the Internet connected DirectAccess client can resolve the name of the UAG DirectAccess server and establish a 6to4 connection to the resolved IP address.

E.      Install the DHCP server role on INET1
The DHCP server role is installed on INET1 so that the DirectAccess client can obtain a public IP address automatically after being connected to the Internet subnet or virtual switch.

A.     Install the Operating System

The first step is to install the operating system on INET1. In the lab environment, we use Windows Server 2008 R2. This is not a requirement for the DirectAccess solution, since in a production environment any OS might be used to provide DNS and DHCP services to the Internet-based DirectAccess client.
  1. At INET1, start the installation of Windows Server 2008 R2.
  2. Follow the instructions to complete the installation, specifying a strong password for the local Administrator account. Log on using the local Administrator account.
  3. Connect the network adapter to the Internet subnet or virtual switch.

B.     Configure TCP/IP Properties on INET1

Assign a public IP address to the INET1 computer or virtual machine’s interface.
  1. At INET1, in Initial Configuration Tasks, click Configure networking.
  2. In the Network Connections window, right-click Local Area Connection, and then click Properties.
  3. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
  4. Select Use the following IP address. In IP address, enter 131.107.0.1. In Subnet mask, enter 255.255.255.0.
  5. Click Advanced, and then click the DNS tab.
  6. In DNS suffix for this connection, enter isp.example.com, and then click OK.
  7. Click OK, and then click Close to close the Local Area Connection Properties dialog box.
  8. Close the Network Connections window.
  9. Click Start, right-click Network, and then click Properties.
  10. In the Network and Sharing Center window, click Change advanced sharing settings.
  11. In the Advanced sharing settings window, click Turn on file and printer sharing, and then click Save changes. (Note: this is done so that inbound ICMP ping requests and outbound responses are allowed for INET1 to test connectivity. It is not required by the DirectAccess solution itself).
  12. Close the Network and Sharing Center window.

C.      Rename the Computer on INET1

Rename the computer from the default name provided by the OS installer to INET1.
  1. At INET1, in Initial Configuration Tasks, click Provide Computer Name and Domain.
  2. In the System Properties dialog box, on the Computer Name tab, click Change.
  3. In Computer Name, type INET1.
  4. Click OK.
  5. When you are prompted that you must restart the computer, click OK.
  6. On the System Properties dialog box, click Close.
  7. When you are prompted to restart the computer, click Restart Now.
  8. After the computer has restarted, log on with the local Administrator account.

D.     Install and Configure the DNS Server Role on INET1

The DNS server role is installed on INET1 so that the Internet connected DirectAccess client can resolve the name of the UAG DirectAccess server to create the 6to4 connection.
  1. At INET1, in the Initial Configuration Tasks window, click the Add Roles link. Click Next on the Before You Begin page.
  2. On the Select Server Roles page, select the DNS Server checkbox, and then click Next.
  3. Click Next twice and then click Install.
  4. Verify that the installation was successful, and then click Close.
  5. Click Start, point to Administrative Tools, and then click DNS.
  6. In the console tree of DNS Manager, expand INET1.
  7. Click Forward Lookup Zones, right-click Forward Lookup Zones, click New Zone, and then click Next.
  8. On the Zone Type page, click Next.
  9. On the Zone Name page, enter isp.example.com, and then click Next.
  10. On the Zone File page, click Next.
  11. On the Dynamic Update page, click Next, and then click Finish.
  12. In the console tree, expand Forward Lookup Zones, right-click isp.example.com, and then click New Host (A or AAAA).
  13. In Name, type INET1. In IP address, enter 131.107.0.1. Click Add Host.
  14. Click OK, and then click Done.
  15. In the console tree, right-click Forward Lookup Zones, click New Zone, and then click Next.
  16. On the Zone Type page, click Next.
  17. On the Zone Name page, enter contoso.com, and then click Next.
  18. On the Zone File page, click Next.
  19. On the Dynamic Update page, click Next, and then click Finish.
  20. In the console tree, right-click contoso.com, and then click New Host (A or AAAA).
  21. In Name, enter uag1. In IP address, type 131.107.0.2.
  22. Click Add Host. Click OK, and then click Done.
  23. Close the DNS console.

E.      Install the DHCP Server Role on INET1

The DHCP server role is installed on INET1 so that the DirectAccess client can obtain a public IP address automatically after being connected to the Internet subnet or virtual switch.
  1. On INET1, in the Initial Configuration Tasks window, click the Add roles link.
  2. On the Before You Begin page, click Next.
  3. On the Select Server Roles page, select the DHCP Server check box, and then click Next twice.
  4. On the Select Network Connection Bindings page, verify that 131.107.0.1 is selected, and then click Next.
  5. On the Specify IPv4 DNS Server Settings page, verify that isp.example.com is listed under Parent domain.
  6. Type 131.107.0.1 under Preferred DNS server IP address, and click Validate. Verify that the result returned is Valid, and then click Next.
  7. On the Specify IPv4 WINS Server Settings page, accept the default setting of WINS is not required on this network, and then click Next.
  8. On the Add or Edit DHCP Scopes page, click Add.
  9. In the Add Scope dialog box, enter Internet next to Scope Name. Next to Starting IP Address, enter 131.107.0.100, next to Ending IP Address, enter 131.107.0.150, and next to Subnet Mask, enter 255.255.255.0.
  10. Select the Activate this scope check box, click OK, and then click Next.
  11. On the Configure DHCPv6 Stateless Mode page, select Disable DHCPv6 stateless mode for this server, and then click Next.
  12. On the Confirm Installation Selections page, click Install.
  13. Verify that the installation was successful, and then click Close.

7.    STEP7: Configure NAT1

NAT1 is a Windows 7 computer configured as a NAT device that separates a private network from the Internet. The built-in Internet Connection Service (ICS) is used to provide the NAT server functionality. ICS includes DHCP server-like functionality and automatically assigns IP addressing information to clients located behind the NAT1 ICS NAT device. NAT1 has two network interfaces – one connected to the simulated Internet and one connected to a Homenet subnet.
NOTE:
NAT1 is a Windows 7 computer and after installation the default power plan is applied. NAT1 may go to sleep before you reach the end of the lab configuration. You can prevent this from happening by selecting the High Performance power plan in the Control Panel.
Perform the following operations to configure NAT1 as a NAT device:

A.     Install the operating system on NAT1
The first step is to install the Windows 7 operating system. Note that this is not a requirement; you can use any NAT device to simulate NAT device functionality.

B.     Rename the interfaces on NAT1
Rename the network interfaces in the Network Connections window to make them easier to identify. Note that this is not required, but makes applying the correct settings on the appropriate interface easier.

C.     Disable 6to4 functionality on NAT1
Disable 6to4 functionality on NAT1. If you do not disable 6to4 on NAT1, it will act as a 6to4 router and issue a 6to4 IPv6 address to CLIENT1 when it is connected to the Homenet subnet. This will prevent CLIENT1 from acting as a Teredo or IP-HTTPS DirectAccess client.

D.     Configure ICS on the External Interface of NAT1
Internet Connection Services enable NAT1 to act as a NAT device and DHCP server for clients located behind NAT1. This enables CLIENT1 to automatically obtain IP addressing information and connect to the simulated Internet when connected to the Homenet subnet behind NAT1.

A.     Install the OS on NAT1

The first step is to install the Windows 7 operating system. Note that this is not a requirement; you can use any NAT device to simulate NAT device functionality.
  1. At NAT1, connect one network adapter to the Internet subnet or virtual switch, and the other to the Homenet subnet or virtual switch.
  2. Start the installation of Windows 7 Enterprise Edition, or Windows 7 Ultimate Edition.
  3. When prompted for a user name, enter User1. When prompted for a computer name, enter NAT1.
  4. When prompted for a password, enter a strong password twice.
  5. If prompted for a Password Hint, enter a password hint.
  6. When prompted for protection settings, click Use recommended settings.
  7. When prompted for your computer's current location, click Public network.

B.     Rename the Network Interfaces on NAT1

In this step you rename the network interfaces in the Network Connections window to make them easier to identify. Note that this is not required, but makes applying the correct settings on the appropriate interface easier.
  1. Click Start, and then click Control Panel.
  2. Under Network and Internet, click View status and tasks, and then click Change adapter settings.
  3. In the Network Connections window, right-click the network connection that is connected to the Homenet subnet, and then click Rename.
  4. Enter Homenet, and then press ENTER.
  5. In the Network Connections window, right-click the network connection that is connected to the Internet subnet, and then click Rename.
  6. Enter Internet, and then press ENTER.
  7. Leave the Network Connections window open for the next procedure.
  8. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
  9. To check network communication between NAT1 and INET1, in the command window, type ping inet1.isp.example.com, and then press ENTER.
  10. Verify that there are four responses from 131.107.0.1.

C.      Disable 6to4 on NAT1

In the lab environment we use a Windows 7 computer to simulate a NAT device located in a remote location. One issue with Windows 7 when configured as an Internet Connection Service server is that it can act as a 6to4 router. When this is the case, it will assign the CLIENT1 computer behind the NAT1 ICS computer a 6to4 address and prevent it from acting as a Teredo and IP-HTTPS client. In order to demonstrate both Teredo and IP-HTTPS functionality, 6to4 functionality on the NAT1 is disabled.
  1. In an elevated command prompt window, enter netsh interface 6to4 set state state=disabled, and then press ENTER. An Ok response is returned after the command completes.
  2. Close the command window.

D.     Configure ICS on the External Interface of NAT1

Internet Connection Services enable NAT1 to act as a NAT device and DHCP server for clients located behind NAT1. This enables CLIENT1 to automatically obtain IP addressing information and connect to the simulated Internet when connected to the Homenet subnet behind NAT1.
  1. At NAT1, in the Network Connections window, right-click Internet, and then click Properties.
  2. Click the Sharing tab, select Allow other network users to connect through this computer’s Internet connection, and then click OK.
  3. Right-click the Homenet interface on NAT1 and click Status.
  4. In the Local Area Connection Status dialog box, on the General tab, click the Details button.
  5. In the Network Connection Details dialog box, notice that the internal interface has been assigned an IP address and subnet mask by the Internet Connection Service, using a network ID of 192.168.137.0/24. DHCP clients placed behind NAT1 obtain an IP address on this network ID and DNS server settings from the Internet Connection Services.
  6. Click Close in the Network Connection Details dialog box, and click Close in the Local Area Connection Status dialog box.
  7. Close the Network Connections window.

8.    STEP 8: Test DirectAccess Connectivity from the Internet

CLIENT1 is now ready for DirectAccess testing. In the first set of tests, you connect CLIENT1 to the simulated Internet. When connected to the simulated Internet, CLIENT1 is assigned a public IP address. When a DirectAccess client is assigned a public IP address, it will try to establish a connection to the DirectAccess server using an IPv6 6to4 connection over its 6to4 tunnel adapter. After connecting to the simulated Internet and establishing the DirectAccess connection, you perform a number of tests to confirm IPv6 connectivity and connectivity to corpnet assets from over the simulated Internet.
  1. On CLIENT1, log off from CLIENT1. Log on as CORP\User1.
  2. Unplug CLIENT1 from the corpnet switch and connect it to the Internet switch.
  3. Open an elevated command prompt. In the command prompt window, enter ipconfig /all and press ENTER.
  4. Examine the output from the ipconfig command. CLIENT1 is now connected to the Internet and has a public IP address. When the DirectAccess client has a public IP address, it will use the 6to4 IPv6 transition technology to tunnel the IPv6 messages over the IPv4 Internet between the DirectAccess client and UAG DirectAccess server. Look at the information in the Tunnel adapter 6TO4 Adapter section. You see a tunnel adapter address that begins with 2002:836b, which is a globally routable address. You will also see a default gateway, which is the first of the two consecutive IPv6 6to4 IP addresses assigned to the UAG DirectAccess server. This address should be 2002:836b:2::836b:2. Note the DNS server entry in this section. This is the DNS server that is used to access any resource other than what is accessible over the DirectAccess connection.
  5. In the command prompt window, enter ipconfig /flushdns and press ENTER. This flushes name resolution entries that may still exist in the client DNS cache from when CLIENT1 was connected to the corpnet.
  6. In the command prompt window, enter ping dc1 and press ENTER. You should see replies from the ISATAP address assigned to DC1, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.1.
  7. In the command prompt window, enter ping app1 and press ENTER. You should see replies from the ISATAP address assigned to APP1, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.3.
  8. In the command prompt window, enter ping uag1 and press ENTER. You should see replies from the ISATAP address assigned to UAG1, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.2.
  9. In the command prompt window, enter ping app3 and press ENTER. You should see replies from the NAT64 address assigned by UAG1 to APP3, which in this case is 2002:836b:2:8001::a00:4. The ability to ping APP3 is important, because success indicates that you were able to establish a connection using NAT64/DNS64, as APP3 is an IPv4 only resource.
  10. In the command prompt window, enter netsh namespace show effectivepolicy and press ENTER. The output shows the current settings for the Name Resolution Policy Table (NRPT). These settings indicate that all connections to .corp.contoso.com should be resolved by the DirectAccess DNS Server, which is the UAG DirectAccess server, with the IPv6 address of 2002:836b:3::836b:3. Also, note the NRPT entry indicating that there is an exemption for the name nls.corp.contoso.com; names on the exemption list are not answered by the DirectAccess DNS server. You can ping the DirectAccess DNS server IP address to confirm connectivity to the DirectAccess server; for example, you can ping 2002:836b:3::836b:3 in this example.
  11. Click the Internet Explorer icon, click the Tools menu and click Internet Options. In the Internet Options dialog box, on the General tab, click the Use Blank button to set the default Web page as blank. Close the Internet Explorer window.
  12. In the Internet Explorer address bar, enter http://app1.corp.contoso.com and press ENTER. You will see the default IIS site on APP1.
  13. In the Internet Explorer address bar, enter http://app3.corp.contoso.com and press ENTER. You will see the default web site on APP3.
  14. Click Start and in the Search box, enter \\App3\Files and press ENTER. Double-click the New Text Document file. This demonstrates that you were able to connect to an IPv4 only server using SMB to obtain a resource in the resource domain.
  15. Click Start and in the Search box, enter Firewall and press ENTER.
  16. In the Windows Firewall with Advanced Security console, notice that only the Public Profile is active. The Windows Firewall must be enabled for DirectAccess to work correctly. If for some reason the Windows Firewall were disabled, DirectAccess connectivity would fail.
  17. Expand the Monitoring node in the left pane of the console and click the Connection Security Rules node. You should see the active connection security rules: UAG DirectAccess Client – Client Access Enabling Tunnel – All, UAG DirectAccess Client – Clients Corp Tunnel and UAG DirectAccess Client – Exempt NLA. Scroll the middle pane to the right to expose the 1st Authentication Methods and 2nd Authentication Methods columns. Notice that the first rule uses NTLMv2 to establish the infrastructure tunnel and the second rule uses Kerberos V5 to establish the intranet tunnel. The second tunnel is required to connect to APP1 and APP3, since they are not on the management servers list.
  18. In the left pane of the console, expand the Security Associations node and click the Main Mode node. Notice the infrastructure tunnel security associations using NTLMv2 and the intranet tunnel security association using Kerberos V5. Right-click the entry that shows User (Kerberos V5) as the 2nd Authentication Method and click Properties. On the General tab, notice the Second authentication Local ID is CORP\User1, indicating that User1 was able to successfully authenticate to the CORP domain using Kerberos.
  19. Click Start and right click on Computer and click Properties. Click the Remote Settings link in the left pane of the console. On the Remote tab, in the Remote Desktop section, select the Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure) and click OK. This enables Remote Desktop Connections from Windows Vista and above and Windows 2008 and above computers for remote management. We will use this feature to test the ability to remotely manage DirectAccess clients from management servers on the corpnet.
  20. *Move to the DC2 computer or virtual machine. Click Start and enter mstsc and press ENTER. In the Remote Desktop Connection dialog box, in the Computer text box, enter client1.corp.contoso.com and click Connect. In the Windows Security dialog box, select Use another account. In the User name text box enter CORP\User1 and enter User1’s password and click OK. The Remote Desktop Session is successfully established. Note that when you connect from an infrastructure server, you can establish the connection even before the user logs in, increasing your ability to manage DirectAccess client machines on the Internet.

    NOTE: You are able to “manage out” CLIENT1 without creating special Firewall Rules because it is acting as a 6to4 IPv6 host. In order to remotely manage Teredo and IP-HTTPS DirectAccess clients, you will need to configure special Firewall Rules that enable inbound access for the protocol or service and enable “edge traversal” for that Firewall Rule. This configuration is covered later in this lab.
  21. Close the Remote Desktop Connection window. Click OK in the Remote Desktop Connection dialog box that informs you that this will disconnect your session.
  22. *Return to CLIENT1. Log on as CORP\User1.
  23. Close the System Control Panel window and the Windows Firewall with Advanced Security console. Close all other open windows before moving to the next step.
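The connectivity checks in steps 3 through 10 above, and the same checks repeated behind the NAT device in Step 9, can be run as one script from an elevated PowerShell prompt on CLIENT1. This is an added example, not part of the original guide; it assumes Windows 7 with PowerShell 2.0, English netsh and ping output, the Windows 7 adapter name 6TO4 Adapter, the netsh status wording quoted in the comments, and the lab addresses used in Steps 8 and 9.

```powershell
# Added example (not from the original guide). Run as administrator on CLIENT1 after moving it to
# the Internet switch (6to4) or the Homenet switch behind NAT1 (Teredo or IP-HTTPS).
# Expected replies, constructed from the addresses in Steps 8 and 9.
$ExpectedReplies = @{
    'dc1'  = '2002:836b:2:8000:0:5efe:10.0.0.1'   # ISATAP address of DC1
    'app1' = '2002:836b:2:8000:0:5efe:10.0.0.3'   # ISATAP address of APP1
    'uag1' = '2002:836b:2:8000:0:5efe:10.0.0.2'   # ISATAP address of UAG1
    'app3' = '2002:836b:2:8001::a00:4'            # NAT64 address UAG1 hands out for the IPv4-only APP3
}
$DaDnsServer = '2002:836b:3::836b:3'   # DirectAccess DNS server address listed in the NRPT

function Get-Ipv6Addresses {
    # Parses "netsh interface ipv6 show addresses" into adapter/address pairs.
    $adapter = $null
    foreach ($line in (netsh interface ipv6 show addresses)) {
        if ($line -match '^Interface \d+: (.+)$') { $adapter = $matches[1].Trim(); continue }
        if ($adapter -and $line -match '\s([0-9a-fA-F]+:[0-9a-fA-F:.%]+)\s*$') {
            New-Object PSObject -Property @{ Adapter = $adapter; Address = $matches[1] }
        }
    }
}

function Get-DaTransitionTechnology {
    # Preference order matches the client: 6to4 with a public IPv4 address, Teredo behind a NAT
    # that allows outbound UDP 3544, IP-HTTPS over TCP 443 as the last resort.
    $sixToFour = Get-Ipv6Addresses | Where-Object { $_.Adapter -match '6TO4' -and $_.Address -like '2002:*' }
    $teredo    = (netsh interface teredo show state | Out-String) -match 'qualified'          # "State : qualified" assumed
    $ipHttps   = (netsh interface httpstunnel show interfaces | Out-String) -match 'interface active'  # wording assumed
    if ($sixToFour) { '6to4' } elseif ($teredo) { 'Teredo' } elseif ($ipHttps) { 'IP-HTTPS' } else { 'none' }
}

function Get-PingReplyAddress {
    # Pings once over IPv6 and returns the address in the first "Reply from <addr>:" line.
    param([string]$Target)
    $out = ping -6 -n 1 $Target 2>&1 | Out-String
    if ($out -match 'Reply from ([0-9a-fA-F:.]+):\s') { $matches[1] } else { $null }
}

function Test-DaConnectivity {
    # Flush the resolver cache first (step 5) so stale corpnet answers do not mask an NRPT or
    # DNS64 problem; a wrong Actual address for app3 points at NAT64/DNS64, a wrong one for the
    # ISATAP hosts at the NRPT or the DirectAccess DNS server.
    ipconfig /flushdns | Out-Null
    foreach ($name in $ExpectedReplies.Keys) {
        $actual = Get-PingReplyAddress $name
        New-Object PSObject -Property @{
            Host = $name; Expected = $ExpectedReplies[$name]; Actual = $actual
            Ok = ($actual -eq $ExpectedReplies[$name])
        }
    }
}

function Test-DaDnsServer {
    # Step 10: the DirectAccess DNS server must appear in the effective NRPT and answer pings,
    # and the NLS name must be listed as an exemption so it is never sent over the tunnel.
    $nrpt = netsh namespace show effectivepolicy | Out-String
    New-Object PSObject -Property @{
        ListedInNrpt  = ($nrpt -match [regex]::Escape($DaDnsServer))
        NlsExempted   = ($nrpt -match 'nls\.corp\.contoso\.com')
        Reachable     = ((Get-PingReplyAddress $DaDnsServer) -eq $DaDnsServer)
    }
}

'Transition technology in use: ' + (Get-DaTransitionTechnology)
Test-DaConnectivity | Format-Table Host, Expected, Actual, Ok -AutoSize
Test-DaDnsServer | Format-List
```

Run the script once on the Internet switch and again on the Homenet switch before and after disabling Teredo; the first line should read 6to4, Teredo and IP-HTTPS respectively while the reply table stays the same.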

9.    STEP 9: Test DirectAccess Connectivity from Behind a NAT Device

When a DirectAccess client is connected to the Internet from behind a NAT device or a Web proxy server, the DirectAccess client uses either Teredo or IP-HTTPS to connect to the DirectAccess server. If the NAT device enables outbound UDP port 3544 to the DirectAccess server's public IP address, then Teredo is used. If Teredo access is not available, the DirectAccess client falls back to IP-HTTPS over outbound TCP port 443, which enables access through firewalls or Web proxy servers over the traditional SSL port. Teredo is the preferred access method, because of its superior performance over IP-HTTPS. In addition, if the web proxy requires authentication, the IP-HTTPS connection will fail. IP-HTTPS connections also fail if the web proxy performs outbound SSL inspection, because the HTTPS session is then terminated at the web proxy instead of the UAG DirectAccess server. In this section you will perform the same tests performed when connecting using a 6to4 connection in the previous section.
The following procedures are performed on CLIENT1:

A.     Test Teredo Connectivity. The first set of tests is performed when the DirectAccess client is configured to use Teredo. This is the automatic setting when the NAT device allows outbound access to UDP port 3544.

B.     Test IP-HTTPS Connectivity. The second set of tests is performed when the DirectAccess client is configured to use IP-HTTPS. In order to demonstrate IP-HTTPS connectivity, Teredo is disabled on CLIENT1.

A.     Testing Teredo Connectivity

The DirectAccess client can use either Teredo or IP-HTTPS when connecting to the DirectAccess server from behind a NAT device. You will first examine the settings and test connectivity using Teredo.
  1. Unplug CLIENT1 from the Internet switch and connect it to the Homenet switch. If asked what type of network the current network is, select Work Network.
  2. Open an elevated command prompt. In the command prompt window, enter ipconfig /all and press ENTER.
  3. Examine the output of the ipconfig command. This computer is now connected to the Internet from behind a NAT device and is assigned a private IPv4 address. When the DirectAccess client is behind a NAT device and assigned a private IPv4 address, the preferred IPv6 transition technology is Teredo. In the output of the ipconfig command, you should see a section for Tunnel adapter Local Area Connection with the description Teredo Tunneling Pseudo-Interface, with an IP address that starts with 2001:, consistent with a Teredo address. You will not see a default gateway listed for the Teredo tunnel adapter.
  4. In the command prompt window, enter ipconfig /flushdns and press ENTER. This will flush name resolution entries that may still exist in the client DNS cache from when CLIENT1 was connected to the Internet.
  5. In the command prompt window, enter ping dc1 and press ENTER. You should see replies from the ISATAP address assigned to DC1, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.1.
  6. In the command prompt window, enter ping app1 and press ENTER. You should see replies from the ISATAP address assigned to APP1, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.3.
  7. In the command prompt window, enter ping uag1 and press ENTER. You should see replies from the ISATAP address assigned to UAG1, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.2.
  8. In the command prompt window, enter ping app3 and press ENTER. You should see replies from the NAT64 address assigned by UAG1 to APP3, which in this case is 2002:836b:2:8001::a00:4.
  9. In the command prompt window, enter netsh namespace show effectivepolicy and press ENTER. The output shows the current settings for the Name Resolution Policy Table (NRPT). These settings indicate that all connections to .corp.contoso.com should be resolved by the DirectAccess DNS Server, which is the UAG DirectAccess server, with the IPv6 address of 2002:836b:3::836b:3. Also, note the NRPT entry indicating that there is an exemption for the name nls.corp.contoso.com; names on the exemption list are not answered by the DirectAccess DNS server. You can ping the DirectAccess DNS server IP address to confirm connectivity to the DirectAccess server; for example, you can ping 2002:836b:3::836b:3 in this example.
  10. In the Internet Explorer address bar, enter http://app1.corp.contoso.com and press ENTER. You will see the default IIS site on APP1.
  11. In the Internet Explorer address bar, enter http://app3.corp.contoso.com and press ENTER. You will see the default web site on APP3.
  12. Click Start and in the Search box, enter \\App3\Files and press ENTER. Double click on the New Text Document file. This demonstrates that you were able to connect to an IPv4 only server using SMB to obtain a resource on an IPv4 only host.
  13. Click Start and in the Search box, enter Firewall and press ENTER.
  14. In the Windows Firewall with Advanced Security console, notice that only the Private profile is active. The Windows Firewall must be enabled for DirectAccess to work correctly. If for some reason the Windows Firewall were disabled, DirectAccess connectivity would fail.
  15. Expand the Monitoring node in the left pane of the console and click the Connection Security Rules node. You should see the active connection security rules: UAG DirectAccess Client – Client Access Enabling Tunnel – All, UAG DirectAccess Client – Clients Corp Tunnel and UAG DirectAccess Client – Exempt NLA. Scroll the middle pane to the right to expose the 1st Authentication Methods and 2nd Authentication Methods columns. Notice that the first rule uses NTLMv2 to establish the infrastructure tunnel and the second rule uses Kerberos V5 to establish the intranet tunnel.
  16. In the left pane of the console, expand the Security Associations node and click the Main Mode node. Notice the infrastructure tunnel security associations using NTLMv2 and the intranet tunnel security association using Kerberos V5. Right click the entry that shows User (Kerberos V5) as the 2nd Authentication Method and click Properties. On the General tab, notice the Second authentication Local ID is CORP\User1, indicating that User1 was able to successfully authenticate to the CORP domain using Kerberos to establish the second tunnel (intranet tunnel).
  17. Close the System Control Panel window and the Windows Firewall with Advanced Security console. Close all other open windows before moving to the next step.

B.     Testing IP-HTTPS Connectivity

When the DirectAccess client is unable to establish a Teredo connection with the DirectAccess server (typically when a firewall or router has blocked outbound UDP port 3544), the DirectAccess client configures itself to use IP-HTTPS to tunnel IPv6 messages over the IPv4 Internet. In the following exercises you confirm that the host is configured as an IP-HTTPS host and check connectivity.
1.      Open an elevated command prompt. In the command prompt window, enter netsh interface teredo set state disabled and press ENTER. This disables Teredo on CLIENT1 and enables CLIENT1 to configure itself to use IP-HTTPS.
2.      Open an elevated command prompt. In the command prompt window, enter ipconfig /all and press ENTER. An Ok response appears when the command completes.
3.      Examine the output of the ipconfig command. This computer is now connected to the Internet from behind a NAT device and is assigned a private IPv4 address. Teredo is disabled and the DirectAccess client falls back to IP-HTTPS. When you look at the output of the ipconfig command, you see a section for Tunnel adapter iphttpsinterface with an IP address that starts with 2002:836b:2 consistent with this being an IP-HTTPS address. You will not see a default gateway listed for the IP-HTTPS tunnel adapter. 
4.      In the command prompt window, enter ipconfig /flushdns and press ENTER. This will flush name resolution entries that may still exist in the client DNS cache from when CLIENT1 was connected to the corpnet.
5.      In the command prompt window, enter ping dc1 and press ENTER. You should see replies from the ISATAP address assigned to DC1, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.1.
6.      In the command prompt window, enter ping app1 and press ENTER. You should see replies from the ISATAP address assigned to APP1, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.3.
7.      In the command prompt window, enter ping uag1 and press ENTER. You should see replies from the ISATAP address assigned to UAG1, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.2.
8.      In the command prompt window, enter ping app3 and press ENTER. You should see replies from the NAT64 address assigned by UAG1 to APP3, which in this case is 2002:836b:2:8001::a00:4.
9.      In the command prompt window, enter netsh namespace show effectivepolicy and press ENTER. The output shows the current settings for the Name Resolution Policy Table (NRPT). These settings indicate that all connections to .corp.contoso.com should be resolved by the DirectAccess DNS Server, which is the UAG DirectAccess server, with the IPv6 address of 2002:836b:3::836b:3. Also, note the NRPT entry indicating that there is an exemption for the name nls.corp.contoso.com; names on the exemption list are not answered by the DirectAccess DNS server. You can ping the DirectAccess DNS server IP address to confirm connectivity to the DirectAccess server; for example, you can ping 2002:836b:3::836b:3 in this example.
10.   In the Internet Explorer address bar, enter http://app1.corp.contoso.com and press ENTER. You will see the default IIS site on APP1.
11.   In the Internet Explorer address bar, enter http://app3.corp.contoso.com and press ENTER. You will see the default web site on APP3.
12.   Click Start and in the Search box, enter \\App3\Files and press ENTER. Double click on the New Text Document file. This demonstrates that you were able to connect to an IPv4 only server using SMB to obtain a resource on an IPv4 only host.
13.   Click Start and in the Search box, enter Firewall and press ENTER.
14.   In the Windows Firewall with Advanced Security console, notice that only the Private profile is active. The Windows Firewall must be enabled for DirectAccess to work correctly. If for some reason the Windows Firewall were disabled, DirectAccess connectivity would fail.
15.   Expand the Monitoring node in the left pane of the console and click the Connection Security Rules node. You should see the active connection security rules: UAG DirectAccess Client – Client Access Enabling Tunnel – All, UAG DirectAccess Client – Clients Corp Tunnel and UAG DirectAccess Client – Exempt NLA. Scroll the middle pane to the right to expose the 1st Authentication Methods and 2nd Authentication Methods columns. Notice that the first rule uses NTLMv2 to establish the infrastructure tunnel and the second rule uses Kerberos V5 to establish the intranet tunnel.
16.   In the left pane of the console, expand the Security Associations node and click the Main Mode node. Notice the infrastructure tunnel security associations using NTLMv2 and the intranet tunnel security association using Kerberos V5. When you right click the Kerberos security association, you will see authentication for CORP\User1. This indicates that the client was able to authenticate with the CORP domain using Kerberos to establish the second (intranet) tunnel.
17.   Close the System Control Panel window and the Windows Firewall with Advanced Security console. Close all other open windows before moving to the next step.
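The two test procedures above (Teredo and IP-HTTPS) repeat the same client-side checks by hand. The script below is an added example, not part of the UAG guide, that runs those checks from an elevated PowerShell prompt on CLIENT1: which transition technology is active, what the NRPT contains, whether the Windows Firewall is on, and whether the corpnet hosts resolve to IPv6 addresses and answer pings. The host names, DNS suffix and DirectAccess DNS server address are the lab's own values from the steps above; the function names are this example's.

```powershell
# Added example (not from the UAG guide): scripted version of the client-side
# DirectAccess checks in the Teredo and IP-HTTPS test procedures.
# Run from an elevated PowerShell prompt on CLIENT1 (PowerShell 2.0 is enough).
# Names and addresses below are the test lab's own values.

$CorpSuffix  = 'corp.contoso.com'
$CorpHosts   = @('dc1', 'app1', 'uag1', 'app3')
$DaDnsServer = '2002:836b:3::836b:3'   # UAG1, as listed by "netsh namespace show effectivepolicy"

function Get-NetshValue {
    # Pull the value of a "Label : value" line out of netsh text output (first match wins).
    param([string[]]$Lines, [string]$Label)
    foreach ($l in $Lines) {
        if ($l -match "^\s*$Label\s*:\s*(.+?)\s*$") { return $Matches[1] }
    }
    return '<not found>'
}

function Get-TransitionState {
    # Behind a NAT the client prefers Teredo; when UDP 3544 is blocked (or Teredo is
    # disabled, as in the IP-HTTPS test) it falls back to IP-HTTPS.
    $teredo  = netsh interface teredo show state
    $iphttps = netsh interface httpstunnel show interfaces
    # Teredo addresses start with 2001:0:, the lab's IP-HTTPS addresses with 2002:836b:2.
    $v6 = ipconfig | Select-String 'IPv6 Address' |
          ForEach-Object { (($_.Line -split ':\s+', 2)[1] -replace '\(.*\)$', '').Trim() } |
          Where-Object { $_ -notmatch '^fe80' }
    New-Object PSObject -Property @{
        TeredoState   = Get-NetshValue $teredo  'State'
        IpHttpsStatus = Get-NetshValue $iphttps 'Interface Status'
        Ipv6Addresses = @($v6)
    }
}

function Test-Nrpt {
    # The NRPT must send *.corp.contoso.com to the DirectAccess DNS server and exempt the NLS name.
    $text = (netsh namespace show effectivepolicy) -join "`n"
    New-Object PSObject -Property @{
        CorpSuffixRule  = ($text -match [regex]::Escape(".$CorpSuffix"))
        DaDnsServerSeen = ($text -match [regex]::Escape($DaDnsServer))
        NlsExemption    = ($text -match [regex]::Escape("nls.$CorpSuffix"))
    }
}

function Test-FirewallOn {
    # The DirectAccess tunnels are IPsec connection security rules enforced by
    # Windows Firewall; with the firewall off, connectivity fails.
    $prof = netsh advfirewall show currentprofile
    return [bool]($prof | Where-Object { $_ -match '^\s*State\s+ON\s*$' })
}

function Test-CorpReachability {
    foreach ($h in $CorpHosts) {
        $fqdn = "$h.$CorpSuffix"
        # Resolution goes through the NRPT, so it should return the ISATAP or NAT64 IPv6 address.
        $v6 = $null
        try {
            $v6 = [System.Net.Dns]::GetHostAddresses($fqdn) |
                  Where-Object { $_.AddressFamily -eq 'InterNetworkV6' } |
                  Select-Object -First 1
        } catch { }
        $ok = $false
        if ($v6) {
            ping -6 -n 2 -w 2000 $fqdn | Out-Null
            $ok = ($LASTEXITCODE -eq 0)
        }
        New-Object PSObject -Property @{ Host = $fqdn; IPv6 = "$v6"; Reachable = $ok }
    }
}

ipconfig /flushdns | Out-Null   # as in the guide: drop entries cached while on the corpnet
Get-TransitionState | Format-List
Test-Nrpt | Format-List
"Windows Firewall enabled on the current profile: $(Test-FirewallOn)"
Test-CorpReachability | Format-Table Host, IPv6, Reachable -AutoSize
```

Run it once after moving CLIENT1 to the Homenet subnet (expect TeredoState to be qualified and a 2001:0: address) and again after `netsh interface teredo set state disabled` (expect the IP-HTTPS interface to be active and a 2002:836b:2 address); the NRPT and reachability results should be the same in both cases.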

10.                    STEP 10: Test Connectivity When Returning to the Corpnet

Many of your users will move between remote locations and the corpnet, so it is important that when they return to the corpnet they are able to access resources without having to make any configuration changes. UAG DirectAccess makes this possible because when the DirectAccess client returns to the corpnet, it is able to make a connection to the Network Location Server. Once the HTTPS connection to the Network Location Server is successfully established, the DirectAccess client disables its DirectAccess client configuration and uses a direct connection to the corpnet.
  1. Shut down CLIENT1 and then unplug CLIENT1 from the Home subnet or virtual switch and connect it to the Homenet subnet or virtual switch. Log on as CORP\User1. If asked what type of network to define the current network as, select Work Network.
  2. Open an elevated command prompt. In the command prompt window, enter ipconfig /all. The output will indicate that CLIENT1 has a local IP address, and that there is no active 6to4, Teredo or IP-HTTPS tunnel.  Note that CLIENT1 has an active ISATAP tunnel adapter.
  3. Test connectivity to the network share on APP3. Click Start and enter \\APP3\Files and press ENTER. You will be able to open the file in that folder.

11.                    STEP 11: Configure UAG2

UAG2 is the second member of a UAG DirectAccess array. When the array is configured, UAG1 is the Array Master and UAG2 is the second member of the array. UAG2 is installed and configured before enabling the array configuration.
Perform the following operations to configure UAG2:

A.     Install the operating system on UAG2.
Install Windows Server 2008 R2 on UAG2 as this is a requirement for installing Forefront UAG 2010.

B.     Configure TCP/IP Properties on UAG2.
After installing the operating system on UAG2, configure static IP addressing information on its internal and external network interface cards.

C.     Rename UAG2 and Join it to the CORP Domain.
UAG2 is renamed and joined to the CORP domain. Domain membership is required for a UAG DirectAccess array.

D.     Import the IP-HTTPS Certificate into the UAG2 machine certificate store.
To accept incoming IP-HTTPS requests, the UAG2 DirectAccess array member requires a copy of the web site certificate used by the IP-HTTPS listener on UAG1 installed in its machine certificate store.

A.     Install the OS on UAG2

The first step is to install Windows Server 2008 R2 Enterprise Edition on UAG2. This is required as Forefront UAG must be installed on Windows Server 2008 R2.
  1. On UAG2, start the installation of Windows Server 2008 R2 Enterprise Edition.
  2. Follow the instructions to complete the installation, specifying Windows Server 2008 R2 Enterprise Edition and a strong password for the local Administrator account. Log on using the local Administrator account.
  3. Connect the network adapter to the Corpnet subnet or the virtual switch representing the corpnet subnet.

B.     Configure TCP/IP Properties on UAG2

After installing the operating system on UAG2, configure its TCP/IP Properties to provide the server an IP address, subnet mask, DNS server address and connection specific suffix. Note that the connection specific suffix is not required for a working DirectAccess solution, but simplifies name resolution prior to completing the DNS infrastructure in the POC lab environment.
  1. At UAG2, in Initial Configuration Tasks, click Configure networking.
  2. In Network Connections, right-click the network connection that is connected to the Corpnet subnet or virtual switch, and then click Rename.
  3. Type Corpnet, and then press ENTER.
  4. Right-click Corpnet, and then click Properties.
  5. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
  6. Select Use the following IP address. In IP address, enter 10.0.0.19. In Subnet mask, type 255.255.255.0.
  7. Select Use the following DNS server addresses. In Preferred DNS server, type 10.0.0.1.
  8. Click Advanced, and then the DNS tab.
  9. In DNS suffix for this connection, type corp.contoso.com, click OK twice, and then click Close. (A connection specific DNS suffix is not required for DirectAccess to work correctly).
  10. In the Network Connections window, right-click the network connection that is connected to the Internet subnet, and then click Rename.
  11. Enter Internet, and then press ENTER.
  12. Right-click Internet, and then click Properties.
  13. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
  14. Select Use the following IP address. In IP address, enter 131.107.0.19. In Subnet mask, enter 255.255.255.0.
  15. Click Advanced then click the DNS tab.
  16. In DNS suffix for this connection, type isp.example.com, and then click OK twice and then click Close. (A connection specific DNS suffix is not required for DirectAccess to work correctly).
  17. Close the Network Connections window.
  18. To check network communication between UAG2 and DC1, click Start, click All Programs, click Accessories, and then click Command Prompt.
  19. In the command window, type ping dc1.corp.contoso.com and press ENTER. Verify that there are four responses from 10.0.0.1.
  20. Close the command window.

C.      Rename the UAG2 Computer or Virtual Machine and Join the corp.contoso.com Domain

The installation routine created a default computer name. Change the computer name from its default to UAG2.
  1. On UAG2, in Initial Configuration Tasks, click Provide computer name and domain.
  2. In the System Properties dialog box, click Change. In the Computer Name/Domain Change dialog box, in the Computer name text box, enter UAG2. In the Member of frame, select the Domain option, and enter corp.contoso.com in the text box. Click OK.
  3. In the Computer Name/Domain Changes dialog box, enter CORP\User1 in the User name text box and the password in the Password text box. Click OK.
  4. After restarting, log on using the local administrator account.

D.     Install the IP-HTTPS Certificate on UAG2 Computer

UAG2 will be joined to a UAG array with UAG1. In order to accept IP-HTTPS connections while part of the UAG DirectAccess array, UAG2 needs to use the same certificate for the IP-HTTPS listener as that used by UAG1. To do this, the IP-HTTPS certificate must be exported (with its private key) from UAG1 and imported into the machine certificate store on UAG2. The procedure starts out on UAG1, where the certificate export takes place.
  1. *On UAG1, click Start and enter mmc into the search box. Click Yes in the UAC dialog box.
  2. In the mmc console, click File and click Add/Remove Snap-in.
  3. In the Add or Remove Snap-ins dialog box, click Certificates and click Add.
  4. On the Certificates snap-in page, select Computer account and click Finish.
  5. On the Select Computer page, select Local computer and click Finish.
  6. Click OK in the Add or Remove Snap-ins dialog box.
  7. In the left pane of the console, navigate to Certificates (Local Computer)\Personal\Certificates. Right click the uag1.contoso.com certificate, point to All Tasks and click Export.
  8. On the Welcome to the Certificate Export Wizard page, click Next.
  9. On the Export Private Key page, select Yes, export the private key and click Next.
  10. On the Export File Format page, ensure that the Personal Information Exchange – PKCS #12 (.PFX) format is selected. Click Next.
  11. On the Password page, enter a password in the Password text box and confirm the password. Click Next.
  12. On the File to Export page, name the file IPHTTPSCert and save it to the desktop. Click Next.
  13. On the Completing the Certificate Export Wizard page, click Finish.
  14. In the Certificate Export Wizard dialog box, click OK.

12.                    STEP 12: Create the Networked Load Balanced UAG DirectAccess Array

Forefront UAG enables you to create arrays of DirectAccess servers. An array acts as a single logical server and provides centralized configuration and management for up to 8 UAG DirectAccess members in a single array. UAG DirectAccess arrays also support Network Load Balancing (NLB), which provides high availability and load balancing of connections to the UAG DirectAccess array.
The following procedures enable you to create and test a UAG DirectAccess array:

A.     Update ISATAP records in the DNS server to include future VIPs and DIPs. ISATAP-enabled hosts on the corporate network use the UAG server or array to receive configuration and routing information. Each member of the array can answer requests from ISATAP hosts from an internal Dedicated IP Address (DIP) or Virtual IP Address (VIP). In this step DNS is updated with the new IP addresses for the ISATAP servers in the array.

B.     Change the Single Server IP addressing configuration on UAG1.  The IP addressing on UAG1 is changed to support the new IP addressing used for the array. The IP addressing changes are done in a way that creates minimum disruption to the DirectAccess configuration and does not require the DirectAccess client to receive new Group Policy settings to connect to the array.

C.     Change the UAG1 Single Server Configuration to an Array Manager. UAG1 was originally installed in single server mode. This step includes procedures that change UAG1 from single server mode to an Array Manager in a UAG DirectAccess array.

D.     Configure UAG2 as a New Node in the UAG DirectAccess Array. UAG DirectAccess arrays contain from 2 to 8 nodes. UAG1 is configured as the first node, and UAG2 is the second node. In this step you install and configure UAG2 as the second member of the UAG DirectAccess array.

E.      Configure Network Load Balancing on the Array Manager (UAG1). After the UAG DirectAccess array configuration is complete, it is ready to support Network Load Balancing to provide load balancing and high availability for DirectAccess client connections.

F.      Reconfigure and Apply New Configuration Settings for UAG DirectAccess. Settings enabled by Group Policy need to be updated after making the array and NLB configuration changes. This step reconfigures the DirectAccess settings and redeploys them.

G.     Start Network Load Balancing. Start Network Load Balancing after the configuration changes are made in the DirectAccess configuration.

H.     Test DirectAccess Client Connectivity through the UAG DirectAccess NLB Array. This step tests the UAG DirectAccess and validates the array and NLB configurations.

A.     Update ISATAP record in the DNS server to include future VIPs and DIPs

We will continue to use 10.0.0.2 as an ISATAP address on the network. However, we need to add two more addresses: the DIP on the internal interface of UAG2 and the DIP on the internal interface of UAG1, because 10.0.0.2 becomes the VIP shared on the internal interface of both servers in the UAG DirectAccess array once NLB is enabled. The new addresses are 10.0.0.19, which is the DIP on UAG2, and 10.0.0.18, which will be the DIP on the internal interface of UAG1 when NLB is enabled. Therefore, we will add new Host (A) records for ISATAP: 10.0.0.18 and 10.0.0.19.
  1. At the DC1 computer or virtual machine, open the DNS console.
  2. In the DNS console, expand the server name and then expand the Forward Lookup Zones node. Click corp.contoso.com. Right click corp.contoso.com and click New Host (A or AAAA).
  3. In the New Host dialog box, enter isatap in the Name text box. In the IP address text box, enter 10.0.0.18. Click Add Host. Click OK in the DNS dialog box indicating that the record was successfully created.
  4. In the New Host dialog box, enter isatap in the Name text box. In the IP address text box, enter 10.0.0.19. Click Add Host. Click OK in the DNS dialog box indicating that the record was successfully created.
  5. Click Done in the New Host dialog box.
  6. Close the DNS console.

B.     Change the Single Server IP addressing configuration on UAG1

The IP addressing configuration on UAG1 now needs to be changed. The external IP addresses 131.107.0.2 and 131.107.0.3 must be removed. A single DIP on the external interface will be assigned: 131.107.0.18. On the internal interface, the current IP address 10.0.0.2 will be removed and replaced with 10.0.0.18.
  1. At the UAG1 computer or virtual machine, in the Initial Configuration Tasks console, click Configure Networking.
  2. In the Network Connections window, right click the Internet connection and click Properties.
  3. In the Internet Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4) and then click Properties.
  4. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, in the IP address text box, change the IP address to 131.107.0.18.
  5. Click the Advanced button. On the IP Settings tab, in the IP addresses frame, select 131.107.0.3 and click Remove. Click OK.
  6. Click OK in the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box. Click Close in the Internet Properties dialog box.
  7. Right click the Corpnet connection and click Properties.
  8. In the Corpnet Properties dialog box, click the Internet Protocol Version 4 (TCP/IPv4) entry and click Properties.
  9. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, change the IP address in the IP address text box to 10.0.0.18. Click OK.
  10. Click Close in the Corpnet Properties dialog box.
  11. Close the Network Connections window.
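The DNS update in procedure A and the UAG1 re-addressing in procedure B are the steps most often repeated when a lab is rebuilt. The script below is an added example, not part of the UAG guide, that performs both with the same addresses and then verifies the result: Add-IsatapRecords runs on DC1 (dnscmd is present on a Windows Server 2008 R2 DNS server), and Set-Uag1ArrayAddresses runs at the console of UAG1, because it drops the old corpnet address 10.0.0.2 and would cut off an RDP session that used it. Function names are this example's; the zone, host names and addresses are the lab's own values.

```powershell
# Added example (not from the UAG guide): the ISATAP DNS records and the UAG1
# IP address changes for array membership, done with dnscmd and netsh and verified.
# Add-IsatapRecords: run on DC1.  Set-Uag1ArrayAddresses: run at the UAG1 console.
# Names and addresses are the test lab's own values.

$DnsServer = 'dc1'
$Zone      = 'corp.contoso.com'
$IsatapIps = @('10.0.0.2', '10.0.0.18', '10.0.0.19')   # future internal VIP plus both DIPs

function Add-IsatapRecords {
    # One "isatap" Host (A) record per address, as in procedure A (10.0.0.2 already exists).
    foreach ($ip in $IsatapIps) {
        dnscmd $DnsServer /RecordAdd $Zone isatap A $ip | Out-Null
    }
    # Verify through the resolver: an ISATAP host must be able to reach whichever array
    # member holds an address, so the name must return all of them. This only works once
    # ISATAP has been removed from the DNS global query block list (done earlier in the guide).
    ipconfig /flushdns | Out-Null
    $resolved = [System.Net.Dns]::GetHostAddresses("isatap.$Zone") |
                ForEach-Object { $_.IPAddressToString }
    $missing = $IsatapIps | Where-Object { $resolved -notcontains $_ }
    if ($missing) { throw "isatap.$Zone is missing: $($missing -join ', ')" }
    "isatap.$Zone -> $($resolved -join ', ')"
}

function Set-Uag1ArrayAddresses {
    # External: 131.107.0.2 and 131.107.0.3 become NLB VIPs later, so UAG1 keeps only
    # the DIP 131.107.0.18 (procedure B, steps 4 and 5).
    netsh interface ipv4 add    address name="Internet" address=131.107.0.18 mask=255.255.255.0
    netsh interface ipv4 delete address name="Internet" address=131.107.0.2
    netsh interface ipv4 delete address name="Internet" address=131.107.0.3
    # Internal: 10.0.0.2 becomes the internal VIP; UAG1's DIP is 10.0.0.18 (step 9).
    netsh interface ipv4 add    address name="Corpnet" address=10.0.0.18 mask=255.255.255.0
    netsh interface ipv4 delete address name="Corpnet" address=10.0.0.2

    # Verify the new bindings, then confirm DC1 still answers when sourced from the new DIP.
    $bound = netsh interface ipv4 show ipaddresses
    foreach ($expected in '131.107.0.18', '10.0.0.18') {
        if (-not ($bound | Where-Object { $_ -match [regex]::Escape($expected) })) {
            throw "Address $expected is not bound"
        }
    }
    ping -n 2 -S 10.0.0.18 "dc1.$Zone" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dc1.$Zone not reachable from 10.0.0.18" }
    'UAG1 re-addressed for array membership'
}
```

Run Add-IsatapRecords first, then Set-Uag1ArrayAddresses; the order matters because the UAG DirectAccess wizard later expects all three ISATAP addresses to be in DNS (procedure F, step 5).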

C.      Change the UAG1 Single Server Configuration to an Array Manager

UAG1 is now ready to be configured as an Array Manager in a UAG server array. The Array Manager is the machine that hosts the configuration for the array and the Array Manager is the only machine where configuration is performed. You will not be able to run the UAG management console on any other machine in the array.
  1. At the UAG1 computer or virtual machine, open the Forefront UAG Management console.
  2. In the Forefront UAG Management console, click the Admin menu and then click Network Interfaces.
  3. On the Welcome to the Network Configuration Wizard page, click Next.
  4. On the Define Network Adapters page, confirm the settings for the Internal and External connections. Click Next.
  5. On the Define Internal Network IP Address Range page, click Next.
  6. On the Completing the Network Configuration Wizard page, click Finish.
  7. Click the Admin menu and click Array Management.
  8. On the Welcome to the Array Management Wizard page, click Next.
  9. On the Step 1 – Configure Array Settings page, select the Set this server as the array manager option and click Next.
  10. On the Step 2 – Specify Array Credentials page, in the user name text box enter User1 and enter User1’s password and confirm the password. The domain CORP should be filled in automatically in the Domain text box. Click Next.
  11. On the Step 3 – Defining Array Member Computers page, confirm that UAG1 is already entered. Click the Add button.
  12. In the Add/Edit Server text box, enter UAG2 in the Name text box and in the IP address text box, enter 10.0.0.19. Click OK. Note that all servers in the array are identified by their IPv4 DIP.
  13. On the Step 3 – Defining Array Member Computers page, click Next.
  14. On the Set Server as Array Manager page, click Finish.
  15. Click OK on the Configuration page indicating that the array manager was successfully configured.

D.     Configure UAG2 as a new node in the UAG DirectAccess Array

UAG2 has Windows Server 2008 R2 already installed on it, and you have configured its IP addressing information and joined the server to the domain. At this point you will install the Forefront UAG software and configure the machine to be a member of the array.
  1. At the UAG2 computer or virtual machine, insert the Forefront Unified Access Gateway DVD.
  2. On the splash page, click Install Forefront UAG.
  3. Click Next on the Welcome to the Forefront UAG Setup Wizard page.
  4. On the License Terms page, select I accept the License Terms for Microsoft Software and click Next.
  5. On the Select Installation Location page, click Next.
  6. The installation will complete and ask if you want to restart. Choose the option to restart the computer and log on as CORP\User1.
  7. Open the Forefront UAG Management console.
  8. On the Welcome to Microsoft Forefront Unified Access Gateway 2010 page, click Configure Network Settings.
  9. On the Welcome to the Network Configuration Wizard page, click Next.
  10. On the Define Network Adapters page, set the Corpnet adapter as Internal and the Internet adapter as External. Click Next.
  11. On the Define Internal Network IP Address Range page, click Next.
  12. On the Completing the Network Configuration Wizard page, click Finish.
  13. On the Welcome to Microsoft Forefront Unified Access Gateway 2010 page, click Define Server Topology.
  14. On the Welcome to the Server Management Wizard page, click Next.
  15. On the Select Configuration page, select the Array member option, then click Next.
  16. On the Welcome to the Array Management Wizard page, click Next.
  17. On the Step 1 – Configure Array Settings page, select the Add this server to an array option and click Next.
  18. On the Step 2 – Select Array Manager page, enter the FQDN for UAG1 in the Array manager (IP address or FQDN): text box. The FQDN for UAG1 is uag1.corp.contoso.com. In the User Credentials frame, enter User1 in the User name text box, and then enter the password for User1. In the Domain text box, enter CORP. Click Next.
  19. On the Joining the Array page, click Finish.
  20. In the Configuration dialog box informing you that the server was successfully joined to the array, click OK.
  21. On the Completing the Server Management Wizard page, click Finish.
  22. On the Welcome to Microsoft Forefront Unified Access Gateway 2010 page, click Join Microsoft Update.
  23. On the Use Microsoft Update for Forefront UAG page, select I don’t want to use Microsoft Update and click OK.
  24. On the Welcome to Microsoft Forefront Unified Access Gateway 2010 page, click Close.
  25. In the Array Management Wizard dialog box, select Exit the Forefront UAG console.

E.      Configure NLB on the Array Manager (UAG1)

UAG1 and UAG2 now belong to the same array. You can now enable Network Load Balancing for the array. When Network Load Balancing (NLB) is enabled, one or more members of the array can fail and, as long as a single member remains online, users will be able to connect to the UAG DirectAccess server. The following procedure is performed on the Array Manager, UAG1.
  1. At the UAG1 computer or virtual machine, open the UAG Management console.
  2. In the UAG Management console, click the Admin menu and then click Network Load Balancing. (Note: if the UAG Management Console was open on UAG1 when UAG2 joined the array, close the console and restart it).
  3. In the Network Load Balancing dialog box, click Add. In the Configure Virtual IP Addresses dialog box, select the External option from the Network drop down list. In the Virtual IP address text box, enter 131.107.0.2 and in the Subnet mask text box enter 255.255.255.0.  Click OK.
  4. In the Network Load Balancing dialog box, click Add. In the Configure Virtual IP Addresses dialog box, select the External option from the Network drop down list. In the Virtual IP address text box, enter 131.107.0.3 and in the Subnet mask text box enter 255.255.255.0. Click OK.
  5. In the Network Load Balancing dialog box, click Add. In the Configure Virtual IP Addresses dialog box, select the Internal option from the Network drop down list. In the Virtual IP address text box, enter 10.0.0.2 and in the Subnet mask text box enter 255.255.255.0. Click OK.
  6. Click OK in the Network Load Balancing dialog box.
  7. Close the UAG Management console.
  8. In the Configuration dialog box, click Yes to save the changes.

F.      Reconfiguring and Applying new Configuration Settings for UAG DirectAccess

Now we are ready to apply the new settings to the UAG DirectAccess configuration. Perform the following steps on the Array Manager, UAG1.
  1. At the UAG1 computer or virtual machine, open the UAG Management console.
  2. In the UAG Management console, click the DirectAccess node in the left pane of the console.
  3. In the right pane of the UAG Management console, in the DirectAccess Server section, click Edit.
  4. On the Load Balancing page in the UAG DirectAccess Server Configuration wizard, confirm that the Windows Network Load Balancing option is selected and that you see a green circle with a checkmark in it with a message The array has all the required prerequisites for the select Load Balancing method next to it. Click Next.
  5. On the Connectivity page of the UAG DirectAccess Server Configuration Wizard, confirm that the Internet-facing and Internal IP address values are automatically entered. The First Internet-facing IPv4 address should be 131.107.0.2 and the Second Internet-facing IPv4 address should be 131.107.0.3. The Internal IP address should be 10.0.0.2. Note the message on the bottom of the page that informs you that you should enter 10.0.0.2, 10.0.0.18, and 10.0.0.19 as Host (A) record entries for ISATAP in DNS. Click Next.
  6. On the Managing DirectAccess Services page in the UAG DirectAccess Server Configuration wizard, click Next.
  7. On the Authentication Options page in the UAG DirectAccess Server Configuration wizard, click Finish.
  8. In the UAG Management console, click the File menu and then click Activate.
  9. In the Activate Configuration dialog box, click Activate.
  10. In the Activation Configuration dialog box, note that it says that it may take a few minutes for the array configuration change to complete and that you can use the Activation Monitor to track the progress of the configuration changes. Click Finish.
  11. You can use the Activation Monitor to confirm when activation is complete. Click Start and then click All Programs. Click Microsoft Forefront UAG and then click Forefront UAG Activation Monitor. In the left pane of the console, click on each array member and confirm in the right pane that UAG DirectAccess configuration was activated successfully message appears for each array member. You should see a green checkmark to the left of each member of the array.
  12. Close the Forefront Unified Access Gateway Activation Monitor.
  13. *Move to the DC1 computer or virtual machine. Click Start and point to Administrative Tools. Click Group Policy Management.
  14. In the Group Policy Management console, expand the Forest: corp.contoso.com node and then expand the Domains node. Expand the corp.contoso.com node and click on the UAG DirectAccess: DaServer {GUID} GPO.
  15. In the Security Filtering section, click Add. In the Select User, Computer, or Group dialog box, click the Object Types button. In the Object Types dialog box, put a checkmark in the Computers checkbox and click OK.
  16. In the Select User, Computer, or Group dialog box, in the Enter the object name to select text box, enter UAG2 and click Check Names. Click OK.
  17. Close the Group Policy Management console.
  18. *Move to the UAG2 computer or virtual machine. Open an elevated command prompt and enter gpupdate /force and press ENTER.
  19. Confirm that Connection Security Rule policies were applied to UAG2. Click Start and point to Administrative Tools. Click Windows Firewall with Advanced Security. In the Windows Firewall with Advanced Security console, click the Connection Security Rules node in the left pane of the console. In the middle pane, check the Enabled column. Both connection security rules should list Yes in that column.

G.     Start NLB

The array is now ready to start NLB. The UAG Web Monitor application is used to start NLB and view NLB status. Perform the following steps on the Array Manager, which is UAG1.
  1. At the UAG1 computer or virtual machine, open the UAG Management console.
  2. In the UAG Management console, click the Admin menu and click Web Monitor.
  3. Click OK in the Internet Explorer dialog box informing you about Java Components.
  4. In the left pane of the Web Monitor console, click the Array Monitor\Current Status link.
  5. In the Array Monitor\Current Status page, put a checkmark in the UAG1 and UAG2 checkboxes. In the select an option to apply checkbox, click the Start option. Click the Apply button.
  6. The NLB Status will show Converging. Click the Refresh button and you will see the Synchronization Status as Updating.
  7. Click the Refresh button one more time and you will see the NLB Status as Converged and the Synchronization Status as Synched.

H.     Test Client Connectivity through the NLB Array

Now that the UAG NLB array is configured, converged and synchronized, you can test connectivity through the array. Before you begin testing, we recommend that you shut down both UAG1 and UAG2 for at least five minutes. There are a number of reasons for this, which include ARP cache timeouts and changes related to NLB. When validating NLB configuration in a test lab, you will need to be patient, as configuration changes are not reflected in connectivity until a period of time has elapsed. This is important to keep in mind when you carry out the following tasks.
  1. Log on to the CLIENT1 computer or virtual machine. Move CLIENT1 to the HomeNet subnet.
  2. Open an elevated command prompt on CLIENT1. At the command prompt, enter ipconfig /all and press ENTER. Examine the output and confirm that CLIENT1 has the Teredo address 2001:0:836b:2:3457:e52:7c94:ff9b.
  3. In the command prompt window, ping DC1, UAG1, UAG2, APP1 and APP3. You should receive replies from each of these resources. (Note: ping requests may fail to UAG1 or UAG2 because DNS64 is not using the IPv6 address listed in DNS. This is a known issue.)
  4. From the Run command, open the File shares on DC1 and APP3. The ability to open the File Share on APP3 indicates that the second tunnel, which requires Kerberos authentication for the user, is working correctly.
  5. Open Internet Explorer. From Internet Explorer, open the Web sites http://app1 and http://app3. The ability to open both Web sites confirms that both the first and second tunnels are up and functioning.
  6. *Return to the UAG1 computer or virtual machine. Perform a graceful shutdown.
  7. *Return to the CLIENT1 computer or virtual machine. Wait for 5 minutes. Then repeat steps 2-5. This demonstrates that CLIENT1 is still able to connect to the corpnet even after the UAG1 array member has failed.
  8. *Return to the UAG2 computer or virtual machine and perform a graceful shutdown.
  9. *Return to the UAG1 computer or virtual machine and start it.
  10. *Wait for 5 minutes, and then return to the CLIENT1 computer or virtual machine. Perform steps 2-5. This confirms that CLIENT1 was able to transparently fail over to UAG1 after UAG2 became unavailable.

13.     Configure and Test Manage Out (Remote Management) Capabilities

DirectAccess uses two IPsec tunnels between the DirectAccess client and server to enable communications to the corporate network. The first IPsec tunnel is the “infrastructure” tunnel. This tunnel is established after the DirectAccess client computer starts, but before the user logs on. Authentication is required for this tunnel, and both a computer certificate and the computer account in Active Directory are used to authenticate the first IPsec tunnel connection. The second tunnel is established after the user logs on. Authentication for this tunnel uses a computer certificate and user (Kerberos) authentication in Active Directory.
The infrastructure tunnel provides bidirectional access to and from servers included in the management servers collection, as defined in the DirectAccess configuration wizard. These servers can connect to DirectAccess clients over the infrastructure tunnel, so that connectivity is available whenever the DirectAccess client computer is turned on, regardless of whether a user is logged on. The infrastructure tunnel enables “manage out” or remote management scenarios where administrators can apply patches, make configuration changes, and employ their full suite of configuration and management tools not only on computers on the corporate network, but on any DirectAccess client on the Internet.
The following procedures are performed to enable several “manage out” scenarios and allow you to test each of them:

A.     Create the DirectAccess Client Organizational Unit and Place CLIENT1 in the New OU. New firewall rules are required to enable some aspects of remote management of DirectAccess clients. Firewall rules can be configured on each client individually, but it is more efficient to use Group Policy to distribute the new firewall rules to all DirectAccess clients. Changes could be made to the DirectAccess Client GPO created by the UAG DirectAccess wizard, but these settings are overwritten each time the wizard is run. Therefore, a new GPO is created to support these custom settings. The new GPO is then linked to an OU that is populated with the DirectAccess client computer accounts. In this step the OU is created and CLIENT1 is moved into it.

B.     Create the DirectAccess GPO and Link it to the DirectAccess Client OU. The DirectAccess GPO carries the new firewall rules and is linked to the DirectAccess client OU. In this step you create the GPO, add the firewall rules with Edge Traversal enabled, and link the GPO to the OU.

C.     Refresh the DirectAccess Client Configuration and Enable Remote Desktop Connections to CLIENT1. The DirectAccess clients need to refresh their Group Policy configuration to receive the new GPO settings. In this step the DirectAccess client refreshes its Group Policy configuration to receive the new firewall settings, and Remote Desktop connections are enabled on CLIENT1.

D.     “Manage Out” the DirectAccess Client. After the new firewall settings are deployed to the DirectAccess client, management servers on the corporate network can initiate connections to the DirectAccess client. In this step you validate the settings and establish connections from DC1 to CLIENT1, when CLIENT1 is acting as a DirectAccess client behind NAT1.

A.     Create the DirectAccess Client Organizational Unit and Place CLIENT1 in the New OU

“Manage out” or remote management scenarios for DirectAccess clients can take place in two ways. In the first scenario, the DirectAccess client contains one or more management agents that initiate connections to management servers on the corporate network over either the infrastructure or intranet tunnel. If the user is not logged on, the management agents can initiate connections to management servers over the infrastructure tunnel. If the user is logged on, either the infrastructure or intranet tunnel can be used. In the second scenario, management servers initiate connections to the DirectAccess client. Special Windows Firewall with Advanced Security firewall rules are required to enable management servers to initiate connections to DirectAccess clients when the DirectAccess client is located behind a NAT device. These firewall rules must be configured for each protocol used to initiate the connection to the DirectAccess client, and each of these rules must have “Edge Traversal” enabled.
The special firewall rules can be configured on each DirectAccess client individually. However, this manual approach does not scale. A better solution is to use Active Directory Group Policy to configure and distribute the new firewall rules for the desired protocols with Edge Traversal enabled. While it is possible to configure these rules using the GPO created by the UAG DirectAccess wizard, those GPO settings are overwritten each time the wizard is run and the new GPO settings are deployed. Therefore, a viable alternative is to create a new GPO for the DirectAccess clients and a new Organizational Unit for the DirectAccess clients. The new DirectAccess client GPO can be linked to the new OU to apply the firewall rules required for management servers to initiate connections to the DirectAccess clients.
Note:
DirectAccess clients using the 6to4 IPv6 transition technology to connect to the DirectAccess server do not require special firewall rules with Edge Traversal. However, since 6to4 connections are likely to represent only a small minority of DirectAccess client connections, it is important to create the Edge Traversal enabled firewall rules to allow management servers to initiate connections to the DirectAccess clients.
To apply the GPO settings to the DirectAccess clients, we create an Organizational Unit that will contain the DirectAccess clients. The DirectAccess GPO is linked to the new OU. The first step is to create the DirectAccess OU and place CLIENT1 in this OU. The following steps are carried out on DC1.
  1. At the DC1 computer or virtual machine, open the Active Directory Users and Computers console.
  2. In the left pane of the Active Directory Users and Computers console, right click on corp.contoso.com, point to New and click on Organizational Unit.
  3. In the New Object – Organizational Unit dialog box, in the Name text box, enter DirectAccess Clients. Remove the checkmark from the Protect container from accidental deletion checkbox. (Note: removing accidental-deletion protection from the OU is not required for DirectAccess to work; it is done as a convenience for this lab.) Click OK.
  4. In the left pane of the console, click the Computers node. In the right pane, right click CLIENT1 and click Move.
  5. In the Move dialog box, click on the DirectAccess Clients OU and click OK.

B.     Create the DirectAccess GPO and Link it to the DirectAccess Client Organizational Unit

DirectAccess clients that connect to the DirectAccess server using Teredo or IP-HTTPS need special Firewall Rules to support “manage out” connections. These firewall rules are created for each protocol needed to connect from the corpnet to the DirectAccess client. By default, there are no Firewall Rules that allow outbound management from management servers on the corporate network, so you must create rules to allow the required protocols. The best way to deploy these Firewall Rules is by configuring them in Group Policy so that the settings are automatically deployed. In this example we will create rules that allow management computers on the corpnet to connect to DirectAccess clients on the Internet using Ping, File Services and Remote Desktop Protocol. Perform the following steps on DC1.
  1. At the DC1 computer or virtual machine, open the Group Policy Management console.
  2. In the Group Policy Management console, expand Forest: corp.contoso.com and then expand Domains. Expand corp.contoso.com and click Group Policy Objects. Right click Group Policy Objects and click New.
  3. In the New GPO dialog box, in the Name text box, enter DirectAccess Clients GPO (note: this is an example, you can name the GPO anything you like). Click OK.
  4. Expand the Group Policy Objects node and right click DirectAccess Clients GPO. Click Edit.
  5. In the Group Policy Management Editor console, navigate to Computer Configuration\Policies\Windows Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security – LDAP://CN=\Inbound Rules. Right click Inbound Rules in the left pane of the console and click New Rule.
  6. On the Rule Type page, select the Predefined option. From the drop down list, select Remote Desktop. Click Next.
  7. On the Predefined Rules page, click Next.
  8. On the Action page, click Next.
  9. Right click the Inbound Rules node and click New Rule.
  10. On the Rule Type page, select the Predefined option. Select the File and Printer Sharing option. Click Next.
  11. On the Predefined Rules page, click Next.
  12. On the Action page, click Finish.
  13. Right click the Remote Desktop (TCP-In) rule and click Properties. In the Remote Desktop (TCP-In) Properties dialog box, click the Advanced tab.
  14. On the Advanced tab, remove the checkmark from the Domain profile checkbox. In the Edge Traversal frame, select the Allow edge traversal from the drop down box. Click OK.
  15. Repeat steps 13-14 for all the inbound Firewall Rules.
  16. Close the Group Policy Management Editor console.
  17. In the left pane of the Group Policy Management console, right click the DirectAccess Clients OU and click Link an Existing GPO.
  18. In the Select GPO dialog box, select the DirectAccess Clients GPO Group Policy Object and click OK.
  19. Expand the DirectAccess Clients OU, and click on the DirectAccess Clients GPO. In the Security Filtering section in the right pane, click on the Authenticated Users entry and click Remove. Click Add. In the Select User, Computer, or Group dialog box, enter Domain Computers in the Enter the object name to select text box and click Check Names. Click OK. (Note: the reason why we use Domain Computers for security filtering is that the infrastructure tunnel uses the computer account to perform NTLMv2 authentication. Authenticated Users will not work because users do not authenticate until after they log on, and we want DirectAccess client computers to be available for management even when the DirectAccess client computer has no logged on user).
  20. In the left pane of the console, right click the Default Domain Policy GPO and click Edit.
  21. In the Group Policy Management Editor console, navigate to Computer Configuration\Policies\Windows Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security – LDAP://CN=\Inbound Rules. In the right pane of the console, right click on the Inbound ICMPv6 Echo Request rule you created earlier and click Properties.
  22. In the Inbound ICMPv6 Echo Request Properties dialog box, click the Advanced tab. On the Advanced tab, in the Edge Traversal frame, select the Allow edge traversal option from the drop down box. We are enabling edge traversal for this existing rule, instead of creating a new rule in the DirectAccess Clients GPO, to simplify configuration. Click OK.
  23. Close the Group Policy Management Editor. Close the Group Policy Management console. Close Active Directory Users and Computers.

C.     Refresh the DirectAccess Client Configuration and Enable Remote Desktop Connections to CLIENT1

CLIENT1 needs to receive the firewall rule settings from the new GPO. That can be done by initiating a Group Policy refresh while CLIENT1 is running as a DirectAccess client on the Internet. In addition, CLIENT1 needs to be configured to allow Remote Desktop connections before it can accept RDC connections from a management server on the corpnet. Perform the following steps on CLIENT1.
  1. CLIENT1 should be on the HomeNet subnet from a previous procedure. If CLIENT1 is not on the HomeNet subnet, move CLIENT1 to the HomeNet subnet and confirm connectivity to the corpnet.
  2. On CLIENT1, open an elevated command prompt. In the command prompt window, enter gpupdate /force and press ENTER. Wait for the command to complete and you receive a confirmation.
  3. Click Start and then right click Computer. Click Properties.
  4. Click Advanced system settings in the left pane of the System window.
  5. In the System Properties dialog box, click the Remote tab.
  6. On the Remote tab, select the Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure) option. Click OK. Close the System window.
  7. Click Start and type network in the search box. Click Network and Sharing Center.
  8. In the left pane of the Network and Sharing Center window, click the Change advanced sharing settings.
  9. In the Advanced sharing settings window, select the following options: Turn on network discovery, Turn on file and printer sharing and Turn on sharing so anyone with network access can read and write files in the Public folders. Click Save Changes. (Note: these options are turned on to demonstrate file share access over the management tunnel; they are not to be considered networking best practices.)
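After the Group Policy refresh in step 2, the following PowerShell script, added here as an example and not part of the original guide, parses the netsh advfirewall output on CLIENT1 and lists every enabled inbound allow rule that permits edge traversal, which is the set of rules that can accept unsolicited connections arriving from the Internet over Teredo or IP-HTTPS. Use it to confirm that only the Remote Desktop, File and Printer Sharing and ICMPv6 Echo Request rules delivered by Group Policy appear, and that the Domain profile was removed from them as in step 14 of the previous procedure; the function name is my own, and the field names are those printed by netsh on Windows 7 and Windows Server 2008 R2.

```powershell
# Added example (not from the original guide): audit inbound firewall rules
# that allow edge traversal on a DirectAccess client. Uses only netsh
# advfirewall, which exists on Windows 7 / Server 2008 R2 (no NetSecurity
# cmdlets required). Run in an elevated PowerShell prompt on CLIENT1.

function Get-InboundEdgeTraversalRules {
    # netsh prints one "Key: Value" block per rule, each starting with
    # "Rule Name:". Collect every block into a hashtable.
    $raw   = netsh advfirewall firewall show rule name=all verbose
    $rules = @()
    $cur   = $null
    foreach ($line in $raw) {
        if ($line -match '^Rule Name:\s+(.*)$') {
            if ($cur) { $rules += $cur }
            $cur = @{ 'Name' = $Matches[1].Trim() }
        }
        elseif ($cur -and $line -match '^([A-Za-z ]+):\s+(.*)$') {
            $cur[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    if ($cur) { $rules += $cur }

    # Only enabled inbound allow rules with edge traversal can be reached
    # by a management server that initiates the connection.
    $rules |
        Where-Object {
            $_['Direction']      -eq 'In'    -and
            $_['Enabled']        -eq 'Yes'   -and
            $_['Action']         -eq 'Allow' -and
            $_['Edge traversal'] -eq 'Yes'
        } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name      = $_['Name']
                Profiles  = $_['Profiles']
                Protocol  = $_['Protocol']
                LocalPort = $_['LocalPort']
                # "Group Policy" here confirms the rule came from the GPO,
                # not from a local setting on the client.
                Source    = $_['Rule source']
                # Step 14 removed the Domain profile; True here means a rule
                # still exposes edge traversal on the corpnet as well.
                IncludesDomain = ($_['Profiles'] -match 'Domain')
            }
        }
}

Get-InboundEdgeTraversalRules |
    Format-Table Name, Profiles, Protocol, LocalPort, Source, IncludesDomain -AutoSize
```

Any rule listed with IncludesDomain set to True, or with a Source other than Group Policy, was not configured the way the previous procedure describes and should be revisited in the GPO.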

D.     “Manage Out” the DirectAccess Client

The DirectAccess client is now ready for remote management using the protocols configured in the Firewall Rules that allow for Edge Traversal. Perform the following procedures on DC1. The procedures are performed on DC1 because DC1 is the only computer that is on the management servers list and therefore the only one that can connect to CLIENT1 over the infrastructure tunnel. In addition, CLIENT1 will be restarted so that DC1 will be forced to use the infrastructure tunnel to connect to CLIENT1. The intranet tunnel is only available after the user logs on to the DirectAccess client computer.
  1. At the CLIENT1 computer or virtual machine, restart the operating system and do not log on.
  2. *Move to the DC1 computer or virtual machine. Click Start and in the Search box, enter mstsc and press ENTER.
  3. In the Remote Desktop Connection application, enter CLIENT1 in the Computer text box and click Connect.
  4. In the Windows Security dialog box, enter the credentials for CORP\User1 and click OK.
  5. The Terminal Services client session opens and you now see the desktop on CLIENT1. Click Start and enter Firewall in the Search box. Click on Windows Firewall with Advanced Security.
  6. In the Windows Firewall with Advanced Security console, note that the Private Profile is Active.
  7. Expand the Monitoring node in the left pane of the console and expand Security Associations. Click on the Main Mode node. In the middle pane of the console, note that the 2nd Authentication Method is all User (NTLMv2). This indicates that only the infrastructure tunnel has been established to the DirectAccess server using the computer account of the DirectAccess client. This demonstrates that you were able to remotely manage CLIENT1 from DC1 over the infrastructure tunnel only.
  8. Click Start and click Log Off to log off the Terminal Services Client session.
  9. Open a command prompt and in the command prompt window enter ping client1 and press ENTER. You should receive ping replies from CLIENT1 at IP address 2001:0:836b:2:db:b03:7c94:ff9b.
  10. Click Start and enter \\CLIENT1 in the Search box and press ENTER. You will see a list of shared resources on CLIENT1. You can drill down on any of the folders and access files contained within them.