
So What are the Major DirectAccess Infrastructure Components?

So What are the Major DirectAccess Infrastructure Compo... - 17.Mar.2010 6:43:19 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
"So what are the major DirectAccess Infrastructure Components?"

That's a good question! Here's my general description:

Windows 7 or above clients - the DA client needs to have the capabilities to initiate the DA connection. The major components on the client include the new features included with the Windows Firewall with Advanced Security and Connection Security policies. Win7+ meets this requirement.

Windows Server 2008 R2 - only required for the UAG DA server itself. No other machine on the network needs to be Windows Server 2008 or above. However, it would help since they are IPv6 capable, but it's definitely not required.

PKI - you need certificates to DA. Computer certificates are required on the DA clients and UAG DA server. A Web site certificate is required on the Network Location Server (I'll talk about that next) and also for the UAG DA server. You should use a commercial certificate for the web site certificate on the UAG DA server, which will be used by the UAG DA server's IP-HTTPS listener.

Network Location Server - This is a Web server that the DA clients connect to using HTTPS. If the DA client can connect to this server using HTTPS, then it knows it's on the corpnet and it turns off its DA components. If the DA client can't connect to this server, then it turns on its DA client components and connects to the UAG DA server over the Internet. The NLS should be highly available, but doesn't require any special configuration other than needing to accept SSL connections. Since this is an internal server, a private certificate is fine.

Active Directory - Configuration settings and Authentication require AD. The UAG DA server and the DA clients need to belong to an AD domain. The UAG AD server and clients don't need to belong to the same forest, but if they don't, there needs to be a two-way trust between the DA server and DA client domain.

There you go! Not that complicated and not stuff that you don't already work with just about every day. Make sure to check out the UAG DirectAccess when you get a chance.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.
Post #: 1
RE: So What are the Major DirectAccess Infrastructure C... - 17.Mar.2010 8:47:18 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Win 7 also needs to be Enterprise/Ultimate edition IIRC.

Is "manage out" viable without a Windows Server 2008 DNS server? I am thinking about how you can connect to a DA client using its IPv6 address if you cannot resolve the computer name to an IPv6 address?

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to tshinder)
Post #: 2
RE: So What are the Major DirectAccess Infrastructure C... - 17.Mar.2010 8:43:53 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jason,

Good point! Not all versions of Windows 7 are supported. I often forget about that and Debi reminds me of it when I forget, and now you do. :)

RE: manage out. Any DNS server that supports dynamic registrations for IPv6 addresses will work. So, if you had Infoblox, that would work. If you had Windows Server 2003 it would not work. Good point!

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Jason Jones)
Post #: 3
RE: So What are the Major DirectAccess Infrastructure C... - 18.Mar.2010 4:48:08 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Yeah, I have been recommending Windows 2008 DNS as a minimum as in reality DA without 'manage out' is not quite the same...

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to tshinder)
Post #: 4
RE: So What are the Major DirectAccess Infrastructure C... - 18.Mar.2010 8:17:56 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
I think that's the best way to go. The "manage out" at this point in time seems to be more interesting to IT than the end user experience. I guess that makes sense, eh?

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Jason Jones)
Post #: 5
