So What are the Major DirectAccess Infrastructure Components? (Full Version)






tshinder -> So What are the Major DirectAccess Infrastructure Components? (17.Mar.2010 6:43:19 AM)

"So what are the major DirectAccess Infrastructure Components?"

That's a good question! Here's my general description:

Windows 7 or above clients - the DA client needs to have the capabilities to initiate the DA connection. The major components on the client include the new features included with the Windows Firewall with Advanced Security and Connection Security policies. Win7+ meets this requirement.

Windows Server 2008 R2 - only required for the UAG DA server itself. No other machine on the network needs to be Windows Server 2008 or above. However, it would help since they are IPv6 capable, but it's definitely not required.

PKI - you need certificates for DA. Computer certificates are required on the DA clients and UAG DA server. A Web site certificate is required on the Network Location Server (I'll talk about that next) and also for the UAG DA server. You should use a commercial certificate for the web site certificate on the UAG DA server, which will be used by the UAG DA server's IP-HTTPS listener.

Network Location Server - This is a Web server that the DA clients connect to using HTTPS. If the DA client can connect to this server using HTTPS, then it knows it's on the corpnet and it turns off its DA components. If the DA client can't connect to this server, then it turns on its DA client components and connects to the UAG DA server over the Internet. The NLS should be highly available, but doesn't require any special configuration other than needing to accept SSL connections. Since this is an internal server, a private certificate is fine.

Active Directory - Configuration settings and Authentication require AD. The UAG DA server and the DA clients need to belong to an AD domain. The UAG DA server and clients don't need to belong to the same forest, but if they don't, there needs to be a two-way trust between the DA server and DA client domain.

There you go! Not that complicated and not stuff that you don't already work with just about every day. Make sure to check out the UAG DirectAccess when you get a chance.

Thanks!
Tom




Jason Jones -> RE: So What are the Major DirectAccess Infrastructure Components? (17.Mar.2010 8:47:18 AM)

Win 7 also needs to be Enterprise/Ultimate edition IIRC.

Is "manage out" viable without a Windows Server 2008 DNS server? I am thinking about how you can connect to a DA client using its IPv6 address if you cannot resolve the computer name to an IPv6 address?

Cheers

JJ




tshinder -> RE: So What are the Major DirectAccess Infrastructure Components? (17.Mar.2010 8:43:53 PM)

Hi Jason,

Good point! Not all versions of Windows 7 are supported. I often forget about that and Debi reminds me of it when I forget, and now you do. :)

RE: manage out. Any DNS server that supports dynamic registrations for IPv6 addresses will work. So, if you had Infoblox, that would work. If you had Windows Server 2003 it would not work. Good point!

Thanks!
Tom
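The following is an added example, not code from the thread, from UAG, or from Microsoft: a read-only preflight script, run in Windows PowerShell on a DirectAccess client, that checks the components Tom lists in the first post (supported Windows 7 edition, domain membership, a computer certificate, and whether the Network Location Server answers over HTTPS) plus the piece the "manage out" replies turn on, namely whether the client's own name resolves to an IPv6 address in DNS. The NLS URL and DNS suffix are placeholders you must replace; the script changes nothing on the machine.

```powershell
# Added example (not part of the forum thread): read-only preflight check, run
# in Windows PowerShell on a DirectAccess client, for the components Tom lists
# and for the AAAA registration that "manage out" depends on.
# ASSUMPTIONS: $NlsUrl and $DnsSuffix below are placeholders for your own
# Network Location Server and AD DNS zone.
function Test-DaClientPrereqs {
    param(
        [string]$NlsUrl    = 'https://nls.corp.example.com/',  # placeholder
        [string]$DnsSuffix = 'corp.example.com'                # placeholder
    )
    $r = New-Object System.Collections.Specialized.OrderedDictionary

    # 1. Client OS: Windows 7 Enterprise/Ultimate (or later), as Jason notes.
    $os = Get-WmiObject Win32_OperatingSystem
    $r['OS'] = $os.Caption
    $r['OS edition supported'] = [bool]($os.Caption -match 'Enterprise|Ultimate')

    # 2. Active Directory: the client must be domain-joined.
    $cs = Get-WmiObject Win32_ComputerSystem
    $r['Domain joined'] = [bool]$cs.PartOfDomain
    $r['Domain'] = $cs.Domain

    # 3. PKI: a computer certificate with a private key, not expired, whose
    #    EKU includes Client Authentication (OID 1.3.6.1.5.5.7.3.2).
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    $certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] -and
            ($_.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
        })
    }
    $r['Computer cert present'] = [bool]$certs
    $r['Computer cert subjects'] = ($certs | ForEach-Object { $_.Subject }) -join '; '

    # 4. Network Location Server: an HTTPS GET that must succeed on the corpnet
    #    and fail from the Internet. .NET validates the server certificate
    #    chain, so an untrusted or expired NLS certificate shows up here as a
    #    failure, which is what makes a client sitting on the LAN believe it
    #    is outside and turn its DA components on.
    try {
        $req = [System.Net.WebRequest]::Create($NlsUrl)
        $req.Timeout = 5000
        $resp = $req.GetResponse()
        $r['NLS reachable (looks like corpnet)'] = $true
        $r['NLS HTTP status'] = [int]$resp.StatusCode
        $resp.Close()
    } catch {
        $r['NLS reachable (looks like corpnet)'] = $false
        $r['NLS error'] = $_.Exception.Message
    }

    # 5. Manage out: this client's own name must resolve to an IPv6 address,
    #    which requires a DNS server that accepts dynamic AAAA registrations.
    #    The resolver may answer from cache; for a definitive answer query the
    #    DNS server directly (nslookup -type=AAAA <fqdn> <server>).
    $fqdn = '{0}.{1}' -f $env:COMPUTERNAME, $DnsSuffix
    try {
        $v6 = [System.Net.Dns]::GetHostAddresses($fqdn) |
              Where-Object { $_.AddressFamily -eq 'InterNetworkV6' }
        $r['AAAA for this host'] = [bool]$v6
        $r['IPv6 addresses'] = ($v6 | ForEach-Object { $_.IPAddressToString }) -join ', '
    } catch {
        $r['AAAA for this host'] = $false
        $r['DNS error'] = $_.Exception.Message
    }
    return $r
}

# Usage: print a two-column report.
$report = Test-DaClientPrereqs
foreach ($entry in $report.GetEnumerator()) {
    '{0,-38} {1}' -f $entry.Key, $entry.Value
}
```

Run it once on the corpnet and once from an Internet connection: the NLS line should flip from reachable to unreachable between the two, and everything else should stay the same. A client that reports the NLS as unreachable while on the LAN usually has a certificate problem on the NLS side rather than a network one, since the check fails on chain validation as readily as on a refused connection.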




Jason Jones -> RE: So What are the Major DirectAccess Infrastructure Components? (18.Mar.2010 4:48:08 AM)

Yeah, I have been recommending Windows 2008 DNS as a minimum as in reality DA without 'manage out' is not quite the same...




tshinder -> RE: So What are the Major DirectAccess Infrastructure Components? (18.Mar.2010 8:17:56 AM)

I think that's the best way to go. The "manage out" at this point in time seems to be more interesting to IT than the end user experience. I guess that makes sense, eh?

Tom



