21 May 2012

DirectAccess UAG Array in 10 steps - expanded

Documentation for building DirectAccess with UAG is at best a little clumsy.  Jason Jones has an excellent 10 step guide and Dr Tom Schinder has excellent lab guides.  While following the combination of these two in my latest build I figured I would just write down the steps that needed expanding.   This is essentially my rough notes.

Original Sources:

Step 1: Configure Supporting Infrastructure
  • Create ISATAP, NLS and IP-HTTPS DNS records
On every Authorative DNS Server in the domain
Remove the ISATAP and WPAD entries from the DNS Block list
dnscmd /config /globalqueryblocklist
To see that the entries are remove see that they do not show up in the result of
dnscmd /info /globalqueryblocklist

Create ISATAP DNS Entry
On the DNS console 
Create a new Host A record ISATAP - the IP should be the internal IP of the UAG server
Create a new Host A record ISATAP - the IP should be the internal IP of the second UAG server
Create a new Host A record NLS the IP should be that of your NLS server

Confirm that you can resolve the DNS name with nslookup ISATAP

  • Create DirectAccess client and server security groups
From Active Directory users and Computers great a new group - "Direct Access Computers"
  • Create DirectAccess certificate templates
On the PKI server open 
MMC - Certificate Templates
Select the Web server Template - Duplicate - 2008 Enterprise
General Tab
Name : UAG NLS Webserver
Server Tab 
Check "Do not include revocation information in issued certificates"
Security Tab 
Authenticated users - Allow Enroll
Add domain computes - Allow Enroll
Request Handling Tab
Check Enable private key to be exported
certutil -ping  -- To force update the certificate templates availabale

Open MMC - Certification Authority
Select the CA Server
Select Certificate Templates - New - Certificate to issue
Select the UAG NLS Webserver template create earlier

Request and install a Computer certificate on each node
  • Create service account for UAG array management
From Active Directory users and Computers create a new account - add as a member of a group that has administrative access on all the Direct Access servers (UAG and NLS)

*** Create ICMP4 and ICMP6 Echo request firewall rules in Group Policy ***

Create or select a suitable Group Policy that can be applied to the DA clients and other DA associated servers.
Open the Group Policy Management console
Expand Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with advanced Security\

Inbound Rules add
Inbound ICMPv4 Echo
Inbound ICMPv6 Echo

Outbound Rules add
Outbound ICMPv4 Echo
Outbound ICMPv6 Echo

                        Specify – Protocol ICMPv4 or v6 - Customize – Check “Echo Requests” only

Step 2: Configure Network Location Servers
  • Create website and enrol/bind NLS certificate
  • Repeat for additional NLS servers and potentially implement NLB
Step 3: Prepare and Install UAG Servers
  • Install OS, activate, run Windows Update, join AD domain
  • Configure static routes – see here
By default the machines would be built with the default gateway as the internal network.  To enable you to remotely build the servers via RDP you need to ensure the routes are always configured to get to the internal

route add MASK -P

configure the external NIC with default gateway
remove the default gateway from the internal NIC

route print  

check that mask point to the externals default gateway.  If there is a duplicate route for the 

route delete

Re-set the external with the correct default gateway

  • Configure network interfaces and amend bind order – see here
Change the Binding order so that the internal binds first

Default Gateway should not be defined 
DNS Servers should be defined 
Register this connection’s address in DNS – Enabled 
File and Printer Sharing for Microsoft Networks – Enabled 
Client for Microsoft Networks – Enabled 
NetBIOS over TCP/IP – Default or Enabled

Default Gateway should be defined 
DNS Servers should not be defined 
Register this connection’s address in DNS – Disabled 
File and Printer Sharing for Microsoft Networks – Disabled 
Client for Microsoft Networks – Disabled 
NetBIOS over TCP/IP – Disabled
  • Enrol IP-HTTPS and IPsec certificates
On UAG01 - Request certficate
Import to UAG02
  • Install UAG + UAG and TMG updates
UAG SP1  -http://www.microsoft.com/en-us/download/details.aspx?id=13885 Includes TMG SP1 and SP1U1 and includes UAG Update 1 and 2

  • Repeat for additional UAG servers
Step 4: Configure UAG Array
  • Configure first UAG server as the array manager
Start UAG management
Complete Step 1 - Configure Network Settings
Step 2 Define Server Topology
Select Array Member
Select Set this server as the array manager
Specify the user account created earlier

Step 3 complete it and select yes or no to participate

Activate the changes
  • Add additional UAG servers to the ‘Managed Server Computers’ computer set in TMG
Open the TMG console
Select the Firewall Policy
From the Tool box - Network Object - Managed Server Computers

  • Join additional UAG servers to the array
Start UAG management
Complete Step 1 - Configure Network Settings
Step 2 Define Server Topology
Select Array Member
Select Add this server to an array
Specify the FQDN of the array manager
Specify the service account created earlier

Step 5: Configure UAG NLB
  • Define internal NLB virtual IP address with unicast mode
  • Define external NLB virtual IP addresses (at least two consecutive) with unicast mode
On the array manager open the UAG management console
From the Admin Menu select Network Load balancing
Add- External – Specify the first external VIP and additional ones
ADD – Internal – Specify a VIP
Apply the changes – Use the Activation Monitors to see that the changes are applied to both nodes.
  • Start NLB on each array member
Start the UAG Web Monitor console
Select Array Monitor
Check the Servers – from the drop down box select Start click apply

Step 6: Configure UAG DirectAccess
  • Enable NAT64/DNS64
Form The UAG Management console select Direct Access
Step 1 – Configure
Select “Allow DirectAccess client......”
Select your domain
Modify the Policies and give then appropriate names – UAG DirectAccess - <Role>
 Select Client group or OU

Step 2 – Configure
Select Windows Network Load Balancing
Proceed past the warning if you have installed 2008R2 SP1
Select the First external VIP
Select the Internal VIP
Take note of the IP addresses that need to be configured for ISATAP
Select the certificate created and installed earlier
For IPSec certificate authentication select the Intermediary form which you requested your computer certificate

  • Define appropriate NRPT entries (Name Resolution Policy table)

Step 3 - Configure
Specify the URL for the network location -NLS server and validate
Accept Default DNS entries
Add an exclusion for your WPAD specified proxy servers and wpad name
Management servers are servers that provide services such as Antivirus updates WSUS etc
When done – Apply Policy
Check the review and – Apply Now
If you get error for creating the GPO it might be because of the Replication that has not yet occurred.  In this case give it a few minutes and try again.
When activating the changes you might also get an error relating to the GPO not being present – for this also just wait it out for a few minutes and try again

Step 7: Configure DirectAccess Clients
  • Enrol IPsec certificates
Manually request or autenroll the computer with a “Computer Certificate”
  • Add clients to DirectAccess security group and reboot
Add the Computer account of the client machine to the “Direct Access Computers” group created earlier this is the one referenced in Direct Access Wizard
  • Install DCA client
Part 1  - Configure Group Policy
Downlaod the DCA zip file and extract the files
To be able to use the Direct Access components you need to add the ADMX and ADML files to your group policy central store.
One a domain controller copy the admx file to:
And copy the adml file to:
C:\Windows\SYSVOL\sysvol\ yourdomain.com \Policies\PolicyDefinitions\en-us
Allow a few minutes for replication to the Central Stores
Open the Group Policy Management console
Locate and edit the UAG DirectAccess Clients group policy (created by the UAG DA Wizard)
Expand the policy to Computer Configuration/Policies/Administrative Templates/DirectAccess Connectivity Assistant/
Corporate Resources - This will affect whether the DCA shows active or broken connection
Here specify resources that are normally accessible to DirectAccess clients.  In my case I specified a ping to two domain controller configured with IPv6
Read the description and specify values for Corporate Portal Site, Portal Name and Support Email
LocalNamesOn – Setting allows the client to manually switch between using domain and public DNS (useful for troubleshooting)

Part 2  - Deploy the MSI
Use whatever your preferred automation method is or manually install/

Step 8: Configure Active Directory and DNS
  • Add IPv6 prefixes and assign to AD sites
  • Add DNS reverse lookup zones for IPv6 prefixes

Step 9: Test DirectAccess
  • Test internal ISATAP
Open a command prompt and Ping the UAG internal IP address
The reply should come back with a ISATAP result as in hex: hex: hex: hex: hex: hex: should look something like 2002:a504:b1f:8000:0:5efe:
  • Test external Teredo, 6to4 and IP-HTTPS
Disconnect the machine from the internal network and connect to a direct internet link
IPconfig /all
Look for Tunnel Adapter IPHTTPSInterface
There should be a few IPv6 addresses listed there
Ping a host on the internal  network with IPv6 enabled
You should get an IPv6 ISATAP reply

Step 10: Complete Post-Installation Tasks
  • Define custom TMG rules for systems management (SCOM, SCCM, Cert Enrolment etc.)
  • Apply UAG SCW hardening template using Group Policy
  • Install and run UAG BPA


Jason Jones said...


I have my own build documents behind these 10 steps, but I have to be a bit careful about giving away too much intellectual property for my company! :)

Etienne Liebetrau said...

If nothing else - this illustrates that no matter how simple you try make the DirectAcess deployment it is a complex build. But it is creepy how well it works and is just always on

Thanks for the base template!

Meluso said...

Nice article! But I am waiting for Windows Server 2012 for DirectAccess. The deployment there seems simpler.

Etienne Liebetrau said...

Yes it is probably the way to go - if you have the option to wait till then....

Post a Comment