Hey folks – since the TLGs are typically put up only in the download center, it makes discoverability of some of the cool content inside of them hard when it comes to search engines. Therefore, I’m going to post the full text of the TLGs on the Edge Man blog. However, I recommend that you download the Word .doc version of the TLGs when you actually put together your Test Lab using the Test Lab Guides.
For a downloadable version of the Test Lab Guide – Demonstrate UAG SP1 RC DirectAccess Force Tunneling check out:
Forefront Unified Access Gateway (UAG) 2010 SP1 RC DirectAccess provides users with the experience of being seamlessly connected to their intranet any time they have Internet access. When DirectAccess is enabled, requests for intranet resources (such as e-mail servers, shared folders, or intranet Web sites) are securely directed to the intranet, without the need for users to connect to a VPN. DirectAccess enables increased productivity for a mobile workforce by offering the same connectivity experience both inside and outside of the office. Forefront UAG SP1 RC DirectAccess extends the benefits of Windows DirectAccess across your infrastructure by enhancing availability and scalability, as well as simplifying deployments and ongoing management. For more information, see Overview of Forefront UAG DirectAccess.
IT professionals can benefit from UAG 2010 SP1 RC DirectAccess in many ways:
· Improved Manageability of Remote Users. Without DirectAccess, IT professionals can only manage mobile computers when users connect to a VPN or physically enter the office. With DirectAccess, IT professionals can manage mobile computers by updating Group Policy settings and distributing software updates any time the mobile computer has Internet connectivity, even if the user is not logged on. This flexibility allows IT professionals to manage remote computers on a regular basis and ensures that mobile users stay up-to-date with security and system health policies.
· Secure and Flexible Network Infrastructure. Taking advantage of technologies such as Internet Protocol version 6 (IPv6) and Internet Protocol security (IPsec), DirectAccess provides secure and flexible network infrastructure for enterprises. Below is a list of DirectAccess security and performance capabilities:
Authentication. DirectAccess authenticates the computer, enabling the computer to connect to the intranet before the user logs on. DirectAccess can also authenticate the user and supports two-factor authentication using smart cards.
Encryption. DirectAccess uses IPsec to provide encryption for communications across the Internet.
Access to IPv4-only intranet resources. UAG SP1 RC DirectAccess extends the value of Windows DirectAccess with NAT64/DNS64, an IPv6/IPv4 protocol transition technology that enables DirectAccess client connectivity to IPv4-only resources on the intranet.
· High availability and array configuration. UAG DirectAccess extends the value of Windows DirectAccess by adding integrated support for Network Load Balancing and array configuration, which work together to enable a highly available DirectAccess deployment.
· IT Simplification and Cost Reduction. By default, DirectAccess separates intranet from Internet traffic, which reduces unnecessary traffic on the intranet by sending only traffic destined for the intranet through the DirectAccess server. Optionally, IT can configure DirectAccess clients to send all traffic through the DirectAccess server, which is referred to as Force Tunneling.
The following figure shows a DirectAccess client on the Internet.
This paper contains instructions for configuring and demonstrating UAG SP1 RC DirectAccess using six server computers and two client computers. The starting point for this paper is a Test Lab based on the Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess. The resulting DirectAccess test lab simulates an intranet, the Internet, and a home network and demonstrates DirectAccess functionality in different Internet connection scenarios when DirectAccess Force Tunneling is enabled.
Force tunneling is used when you want all traffic, both intranet and Internet, to go through the UAG DirectAccess server. The default setting for UAG DirectAccess is split tunneling. When Force Tunneling is enabled, all traffic must go through the DirectAccess tunnels. For a DirectAccess client to reach the Internet, the client must be configured to use a web proxy server, or to use the NAT64/DNS64 service on the UAG DirectAccess server to route connections to the Internet (sometimes referred to “bouncing” the connections off the UAG DirectAccess server to the Internet). This guide provides step by step instructions that allow you to demonstrate how to use both methods of Internet access for Force Tunneling enabled DirectAccess clients.
These instructions are designed for configuring a Test Lab using the minimum number of computers. Individual computers are needed to separate the services provided on the network, and to show clearly the required functionality. This configuration is not designed to reflect best practices, nor does it reflect a required or recommended configuration for a production network. The configuration, including IP address assignment and all other configuration parameters, is designed to work only on a separate Test Lab network. For more information on planning and deploying DirectAccess with Forefront UAG for your production network, please see the Forefront UAG DirectAccess design guide and the Forefront UAG DirectAccess deployment guide
In this test lab scenario, Forefront UAG DirectAccess is deployed with:
The test lab consists of four subnets that simulate the following:
Computers on each subnet connect using either a physical or virtual hub or switch, as shown in the following figure.
This guide provides step by step instructions on how to build a test lab that will enable you to test the new UAG SP1 RC Force Tunneling configuration feature. Force Tunneling forces DirectAccess clients to always use the DirectAccess tunnels for any kind of communication, including both intranet and Internet communications. When you configure DirectAccess clients to use Force Tunneling, you can enable one of two methods of Internet access for the DirectAccess client.
These methods include:
· Web proxy – You can configure the force tunneling DirectAccess clients on the Internet to use a web proxy on your intranet to gain Internet access. When using the web proxy option, the DirectAccess clients are limited to using web proxy supported protocols when connecting to Internet resources, which typically are HTTP and HTTPS.
· UAG NAT64/DNS64 – If you need your force tunneling DirectAccess clients to access Internet using protocols other than those supported by a web proxy, and you configure them to use the UAG server’s NAT64/DNS64 service to route the connections through the UAG server to the Internet. You can put a web proxy or other web content filtering device in front of the UAG DirectAccess server if you want to control site access and perform malware filtering.
Note that the default configuration for DirectAccess clients is split tunneling. When split tunneling is enabled, connections to the intranet are forwarded through the DirectAccess IPsec tunnels and connections to the Internet are made through the client’s existing Internet connection. Force Tunneling represents a departure from the default configuration.
The following components are required for configuring Forefront UAG DirectAccess in the test lab:
The following steps describe how to configure the server and client computers, and configure the Forefront UAG DirectAccess server, in a test lab. Following these configurations you can verify DirectAccess connectivity from the Internet and Homenet subnets, and show how Force Tunneling DirectAccess clients connect to the Internet using both Internet access models (web proxy and NAT64/DNS64).
You must be logged on as a member of the Domain Admins group or as a member of the Administrators group on each computer to complete the tasks described in this guide. If you cannot complete a task while you are logged on with an account that is a member of the Administrators group, try performing the task while you are logged on with an account that is a member of the Domain Admins group.
· Step 1: Complete the UAG SP1 RC DirectAccess Test Lab Guide. The UAG SP1 RC Test Lab Guide provides step by step instructions on how to create a working DirectAccess solution. The steps in this Test Lab Guide build on the steps in the UAG SP1 RC Test Lab Guide.
· Step 2: Configure INET1 for Internet Access. INET1 is currently configured with a single network adapter that is connected to the Internet subnet. In this step you will add a second network adapter and connect that adapter to a “live” network that provides a path to the actual Internet. You will then install and configure RRAS on INET1 so that it can act as a NAT router for live Internet connections from UAG1 and TMG1.
· Step 3: Install and Configure TMG1. When force tunneling is enabled for DirectAccess clients, you can provide DirectAccess clients access to the Internet through a web proxy server. In this step you will install the operating system on TMG1 and then install Forefront Threat Management Gateway 2010 on TMG1 so that TMG1 can provide web proxy services to CLIENT1.
· Step 4: Configure the Default Gateway on UAG1 and DC1. UAG1 requires a path to the Internet. In this step you will configure UAG1 to use INET1 as its default gateway to provide that path. DC1 requires a path to the Internet to provide Internet name resolution. In this step you will configure DC1 to use TMG1 as its default gateway to provide that path.
· Step 5: Configure UAG1 for Force Tunneling and Web Proxy Access to the Internet. In this step you will configure UAG1 to require DirectAccess client Force Tunneling and enable Internet access for DirectAccess clients through the TMG web proxy on TMG1.
· Step 6: Update CLIENT1 and Test Proxy Access to the Internet. In this step you will update the Group Policy configuration on CLIENT1 and test its ability to reach the Internet through the web proxy on TMG1.
· Step 7: Configure UAG1 for Force Tunneling and NAT64/DNS64 Internet Access. In this step you will configure UAG1 to require DirectAccess client Force Tunneling and enable Internet access for DirectAccess clients through UAG1 by taking advantage of the UAG NAT64/DNS64 feature.
· Step 8: Update CLIENT1 and Test NAT64/DNS64 Access to the Internet. In this step you will update the Group Policy configuration on CLIENT1 and test its ability to reach the Internet through the NAT64/DNS64 service on UAG1.
· Step 9: Snapshot the Configuration – At the completion of the lab, snapshot the configuration so that you can later return to a working UAG DirectAccess Test Lab.
You will notice that there are several steps that begin with an asterisk (*). The * indicates that the step requires that you move to a computer or virtual machine that is different from the computer or virtual machine you were at when you completed the previous step within the same section.
This Test Lab Guide uses the UAG SP1 RC DirectAccess Test Lab Guide as a starting place. Please complete the steps in Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess before proceeding with the remainder of the steps in this guide. If you have already completed the steps in the UAG SP1 RC DirectAccess Test Lab Guide and have saved a disk image or a virtual machine snapshot of the working DirectAccess configuration, then you can restore the configuration and proceed to the next step.
In order to demonstrate a Force Tunneling DirectAccess client’s ability to access the Internet, you need a gateway to the live Internet. The Corpnet subnet, the Internet subnet, and the Homenet subnets you created when you completed the Base Configuration are isolated from the live network. In order to provide actual Internet access for CLIENT1 when acting as a DirectAccess client, you need to provide an Internet gateway that UAG1 and TMG1 can use to reach the Internet. INET1 will be this Internet gateway.
You will perform the following operations to configure INET1:
A. Add and Configure a Second Network Adapter on INET1. INET1 is currently connected to the Internet subnet. The first step is to add a second network adapter to INET1 and connect that adapter to a “live” network that provides access to the Internet.
B. Install the Routing and Remote Access Service. In this step you will install the Routing and Remote Access Service on INET1 so that it can provide NAT-based access to the Internet for UAG1 and TMG1.
C. Configure INET1 as a NAT server. In this step you will configure the Routing and Remote Access service so that INET1 can act as a NAT server.
The first step is to install a second network adapter on INET1. This adapter must be connected to your live network and be assigned IP addressing information that enables it to reach the Internet through your existing Internet gateway. If your live network is configured to provide addressing information through DHCP, you can configure this second network adapter to use DHCP. If your network doesn’t provide IP addressing information that would enable Internet access automatically, then you will need to manually configure the IP addressing information on the second adapter to provide INET1 Internet access. In both cases, make sure that the IP addressing information provided includes a DNS server that can resolve Internet host names so that you can test Internet connectivity from INET1.
After the second adapter is installed and configured, test Internet connectivity on INET1. To test Internet connectivity, open a command prompt on INET1 and enter ping www.arin.net and press ENTER. You should receive four responses to your ping request. You can then close the command prompt window.
Now that you have installed the second network adapter on INET1, you are ready to install the Routing and Remote Access service. Perform the following steps to install the Routing and Remote Access Service on INET1:
You are now ready to configure INET1 as a NAT server. Perform the following steps to configure INET1 as a NAT server:
When Force Tunneling is enabled for DirectAccess clients, they cannot access the Internet the Internet directly as split tunneling is disabled. There are two methods available that provide DirectAccess clients Internet access when Force Tunneling is enabled: Internet access through a web proxy device, or Internet access through the UAG DirectAccess server’s NAT64/DNS64 service. When Internet access is enabled through a web proxy, only HTTP and HTTPS Internet access is enabled.
In this step you will perform the following procedures:
A. Install the Operating System on TMG1. TMG1 is a new computer that is in first introduced in this Test Lab Guide. There you need to start by installing the operating system on the TMG1 computer or virtual machine. TMG1 must have two network adapters installed prior to installing the operating system.
B. Configure TCP/IP Properties on TMG1. After installation of the operating system is complete, the next step is to configure the IP addressing settings on the internal and external interfaces of TMG1.
C. Rename TMG1 and Join TMG1 to the CORP Domain. As a security best practice, the TMG firewall should be configured as a domain member. In this step you will rename the computer or virtual machine to TMG1 and join it to the CORP domain.
D. Install Forefront Threat Management Gateway (TMG) 2010 Standard Edition. After the operating system is installed and IP addressing is assigned, and the machine renamed and joined to the domain, the next step is to install the Threat Management Gateway 2010 software.
E. Configure the TMG Firewall for Internet Access. By default, the TMG firewall does not allow traffic to pass through it. In this step you will configure the TMG firewall to allow Internet traffic outbound.
Perform the following steps to install the operating system on the TMG1 computer or virtual machine:
Perform the following steps to configure the TCP/IP Properties on the adapters installed on TMG1:
Perform the following steps to rename the TMG1 computer or virtual machine and join it to the CORP domain:
TMG1 will act as a web proxy server to support Internet access for Force Tunneling enabled DirectAccess clients. Perform the following steps to install Threat Management Gateway (TMG) 2010, which will provide web proxy services to CLIENT1:
By default, the TMG firewall does not pass any traffic. In this step you will configure the TMG firewall with important initial configuration settings and then create a firewall rule that allows outbound traffic. Perform the following steps to configure the firewall and create the firewall rule:
When DirectAccess clients are configured for Internet access using the UAG NAT64/DNS64 services, the UAG server must be able to forward the connections to the Internet. This requires that UAG1 be configured with a default gateway that provides a route to the Internet. The default gateway for UAG1 is the Internet subnet interface on INET1. DC1 needs a gateway to the Internet in order to resolve Internet host names for the UAG server’s DNS64 service and for the web proxy service on TMG1. DC1 will use TMG1 as its gateway to the Internet.
The following operations are performed to configure UAG1 and DC1:
A. Configure the Default Gateway on UAG1. In this step you will configure UAG1 to use the Internet subnet interface on INET1 as its default gateway.
B. Configure the Default Gateway on DC1. In this step you will configure DC1 to use the Corpnet subnet interface on TMG1 as its default gateway.
Perform the following steps to configure the default gateway on UAG1:
Perform the following steps to configure the default gateway on DC1:
When DirectAccess clients are configured to use Force Tunneling, they are not able to reach the Internet except through the DirectAccess tunnel. There are two methods available for providing the Force Tunneling DirectAccess client access to the Internet: web proxy and NAT64/DNS64. In this step you will configure Force Tunneling on the UAG DirectAccess server so that Internet access is provided by the web proxy on TMG1. Perform the following steps to configure Force Tunneling and web proxy Internet access:
In this step you will update the Group Policy settings on CLIENT1 so that it uses Force Tunneling when acting as a DirectAccess client. You will then move CLIENT1 to the Homenet subnet to test the force tunneling configuration. After CLIENT1 connects to the Internet, you will review the log file entries on TMG1 to prove that the Internet connection was make through the web proxy.
The following operations configure CLIENT1:
A. Update Group Policy on CLIENT1. CLIENT1 needs updated Group Policy to enable Force Tunneling. In this step you will update Group Policy on CLIENT1.
B. Test Internet Access from CLIENT1 when Connected to Homenet. In this step you will move CLIENT1 to the Homenet subnet and test DirectAccess and Internet connectivity using Force Tunneling.
C. View CLIENT1 Internet Activity in TMG1 Log Files. In this step you will review the log file on TMG1 to confirm that CLIENT1 accessed the Internet through the TMG1 web proxy.
Perform the following steps to update Group Policy on CLIENT1:
In this step, you will connect CLIENT1 to the Homenet subnet and test Internet access across the DirectAccess tunnel through the web proxy on TMG1. Perform the following steps to test Internet access from the CLIENT1 DirectAccess client:
To demonstrate that the web connections were made over the web proxy on TMG1, we will look at the log file on the TMG1 computer or virtual machine. Perform the following steps to view the log file:
The second method DirectAccess clients configured for Force Tunneling can use to access the Internet is by using the NAT64/DNS64 service. When you use the UAG NAT64/DNS64 service, the connection is routed to the Internet by the UAG DirectAccess server. Perform the following steps to configure Force Tunneling to enable DirectAccess client access to the Internet through the NAT64/DNS64 services:
In this step you will update the Group Policy settings on CLIENT1 so that it uses Force Tunneling when acting as a DirectAccess client. After CLIENT1 connects to the Internet, you will review the log file entries on TMG1 to prove that the Internet connection was make through the web proxy.
A. Update Group Policy on CLIENT1. CLIENT1 is currently connected to the Homenet subnet. You will update Group Policy over the DirectAccess connection.
B. Test Internet Access from CLIENT1 when Connected to Homenet. In this step you will test Internet access from CLIENT1 through the UAG NAT64/DNS64 services.
C. View CLIENT1 Internet Activity in UAG1 TMG Log Files. In this step you will view the TMG log files on UAG1 to demonstrate that Internet connectivity is provided through UAG1.
Perform the following steps to test Internet access from CLIENT1 to the Internet:
Perform the following steps to view the TMG log file on the UAG1 machine:
This completes the DirectAccess test lab. To save this configuration so that you can quickly return to a working DirectAccess configuration from which you can test other DirectAccess modular TLGs, TLG extensions, or for your own experimentation and learning, do the following:
For procedures to configure the Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess on which this document is based, see the Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess.
For the design and configuration of your pilot or production deployment of DirectAccess, see the Forefront UAG DirectAccess design guide and the Forefront UAG DirectAccess deployment guide.
For information about troubleshooting DirectAccess, see the DirectAccess Troubleshooting Guide.
For information about troubleshooting DirectAccess in a Test Lab, see the Test Lab Guide: Troubleshoot UAG DirectAccess.
For a comprehensive list of UAG DirectAccess Test Lab Guides, see the TechNet wiki Test Lab Guide clearinghouse at Test Lab Guides.
For more information about DirectAccess, see the DirectAccess Getting Started Web page and the DirectAccess TechNet Web page.
Tom Shinder firstname.lastname@example.org Knowledge Engineer, Microsoft DAIP iX/SCD iX UAG Direct Access/Anywhere Access Group (AAG) The “Edge Man” blog (DA all the time): http://blogs.technet.com/tomshinder/default.aspx Follow me on Twitter: http://twitter.com/tshinder Facebook: http://www.facebook.com/tshinder
At first glance I thought that perhaps SP1 will remove the need for non-NAT'd public IP addresses on the external interface of UAG. Then I realised that the Internet connection in this test lab is only used to demonstrate outbound Internet access.
This test lab cannot be used to demonstrate DirectAccess when CLIENT1 is connected to the Internet.
Thanks for the feedback!
Are you saying that when CLIENT1 is connected to the simulated Internet, it cannot access the Internet when connected to the Internet subnet (the simulated Internet), or when CLIENT1 is connected to the real Internet?
It does demonstrate CLIENT1's ability to connect to the real Internet through the TMG web proxy or UAG server when connected to the Homenet subnet.
Do you have more detailed instructions for setting this up for Direct Access?