Hey folks – since the TLGs are typically put up only in the download center, it makes discoverability of some of the cool content inside of them hard when it comes to search engines. Therefore, I’m going to post the full text of the TLGs on the Edge Man blog. However, I recommend that you download the Word .doc version of the TLGs when you actually put together your Test Lab using the Test Lab Guides.

For a downloadable version of the Test Lab Guide – Demonstrate UAG SP1 RC DirectAccess with SSTP check out:

http://go.microsoft.com/fwlink/?LinkId=206283

==================================================

Introduction

DirectAccess is a new feature in the Windows 7 and Windows Server 2008 R2 operating systems that gives users the experience of being seamlessly connected to their intranet any time they have Internet access. With DirectAccess enabled, requests for intranet resources (such as e-mail servers, shared folders, or intranet Web sites) are securely directed to the intranet, without requiring users to connect to a VPN. DirectAccess provides increased productivity for a mobile workforce by offering the same connectivity experience both inside and outside the office.

Forefront Unified Access Gateway (UAG) SP1 RC extends the value of the Windows DirectAccess solution by adding features that meet the requirements of many enterprise deployments:

  • Support for arrays of up to 8 UAG DirectAccess servers where configuration is done once on an array master and is automatically deployed to all other members of the array
  • Support for Network Load Balancing, which enables the UAG DirectAccess SP1 RC array to be highly available without requiring the use of an external hardware load balancer
  • Support for IPv4-only networks, network segments, or server or application resources with the help of NAT64/DNS64 IPv6/IPv4 transition technologies.

To learn more about UAG DirectAccess, see the following resources:

· Forefront UAG DirectAccess Design Guide

· Forefront UAG DirectAccess Deployment Guide

UAG SP1 RC supports hosting multiple roles on a single UAG server or UAG array. For example, you might want to host both the DirectAccess server and SSTP VPN server roles on the same server or array. Windows 7 clients that are configured DirectAccess clients will automatically use DirectAccess to connect to intranet resources. Windows 7 clients that are not domain members, or who are not configured as DirectAccess clients can use SSTP to connect to the intranet using a network level VPN connection. In addition, DirectAccess clients hosting applications that are not compatible with DirectAccess can connect to the SSTP VPN when they need to use the non-compatible application.

clip_image001Note

Non-Windows 7 operating systems (such as Windows Vista, Windows XP) can use the UAG Network Connector to connect to the intranet using a network level SSL VPN connection. However, you cannot host the Network Connector application on the same server or array that is also hosting DirectAccess. To support network level VPN connectivity for non-Windows 7 clients, you will need to deploy a second UAG server or array.

In this guide

This guide provides step-by-step instructions for configuring UAG DirectAccess SP1 RC with SSTP in a test lab so that you can see how it works. You will set up and deploy UAG DirectAccess SP1 RC using five server computers, two client computers, Windows Server 2008 R2 Enterprise edition, and Windows 7 Ultimate Edition. The Test Lab simulates intranet, Internet, and a home networks, and demonstrates a co-located Forefront UAG DirectAccess and SSTP VPN server role deployment. The starting point for this paper is the Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess .

clip_image002Important:

These instructions are designed for configuring a test lab using the minimum number of computers. Individual computers are needed to separate the services provided on the network, and to show clearly the required functionality. This configuration is not designed to reflect best practices, nor does it reflect a required or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed to work only on a separate test lab network. For more information on planning and deploying DirectAccess with Forefront UAG, please see the Forefront UAG DirectAccess design guide and the Forefront UAG DirectAccess deployment guide

Overview of the test lab scenario

In this test lab scenario, Forefront UAG DirectAccess SP1 RC is deployed with:

  • One computer running Windows Server 2008 R2 Enterprise Edition (DC1), that is configured as an intranet domain controller, Domain Name System (DNS) server, Dynamic Host Configuration Protocol (DHCP) server, and an enterprise root certification authority (CA).
  • One intranet member server running Windows Server 2008 R2 Enterprise Edition (UAG1), that is configured as a Forefront UAG SP1 RC DirectAccess and SSTP VPN server.
  • One intranet member server running Windows Server 2008 R2 Enterprise Edition (APP1) that is configured as a general application server and network location server.
  • One intranet member server running Windows Server 2003 SP2 (APP3) that is configured as an IPv4 only web and file server. This server is used to highlight the UAG’s NAT64/DNS64 capabilities.
  • One standalone server running Windows Server 2008 R2 Enterprise Edition (INET1) that is configured as an Internet DNS and DHCP server.
  • One standalone client computer running Windows 7 Ultimate Edition (NAT1), that is configured as a network address translator (NAT) device using Internet Connection Sharing.
  • One roaming domain member client computer running Windows 7 Ultimate Edition (CLIENT1) that is configured as a DirectAccess client.

The test lab consists of three subnets that simulate the following:

  • A home network named Homenet (192.168.137.0/24) connected to the Internet subnet by NAT1.
  • The Internet subnet (131.107.0.0/24).
  • The Corpnet subnet (10.0.0.0/24) separated from the Internet by the Forefront UAG DirectAccess server.

Computers on each subnet connect using either a physical or virtual hub or switch, as shown in the following figure.

clip_image004

Configuration component requirements

The following components are required for configuring Forefront UAG DirectAccess in the test lab:

  • The product disc or files for Windows Server 2008 R2 Enterprise Edition.
  • The product disc or files for Windows Server 2003 Enterprise SP2
  • The product disc or files for of Windows 7 Ultimate.
  • Five computers or virtual machines that meet the minimum hardware requirements for Windows Server 2008 R2 Enterprise; two of these computers has two network adapters installed.
  • One computer or virtual machine that meets the minimum hardware requirements for Windows Server 2003 SP2
  • Two computers or virtual machines that meet the minimum hardware requirements for Windows 7 Ultimate; one of these computers has two network adapters installed (NAT1).
  • The product disc or a downloaded version of Microsoft Forefront Unified Access Gateway (UAG) SP1 RC.

This Test Lab Guide demonstrates a combined UAG SP1 RC DirectAccess and SSTP deployment.

clip_image005Important

The following instructions are for configuring a test lab using the minimum number of computers. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. It is important to remember that this configuration is neither designed to reflect best practices nor does it reflect a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed only to work on a separate test lab network.

Attempting to adapt this test lab configuration to a pilot or production deployment can result in configuration or functionality issues. To ensure proper configuration and operation of UAG DirectAccess and SSTP, please refer to the Forefront UAG DirectAccess Deployment Guide for the steps to configure the UAG DirectAccess server and supporting infrastructure servers.

Steps for configuring the test lab

The following sections describe how to configure UAG1 as both a DirectAccess and SSTP VPN server. After UAG1 is configured, this guide provides steps for demonstrating the DirectAccess and SSTP VPN functionality for CLIENT1 when it is connected to the Homenet subnet.

clip_image001[1]Note

You must be logged on as a member of the Domain Admins group or a member of the Administrators group on each computer to complete the tasks described in this guide. If you cannot complete a task while you are logged on with an account that is a member of the Administrators group, try performing the task while you are logged on with an account that is a member of the Domain Admins group. For all tasks described in this document you can use the CONTOSO\User1 account created when you went through the steps in the UAG DirectAccess Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess.

The following procedures are performed to enable and allow you to test the UAG SP1 RC DCA:

· Step 1: Complete the Demonstrate UAG SP1 RC DirectAccess Test Lab Guide – The first step is to complete all the steps in the Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess.

· Step 2: Create the HTTPS Trunk. UAG uses the concept of “trunk” as the primary listener for incoming SSL connections to a UAG portal page. In this step you will create an SSL Trunk that can be used to create a portal page that includes the SSTP VPN application.

· Step 3: Configure the Remote Network Access Settings. The SSTP application requires configuration of a number of settings before it can be deployed. In this step you will configure these settings.

· Step 4: Add the SSTP Remote Network Access Application to the Trunk. In order for users to access the SSTP VPN application, that application must be added to a trunk. In this step you will add the SSTP application to the HTTPS trunk.

· Step 5: Activate the Configuration and View Activation in the Activation Monitor. You need to activate the configuration after adding the SSTP VPN application to the trunk. In this step you will activate the configuration and view the activation process in the Activation Monitor.

· Step 6: Test DirectAccess and SSTP Connectivity. After activation is complete, you are ready to test both DirectAccess and SSTP connectivity. In this step you will confirm DirectAccess connectivity and then start an SSTP VPN connection through the portal.

· Step 7: Snapshot the configuration. After completing the Test Lab, take a snapshot of the working UAG DirectAccess with SSTP Test Lab so that you can return to it later to test additional scenarios.

clip_image001[2]Note

You will notice that there are several steps that begin with an asterisk (*). The * indicates that the step requires that you move to a computer or virtual machine that is different from the computer or virtual machine you were at when you completed the previous step.

STEP 1: Complete the Demonstrate UAG SP1 RC DirectAccess Test Lab Guide

The first step is to complete all the steps in the Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess. After completing the steps in that Test Lab Guide you will have the core infrastructure required to complete this Test Lab Guide on how to configure the UAG DirectAccess DCA. If you have already completed the steps in that Test Lab Guide and saved a snapshot or disk image of the Test Lab, you can restore the snapshot or image and begin with the next step.

STEP 2: Create the HTTPS Trunk

UAG uses the concept of “trunk” as the primary listener for incoming SSL connections to a UAG portal page. In this step you will create an SSL Trunk that can be used to create a portal page that includes the SSTP VPN application.

  1. At the UAG1 computer or virtual machine, log on as CORP\User1. Click Start and then click All Programs. Click Microsoft Forefront UAG and then click Forefront UAG Management.
  2. In the right pane of the console, click Allow remote access to the UAG server via an HTTPS trunk.
  3. On the Welcome to the Create Trunk Wizard page, click Next.
  4. On the Step 1 – Select Trunk Type page, select the Portal trunk option and click Next.
  5. On the Step 2 – Setting the Trunk page, in the Trunk name text box, enter HTTPSTrunk. In the Public host name text box, enter uag1.contoso.com. In the External Web Site section, confirm that the IP address is 131.107.0.2. Confirm that the HTTP port is 80 and confirm that the HTTPS port is 443. Click Next.
  6. On the Step 3 – Authentication page, click the Add button. In the Authentication and Authorization Servers dialog box, click the Add button.
  7. In the Add Authentication Server dialog box, in the Server type drop down list, confirm that Active Directory is selected. In the Server Name text box, enter dc1.corp.contoso.com. In the Connection Settings section, select Use local Active Directory forest authentication. In the Search Settings section, click the ellipses (…) button. In the Search Root (Base DN) dialog box, confirm that the Select Base DN entry is CN=Users,DC=corp,DC=contoso,DC=com. Click OK. In the Server access section, in the User (domain\user) text box, enter CORP\User1. In the Password text box, enter User1’s password. Click OK.
  8. In the Authentication and Authorization Servers dialog box, click Select. On the Step 3 – Authentication page, confirm that User selects from a server list is selected and that there is a checkmark in the Show server names checkbox. Click Next.
  9. On the Step 4 – Certificate page, confirm that uag1.contoso.com appears in the Server certificate drop down list. Click Next.
  10. On the Step – 5 Endpoint Security page, select the Use Forefront UAG access policies option and click Next.
  11. On the Step 6 – Endpoint Policies page, in the Nonprivileged access policy dropdown box, select Always. Note that we select Always in this Test Lab because the default access policy requires that clients have antivirus software installed. In this Test Lab CLIENT1 does not have antivirus software installed so we need to change from the default Nonprivileged access policy to one that will allow a system without antivirus software to access the portal. Click Next.
  12. On the Completing the Create Trunk Wizard page, click Finish.
  13. In the Trunk Configuration section, click the Configure button. On the Advanced Trunk Configuration [HTTPSTrunk] page, click the Session tab. In the Default Sessions Settings section, in the Inactive session timeout (seconds) text box, enter 1800. In the Trigger automatic logoff after text box, enter 1440. Click OK.
  14. Click the File menu and click Activate. On the Activate Configuration page, click the Activate button. Click Finish when the activation completes.

STEP 3: Configure the Remote Network Access Settings

The SSTP application requires configuration of a number of settings before it can be deployed. In this step you will configure these settings.

  1. In the Microsoft Forefront Unified Access Gateway Management console, click the Admin menu and point to Remote Network Access. Click on SSL Network Tunneling (SSTP)… .
  2. In the SSL Network Tunneling Configuration dialog box, on the General tab, put a checkmark in the Enable remote client VPN access checkbox. In the Maximum VPN Client connections text box, enter 10. In the SSL Tunneling VPN Trunk section, from the Trunk drop down list, select HTTPSTrunk. Confirm that is says uag1.contoso.com in the Public host name box.
  3. Click the Protocols tab. Confirm that there is a checkmark in the Secure Socket Tunneling Protocol (SSTP). Note that while there are checkboxes for Point-to-Point Tunneling Protocol (PPTP) and Layer Two Tunneling Protocol (L2TP)/IPsec, they are not functional. UAG SP1 does not support PPTP or L2TP/IPsec network level VPN protocols.
  4. Click the IP Address Assignment tab. Select the Assign address using DHCP. Note that you can use this option only when you have a single server deployment. If you have a UAG array and want to enable SSTP support, you will need to assign a static address pool to each of the servers in the array and the addresses used in each pool must be different on each server.
  5. Click on the User Groups tab. On this tab you can limit SSTP access on a per group basis to selected assets on the intranet. In this test lab we will not enable this feature. Click OK.

STEP 4: Add the SSTP Remote Network Access Application to the Trunk

In order for users to access the SSTP VPN application, that application must be added to a trunk. In this step you will add the SSTP application to the HTTPS trunk.

  1. In the right pane of the console, in the Applications section, click the Add button.
  2. On the Welcome to the Add Application Wizard page, click Next.
  3. On the Step – 1 page, select the Client/server and legacy option. From the drop down list, select Remote Network Access. Click Next.
  4. On the Step 2 – Configure Application page, in the Application name text box, enter SSTP VPN. Click Next.
  5. On the Step 3 – Select Endpoint Policies page, in the Access policy drop down box, select Always. The reason we select this option in the Test Lab is that the default setting requires the client to have antivirus software installed, and in this Test Lab CLIENT1 does not have antivirus software installed. Click Next.
  6. On the Step 4 – Configure Server Settings page, make no changes and accept the default values. Click Next.
  7. On the Step 5 – Portal Link page, make no changes and click Next.
  8. On the Step 6 – Authorization page, confirm that there is a checkmark in the Authorize all users checkbox and click Next.
  9. On the Completing the Add Application Wizard page, click Finish.

STEP 5: Activate the Configuration and View Activation in the Activation Monitor

You need to activate the configuration after adding the SSTP VPN application to the trunk. In this step you will activate the configuration and view the activation process in the Activation Monitor.

  1. Click Start and then click All Programs. Click Microsoft Forefront UAG and then click Forefront UAG Activation Monitor. In the Use Account Control dialog box, click Yes. It may take a minute or two for the Activation Monitor to open. Maximize the Activation Monitor after it opens, and then minimize the window.
  2. In the Microsoft Forefront Unified Access Gateway Management console, click the File menu and then click Activate. In the Activate Configuration dialog box, click the Activate button.
  3. Maximize the Forefront Unified Access Gateway Activation Monitor. Click the UAG1 node in the left pane of the console. Notice in the right pane that it tells you the time when the activation started. Click the Options button. In the Autorefresh Interval (sec) text box, enter 10 and then click OK.
  4. When the activation completes, scroll through the output in the right pane. This provides you information about what happened during the activation process. At the bottom of the output, you should see Activation completed successfully. Minimize the Forefront Unified Access Gateway Activation Monitor console.
  5. In the Activate Configuration dialog box, click Finish.

STEP 6: Test DirectAccess and SSTP Connectivity

After activation is complete, you are ready to test both DirectAccess and SSTP connectivity. In this step you will confirm DirectAccess connectivity and then start an SSTP VPN connection through the portal.

  1. *Move the CLIENT1 computer to Homenet subnet and then log on as CORP\User1.
  2. Open an elevated command prompt. In the command prompt window enter ipconfig and press ENTER. You should see an IPv6 address assigned to Tunnel adapter Teredo Tunneling Pseudo-Interface. In the command prompt window, enter ping dc1 and press ENTER. You should see four responses from the ISATAP address assigned to DC1. In the command prompt window, enter net view \\dc1 and press ENTER. You should see a list of shares on DC1. This indicates that the infrastructure tunnel is working properly over DirectAccess.
  3. In the command prompt window, enter ping app1 and press ENTER. You should see four responses from the ISATAP address assigned to APP1. This indicates that name resolution is working correctly. At the command prompt window, enter net view \\app1 and press ENTER. You should see a list of shares on APP1. This indicates that the intranet tunnel is working correctly over DirectAccess.
  4. In the command prompt window, enter netsh namespace show effectivepolicy and press ENTER. You should see that the Name Resolution Policy Table is active and it shows that there are two entries in the NRPT.
  5. Open Internet Explorer. In the address bar, enter https://uag1.contoso.com and press ENTER. Endpoint components will be downloaded to CLIENT1. In the information bar in Internet Explorer, click the This website want to install the following add-on…” and then click Install This Add-on for All Users on This Computer. Click Yes in the User Account Control dialog box. In the Forefront UAG endpoint components dialog box, put a checkmark in the do not show this message again checkbox and click Yes. You will see Downloading Endpoint Component Manager on the web page with a progress bar. In the Security Alert dialog box, put a checkmark in the Trust this site checkbox and then select the Always option. Click Trust. The web page will now say Checking for device compliance.
  6. The Application and Network Access Portal page should now appear. If you see a mobile log on page, close Internet Explorer and open it again and go to https://uag1.contoso.com. In the User name text box, enter CORP\User1 and in the Password text box, enter User1’s password. Click Log On.
  7. The Application and Network Access Portal now appears. You can see an entry for SSTP VPN in both the left and right panes of the console. Click the SSTP VPN link in the right pane of the console. A new web page window will open. That web page will disappear and you will see an icon with a balloon that says Forefront UAG Remote network Access Connection started. Right click on the icon and click Show Status. In the Portal Activity dialog box, in the Active Connections section, you will see the URL that CLIENT1 is connect to and the time that Remote Network Access started. In the Launched Applications section, you will see the application is SSTP VPN. Click Hide.
  8. Return to the elevated command prompt window. In the command prompt window, enter ipconfig and press ENTER. You will see an IPv4 address assigned to PPP adapter UAGSSTPVPN. You will also see an ISATAP address assigned based on the PPP adapter’s IPv4 address; this enables CLIENT1 to communicate with IPv6 only servers on the intranet through the SSTP VPN connection.
  9. In the command prompt window, enter ping dc1 and press ENTER. You will see four responses from the IPv6 ISATAP address of DC1. In the command prompt window, enter ping app1 and press ENTER. You will see four responses from the IPv6 ISATAP addresses assigned to APP1. In the command prompt window, enter ping app3 and press ENTER. In this case you see four responses from the IPv4 address assigned to APP3. Remember, APP3 is an IPv4 only resource. In the command prompt window, enter netsh namespace show effectivepolicy. You should see the output say Note: DirectAccess settings would be turned off when computer is inside corporate network. The reason for this is that when the SSTP connection was established, CLIENT1 was able to resolve the name of the Network Location Server (nls.corp.contoso.com), which causes the NRPT to disable itself.
  10. Click Start and then in the Search box enter wf.msc and press ENTER. In the Windows Firewall with Advanced Security console, navigate to the Monitoring\Security Associations\Main Mode node in the left pane of the console. Note that there are no security associations, indicating that DirectAccess has been disabled. Click the top node, Windows Firewall with Advanced Security on Local Computer. In the right pane you will see that Domain Profile is Active – this is the reason why DirectAccess is disabled, as the DirectAccess related Connection Security Rules that establish the DirectAccess IPsec tunnels are not available when the Domain Profile is active on the DirectAccess client computer.
  11. Right click the Remote Network Access icon in the System Notification Area. Click Disconnect Remote Network Access. In the Windows Firewall with Advanced Security console, click Refresh in the right pane. Notice that the Domain Profile is no longer active and the current profile is Public Profile is Active. Network Location Awareness determined that CLIENT1 was no longer connected to the intranet and changed the Firewall Profile settings. Navigate to the Monitoring\Security Associations\Main Mode node in the left pane of the console. You will see a Main Mode security association, indicating that the DirectAccess intranet tunnel has come up automatically.
  12. Return to the elevated command prompt. In the command prompt window, enter ping APP3 and press ENTER. Notice that this time there are four responses from an IPv6 address. This IPv6 address is generated by the NAT64 feature in UAG.
  13. Close the command prompt window. Close the Windows Firewall with Advanced Security console. Close Internet Explorer. Click Yes in the SSL Application Tunneling dialog box.

STEP 7: Snapshot the Configuration

This completes the UAG SP1 RC DirectAccess with SSTP test lab. To save this configuration so that you can quickly return to a working UAG SP1 RC DirectAccess Connectivity Assistant configuration from which you can test other DirectAccess modular TLGs, TLG extensions, or for your own experimentation and learning, do the following:

  1. On all physical computers or virtual machines in the test lab, close all windows and then perform a graceful shutdown.
  2. If your lab is based on virtual machines, save a snapshot of each virtual machine and name the snapshots TLG UAG DirectAccess SP1RC SSTP. If your lab uses physical computers, create disk images to save the DirectAccess test lab configuration.

Additional Resources

For more information on UAG and SSTP, see Setting up Remote Network Access.

For procedures to configure the Base Configuration test lab on which this document is based, see the Test Lab Guide: Base Configuration.

For procedures to configure UAG SP1 RC DirectAccess on which this document is based, see the Test Lab Guide: Demonstrate Forefront UAG SP1 RC DirectAccess.

For a comprehensive list of Test Lab Guides, please see Test Lab Guides.

For a list of UAG DirectAccess related Test Lab Guides, please see UAG DirectAccess Test Lab Guide Portal Page

For the design and configuration of your pilot or production deployment of DirectAccess, see the Forefront UAG DirectAccess design guide and the Forefront UAG DirectAccess deployment guide.

For information about troubleshooting DirectAccess, see the DirectAccess Troubleshooting Guide.

For information on troubleshooting UAG DirectAccess in a Test Lab, see Test Lab Guide: Troubleshooting UAG DirectAccess.

For more information about DirectAccess, see the DirectAccess Getting Started Web page and the DirectAccess TechNet Web page.

==================================================

Tom Shinder
tomsh@microsoft.com
Knowledge Engineer, Microsoft DAIP iX/Forefront iX 
UAG Direct Access/Anywhere Access Group (AAG)
The “Edge Man” blog (DA all the time):
http://blogs.technet.com/tomshinder/default.aspx
Follow me on Twitter:
http://twitter.com/tshinder
Facebook:
http://www.facebook.com/tshinder