Tuesday, 19 October 2010

Deploying Forefront UAG DirectAccess in 8 Easy Steps!

Based upon recently spending some time creating customer build guides, I thought it might be useful to provide a high-level list of steps for deploying Forefront UAG DirectAccess. This is not an exhaustive step-by-step walkthrough, but it should cover the key high-level tasks involved. More detail can be found in the Forefront UAG DirectAccess TechNet documentation or by looking at Tom’s excellent Test Lab Guides (TLGs).

These steps are based upon deploying Forefront UAG DirectAccess using a single-server topology combined with ISATAP to support IPv6 intranet connectivity and NAT64 to support IPv4 intranet resources. This is a likely scenario for deployments with a relatively small number of users and an existing IPv4-based intranet.

Please Note: This deployment scenario does not include NAP or Smartcard authentication.

Step 1: Configure Supporting Infrastructure

  • Create ISATAP, NLS and IP-HTTPS DNS records
  • Create DirectAccess client and server security groups
  • Create DirectAccess certificate templates

Step 2: Configure Network Location Server

  • Create website and enrol/bind NLS certificate

Step 3: Prepare and Install UAG Server

  • Install OS, activate, run Windows Update, join AD domain
  • Configure network interfaces and amend bind order – see here
  • Configure static routes – see here
  • Enrol IP-HTTPS and IPsec certificates
  • Install UAG + UAG Update 1 + UAG Update 2 + TMG SP1 + TMG SP1U1

Step 4: Configure UAG DirectAccess

  • Enable NAT64/DNS64
  • Define appropriate NRPT entries

Step 5: Configure DirectAccess Clients

  • Enrol IPsec certificates
  • Add clients to DirectAccess security group and reboot
  • Install DCA client

Step 6: Configure Active Directory and DNS

  • Add IPv6 prefixes and assign to AD sites
  • Add DNS reverse lookup zones for IPv6 prefixes

Step 7: Test DirectAccess

  • Test internal ISATAP
  • Test external Teredo, 6to4 and IP-HTTPS

Step 8: Complete Post-Installation Tasks
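As an added example that is not part of the original post, the following PowerShell covers the DNS pieces of Steps 1 and 6 on a Windows Server 2008 R2 DNS server: it takes isatap out of the DNS global query block list (Windows DNS refuses to answer for the names isatap and wpad until that list is changed), registers the isatap and nls records with dnscmd, and derives the ip6.arpa reverse zone name for an IPv6 prefix. The server, zone names, addresses and prefix are constructed placeholders.

```powershell
# Added example, not code from the original post. Server, zone and
# addresses are constructed placeholders; substitute your own values.

function ConvertTo-Ip6ArpaZone {
    # Build the reverse-lookup zone name for a prefix such as "2002:cb00:710a:1::/64".
    param([Parameter(Mandatory)][string]$Prefix)
    $addr, $len = $Prefix.Split('/')
    $len = [int]$len
    if ($len % 4 -ne 0) { throw "Prefix length must be a multiple of 4 to map to a zone name" }
    # Expand to the full 32-nibble form via the .NET parser (handles "::").
    $bytes   = [System.Net.IPAddress]::Parse($addr).GetAddressBytes()
    $nibbles = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
    # Keep only the prefix nibbles, reverse them and join with dots.
    $chars = $nibbles.Substring(0, $len / 4).ToCharArray()
    [array]::Reverse($chars)
    return (($chars -join '.') + '.ip6.arpa')
}

$dns  = 'dc1.corp.example.com'   # placeholder: internal DNS server
$zone = 'corp.example.com'       # placeholder: internal AD DNS zone

# Step 1: DNS records. Windows DNS blocks "isatap" and "wpad" by default;
# re-setting the block list to wpad only lets clients resolve isatap.
& dnscmd $dns /Config /GlobalQueryBlockList wpad
& dnscmd $dns /RecordAdd $zone isatap A 10.0.0.10   # UAG internal IP (placeholder)
& dnscmd $dns /RecordAdd $zone nls    A 10.0.0.20   # NLS web server (placeholder)
# The IP-HTTPS name is registered in public DNS against the UAG external IP,
# not on this internal server.

# Step 6: AD-integrated reverse lookup zone for the intranet IPv6 prefix.
$revZone = ConvertTo-Ip6ArpaZone -Prefix '2002:cb00:710a:1::/64'   # placeholder prefix
# $revZone is "1.0.0.0.a.0.1.7.0.0.b.c.2.0.0.2.ip6.arpa"
& dnscmd $dns /ZoneAdd $revZone /DsPrimary
```

Check the result afterwards with `dnscmd $dns /Info /GlobalQueryBlockList` and `nslookup isatap.corp.example.com` from a domain-joined client.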

Hopefully this provides some structure to the recommended deployment process and should allow you to define a high-level checklist of the key tasks for a single server deployment.

Happy DA deployment!


  1. This is awesome Jason, love your Blog.
    I have some questions as I am setting this up as a personal project:
    1. After you have upgraded UAG what version should it be? I have 4.0.1773.10100
    2. I don't think I have done Step 6, do you have any info on this?

    1. Thanks!

      A1: The blog post is a little out of date now; the latest version is 4.0.1773.10190 from here: http://support.microsoft.com/kb/2649262

      A2: Check here: http://technet.microsoft.com/en-us/library/ee382285(v=ws.10).aspx

    2. Thanks Jason, but I've tried these updates before and they always get towards the end, then roll back. Have you come across this before, as I would like to get my UAG server updated. Thanks

    3. I've sorted the issue, thanks; it was the wrong update. Regards

  2. My ISP doesn't support assigning two public IPs on a single NIC. What can I do? Nice blog.

    1. Look at Windows Server 2012 DirectAccess which supports NAT and single IP address! :)