Tuesday, 19 October 2010

Deploying a Forefront UAG DirectAccess Array in 10 Easy Steps!

Following on from my previous blog post, I thought it might be useful to also provide a high-level list of steps for deploying Forefront UAG DirectAccess, this time using an array topology for a more highly available solution. Again, this is not an exhaustive step-by-step walkthrough, but it should cover the key high-level tasks involved. More detail can be found in the Forefront UAG DirectAccess TechNet documentation or by looking at Tom’s excellent Test Lab Guides (TLGs).

These steps are based upon deploying Forefront UAG DirectAccess using an array topology combined with ISATAP to support IPv6 intranet connectivity and NAT64 to support IPv4 intranet resources. This is a likely scenario for deployments with a larger number of users, or specific high availability needs, and an existing IPv4 based intranet. 

Please Note: This deployment scenario does not include NAP or Smartcard authentication.

Step 1: Configure Supporting Infrastructure

  • Create ISATAP, NLS and IP-HTTPS DNS records
  • Create DirectAccess client and server security groups
  • Create DirectAccess certificate templates
  • Create service account for UAG array management

Step 2: Configure Network Location Servers

  • Create website and enrol/bind NLS certificate
  • Repeat for additional NLS servers and potentially implement NLB

Step 3: Prepare and Install UAG Servers

  • Install OS, activate, run Windows Update, join AD domain
  • Configure network interfaces and amend bind order – see here
  • Configure static routes – see here
  • Enrol IP-HTTPS and IPsec certificates
  • Install UAG + UAG Update 1 + UAG Update 2 + TMG SP1 + TMG SP1U1
  • Repeat for additional UAG servers

Step 4: Configure UAG Array

  • Configure first UAG server as the array manager
  • Add additional UAG servers to the ‘Managed Server Computers’ computer set in TMG
  • Join additional UAG servers to the array

Step 5: Configure UAG NLB 

  • Define internal NLB virtual IP address with unicast mode
  • Define external NLB virtual IP addresses (at least two) with unicast mode
  • Start NLB on each array member

Step 6: Configure UAG DirectAccess

  • Enable NAT64/DNS64
  • Define appropriate NRPT entries

Step 7: Configure DirectAccess Clients

  • Enrol IPsec certificates
  • Add clients to DirectAccess security group and reboot
  • Install DCA client

Step 8: Configure Active Directory and DNS

  • Add IPv6 prefixes and assign to AD sites
  • Add DNS reverse lookup zones for IPv6 prefixes

Step 9: Test DirectAccess

  • Test internal ISATAP
  • Test external Teredo, 6to4 and IP-HTTPS

Step 10: Complete Post-Installation Tasks

  • Define custom TMG rules for systems management (SCOM, SCCM, Cert Enrolment etc.)
  • Apply UAG SCW hardening template using Group Policy
  • Install and run UAG BPA

Hopefully this provides some structure to the recommended deployment process and should allow you to define a high-level checklist of the key tasks for an array deployment.

Happy DA array deployment! 


  1. Your the first to lay it out in such a detailed and complete way. Technet has just so many holes in it that leave you scratching your head.

    Thank you,

  2. Hi i accidently deleted my forefront UAG endpoint client version 4 i cant seem to find out how to install it manually. im not an IT Admin doing a course on Enterprise admin. Im assuming our IT pushed it through Group Policy to my PC. Currently im working from home. Please help me web4usk@gmail.com