Test Lab Guide – Demonstrate UAG SP1 RC DirectAccess Connectivity Assistant - Blog Version
Hey folks – since the TLGs are typically put up only in the download center, it makes discoverability of some of the cool content inside of them hard when it comes to search engines. Therefore, I’m going to post the full text of the TLGs on the Edge Man blog. However, I recommend that you download the Word .doc version of the TLGs when you actually put together your Test Lab using the Test Lab Guides.
For a downloadable version of the Test Lab Guide – Demonstrate UAG SP1 RC DirectAccess Connectivity Assistant check out:
DirectAccess is a new feature in the Windows 7 and Windows Server 2008 R2 operating systems that gives users the experience of being seamlessly connected to their intranet any time they have Internet access. With DirectAccess enabled, requests for intranet resources (such as e-mail servers, shared folders, or intranet Web sites) are securely directed to the intranet, without requiring users to connect to a VPN. DirectAccess provides increased productivity for a mobile workforce by offering the same connectivity experience both inside and outside the office.
Forefront Unified Access Gateway (UAG) SP1 RC extends the value of the Windows DirectAccess solution by adding features that meet the requirements of many enterprise deployments:
- Support for arrays of up to 8 UAG DirectAccess servers where configuration is done once on an array master and is automatically deployed to all other members of the array
- Support for Network Load Balancing, which enables the UAG DirectAccess SP1 RC array to be highly available without requiring the use of an external hardware load balancer
- Support for IPv4-only networks, network segments, or server or application resources with the help of NAT64/DNS64 IPv6/IPv4 transition technologies.
To learn more about UAG DirectAccess, see the following resources:
The Microsoft DirectAccess Connectivity Assistant (DCA) supports a DirectAccess client computer that is running Windows 7 by clearly indicating the state of DirectAccess connectivity to corporate network resources. It provides easy access to troubleshooting information and makes it simple to create and send log files to support personnel.
Without the DCA, when a user’s Internet connection (for example, http://www.bing.com) appears to be available, but corporate network resources are not accessible, there is no way that the user can verify if the problem is caused by DirectAccess not working correctly. This can result in user frustration and increased Help Desk support calls. The DCA clearly indicates the operational status of DirectAccess by using an icon in the notification area and informational messages. This helps the user identify the problem area and helps direct troubleshooting efforts.
If DirectAccess is not working correctly, the DCA clearly indicates the status by changing the icon in the notification area and by sending informational messages that provide more detail about the failure. The DCA provides the user with easy access to an extranet URL. For example, this URL might point to a Web site that hosts support information for the organization’s user community. The user can easily send diagnostic log files to the DirectAccess support staff. The log files can contain the default information. The UAG SP1 RC DCA includes comprehensive advanced diagnostics built-in. The administrator can also include a script in the DCA configuration that creates additional diagnostic information that is included in the log files sent to the support team.
In this guide
This guide provides step-by-step instructions for configuring UAG DirectAccess SP1 RC with the DirectAccess Connectivity Assistant in a test lab so that you can see how it works. You will set up and deploy UAG DirectAccess SP1 RC using five server computers, two client computers, Windows Server 2008 R2 Enterprise Edition, Windows Server 2003 SP2, and Windows 7 Ultimate Edition. The test lab simulates an intranet, the Internet, and a home network, and demonstrates the Forefront UAG DirectAccess Connectivity Assistant. The starting point for this paper is the Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess.
These instructions are designed for configuring a test lab using the minimum number of computers. Individual computers are needed to separate the services provided on the network, and to show clearly the required functionality. This configuration is not designed to reflect best practices, nor does it reflect a required or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed to work only on a separate test lab network. For more information on planning and deploying DirectAccess with Forefront UAG, please see the Forefront UAG DirectAccess design guide and the Forefront UAG DirectAccess deployment guide.
Overview of the test lab scenario
In this test lab scenario, Forefront UAG DirectAccess SP1 RC is deployed with:
- One computer running Windows Server 2008 R2 Enterprise Edition (DC1), that is configured as an intranet domain controller, Domain Name System (DNS) server, Dynamic Host Configuration Protocol (DHCP) server, and an enterprise root certification authority (CA).
- One intranet member server running Windows Server 2008 R2 Enterprise Edition (UAG1), that is configured as a Forefront UAG DirectAccess SP1 RC server.
- One intranet member server running Windows Server 2008 R2 Enterprise Edition (APP1) that is configured as a general application server and network location server.
- One intranet member server running Windows Server 2003 SP2 (APP3) that is configured as an IPv4-only web and file server. This server is used to highlight UAG’s NAT64/DNS64 capabilities.
- One standalone server running Windows Server 2008 R2 Enterprise Edition (INET1) that is configured as an Internet DNS and DHCP server.
- One standalone client computer running Windows 7 Ultimate Edition (NAT1), that is configured as a network address translator (NAT) device using Internet Connection Sharing.
- One roaming domain member client computer running Windows 7 Ultimate Edition (CLIENT1) that is configured as a DirectAccess client.
The test lab consists of three subnets that simulate the following:
- A home network named Homenet (192.168.137.0/24) connected to the Internet subnet by NAT1.
- The Internet subnet (131.107.0.0/24).
- The Corpnet subnet (10.0.0.0/24) separated from the Internet by the Forefront UAG DirectAccess server.
Computers on each subnet connect using either a physical or virtual hub or switch, as shown in the following figure.
Configuration component requirements
The following components are required for configuring Forefront UAG DirectAccess in the test lab:
- The product disc or files for Windows Server 2008 R2 Enterprise Edition.
- The product disc or files for Windows Server 2003 Enterprise SP2.
- The product disc or files for Windows 7 Ultimate.
- Four computers or virtual machines that meet the minimum hardware requirements for Windows Server 2008 R2 Enterprise; two of these computers have two network adapters installed.
- One computer or virtual machine that meets the minimum hardware requirements for Windows Server 2003 SP2.
- Two computers or virtual machines that meet the minimum hardware requirements for Windows 7 Ultimate; one of these computers (NAT1) has two network adapters installed.
- The product disc or a downloaded version of Microsoft Forefront Unified Access Gateway (UAG) SP1 RC.
This Test Lab Guide demonstrates the UAG DirectAccess SP1 RC DirectAccess Connectivity Assistant.
The following instructions are for configuring a test lab using the minimum number of computers. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. It is important to remember that this configuration is neither designed to reflect best practices nor does it reflect a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed only to work on a separate test lab network.
Attempting to adapt this test lab configuration to a pilot or production deployment can result in configuration or functionality issues. To ensure proper configuration and operation of UAG DirectAccess, please refer to the Forefront UAG DirectAccess Deployment Guide for the steps to configure the UAG DirectAccess server and supporting infrastructure servers.
Steps for configuring the test lab
The following sections describe how to configure UAG1, DC1 and CLIENT1 for UAG SP1 RC and the DCA. After UAG1, DC1 and CLIENT1 are configured, this guide provides steps for demonstrating the DCA functionality for CLIENT1 when it is connected to the Homenet subnet.
You must be logged on as a member of the Domain Admins group or a member of the Administrators group on each computer to complete the tasks described in this guide. If you cannot complete a task while you are logged on with an account that is a member of the Administrators group, try performing the task while you are logged on with an account that is a member of the Domain Admins group. For all tasks described in this document you can use the CONTOSO\User1 account created when you went through the steps in the UAG DirectAccess Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess.
The following procedures are performed to enable and allow you to test the UAG SP1 RC DCA:
· Step 1: Complete the Demonstrate UAG SP1 RC DirectAccess Test Lab Guide – The first step is to complete all the steps in the Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess.
· Step 2: Configure INET1 with a Help.txt file. The DCA can provide DirectAccess users information about a web site they can go to in order to get help with DirectAccess related problems. In this step you will configure a web page that CLIENT1 can reach to get that help.
· Step 3: Install and Configure the Web Server Role on DC1. The DCA uses a number of connectivity verifiers to determine intranet connectivity over the DirectAccess IPsec tunnels. In this step you will configure DC1 as a web server so that the DCA can use HTTPS to DC1 for a connectivity verifier.
· Step 4: Run the UAG DirectAccess DCA Configuration Wizard on UAG1. UAG SP1 RC includes a new integrated DCA wizard that automatically configures and deploys GPO settings that enable the DCA. In this step you will run the UAG SP1 RC DCA wizard.
· Step 5: Update Group Policy on CLIENT1 and Test DCA Functionality. The new DCA settings are deployed via the DirectAccess clients GPO. In this step you will update Group Policy on CLIENT1 and then test some of the DCA features.
· Step 6: Snapshot the configuration. After completing the Test Lab, take a snapshot of the working UAG DirectAccess DCA Test Lab so that you can return to it later to test additional scenarios.
You will notice that there are several steps that begin with an asterisk (*). The * indicates that the step requires that you move to a computer or virtual machine that is different from the computer or virtual machine you were at when you completed the previous step.
STEP 1: Complete the Demonstrate UAG SP1 RC DirectAccess Test Lab Guide
The first step is to complete all the steps in the Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess. After completing the steps in that Test Lab Guide you will have the core infrastructure required to complete this Test Lab Guide on how to configure the UAG DirectAccess DCA. If you have already completed the steps in that Test Lab Guide and saved a snapshot or disk image of the Test Lab, you can restore the snapshot or image and begin with the next step.
STEP 2: Configure INET1 with the Help.txt File
The DCA can expose to DirectAccess users a link to a location where they can find help. This location is configured in the UAG DirectAccess DCA wizard. In this step you will configure a Help.txt file that CLIENT1 will connect to when acting as a DirectAccess client.
- *At the INET1 computer or virtual machine, log on as Administrator. Click the Start button, click the Windows Explorer icon in the Task Bar.
- In Windows Explorer, navigate to C:\inetpub\wwwroot. In the right pane of the Windows Explorer windows, right click in an empty area, point to New and click Text Document.
- Rename New Text Document to help and press ENTER to save the new name.
- Double click on the help text document. In the help – Notepad window enter This is the place to get help with your DirectAccess problems.
- Close the help – Notepad window. In the Notepad dialog box, click Save.
- Close the Windows Explorer window.
STEP 3: Install and Configure the Web Server Role on DC1
The UAG DCA uses connectivity verifiers to determine DirectAccess connectivity to the intranet over the DirectAccess tunnels. Connectivity verifiers can use HTTP, HTTPS and SMB to assess the current connectivity status to the intranet over the DirectAccess IPsec tunnels. In this step you install the web server role on DC1 and then bind a certificate to the web site so that the DCA can establish an SSL session with DC1 to determine intranet connectivity.
- *At the DC1 computer or virtual machine, log on as User1.
- Open the Server Manager console if it does not open automatically. In the left pane of the Server Manager console, click Roles. In the right pane of the console, click the Add Roles link.
- On the Before You Begin page, click Next. On the Select Server Roles page, select Web Server (IIS) and click Next. On the Introduction to Web Server (IIS) page, click Next.
- On the Select Role Services page, click Next. On the Confirm Installation Selections page, click Install. On the Installation Results page, click Close.
- Click Start and point to Administrative Tools. Click Internet Information Services (IIS) Manager.
- In the left pane of the Internet Information Services (IIS) Manager, navigate to DC1 (CORP\User1)\Sites\Default Web Site. In the Actions pane, click Bindings.
- In the Site Bindings dialog box, click Add. In the Add Site Binding dialog box, from the Type drop down box, select https. From the SSL certificate drop down box, select DC1.corp.contoso.com. Click OK. In the Site Bindings dialog box, click Close.
- Close the Internet Information Services (IIS) Manager console.
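The same Step 3 configuration as a script, added here as an example and not part of the TLG: it installs the Web Server role, adds the https binding, attaches the DC1 certificate to port 443 and then fetches the verifier URL the way the DCA will. It assumes the DC1 computer certificate issued by the lab CA in the earlier TLG has subject CN=DC1.corp.contoso.com (the name the IIS binding dialog shows) and it adds the IIS Management Scripts and Tools role service, which the GUI steps do not need, so that the WebAdministration module is available. Run it in an elevated PowerShell window on DC1.

```powershell
# Configure-Dc1Verifier.ps1 -- elevated PowerShell on DC1.
# Added example (not the TLG's own steps): Step 3 as a script plus a self-check.
# Assumptions: DC1's server certificate has subject CN=DC1.corp.contoso.com;
# Web-Scripting-Tools is added only so Import-Module WebAdministration works.
Import-Module ServerManager

# Web Server (IIS) role with the default role services, as in the Add Roles wizard
$result = Add-WindowsFeature Web-Server, Web-Scripting-Tools
if (-not $result.Success) { throw "Web Server (IIS) role install failed" }
Import-Module WebAdministration

# Pick the DC1 server certificate; fail loudly rather than bind the wrong one
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=DC1.corp.contoso.com*' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if ($cert -eq $null) { throw "No certificate for DC1.corp.contoso.com in LocalMachine\My" }

# Equivalent of Site Bindings > Add > https, then attach the certificate to 0.0.0.0:443
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
if (-not (Test-Path 'IIS:\SslBindings\0.0.0.0!443')) {
    New-Item 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null
}

# Check it the way the DCA will: an HTTPS request by the verifier's host name.
# DC1 trusts the lab CA, so the SSL session should complete without a warning.
$client = New-Object System.Net.WebClient
try {
    $null = $client.DownloadString('https://dc1.corp.contoso.com/')
    Write-Output 'HTTPS verifier target answers: https://dc1.corp.contoso.com'
} catch {
    Write-Warning "HTTPS check failed: $($_.Exception.Message)"
}
```

If the final request fails with a trust error, the binding is using a certificate other than the one issued by the lab CA; if it fails with a connection error, confirm that the https binding exists and that the Windows Firewall on DC1 allows the World Wide Web Services (HTTPS Traffic-In) rule.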
STEP 4: Run the UAG DirectAccess DCA Configuration Wizard on UAG1
UAG SP1 RC includes a new wizard that enables you to configure the DCA so that you don’t have to manually configure Group Policy to support the DCA. In this step you will run the DCA wizard so that it will automatically provision Group Policy to configure the DCA on DirectAccess clients.
- *At the UAG1 computer or virtual machine log on as User1. Click Start and then click All Programs. Click Microsoft Forefront UAG and then click Forefront UAG Management. In the User Account Control dialog box, click Yes.
- In the left pane of the console, click DirectAccess. In the right pane of the console, in the Step 1 Clients and GPOs section, click the Client Connectivity Assistant link.
- In the Client Connectivity Assistant Configuration wizard, on the Client Connectivity page, select the Yes, configure application settings option. Confirm that there is a checkmark in the Allow users to use local name resolution instead of sending requests through corporate DNS servers checkbox. Click Next.
- On the Connection Verification page, click Add. In the Connectivity Verifier Details dialog box, select File from the Connectivity method drop down box. In the Verification server name, IP address or URL text box, enter \\APP1\Files\example.txt. Click the Validate Connectivity button. You should see a Validation dialog box informing you that A connection to the connectivity verifier was established. Click OK and then click OK again.
- Click Add. In the Connectivity Verifier Details dialog box, select the HTTP option from the Connectivity method drop down list. In the Verification server name, IP address, or URL text box, enter http://app1.corp.contoso.com. Click the Validate Connectivity button. You should see a Validation dialog box informing you that A connection to the connectivity verifier was established. Click OK and then click OK again.
- Click Add. In the Connectivity Verifier Details dialog box, select the HTTPS option from the Connectivity method drop down list. In the Verification server name, IP address, or URL text box, enter https://dc1.corp.contoso.com. Click the Validate Connectivity button. You should see a Validation dialog box informing you that A connection to the connectivity verifier was established. Click OK and then click OK again.
- On the Connection Verification page, click Next.
- On the Troubleshooting Portal page, select the This site (URL): option. In the text box below that option, enter http://inet1.isp.example.com/help.txt. In the Friendly name for URL link: text box, enter DirectAccess Help Center. Click Next.
- On the Diagnostic Logging page, in the Send client log files to text box, enter firstname.lastname@example.org. Click Finish.
- In the right pane of the console, click the Apply Policy button. On the Forefront UAG DirectAccess Configuration Review page, click Apply Now. In the DirectAccess Policy Configuration dialog box, click OK. Click Close on the Forefront UAG DirectAccess Configuration Review page.
- Open an elevated command prompt. In the command prompt window, enter gpupdate /force and press ENTER. Close the command prompt window.
- In the right pane of the console, click the Activate button. In the Activate Configuration dialog box, click Activate. Click Finish when the activation is complete. Close the UAG management console.
STEP 5: Update Group Policy, Install the DCA and Test DCA Functionality on CLIENT1
In this step you will update Group Policy on CLIENT1 so that it receives the new DCA related settings. Then you will install the DCA client software and finally test DCA functionality when CLIENT1 is located on the Homenet subnet.
Update Group Policy on CLIENT1:
- *Connect CLIENT1 to the Corpnet subnet. Wait until the network icon in the notification area of the desktop displays a yellow caution sign.
- Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. Click Yes at the User Account Control prompt.
- In the command prompt window, enter gpupdate /force and press ENTER. Wait for the command to complete and then close the command prompt window.
Install the DCA software on CLIENT1:
- On CLIENT1, insert the UAG SP1 RC DVD into the computer or mount the UAG SP1 RC .iso file on the virtual machine. In the AutoPlay dialog box, click Open folder to view files.
- Navigate to the UAG\Microsoft Forefront Unified Access Gateway\common\bin\da\dca folder. Double click on the Microsoft_DirectAccess_Connectivity_Assistant file.
- In the Microsoft DirectAccess Connectivity Assistant Setup wizard, on the MICROSOFT PRE-RELEASE SOFTWARE LICENSE TERMS page, put a checkmark in the I accept the terms in the License Agreement checkbox and click Install. In the user Account Control dialog box, click Yes. On the Completed the Microsoft DirectAccess Connectivity Assistant Setup Wizard page, click Finish.
- You should now see the DCA icon in the system notification area.
Test DCA Functionality on CLIENT1:
- Move CLIENT1 to the Homenet subnet and wait for the network icon in the system notification area to stop spinning. Right click the Taskbar and click Properties. In the Taskbar and Start Menu Properties dialog box, in the Notification Area section, click Customize. On the Notification Area Icons page, put a checkmark in the Always show all icons and notifications on the taskbar checkbox and click OK. Click OK in the Taskbar and Start Menu Properties dialog box.
- At this point you might notice a red “x” on the DCA icon. Open an elevated command prompt on CLIENT1. In the command prompt window enter net view \\dc1 and press ENTER. You should see a list of shares on DC1. In the command prompt window, enter net view \\app1 and press ENTER. If you receive a network path was not found error, then in the command prompt window enter ipconfig /flushdns and press ENTER. After that command completes, enter net view \\app1 in the command prompt window and press ENTER. You should see a list of shares on APP1. You should also see the red “x” disappear from the DCA icon.
- *Move to the APP1 computer or virtual machine. Open Windows Explorer and navigate to the C:\Files folder. Right click the Example file and click Rename. Rename the file to Example1 and press ENTER to save the file with the new name. Notice that a new empty file is created with the same name.
- *Move to the DC1 computer or virtual machine. Click Start and point to Administrative Tools. Click Internet Information Services (IIS) Manager. In the Internet Information Services (IIS) Manager console, in the left pane, click DC1 (CORP\User1) . In the Actions pane, click Stop.
- *Move to the CLIENT1 computer or virtual machine and wait a few moments. You will notice that the DCA icon now has a red “x” on it. Right click the DCA icon and click Advanced Diagnostics.
- Notice under Advanced Log File that it says generating logs while it creates the log files. When it says Open logs directory, click the Open logs directory link. Double click DcaDefaultLog.
- On the DirectAccess Connectivity Assistant Logs web page, note in the Probes List section a line that reads FAIL – The server name resolved successfully, but failed to access HTTP: https://dc1.corp.contoso.com. Note that the other two connectivity verifiers that you configured show as PASS. Also note that there is a connectivity verifier that you didn’t configure – a ping test to the UAG DirectAccess server itself (PASS – PING: 2002:836b:3::836b:3). Scroll through the rest of the page to view the detailed information collected by the DCA client software. Close Internet Explorer. Close Windows Explorer.
- In the DCA dialog box, notice that the friendly name you entered in the wizard, DirectAccess Help Center, appears, and under that is the URL you configured for the Help page. Click the http://inet1.isp.example.com/help.txt link. You should see the help page that reads This is the place to get help with your DirectAccess problems. Close Internet Explorer. Note the Email Logs button. If there were an email client application installed on CLIENT1, you could click that button and it would automatically email the log files to firstname.lastname@example.org, as you configured in the DCA wizard. Click Close in the Microsoft DirectAccess Connectivity Assistant dialog box. Close all open windows on CLIENT1.
- *Move to the DC1 computer or virtual machine. In the Internet Information Services (IIS) Manager console, in the Actions pane, click Start. Close all open windows on DC1.
It is important to note that the DCA icon may show a red “x” even when there is connectivity to the intranet. The red “x” appears when any of the connectivity verifiers is unavailable to the DirectAccess client. It is recommended that you specify a diverse set of resources for your connectivity verifiers. This diversity helps ensure that a failure to access a resource is an unambiguous indication of a problem with DirectAccess rather than a problem with another component.
For example, if all of the specified resources are behind a network address translating application layer gateway (NAT64), the failure of DCA to access the test resources might indicate a failure of the NAT64 rather than a failure of DirectAccess. Instead, identify one resource behind the NAT64, another behind an ISATAP gateway, and so on. Also note that you must not use the Network Location Server as a connectivity verifier, since the name of the Network Location Server cannot be resolved by the DirectAccess client.
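To see how a single failing verifier produces the red "x", and to check whether the verifiers you chose are actually diverse, the following script re-runs the probes configured in Step 4 from an elevated PowerShell window on CLIENT1 while it sits on the Homenet subnet and reports them in the style of the DcaDefaultLog Probes List. It is an added example, not part of the TLG or of the DCA product. It assumes the PING target is UAG1's 6to4 address as it appears in the Step 5 log, and the /64 check at the end is this script's own heuristic rather than a DCA rule.

```powershell
# Test-DcaVerifiers.ps1 -- elevated PowerShell on CLIENT1 (Homenet subnet).
# Added example (not the TLG's or the DCA's code): re-run the Step 4 verifiers,
# separating name resolution from access the way the DCA log does, then apply
# the "any FAIL means red x" rule and a diversity heuristic of this script's own.
# Assumption: the PING target is UAG1's 6to4 address as shown in DcaDefaultLog.
$verifiers = @(
    @{ Method = 'FILE';  Target = '\\APP1\Files\example.txt' },
    @{ Method = 'HTTP';  Target = 'http://app1.corp.contoso.com' },
    @{ Method = 'HTTPS'; Target = 'https://dc1.corp.contoso.com' },
    @{ Method = 'PING';  Target = '2002:836b:3::836b:3' }
)

function Get-VerifierHost([string]$Method, [string]$Target) {
    # Host part of a UNC path, URL or bare address, so DNS is tested on its own
    switch ($Method) {
        'FILE'  { ($Target.TrimStart('\') -split '\\')[0] }
        'PING'  { $Target }
        default { ([System.Uri]$Target).Host }
    }
}

function Test-Verifier($Verifier) {
    $hostName = Get-VerifierHost $Verifier.Method $Verifier.Target
    $label = "$($Verifier.Method): $($Verifier.Target)"
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($hostName)
    } catch {
        return @{ Pass = $false; Address = $null; Text = "FAIL - The server name $hostName did not resolve: $label" }
    }
    $reached = $false
    try {
        switch ($Verifier.Method) {
            'FILE'  { $reached = Test-Path -Path $Verifier.Target }
            'PING'  { $reached = (New-Object System.Net.NetworkInformation.Ping).Send($Verifier.Target, 2000).Status -eq 'Success' }
            default { $null = (New-Object System.Net.WebClient).DownloadString($Verifier.Target); $reached = $true }
        }
    } catch { $reached = $false }
    $text = if ($reached) { "PASS - $label" } else { "FAIL - The server name resolved successfully, but failed to access $label" }
    return @{ Pass = $reached; Address = $addresses[0]; Text = $text }
}

$results = $verifiers | ForEach-Object { Test-Verifier $_ }
$results | ForEach-Object { Write-Output $_.Text }

# The DCA shows the red "x" when ANY verifier fails: one stale DNS entry or one
# stopped web site (the IIS stop in Step 5) is enough to turn the icon red.
$failed = @($results | Where-Object { -not $_.Pass })
if ($failed.Count -eq 0) {
    Write-Output 'Overall: all verifiers passed (icon green)'
} else {
    Write-Output "Overall: $($failed.Count) verifier(s) failed (icon shows a red x)"
    Write-Output "Hint: a name that resolved but cannot be reached right after a subnet move may be a cached answer; run 'ipconfig /flushdns' and re-run."
}

# Diversity heuristic (this script's own, not a DCA rule): if every resolved
# verifier sits in the same IPv6 /64, a single transition path (for example the
# NAT64 prefix used for IPv4-only servers) can fail all of them together, which is
# the ambiguity the guide warns about. Compare the first 8 bytes of each address.
$prefixes = $results |
    Where-Object { $_.Address -ne $null -and $_.Address.AddressFamily -eq 'InterNetworkV6' } |
    ForEach-Object { [BitConverter]::ToString($_.Address.GetAddressBytes(), 0, 8) } |
    Sort-Object -Unique
if (@($prefixes).Count -le 1) {
    Write-Warning "All verifiers share one /64 ($prefixes); add a resource reached over a different path (ISATAP, native IPv6, NAT64)."
}
```

Run it once with IIS on DC1 running and once after the Stop action in Step 5: the HTTPS line flips from PASS to "resolved successfully, but failed to access", the other three stay PASS, and the overall line still reports a red x, which is exactly the behaviour the note above describes.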
STEP 6: Snapshot the Configuration
This completes the UAG SP1 RC DirectAccess Connectivity Assistant test lab. To save this configuration so that you can quickly return to a working UAG SP1 RC DirectAccess Connectivity Assistant configuration, whether to work through other DirectAccess modular TLGs and TLG extensions or for your own experimentation and learning, do the following:
1. On all physical computers or virtual machines in the test lab, close all windows and then perform a graceful shutdown.
2. If your lab is based on virtual machines, save a snapshot of each virtual machine and name the snapshots TLG UAG DirectAccess SP1RC DCA. If your lab uses physical computers, create disk images to save the DirectAccess test lab configuration.
For procedures to configure the Base Configuration test lab on which this document is based, see the Test Lab Guide: Base Configuration.
For procedures to configure UAG SP1 RC DirectAccess on which this document is based, see the Test Lab Guide: Demonstrate Forefront UAG SP1 RC DirectAccess.
For a comprehensive list of UAG DirectAccess Test Lab Guides, please see Test Lab Guides.
For information about troubleshooting DirectAccess, see the DirectAccess Troubleshooting Guide.
For information on troubleshooting UAG DirectAccess in a Test Lab, see Test Lab Guide: Troubleshooting UAG DirectAccess.
Knowledge Engineer, Microsoft DAIP iX/Forefront iX
UAG Direct Access/Anywhere Access Group (AAG)
The “Edge Man” blog (DA all the time): http://blogs.technet.com/tomshinder/default.aspx
Follow me on Twitter: https://twitter.com/tshinder