Identifying and configuring application servers
Updated: February 1, 2011
Applies To: Unified Access Gateway
This topic describes how to determine which Forefront Unified Access Gateway (UAG) DirectAccess access model to use, and how to identify an application server that requires additional authentication.
Forefront UAG DirectAccess uses the following access models:
- End-to-edge—Allows DirectAccess clients to connect to all resources inside the intranet, by using IPsec-based tunnel policies that require authentication and encryption until they reach the Forefront UAG DirectAccess server. The IPsec sessions terminate by default at the Forefront UAG DirectAccess server, which also functions as the IPsec Gateway.
  It is recommended that you use the end-to-edge access model for initial deployments.
- End-to-end—Extends the end-to-edge IPsec policies all the way to the specified application servers. The DirectAccess clients use an IPsec transport policy that requires that the authentication and traffic protection of IPsec sessions is terminated at the specified application servers. In this case, the Forefront UAG DirectAccess server forwards the authenticated and traffic protected IPsec sessions to the application servers. Additionally, you can encrypt the data payload between the DirectAccess client and an application server by changing the data protection (quick mode) settings.
  DirectAccess clients can still connect to all other resources inside the intranet, using the end-to-edge access model.
To identify an application server that requires additional authentication
1. From the Forefront UAG DirectAccess Configuration Wizard, in the Application Servers box, click Configure.
2. To enable Require end-to-edge authentication and encryption (the default selection), click Finish.
3. To enable end-to-end authentication and encryption for specified servers:
   - Click Require end-to-end authentication and encryption to specified application servers.
   - If you want to change the IPsec cryptography settings, click Edit IPsec cryptography settings, select the relevant Protocol, Integrity and Encryption, and then click OK.
     Forefront UAG DirectAccess (UP1 release) supports the Suite B cryptographic algorithms that were added to IPsec in Windows Vista Service Pack 1, Windows Server 2008, and Windows 7.
   - Click Add, select the security group(s) containing the application servers that you want to enable for end-to-end authentication and encryption, click OK, and then click Finish. Clicking Remove removes the currently selected security group from the list.
Application servers that are added to the application server security group must be running Windows Server 2008 or later.
Application servers that are added to security groups after the GPO has been generated are not automatically updated in the DirectAccess client application server list. This means that any application server newly added to the security group, or any application server whose IP address changes after the GPO has been generated, is inaccessible to the DirectAccess client in both clear and encrypted modes.
To resolve this, after adding a new application server to the specified security group, or after changing the IP address of an application server, do the following:
- From the Forefront UAG DirectAccess Configuration Wizard, in the Application Servers box, click Edit, and then click Finish.
- Click Generate Policies, click Apply Now, or click Export Script. For more information, see Applying or exporting the Forefront UAG DirectAccess configuration. After this is completed, any newly added application servers or application servers with changed IP addresses will be accessible to the DirectAccess clients.
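As an added example (not part of this documentation or of the Forefront UAG product), the following PowerShell script detects the drift described above: run with -Record right after Generate Policies / Apply Now, it records the security group's computer members and their resolved addresses; run later without the switch, it reports any member or address that has changed since, so that policies can be regenerated before clients lose access. The group name, snapshot path and availability of the ActiveDirectory module are assumptions.

```powershell
# Added example, not part of the original documentation.
# Assumptions: the ActiveDirectory module is available on the machine running this,
# the application server security group is 'DA-AppServers', and C:\UAG exists.
param([switch]$Record)   # use -Record immediately after Generate Policies / Apply Now

Import-Module ActiveDirectory
$GroupName    = 'DA-AppServers'                    # assumption: your security group
$SnapshotPath = 'C:\UAG\appserver-snapshot.xml'    # assumption: snapshot location

function Get-AppServerState {
    param([string]$Group)
    # Resolve each computer member's current addresses. The GPO-generated client
    # list is derived from this data, so any change here requires regeneration.
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'computer' } |
        ForEach-Object {
            $fqdn  = (Get-ADComputer $_.distinguishedName -Properties DNSHostName).DNSHostName
            $addrs = @()
            try {
                $addrs = [System.Net.Dns]::GetHostAddresses($fqdn) |
                         ForEach-Object { $_.IPAddressToString } | Sort-Object
            } catch { }   # unresolvable host is reported with no address
            [pscustomobject]@{ Name = $fqdn; Addresses = ($addrs -join ',') }
        } | Sort-Object Name
}

$current = @(Get-AppServerState -Group $GroupName)

if ($Record -or -not (Test-Path $SnapshotPath)) {
    # Record what the policies were generated from; later runs compare against it.
    $current | Export-Clixml -Path $SnapshotPath
    "Snapshot of $($current.Count) application server(s) saved to $SnapshotPath."
    return
}

$previous = @(Import-Clixml -Path $SnapshotPath)
$drift = Compare-Object -ReferenceObject $previous -DifferenceObject $current `
                        -Property Name, Addresses
if (-not $drift) {
    'No drift: the DirectAccess client application server list should still be current.'
} else {
    Write-Warning 'Group membership or addresses changed since policies were last generated.'
    foreach ($d in $drift) {
        $tag = if ($d.SideIndicator -eq '=>') { 'now' } else { 'was' }
        "  [$tag] $($d.Name) -> $($d.Addresses)"
    }
    Write-Warning 'Re-run the wizard (Application Servers > Edit > Finish), then Generate Policies and Apply Now, and re-run this script with -Record.'
}
```

Any server listed as "now" without a matching "was" entry (or with different addresses) is one that the DirectAccess clients cannot reach until the policies are regenerated.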
For instructions on configuring the next step of the Forefront UAG DirectAccess Configuration Wizard, see Applying or exporting the Forefront UAG DirectAccess configuration.