Deploying a Forefront UAG DirectAccess Array in 10 Easy Steps!
This is not an exhaustive step-by-step walkthrough, but it should cover the key
high-level tasks involved. More detail can be found in the Forefront UAG DirectAccess TechNet documentation or by looking
at Tom’s excellent Test Lab Guides (TLGs).
These steps are based upon deploying Forefront UAG DirectAccess using an
array topology combined with ISATAP to support IPv6 intranet connectivity and
NAT64 to support IPv4 intranet resources. This is a likely scenario for
deployments with a larger number of users, or specific high availability needs,
and an existing IPv4 based intranet.
Step 1: Configure Supporting
Infrastructure
Please Note: This deployment scenario does not include NAP or Smartcard authentication. |
- Create ISATAP, NLS and IP-HTTPS DNS records
- Create DirectAccess client and server security groups
- Create DirectAccess certificate templates
- Create service account for UAG array management
- Create website and enrol/bind NLS certificate
- Repeat for additional NLS servers and potentially implement NLB
- Install OS, activate, run Windows Update, join AD domain
- Configure network interfaces and amend bind order – see here
- Configure static routes – see here
- Enrol IP-HTTPS and IPsec certificates
- Install UAG + UAG Update 1 + UAG Update 2 + TMG SP1 + TMG SP1U1
- Repeat for additional UAG servers
- Configure first UAG server as the array manager
- Add additional UAG servers to the ‘Managed Server Computers’ computer set in TMG
- Join additional UAG servers to the array
- Define internal NLB virtual IP address with unicast mode
- Define external NLB virtual IP addresses (at least two) with unicast mode
- Start NLB on each array member
- Enable NAT64/DNS64
- Define appropriate NRPT entries
- Enrol IPsec certificates
- Add clients to DirectAccess security group and reboot
- Install DCA client
- Add IPv6 prefixes and assign to AD sites
- Add DNS reverse lookup zones for IPv6 prefixes
- Test internal ISATAP
- Test external Teredo, 6to4 and IP-HTTPS
- Define custom TMG rules for systems management (SCOM, SCCM, Cert Enrolment etc.)
- Apply UAG SCW hardening template using Group Policy
- Install and run UAG BPA
No comments:
Post a Comment