This is the text of the Test Lab Guide - Demonstrate UAG SP1 RC DirectAccess Remote Management Test Lab Guide, which you can download at http://go.microsoft.com/fwlink/?LinkId=205210 

I am posting the entire text of the Test Lab Guide here with the goal that the community can improve on the Test Lab Guide by adding new options, demonstrating new features, or just correcting errors in the text :)  In fact, you can make any changes you like - that is the nature of a wiki. I'm looking forward to seeing how you all can make this great Test Lab Guide even better!

Introduction

Forefront Unified Access Gateway (UAG SP1 RC) provides users with the experience of being seamlessly connected to their intranet any time they have Internet access. When DirectAccess is enabled, requests for intranet resources (such as e-mail servers, shared folders, or intranet Web sites) are securely directed to the intranet, without the need for users to connect to a VPN. DirectAccess enables increased productivity for a mobile workforce by offering the same connectivity experience both inside and outside of the office. Forefront UAG SP1 RC DirectAccess extends the benefits of Windows DirectAccess across your infrastructure by enhancing availability and scalability, as well as simplifying deployments and ongoing management. For more information, see Overview of Forefront UAG DirectAccess.

About this guide

This Test Lab Guide provides step-by-step instructions for configuring Forefront UAG SP1 RC DirectAccess Remote Management in a test lab so that you can see how it works. You will set up and deploy Forefront UAG SP1 RC DirectAccess using five server computers, two client computers, Windows Server 2008 R2 Enterprise Edition, Windows Server 2003 Enterprise Edition SP2, and Windows 7 Ultimate Edition. The test lab simulates intranet, Internet, and home networks, and demonstrates Forefront UAG SP1 RC DirectAccess in different Internet connection scenarios.
Important:
These instructions are designed for configuring a test lab using the minimum number of computers. Individual computers are needed to separate the services provided on the network, and to show clearly the required functionality. This configuration is not designed to reflect best practices, nor does it reflect a required or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed to work only on a separate test lab network. For more information on planning and deploying DirectAccess with Forefront UAG SP1 RC, please see the Forefront UAG DirectAccess design guide and the Forefront UAG
This Test Lab Guide builds on the Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess. You will need to complete all the steps in that guide before you can complete the steps in this Test Lab Guide.

Overview of the test lab scenario

In this test lab scenario, Forefront UAG SP1 RC DirectAccess is deployed with:
  • One computer running Windows Server 2008 R2 Enterprise Edition (DC1) that is configured as an intranet domain controller, Domain Name System (DNS) server, Dynamic Host Configuration Protocol (DHCP) server, and an enterprise root certification authority (CA).
  • One intranet member server running Windows Server 2008 R2 Enterprise Edition (UAG1) that is configured as a Forefront UAG SP1 RC DirectAccess server.
  • One intranet member server running Windows Server 2008 R2 Enterprise Edition (APP1) that is configured as a general application server and network location server.
  • One intranet member server running Windows Server 2003 Enterprise Edition SP2 (APP3) that is configured as an IPv4-only web and file server. This server is used to highlight the NAT64/DNS64 capabilities.
  • One standalone server running Windows Server 2008 R2 (INET1) that is configured as an Internet DNS and DHCP server.
  • One standalone client computer running Windows 7 Ultimate Edition (NAT1) that is configured as a network address translator (NAT) device using Internet Connection Sharing.
  • One roaming member client computer running Windows 7 Enterprise or Ultimate (CLIENT1) that is configured as a DirectAccess client.
The test lab consists of three subnets that simulate the following:
  • A home network named Homenet (192.168.137.0/24) connected to the Internet by a NAT.
  • The Internet (131.107.0.0/24).
  • An intranet named Corpnet (10.0.0.0/24) separated from the Internet by the Forefront UAG SP1 RC DirectAccess server.
Computers on each subnet connect using either a physical or virtual hub or switch, as shown in the following figure.

Configuration component requirements

The following components are required for configuring Forefront UAG SP1 RC DirectAccess in the test lab:
  • The product disc or files for Windows Server 2008 R2 Enterprise Edition.
  • The product disc or files for Windows Server 2003 Enterprise SP2.
  • The product disc or files for Windows 7 Ultimate.
  • Four computers or virtual machines that meet the minimum hardware requirements for Windows Server 2008 R2 Enterprise; one of these computers has two network adapters installed.
  • One computer or virtual machine that meets the minimum hardware requirements for Windows Server 2003 SP2.
  • Two computers or virtual machines that meet the minimum hardware requirements for Windows 7 Ultimate; one of these computers has two network adapters installed.
  • The product disc or a downloaded version of Microsoft Forefront Unified Access Gateway (UAG SP1 RC).

Steps for configuring the test lab

The following steps describe how to configure the server and client computers in a test lab. After completing these configurations you can verify DirectAccess connectivity from the Internet and Homenet subnets. In addition, you will see how you can manage DirectAccess clients from management computers on the intranet. This Test Lab Guide also highlights a new feature included in UAG SP1 RC that allows you to limit DirectAccess client connectivity to the infrastructure tunnel only, which enables continuous management of DirectAccess clients without allowing users to access resources on the intranet.
Note:
You must be logged on as a member of the Domain Admins group or as a member of the Administrators group on each computer to complete the tasks described in this guide. If you cannot complete a task while you are logged on with an account that is a member of the Administrators group, try performing the task while you are logged on with an account that is a member of the Domain Admins group.
 
You will perform the following steps to demonstrate UAG SP1 RC DirectAccess remote management in this Test Lab Guide:

·         Step 1: Complete the Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess – This Test Lab Guide builds on the configuration created after completing the steps in Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess.

·         Step 2: Configure Remote Management – In this step you will create the DirectAccess client OU, create and configure a DirectAccess client GPO, refresh the remote access client configuration, and enable Remote Desktop connectivity to DirectAccess clients.

·         Step 3: Test Remote Management of DirectAccess Clients – After the new firewall settings are deployed to the DirectAccess client, management servers on the corporate network can initiate connections to the DirectAccess client. In this step you validate the settings and establish connections from DC1 to CLIENT1, when CLIENT1 is acting as a DirectAccess client behind NAT1.

·         Step 4: Limit DirectAccess Client to Only the Management Tunnel – In this step you will configure UAG1 to limit DirectAccess client connectivity to only the infrastructure tunnel.

·         Step 5: Snapshot the Configuration – After completing the Test Lab, take a snapshot of the working UAG SP1 RC DirectAccess NLB array so that you can return to it later to test additional scenarios.

STEP 1: Complete the Demonstrate UAG SP1 RC DirectAccess Test Lab Guide

The first step is to complete all the steps in the Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess. After completing the steps in that Test Lab Guide you will have the core infrastructure required to complete this Test Lab Guide on how to configure UAG SP1 RC DirectAccess remote management. If you have already completed the Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess and saved the configuration in either a virtual machine snapshot or a disk image for a physical deployment, you can restore that configuration and begin with the next step.

STEP 2: Configure Remote Management

DirectAccess uses two IPsec tunnels between the DirectAccess client and server to enable communications to the corporate network. The first IPsec tunnel is the “infrastructure” tunnel. This tunnel is established after the DirectAccess client computer starts, but before the user logs on. Authentication is required for this tunnel, and both a computer certificate and the computer account in Active Directory are used to authenticate the first IPsec tunnel connection. The second tunnel (the intranet tunnel) is established after the user logs on and allows the user to access network resources. Authentication for this tunnel uses the computer certificate and user (Kerberos) authentication in Active Directory.
The infrastructure tunnel provides bidirectional access to and from servers included in the management servers collection, as defined in the DirectAccess configuration wizard. These servers can connect to DirectAccess clients over the infrastructure tunnel, so that connectivity is enabled whenever the DirectAccess client computer is turned on, regardless of whether the user is logged on. The infrastructure tunnel enables remote management scenarios where administrators can apply patches, make configuration changes, and employ their full suite of configuration and management tools not only to computers on the corporate network, but to any DirectAccess client on the Internet.
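The remote management configuration that Step 2 describes (a DirectAccess client OU, a client GPO, inbound firewall rules reachable over the infrastructure tunnel, and a policy refresh) can be scripted from DC1. The script below is an added example written for this wiki page; it is not part of the Test Lab Guide and not Microsoft's own procedure, which uses the Group Policy Management Editor. It assumes the lab domain is corp.contoso.com, the OU and GPO names shown, and a Corpnet IPv6 prefix in $MgmtPrefix that you must replace with the intranet prefix from the base guide; the netsh advfirewall syntax is taken from the netsh reference and should be checked against your build before use.

```powershell
# Added example (not from the Test Lab Guide). Run in an elevated PowerShell
# session on DC1 as a member of Domain Admins.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Domain     = "corp.contoso.com"                  # assumed lab domain
$DomainDN   = "DC=corp,DC=contoso,DC=com"
$OuName     = "DirectAccess Clients"              # assumed OU name
$OuDN       = "OU=$OuName,$DomainDN"
$GpoName    = "DAClientMgmt"                      # assumed GPO name (no spaces, netsh-friendly)
$MgmtPrefix = "2002:836b:2::/48"                  # assumed Corpnet IPv6 prefix; replace with your lab's value

# A. Create the DirectAccess client OU and move CLIENT1 into it.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDN
if (-not $ou) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN
}
$client = Get-ADComputer -Identity "CLIENT1"
if ($client.DistinguishedName -notlike "*,$OuDN") {
    Move-ADObject -Identity $client.DistinguishedName -TargetPath $OuDN
}

# B. Create the client GPO and link it to the new OU so only DirectAccess
#    clients receive the management rules.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
}
New-GPLink -Name $GpoName -Target $OuDN -LinkEnabled Yes | Out-Null

# C. Write inbound firewall rules into the GPO's firewall store. netsh keeps
#    'set store' only for one session, so all commands go through one
#    netsh -f script file. remoteip restricts the rules to management hosts on
#    Corpnet; edge=yes lets the traffic arrive through the IPsec/IPv6 tunnel.
$rulesFile = Join-Path $env:TEMP "da-mgmt-rules.txt"
@"
advfirewall set store gpo=$Domain\$GpoName
advfirewall firewall add rule name="DA Mgmt - ICMPv6 Echo Request" dir=in action=allow protocol=icmpv6:128,any remoteip=$MgmtPrefix edge=yes profile=any
advfirewall firewall add rule name="DA Mgmt - Remote Desktop" dir=in action=allow protocol=TCP localport=3389 remoteip=$MgmtPrefix edge=yes profile=any
"@ | Set-Content -Path $rulesFile -Encoding ASCII
netsh -f $rulesFile
Remove-Item $rulesFile

# D. Review what the GPO now contains before the client picks it up.
Get-GPOReport -Name $GpoName -ReportType Html -Path (Join-Path $env:TEMP "$GpoName.html")

# E. On CLIENT1 (not on DC1), refresh computer policy so the new rules apply:
#        gpupdate /target:computer /force
#    Then, back on DC1, confirm reachability over the infrastructure tunnel:
#        ping -6 client1.$Domain
#        mstsc /v:client1.$Domain
```

Scoping the rules with remoteip to the Corpnet prefix matters: without it the GPO would open Remote Desktop and ICMPv6 on the client's Internet-facing interfaces as well, rather than only to the management servers that reach it through the infrastructure tunnel.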
You will perform the following procedures to enable several remote management scenarios:

A.      Create the DirectAccess Client Organizational Unit and Place CLIENT1 in the New OU. New firewall rules are required to enable some aspects of remote management of DirectAccess