Configuration component requirements
The following components are required for configuring Forefront UAG DirectAccess in the test lab:
- The product disc or files for Windows Server 2008 R2 Enterprise Edition.
- The product disc or files for Windows 7 Ultimate.
- Five computers or virtual machines that meet the minimum hardware requirements for Windows Server 2008 R2 Enterprise; two of these computers have two network adapters installed.
- One computer or virtual machine that meets the minimum hardware requirements for Windows Server 2003 SP2.
- Two computers or virtual machines that meet the minimum hardware requirements for Windows 7 Ultimate; one of these computers has two network adapters installed (NAT1).
- The product disc or a downloaded version of Microsoft Forefront Unified Access Gateway (UAG) SP1 RC.
This Test Lab Guide demonstrates the UAG DirectAccess SP1 RC DirectAccess Connectivity Assistant.
Important
The following instructions are for configuring a test lab using the minimum number of computers. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. It is important to remember that this configuration is neither designed to reflect best practices nor does it reflect a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed only to work on a separate test lab network.
Attempting to adapt this test lab configuration to a pilot or production deployment can result in configuration or functionality issues. To ensure proper configuration and operation of UAG DirectAccess, please refer to the Forefront UAG DirectAccess Deployment Guide for the steps to configure the UAG DirectAccess server and supporting infrastructure servers.
The following sections describe how to configure UAG1, DC1 and CLIENT1 for UAG SP1 RC and the DCA. After UAG1, DC1 and CLIENT1 are configured, this guide provides
steps for demonstrating the DCA functionality for CLIENT1 when it is connected to the Homenet subnet.
Note
You must be logged on as a member of the Domain Admins group or a member of the Administrators group on each computer to complete the tasks described in this
guide. If you cannot complete a task while you are logged on with an account that is a member of the Administrators group, try performing the task while you are logged on with an account that is a member of the Domain Admins group. For all tasks described
in this document you can use the CONTOSO\User1 account created when you went through the steps in the UAG DirectAccess
Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess.
The following procedures are performed to enable and allow you to test the UAG SP1 RC DCA:
- Step 1: Complete the Demonstrate UAG SP1 RC DirectAccess Test Lab Guide. The first step is to complete all the steps in the Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess.
- Step 2: Configure INET1 with a Help.txt file. The DCA can provide DirectAccess users information about a web site they can go to in order to get help with DirectAccess related problems. In this step you will configure a web page that CLIENT1 can reach to get that help.
- Step 3: Install and Configure the Web Server Role on DC1. The DCA uses a number of connectivity verifiers to determine intranet connectivity over the DirectAccess IPsec tunnels. In this step you will configure DC1 as a web server so that the DCA can use HTTPS to DC1 for a connectivity verifier.
- Step 4: Run the UAG DirectAccess DCA Configuration Wizard on UAG1. UAG SP1 RC includes a new integrated DCA wizard that automatically configures and deploys GPO settings that enable the DCA. In this step you will run the UAG SP1 RC DCA wizard.
- Step 5: Update Group Policy on CLIENT1 and Test DCA Functionality. The new DCA settings are deployed via the DirectAccess clients' GPO. In this step you will update Group Policy on CLIENT1 and then test some of the DCA features.
- Step 6: Snapshot the configuration. After completing the Test Lab, take a snapshot of the working UAG DirectAccess with NAP Test Lab so that you can return to it later to test additional scenarios.
Note
You will notice that there are several steps that begin with an asterisk (*). The * indicates that the step requires that you move to a computer or virtual
machine that is different from the computer or virtual machine you were at when you completed the previous step.
STEP 1:
Complete the Demonstrate UAG SP1 RC DirectAccess Test Lab Guide
The first step is to complete all the steps in the Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess. After completing the steps in that Test Lab Guide you will have the core infrastructure required to complete this Test Lab Guide on how to configure the UAG DirectAccess DCA. If you have already completed the steps in that Test Lab Guide and saved a snapshot or disk image of the Test Lab, you can restore the snapshot or image and begin with the next step.
STEP 2:
Configure INET1 with the Help.txt File
The DCA can expose to DirectAccess users a link to a location where they can find help. This location is configured in the UAG DirectAccess DCA wizard. In this step you will configure a Help.txt file that CLIENT1 will connect to when acting as a DirectAccess client.
- *At the INET1 computer or virtual machine, log on as Administrator. Click the Start button, then click the Windows Explorer icon in the Task Bar.
- In Windows Explorer, navigate to C:\inetpub\wwwroot. In the right pane of the Windows Explorer window, right-click in an empty area, point to New and click Text Document.
- Rename New Text Document to help and press ENTER to save the new name.
- Double-click the help text document. In the help – Notepad window, enter This is the place to get help with your DirectAccess problems.
- Close the help – Notepad window. In the Notepad dialog box, click Save.
- Close the Windows Explorer window.
STEP 3:
Install and Configure the Web Server Role on DC1
The UAG DCA uses connectivity verifiers to determine DirectAccess connectivity to the intranet over the DirectAccess tunnels. Connectivity verifiers can use HTTP, HTTPS and SMB to assess the current connectivity status to the intranet over the DirectAccess IPsec tunnels. In this step you install the web server role on DC1 and then bind a certificate to the web site so that the DCA can establish an SSL session with DC1 to determine intranet connectivity.
- *At the DC1 computer or virtual machine, log on as User1.
- Open the Server Manager console if it does not open automatically. In the left pane of the Server Manager console, click Roles. In the right pane of the console, click the Add Roles link.
- On the Before You Begin page, click Next. On the Select Server Roles page, select Web Server (IIS) and click Next. On the Introduction to Web Server (IIS) page, click Next.
- On the Select Role Services page, click Next. On the Confirm Installation Selections page, click Install. On the Installation Results page, click Close.
- Click Start and point to Administrative Tools. Click Internet Information Services (IIS) Manager.
- In the left pane of the Internet Information Services (IIS) Manager, navigate to DC1 (CORP\User1)\Sites\Default Web Site. In the Actions pane, click Bindings.
- In the Site Bindings dialog box, click Add. In the Add Site Binding dialog box, from the Type drop-down box, select https. From the SSL certificate drop-down box, select DC1.corp.contoso.com. Click OK. In the Site Bindings dialog box, click Close.
- Close the Internet Information Services (IIS) Manager console.
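The same result can be scripted, which is useful when you want the HTTPS verifier endpoint to be reproducible rather than clicked through. The following PowerShell is an added example, not part of the Test Lab Guide or of UAG itself. It assumes Windows Server 2008 R2 with the ServerManager and WebAdministration modules, and that a certificate for DC1.corp.contoso.com with a private key is already in the local machine's Personal store (as it is after the prerequisite TLG); the variable names are this example's own.

```powershell
# Added example: scripted equivalent of Step 3 on DC1 (not the TLG's own steps).
# Assumes Windows Server 2008 R2 / PowerShell 2.0 and an existing server certificate
# for DC1.corp.contoso.com in Cert:\LocalMachine\My.
Import-Module ServerManager
Import-Module WebAdministration

$siteName    = "Default Web Site"
$certSubject = "CN=DC1.corp.contoso.com"   # subject of the certificate selected in the Bindings dialog

# Install the Web Server (IIS) role with its default role services if it is not present yet.
$iis = Get-WindowsFeature Web-Server
if (-not $iis.Installed) {
    Add-WindowsFeature Web-Server | Out-Null
}

# Pick the server certificate. Require a private key: without it the SSL binding cannot serve TLS,
# and the DCA's HTTPS verifier would fail even though the site looks configured.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "$certSubject*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if ($cert -eq $null) {
    throw "No certificate with subject $certSubject and a private key found in Cert:\LocalMachine\My"
}

# Add the https binding on port 443 if the site does not already have one.
$existing = Get-WebBinding -Name $siteName -Protocol https
if ($existing -eq $null) {
    New-WebBinding -Name $siteName -Protocol https -Port 443
}

# Associate the certificate with the 0.0.0.0:443 listener (what the SSL certificate drop-down does).
$sslPath = "IIS:\SslBindings\0.0.0.0!443"
if (Test-Path $sslPath) { Remove-Item $sslPath }
New-Item $sslPath -Value $cert | Out-Null

# Verify: the site should list an https binding, and the listener should carry the chosen thumbprint.
Get-WebBinding -Name $siteName | Format-Table protocol, bindingInformation -AutoSize
Get-Item $sslPath | Format-List Thumbprint, Sites
```

Run it in an elevated PowerShell session on DC1. The final two lines are the check worth keeping: if the thumbprint shown does not match the certificate the DirectAccess clients trust, the HTTPS verifier in Step 4 will validate on UAG1 but still fail on the client.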
STEP 4:
Run the UAG DirectAccess DCA Configuration Wizard on UAG1
UAG SP1 RC includes a new wizard that enables you to configure the DCA so that you don’t have to manually configure Group Policy to support the DCA. In this step you will run the DCA wizard so that it will automatically provision Group Policy to configure the DCA on DirectAccess clients.
- *At the UAG1 computer or virtual machine, log on as User1. Click Start and then click All Programs. Click Microsoft Forefront UAG and then click Forefront UAG Management. In the User Account Control dialog box, click Yes.
- In the left pane of the console, click DirectAccess. In the right pane of the console, in the Step 1 Clients and GPOs section, click the Client Connectivity Assistant link.
- In the Client Connectivity Assistant Configuration wizard, on the Client Connectivity page, select the Yes, configure application settings option. Confirm that there is a checkmark in the Allow users to use local name resolution instead of sending requests through corporate DNS servers checkbox. Click Next.
- On the Connection Verification page, click Add. In the Connectivity Verifier Details dialog box, select File from the Connectivity method drop-down box. In the Verification server name, IP address or URL text box, enter \\APP1\Files\example.txt. Click the Validate Connectivity button. You should see a Validation dialog box informing you that A connection to the connectivity verifier was established. Click OK and then click OK again.
- Click Add. In the Connectivity Verifier Details dialog box, select the HTTP option from the Connectivity method drop-down list. In the Verification server name, IP address, or URL text box, enter http://app1.corp.contoso.com. Click the Validate Connectivity button. You should see a Validation dialog box informing you that A connection to the connectivity verifier was established. Click OK and then click OK again.
- Click Add. In the Connectivity Verifier Details dialog box, select the HTTPS option from the Connectivity method drop-down list. In the Verification server name, IP address, or URL text box, enter http://dc1.corp.contoso.com. Click the Validate Connectivity button. You should see a Validation dialog box informing you that A connection to the connectivity verifier was established. Click OK and then click OK again.
- On the Connection Verification page, click Next.
- On the Troubleshooting Portal page, select the This site (URL): option. In the text box below that option, enter http://inet1.isp.example.com/help.txt. In the Friendly name for URL link: text box, enter DirectAccess Help Center. Click Next.
- On the Diagnostic Logging page, in the Send client log files to text box, enter user1@corp.contoso.com. Click Finish.
- In the right pane of the console, click the Apply Policy button. On the Forefront UAG DirectAccess Configuration Review page, click Apply Now. In the DirectAccess Policy Configuration dialog box, click OK. Click Close on the Forefront UAG DirectAccess Configuration Review page.
- Open an elevated command prompt. In the command prompt window, enter gpupdate /force and press ENTER. Close the command prompt window.
- In the right pane of the console, click the Activate button. In the Activate Configuration dialog box, click Activate. Click Finish when the activation is complete. Close the UAG management console.
STEP 5:
Update Group Policy, Install the DCA and Test DCA Functionality on CLIENT1
In this step you will update Group Policy on CLIENT1 so that it receives the new DCA related settings. Then you will install the DCA client software and finally test DCA functionality when CLIENT1 is located on the Homenet subnet.
Update Group Policy on CLIENT1:
- *Connect CLIENT1 to the Corpnet subnet. Wait until the network icon in the notification area of the desktop displays a yellow caution sign.
- Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. Click Yes at the User Account Control prompt.
- In the command prompt window, enter gpupdate /force and press ENTER. Wait for the command to complete and then close the command prompt window.
Install the DCA software on CLIENT1:
- On CLIENT1, insert the UAG SP1 RC DVD into the computer or mount the UAG SP1 RC .iso file on the virtual machine. In the AutoPlay dialog box, click Open folder to view files.
- Navigate to the UAG\Microsoft Forefront Unified Access Gateway\common\bin\da\dca folder. Double-click the Microsoft_DirectAccess_Connectivity_Assistant file.
- In the Microsoft DirectAccess Connectivity Assistant Setup wizard, on the MICROSOFT PRE-RELEASE SOFTWARE LICENSE TERMS page, put a checkmark in the I accept the terms in the License Agreement checkbox and click Install. In the User Account Control dialog box, click Yes. On the Completed the Microsoft DirectAccess Connectivity Assistant Setup Wizard page, click Finish.
- You should now see the DCA icon in the system notification area.
Test DCA Functionality on CLIENT1:
- Move CLIENT1 to the Homenet subnet and wait for the network icon in the system notification area to stop spinning. Right-click the Taskbar and click Properties. In the Taskbar and Start Menu Properties dialog box, in the Notification Area section, click Customize. On the Notification Area Icons page, put a checkmark in the Always show all icons and notifications on the taskbar checkbox and click OK. Click OK in the Taskbar and Start Menu Properties dialog box.
- At this point you might notice a red “x” on the DCA icon. Open an elevated command prompt on CLIENT1. In the command prompt window, enter net view \\dc1 and press ENTER. You should see a list of shares on DC1. In the command prompt window, enter net view \\app1 and press ENTER. If you receive a network path was not found error, then in the command prompt window enter ipconfig /flushdns and press ENTER. After that command completes, enter net view \\app1 in the command prompt window and press ENTER. You should see a list of shares on APP1. You should also see the red “x” disappear from the DCA icon.
- *Move to the APP1 computer or virtual machine. Open Windows Explorer and navigate to the C:\Files folder. Right-click the Example file and click Rename. Rename the file to Example1 and press ENTER to save the file with the new name. Notice that a new empty file is created with the same name.
- *Move to the DC1 computer or virtual machine. Click Start and point to Administrative Tools. Click Internet Information Services (IIS) Manager. In the Internet Information Services (IIS) Manager console, in the left pane, click DC1 (CORP\User1). In the Actions pane, click Stop.
- *Move to the CLIENT1 computer or virtual machine and wait a few moments. You will notice that the DCA icon now has a red “x” on it. Right-click the DCA icon and click Advanced Diagnostics.
- Notice under Advanced Log File that it says generating logs while it creates the log files. When it says Open logs directory, click the Open logs directory link. Double-click DcaDefaultLog.
- On the DirectAccess Connectivity Assistant Logs web page, note in the Probes List section a line that reads FAIL – The server name resolved successfully, but failed to access HTTP: https://dc1.corp.contoso.com. Note that the other two connectivity verifiers that you configured show as PASS. Also note that there is a connectivity verifier that you didn’t configure – a ping test to the UAG DirectAccess server itself (PASS – PING: 2002:836b:3::836b:3). Scroll through the rest of the page to view the detailed information collected by the DCA client software. Close Internet Explorer. Close Windows Explorer.
- In the DCA dialog box, notice that the entry you made in the wizard, DirectAccess Help Center, appears, and under it is the URL you configured for the Help page. Click the http://inet1.isp.example.com link. You should see the help page that reads This is the place to get help with your DirectAccess problems. Close Internet Explorer. Note the Email Logs button. If there were an email client application installed on CLIENT1, you could click that button and it would automatically email the log files to user1@corp.contoso.com, as you configured in the DCA wizard. Click Close in the Microsoft DirectAccess Connectivity Assistant dialog box. Close all open windows on CLIENT1.
- *Move to the DC1 computer or virtual machine. In the Internet Information Services (IIS) Manager console, in the Actions pane, click Start. Close all open windows on DC1.
It is important to note that the DCA icon may show a red “x” even when there is connectivity to the intranet. The red “x” appears when any of the connectivity
verifiers is unavailable to the DirectAccess client. It is recommended that you specify a diverse set of resources for your connectivity verifiers. This diversity helps ensure that a failure to access a resource is an unambiguous indication of a problem with
DirectAccess rather than a problem with another component.
For example, if all of the specified resources are behind a network address translating application layer gateway (NAT64), the failure of DCA to access the test
resources might indicate a failure of the NAT64 rather than a failure of DirectAccess. Instead, identify one resource behind the NAT64, another behind an ISATAP gateway, and so on. Also note that you must not use the Network Location Server as a connectivity
verifier, since the name of the Network Location Server cannot be resolved by the DirectAccess client.
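The Step 5 test (one verifier failing while the others pass, and a "name resolved but failed to access" line in DcaDefaultLog) and the note above about diverse verifiers both come down to reading the probe results as a set rather than one at a time. The following PowerShell is an added example, not part of the Test Lab Guide and not the DCA's own code: run on CLIENT1 while it is on Homenet, it re-runs the same kinds of probes the DCA uses (file, HTTP, HTTPS, ping) against the verifiers configured in Step 4 plus the built-in ping to UAG1, separates name-resolution failures from access failures, and then classifies the whole set. The target list mirrors the TLG; the function names and the classification rule are assumptions of this example.

```powershell
# Added example (not part of the Test Lab Guide): DCA-style probes run from CLIENT1.
# Targets mirror the verifiers configured in Step 4; the 6to4 address is UAG1's, as shown
# in the DcaDefaultLog PING line. Requires PowerShell 2.0 (Windows 7).
$probes = @(
    @{ Method = "FILE";  Target = "\\APP1\Files\example.txt" },
    @{ Method = "HTTP";  Target = "http://app1.corp.contoso.com" },
    @{ Method = "HTTPS"; Target = "https://dc1.corp.contoso.com" },
    @{ Method = "PING";  Target = "2002:836b:3::836b:3" }
)

# Host part of a target, so name resolution can be checked separately from access.
function Get-ProbeHost {
    param([string]$Method, [string]$Target)
    switch ($Method) {
        "FILE"  { return ($Target.TrimStart('\') -split '\\')[0] }   # \\APP1\Files\x -> APP1
        "PING"  { return $Target }
        default { return ([System.Uri]$Target).Host }
    }
}

# Distinguishes "name did not resolve" from "name resolved but access failed", which is the
# wording the DCA log uses for the HTTPS verifier while IIS on DC1 is stopped.
function Test-NameResolution {
    param([string]$HostName)
    try { [void][System.Net.Dns]::GetHostAddresses($HostName); return $true } catch { return $false }
}

# One probe, same method families as the DCA: SMB file, HTTP/HTTPS request, ICMP echo.
function Test-DcaStyleProbe {
    param([string]$Method, [string]$Target)
    try {
        switch ($Method) {
            "FILE" { return (Test-Path -LiteralPath $Target) }
            "PING" {
                $reply = (New-Object System.Net.NetworkInformation.Ping).Send($Target, 3000)
                return ($reply.Status -eq [System.Net.NetworkInformation.IPStatus]::Success)
            }
            default {
                # Any completed response means the server was reached over the tunnels.
                $req = [System.Net.WebRequest]::Create($Target)
                $req.Timeout = 5000
                $resp = $req.GetResponse()
                $resp.Close()
                return $true
            }
        }
    } catch { return $false }
}

$results = @()
foreach ($p in $probes) {
    $hostName = Get-ProbeHost -Method $p.Method -Target $p.Target
    $resolved = Test-NameResolution -HostName $hostName
    $reached  = if ($resolved) { Test-DcaStyleProbe -Method $p.Method -Target $p.Target } else { $false }
    $results += New-Object PSObject -Property @{
        Method = $p.Method; Target = $p.Target; Resolved = $resolved; Reached = $reached }
}

# One line per probe, in the spirit of the Probes List section of DcaDefaultLog.
foreach ($r in $results) {
    $status = "PASS"
    if (-not $r.Reached) {
        if ($r.Resolved) { $status = "FAIL - name resolved, but failed to access" } else { $status = "FAIL - name did not resolve (try ipconfig /flushdns, as in Step 5)" }
    }
    "{0}: {1} {2}" -f $status, $r.Method, $r.Target
}

# Read the set as a whole. This is the point of a diverse verifier list: every probe failing
# points at DirectAccess itself, while a single failure points at that one resource.
$failed = @($results | Where-Object { -not $_.Reached })
if ($failed.Count -eq 0) {
    "All verifiers reachable: the DCA icon should show no red x."
} elseif ($failed.Count -eq $results.Count) {
    "All verifiers failed: suspect DirectAccess (tunnels, IPsec, name resolution) rather than a single server."
} else {
    "Some verifiers failed: the red x most likely reflects those resources (for example IIS stopped on DC1), not DirectAccess."
}
```

Re-run it at the point in Step 5 where IIS on DC1 is stopped and you should get exactly the picture the DCA log shows: the HTTPS probe resolves but fails, the file and HTTP probes to APP1 and the ping to UAG1 pass, and the summary attributes the red "x" to DC1 rather than to DirectAccess. If the verifiers all sat behind the same NAT64 or on the same server, that distinction would be impossible to make, which is the reason for the diversity recommendation above.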
This completes the UAG SP1 RC DirectAccess Connectivity Assistant test lab. To save this configuration so that you can quickly return to a working UAG SP1 RC DirectAccess Connectivity Assistant configuration from which you can test other DirectAccess modular TLGs, TLG extensions, or for your own experimentation and learning, do the following:
1. On all physical computers or virtual machines in the test lab, close all windows and then perform a graceful shutdown.
2. If your lab is based on virtual machines, save a snapshot of each virtual machine and name the snapshots TLG UAG DirectAccess SP1RC DCA. If your lab uses physical computers, create disk images to save the DirectAccess test lab configuration.
For a comprehensive list of UAG DirectAccess Test Lab Guides, please see Test Lab Guides.