Resources For IT Professionals

United Kingdom (Proper English-like)

Skip to locale bar

•  

Test Lab Guide: Demonstrate Forefront UAG SP1 RC DirectAccess Connectivity Assistant - Community Edition - TechNet Articles - United States (English) - TechNet Wiki

·         Forefront UAG DirectAccess Design Guide

·         Forefront UAG DirectAccess Deployment Guide

In this guide

Overview of the test lab scenario

• One computer running Windows Server 2008 R2 Enterprise Edition (DC1), that is configured as an intranet domain controller, Domain Name System (DNS) server, Dynamic Host Configuration Protocol (DHCP) server, and an enterprise root certification authority (CA).
• One intranet member server running Windows Server 2008 R2 Enterprise Edition (UAG1), that is configured as a Forefront UAG DirectAccess SP1 RC server.
• One intranet member server running Windows Server 2008 R2 Enterprise Edition (APP1) that is configured as a general application server and network location server.
• One intranet member server running Windows Server 2003 SP2 (APP3) that is configured as an IPv4 only web and file server. This server is used to highlight the UAG’s NAT64/DNS64 capabilities.
• One standalone server running Windows Server 2008 R2 Enterprise Edition (INET1) that is configured as an Internet DNS and DHCP server.
• One standalone client computer running Windows 7 Ultimate Edition (NAT1), that is configured as a network address translator (NAT) device using Internet Connection Sharing.
• One roaming domain member client computer running Windows 7 Ultimate Edition (CLIENT1) that is configured as a DirectAccess client.

• A home network named Homenet (192.168.137.0/24) connected to the Internet subnet by NAT1.
• The Internet subnet (131.107.0.0/24).
• The Corpnet subnet (10.0.0.0/24) separated from the Internet by the Forefront UAG DirectAccess server.

Configuration component requirements

• The product disc or files for Windows Server 2008 R2 Enterprise Edition.
• The product disc or files for Windows Server 2003 Enterprise SP2
• The product disc or files for of Windows 7 Ultimate. 0pt;">Configuration component requirements
  The following components are required for configuring Forefront UAG DirectAccess in the test lab:
  • The product disc or files for Windows Server 2008 R2 Enterprise Edition.
  • The product disc or files for Win
  • Five computers or virtual machines that meet the minimum hardware requirements for Windows Server 2008 R2 Enterprise; two of these computers has two network adapters installed.
  • One computer or virtual machine that meets the minimum hardware requirements for Windows Server 2003 SP2
  • Two computers or virtual machines that meet the minimum hardware requirements for Windows 7 Ultimate; one of these computers has two network adapters installed (NAT1).
  • The product disc or a downloaded version of Microsoft Forefront Unified Access Gateway (UAG) SP1 RC.
  This Test Lab Guide demonstrates the UAG DirectAccess SP1 RC DirectAccess Connectivity Assistant.
  For more information about the different modes of NAP, see Stages of a NAP Deployment.

  Important

  The following instructions are for configuring a test lab using the minimum number of computers. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. It is important to remember that this configuration is neither designed to reflect best practices nor does it reflect a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed only to work on a separate test lab network.

  Attempting to adapt this test lab configuration to a pilot or production deployment can result in configuration or functionality issues. To ensure proper configuration and operation of UAG DirectAccess , please refer to the Forefront UAG DirectAccess Deployment Guide for the steps to configure the UAG DirectAccess server and supporting infrastructure servers.

  Steps for configuring the test lab

  The following sections describe how to configure UAG1, DC1 and CLIENT1 for UAG SP1 RC and the DCA. After UAG1, DC1 and CLIENT1 are configured, this guide provides steps for demonstrating the DCA functionality for CLIENT1 when it is connected to the Homenet subnet.

  Note

  You must be logged on as a member of the Domain Admins group or a member of the Administrators group on each computer to complete the tasks described in this guide. If you cannot complete a task while you are logged on with an account that is a member of the Administrators group, try performing the task while you are logged on with an account that is a member of the Domain Admins group. For all tasks described in this document you can use the CONTOSO\User1 account created when you went through the steps in the UAG DirectAccess Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess.

  The following procedures are performed to enable and allow you to test the UAG SP1 RC DCA:

  ·         Step 1: Complete the Demonstrate UAG SP1 RC DirectAccess Test Lab Guide – The first step is to complete all the steps in the Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess.

  ·         Step 1: Complete the Demonstrate UAG SP1 RC DirectAccess Test Lab Guide – The first step is to complete all the steps in the Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess.

  ·         Step 2: Configure INET1 with a Help.txt file. The DCA can provide DirectAccess users information about a web site they can go to in order to get help with DirectAccess related problems. In this step you will configure a web page that CLIENT1 can reach to get that help.

  ·         Step 3: Install and Configure the Web Server Role on DC1. The DCA uses a number of connectivity verifiers to determine intranet connectivity over the DirectAccess IPsec tunnels. In this step you will configure DC1 as a web server so that the DCA can use HTTPS to DC1 for a connectivity verifier.

  ·         Step 4: Run the UAG DirectAccess DCA Configuration Wizard on UAG1. UAG SP1 RC includes a new integrated DCA wizard that automatically configures and deploys GPO settings that enable the DCA. In this step you will run the UAG SP1 RC DCA wizard.

  ·         Step 5: Update Group Policy on CLIENT1 and Test DCA Functionality. The new DCA settings are deploy via the DirectAccess clients GPO. In this step you will update Group Policy on CLIENT1 and then test some of the DCA features.

  ·         Step 6: Snapshot the configuration. After completing the Test Lab, take a snapshot of the working UAG DirectAccess with NAP Test Lab so that you can return to it later to test additional scenarios.

  Note

  You will notice that there are several steps that begin with an asterisk (*). The * indicates that the step requires that you move to a computer or virtual machine that is different from the computer or virtual machine you were at when you completed the previous step.

  STEP 1: Complete the Demonstrate UAG SP1 RC DirectAccess Test Lab Guide

  The first step is to complete all the steps in the Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess. After completing the steps in that Test Lab Guide you will have the core infrastructure required to complete this Test Lab Guide on how to configure the UAG DirectAccess DCA.  If you have already completed the steps in that Test Lab Guide and saved a snapshot or disk image of the Test Lab, you can restore the snapshot or image and begin with the next step.

  STEP 2: Configure INET1 with the Help.txt File

  The DCA can expose to DirectAccess users a link to a location where they can find help. This location is configured in the UAG DirectAccess DCA wizard. In this step you will configure a Help.txt file that CLIENT1 will connect to when acting as a DirectAccess client.
  1. *At the INET1 computer or virtual machine, log on as Administrator. Click the Start button, click the Windows Explorer icon in the Task Bar.
  2. In Windows Explorer, navigate to C:\inetpub\wwwroot. In the right pane of the Windows Explorer windows, right click in an empty area, point to New and click Text Document.
  3. Rename New Text Document to help and press ENTER to save the new name.
  4. Double click on the help text document. In the help – Notepad window enter This is the place to get help with your DirectAccess problems.
  5. Close the help – Notepad window. In the Notepad dialog box, click Save.
  6. Close the Windows Explorer window.

  STEP 3: Install and Configure the Web Server Role on DC1

  The UAG DCA uses connectivity verifiers to determine DirectAccess connectivity to the intranet over the DirectAccess tunnels. Connectivity verifiers can use HTTP, HTTPS and SMB to assess the current connectivity status to the intranet over the DirectAccess IPsec tunnels. In this step you install the web server role on DC1 and then bind a certificate to the web site so that the DCA can establish an SSL session with DC1 to determine intranet connectivity.
  1. *At the DC1 computer or virtual machine, log on as User1.
  2. Open the Server Manager console if it does not open automatically. In the left pane of the Server Manager console, click Roles. In the right pane of the console, click the Add Roles link.
  3. On the Before You Begin page, click Next. On the Select Server Roles page, select Web Server (IIS) and click Next. On the Introduction to Web Server (IIS) page, click Next.
  4. On the Select Role Services page, click Next. On the Confirm Installation Selections page, click Install. On the Installation Results page, click Close.
  5. Click Start and point to Administrative Tools. Click Internet Information Services (IIS) Manager.
  6. In the left pane of the Internet Information Services (IIS) Manager, navigate to DC1 (CORP\User1)\Sites\Default Web Site. In the Actions pane, click Bindings.
  7. In the Site Bindings dialog box, click Add. In the Add Site Binding dialog box, from the Type drop down box, select https. From the SSL certificate drop down box, select DC1.corp.contoso.com. Click OK. In the Site Bindings dialog box, click Close.
  8. Close the Internet Information Services (IIS) Manager console.

  STEP 4: Run the UAG DirectAccess DCA Configuration Wizard on UAG1

  UAG SP1 RC includes a new wizard that enables you to configure the DCA so that you don’t have to manually configure Group Policy to support the DCA. In this step you will run the DCA wizard so that it will automatically provision Group Policy to configure the DCA on DirectAccess clients.
  1. *At the UAG1 computer or virtual machine log on as User1. Click Start and then click All Programs. Click Microsoft Forefront UAG and then click Forefront UAG Management.In the User Account Control dialog box, click Yes.
  2. In the left pane of the console, click DirectAccess. In the right pane of the console, in the Step 1 Clients and GPOs section, click the Client Connectivity Assistant link.
  3. In the Client Connectivity Assistant Configuration wizard, on the Client Connectivity page, select the Yes, configure application settings option. Confirm that there is a checkmark in the Allow users to use local name resolution instead of sending requests through corporate DNS servers. Click Next.
  4. On the Connection Verification page, click Add. In the Connectivity Verifier Details dialog box, select File from the Connectivity method drop down box. In the Verification server name, IP address or URL text box, enter \\APP1\Files\example.txt. Click the Validate Connectivity button. You should see a Validation dialog box informing you that A connection to the connectivity verifier was established. Click OK and then click OK again.
  5. Click Add. In the Connectivity Verifier Details dialog box, select the HTTP option from the Connectivity method drop down list. In the Verification server name, IP address, or URL text box, enter http://app1.corp.contoso.com. Click the Validate Connectivity button. You should see a Validation dialog box informing you that A connection to the connectivity verifier was established. Click OK and then click OK again.
  6. Click Add. In the Connectivity Verifier Details dialog box, select the HTTPS option from the Connectivity method drop down list. In the Verification server name, IP address, or URL text box, enter http://dc1.corp.contoso.com. Click the Validate Connectivity button. You should see a Validation dialog box informing you that A connection to the connectivity verifier was established. Click OK and then click OK again.
  7. On the Connection Verification page, click Next.
  8. On the Troubleshooting Portal page, select the This site (URL): option. In the text box below that option, enter http://inet1.isp.example.com/help.txt. In the Friendly name for URL link: text box, enter DirectAccess Help Center. Click Next.
  9. On the Diagnostic Logging page, in the Send client log files to text box, enter user1@corp.contoso.com. Click Finish.
  10. In the right pane of the console, click the Apply Policy button. On the Forefront UAG DirectAccess Configuration Review page, click Apply Now. In the DirectAccess Policy Configuration dialog box, click OK. Click Close on the Forefront UAG DirectAccess Configuration Review page.
  11. Open an elevated command prompt. In the command prompt window, enter gpupdate /force and press ENTER. Close the command prompt window.
  12. In the right pane of the console, click the Activate button. In the Activate Configuration dialog box, click Activate. Click Finish when the activation is complete. Close the UAG management console.

  STEP 5: Update Group Policy, Install the DCA and Test DCA Functionality on CLIENT1

  In this step you will update Group Policy on CLIENT1 so that it receives the new DCA related settings. Then you will install the DCA client software and finally test DCA functionality when CLIENT1 is located on the Homenet subnet.
  Update Group Policy on CLIENT1:
  1. *Connect CLIENT1 to the Corpnet subnet. Wait until the network icon in the notification area of the desktop displays a yellow caution sign.
  2. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. Click Yes at the User Account Control prompt.
  3. In the command prompt window, enter gpupdate /force and press ENTER. Wait for the command to complete and then close the command prompt window.
  Install the DCA software on CLIENT1:
  1. On CLIENT1, insert the UAG SP1 RC DVD into the computer or mount the UAG SP1 RC .iso file on the virtual machine. In the AutoPlay dialog box, click Open folder to view files.
  2. Navigate to the UAG\Microsoft Forefront Unified Access Gateway\common\bin\da\dca folder. Double click on the Microsoft_DirectAccess_Connectivity_Assistant file.
  3. In the Microsoft DirectAccess Connectivity Assistant Setup wizard, on the MICROSOFT PRE-RELEASE SOFTWARE LICENSE TERMS page, put a checkmark in the I accept the terms in the License Agreement checkbox and click Install. In the user Account Control dialog box, click Yes. On the Completed the Microsoft DirectAccess Connectivity Assistant Setup Wizard page, click Finish.
  4. You should now see the DCA icon in the system notification area.
  Test DCA Functionality on CLIENT1:
  1. Move CLIENT1 to the Homenet subnet and wait for the network icon in the system notification area to stop spinning. Right click the Taskbar and click Properties. In the Taskbar and Start Menu Properties dialog box, in the Nofication Area section, click Customize. On the Nofication Area Icons page, put a checkmark in the Always show all icons and notifications on the taskbar and click OK. Click OK in the Taskbar and Start Menu Properties dialog box.
  2. At this point you might notice a red “x” on the DCA icon. Open an elevated command prompt on CLIENT1. In the command prompt window enter net view \\dc1 and press ENTER. You should see a list of shares on DC1. In the command prompt window, enter net view \\app1 and press ENTER. If you receive a network path was not found error, then in the command prompt window enter ipconfig /flushdns and press ENTER. After that command completes, enter in the command prompt windows net view \\app1 and press ENTER. You should see a list of share on APP1. You should also see the red “x” disappear from the DCA icon.
  3. *Move to the APP1 computer or virtual machine. Open Windows Explorer and navigate to the C:\Files folder. Right click the Example file and click Rename. Rename the file to Example1 and press ENTER to save the file with the new name. Notice that a new empty file is created with the same name.
  4. *Move to the DC1 computer or virtual machine. Click Start and point to Administrative Tools. Click Internet Information Services (IIS) Manager. In the Internet Information Services (IIS) Manager console, in the left pane, click DC1 (CORP\User1). In the Actions pane, click Stop.
  5. *Move to the CLIENT1 computer or virtual machine and wait a few moments. You will notice that the DCA icon now has a red “x” on it. Right click the DCA icon and click Advanced Diagnostics.
  6. Notice under Advanced Log File that is says generating logs while it creates the log files. When it says Open logs directory click the Open logs directory link. Double click DcaDefaultLog.
  7. On the DirectAccess Connectivity Assistant Logs web page, note in the Probes List section a line that reads FAIL – The server name resolved successfully, but failed to access HTTP: https://dc1.corp.contoso.com. Note that the other two connectivity verifiers that you configured show as Notice under Advanced Log File that is says generating logs while it creates the log files. When it says Open logs directory click the Open logs directory link. Double click DcaDefaultLogPASS. Also note that there is a connectivity verifier that you didn’t configure – a ping test to the UAG DirectAccess server itself (PASS – PING: 2002:836b:3::836b:3). Scroll through the rest of the page to view the detailed information collected by the DCA client software. Close Internet Explorer. Close Windows Explorer.
  8. In the DCA dialog box, notice that the entry you make in the wizard DirectAccess Help Center appears, and under that is the URL you configured for the Help page. Click the http://inet1.isp.example.com link. You should see the help page that reads This is the place to get help with your DirectAccess problems. Close Internet Explorer. Note the Email Logs button. If there were an email client application installed on CLIENT1, you could click that button and it would automatically email the log files to user1@corp.contoso.com, as you configure in the DCA wizard. Click Close in the Microsoft DirectAccess Connectivity Assistant dialog box. Close all open windows on CLIENT1.
  9. *Move to the DC1 computer or virtual machine. In the Internet Information Services (IIS) Manager console, in the Actions pane, click Start. Close all open windows on DC1.
  It is important to note that the DCA icon may show a red “x” even when there is connectivity to the intranet. The red “x” appears when any of the connectivity verifiers is unavailable to the DirectAccess client. It is recommended that you specify a diverse set of resources for your connectivity verifiers. This diversity helps ensure that a failure to access a resource is an unambiguous indication of a problem with DirectAccess rather than a problem with another component.
  For example, if all of the specified resources are behind a network address translating application layer gateway (NAT64), the failure of DCA to access the test resources might indicate a failure of the NAT64 rather than a failure of DirectAccess. Instead, identify one resource behind the NAT64, another behind an ISATAP gateway, and so on. Also note that you must not use the Network Location Server as a connectivity verifier, since the name of the Network Location Server cannot be resolved by the DirectAccess client.

  STEP 6: Snapshot the Configuration

  This completes the UAG SP1 RC DirectAccess Connectivity Assistant test lab. To save this configuration so that you can quickly return to a working UAG SP1 RC DirectAccess Connectivity Assistant configuration from which you can test other DirectAccess modular TLGs, TLG extensions, or for your own experimentation and learning, do the following:
  1.       On all physical computers or virtual machines in the test lab, close all windows and then perform a graceful shutdown.
  2.       If your lab is based on virtual machines, save a snapshot of each virtual machine and name the snapshots TLG UAG DirectAccess SP1RC DCA. If your lab uses physical computers, create disk images to save the DirectAccess test lab configuration.

  Additional Resources

  For procedures to configure the Base Configuration test lab on which this document is based, see the Test Lab Guide: Base Configuration.
  For procedures to configure UAG SP1 RC DirectAccess on which this document is baseG DirectAccess SP1RC DCA. If your lab uses physical computers, create disk images to save the DirectAccess test lab configuratid, see the Test Lab Guide: Demonstrate Forefront UAG SP1 RC DirectAccess.
  For a comprehensive list of UAG DirectAccess Test Lab Guides, please see Test Lab Guides.
  For the design and configuration of your pilot or production deployment of DirectAccess, see the Forefront UAG DirectAccess design guide and the Forefront UAG DirectAccess deployment guide.
  For information about troubleshooting DirectAccess, see the DirectAccess Troubleshooting Guide.
  For information on troubleshooting UAG DirectAccess in a Test Lab, see Test Lab Guide: Troubleshooting UAG DirectAccess.
  For more information about DirectAccess, see the DirectAccess Getting Started Web page and the DirectAccess TechNet Web page.