Warning about this blog post
The information in this blog post is based on the UAG 2010 SP1 Release Candidate bits available since October 21 at this location. The RTM release of UAG 2010 SP1 could include changes. For this reason, consider this blog post a technical preview.
Setup of UAG 2010 SP1 RC
The first new things appear as early as the Setup of UAG SP1 RC. First, Windows Identity Foundation is not part of the UAG Setup, although it is a requirement for ADFS 2.0. There would be a lot to say about this, but it is not the focus of this blog post.
Second piece of news at the setup level: TMG is now installed together with its recently released SP1. You will only have to patch TMG with the first update available today.
New DirectAccess console
This new DirectAccess console includes design improvements but also technical ones. At first glance, we can see that the UAG team made a huge effort to bring into the new console many of the post-configuration steps that had to be done by hand with the RTM release of UAG.
Client side configuration
Just like UAG 2010 RTM, the new console starts with the client-side configuration, and here is one of the new technical improvements. In UAG RTM, any user on a managed Windows 7 computer can access the company's internal network. In UAG 2010 SP1, a new mode appears: client computers will be able to access the corporate network (and be managed from this network), but users won't be able to access the network. Technically, only the infrastructure tunnel authenticated with the computer account is established; the user tunnel is never built. In this configuration, DirectAccess is only used to enhance the management of computers located outside the corporate network. That's something I will develop later in a dedicated blog post.
Initially, UAG DirectAccess only covered a single Active Directory domain. In UAG 2010 SP1 RC, you can manage multiple domains because the GPOs can be linked to multiple domains. The only thing missing is a UAG resource forest scenario. That's something I will develop later in a dedicated blog post series.
Initially, UAG linked all its group policies at the root of the Active Directory domain. That was bad. Even with correct filtering, that was bad: every computer and user in the domain evaluated the policies, with only security filtering standing between them and settings meant for DirectAccess clients. With UAG SP1, you will be able to change the GPO names and links during the DirectAccess configuration, and even export these GPOs so that you can link them yourself later.
Another improvement of the client-side configuration is the ability to filter the GPOs by organizational unit rather than by group membership. Good point.
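As an added example (not code from the original post or from the UAG product), here is how the exported client GPO can be imported, scoped and linked to an OU instead of the domain root with the GroupPolicy module of Windows Server 2008 R2. The domain name, OU distinguished name, security group, export folder and GPO name are assumptions; replace them with the values you chose in the wizard.

```powershell
# Added example: import the DirectAccess client GPO exported by the UAG SP1 wizard,
# scope it with security filtering and link it to a dedicated OU rather than the domain root.
# All names and paths below are assumptions.
Import-Module GroupPolicy

$domain      = 'corp.example.com'                                                    # assumed
$domainRoot  = 'DC=corp,DC=example,DC=com'                                           # assumed
$backupPath  = 'C:\UAG\GPO-Export'                                                   # assumed export folder
$gpoName     = 'UAG DirectAccess: Clients'                                           # assumed name given in the wizard
$clientOU    = 'OU=DirectAccess Clients,OU=Workstations,DC=corp,DC=example,DC=com'   # assumed
$clientGroup = 'CORP\DirectAccess Computers'                                         # assumed security group

# 1. Import the exported GPO under the same name (created if it does not exist yet).
Import-GPO -BackupGpoName $gpoName -Path $backupPath -TargetName $gpoName `
           -CreateIfNeeded -Domain $domain | Out-Null

# 2. Narrow the scope: Authenticated Users only read the GPO, the client group applies it.
Set-GPPermission -Name $gpoName -Domain $domain -TargetName 'Authenticated Users' `
                 -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -Domain $domain -TargetName $clientGroup `
                 -TargetType Group -PermissionLevel GpoApply | Out-Null

# 3. Link at the OU, not at the domain root.
New-GPLink -Name $gpoName -Domain $domain -Target $clientOU -LinkEnabled Yes | Out-Null

# 4. Verify: linked at the OU, and absent from the domain-root links.
$rootLinks = (Get-GPInheritance -Domain $domain -Target $domainRoot).GpoLinks | ForEach-Object { $_.DisplayName }
$ouLinks   = (Get-GPInheritance -Domain $domain -Target $clientOU).GpoLinks   | ForEach-Object { $_.DisplayName }
if ($rootLinks -contains $gpoName) { Write-Warning "$gpoName is still linked at the domain root" }
if ($ouLinks   -contains $gpoName) { Write-Host    "$gpoName is linked at $clientOU" }
```

The same pattern applies to the server-side GPO: import it, restrict Apply to the group or OU holding the DirectAccess servers, and link it where those servers live.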
DirectAccess Connectivity Assistant
This is another client-side improvement, and an optional step of the client-side configuration. With UAG 2010 SP1 RC, you will be able to include the DirectAccess Connectivity Assistant (DCA, release 1.5) settings in the DirectAccess client-side Group Policy. You no longer need to create an additional GPO to configure the DCA.
The DCA configuration can include multiple resource tests, such as HTTP, HTTPS and file access. A failure of these tests generates a pop-up on the client computer to inform the user.
In case of failure, you can redirect the user to a simple web site with information, or to the UAG portal collocated on the same UAG server.
In the final stage of the DCA configuration, you must provide the email address to which users will send the collected traces for troubleshooting purposes.
Note: you will find the DirectAccess Connectivity Assistant package in <UAG installation directory>\Common\Bin\DA\DAC
Server side Configuration
This part also includes many technical improvements. Let's start with the standard configuration.
Nothing brand new at this stage. You still need to select the correct IP addresses for the external- and internal-facing interfaces, and respect the DirectAccess requirements (two consecutive public IPv4 addresses on the external interface for Teredo) to continue the configuration.
A cosmetic improvement: you now have a dedicated interface to select the IP-HTTPS certificate. Nothing really new.
Along with the dedicated interface for the IP-HTTPS certificate selection, there is also a dedicated interface for IPsec authentication.
And now something really new, an important improvement for DirectAccess scenarios. Until now, DirectAccess allowed you to use a smart card for IPsec tunnel authentication, but not to require one for logon: the logon itself was performed with cached credentials. With UAG 2010 SP1 RC we will be able to require a smart card or a one-time password (OTP) device. A great improvement.
Another great improvement is the NAP integration. You can now choose between monitoring and enforcement mode for NAP.
NAP configuration is now fully integrated into the UAG DirectAccess configuration. No need for an additional group policy for the NAP client configuration. Great.
The NAP configuration is not complete until you designate one or more Health Registration Authorities and select a certificate template carrying the System Health Authentication application policy.
Note that UAG DirectAccess can:
- Install the Health Registration Authority on the UAG server
- Configure the Health Registration Authority on the UAG server
- Configure the Connection Request Policy
- Configure the two Network Policies
- Configure the two Health Policies (watch out: the requirement level is high)
- Configure the DomainHRA and NonDomainHRA web applications on the IIS located on the UAG server
- Configure NAP on the client side for NAP IPsec enforcement, and enable Security Center
The UAG DirectAccess console won't:
- Install a PKI for the NAP certificates
- Create the System Health Authentication certificate template
- Manage NAP exemptions for UAG, the domain controllers or other critical servers
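As an added example (not code from the original post or from the UAG product), here are post-deployment checks to run on a Windows 7 DirectAccess client once the NAP step of the wizard has applied. They cover what the wizard pushes through the GPO (NAP agent, HRA URLs, IPsec enforcement client) and the one thing it cannot do for you, the health certificate issued from the template you created on your own PKI. The EKU OID is the well-known System Health Authentication application policy; the way the HRA URLs are extracted from the netsh output is an assumption.

```powershell
# Added example: NAP client checks after the UAG SP1 NAP step has been applied on a Windows 7 client.
# The OID is the standard System Health Authentication application policy.
$shaEku = '1.3.6.1.4.1.311.47.1.1'

function Get-NapHealthCertificate {
    # Health certificates are issued by the HRA and carry the System Health Authentication EKU.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $ekus = $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value }
        $ekus -contains $shaEku
    }
}

function Get-NapHraUrl {
    # The wizard places the HRA URLs (DomainHRA / NonDomainHRA on the UAG server) in the NAP client
    # group policy. Assumption: pick the URLs out of the netsh text instead of relying on its labels.
    $text = (netsh nap client show grouppolicy) -join "`n"
    [regex]::Matches($text, 'https?://[^\s"]+') | ForEach-Object { $_.Value } | Sort-Object -Unique
}

# 1. NAP Agent service: required for any enforcement client to work.
$agent = Get-Service napagent
if ($agent.Status -ne 'Running') { Write-Warning "NAP Agent service is $($agent.Status)" }

# 2. HRA URLs delivered by policy: without them the client cannot obtain a health certificate.
$urls = Get-NapHraUrl
if (-not $urls) { Write-Warning 'No HRA URL found in the NAP client group policy' }
else { $urls | ForEach-Object { Write-Host "HRA: $_" } }

# 3. Health certificate present and not expired (they are short-lived and renewed by the NAP agent).
$hc = Get-NapHealthCertificate
if (-not $hc) {
    Write-Warning 'No System Health Authentication certificate: in enforcement mode the IPsec tunnels will not come up'
} else {
    $hc | ForEach-Object { Write-Host ("Health certificate {0} valid until {1}" -f $_.Subject, $_.NotAfter) }
}

# 4. Enforcement clients and compliance state as the agent sees them: the IPsec Relying Party must be enabled.
netsh nap client show state
```

Run it as an administrator on the client; the last command prints the enforcement client list that the UAG GPO is supposed to have enabled, so a disabled IPsec Relying Party there means the client-side GPO did not apply.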
By default, DirectAccess is deployed in split-tunnel mode. In UAG 2010 RTM we had to configure some group policy parameters ourselves to switch to force tunneling mode. With UAG 2010 SP1 RC, this is built into an optional configuration step.
Just like the client-side configuration, UAG 2010 SP1 RC allows you to filter the server-side group policy by server name or organizational unit.
Nothing new on this configuration step. The Network Location Server must be reachable over HTTPS and return content in response. Clients use it to detect whether they are inside the corporate network: if it cannot be reached from the LAN, clients believe they are outside, apply the NRPT and lose intranet name resolution; conversely, it must not be reachable from the Internet, otherwise remote clients would believe they are on the intranet and never bring up the tunnels.
Nothing new on this configuration step. These DNS suffixes will be declared in the Name Resolution Policy Table included in the client-side Group Policy, just like the name resolution option.
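As an added example (not code from the original post or from the UAG product), here is a client-side check of what the NLS, NRPT and force tunneling steps above produce on a Windows 7 client connected to the LAN: the NLS answers an HTTPS GET with a 200 and a trusted certificate, the NRPT rules from the client GPO are present with an exemption for the NLS name, and whether force tunneling was pushed. The NLS URL is an assumption; the registry locations are the ones the Windows 7 DirectAccess policy settings write to, so verify them against your own GPO.

```powershell
# Added example: client-side view of the NLS / NRPT / force tunneling configuration on Windows 7.
$nlsUrl = 'https://nls.corp.example.com/'   # assumed NLS URL configured in the wizard

function Test-NlsReachable([string]$Url) {
    try {
        $req = [System.Net.HttpWebRequest]::Create($Url)
        $req.Method  = 'GET'
        $req.Timeout = 5000
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        # DirectAccess only needs a 200; the certificate chain was validated by .NET before we got here.
        return ($code -eq 200)
    } catch [System.Net.WebException] {
        # Status TrustFailure = untrusted certificate or name mismatch; anything else = unreachable or 4xx/5xx.
        Write-Warning ("NLS probe failed: {0} ({1})" -f $_.Exception.Message, $_.Exception.Status)
        return $false
    }
}

function Get-NrptRule {
    # Assumed location of the policy-delivered NRPT rules on Windows 7.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig'
    if (-not (Test-Path $base)) { return @() }
    Get-ChildItem $base | ForEach-Object {
        $rule = Get-ItemProperty $_.PSPath
        New-Object PSObject -Property @{
            Namespace  = ($rule.Name -join ',')
            DnsServers = ($rule.DirectAccessDNSServers -join ',')   # empty = exemption, resolved by the local resolver
            Enabled    = $rule.DirectAccessEnabled
        }
    }
}

function Test-ForceTunneling {
    # Assumed value written by the "Route all traffic through the internal network" policy setting.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition'
    if (-not (Test-Path $key)) { return $false }
    return ((Get-ItemProperty $key).Force_Tunneling -eq 'Enabled')
}

if (Test-NlsReachable $nlsUrl) { Write-Host "NLS $nlsUrl reachable: the client should detect 'inside corporate network'" }
else { Write-Warning 'NLS unreachable: clients on the LAN will apply the NRPT and lose intranet name resolution' }

$rules = Get-NrptRule
$rules | Format-Table Namespace, DnsServers, Enabled -AutoSize
$nlsHost = ([System.Uri]$nlsUrl).Host
if (-not ($rules | Where-Object { $_.Namespace -eq $nlsHost -and -not $_.DnsServers })) {
    Write-Warning "No NRPT exemption for $nlsHost: the NLS probe would be sent through the DirectAccess tunnel"
}

if (Test-ForceTunneling) { Write-Host 'Force tunneling is enabled: all traffic goes through the UAG server' }
else { Write-Host 'Split tunneling (default)' }
```

The built-in views of the same state on Windows 7 are `netsh namespace show effectivepolicy` for the NRPT and `netsh dnsclient show state` for the inside/outside decision; the script above only makes the check repeatable and explicit about why the NLS exemption matters.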
This configuration step allows you to provide additional domains to be included in the DirectAccess infrastructure.
Nothing really new on this configuration step, except that management servers are now automatically detected.
This final configuration step is optional: use it if you want to configure end-to-end authentication or encryption.
And at last, the weak point of UAG 2010 RTM: the monitoring of DirectAccess. The initial release of UAG only provided a PowerShell cmdlet that collected information about current sessions. With UAG 2010 SP1 RC, you will find a real monitoring solution, including the health of all components involved in UAG DirectAccess.
The new Web Monitor console also provides a graphical interface to search for DirectAccess sessions based on multiple criteria:
- Client computer account
- User account
- Certificate subject name
- IPv6 source address
In less than a year, the UAG team has provided two updates for its product, but none of them provided real enhancements for DirectAccess. With this UAG 2010 SP1 RC, the UAG team brings new deployment scenarios and greater flexibility in DirectAccess deployments. I don't know when the RTM is expected, but follow the Edge Man blog. I am sure this guy will provide new deployment guides very soon.
Stay tuned. I will also develop some of these cool new DirectAccess features.
BenoîtS – Simple and Secure by Design but Business compliant.