
Test Lab Guide: Demonstrate Forefront UAG DirectAccess Network Load Balancing and Array Configuration

Microsoft Corporation

Published: July 2010

Abstract

DirectAccess is a new feature in the Windows® 7 and Windows Server® 2008 R2 operating systems that enables remote users to securely access intranet shared folders, Web sites, and applications without connecting to a virtual private network (VPN). Forefront UAG DirectAccess extends the benefits of Windows DirectAccess across your infrastructure by enhancing availability and scalability, as well as simplifying deployments and ongoing management. This paper contains step-by-step instructions for extending the Test Lab Guide: Demonstrate UAG DirectAccess to demonstrate UAG DirectAccess Network Load Balancing and array configuration with a simulated Internet, intranet, and home network.

Copyright Information

This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2010 Microsoft Corporation. All rights reserved.

Last Updated July 26, 2010

Microsoft, Windows, Active Directory, Internet Explorer, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

Contents

Introduction
    In this guide
Overview of the test lab scenario
Configuration component requirements
Steps for configuring the test lab
    STEP 1: Complete the UAG DirectAccess Test Lab Guide
    STEP 2: Install and Configure UAG2
        A. Install the Operating System on UAG2
        B. Configure TCP/IP Properties on UAG2
        C. Rename UAG2 and Join it to the CORP Domain
        D. Install the IP-HTTPS Certificate on UAG2
    STEP 3: Create the Networked Load Balanced UAG DirectAccess Array
        A. Update ISATAP records on the DNS server to include future VIPs and DIPs
        B. Install Update 1 and KB 977342 on UAG1
        C. Change the Single Server IP addressing configuration on UAG1
        D. Change the UAG1 Single Server Configuration to an Array Manager
        E. Configure UAG2 as a new node in the UAG DirectAccess Array
        F. Configure NLB on the Array Manager (UAG1)
        G. Reconfigure and Apply new Configuration Settings for UAG DirectAccess
        H. Start Network Load Balancing on the Array
    STEP 4: Test DirectAccess Client Connectivity through the NLB Array
    STEP 5: Snapshot the Configuration
Additional Resources

Introduction

Forefront Unified Access Gateway (UAG) provides users with the experience of being seamlessly connected to their intranet any time they have Internet access. When DirectAccess is enabled, requests for intranet resources (such as e-mail servers, shared folders, or intranet Web sites) are securely directed to the intranet, without the need for users to connect to a VPN. DirectAccess enables increased productivity for a mobile workforce by offering the same connectivity experience both inside and outside of the office. Forefront UAG DirectAccess extends the benefits of Windows DirectAccess across your infrastructure by enhancing availability and scalability, as well as simplifying deployments and ongoing management. For more information, see Overview of Forefront UAG DirectAccess.

In this guide

This guide provides step-by-step instructions for configuring an NLB enabled Forefront UAG DirectAccess array in a test lab so that you can see how it works. You will set up and deploy Forefront UAG DirectAccess using six server computers, two client computers, Windows Server 2008 R2 Enterprise Edition, and Windows 7 Ultimate Edition. The Test Lab simulates intranet, Internet, and home networks, and demonstrates Forefront UAG DirectAccess in different Internet connection scenarios. The starting point for this paper is the Test Lab Guide: Demonstrate UAG DirectAccess.

Important:

These instructions are designed for configuring a test lab using the minimum number of computers. Individual computers are needed to separate the services provided on the network, and to show clearly the required functionality. This configuration is not designed to reflect best practices, nor does it reflect a required or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed to work only on a separate test lab network. For more information on planning and deploying DirectAccess with Forefront UAG, please see the Forefront UAG DirectAccess design guide and the Forefront UAG DirectAccess deployment guide.

Overview of the test lab scenario

In this test lab scenario, Forefront UAG DirectAccess is deployed with:

One computer running Windows Server 2008 R2 Enterprise Edition (DC1), that is configured as an intranet domain controller, Domain Name System (DNS) server, Dynamic Host Configuration Protocol (DHCP) server, and an enterprise root certification authority (CA).

One intranet member server running Windows Server 2008 R2 Enterprise Edition (UAG1), that is configured as the first Forefront UAG DirectAccess server in a Forefront UAG DirectAccess server array.

One intranet member server running Windows Server 2008 R2 Enterprise Edition (UAG2), that is configured as the second Forefront UAG DirectAccess server in a Forefront UAG DirectAccess server array.

One intranet member server running Windows Server 2008 R2 Enterprise Edition (APP1) that is configured as a general application server and network location server. This server is used to complete a Forefront UAG DirectAccess server array to highlight centralized configuration and Network Load Balancing high availability.

One intranet member server running Windows Server 2003 SP2 (APP3) that is configured as an IPv4 only web and file server. This server is used to highlight the NAT64/DNS64 capabilities.

One standalone server running Windows Server 2008 R2 Enterprise Edition (INET1) that is configured as an Internet DNS and DHCP server.

One standalone client computer running Windows 7 Ultimate Edition (NAT1), that is configured as a network address translator (NAT) device using Internet Connection Sharing.

One roaming member client computer running Windows 7 Ultimate (CLIENT1) that is configured as a DirectAccess client.

The test lab consists of three subnets that simulate the following:

A home network named Homenet (192.168.137.0/24) connected to the Internet by a NAT.

The Internet (131.107.0.0/24).

An intranet named Corpnet (10.0.0.0/24) separated from the Internet by the Forefront UAG DirectAccess server.

Computers on each subnet connect using either a physical or virtual hub or switch, as shown in the following figure.

Configuration component requirements

The following components are required for configuring Forefront UAG DirectAccess in the test lab:

The product disc or files for Windows Server 2008 R2 Enterprise Edition.

The product disc or files for Windows Server 2003 Enterprise SP2.

The product disc or files for Windows 7 Ultimate.

Six computers or virtual machines that meet the minimum hardware requirements for Windows Server 2008 R2 Enterprise; two of these computers have two network adapters installed.

One computer or virtual machine that meets the minimum hardware requirements for Windows Server 2003 SP2.

Two computers or virtual machines that meet the minimum hardware requirements for Windows 7 Ultimate; one of these computers has two network adapters installed.

The product disc or a downloaded version of Microsoft Forefront Unified Access Gateway (UAG) RTM.

Steps for configuring the test lab

The following steps describe how to configure the server and client computers, and configure the Forefront UAG DirectAccess server, in a test lab. Following these configurations you can verify DirectAccess connectivity from the Internet and Homenet subnets.

Note:

You must be logged on as a member of the Domain Admins group or as a member of the Administrators group on each computer to complete the tasks described in this guide. If you cannot complete a task while you are logged on with an account that is a member of the Administrators group, try performing the task while you are logged on with an account that is a member of the Domain Admins group.

In this Test Lab Guide you will build an NLB enabled UAG DirectAccess array by performing the following steps:

Step 1: Complete the Demonstrate UAG DirectAccess Test Lab Guide – The first step is to complete all the steps in the Test Lab Guide: Demonstrate UAG DirectAccess.

Step 2: Install and Configure UAG2 – UAG2 acts as the second DirectAccess server in a Forefront UAG DirectAccess array.

Step 3: Create a Networked Load Balanced UAG DirectAccess Array – UAG1 is configured as an Array Master in a Forefront UAG DirectAccess array. UAG2 is joined to the array and Network Load Balancing is configured for the array.

Step 4: Test DirectAccess Client Connectivity through the NLB Array – After NLB and array configuration is complete, you can test DirectAccess client connectivity through the array.

Step 5: After completing the Test Lab, take a snapshot of the working UAG DirectAccess NLB array so that you can return to it later to test additional scenarios.

STEP 1: Complete the UAG DirectAccess Test Lab Guide

The first step is to complete all the steps in the Test Lab Guide: Demonstrate UAG DirectAccess. After completing the steps in that Test Lab Guide you will have the core infrastructure required to complete this Test Lab Guide on how to configure UAG DirectAccess NLB enabled arrays. If you have already completed the steps in that Test Lab Guide and saved a snapshot or disk image of the Test Lab, you can restore the snapshot or image and begin with the next step.

STEP 2: Install and Configure UAG2

UAG2 is the second member of a UAG DirectAccess array. When the array is configured, UAG1 is the Array Master and UAG2 is the second member of the array. UAG2 is installed and configured before enabling the array configuration.

You will perform the following steps to configure UAG2:

A. Install the operating system on UAG2. Install Windows Server 2008 R2 Enterprise Edition on UAG2.

B. Configure TCP/IP Properties on UAG2. After installing the operating system on UAG2, configure static IP addressing information on its internal and external network interface cards.

C. Rename UAG2 and Join it to the CORP Domain. Rename the computer to UAG2 and join it to the CORP domain. Domain membership is required for a UAG DirectAccess array.

D. Install the IP-HTTPS Certificate on UAG2. To accept incoming IP-HTTPS requests, the UAG2 DirectAccess array member requires a copy of the web site certificate used by the IP-HTTPS on UAG1 installed in its machine certificate store.

A. Install the Operating System on UAG2

The first step is to install Windows Server 2008 R2 Enterprise Edition on UAG2. This is required as Forefront UAG must be installed on Windows Server 2008 R2.

1. On UAG2, start the installation of Windows Server 2008 R2 Enterprise Edition.

2. Follow the instructions to complete the installation, specifying Windows Server 2008 R2 Enterprise Edition and a strong password for the local Administrator account. Log on using the local Administrator account.

3. Connect the network adapter to the Corpnet subnet or the virtual switch representing the Corpnet subnet.

B. Configure TCP/IP Properties on UAG2

After installing the operating system on UAG2, configure its TCP/IP Properties to provide the server IP address, subnet mask, DNS server address information as well as a connection specific suffix. Note that the connection specific suffix is not required for a working DirectAccess solution, but simplifies name resolution and ISATAP adapter names.

1. At UAG2, in Initial Configuration Tasks, click Configure networking.

2. In Network Connections, right-click the network connection that is connected to the Corpnet subnet or virtual switch, and then click Rename.

3. Type Corpnet, and then press ENTER.

4. Right-click Corpnet, and then click Properties.

5. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

6. Select Use the following IP address. In IP address, enter 10.0.0.19. In Subnet mask, type 255.255.255.0.

7. Select Use the following DNS server addresses. In Preferred DNS server, type 10.0.0.1.

8. Click Advanced, and then the DNS tab.

9. In DNS suffix for this connection, type corp.contoso.com, click OK twice, and then click Close. (A connection specific DNS suffix is not required for DirectAccess to work correctly).

10. In the Network Connections window, right-click the network connection that is connected to the Internet subnet, and then click Rename.

11. Enter Internet, and then press ENTER.

12. Right-click Internet, and then click Properties.

13. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

14. Select Use the following IP address. In IP address, enter 131.107.0.19. In Subnet mask, enter 255.255.255.0.

15. Click Advanced then click the DNS tab.

16. In DNS suffix for this connection, type isp.example.com, and then click OK twice and then click Close. (A connection specific DNS suffix is not required for DirectAccess to work correctly).

17. Close the Network Connections window.

18. To check network communication between UAG2 and DC1, click Start, click All Programs, click Accessories, and then click Command Prompt.

19. In the command window, type ping dc1.corp.contoso.com and press ENTER. Verify that there are four responses from 10.0.0.1 or the ISATAP address 2002:836b:2:8000:0:5efe:10.0.0.1.

20. Close the command window.

C. Rename UAG2 and Join it to the CORP Domain

The installation routine created a default computer name. Change the computer name from its default to UAG2.

1. On UAG2, in Initial Configuration Tasks, click Provide computer name and domain.

2. In the System Properties dialog box, click Change. In the Computer Name/Domain Changes dialog box, in the Computer name text box, enter UAG2. In the Member of frame, select the Domain option, and enter corp.contoso.com in the text box. Click OK.

3. In the Computer Name/Domain Changes dialog box, enter CORP\User1 in the User name text box and the password in the Password text box. Click OK.

4. In the Computer Name/Domain Changes dialog box, click OK.

5. In the System Properties dialog box, click Close.

6. In the Microsoft Windows dialog box, click Restart Now.

7. After restarting, log on as CORP\User1.

D. Install the IP-HTTPS Certificate on UAG2

UAG2 will be joined to a UAG array with UAG1. In order to accept IP-HTTPS connections while part of the UAG DirectAccess array, UAG2 needs to use the same certificate as the IP-HTTPS listener as that used by UAG1. To do this, the IP-HTTPS certificate must be exported (with its private key) from UAG1 and imported into the machine configuration store on UAG2. The procedure starts out on UAG1, where the certificate export takes place.

1. On UAG1, click Start and enter mmc into the search box. Click Yes in the UAC dialog box.

2. In the mmc console, click File and click Add/Remove Snap-in.

3. In the Add or Remove Snap-ins dialog box, click Certificates and click Add.

4. On the Certificates snap-in page, select Computer account and click Next.

5. On the Select Computer page, select Local computer and click Finish.

6. Click OK in the Add or Remove Snap-ins dialog box.

7. In the left pane of the console, navigate to Certificates (Local Computer)\Personal\Certificates. Right click the uag1.contoso.com certificate, point to All Tasks and click Export.

8. On the Welcome to the Certificate Export Wizard page, click Next.

9. On the Export Private Key page, select Yes, export the private key and click Next.

10. On the Export File Format page, ensure that the Personal Information Exchange – PKCS #12 (.PFX) format is selected. Click Next.

11. On the Password page, enter a password in the Password text box and confirm the password. Click Next.

12. On the File to Export page, name the file IPHTTPSCert and save it to the desktop. Click Next.

13. On the Completing the Certificate Export Wizard page, click Finish.

14. In the Certificate Export Wizard dialog box, click OK.

15. Copy the certificate to the UAG2 computer or virtual machine.

16. On UAG2, click Start and then enter mmc in the Search box. Press ENTER.

17. In the MMC console, click File and then click Add/Remove Snap-in.

18. In the Add or Remove Snap-ins dialog box, click Certificates and then click Add.

19. On the Certificates snap-in page, select Computer account and click Next.

20. On the Select Computer page, select Local computer and click Finish.

21. Click OK in the Add or Remove Snap-ins dialog box.

22. In the left pane of the console, navigate to Certificates (Local Computer)\Personal\Certificates. Right click the Certificates node and point to All Tasks. Click Import.

23. On the Welcome to the Certificate Import Wizard page, click Next.

24. On the File to Import page, use the Browse button to locate the certificate. Select the certificate and then click Next.

25. On the Password page, enter the password in the Password text box and then click Next.

26. On the Certificate Store page, click Next.

27. On the Completing the Certificate Import Wizard page, click Finish.

28. In the Certificate Import Wizard dialog box, click OK.

STEP 3: Create the Networked Load Balanced UAG DirectAccess Array

Forefront UAG enables you to create arrays of DirectAccess servers. An array acts as a single logical server and provides centralized configuration and management for up to 8 UAG DirectAccess members in a single array. UAG DirectAccess arrays also support Network Load Balancing (NLB), which provides high availability and load balancing of connections to the UAG DirectAccess array.

The following procedures enable you to create and test a UAG DirectAccess array:

A. Update ISATAP records on the DNS server to include future VIPs and DIPs. ISATAP enabled hosts on the corporate network use the UAG server or array to receive configuration and routing information. Each member of the array can answer requests from ISATAP hosts from an internal Dedicated IP Address (DIP) or Virtual IP Address (VIP). In this step DNS is updated with the new IP addresses for the ISATAP servers in the array.

B. Install Update 1 and KB 977342 on UAG1. UAG Update 1 includes a number of updates that should be enabled to support a UAG DirectAccess NLB enabled array. In addition, you will need to install hotfix KB 977342.

C. Change the Single Server IP addressing configuration on UAG1. The IP addressing on UAG1 is changed to support the new IP addressing used for the array. The IP addressing changes are done in a way that creates minimum disruption to the DirectAccess configuration and does not require the DirectAccess client to receive new Group Policy settings to connect to the array.

D. Change the UAG1 Single Server Configuration to an Array Manager. UAG1 was originally installed in single server mode. This step includes procedures that change UAG1 from single server mode to an Array Manager in a UAG DirectAccess array.

E. Configure UAG2 as a New Node in the UAG DirectAccess Array. UAG DirectAccess arrays contain from 2 to 8 nodes. UAG1 is configured as the first node, and UAG2 is the second node. In this step, you install and configure UAG2 as the second member of the UAG DirectAccess array.

F. Configure Network Load Balancing on the Array Manager (UAG1). After the UAG DirectAccess configuration is complete, it is ready to support Network Load Balancing to provide load balancing and high availability for DirectAccess client connections.

G. Reconfigure and Apply New Configuration Settings for UAG DirectAccess. Settings enabled by Group Policy need to be updated after making the array and NLB configuration changes. This step reconfigures the DirectAccess settings and redeploys them.

H. Start Network Load Balancing on the Array. Start Network Load Balancing after the configuration changes are made in the DirectAccess configuration.

I. Test DirectAccess Client Connectivity through the UAG DirectAccess NLB Array. This step tests UAG DirectAccess client connectivity and validates the array and NLB configurations.

A. Update ISATAP records on the DNS server to include future VIPs and DIPs

We will continue to use 10.0.0.2 for an ISATAP address on the network. However, we need to add two more addresses: one is the Dedicated IP Address (DIP) on the internal interface on UAG2 and the other is the new DIP that will later be assigned to UAG1. The new addresses are: 10.0.0.19, which is the DIP on UAG2, and 10.0.0.18, which will be the DIP on the internal interface of UAG1 when NLB is enabled. Therefore, we will add new Host (A) records for ISATAP: 10.0.0.18 and 10.0.0.19.

1. At the DC1 computer or virtual machine, open the DNS console.

2. In the DNS console, expand the server name and then expand the Forward Lookup Zones node. Click corp.contoso.com. Right click corp.contoso.com and click New Host (A or AAAA).

3. In the New Host dialog box, enter ISATAP in the Name text box. In the IP address text box, enter 10.0.0.18. Click Add Host. Click OK in the DNS dialog box indicating that the record was successfully created.

4. In the New Host dialog box, enter ISATAP in the Name text box. In the IP address text box, enter 10.0.0.19. Click Add Host. Click OK in the DNS dialog box indicating that the record was successfully created.

5. Click Done in the New Host dialog box.

6. Close the DNS console.
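The following is an added example, not part of this Test Lab Guide, that derives the 6to4 prefix and ISATAP addresses the lab relies on, so that the reply expected in step 19 of "Configure TCP/IP Properties on UAG2" and the ISATAP addresses behind the A records just added (10.0.0.2, 10.0.0.18, 10.0.0.19) can be checked offline. It assumes the 2002:836b:2::/48 prefix in that expected reply is the 6to4 prefix of UAG1's external address 131.107.0.2 and that 0x8000 is the ISATAP subnet ID; the ping lines are constructed, not captured from the lab.

```python
"""Added example, not part of the Test Lab Guide: derive the 6to4/ISATAP
addresses used on Corpnet and check ping replies against them."""
import ipaddress
import re

# Assumed from the guide: the 2002:836b:2::/48 prefix in the expected reply
# is the 6to4 prefix of UAG1's external address 131.107.0.2, and 0x8000 is
# the ISATAP subnet ID that appears in that same reply.
UAG_PUBLIC_IPV4 = "131.107.0.2"
ISATAP_SUBNET_ID = 0x8000

# Constructed lines modelled on Windows ping output (not captured from the lab).
SAMPLE_REPLIES = [
    "Reply from 10.0.0.1: bytes=32 time<1ms TTL=128",
    "Reply from 2002:836b:2:8000:0:5efe:10.0.0.1: time<1ms",
    "Reply from 2002:836b:2:8000:0:5efe:10.0.0.19: time<1ms",  # UAG2, not DC1
    "Request timed out.",
]


def sixto4_prefix(public_ipv4: str) -> ipaddress.IPv6Network:
    """RFC 3056: 2002:WWXX:YYZZ::/48, WWXXYYZZ being the public IPv4 in hex."""
    v4 = int(ipaddress.IPv4Address(public_ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def isatap_address(prefix: ipaddress.IPv6Network, subnet_id: int,
                   host_ipv4: str) -> ipaddress.IPv6Address:
    """RFC 5214 address <prefix>:<subnet_id>:[0|200]:5efe:w.x.y.z.

    The interface ID embeds the host's own IPv4 address, so a host that is
    renumbered (UAG1 moving from 10.0.0.2 to 10.0.0.18) gets a new ISATAP
    address. The u/l bit (0x0200) is set only for a public embedded address.
    """
    if prefix.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a /48 prefix and a 16-bit subnet ID")
    v4 = ipaddress.IPv4Address(host_ipv4)
    ul_word = 0x0000 if v4.is_private else 0x0200
    interface_id = (ul_word << 48) | (0x5EFE << 32) | int(v4)
    return ipaddress.IPv6Address(
        int(prefix.network_address) | (subnet_id << 64) | interface_id)


def isatap_router_addresses(router_ipv4s):
    """Map each ISATAP A-record target (the VIP and the DIPs) to the ISATAP
    address an intranet host will see that router answer from."""
    prefix = sixto4_prefix(UAG_PUBLIC_IPV4)
    return {ip: str(isatap_address(prefix, ISATAP_SUBNET_ID, ip))
            for ip in router_ipv4s}


def parse_reply_source(line: str):
    """Return the source address of a 'Reply from ...' line, else None."""
    m = re.match(r"Reply from ([0-9A-Fa-f:.]+):", line.strip())
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None


def reply_is_from_host(line: str, host_ipv4: str) -> bool:
    """True if the reply came from host_ipv4 itself or from its ISATAP address.

    Compare address objects, not strings: Windows prints the ISATAP address
    with an embedded dotted quad (...:5efe:10.0.0.1) while the canonical
    text form is ...:5efe:a00:1."""
    src = parse_reply_source(line)
    if src is None:
        return False
    prefix = sixto4_prefix(UAG_PUBLIC_IPV4)
    expected = {ipaddress.ip_address(host_ipv4),
                isatap_address(prefix, ISATAP_SUBNET_ID, host_ipv4)}
    return src in expected


if __name__ == "__main__":
    print("6to4 prefix:", sixto4_prefix(UAG_PUBLIC_IPV4))
    routers = isatap_router_addresses(["10.0.0.2", "10.0.0.18", "10.0.0.19"])
    for ip, addr in routers.items():
        print(f"ISATAP router {ip} -> {addr}")
    for line in SAMPLE_REPLIES:
        print(f"{str(reply_is_from_host(line, '10.0.0.1')):5}  {line}")
```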

B. Install Update 1 and KB 977342 on UAG1

UAG Update 1 includes a number of updates that should be enabled to support a UAG DirectAccess NLB enabled array. In addition, you will need to install hotfix KB 977342.

1. Download KB 977342 from http://support.microsoft.com/kb/977342 and copy it to UAG1.

2. Double click on the downloaded hotfix file. Click Yes in the dialog box asking if you want to install Hotfix for Windows (KB977342).

3. On the Installation complete page, click Restart Now.

4. After UAG1 restarts, log on as CORP\User1.

5. Download UAG Update 1 from http://www.microsoft.com/downloads/details.aspx?FamilyID=a862c57f-5c27-4cd0-8528-91b3cc5cd758&displaylang=en and copy it to UAG1. Use the instructions on the download page to install Update 1.

6. After the installation is complete, restart UAG1 and then log on as CORP\User1.

C. Change the Single Server IP addressing configuration on UAG1

The IP addressing configuration on UAG1 now needs to be changed. The external IP addresses 131.107.0.2 and 131.107.0.3 must be removed, as they will later be configured as VIPs on both members of the UAG DirectAccess NLB array. A single DIP on the external interface will be assigned: 131.107.0.18. On the internal interface, the current IP address 10.0.0.2 will be removed and replaced with 10.0.0.18, which will be the new DIP on the internal interface of UAG1.

1. At the UAG1 computer or virtual machine, open the Network Connections window.

2. In the Network Connections window, right click the Internet connection and click Properties.

3. In the Internet Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4) and then click Properties.

4. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, in the IP address text box, change the IP address to 131.107.0.18.

5. Click the Advanced button. On the IP Settings tab, in the IP addresses frame, select 131.107.0.3 and click Remove. Click OK.

6. Click OK in the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box. Click Close in the Internet Properties dialog box.

7. Right click the Corpnet connection and click Properties.

8. In the Corpnet Properties dialog box, click the Internet Protocol Version 4 (TCP/IPv4) entry and click Properties.

9. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, change the IP address in the IP address text box to 10.0.0.18. Click OK.

10. Click Close in the Corpnet Properties dialog box.

11. Close the Network Connections window.

D. Change the UAG1 Single Server Configuration to an Array Manager

UAG1 is now ready to be configured as an Array Manager in a UAG server array. The Array Manager is the machine that hosts the configuration for the array and the Array Manager is the only machine where configuration is performed. You will not be able to run the UAG management console on any other machine in the array.

1. At the UAG1 computer, open the Forefront UAG Management console.

2. In the Forefront UAG Management console, click the Admin menu and then click Network Interfaces.

3. On the Welcome to the Network Configuration Wizard page, click Next.

4. On the Define Network Adapters page, confirm the settings for the Internal and External connections. Click Next.

5. On the Define Internal Network IP Address Range page, click Next.

6. On the Completing the Network Configuration Wizard page, click Finish.

7. Click the Admin menu and click Array Management.

8. On the Welcome to the Array Management Wizard page, click Next.

9. On the Step 1 – Configure Array Settings page, select the Set this server as the array manager option and click Next.

10. On the Step 2 – Specify Array Credentials page, in the user name text box enter User1 and enter User1’s password and confirm the password. The domain CORP should be filled in automatically in the Domain text box. Click Next.

11. On the Step 3 – Defining Array Member Computers page, confirm that UAG1 is already entered. Click the Add button.

12. In the Add/Edit Server dialog box, enter UAG2 in the Name text box and in the IP address text box, enter 10.0.0.19. Click OK. Note that all servers in the array are identified by their internal IPv4 DIP.

13. On the Step 3 – Defining Array Member Computers page, click Next.

14. On the Set Server as Array Manager page, click Finish.

15. Click OK on the Configuration page indicating that the array manager was successfully configured.

16. Close the UAG Management console.

E. Configure UAG2 as a new node in the UAG DirectAccess Array

UAG2 has Windows Server 2008 R2 already installed on it and you have configured its IP addressing information and joined the server to the domain. At this point you will install the Forefront UAG software and configure the machine to be a member of the array.

1. At the UAG2 computer or virtual machine, insert the Forefront Unified Access Gateway DVD.

2. On the splash page, click Install Forefront UAG.

3. Click Next on the Welcome to the Forefront UAG Setup Wizard page.

4. On the License Terms page, select I accept the License Terms for Microsoft Software and click Next.

5. On the Select Installation Location page, click Next.

6. The installation will complete and ask if you want to restart. Choose the option to restart the computer and log on as CORP\User1.

7. Download KB 977342 from http://support.microsoft.com/kb/977342 and copy it to UAG2.

8. Double click on the downloaded hotfix file. Click Yes in the dialog box asking if you want to install Hotfix for Windows (KB977342).

9. On the Installation complete page, click Restart Now.

10. After UAG2 restarts, log on as CORP\User1.

11. Download UAG Update 1 from http://www.microsoft.com/downloads/details.aspx?FamilyID=a862c57f-5c27-4cd0-8528-91b3cc5cd758&displaylang=en and copy it to UAG2. Use the instructions on the download page to install Update 1.

12. After the installation is complete, restart UAG2 and then log on as CORP\User1.

13. Open the Forefront UAG Management console.

14. On the Welcome to Microsoft Forefront Unified Access Gateway 2010 page, click Configure Network Settings.

15. On the Welcome to the Network Configuration Wizard page, click Next.

16. On the Define Network Adapters page, set the Corpnet adapter as Internal and the Internet adapter as External. Click Next.

17. On the Define Internal Network IP Address Range page, click Next.

18. On the Completing the Network Configuration Wizard page, click Finish.

19. On the Welcome to Microsoft Forefront Unified Access Gateway 2010 page, click Define Server Topology.

20. On the Welcome to the Server Management Wizard page, click Next.

21. On the Select Configuration page, select the Array member option, then click Next.

22. On the Welcome to the Array Management Wizard page, click Next.

23. On the Step 1 – Configure Array Settings page, select the Add this server to an array option and click Next.

24. On the Step 2 – Select Array Manager page, enter the FQDN for UAG1 in the Array manager (IP address or FQDN): text box. The FQDN for UAG1 is uag1.corp.contoso.com. In the User Credentials frame, enter User1 in the User name text box, and then enter the password for User1. In the Domain text box, enter CORP. Click Next.

25. On the Joining the Array page, click Finish.

26. In the Configuration dialog box informing you that the server was successfully joined to the array, click OK.

27. On the Completing the Server Management Wizard page, click Finish.

28. On the Welcome to Microsoft Forefront Unified Access Gateway 2010 page, click Join Microsoft Update.

29. On the Use Microsoft Update for Forefront UAG page, select I don’t want to use Microsoft Update and click OK.

30. On the Welcome to Microsoft Forefront Unified Access Gateway 2010 page, click Close.

31. In the Array Management Wizard dialog box, select Exit the Forefront UAG console.

F. Configure NLB on the Array Manager (UAG1)

UAG1 and UAG2 now belong to the same array. You can now enable Network Load Balancing for the array. When Network Load Balancing (NLB) is enabled, one or more array members can fail and, as long as a single member remains online, users will still be able to connect to the UAG DirectAccess server. The following procedure is performed on the Array Manager, UAG1.

1. *At the UAG1 computer or virtual machine, open the UAG Management console.

2. In the UAG Management console, click the Admin menu and then click Network Load Balancing. (Note: if the UAG Management Console was open on UAG1 when UAG2 joined the array, close the console and restart it).

3. In the Network Load Balancing dialog box, click Add. In the Configure Virtual IP Addresses dialog box, select the External option from the Network drop down list. In the Virtual IP address text box, enter 131.107.0.2 and in the Subnet mask text box enter 255.255.255.0. Click OK.

4. In the Network Load Balancing dialog box, click Add. In the Configure Virtual IP Addresses dialog box, select the External option from the Network drop down list. In the Virtual IP address text box, enter 131.107.0.3 and in the Subnet mask text box enter 255.255.255.0. Click OK.

5. In the Network Load Balancing dialog box, click Add. In the Configure Virtual IP Addresses dialog box, select the Internal option from the Network drop down list. In the Virtual IP address text box, enter 10.0.0.2 and in the Subnet mask text box enter 255.255.255.0. Click OK.

6. Confirm that the NLB mode is set to Unicast. UAG DirectAccess supports only unicast mode NLB.

7. Click OK in the Network Load Balancing dialog box.

8. Close the UAG Management console.

9. In the Configuration dialog box, click Yes to save the changes.

G. Reconfigure and Apply New Configuration Settings for UAG DirectAccess

Now we are ready to apply the new settings to the UAG DirectAccess configuration. Perform the following steps on the Array Manager, UAG1.

1. *At the UAG1 computer or virtual machine, open the UAG Management console.

2. In the UAG Management console, click the DirectAccess node in the left pane of the console.

3. In the right pane of the UAG Management console, in the DirectAccess Server section, click Edit.

4. On the Load Balancing page in the UAG DirectAccess Server Configuration wizard, confirm that the Windows Network Load Balancing option is selected and that you see a green circle with a checkmark in it with a message The array has all the required prerequisites for the selected Load Balancing method next to it. Click Next.

5. On the Connectivity page of the UAG DirectAccess Server Configuration Wizard, confirm that the Internet-facing and Internal IP address values are automatically entered. The First Internet-facing IPv4 address should be 131.107.0.2 and the Second Internet-facing IPv4 address should be 131.107.0.3. The Internal IP address should be 10.0.0.2. Note the message at the bottom of the page that informs you that you should enter 10.0.0.2, 10.0.0.18, and 10.0.0.19 as Host (A) record entries for ISATAP in DNS. Click Next.

6. On the Managing DirectAccess Services page in the UAG DirectAccess Server Configuration wizard, click Next.

7. On the Authentication Options page in the UAG DirectAccess Server Configuration wizard, click Finish.

8. In the UAG Management console, click the File menu and then click Activate.

9. In the Activate Configuration dialog box, click Activate.

10. In the Activation Configuration dialog box, note that it says that it may take a few minutes for the array configuration change to complete and that you can use the Activation Monitor to track the progress of the configuration changes. Click Finish.

11. If you receive an error that says that NLB could not be activated, attempt to activate the configuration again.

12. Click Start and then click All Programs. Click Microsoft Forefront UAG and then click Forefront UAG Activation Monitor. In the left pane of the console, click on each array member and confirm in the right pane that the UAG DirectAccess configuration was activated successfully message appears for each array member. You should see a green checkmark to the left of each member of the array.

13. Close the Forefront Unified Access Gateway Activation Monitor.

14. *Move to the DC1 computer or virtual machine. Click Start and point to Administrative Tools. Click Group Policy Management.

15. In the Group Policy Management console, expand the Forest: corp.contoso.com node and then expand the Domains node. Expand the corp.contoso.com node and click on the UAG DirectAccess: DaServer {GUID} GPO.

16. In the Security Filtering section, click Add. In the Select User, Computer, or Group dialog box, click the Object Types button. In the Object Types dialog box, put a checkmark in the Computers checkbox and click OK.

17. In the Select User, Computer, or Group dialog box, in the Enter the object name to select text box, enter UAG2 and click Check Names. Click OK.

18. Close the Group Policy Management console.

19. *Move to the UAG2 computer or virtual machine. Open an elevated command prompt and enter gpupdate /force and press ENTER.

20. Confirm that Connection Security Rule policies were applied to UAG2. Click Start, enter wf.msc in the Search box and press ENTER. In the Windows Firewall with Advanced Security console, click the Connection Security Rules node in the left pane of the console. In the middle pane, look at the Enabled column. Both connection security rules should list Yes in that column.
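The following PowerShell script is an added example and is not part of this Test Lab Guide or of Forefront UAG; it performs the DC1 and UAG2 portions of section G from the command line. Part 1, run on DC1, registers the three ISATAP Host (A) records that the Connectivity page in step 5 asks for and adds UAG2 to the security filter of the DaServer GPO (steps 14 through 17), using dnscmd and the Group Policy module that ship with Windows Server 2008 R2. Part 2, run on UAG2, refreshes Group Policy and checks that both connection security rules report Enabled (steps 19 and 20). The zone name, the DaServer GPO display name prefix and the computer names come from this guide; the exact GPO name is resolved with a wildcard because the {GUID} portion is generated on each lab. One caveat the guide does not mention: the Windows DNS Server blocks the name isatap by default through its global query block list, so the records are only useful once that list has been changed (the Base Configuration guide covers it); the script prints the list so you can confirm this.

```powershell
# Added example, not part of the Test Lab Guide: command-line equivalents of the
# manual DNS, Group Policy and verification steps in section G. Run each part on
# the machine named in its comment, in an elevated PowerShell prompt as CORP\User1.

# --- Part 1: run on DC1 ------------------------------------------------------
# ISATAP Host (A) records for the internal NLB VIP and each member's internal DIP
# (values taken from the Connectivity page message in step 5).
$Zone        = 'corp.contoso.com'
$IsatapHosts = '10.0.0.2', '10.0.0.18', '10.0.0.19'

# The DNS Server blocks "isatap" queries by default via the global query block
# list. Print it so the record is not added to a name that is never answered.
dnscmd DC1 /Info /GlobalQueryBlockList

foreach ($ip in $IsatapHosts) {
    # dnscmd exits non-zero on failure (for example if the record already exists).
    dnscmd DC1 /RecordAdd $Zone ISATAP A $ip
    if ($LASTEXITCODE -ne 0) { Write-Warning "ISATAP A $ip was not added (exit code $LASTEXITCODE)" }
}

# Add UAG2 to the Security Filtering of the DaServer GPO so the server-side
# connection security rules are applied to the new array member (steps 14-17).
Import-Module GroupPolicy
$daServerGpo = Get-GPO -All -Domain $Zone |
    Where-Object { $_.DisplayName -like 'UAG DirectAccess: DaServer*' } |
    Select-Object -First 1
if (-not $daServerGpo) { throw 'DaServer GPO not found; activate the UAG configuration first.' }

# GpoApply grants Read and Apply Group Policy, the same rights the GUI sets
# when a computer is added under Security Filtering.
Set-GPPermission -Guid $daServerGpo.Id -Domain $Zone -TargetName 'UAG2' `
    -TargetType Computer -PermissionLevel GpoApply | Out-Null

# Show who the GPO now applies to; UAG1 and UAG2 should both be listed.
Get-GPPermission -Guid $daServerGpo.Id -Domain $Zone -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ Name = 'Trustee'; Expression = { $_.Trustee.Name } }, Permission

# --- Part 2: run on UAG2 -----------------------------------------------------
# Refresh policy, then confirm that every connection security rule that arrived
# is enabled (steps 19-20). netsh prints one "Rule Name:" and one "Enabled:"
# line per rule, which is what is counted here.
gpupdate /force | Out-Null
$consec    = netsh advfirewall consec show rule name=all
$ruleNames = @($consec | Select-String '^Rule Name:')
$enabled   = @($consec | Select-String '^Enabled:\s+Yes')

"Connection security rules: $($ruleNames.Count), enabled: $($enabled.Count)"
$ruleNames | ForEach-Object { $_.Line }
if ($ruleNames.Count -lt 2 -or $enabled.Count -ne $ruleNames.Count) {
    Write-Warning 'Expected two enabled connection security rules; the GPO may not have applied yet.'
}
```

Part 2 deliberately reads the rules with netsh rather than opening wf.msc so the check can be repeated after every gpupdate; if the count stays at zero, the security filter change on DC1 has usually not replicated or been refreshed yet rather than anything being wrong on UAG2.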

H. Start Network Load Balancing on the Array

The array is now ready to start NLB. The UAG Web Monitor application is used to start NLB and view NLB status. Perform the following steps on the Array Manager, which is UAG1.

1. *At the UAG1 computer or virtual machine, open the UAG Management console.

2. In the UAG Management console, click the Admin menu and click Web Monitor.

3. Click OK in the Internet Explorer dialog box informing you about Java Components.

4. In the left pane of the Web Monitor console, click the Array Monitor\Current Status link.

5. In the Array Monitor\Current Status page, put a checkmark in the UAG1 and UAG2 checkboxes. In the select an option to apply checkbox, click the Start option. Click the Apply button.

6. The NLB Status will start Converging. Click the Refresh button and you will see the Synchronization Status as Updating.

7. Click the Refresh button one more time and you will see the NLB Status as Converged and the Synchronization Status as Synched.

8. You may have to click the refresh button several times to see the Converged and Synched results.

STEP 4: Test DirectAccess Client Connectivity through the NLB Array

Now that the UAG NLB array is configured, converged and synchronized, you can test connectivity through the array. Before you begin testing, we recommend that you shut down both UAG1 and UAG2 for at least five minutes. There are a number of reasons for this, including ARP cache timeouts and changes related to NLB. When validating an NLB configuration in a test lab, be patient: configuration changes are not reflected in connectivity until some time has elapsed. Keep this in mind when you carry out the following tasks.

1. *Move CLIENT1 to the Homenet subnet. Log on to the CLIENT1 computer or virtual machine.

2. Open an elevated command prompt on CLIENT1. At the command prompt, enter ipconfig /all and press ENTER. Examine the output and confirm that CLIENT1 has the Teredo address 2001:0:836b:2:3457:e52:7c94:ff9b. If you do not see a Teredo address, it could be that Teredo is disabled. Run the command netsh interface teredo show state and press ENTER. If the state is offline, then run the command netsh interface teredo set state enterpriseclient and press ENTER. Repeat the ipconfig /all command and you should see the Teredo address.

3. In the command prompt window, ping DC1, UAG1, UAG2, APP1 and APP3. You should receive replies from each of these resources. (Note: ping requests may fail to UAG1 or UAG2 because DNS64 is not using the IPv6 address listed in DNS. This is a known issue.)

4. From the Run command, open the File shares on DC1 and APP3. The ability to open the File Share on APP3 indicates that the second tunnel, which requires Kerberos authentication for the user, is working correctly.

5. Open Internet Explorer. From Internet Explorer, open the Web sites http://app1 and http://app3. The ability to open both Web sites confirms that both the first and second tunnels are up and functioning. Close Internet Explorer.

6. *Return to the UAG1 computer or virtual machine. Perform a graceful shutdown.

7. *Return to the CLIENT1 computer or virtual machine. Wait for 5 minutes. Then repeat steps 2-5. This demonstrates that CLIENT1 is still able to connect to the corpnet even after the UAG1 array member has failed.

8. *Return to the UAG2 computer or virtual machine and perform a graceful shutdown.

9. *Return to the UAG1 computer or virtual machine and start it.

10. *Wait for 5 minutes, and then return to the CLIENT1 computer or virtual machine. Perform steps 2-5. This confirms that CLIENT1 was able to transparently fail over to UAG1 after UAG2 became unavailable.
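The script below is an added example, not part of this Test Lab Guide, and runs the checks of steps 2 through 5 from a single PowerShell 2.0 function on CLIENT1 so that they can be repeated identically after each array member is shut down (steps 7 and 10). The host names, the Teredo commands, the expected Teredo address and the Web site URLs are those given in the steps above; the tolerance for failed pings to UAG1 and UAG2 reflects the known DNS64 issue noted in step 3. Only the wait time and the use of `net view` and `System.Net.WebClient` in place of the Run dialog and Internet Explorer are the example's own choices.

```powershell
# Added example, not part of the Test Lab Guide: PowerShell 2.0 (Windows 7)
# equivalent of STEP 4 steps 2-5, packaged as a function so the same checks
# can be rerun after UAG1 (step 6) and UAG2 (step 8) are shut down.
# Run from an elevated PowerShell prompt on CLIENT1 while it is on Homenet.

function Test-DaConnectivity {
    param(
        # Resources the guide pings; ICMP to UAG1/UAG2 may fail (known DNS64 issue).
        [string[]]$PingHosts  = @('DC1', 'UAG1', 'UAG2', 'APP1', 'APP3'),
        [string[]]$Tolerated  = @('UAG1', 'UAG2'),
        [string[]]$ShareHosts = @('DC1', 'APP3'),
        [string[]]$WebSites   = @('http://app1', 'http://app3')
    )
    $result = @{}

    # Step 2: Teredo must be online. The guide expects
    # 2001:0:836b:2:3457:e52:7c94:ff9b; 836b:2 is the Teredo server 131.107.0.2,
    # which is the external NLB VIP, so the address itself shows the array is used.
    $state = (netsh interface teredo show state | Select-String '^\s*State\s*:').Line
    if ($state -match 'offline') {
        netsh interface teredo set state enterpriseclient | Out-Null
        Start-Sleep -Seconds 10
        $state = (netsh interface teredo show state | Select-String '^\s*State\s*:').Line
    }
    $teredoAddr = ipconfig /all | Select-String '2001:0:' | ForEach-Object { $_.Line.Trim() }
    $result['Teredo address present'] = [bool]$teredoAddr
    Write-Host "Teredo state: $($state.Trim())"
    Write-Host "Teredo address: $teredoAddr"

    # Step 3: ping each resource (first tunnel / infrastructure connectivity).
    foreach ($h in $PingHosts) {
        $ok = Test-Connection -ComputerName $h -Count 2 -Quiet -ErrorAction SilentlyContinue
        if (-not $ok -and $Tolerated -contains $h) {
            Write-Host "Ping $h failed (known DNS64 issue, not counted as a failure)"
        } else {
            $result["Ping $h"] = $ok
        }
    }

    # Step 4: enumerate file shares; APP3 exercises the second (Kerberos user) tunnel.
    foreach ($h in $ShareHosts) {
        net view "\\$h" 2>&1 | Out-Null
        $result["Shares on $h"] = ($LASTEXITCODE -eq 0)
    }

    # Step 5: fetch each intranet Web site; both tunnels must be up for this to work.
    $wc = New-Object System.Net.WebClient
    foreach ($url in $WebSites) {
        try   { [void]$wc.DownloadString($url); $result["Web $url"] = $true }
        catch { $result["Web $url"] = $false }
    }

    $result.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize | Out-Host
    return ($result.Values -notcontains $false)   # $true only if every check passed
}

# Baseline with both array members online (steps 2-5).
Test-DaConnectivity

# After shutting down UAG1 (step 6), wait out the ARP cache and NLB convergence
# period the guide calls for, then rerun (step 7). Repeat after steps 8-9.
Start-Sleep -Seconds 300
Test-DaConnectivity
```

A result of True from the second and third runs is the scripted form of the guide's statement that CLIENT1 failed over transparently; a False that turns into True on a later rerun is almost always the ARP and convergence delay the introduction to STEP 4 warns about, not a configuration fault.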

STEP 5: Snapshot the Configuration

This completes the DirectAccess test lab. To save this configuration so that you can quickly return to a working UAG DirectAccess with NLB array configuration from which you can test other DirectAccess modular TLGs, TLG extensions, or for your own experimentation and learning, do the following:

1. On all physical computers or virtual machines in the test lab, close all windows and then perform a graceful shutdown.

2. If your lab is based on virtual machines, save a snapshot of each virtual machine and name the snapshots UAG DirectAccess Array and NLB. If your lab uses physical computers, create disk images to save the DirectAccess test lab configuration.

Additional Resources

For procedures to configure the Base Configuration test lab on which this document is based, see the Test Lab Guide: Base Configuration.

For the design and configuration of your pilot or production deployment of DirectAccess, see the Forefront UAG DirectAccess design guide and the Forefront UAG DirectAccess deployment guide.

For information about troubleshooting DirectAccess, see the DirectAccess Troubleshooting Guide.

For more information about DirectAccess, see the DirectAccess Getting Started Web page and the DirectAccess TechNet Web page.
