Applying or exporting the Forefront UAG DirectAccess configuration in SP1

Updated: February 1, 2011

Applies To: Unified Access Gateway

On completion of the Forefront Unified Access Gateway (UAG) DirectAccess Configuration Wizard, you can apply the configuration settings immediately or export them to a script that a domain administrator runs later. If the exported configuration script fails to link the Forefront UAG DirectAccess Group Policy objects (GPOs) to one or more domains, you can create those links manually.

This topic describes:

  • Applying the configuration settings

  • Exporting the configuration settings

  • Linking to the Group Policy objects (GPOs)

Applying the configuration settings

To apply the configuration settings

  1. After you have completed the Forefront UAG DirectAccess Configuration Wizard, from the main Forefront UAG DirectAccess Configuration screen, click Apply Policy. The Forefront UAG DirectAccess Configuration Review appears.

  2. Select one of the following options:

    • Apply Now—Places the configuration settings into the Group Policy objects (GPOs). To apply the GPO on the Forefront UAG DirectAccess server, from the Windows command prompt run the command: gpupdate /force.

      Note

      This can only be performed by a domain administrator.

      For deployments using GPOs created by the Forefront UAG DirectAccess Configuration Wizard:

      • For the client GPO—If the administrator who runs the script does not have domain administrator permissions in one or more of the client domains, export the script and send it to the domain administrator of each such client domain to run.

      • For the Forefront UAG DirectAccess server GPO—The script must be run by the domain administrator of the Forefront UAG DirectAccess server domain.

      • For the Application server GPO—The script must be run by a domain administrator for each domain containing an application server.

      For deployments using pre-created GPOs—The script can be run by anyone with edit GPO permissions, or by a domain administrator of the relevant domain.

      Note

      Before activating the configuration in the Forefront UAG Management console, confirm that the IPsec configuration of the Forefront UAG DirectAccess server is in effect, as follows:

      1. On the taskbar, click Start, point to Administrative Tools, and then click Windows Firewall with Advanced Security.

      2. On the console, click Connection Security Rules.

      3. Forefront UAG DirectAccess rules should appear in the list of Connection Security Rules and should show Yes in the Enabled column.

    • Print Review—Creates a reader friendly summary of the proposed configuration settings.

  3. From the main Forefront UAG DirectAccess Configuration screen, click Activate to activate the configuration.

Exporting the configuration settings

To export the configuration settings

  1. After you have completed the Forefront UAG DirectAccess Configuration Wizard, from the main Forefront UAG DirectAccess Configuration screen, click Export Policy. The Forefront UAG DirectAccess Configuration Review appears.

  2. To export the configuration settings, click Export Script. This exports the configuration settings to a script that can be saved, forwarded, and then applied by a domain administrator. To run a script, the domain administrator must ensure that the computer can run unsigned scripts, as follows:

    1. On the taskbar, click Start, click All Programs, click Accessories, click Windows PowerShell, right-click Windows PowerShell, and then click Run as administrator.

    2. From the PowerShell command prompt, type Set-ExecutionPolicy Unrestricted, press ENTER, and then press ENTER again to confirm the change. Unrestricted allows the computer to run any unsigned script, not only this one; if you do not want to change the machine-wide policy, run Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass in the elevated session instead, which affects only that session, or restore the previous policy with Set-ExecutionPolicy after step 4.

    3. From the PowerShell command prompt, run the script containing the Forefront UAG DirectAccess Configuration. Note that providing customized values for script parameters is not supported for this release.

    4. When the script has finished running, from the Windows command prompt run the command: gpupdate /force.

      Note

      Before activating the configuration in the Forefront UAG Management console, confirm that the IPsec configuration of the Forefront UAG DirectAccess server is in effect, as follows:

      1. On the taskbar, click Start, point to Administrative Tools, and then click Windows Firewall with Advanced Security.

      2. On the console, click Connection Security Rules.

      3. Forefront UAG DirectAccess rules should appear in the list of Connection Security Rules and should show Yes in the Enabled column.

    5. If you want to modify the exported file, follow the instructions in Modifying the Forefront UAG DirectAccess export script in SP1. Otherwise, from the main Forefront UAG DirectAccess Configuration screen, click Activate to activate the configuration.
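
The following PowerShell is an added example, not a script from the original page or from Forefront UAG. It performs the export procedure above from an elevated prompt (run the exported script, refresh Group Policy) and then the check that both notes on this page ask for before you click Activate: that the Forefront UAG DirectAccess connection security rules exist and are enabled. It relaxes the execution policy only for the current process rather than setting Unrestricted machine-wide. The script path, and the assumption that the rule names contain the text "DirectAccess", are placeholders; only tools available on Windows Server 2008 R2 with PowerShell 2.0 are used.

```powershell
# Added example (not from the original page): run an exported Forefront UAG
# DirectAccess configuration script, refresh Group Policy, and verify that the
# DirectAccess connection security rules are in effect.
# Assumptions: the script path and the rule-name pattern 'DirectAccess' are
# placeholders; cmdlets and tools are limited to Windows Server 2008 R2 / PS 2.0.

function Invoke-ExportedDaScript {
    param([Parameter(Mandatory = $true)][string]$ScriptPath)

    if (-not (Test-Path -LiteralPath $ScriptPath)) {
        throw "Exported script not found: $ScriptPath"
    }
    # The wizard exports an unsigned script, which is why the page relaxes the
    # execution policy; show the signature status so that this is visible.
    $sig = Get-AuthenticodeSignature -FilePath $ScriptPath
    Write-Host ("Signature status of {0}: {1}" -f $ScriptPath, $sig.Status)

    # Relax the policy for this process only. The machine-wide setting is not
    # changed and the relaxation disappears when this console is closed.
    Write-Host ("Effective execution policy before: {0}" -f (Get-ExecutionPolicy))
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force

    # Customized parameter values are not supported for this release, so the
    # script is run exactly as exported.
    & $ScriptPath
}

function Update-DaGroupPolicy {
    # Same as running gpupdate /force from the Windows command prompt.
    gpupdate.exe /force | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "gpupdate /force returned exit code $LASTEXITCODE"
    }
}

function Get-DaConnectionSecurityRule {
    # Parses 'netsh advfirewall consec show rule name=all', the command-line view
    # of the Connection Security Rules node in Windows Firewall with Advanced
    # Security, into objects with Name and Enabled properties.
    param([string]$NamePattern = 'DirectAccess')   # assumed naming of the UAG rules

    $rules = @()
    $current = $null
    foreach ($line in (netsh advfirewall consec show rule name=all)) {
        if ($line -match '^Rule Name:\s+(.+?)\s*$') {
            if ($current) { $rules += $current }
            $current = New-Object PSObject -Property @{ Name = $Matches[1]; Enabled = $false }
        }
        elseif ($current -and $line -match '^Enabled:\s+(\S+)') {
            $current.Enabled = ($Matches[1] -eq 'Yes')
        }
    }
    if ($current) { $rules += $current }
    $rules | Where-Object { $_.Name -match $NamePattern }
}

function Test-DaIpsecConfigured {
    # True only if at least one matching rule exists and every one shows Enabled: Yes.
    param([string]$NamePattern = 'DirectAccess')
    $rules = @(Get-DaConnectionSecurityRule -NamePattern $NamePattern)
    if ($rules.Count -eq 0) {
        Write-Warning "No connection security rules matching '$NamePattern' were found; the GPO has not been applied to this server yet."
        return $false
    }
    $disabled = @($rules | Where-Object { -not $_.Enabled })
    foreach ($r in $disabled) { Write-Warning ("Rule '{0}' is present but not enabled" -f $r.Name) }
    $rules | Format-Table Name, Enabled -AutoSize | Out-Host
    return ($disabled.Count -eq 0)
}

# Usage, from a PowerShell prompt opened with Run as administrator by a domain administrator:
Invoke-ExportedDaScript -ScriptPath 'C:\Export\UAG-DirectAccess-Config.ps1'   # assumed path
Update-DaGroupPolicy
if (Test-DaIpsecConfigured) {
    Write-Host 'IPsec rules are in effect; you can click Activate in the Forefront UAG Management console.'
}
```

If Test-DaIpsecConfigured reports no matching rules immediately after gpupdate, the server GPO has usually not reached this computer yet (for example because the script was run by an administrator without rights on the server domain GPO, as described under Apply Now); resolve the GPO permissions before activating.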

Linking to the Group Policy objects (GPOs)

When you use GPOs generated by Forefront UAG DirectAccess, the script created by the Forefront UAG DirectAccess Configuration Wizard creates the GPOs in the domains specified in the wizard, and attempts to link them to the root of every selected client domain (in security group mode) or to every selected OU (in OU mode). The script should be run by a domain administrator of the selected domain. If there are client domains in which the administrator who runs the script does not have domain administrator permissions, the links to the client GPOs in those additional domains can be created manually, which allows a domain administrator from a different domain to update the client GPOs there.

When the administrator running the script does not have permission to create or modify a GPO, or to link a GPO, in one of the additional domains, the script displays a message listing the domain names for which it failed, and then continues running.

A domain administrator of each domain to which the script failed to link the GPOs should do the following:

  1. Click Start, click Administrative Tools, and then click Group Policy Management.

  2. In the console tree, open the relevant Forest, and right-click the domain to which the script failed to link.

  3. Click Link an Existing GPO, and in Look in this domain, select the domain in which Forefront UAG DirectAccess is deployed. This is where the GPOs reside.

  4. In Group Policy objects, select all of the UAG DirectAccess GPOs, and click OK.
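
The PowerShell below is an added example, not part of the original page or of Forefront UAG, that does the same thing as the Group Policy Management steps above for a domain administrator of a client domain that the exported script could not link. The GPOs stay in the domain where Forefront UAG DirectAccess is deployed; only links to them are created at the root of the client domain, and the result is read back so you can confirm that every UAG DirectAccess GPO is linked and enabled. It assumes the GroupPolicy module is available (Group Policy Management installed, Windows Server 2008 R2 or later), that the wizard-created GPOs have display names containing "DirectAccess", that a trust exists between the two domains, and that the domain names shown are placeholders.

```powershell
# Added example (not from the original page): link the Forefront UAG DirectAccess
# GPOs, which reside in the Forefront UAG domain, to the root of a client domain.
# Assumptions: GroupPolicy module present; GPO display names contain 'DirectAccess';
# the two domain names below are placeholders; a trust exists between the domains.
Import-Module GroupPolicy

function ConvertTo-DomainDN {
    # 'emea.contoso.com' -> 'DC=emea,DC=contoso,DC=com'
    param([Parameter(Mandatory = $true)][string]$Fqdn)
    'DC=' + (($Fqdn.Split('.') | Where-Object { $_ }) -join ',DC=')
}

function Add-UagDaGpoLink {
    param(
        [Parameter(Mandatory = $true)][string]$GpoDomain,     # domain where Forefront UAG is deployed
        [Parameter(Mandatory = $true)][string]$TargetDomain,  # client domain the script failed to link
        [string]$NamePattern = 'DirectAccess'                  # assumed naming of the wizard-created GPOs
    )
    $targetDN = ConvertTo-DomainDN -Fqdn $TargetDomain

    # Links already present at the client domain root, so the function can be re-run safely.
    $linked = @((Get-GPInheritance -Target $targetDN -Domain $TargetDomain).GpoLinks |
                ForEach-Object { $_.DisplayName })

    # 'Look in this domain' in the console: the GPOs are looked up in the UAG domain.
    $gpos = @(Get-GPO -All -Domain $GpoDomain | Where-Object { $_.DisplayName -match $NamePattern })
    if ($gpos.Count -eq 0) {
        throw "No GPOs matching '$NamePattern' were found in $GpoDomain; run the wizard script in that domain first."
    }

    foreach ($gpo in $gpos) {
        if ($linked -contains $gpo.DisplayName) {
            Write-Host ("Already linked: {0}" -f $gpo.DisplayName)
            continue
        }
        # -Domain names the domain that holds the GPO; -Target is the DN of the
        # client domain root. This is the cmdlet form of 'Link an Existing GPO'.
        # The caller needs link permission on the target domain root.
        New-GPLink -Guid $gpo.Id -Domain $GpoDomain -Target $targetDN -LinkEnabled Yes | Out-Null
        Write-Host ("Linked {0} to {1}" -f $gpo.DisplayName, $targetDN)
    }

    # Read the links back so the caller can confirm every UAG GPO is linked and enabled.
    (Get-GPInheritance -Target $targetDN -Domain $TargetDomain).GpoLinks |
        Where-Object { $_.DisplayName -match $NamePattern } |
        Select-Object DisplayName, Enabled, Enforced, Order
}

# Usage, run by a domain administrator of the client domain (placeholder domain names):
Add-UagDaGpoLink -GpoDomain 'corp.contoso.com' -TargetDomain 'emea.contoso.com'
```

After the links are created, clients in the target domain receive the settings at their next Group Policy refresh (or after gpupdate /force); in security group mode the GPO still applies only to members of the DirectAccess client security group selected in the wizard, because that filtering is on the GPO itself rather than on the link.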