Configure Forefront TMG as the DirectAccess server

In this tutorial we will show you how to configure Forefront TMG as a DirectAccess server.

Note that this tutorial only covers the steps needed to configure Forefront TMG as a DirectAccess server. Configuring DirectAccess itself (the Windows Server 2008 R2 feature) is outside the scope of this article.

One important thing to know is that Forefront TMG neither accepts IPv6 traffic nor lets it pass through, so this behavior must be changed before Forefront TMG is installed in order to allow the following:

  • Authenticated IPv6 traffic (protected with IPsec), including the IPsec negotiation traffic.
  • IPv6 transition technologies used to carry IPv6 traffic (6to4, Teredo, IP-HTTPS and ISATAP).
  • Native IPv6 traffic originating from the Forefront TMG machine itself.
  • In addition, Forefront TMG integrates with the Windows DirectAccess IPsec Denial of Service Protection (DoSP) component to ensure that only IPsec-protected traffic is allowed.

    Attention:
    We need to install and configure Windows Server 2008 R2 DirectAccess before installing Forefront TMG.

    First, install the Windows Server 2008 R2 DirectAccess management console as shown in the figure below.

    Figure 1: Installing the Windows Server 2008 R2 DirectAccess feature

    After the management console has been installed, launch the DirectAccess management and configuration interface and verify that everything works before installing Forefront TMG.

    Figure 2: DirectAccess management interface

    After verifying that DirectAccess is installed and configured successfully, we must add a new Registry value before installing Forefront TMG. This value prevents Forefront TMG setup from disabling IPv6 protocol support on the machine during the installation.

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAT\Stingray\Debug\ISACTRL]
    "CTRL_SKIP_DISABLE_IPV6_PROTOCOLS"=dword:00000001

    Figure 3: The Registry value that keeps IPv6 protocol support enabled during the Forefront TMG installation

    After the Registry has been changed successfully, install Forefront TMG the same way you would install a regular Forefront TMG server. Once Forefront TMG is installed, its configuration must be changed with a script that enables IPv6 support for DirectAccess. Copy the following code into a blank Notepad file and save it with the .VBS extension.

    ' Connect to the Forefront TMG COM object model (FPC.Root)
    set o = createobject("fpc.root")
    ' Get the first (local) Forefront TMG array and its array policy
    set arr = o.Arrays.Item(1)
    set policy = arr.ArrayPolicy
    ' Enable DirectAccess support in the array's IPv6 settings
    set IPv6Settings = policy.IPv6Settings
    IPv6Settings.DirectAccessEnabled = vbTrue
    ' Persist the change; this triggers configuration synchronization
    arr.Save

    Figure 4: Save the script with the .VBS extension

    Save the script with the .VBS extension and run it from the command line with the following command:

    Cscript DA-Enable.VBS

    Because the Forefront TMG configuration has changed, you will have to wait a moment until the configuration is synchronized. The synchronization status is shown in the Forefront TMG management console, as in the figure below.

    Figure 5: Wait for the synchronization process to complete

    The script will create four new system policy rules for DirectAccess to support IPv6 traffic.
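    The following PowerShell script is an added example (not part of the original article) that checks the two settings the steps above depend on: the Registry value that must be in place before Forefront TMG setup runs, and the DirectAccessEnabled property that DA-Enable.VBS sets afterwards. It assumes it runs elevated on the Forefront TMG machine; the FPC.Root COM object only exists once Forefront TMG is installed, and the DisabledComponents check is the standard Windows IPv6 switch, added here as an extra indicator that setup did not turn IPv6 off.

```powershell
# Added example: pre-install and post-install checks for the IPv6 / DirectAccess
# settings described in the article. Assumes an elevated prompt on the TMG host.

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\RAT\Stingray\Debug\ISACTRL'
$ValueName = 'CTRL_SKIP_DISABLE_IPV6_PROTOCOLS'

function Test-TmgIPv6SkipKey {
    # $true when the value that stops TMG setup from disabling IPv6 is set to 1
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$ValueName -eq 1)
}

function Set-TmgIPv6SkipKey {
    # Creates the key if needed and writes the DWORD value 1 (run BEFORE TMG setup)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-HostIPv6Disabled {
    # Windows' own IPv6 switch: a non-zero DisabledComponents means IPv6 is (partly) disabled
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' -ErrorAction SilentlyContinue
    return ($null -ne $p -and $null -ne $p.DisabledComponents -and $p.DisabledComponents -ne 0)
}

function Get-TmgDirectAccessEnabled {
    # Reads the same property the article's VBScript sets, via the TMG COM object model
    $root = New-Object -ComObject 'FPC.Root'
    $arr  = $root.Arrays.Item(1)
    return [bool]$arr.ArrayPolicy.IPv6Settings.DirectAccessEnabled
}

# Pre-install: make sure the value is in place, otherwise setup will turn IPv6 off
if (-not (Test-TmgIPv6SkipKey)) {
    Write-Warning "$ValueName is missing or not 1; setting it now. Do this before running TMG setup."
    Set-TmgIPv6SkipKey
}

# Post-install: report whether IPv6 survived setup and whether DA-Enable.VBS took effect
if (Test-HostIPv6Disabled) {
    Write-Warning 'IPv6 components are disabled on this host (DisabledComponents is not 0).'
}
try {
    if (Get-TmgDirectAccessEnabled) {
        'Forefront TMG DirectAccessEnabled = True'
    } else {
        Write-Warning 'Forefront TMG DirectAccessEnabled is False; run DA-Enable.VBS and wait for synchronization.'
    }
} catch {
    Write-Warning "Forefront TMG COM object not available yet: $($_.Exception.Message)"
}
```

    Run it once before Forefront TMG setup (it will write the Registry value if missing) and again after DA-Enable.VBS has been applied to confirm the DirectAccess setting was saved.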

    Figure 6: Some of Forefront TMG's new system policies

    'Act as a Direct Access server' button

    The Forefront TMG Beta and RC releases have an IPv6 tab in the IP Preferences section of the management console for configuring Forefront TMG as a DirectAccess server (see the picture below).

    Figure 7: Act as a Direct Access Server button

    However, in the RTM release the IPv6 tab was removed from the Forefront TMG console.

    Figure 8: The DirectAccess button is only present in the Forefront TMG Beta and RC versions

    Hide IPv6 log entries

    Forefront TMG has an option that allows you to hide IPv6 traffic from the real-time monitoring tab. Because Forefront TMG does not otherwise support IPv6, this option hides those entries so that the TMG log is easier to read.

    Figure 9: Hide IPv6 log entries

    If you need more functionality and flexibility, you can use Forefront UAG for your DirectAccess scenario. Using Forefront UAG has the following advantages:

  • Easy to scale out (up to 8 Forefront UAG servers can join an array)
  • High availability (with Windows Server 2008 R2 NLB)
  • Access to legacy IPv4-only servers in the company network
  • Easy to configure, deploy and manage
  • Forefront UAG installs Forefront TMG on each node during the installation process
  • Other remote access solutions for machines that are not joined to the domain.