Better security, simpler deployment, and easier management
Monitoring and Logging
Another area of improvement is monitoring. Forefront UAG SP1 introduces integrated monitoring of DirectAccess connections in the Forefront UAG Web Monitor tool. The DirectAccess monitor provides a list of currently logged on users, including machine and user account, IPv6 source address, level of access (infrastructure or intranet), and health status if NAP is being used.
This information, which Figure 5 shows, is persisted in the local SQL Server database. You can use the Forefront Threat Management Gateway (TMG) management tool, which is also included in the Forefront UAG SP1 installation, to view the historical data. You can also configure logging to a remote SQL Server machine, which is great for consolidating logs from servers in an array.
Figure 5: DirectAccess monitoring with the Forefront UAG Web Monitor tool
Speaking of arrays, the Web Monitor tool now includes a consolidated status view of all the DirectAccess servers in an array, indicating the health condition for each array member, as Figure 6 shows. The Web Monitor tool can be used remotely from any browser, providing operators an easy way to quickly check the status of the DirectAccess infrastructure.
Figure 6: Health monitoring of Forefront UAG array members
Forefront UAG SP1 incorporates several improvements to ease DirectAccess deployment. The UAG DirectAccess Configuration Wizard can now configure DirectAccess settings across multiple domains, as well as use existing GPOs for client, gateway, and application server configuration instead of creating new ones. The flexibility also exists to link these GPOs to organizational units (OUs) instead of using groups and to customize the names of the GPOs directly from the wizard.
NAP configuration is also integrated into the UAG DirectAccess Configuration Wizard. If NAP is selected, Forefront UAG SP1 sets up Health Registration Authority (HRA) and Network Policy Server (NPS) on the UAG server and configures the network policies for reporting and enforcing system health requirements on the DirectAccess clients. The NAP components report into the Forefront UAG monitoring and logging infrastructure, so administrators can see the latest information in the Web Monitor tool and query the SQL Server database for historical data about client health status.
On the client side, the DCA tool configuration is now part of the UAG DirectAccess Configuration Wizard, and its settings are incorporated into the client configuration GPO. Deploying the tool still isn’t part of the wizard, but because the tool installation package consists of a single Windows Installer (MSI) file, organizations could even use the same GPO to install it.
An All-Around Better Solution
Overall, Forefront UAG SP1 is a huge step forward in making DirectAccess more secure, simpler to deploy, and easier to operate. With the increasing mobility of the workforce and the trend toward deperimeterization reaching many enterprises, no Windows 7 deployment is complete without a remote access and management technology—and DirectAccess is now an even stronger contender for this role.