Configuring UAG DirectAccess

 

*** The configuration below has only been tested with 6to4 and Teredo ***

UAG DirectAccess provides many benefits that Windows Server 2008 R2 DirectAccess does not provide by default, such as NAT64 and DNS64, which let DirectAccess clients communicate with IPv4-only machines such as Windows XP and Windows Server 2003. With UAG DirectAccess you can provide a one-stop remote connectivity solution without major changes to your internal environment.

I tried configuring UAG DirectAccess and faced a lot of challenges initially, so I thought it would be wise to write a blog post on how to configure it.

I assume that you have already installed UAG on a Windows Server 2008 R2 machine.

First, create a security group in your existing Active Directory (there is no need to upgrade the AD to Windows 2008/R2 for DirectAccess; a Windows 2003 AD works). Add to this security group the Windows 7 Ultimate/Enterprise laptops that will connect remotely using DirectAccess. Then click step 1 in the DirectAccess console and add the security group you just created.

[Screenshot: clip_image001]

Second, assign a /96 IPv6 address to the internal interface of the UAG server, and assign two publicly routable IPv4 addresses to the external NIC of the UAG server.

[Screenshot: clip_image002]

Third, click step 2 in the DirectAccess console and define the Internet-facing and internal networks. If you want UAG to use NAT64 and DNS64 when communicating with IPv4-only machines, select the IPv6 address you assigned in the previous step. If your internal machines are all IPv6-capable, you may skip the previous step.

Then click Next.

[Screenshot: clip_image004]

Next, enable NAT64 and DNS64, then click Next.

[Screenshot: clip_image006]

Next, assign a /48 prefix for your organization. For more information, see http://blogs.technet.com/edgeaccessblog/archive/2009/10/13/deep-dive-into-uag-directaccess-ipv6-and-directaccess.aspx

[Screenshot: clip_image008]

Next, select the root CA and the server authentication certificate to be used by IP-HTTPS, then click Finish.

[Screenshot: clip_image010]

Fourth, click step 3 and define the URL of the Network Location Server (NLS). DirectAccess clients use this server to determine whether they are on the internal network or on an external network, so it should be reachable only from inside: a client that can reach the NLS treats itself as internal and does not use DirectAccess.

Click Next.

[Screenshot: clip_image012]

Next, provide the DNS suffix for your organization. Provide all DNS suffixes if you have several domains, and exclude the UAG's FQDN and the NLS server from the NRPT (Name Resolution Policy Table) so that those names are resolved through normal DNS rather than through the DirectAccess tunnel.

[Screenshot: clip_image014]

Add the IP addresses/prefixes of the domain controllers and the management servers.

[Screenshot: clip_image016]

Fifth, click step 4 and define how users will be authenticated. For more information, see http://technet.microsoft.com/en-us/library/dd637823(WS.10).aspx and http://technet.microsoft.com/en-us/library/dd857232.aspx

Click Finish.

[Screenshot: clip_image018]

Finally, click Finish and apply the changes. This creates the appropriate Group Policy objects in the Active Directory domain. Windows 7 clients that will use DirectAccess must receive these policies at least once (while they are on the internal network) before they can connect remotely.

Activate the UAG configuration for the changes to take effect.

[Screenshot: clip_image021]

[Screenshot: clip_image022]
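After the final Apply and activation, the quickest way to see whether a Windows 7 client really received the DirectAccess policies, learned the NRPT, decided that it is outside the corporate network and brought up one of the transition technologies (Teredo, 6to4 or IP-HTTPS) is to query the client with the built-in netsh and gpresult tools. The script below is an added example for that check; it is not part of the original post and not UAG's own tooling. It assumes Windows 7 (PowerShell 2.0, no NetTCPIP cmdlets), an elevated prompt, and placeholder names for the internal DNS suffix, the UAG FQDN and the NLS server; the `-Role Server` switch only dumps the address tables on the UAG box so you can confirm the /96 internal IPv6 address and the two external IPv4 addresses before activating.

```powershell
<#
  Added example (not from the original post or from UAG). Checks a Windows 7
  DirectAccess client, or with -Role Server dumps the UAG server's addresses.
  Run from an elevated PowerShell 2.0 prompt. All names are placeholders.
#>
param(
    [ValidateSet("Client", "Server")]
    [string]$Role = "Client",
    # placeholder: the internal DNS suffix you entered in the NRPT step
    [string]$CorpSuffix = ".corp.example.com",
    # placeholders: the UAG FQDN and the NLS name you excluded from the NRPT
    [string[]]$NrptExemptions = @("uag.example.com", "nls.corp.example.com")
)

function Invoke-Netsh([string[]]$NetshArgs) {
    # Runs netsh with an argument list and returns its output as one string.
    return ((& netsh.exe $NetshArgs 2>&1) -join "`n")
}

function Get-StateLine([string]$Text) {
    # Extracts the value of the first "State : ..." line from netsh output.
    if ($Text -match "(?m)^\s*State\s*:\s*(.+)$") { return $Matches[1].Trim() }
    return "unknown"
}

function Test-DirectAccessGpo {
    # Refreshes computer policy and reports whether any applied computer GPO
    # name mentions DirectAccess (assumption: the UAG-created GPOs do).
    & gpupdate.exe /force /target:computer | Out-Null
    $result = (& gpresult.exe /r /scope:computer) -join "`n"
    return ($result -match "DirectAccess")
}

function Get-NrptStatus {
    # Reads the effective Name Resolution Policy Table. The corporate suffix
    # must be present; the exemptions appear as their own entries without
    # DirectAccess DNS servers, which is what makes them bypass the tunnel.
    $policy = Invoke-Netsh @("namespace", "show", "effectivepolicy")
    $status = @{ NrptSuffixPresent = ($policy -match [regex]::Escape($CorpSuffix)) }
    foreach ($name in $NrptExemptions) {
        $status["NrptEntry_$name"] = ($policy -match [regex]::Escape($name))
    }
    return $status
}

function Get-MachineLocation {
    # "netsh dnsclient show state" on Windows 7 reports the result of the NLS
    # probe: "Inside corporate network" or "Outside corporate network".
    $state = Invoke-Netsh @("dnsclient", "show", "state")
    if ($state -match "(?m)^\s*Machine Location\s*:\s*(.+)$") { return $Matches[1].Trim() }
    return "unknown"
}

function Get-TransitionStatus {
    # The client ends up on exactly one transition technology depending on
    # the network it sits on; report all three so the mismatch is obvious.
    $teredo  = Invoke-Netsh @("interface", "teredo", "show", "state")
    $sixto4  = Invoke-Netsh @("interface", "6to4", "show", "state")
    $ipHttps = Invoke-Netsh @("interface", "httpstunnel", "show", "interfaces")
    return @{
        TeredoState   = Get-StateLine $teredo        # "qualified" when the tunnel is up
        SixToFourState = Get-StateLine $sixto4
        IpHttpsActive = ($ipHttps -match "IPHTTPS interface active")
    }
}

function Get-ServerAddressing {
    # On the UAG box: the internal IPv6 address and the external IPv4 pair
    # should both be visible here before the configuration is activated.
    return @{
        IPv6Addresses = Invoke-Netsh @("interface", "ipv6", "show", "addresses")
        IPv4Addresses = Invoke-Netsh @("interface", "ipv4", "show", "addresses")
    }
}

if ($Role -eq "Server") {
    Get-ServerAddressing
} else {
    $report = @{
        GpoApplied      = Test-DirectAccessGpo
        MachineLocation = Get-MachineLocation
    }
    $report += Get-NrptStatus
    $report += Get-TransitionStatus
    $report.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
}
```

Read the report from the top: if `GpoApplied` is false the client never received the UAG policies and nothing else will work; if it is true but `MachineLocation` says "Inside corporate network" while the laptop is on the Internet, the NLS is reachable from outside and the client will not even try DirectAccess; only once the location is "Outside corporate network" is a Teredo state of "qualified", or an active IP-HTTPS interface, worth looking for.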