As part of the UAG DirectAccess (RTM) solution we suggest an improved way of managing the Access Enabling Servers, aka “First Tunnel”. These are the machines inside the domain which require access prior to the remote user’s logon. Machine’s such as Domain Controllers, NAP and various remediation servers require access in order to validate the client as a healthy domain joined machine; thus allowing secure access to the rest of the corporate resources.
The “Management Servers and DCs” User Interface:
This UI enables easy control and management of the servers that are published as “Access Enabling” for your organization. List your domains your NAP and remediation servers with ease, sit back and watch the IPSec policies at work.
You can organize your servers into logical groups, making it easier to audit changes and developments of your organization.
· The new UI is divided into logical groups, making it easier tracking down specific machines based on their roles.
· You can add servers using a name, an IPv6 address or an IPv4 address. The result is that names and IPv4 addresses are resolved to actual v6 IPs (Native and/or ISATAP and/or NAT64) only at the final “Policy Generation” step, this way when networking changes occur you just regenerate the policies.
· The “Domains” group is unique, while you are required to add/remove domains manually. The DCs themselves are discovered and listed automatically. This is called a “discoverable” group, which means that members (servers) cannot be added or removed. However it is possible to “uncheck” (see below) them.
In future releases more groups (such as Windows Updates) may become “discoverable” groups, to ease the management process further.
· “Refresh” button causes all discoverable groups in tree to list their servers based on the most current information. For example, new DCs are added and deprecated DCs are removed, resulting in an up-to-date list of all the domains and their DCs.
· Unchecking a server will remove it from the final resolved list of the “Access Enabling” tunnel. This is useful when you want to list all servers of a specific group for future use, but currently want to grant access only to few. This is a practical way to balance existing health and remediation servers in favor of local and remote clients.
· Adding groups of your own, either to the “Management” or “Other” tree roots as you see fit. The groups are a loose logical arrangement, it is up to you to use the built-in groups or just add some of your own.
· Adding a single server. You can add a server name, IP address or a whole IPv6 prefix with a single click.
· Adding a list of server. This is a more advanced feature to populate large lists, either manually or by pasting from external lists (spread sheets, txt etc.).
· The end.
Managing the edge of your organization just made simpler with UAG.
Authors: Max Braitmaiere; Yaniv Naor
Reviewer: Meir Mendelovich