An important consideration for UAG is whether to make the server a domain member. From a security perspective, the fewer connections the server has to the rest of the infrastructure the better, so most organizations would prefer to run UAG as a stand-alone server (that is, a member of a workgroup). However, some UAG features and scenarios require domain membership. Also, even when it is not a domain member, UAG usually needs to grant its users access to the published applications based on the users' domain group membership. In that case, even though the server does not have to be a domain member, it does need the same kind of network access to the domain controllers that a domain member would need in order to authenticate the user. For example, RPC (Remote Procedure Call) traffic between the UAG server and the domain controllers must be allowed so that UAG can query a user's group membership; because RPC first contacts the endpoint mapper on TCP port 135 and is then redirected to a dynamically assigned port, the firewall rule must cover the dynamic RPC port range as well, not just port 135.
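The following PowerShell script is an added pre-flight check, not part of this book or of the UAG product; it is meant to be run on a workgroup UAG server before installation to confirm that it can reach a domain controller on the ports a domain member would use. The domain controller name and the port list are assumptions for illustration (the book only calls out RPC; Kerberos, LDAP and Global Catalog are typical additional domain-controller ports and you should adjust the list to your environment). It uses only .NET sockets and WMI so that it also works on the PowerShell 2.0 that ships with Windows Server 2008 R2.

```powershell
# Added example (not from the book): pre-flight connectivity check for a workgroup UAG server.
# Assumption: $DomainController is a hypothetical DC name; replace it with one of your DCs.
param(
    [string]$DomainController = 'dc01.corp.example.com'   # assumed name
)

# Step 1: report whether this host is a domain member or a workgroup member.
$cs = Get-WmiObject -Class Win32_ComputerSystem
if ($cs.PartOfDomain) {
    Write-Host ("This server is a member of the domain {0}" -f $cs.Domain)
} else {
    Write-Host ("This server is in workgroup {0}; UAG will need network access to a DC" -f $cs.Workgroup)
}

# Step 2: TCP reachability of the DC-facing protocols. Passing the endpoint mapper test (135)
# does NOT prove the firewall also permits the dynamic RPC port range (49152-65535 on
# Windows Server 2008 and later) that the mapper redirects the client to.
$ports = @{                       # assumed port list; trim or extend for your environment
    'Kerberos'            = 88
    'RPC endpoint mapper' = 135
    'LDAP'                = 389
    'Global Catalog'      = 3268
}

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so an unreachable host fails after $TimeoutMs instead of hanging.
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($name in $ports.Keys) {
    $ok = Test-TcpPort -Target $DomainController -Port $ports[$name]
    $state = if ($ok) { 'open' } else { 'BLOCKED' }
    Write-Host ("{0,-22} TCP/{1,-5} {2}" -f $name, $ports[$name], $state)
}
```

Run it as an administrator on the intended UAG host; any line reporting BLOCKED points to a firewall rule that must be opened before UAG can authenticate users against the domain, and an "open" result for port 135 should be followed by a check that the dynamic RPC range is allowed as well.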
As mentioned before, the following specific scenarios do require explicit domain membership:
ADFS (Active Directory Federation Services)
Publishing applications that use Kerberos Constrained Delegation (KCD) to authenticate users
Publishing the UAG File-Access application
DirectAccess
SSTP VPN
UAG Array
We will discuss these scenarios in further detail in Chapters 6 and 11. Please note that if you plan to use this server for DirectAccess, you might need to address some additional requirements. In that case, do not start the installation before reading Chapter 11.