UAG supports several types of remote connectivity that go beyond simple application publishing, and these bring additional considerations of their own. The first such scenario is, of course, DirectAccess, the VPN celebrity of 2010. DirectAccess configuration is pushed out to clients using Group Policy, so Group Policy has to be factored into the planning as well. Having a Group Policy in place is not enough by itself: UAG creates the DirectAccess policy for you, but other policies that apply to the same clients may need to be adjusted so they do not conflict with it. For example, the Windows Firewall service on each client must be running, because the IPsec connection security rules that DirectAccess relies on are enforced by that service (the firewall profiles themselves can be turned off). If your organization's Group Policy disables the firewall service on client computers, you will have to change that before DirectAccess will work.
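The firewall prerequisite lends itself to a quick check on a client before you start troubleshooting the GPO. The following PowerShell script is an added example, not from this book or from UAG itself: it reports the state and startup type of the Windows Firewall service (MpsSvc, the service name on Windows 7), shows the per-profile firewall state as a GPO would set it, and counts the connection security rules that have arrived. Everything it uses is the stock service cmdlets and netsh; the GPO path in the warning is the standard System Services location.

```powershell
# Added example, not UAG's own tooling. Run in an elevated prompt on a Windows 7
# DirectAccess client to check the firewall-related prerequisites discussed above.

# 1. The Windows Firewall service (MpsSvc) must be running: the IPsec connection
#    security rules that DirectAccess pushes via Group Policy are enforced by it.
$svc = Get-Service -Name MpsSvc
$startMode = (Get-WmiObject -Class Win32_Service -Filter "Name='MpsSvc'").StartMode
Write-Host ("Windows Firewall service: {0} (startup type: {1})" -f $svc.Status, $startMode)
if ($svc.Status -ne 'Running' -or $startMode -eq 'Disabled') {
    Write-Warning 'MpsSvc is stopped or disabled; check Group Policy under Computer Configuration / Windows Settings / Security Settings / System Services.'
}

# 2. Per-profile firewall state. A GPO that merely sets a profile to Off is
#    tolerated; a GPO that disables the service is not.
netsh advfirewall show allprofiles state

# 3. Connection security (IPsec) rules. An empty list on a client that has
#    already refreshed Group Policy means the DirectAccess GPO has not arrived.
$consec = netsh advfirewall consec show rule name=all
$ruleCount = @($consec | Where-Object { $_ -match '^Rule Name:' }).Count
Write-Host ("Connection security rules present: {0}" -f $ruleCount)
if ($ruleCount -eq 0) {
    Write-Warning 'No connection security rules found; run gpupdate /force while connected to the corporate network and re-check.'
}
```

Run it once while the client is on the corporate LAN (after gpupdate) and again from outside; the rule count should be the same in both places, since the rules travel with the GPO rather than with the connection.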
Another consideration for DirectAccess is that it needs a public key infrastructure (PKI) in place. The IPsec tunnels that are DA's fundamental transport authenticate with certificates, so both the servers and the clients need them. The UAG servers need certificates bearing their public host names, and the Certificate Authority (CA) that issued them must be trusted by the clients. Furthermore, each client computer must connect to the corporate network at least once to receive the DirectAccess Group Policy, since it is a domain policy and is only delivered to domain-joined machines that can reach a domain controller. So if you were counting on sending out an email with instructions and going home early, think again. We will discuss DirectAccess in more detail in Chapter 11.
Another way of providing remote connectivity with UAG is SSL Network Tunneling, formerly known as Network Connector, and its successor, SSTP (Secure Socket Tunneling Protocol). Network Connector has been around for ages, and as such it has some limitations, the most important being that it does not support Windows 7 clients. SSTP can be a suitable replacement for some scenarios because it does support Windows 7. SSL Network Tunneling is not difficult to configure, but it does require careful planning of the IP address and network configuration handed to clients, as well as of the split-tunneling mode. You must configure it with an IP pool that does not overlap any range already in use on your network; an overlapping pool leaves the connecting client unable to tell remote hosts from local ones when it routes traffic. You can also assign a specific IP range and network configuration so as to control which servers the connecting clients can reach. For example, you might decide that connecting clients should be able to RDP into their own corporate desktops from home but not into the corporate servers, or the other way around.
You could also set your NC clients to non-split-tunneling mode, which routes their Internet traffic through the corporate network instead of directly through their local ISP. The advantages and disadvantages of each mode are discussed in Chapter 5.
SSTP's configuration is somewhat similar to NC's, although SSTP can be used by Windows 7 clients and NC cannot, so many companies will have to set up both an NC option and an SSTP one to cover all their clients. SSTP is a little simpler to plan and configure: you simply enable it and set a range of IP addresses for connecting clients. In non-array scenarios you can even have the IPs assigned from DHCP, which is probably the most convenient option for almost everybody. The same rule applies as for NC, though: whatever range you choose must not overlap an existing corporate subnet.
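The non-overlap requirement for the NC and SSTP address pools is easy to get wrong by hand when the corporate network has many subnets. The following PowerShell script is an added example (not part of UAG or this book) that converts the corporate subnets and the candidate client pools to numeric ranges and reports any overlap. All subnets and pool ranges in it are made-up sample values, and it deliberately avoids bit-shift operators so it runs on the PowerShell 2.0 that ships with Windows 7 and Windows Server 2008 R2.

```powershell
# Added example, not UAG's own tooling: check candidate NC/SSTP client address
# pools against the corporate subnets for overlap. All addresses are sample values.

function ConvertTo-UInt32 {
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)   # GetAddressBytes is network order; BitConverter wants host order
    return [BitConverter]::ToUInt32($bytes, 0)
}

# Turn "a.b.c.d/prefix" into an inclusive numeric range. Pow() instead of a shift keeps
# this usable on PowerShell 2.0; uint64 arithmetic avoids overflow on /0 and wrap-around.
function Get-RangeFromCidr {
    param([string]$Cidr)
    $addr, $prefix = $Cidr.Split('/')
    $size  = [uint64][Math]::Pow(2, 32 - [int]$prefix)
    $net   = [uint64](ConvertTo-UInt32 $addr)
    $start = $net - ($net % $size)          # align to the block boundary
    return @{ Start = $start; End = $start + $size - 1; Text = $Cidr }
}

# Turn "first-last" into the same shape of range.
function Get-RangeFromSpan {
    param([string]$Span)
    $first, $last = $Span.Split('-')
    return @{ Start = [uint64](ConvertTo-UInt32 $first); End = [uint64](ConvertTo-UInt32 $last); Text = $Span }
}

# Two inclusive ranges overlap when each one starts no later than the other ends.
function Test-RangeOverlap {
    param($A, $B)
    return ($A.Start -le $B.End) -and ($B.Start -le $A.End)
}

# Corporate subnets the UAG server routes to (sample values).
$corpSubnets = '10.0.0.0/16', '192.168.10.0/24' | ForEach-Object { Get-RangeFromCidr $_ }

# Candidate client pools (sample values): the first one collides with 10.0.0.0/16.
$pools = '10.0.200.1-10.0.200.254', '172.16.50.1-172.16.50.254' | ForEach-Object { Get-RangeFromSpan $_ }

foreach ($pool in $pools) {
    $clashes = @($corpSubnets | Where-Object { Test-RangeOverlap $pool $_ })
    if ($clashes.Count -gt 0) {
        $names = ($clashes | ForEach-Object { $_.Text }) -join ', '
        Write-Warning ('Pool {0} overlaps corporate subnet(s): {1}' -f $pool.Text, $names)
    } else {
        Write-Host ('Pool {0} is clear of all corporate subnets' -f $pool.Text)
    }
}
```

Feed it the real subnet list from your routing table or IPAM rather than the sample values; with the samples, the first pool is reported as a clash and the second as clear. The DHCP option for SSTP sidesteps the problem only if the DHCP scope itself was planned the same way.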
Chapter 5, which discusses remote connectivity, also covers topics that are not categorized as VPN but are still more related to connectivity than to simple application publishing. Of these technologies, File Access and Drive Mapping are worth noting, as they pose additional requirements and considerations. File Access lets connecting clients browse network shares, retrieve and save files, and more. Drive Mapping maps a server's share as a temporary network drive, so the user can retrieve data from places like their own folder on the company's file server or from generally available network shares. Both, however, require that the UAG server itself can reach the shares. This is not a matter of file-level permissions (the user's own credentials still decide what they may read or write) but of ports and protocols: File Access and Drive Mapping use Windows file-sharing protocols and RPC, which may require special routing, firewall and IP configuration if an internal firewall or load balancer sits between UAG and the file servers.
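Because the reachability requirement is on the UAG server rather than on the user, the quickest way to rule out an internal firewall or load balancer is to test the ports from the UAG server itself. The following PowerShell script is an added example, not UAG's own tooling: it opens TCP connections from the UAG server to each file server on the Windows file-sharing ports with a timeout, so a silently dropping firewall shows up as clearly as a refused connection. The file server names are sample values, and the port choice is an assumption based on standard Windows file sharing (445 for SMB, 139 for the NetBIOS session service, 135 for the RPC endpoint mapper); adjust it to whatever your Chapter 5 configuration actually requires.

```powershell
# Added example, not part of UAG. Run on the UAG server to confirm that the file
# servers behind File Access / Drive Mapping are reachable on the file-sharing ports.
# Host names are sample values; the port list is an assumption based on standard
# Windows file sharing (SMB 445, NetBIOS session 139, RPC endpoint mapper 135).

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # A firewall that drops packets never answers; the timeout turns that into a result.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$fileServers = 'fs01.corp.example.com', 'fs02.corp.example.com'   # sample values
$ports = 445, 139, 135

foreach ($server in $fileServers) {
    foreach ($port in $ports) {
        $ok = Test-TcpPort -ComputerName $server -Port $port
        $state = if ($ok) { 'open' } else { 'BLOCKED or unreachable' }
        '{0,-28} tcp/{1,-4} {2}' -f $server, $port, $state
    }
}
```

When a port shows as blocked here but the same test succeeds from a workstation on the internal LAN, the problem is the path from UAG's internal interface to the file server, not the file server or the user's permissions.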