(Tutorial) Configuring Direct Access On Server 2012 R2 - Jack Stromberg

2/1/2014
[Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
Jack Stromberg
A site about stuff
[Tutorial] Configuring Direct Access on Server 2012 R2

This tutorial will cover deployment of Windows Server 2012 R2s latest version of DirectAccess . While there are multiple ways to configure Direct Access, I tried to pull together what I believe are the best/recommended practices and what I believe would be a common deployment between organizations. If you have any thoughts/feedback on how to improve this deployment, please leave a comment below. Before beginning, if you are curious what DirectAccess is, here is a brief overview of what it is and what it will allow us to accomplish.
DirectAccess, also known as Unified Remote Access, is a VPN-like technology that provides intranet connectivity to client computers when they are connected to the Internet. Unlike many traditional VPN connections, which must be initiated and terminated by explicit user action, DirectAccess connections are designed to connect automatically as soon as the computer connects to the Internet. DirectAccess was introduced in Windows Server 2008 R2, providing this service to Windows 7 and Windows 8 Enterprise edition clients. http://en.wikipedia.org/wiki/DirectAccess
Prerequisites Domain Admin rights to complete the tutorial below Windows Server 2012 R2 machine Two network cards One in your internal network, the other in your DMZ
Joined to your domain

Latest Windows Updates (seriously, apply these, there are updates released specifically for DirectAccess)
DMZ
PKI Setup (Public Key Infrastructure to issue self-signed certificates) Custom template setup for issuing servers with an intended purpose of Server Authentication
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/ 1/35
2/1/2014
Certificate auto-enrollment has been configured Active Directory Security Group designated with Computer Objects allowed to use DirectAccess 1. Login to your Server 2012 R2 server we will be using for installing the Direct Access 2. Ensure all windows updates have been applied.
3. Open up Server Manager
4. Select Manage -> Add Roles and Features
5. Click Next > on the Before you Begin step
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/
2/35
2/1/2014
6. Ensure Role-based or feature-based installation is checked and click Next >
7. Select Next > on the Select destination server step
3/35
2/1/2014
8. Check Remote Access and click Next >
9. Click Next > on the Select Features step
4/35
2/1/2014
10. Click Next > on the Remote Access step
11. Check DirectAccess and VPN (RAS)
5/35
2/1/2014
12. Click the Add Features button on the dialog box that prompts
13. Check DirectAccess and VPN (RAS) and then click Next >
6/35
2/1/2014
14. Click Next > on the Web Server Role (IIS) page
15. Click Next > on the Role Services page
7/35
2/1/2014
16. Check the Restart the destination server automatically if required checkbox and click Yes on the dialog box.
8/35
2/1/2014
17. Click Install
18. Click Close when the install has completed
9/35
2/1/2014
19. Back in Server Manager, click on Tools -> Remote Access Management (You can ignore the warning icon, the Open the Getting Started Wizard will only do a quick setup of DirectAccess. We want to do a full deployment).
10/35
2/1/2014
Here is what the quick deployment looks like. Dont click on this.
20. On the Remote Access Management Console, click on DirectAccess and VPN on the top left and then click on the Run the Remote Access Setup Wizard.
21. On the Configure Remote Access window, select Deploy DirectAccess only
11/35
2/1/2014
22. Click on the Configure button for Step 1: Remote Clients
23. Select Deploy full DirectAccess for client access and remote management and click Next >
12/35
2/1/2014
24. 25. Click on the Add button
26. 27. Select the security group inside of Active Directory that will contain computer objects allowed to use DirectAccess and click OK
13/35
2/1/2014
28. Optionally, uncheck or check Enable DirectAccess for mobile computers only as well as Use force tunneling and click Next > 1. If Enable DirectAccess for mobile computers is checked, WMI will query the machine to determine if it is a laptop/tablet. If WMI determines the machine is not a mobile device, the group policy object will not be applied to those machines in the security group. In short, if checked, DirectAccess will not be applied to computers that are desktops or VMs placed inside the security group. 2. If Use force tunneling is enabled, mobile computers will always connect to the DirectAccess server regardless if the client is directly attached to local network or is remote.
3. 29. Double click on the Resource | Type row 1. What this step is trying to do is find a resource on the internal network that the client can ping to ensure the DirectAccess client has successfully connected to the internal network.
14/35
2/1/2014
30. Select whether you want the client to verify it has connected to the internal network via a HTTP response or network ping, optionally click the validate button to test the connection, and then click Add 1. You may want to add a couple resources for failover testing purposes, however it isnt recommended to list every resource on your internal network.
31. Enter in your Helpdesk email address and DirectAccess connection name (this name will show up as the name of the connection a user would use), and check Allow DirectAccess clients to use local name resolution and click Finish . 1. Based on what I could find, checking Allow DirectAccess clients to use local name resolution will allow the DirectAccess client to use the DNS server published by DHCP on the physical network they are connected to. In the event the Network Location server is unavailable, the client would then use the local DNS server for name resolution; allowing the client to at least access some things via DNS.
15/35
2/1/2014
32. Click on Configure next to Step 2: Remote Access Server
33. On the Remote Access Server Setup page, select Behind an edge device (with two network adapters) and ensure you specify a public facing DNS record that DirectAccess will use to connect back to your environment, and then click Next > 1. NOTE: By default, your domains FQDN will be used, so if you have a .local domain, you will want to switch this to your actual .com, .net, .org, .whatever. 2. As an additional side note, hereis some information from the following KB article on what the differences are between each of the topologies. From what I gather, using the dual NIC configuration is Microsofts best practice from a security standpoint. Two adaptersWith two network adapters, Remote Access can be configured with one network adapter connected directly to the Internet, and the other is connected to the internal network. Or alternatively the server is installed behind an edge device such as a firewall or a router. In this configuration one network adapter is connected to the
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/ 16/35
2/1/2014
perimeter network, the other is connected to the internal network. Single network adapterIn this configuration the Remote Access server is installed behind an edge device such as a firewall or a router. The network adapter is connected to the internal network.
34. On the Network Adapters step, select your External (DMZ) and Internal (LAN) adapters.
35. Leave the Remote Access Setup screen open and right click on Start button and select
Run
17/35
2/1/2014
36. Type mmc and select OK
37. Click File -> Add/Remove Snap-in
18/35
2/1/2014
38. Select Certificates and click Add >
39. Select Computer account and click Next >
19/35
2/1/2014
40. Ensure Local Computer is selected and click Finish
41. Click OK on the Add or Remove Snap-ins machine
20/35
2/1/2014
42. Expand Certificates (Local Computer) -> Personal -> Certificates, right click on Certificates and select Request New Certificate
43. Click Next on the Before You Begin screen
21/35
2/1/2014
44. Click Next on the Select Certificate Enrollment Policy
45. Select your template that will support server authentication and click More information is required to enroll for this certificate. Click here to configure settings.
22/35
2/1/2014
46. On the Subject tab, enter the following values (substituting in your companys information): Common name: da.mydomain.com Country: US Locality: Honolulu Organization : My Company Organization Unit: Information Technology State: Hawaii
23/35
2/1/2014
47. On the Private Key tab, expand Key options and check Make private key exportable. Click Apply when done.
24/35
2/1/2014
48. Click Enroll.
25/35
2/1/2014
49. Click Finish .
50. Go back to the Remote Access Setup screen and click Browse
51. Select your da.mydomain.com certificate we just created and click OK.
26/35
2/1/2014
52. Click Next >
53. Check Use computer certificates and check Use an intermediate certificate and then click Browse
27/35
2/1/2014
54. Select the certificate authority that will be issuing the client certificates and click click OK
28/35
2/1/2014
55. Optionally, you may enable Enable Windows 7 client computers to connect via DirectAccess as well as Enforce corporate compliance for DirectAccess clients with NAP. Note: Configuring these two options are not covered in the scope of this tutorial. Click Finish when done.
29/35
2/1/2014
56. Click on Configure next to Step 3: Infrastructure Servers
57. On the Remote Access Setup screen, check The network location server is deployed on a remote web server (recommended), type in the website address to the Network Location Server, and click Next > 1. So for whatever reason, there arent many articles explaining what exactly the network location server is and how to set it up. From what I gather, the Network Location Server is merely a server with a website running on it that the client can contact to ensure it has reached the internal network. The webpage can be the default IIS webpage; just ensure the website is NOT accessible externally.
30/35
2/1/2014
58. Specify any additional DNS servers you wish to use for name resolution, ensure Use local name resolution if the name does not exist in DNS or DNS servers are unreachable when the client computer is on a private network (recommended) is checked and click Next >
59. Check Configure DirectAccess clients with DNS client suffix search list, ensure your local domains suffix has been added, and click Next >
31/35
2/1/2014
60. Click Finish on the Management page.
61. Click the Configure. button on Step 4: Application Servers
32/35
2/1/2014
62. Check Do not extend authentication to application servers and click Finish
63. Click Finish on the Remote Access Management Console page
33/35
2/1/2014
64. Click Apply on the Remote Access Review page
65. Click Close once direct access has successfully finished deploying
34/35
2/1/2014
66. Login to one of your Windows 8.X Enterprise machines that is inside of your
DirectAccess Compuers security group and run a gpupdate from command line to pull down the latest group policy.
67. At this point, you should now be able to login to your network via DirectAccess! NOTES: Here is a pretty good resource from Microsoft on helping plan your DirectAccess deployment. Once you click on the link, in the bottom left corner, you will find two steps to some good KB articles: http://technet.microsoft.com/en-us/library/jj134262.aspx Here is another article from Microsoft with a more indepth explanation about where to place the Network Location Server: http://technet.microsoft.com/en-us/library/ee382275(v=ws.10).aspx
This entry was posted in Active Directory, Networking and tagged DirectAccess, Remote Access, Unified Remote Access, Windows Server 2012 R2 on December 16, 2013 [http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/] by Jack.
35/35

(Tutorial) Configuring Direct Access On Server 2012 R2 - Jack Stromberg

Enviado por

Dados do documento

Título original

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

(Tutorial) Configuring Direct Access On Server 2012 R2 - Jack Stromberg

Enviado por

Direitos autorais:

Formatos disponíveis

2/1/2014

[Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg

[Tutorial] Configuring Direct Access on Server 2012 R2

Joined to your domain

[Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg

3. Open up Server Manager

4. Select Manage -> Add Roles and Features

5. Click Next > on the Before you Begin step

[Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg

6. Ensure Role-based or feature-based installation is checked and click Next >

7. Select Next > on the Select destination server step

[Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg

8. Check Remote Access and click Next >

9. Click Next > on the Select Features step

[Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg

10. Click Next > on the Remote Access step

11. Check DirectAccess and VPN (RAS)

[Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg

[Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg

15. Click Next > on the Role Services page

[Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg

[Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg

17. Click Install

18. Click Close when the install has completed

[Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg

[Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg

[Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg

22. Click on the Configure button for Step 1: Remote Clients

[Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg

24. 25. Click on the Add button

[Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg

[Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg

[Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg

32. Click on Configure next to Step 2: Remote Access Server

[Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg

[Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg

36. Type mmc and select OK

37. Click File -> Add/Remove Snap-in

[Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg

38. Select Certificates and click Add >

39. Select Computer account and click Next >

[Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg

40. Ensure Local Computer is selected and click Finish

41. Click OK on the Add or Remove Snap-ins machine

[Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg

43. Click Next on the Before You Begin screen

[Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg

44. Click Next on the Select Certificate Enrollment Policy

[Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg

[Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg

[Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg

48. Click Enroll.

[Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg

49. Click Finish .

[Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg

52. Click Next >

[Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg

[Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg

[Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg

56. Click on Configure next to Step 3: Infrastructure Servers

[Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg

[Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg

60. Click Finish on the Management page.