Escolar Documentos
Profissional Documentos
Cultura Documentos
Jack Stromberg
A site about stuff
DirectAccess, also known as Unified Remote Access, is a VPN-like technology that provides intranet connectivity to client computers when they are connected to the Internet. Unlike many traditional VPN connections, which must be initiated and terminated by explicit user action, DirectAccess connections are designed to connect automatically as soon as the computer connects to the Internet. DirectAccess was introduced in Windows Server 2008 R2, providing this service to Windows 7 and Windows 8 Enterprise edition clients. http://en.wikipedia.org/wiki/DirectAccess
Prerequisites Domain Admin rights to complete the tutorial below Windows Server 2012 R2 machine Two network cards One in your internal network, the other in your DMZ
DMZ
PKI Setup (Public Key Infrastructure to issue self-signed certificates) Custom template setup for issuing servers with an intended purpose of Server Authentication
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/ 1/35
2/1/2014
Certificate auto-enrollment has been configured Active Directory Security Group designated with Computer Objects allowed to use DirectAccess 1. Login to your Server 2012 R2 server we will be using for installing the Direct Access 2. Ensure all windows updates have been applied.
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/
2/35
2/1/2014
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/
3/35
2/1/2014
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/
4/35
2/1/2014
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/
5/35
2/1/2014
12. Click the Add Features button on the dialog box that prompts
13. Check DirectAccess and VPN (RAS) and then click Next >
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/
6/35
2/1/2014
14. Click Next > on the Web Server Role (IIS) page
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/
7/35
2/1/2014
16. Check the Restart the destination server automatically if required checkbox and click Yes on the dialog box.
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/
8/35
2/1/2014
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/
9/35
2/1/2014
19. Back in Server Manager, click on Tools -> Remote Access Management (You can ignore the warning icon, the Open the Getting Started Wizard will only do a quick setup of DirectAccess. We want to do a full deployment).
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/
10/35
2/1/2014
Here is what the quick deployment looks like. Dont click on this.
20. On the Remote Access Management Console, click on DirectAccess and VPN on the top left and then click on the Run the Remote Access Setup Wizard.
21. On the Configure Remote Access window, select Deploy DirectAccess only
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/
11/35
2/1/2014
23. Select Deploy full DirectAccess for client access and remote management and click Next >
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/
12/35
2/1/2014
26. 27. Select the security group inside of Active Directory that will contain computer objects allowed to use DirectAccess and click OK
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/
13/35
2/1/2014
28. Optionally, uncheck or check Enable DirectAccess for mobile computers only as well as Use force tunneling and click Next > 1. If Enable DirectAccess for mobile computers is checked, WMI will query the machine to determine if it is a laptop/tablet. If WMI determines the machine is not a mobile device, the group policy object will not be applied to those machines in the security group. In short, if checked, DirectAccess will not be applied to computers that are desktops or VMs placed inside the security group. 2. If Use force tunneling is enabled, mobile computers will always connect to the DirectAccess server regardless if the client is directly attached to local network or is remote.
3. 29. Double click on the Resource | Type row 1. What this step is trying to do is find a resource on the internal network that the client can ping to ensure the DirectAccess client has successfully connected to the internal network.
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/
14/35
2/1/2014
30. Select whether you want the client to verify it has connected to the internal network via a HTTP response or network ping, optionally click the validate button to test the connection, and then click Add 1. You may want to add a couple resources for failover testing purposes, however it isnt recommended to list every resource on your internal network.
31. Enter in your Helpdesk email address and DirectAccess connection name (this name will show up as the name of the connection a user would use), and check Allow DirectAccess clients to use local name resolution and click Finish . 1. Based on what I could find, checking Allow DirectAccess clients to use local name resolution will allow the DirectAccess client to use the DNS server published by DHCP on the physical network they are connected to. In the event the Network Location server is unavailable, the client would then use the local DNS server for name resolution; allowing the client to at least access some things via DNS.
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/
15/35
2/1/2014
33. On the Remote Access Server Setup page, select Behind an edge device (with two network adapters) and ensure you specify a public facing DNS record that DirectAccess will use to connect back to your environment, and then click Next > 1. NOTE: By default, your domains FQDN will be used, so if you have a .local domain, you will want to switch this to your actual .com, .net, .org, .whatever. 2. As an additional side note, hereis some information from the following KB article on what the differences are between each of the topologies. From what I gather, using the dual NIC configuration is Microsofts best practice from a security standpoint. Two adaptersWith two network adapters, Remote Access can be configured with one network adapter connected directly to the Internet, and the other is connected to the internal network. Or alternatively the server is installed behind an edge device such as a firewall or a router. In this configuration one network adapter is connected to the
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/ 16/35
2/1/2014
perimeter network, the other is connected to the internal network. Single network adapterIn this configuration the Remote Access server is installed behind an edge device such as a firewall or a router. The network adapter is connected to the internal network.
34. On the Network Adapters step, select your External (DMZ) and Internal (LAN) adapters.
35. Leave the Remote Access Setup screen open and right click on Start button and select
Run
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/
17/35
2/1/2014
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/
18/35
2/1/2014
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/
19/35
2/1/2014
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/
20/35
2/1/2014
42. Expand Certificates (Local Computer) -> Personal -> Certificates, right click on Certificates and select Request New Certificate
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/
21/35
2/1/2014
45. Select your template that will support server authentication and click More information is required to enroll for this certificate. Click here to configure settings.
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/
22/35
2/1/2014
46. On the Subject tab, enter the following values (substituting in your companys information): Common name: da.mydomain.com Country: US Locality: Honolulu Organization : My Company Organization Unit: Information Technology State: Hawaii
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/
23/35
2/1/2014
47. On the Private Key tab, expand Key options and check Make private key exportable. Click Apply when done.
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/
24/35
2/1/2014
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/
25/35
2/1/2014
50. Go back to the Remote Access Setup screen and click Browse
51. Select your da.mydomain.com certificate we just created and click OK.
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/
26/35
2/1/2014
53. Check Use computer certificates and check Use an intermediate certificate and then click Browse
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/
27/35
2/1/2014
54. Select the certificate authority that will be issuing the client certificates and click click OK
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/
28/35
2/1/2014
55. Optionally, you may enable Enable Windows 7 client computers to connect via DirectAccess as well as Enforce corporate compliance for DirectAccess clients with NAP. Note: Configuring these two options are not covered in the scope of this tutorial. Click Finish when done.
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/
29/35
2/1/2014
57. On the Remote Access Setup screen, check The network location server is deployed on a remote web server (recommended), type in the website address to the Network Location Server, and click Next > 1. So for whatever reason, there arent many articles explaining what exactly the network location server is and how to set it up. From what I gather, the Network Location Server is merely a server with a website running on it that the client can contact to ensure it has reached the internal network. The webpage can be the default IIS webpage; just ensure the website is NOT accessible externally.
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/
30/35
2/1/2014
58. Specify any additional DNS servers you wish to use for name resolution, ensure Use local name resolution if the name does not exist in DNS or DNS servers are unreachable when the client computer is on a private network (recommended) is checked and click Next >
59. Check Configure DirectAccess clients with DNS client suffix search list, ensure your local domains suffix has been added, and click Next >
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/
31/35
2/1/2014
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/
32/35
2/1/2014
62. Check Do not extend authentication to application servers and click Finish
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/
33/35
2/1/2014
65. Click Close once direct access has successfully finished deploying
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/
34/35
2/1/2014
66. Login to one of your Windows 8.X Enterprise machines that is inside of your
DirectAccess Compuers security group and run a gpupdate from command line to pull down the latest group policy.
67. At this point, you should now be able to login to your network via DirectAccess! NOTES: Here is a pretty good resource from Microsoft on helping plan your DirectAccess deployment. Once you click on the link, in the bottom left corner, you will find two steps to some good KB articles: http://technet.microsoft.com/en-us/library/jj134262.aspx Here is another article from Microsoft with a more indepth explanation about where to place the Network Location Server: http://technet.microsoft.com/en-us/library/ee382275(v=ws.10).aspx
This entry was posted in Active Directory, Networking and tagged DirectAccess, Remote Access, Unified Remote Access, Windows Server 2012 R2 on December 16, 2013 [http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/] by Jack.
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/
35/35