Configuring Direct Access on Server 2012 R2

[Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
This tutorial will cover deployment of Windows Server 2012 R2's latest version of DirectAccess.
While there are multiple ways to configure Direct Access, I tried to pull together what I believe
are the best/recommended practices and what I believe would be a common deployment
between organizations. If you have any thoughts/feedback on how to improve this deployment,
please leave a comment below.
Before beginning, if you are curious what DirectAccess is, here is a brief overview of what it is
and what it will allow us to accomplish.
DirectAccess, also known as Unified Remote Access, is a VPN-like technology that
provides intranet connectivity to client computers when they are connected to the Internet.
Unlike many traditional VPN connections, which must be initiated and terminated by explicit
user action, DirectAccess connections are designed to connect automatically as soon as the
computer connects to the Internet. DirectAccess was introduced in Windows Server 2008 R2,
providing this service to Windows 7 and Windows 8 “Enterprise” edition clients.
http://en.wikipedia.org/wiki/DirectAccess
Prerequisites
• Domain Admin rights to complete the tutorial below
• Windows Server 2012 R2 machine
• Two network cards – one in your internal network, the other in your DMZ
• Joined to your domain
• Latest Windows Updates (seriously, apply these; there are updates released specifically for DirectAccess)
• DMZ
• PKI setup (a Public Key Infrastructure to issue your own, internally signed certificates)
• Custom template set up for issuing servers with an intended purpose of Server Authentication
• Certificate auto-enrollment has been configured
• Active Directory security group designated with the computer objects allowed to use DirectAccess
http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/
20-8-2014
1. Log in to the Server 2012 R2 server that we will be using to install DirectAccess
2. Ensure all Windows updates have been applied.
3. Open up Server Manager
4. Select Manage -> Add Roles and Features
5. Click Next > on the Before you Begin step
6. Ensure Role-based or feature-based installation is checked and click Next >
7. Select Next > on the Select destination server step
8. Check Remote Access and click Next >
9. Click Next > on the Select Features step
10. Click Next > on the Remote Access step
11. Check DirectAccess and VPN (RAS)
12. Click the Add Features button on the dialog box that prompts
13. Check DirectAccess and VPN (RAS) and then click Next >
14. Click Next > on the Web Server Role (IIS) page
15. Click Next > on the Role Services page
16. Check the Restart the destination server automatically if required checkbox and click Yes on the dialog box.
17. Click Install
18. Click Close when the install has completed
19. Back in Server Manager, click on Tools -> Remote Access Management (you can ignore the warning icon; the Open the Getting Started Wizard link only performs a quick setup of DirectAccess, and we want to do a full deployment).
Here is what the quick deployment looks like. Don’t click on this.
20. On the Remote Access Management Console, click on DirectAccess and VPN on the top left and then click Run the Remote Access Setup Wizard.
21. On the Configure Remote Access window, select Deploy DirectAccess only
22. Click on the Configure… button for Step 1: Remote Clients
23. Select Deploy full DirectAccess for client access and remote management and click Next >
25. Click on the Add… button
27. Select the security group inside of Active Directory that will contain the computer objects allowed to use DirectAccess and click OK
28. Optionally, check or uncheck Enable DirectAccess for mobile computers only as well as Use force tunneling and click Next >
1. If Enable DirectAccess for mobile computers only is checked, WMI will query the machine to determine if it is a laptop/tablet. If WMI determines the machine is not a "mobile device", the group policy object will not be applied to that machine even though it is in the security group. In short, if checked, DirectAccess will not be applied to desktops or VMs placed inside the security group.
2. If Use force tunneling is checked, computers will always use the DirectAccess server when remote. For example, if the user surfs the web to a public website like jackstromberg.com, the traffic will go through the DirectAccess tunnel and back to the machine, rather than directly to the ISP. Generally, this is used in strict compliance environments that want all network traffic to flow through a central gateway.
29. Double click on the Resource | Type row
1. What this step is trying to do is find a resource on the internal network that the client can "ping" to ensure the DirectAccess client has successfully connected to the internal network.
30. Select whether you want the client to verify it has connected to the internal network via an HTTP response or a network ping, optionally click the Validate button to test the connection, and then click Add
1. You may want to add a couple of resources for failover testing purposes; however, it isn't recommended to list every resource on your internal network.
31. Enter your Helpdesk email address and DirectAccess connection name (this name will show up as the name of the connection the user sees), check Allow DirectAccess clients to use local name resolution, and click Finish.
1. Based on what I could find, checking Allow DirectAccess clients to use local name resolution will allow the DirectAccess client to use the DNS server published by DHCP on the physical network it is connected to. In the event the Network Location Server is unavailable, the client would then use the local DNS server for name resolution, allowing the client to at least access some things via DNS.
32. Click on Configure… next to Step 2: Remote Access Server
33. On the Remote Access Server Setup page, select Behind an edge device (with two network adapters), ensure you specify a public-facing DNS record that DirectAccess clients will use to connect back to your environment, and then click Next >
1. NOTE: By default, your domain's FQDN will be used, so if you have a .local domain, you will want to switch this to your actual .com, .net, .org, .whatever.
2. As an additional side note, here is some information from the following KB article on what the differences are between each of the topologies. From what I gather, using the dual-NIC configuration is Microsoft's best practice from a security standpoint.
• Two adapters—With two network adapters, Remote Access can be configured with one network adapter connected directly to the Internet and the other connected to the internal network. Alternatively, the server is installed behind an edge device such as a firewall or a router. In this configuration one network adapter is connected to the perimeter network and the other is connected to the internal network.
• Single network adapter—In this configuration the Remote Access server is installed behind an edge device such as a firewall or a router. The network adapter is connected to the internal network.
34. On the Network Adapters step, select your External (DMZ) and Internal (LAN) adapters.
35. Leave the Remote Access Setup screen open, right click on the Start button and select Run
36. Type mmc and select OK
37. Click File -> Add/Remove Snap-in…
38. Select Certificates and click Add >
39. Select Computer account and click Next >
40. Ensure Local Computer is selected and click Finish
41. Click OK on the Add or Remove Snap-ins window
42. Expand Certificates (Local Computer) -> Personal -> Certificates, right click on Certificates and select All Tasks -> Request New Certificate…
43. Click Next on the Before You Begin screen
44. Click Next on the Select Certificate Enrollment Policy page
45. Select your template that supports server authentication and click the link More information is required to enroll for this certificate. Click here to configure settings.
46. On the Subject tab, enter the following values (substituting in your company's information):
Common name: da.mydomain.com
Country: US
Locality: Honolulu
Organization: My Company
Organization Unit: Information Technology
State: Hawaii
47. On the Private Key tab, expand Key options and check Make private key exportable. Click Apply when done.
48. Click Enroll.
49. Click Finish.
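Before selecting the certificate in the wizard, it is worth confirming that what was enrolled actually has what the DirectAccess server needs: a private key, a Server Authentication EKU, and a chain that builds to a trusted root. The following PowerShell check is an added example, not part of the original tutorial; it assumes it is run on the DirectAccess server and that the public name chosen in step 33 is da.mydomain.com.

```powershell
# Added example, not from the original tutorial. Run on the DirectAccess server.
# Assumption: the public DNS name chosen in step 33 is da.mydomain.com.
$PublicName = 'da.mydomain.com'

function Test-DirectAccessServerCert {
    param([Parameter(Mandatory)][string]$DnsName)

    # Certificates enrolled in step 48 land in the Local Computer Personal store.
    $candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.Subject -like "CN=$DnsName*" -or $_.DnsNameList.Unicode -contains $DnsName
    }
    if (-not $candidates) {
        Write-Warning "No certificate for $DnsName in Cert:\LocalMachine\My"
        return $false
    }

    $anyUsable = $false
    foreach ($cert in $candidates) {
        # The wizard needs a key the server can use, a Server Authentication EKU
        # (OID 1.3.6.1.5.5.7.3.1) and a chain that validates to a trusted root.
        $serverAuth = $cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1'
        $chainOk    = $cert.Verify()
        $notExpired = $cert.NotAfter -gt (Get-Date).AddDays(30)

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            HasPrivateKey = $cert.HasPrivateKey
            ServerAuthEKU = $serverAuth
            ChainValid    = $chainOk
            NotAfter      = $cert.NotAfter
        } | Format-List | Out-String | Write-Host

        if ($cert.HasPrivateKey -and $serverAuth -and $chainOk -and $notExpired) {
            $anyUsable = $true
        }
    }
    return $anyUsable
}

if (Test-DirectAccessServerCert -DnsName $PublicName) {
    Write-Host "OK: a usable certificate for $PublicName exists; select it in step 51."
} else {
    Write-Warning "No usable certificate for $PublicName; re-check the template from step 45."
}
```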
50. Go back to the Remote Access Setup screen and click Browse…
51. Select the da.mydomain.com certificate that we just created and click OK.
52. Click Next >
53. Check Use computer certificates and check Use an intermediate certificate and then click Browse…
54. Select the certificate authority that will be issuing the client certificates and click OK
55. Optionally, you may enable Enable Windows 7 client computers to connect via DirectAccess as well as Enforce corporate compliance for DirectAccess clients with NAP. Note: configuring these two options is not covered in the scope of this tutorial. Click Finish when done.
56. Click on Configure… next to Step 3: Infrastructure Servers
57. On the Remote Access Setup screen, check The network location server is deployed on a remote web server (recommended), type in the website address of the Network Location Server, and click Next >
1. So for whatever reason, there aren't many articles explaining what exactly the network location server is and how to set it up. From what I gather, the Network Location Server is merely a server with a website running on it that the client can contact to ensure it has reached the internal network. The webpage can be the default IIS webpage; just ensure the website is NOT accessible externally.
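A quick way to validate the two properties the note above asks for (reachable over HTTPS from inside, not resolvable from outside) is the PowerShell check below. It is an added example, not part of the original tutorial; it assumes a hypothetical NLS URL of https://nls.mydomain.local, is run from a domain-joined client on the internal network, and uses the public resolver 8.8.8.8 as the "outside" view of DNS.

```powershell
# Added example, not from the original tutorial. Run from a domain-joined client
# on the internal network. Assumptions: the NLS URL entered in step 57 is
# https://nls.mydomain.local (hypothetical) and 8.8.8.8 stands in for "public DNS".
$NlsUrl      = 'https://nls.mydomain.local'
$ExternalDns = '8.8.8.8'

function Test-NetworkLocationServer {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$PublicResolver
    )
    $hostName = ([uri]$Url).Host

    # 1. Inside view: the client must get an HTTPS 200 from the NLS. Invoke-WebRequest
    #    fails on an untrusted certificate, which is the same failure a DA client would hit.
    try {
        $resp       = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
        $internalOk = ($resp.StatusCode -eq 200)
    } catch {
        Write-Warning "NLS not reachable internally: $($_.Exception.Message)"
        $internalOk = $false
    }

    # 2. Outside view: the NLS name must not resolve on public DNS. If it does, a client
    #    on the Internet could reach the NLS, conclude it is on the intranet, and never
    #    bring up its DirectAccess tunnel.
    try {
        $answers = Resolve-DnsName -Name $hostName -Server $PublicResolver -ErrorAction Stop |
                   Where-Object { $_.Type -in 'A', 'AAAA' }
        $leaksExternally = ($answers | Measure-Object).Count -gt 0
    } catch {
        $leaksExternally = $false   # NXDOMAIN or no answer is the desired outcome
    }
    if ($leaksExternally) {
        Write-Warning "$hostName resolves on $PublicResolver to: $($answers.IPAddress -join ', ')"
    }

    [pscustomobject]@{
        NlsHost          = $hostName
        ReachableInside  = $internalOk
        ResolvesOnPublic = $leaksExternally
        Pass             = ($internalOk -and -not $leaksExternally)
    }
}

Test-NetworkLocationServer -Url $NlsUrl -PublicResolver $ExternalDns
```

Pass is only true when the NLS answers internally and its name is unknown to the public resolver; a true ResolvesOnPublic means the site is reachable from where it must not be.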