DirectAccess Configuration, Tips, Tricks, and Best Practices

Presentation transcript:

DirectAccess Configuration, Tips, Tricks, and Best Practices
Tech Ed North America 2010, SESSION CODE: WSV306
Rand Morimoto, Ph.D., MCITP, CISSP
Author, “Windows 2008 R2 Unleashed”; President, Convergent Computing
Start Time 1:30pm
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

How Today’s Session is Structured
This is a Level 400 session, so NO marketing fluff! I will jump right into the installation/configuration of DirectAccess, and will be stopping at key points in the installation process where extra tips, tricks, and clarifications are commonly needed.
Blog (includes deployment whitepaper and demo script for today’s session): http://www.networkworld.com/community/morimoto

Assumptions
- You have a good command of Active Directory Group Policies
- You have a good familiarity with navigating through Windows Control Panel and Networking
- You have a conceptual knowledge of DNS, IPsec, and IPv6 (I will expand your understanding of these technologies in this session. This is where most implementers get hung up when deploying DirectAccess…)

DirectAccess – Background Slide
[Diagram: DirectAccess Client (Windows 7) -- Internet -- DirectAccess Server (Server 2008 R2). The client-to-server traffic is encrypted with IPsec+ESP and tunneled over IPv4 (UDP, HTTPS, etc.). IPv6 connectivity options: Native IPv6, 6to4, Teredo, IP-HTTPS.]

My Implementation Environment
- Active Directory 2008 SP2 or Active Directory 2008 R2 Domain Controller
- Active Directory Certification Authority
- A Windows 2008 R2 Server running the DirectAccess feature
- A Windows 7 Enterprise or Ultimate client system
- (An application server in my internal network)

My Implementation Environment (cont’d)

Configuration #1: End-to-Edge Access Model
For end-to-edge protection, DirectAccess clients establish an IPsec session to an IPsec gateway server (which by default is the same computer as the DirectAccess server). The IPsec gateway server then forwards unprotected traffic, shown in red, to application servers on the intranet. This architecture does not require IPsec on the intranet and works with any IPv6-capable application servers.

Configuration #2: End-to-End Access Model
With end-to-end protection, DirectAccess clients establish an IPsec session through the DirectAccess server to each application server to which they connect. This provides the highest level of security because you can configure access control on the DirectAccess server. However, this architecture requires that application servers run Windows Server 2008 SP2 or Windows Server 2008 R2 and use both IPv6 and IPsec.

Configuration #1½: Selected Server Access
[Diagram: Windows 7 client (trusted, compliant, healthy machine) -- Internet -- DirectAccess Server (Server 2008 R2 or UAG) -- Corporate Network containing DC & DNS (Server 2008 SP2/R2) and Applications & Data (non-IPsec enabled)]
For Selected Server Access, the DirectAccess Setup Wizard allows you to configure one of the following for the selected server access model:
- The only servers that DirectAccess clients can communicate with are selected intranet servers, using Internet Protocol security (IPsec) peer authentication and end-to-end data integrity.
- The only servers that DirectAccess clients can communicate with are selected intranet servers, using IPsec peer authentication but no IPsec protection.
- Communications between DirectAccess clients and selected intranet servers must perform IPsec peer authentication and end-to-end data integrity. Communications with all other intranet endpoints use clear text.
- Communications between DirectAccess clients and intranet servers must perform IPsec peer authentication but no IPsec protection. Communications with all other intranet endpoints use clear text.

Step #1: Enabling IPv6 in the Enterprise
[Diagram: DirectAccess Server (Server 2008 R2) -- IPv6 over IPv4 using ISATAP -- Line of Business Applications on Windows Server 2008/R2]
On all internal DCs (that is, every internal DNS server), run from an elevated prompt:
Dnscmd /config /globalqueryblocklist wpad
By default the DNS global query block list contains both wpad and isatap, so the isatap.yourdomain.com record the DirectAccess wizard creates would never be answered. This command replaces the list with wpad only, so ISATAP resolution works while WPAD hijacking protection is kept.
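The one-liner above overwrites the whole block list, which silently drops any other names an organization has added to it. The following PowerShell script is an added example (not part of the slide deck or the demo script) that instead reads each server's current list and removes only isatap, refusing to clear the list entirely. It assumes dnscmd.exe is present (DNS Server role or RSAT), an elevated prompt, placeholder server names in $DnsServers, and that dnscmd reports each entry on a line of the form "String:  name".

```powershell
# Added example (not from the slide deck): remove only "isatap" from the DNS
# GlobalQueryBlockList on each internal DNS server, keeping any other entries
# (the slide's one-liner replaces the whole list with just "wpad").
# Assumes: dnscmd.exe is available, an elevated prompt, and that $DnsServers
# lists your internal DNS servers (placeholder names below).
$DnsServers = @('dc1.yourdomain.com', 'dc2.yourdomain.com')   # placeholders

function Get-GlobalQueryBlockList {
    param([string]$Server)
    # dnscmd prints one "String:  <name>" line per entry (assumed output format)
    $out = & dnscmd.exe $Server /Info /GlobalQueryBlockList 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dnscmd failed on $Server`: $out" }
    $out | ForEach-Object {
        if ($_ -match '^\s*String:\s+(\S+)') { $Matches[1] }
    }
}

function Set-GlobalQueryBlockList {
    param([string]$Server, [string[]]$Names)
    # Calling /Config /GlobalQueryBlockList with no names disables blocking
    # entirely (wpad included); never let that happen by accident.
    if (-not $Names) { throw "Refusing to clear the block list on $Server" }
    $out = & dnscmd.exe $Server /Config /GlobalQueryBlockList @Names 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dnscmd failed on $Server`: $out" }
}

foreach ($srv in $DnsServers) {
    $current = @(Get-GlobalQueryBlockList -Server $srv)
    Write-Host "$srv current block list: $($current -join ', ')"
    # -ne is case-insensitive in PowerShell, so ISATAP/isatap both match
    $wanted = @($current | Where-Object { $_ -ne 'isatap' })
    if ($wanted.Count -eq $current.Count) {
        Write-Host "$srv`: isatap not blocked, nothing to do"
        continue
    }
    Set-GlobalQueryBlockList -Server $srv -Names $wanted
    Write-Host "$srv new block list: $($wanted -join ', ')"
}
```

The block list is a per-server setting, not replicated through AD, which is why the slide says to run the command on every internal DC; the loop above does the same.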

-- or -- Set up NAT64
[Diagram: DirectAccess Server (Server 2008 R2) -- IPv6 -- NAT64 / DNS-ALG -- IPv4 -- Line of Business Applications on Windows Server 2003 or non-Windows hosts]

Step 2: Configuring the Network Location Server
- Any INTERNAL server running Web services
- Create a DNS name (like nls.yourdomain.com)
- Associate this new NLS DNS name to an IP address of an internal Web server
- NLS tells the DirectAccess clients whether they are “inside” or “outside” of the network.
*** Make sure this system is HIGHLY available!!! ***

Step 3: Create Group(s) for the DA Clients
- Create a security group (Global or Universal)
- Add Win7 client systems into this group
- Remember, systems are no longer really part of a “site” as they are now universally roaming systems. So you define the group of systems by policy of what you want the systems to have access to, not where they arbitrarily are.

Step 4: Configuring Windows Firewall for DirectAccess
- Allow inbound and outbound ICMPv6 Echo Request messages
- Create a Group Policy or configure each system individually

Step 5: Configuring the Network Location Server
- Enroll the server with a certificate and configure for SSL access

Step 6: Certificate Auto-Enrollment
- Make sure all systems in the DirectAccess group of client systems have a valid client authentication certificate
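To show what Steps 4 and 6 look like on a single host, here is an added PowerShell example (not from the slide deck or the demo script). It creates the two ICMPv6 Echo Request rules with netsh advfirewall (the “configure each system individually” path; the Group Policy path pushes the same rules centrally) and then checks that the machine store holds a valid computer certificate carrying the Client Authentication EKU, which is what Step 6 auto-enrollment should have produced. The rule names are ours; it assumes an elevated prompt on Windows 7 or Server 2008 R2 and that netsh returns a non-zero exit code when no rule matches.

```powershell
# Added example (not from the slide deck): per-host Step 4 firewall rules plus a
# Step 6 certificate check. Rule names are our own; assumes an elevated prompt.
$Rules = @(
    @{ Name = 'DirectAccess - ICMPv6 Echo Request (In)';  Dir = 'in'  },
    @{ Name = 'DirectAccess - ICMPv6 Echo Request (Out)'; Dir = 'out' }
)

function Ensure-IcmpV6EchoRule {
    param([string]$Name, [string]$Dir)
    # Skip if a rule with this name already exists so re-runs are idempotent
    # (assumes "show rule" exits non-zero when nothing matches).
    & netsh advfirewall firewall show rule name="$Name" | Out-Null
    if ($LASTEXITCODE -eq 0) { return "exists: $Name" }
    # icmpv6:128,any = ICMPv6 type 128 (Echo Request), any code
    & netsh advfirewall firewall add rule name="$Name" dir=$Dir action=allow `
        protocol=icmpv6:128,any profile=any | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "failed to add rule $Name" }
    return "added: $Name"
}

function Get-ClientAuthCerts {
    # EKU 1.3.6.1.5.5.7.3.2 = Client Authentication (extension OID 2.5.29.37).
    # Only time-valid certs with a private key count as usable for DA.
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.NotAfter -gt $now -and $_.NotBefore -le $now -and $_.HasPrivateKey -and
        ($_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })
    }
}

foreach ($r in $Rules) { Ensure-IcmpV6EchoRule -Name $r.Name -Dir $r.Dir }

$certs = @(Get-ClientAuthCerts)
if ($certs.Count -eq 0) {
    Write-Warning 'No valid Client Authentication certificate in LocalMachine\My; run gpupdate /force and check auto-enrollment'
} else {
    $certs | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize
}
```

Allowing only ICMPv6 type 128 (Echo Request) is deliberately narrower than opening all of ICMPv6; Teredo and DirectAccess connectivity detection need echo requests in both directions, nothing more from this rule.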

Step 7: Installing and Configuring DirectAccess (server)
- Add a certificate to the DirectAccess server
- Add the DirectAccess feature on the server
- Run the DirectAccess setup

Step 8: Finalizing Configurations
- Make sure DA client systems are in the DA policy group
- Run gpupdate /force on all systems to make sure the new policies have been applied (servers for the firewall policy, clients for the firewall and certificate auto-enrollment policies)
- Stop/start the iphlpsvc service on all servers and test to make sure that all systems can resolve the isatap.yourdomain.com DNS entry that was created during the DirectAccess setup wizard (note: the stop/start may not be necessary; the configuration should be picked up and applied after gpupdate is run)
- Use ping -6 <ipaddress> to make sure you can ping servers and systems internally

Step 9: Testing DirectAccess (Internally)
- With the client system internal, run ipconfig and check to make sure you have a local address
- Access a file on a file server or SharePoint using an internal http(s) connection

Step 10: Testing DirectAccess (Externally)
- With the client system external, run ipconfig and check to make sure you have an external IP address
- Access a file on a file server or SharePoint using an internal http(s) connection
- > netsh dns show state (output is different when inside and outside)

Step 11: Testing DirectAccess (Externally using IP-HTTPS)
- Step 10 tested external access using the automatically generated Teredo 2001: address
- Now to verify that external access is working using IP-HTTPS, disable Teredo:
  Netsh interface teredo set state disable
  Netsh interface httpstunnel show interfaces
- Re-access your file server and your Web server with an internal address, and see if you still have access now over IP-HTTPS
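Steps 8 through 11 are one verification procedure, so here is an added PowerShell example (not part of the slide deck or the demo script) that runs the same checks from a DirectAccess client in one pass: which IPv6 addresses and transition technology the client currently has, what netsh dns show state reports, whether the isatap record and an internal host still resolve, and whether an IPv6 ping to that host succeeds. The names isatap.yourdomain.com and fileserver.yourdomain.com are placeholders; it assumes a Windows 7 client and an elevated prompt, and uses WMI because Windows 7 has no Get-NetIPAddress cmdlet.

```powershell
# Added example (not from the slide deck): client-side check for Steps 8-11.
# Placeholders below must be replaced with your own names.
$IsatapName   = 'isatap.yourdomain.com'       # created by the DA setup wizard
$InternalHost = 'fileserver.yourdomain.com'   # any internal server to test against

function Get-DnsState {
    # Reports whether the client currently considers itself inside or outside
    # the corporate network (different output in each case); raw text kept.
    (& netsh dns show state) -join "`n"
}

function Get-IPv6Addresses {
    # WMI works on Windows 7 and Server 2008 R2 alike; keep only IPv6 entries.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
        ForEach-Object { $_.IPAddress } | Where-Object { $_ -like '*:*' }
}

function Get-TransitionTech {
    param([string[]]$Addrs)
    # The prefix tells you which tunnel produced the address:
    # 2001:0::/32 Teredo, 2002::/16 6to4, ...:0:5efe:w.x.y.z ISATAP,
    # fe80::/10 link-local; anything else is native or IP-HTTPS.
    foreach ($a in $Addrs) {
        if     ($a -match '^2001:(0:|:)') { 'Teredo' }
        elseif ($a -match '^2002:')       { '6to4' }
        elseif ($a -match ':5efe:')       { 'ISATAP' }
        elseif ($a -match '^fe80:')       { 'link-local' }
        else                              { 'native/IP-HTTPS' }
    }
}

function Resolve-Name {
    param([string]$Name, [switch]$IPv6Only)
    # isatap.<domain> is an IPv4 record (the ISATAP router), so only filter
    # to IPv6 when the caller asks for it.
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($Name)
        if ($IPv6Only) { $addrs = $addrs | Where-Object { $_.AddressFamily -eq 'InterNetworkV6' } }
        $addrs | ForEach-Object { $_.IPAddressToString }
    } catch { @() }
}

function Test-IPv6Ping {
    param([string]$Target)
    # Windows ping exits 0 only when replies were received.
    & ping -6 -n 2 $Target | Out-Null
    $LASTEXITCODE -eq 0
}

$addrs = @(Get-IPv6Addresses)
"IPv6 addresses: $($addrs -join ', ')"
"Transition technologies in use: $((Get-TransitionTech $addrs | Select-Object -Unique) -join ', ')"
"Teredo: "   + ((& netsh interface teredo show state) -join ' ')
"IP-HTTPS: " + ((& netsh interface httpstunnel show interfaces) -join ' ')
Get-DnsState
$isatap = @(Resolve-Name $IsatapName)
"$IsatapName resolves to: $(if ($isatap) { $isatap -join ', ' } else { 'NOTHING - check the Step 1 block list and GPO' })"
$v6 = @(Resolve-Name $InternalHost -IPv6Only)
"$($InternalHost) IPv6: $(if ($v6) { $v6 -join ', ' } else { 'none' })"
if ($v6) { "ping -6 $($InternalHost): " + $(if (Test-IPv6Ping $InternalHost) { 'OK' } else { 'FAILED' }) }
```

Run it once with Teredo enabled and again after the Step 11 “netsh interface teredo set state disable” command: the transition-technology line should change from Teredo to native/IP-HTTPS while name resolution and the ping keep working.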

Teredo
[Diagram: Teredo Host (private IPv4 address) -- NAT Device (private IPv4 address inside, public IPv4 address outside) -- IPv4 Internet -- Teredo server & relay]
- Teredo provides connectivity when the host is behind one or more NATs
- The NAT will probably not support tunnelling IPv6 within IPv4 (protocol 41)
- Teredo tunnels IPv6 in UDP

IP-HTTPS: Tunnel IPv6 in HTTPS
[Diagram: IPHTTPS Host -- NAT Device -- IPv4 Internet -- IPHTTPS server (with certificate) -- IPv6 Intranet / IPv6 Host; a Web server hosting the CRL is reachable from the host]
- IPHTTPS can be used if a host behind NAT cannot tunnel using Teredo (e.g., a firewall blocking port 3544)
- IPHTTPS encapsulates IPv6 in HTTPS
- Most firewalls will pass HTTPS
Challenges:
- Certificates required
- Host must have access to the CRL distribution point

DirectAccess Monitoring
- Built in to the DirectAccess feature installed on the DA server
- Provides server monitoring information on DirectAccess components

Replacing the DirectAccess Server with a UAG Server
UAG and DirectAccess better together:
- Extends access to line of business servers with IPv4 support
- Access for down-level and non-Windows clients
- Enhances scalability and management
- Simplifies deployment and administration
- Hardened edge solution
[Diagram: managed Windows 7 clients use always-on DirectAccess over IPv6; unmanaged Vista, XP, non-Windows and PDA clients use SSL VPN over IPv4; UAG in front of the DirectAccess Server extends support to IPv4 servers]
- UAG uses wizards and tools to simplify deployments and ongoing management.
- UAG enhances scale and management with integrated LB and array capabilities.
- UAG is a hardened edge appliance available in HW and virtual options.
- UAG improves adoption and extends access to existing infrastructure.
- UAG provides access for down-level and non-Windows clients.

Step 7: Installing and Configuring UAG
- Same steps as before for Step 1 – Step 6
- Add a certificate to the UAG server
- Install UAG on the server
- Run the UAG DirectAccess setup
- Same steps as before for Step 8 – Step 11

Additional Benefits of Having UAG
- Windows 7 clients can now access internal servers that do not have IPv6 enabled
- Windows XP clients can now do SSL VPN access to secured and encrypted servers

Configuring End-to-End Access
- In the UAG or DA Management Console, in the Application Servers box, click Edit and choose “Require end to end authentication and encryption…” (note: e2e authentication inside of the tunnel)
- Select the security group that has the Windows 2008 or later servers you want to enable end-to-end protection for
- Create policy “groups” of servers by employee roles

Testing End-to-End Access
- Check to make sure the remote client still has access to internal servers
- Open the Windows Firewall with Advanced Security snap-in
- Expand Monitoring / Security Associations, click Quick Mode and verify that the IPsec session still exists for the application server(s)
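The same Quick Mode check can be scripted so it can run on many clients or be repeated after policy changes. This is an added PowerShell example (not from the slide deck or the demo script) that parses netsh advfirewall monitor show qmsa, looks for a Quick Mode SA whose remote address is the application server, and warns if none exists or if the SA carries integrity only, which means “Require end to end authentication and encryption” is not actually in effect. The address 2001:db8::10 is a documentation-range placeholder; the field names it parses (Local IP Address, Remote IP Address, ESP Confidentiality, ESP Integrity) are assumed from the netsh output format, and it needs an elevated prompt.

```powershell
# Added example (not from the slide deck): script version of the snap-in check.
$AppServerV6 = '2001:db8::10'   # placeholder: IPv6 address of an e2e-protected app server

function Get-QuickModeSAs {
    # netsh prints one "Key: Value" block per SA; a new "Local IP Address"
    # line starts a new SA (assumed field names).
    $sas = @(); $cur = $null
    foreach ($line in (& netsh advfirewall monitor show qmsa)) {
        if ($line -match '^\s*Local IP Address:\s*(\S+)') {
            $cur = @{ Local = $Matches[1]; Remote = $null; Encryption = $null; Integrity = $null }
            $sas += $cur
        }
        elseif ($cur -and $line -match '^\s*Remote IP Address:\s*(\S+)')     { $cur.Remote     = $Matches[1] }
        elseif ($cur -and $line -match '^\s*ESP Confidentiality:\s*(.+?)\s*$') { $cur.Encryption = $Matches[1] }
        elseif ($cur -and $line -match '^\s*ESP Integrity:\s*(.+?)\s*$')       { $cur.Integrity  = $Matches[1] }
    }
    $sas
}

function Find-E2ESA {
    param([string]$RemoteV6)
    # Compare parsed addresses, not strings, so "2001:db8::10" and
    # "2001:0db8:0:0:0:0:0:10" are treated as the same host.
    $want = [System.Net.IPAddress]::Parse($RemoteV6)
    foreach ($sa in Get-QuickModeSAs) {
        $r = $null
        if (-not [System.Net.IPAddress]::TryParse([string]$sa.Remote, [ref]$r)) { continue }
        if ($r.Equals($want)) { return $sa }
    }
    $null
}

$sa = Find-E2ESA $AppServerV6
if (-not $sa) {
    Write-Warning "No Quick Mode SA to $AppServerV6 - either the e2e policy has not applied yet, or traffic to this server is leaving the DA tunnel without end-to-end protection"
} else {
    "Quick Mode SA to $AppServerV6 exists: ESP encryption=$($sa.Encryption) integrity=$($sa.Integrity)"
    if (-not $sa.Encryption -or $sa.Encryption -match '^None$') {
        Write-Warning 'SA provides integrity only; "Require end to end authentication and encryption" is not in effect for this server'
    }
}
```

Quick Mode SAs are created on demand and expire when idle, so generate some traffic to the application server (for example, open a share on it) immediately before running the script.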

Diagnostics
- Internet Explorer “Diagnose Problem” button: it has been enhanced to troubleshoot DirectAccess
- Networking icon (right-click), “Troubleshoot problems” option: supports providing a location; also has a DirectAccess entry point
- Control Panel, Troubleshooting: “Connect to a Workplace using DirectAccess”
- Command Prompt (elevated): NETSH TRACE START SCENARIO=DIRECTACCESS REPORT=YES CAPTURE=YES

INFRASTRUCTURE PLANNING AND DESIGN (IPD) GUIDE: DirectAccess
What are IPD Guides? Guidance & best practices for infrastructure planning of Microsoft technologies.
DirectAccess Guide Benefits:
- Presents common scenarios, decisions, and practices in an easy-to-follow, step-by-step process for designing DirectAccess infrastructure
- Provides a straightforward explanation of the infrastructure required to allow client connectivity from any network to resources on the corporate network
- Assists the reader in deploying DirectAccess for situations where the organization hasn’t started IPv6 implementation
“At the end of the day, IT operations is really about running your business as efficiently as you can so you have more dollars left for innovation. IPD guides help us achieve this.” – Peter Zerger, Consulting Practice Lead for Management Solutions, AKOS Technology Services
It’s a free download! Go to www.microsoft.com/ipd. Check out the entire IPD series for streamlined IT infrastructure planning.

Related Content
Breakout Sessions
- WSV207 – “End-to-End Remote Connectivity with DirectAccess”
Interactive Sessions
- WSV11-INT – “Designing a DirectAccess Infrastructure with Microsoft Unified Access Gateway (UAG)”
- WSV10-INT – “We Come in Peace, or IPv6 Does Not Bite”
Hands-on Labs
- WSV05-HOL – “Implementing DirectAccess (v3.0)”

Resources
- Learning: Sessions On-Demand & Community – www.microsoft.com/teched
- Microsoft Certification & Training Resources – www.microsoft.com/learning
- Resources for IT Professionals – http://microsoft.com/technet
- Resources for Developers – http://microsoft.com/msdn

Complete an evaluation on CommNet and enter to win!

Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st: http://northamerica.msteched.com/registration
You can also register at the North America 2011 kiosk located at registration. Join us in Atlanta next year!