Microsoft DirectAccess & Work Folders NICHOLAS A. HAY MONROE COUNTY ISD


1 Microsoft DirectAccess & Work Folders NICHOLAS A. HAY MONROE COUNTY ISD NICHOLAS.HAY@MONROEISD.US

2 What is DirectAccess? The VPN that doesn’t require any configuration or user interaction to use. Once an internet connection is established, the device connects through DirectAccess automatically. "DirectAccess establishes IPsec tunnels from the client to the DirectAccess server, and uses IPv6 to reach intranet resources or other DirectAccess clients. This technology encapsulates the IPv6 traffic over IPv4 to be able to reach the intranet over the Internet, which still (mostly) relies on IPv4 traffic." - Wikipedia
Uses IPv6 to route traffic through the DirectAccess connection. Don’t worry, you don’t need to be an expert at IPv6.
Requires Windows Server 2008 R2 or newer.
Client requirements: Windows 7 Enterprise or Ultimate, or Windows 8 Enterprise.
This works based on the DNS entries and servers you specify during setup.

3 What is DirectAccess? Windows Server 2008 R2 required IPv6 to be used end to end. Windows Server 2012 resolved this with NAT64, which lets DirectAccess work across an IPv4-only internal network. "A DirectAccess client can use one of several tunneling technologies, depending on the configuration of the network the client is connected to. The client can use 6to4, Teredo tunneling, or IP-HTTPS, provided the server is configured correctly to be able to use them. For example, a client that is connected to the Internet directly will use 6to4, but if it is inside a NATed network, it will use Teredo instead. In addition, Windows Server 2012 provides two backward compatibility services, DNS64 and NAT64, which allow DirectAccess clients to communicate with servers inside the corporate network even if those servers are only capable of IPv4 networking." - Wikipedia

4 Why use DirectAccess? If a device leaves the network, you can give users an on-premise experience as long as they have a reliable network connection. Users can get mapped drives. Ability to push out GPOs/policies at all times. Ability to give users applications that you don’t want to expose to the outside world.

5 DirectAccess and Firewall IP-HTTPS is the default protocol of the “simple” DirectAccess wizard in Windows Server 2012 if you choose the topology “behind an edge device”. If you are doing an edge deployment with a single server, like I did, you can create a firewall rule to allow TCP/443 to this server. That is all that is needed to get this to work in this deployment. There are two other deployment options you can select from when configuring.

6 DirectAccess Server Installation The guide below is what you can use to install DirectAccess. Many of the slides about installation and configuration have been taken from this resource: http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/ In Server Manager on 2012 R2, click on Manage and then Add Roles and Features.

7 DirectAccess Server Installation Add Remote Access Role.

8 DirectAccess Server Installation Add Remote Access Role Configuration. Click on DirectAccess and VPN (RAS) and follow through with defaults on the wizard.

9 DirectAccess Server Configuration In Server Manager under Tools, click on Remote Access Management. You can configure the warning on the quick deployment in Server Manager.

10 DirectAccess Server Configuration Click on Run the Remote Access Setup Wizard.

11 DirectAccess Server Configuration Click Deploy DirectAccess Only.

12 DirectAccess Server Configuration Go through the steps in the wizard.

13 DirectAccess Server Configuration During Step 1, select Deploy full DirectAccess. You will need an AD group to which you add the computers that will use the DirectAccess feature.

14 DirectAccess Server Configuration There are two checkboxes you can check on Step 1. If you check the first option, it restricts access to laptops based on a WMI query. The other option, force tunneling, tunnels all traffic through the DA connection, which I would not recommend.

15 DirectAccess Server Configuration You don’t need to put a lot of resources into the server that validates whether the internal network is reachable, since the client only uses it to determine whether it is connected via DirectAccess. The connection name is what is shown to users when they are or are not connected.

16 DirectAccess Server Configuration Step 2: Configure Remote Access Server. There are three options. I deployed behind an edge device (with a single network adapter). Select the appropriate option for your configuration. Follow the link in an earlier slide about setting up a certificate on this device for remote access.

17 DirectAccess Server Configuration Step 3: Infrastructure Servers. The network location server is an internal-only web server that the client connects to in order to check whether it is reachable. I did the second option and used my wildcard certificate for SSL on the IIS server.

18 DirectAccess Server Configuration Step 3: Infrastructure Servers. Use local name resolution if the name does not exist in DNS or the DNS servers are unreachable when the client computer is on a private network (recommended).

19 DirectAccess Server Configuration If you would like to exclude a device from the DirectAccess connection, add a name suffix of hostname.domain.com and leave DNS Server Address blank. You can also add other domain names here that you want to go through the DA connection by supplying a DNS IP address. DirectAccess works using DNS servers. If you don’t have a DNS entry for a device, you won’t be able to connect to it using DA, e.g. network switches.

20 DirectAccess Server Configuration Step 3: Infrastructure Servers. Ensure all of your local domain’s suffixes are listed.

21 DirectAccess Server Configuration Step 4: See the link from the earlier slide. When done, click Finish and apply the remote access configuration.

22 DirectAccess Server Configuration Next, on a computer in your domain running Windows 7 or 8 Enterprise, add the computer object to your DirectAccess group, run gpupdate and reboot. You should see whether you are connected under network connections.

23 DA Client Network Some tunnel adapters are created when you have a DirectAccess connection. With the options we configured earlier in this presentation, only the traffic we specify is routed through DA; all other traffic goes out the regular internet connection.
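Added example, not from the presentation: the slide 19 name-suffix configuration done with the RemoteAccess PowerShell module on the server, followed by checks on a Windows 8 DA client that show which names go through the DA tunnel, which are exempt, and the tunnel adapters from slide 23. The suffix, host name and DNS address are placeholders, and the behaviour that omitting -DnsIPAddress creates an exemption entry is an assumption.

```powershell
# Added example, not from the presentation. Names and addresses are placeholders.
# ---- Part 1: run on the DirectAccess server (Windows Server 2012 R2) ----
Import-Module RemoteAccess

# Slide 19: names under the intranet suffix resolve through the internal DNS
# server and are therefore routed into the DA tunnel ...
Add-DAClientDnsConfiguration -DnsSuffix ".corp.example.com" -DnsIPAddress "10.0.0.10"
# ... while one host is excluded by listing its name with no DNS address
# (assumed: omitting -DnsIPAddress creates an NRPT exemption entry).
Add-DAClientDnsConfiguration -DnsSuffix "switch-mgmt.corp.example.com"

# Show the NRPT entries that Group Policy will push to DA clients
Get-DAClientDnsConfiguration | Format-Table DnsSuffix, DnsIPAddress -AutoSize

# ---- Part 2: run on a DA client (Windows 8 Enterprise; these modules are not on Windows 7) ----
Import-Module DirectAccessClientComponents
Import-Module DnsClient
Import-Module NetworkTransition

# Connection state: Status (e.g. ConnectedRemotely or ConnectedLocally) plus Substatus
Get-DAConnectionStatus

# Which namespaces the client sends through DA and which it resolves locally (slide 19)
Get-DnsClientNrptPolicy | ForEach-Object {
    $route = if ($_.DirectAccessDnsServers) {
        "via DA DNS " + ($_.DirectAccessDnsServers -join ", ")
    } else {
        "exempt: local resolution, no DA tunnel"
    }
    "{0,-40} {1}" -f $_.Namespace, $route
}

# Tunnel adapters (slide 23) and the IP-HTTPS state used behind an edge device (slide 5)
Get-NetIPInterface -AddressFamily IPv6 | Where-Object { $_.InterfaceAlias -like "iphttpsinterface*" }
Get-NetIPHttpsState
```

An entry that prints as "exempt" is resolved by the client's normal DNS and never enters the DA tunnel, which is the effect slide 19 describes for a device you want to keep off DirectAccess.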

24 Direct Access Questions?

25 What are Work Folders? Think of Work Folders like OneDrive, Google Drive, or Dropbox, except that the data resides on your local file servers. Data can be encrypted, and IT can enforce the encryption. If you copy files from your Work Folder to another location, the file is still encrypted and policies are still enforced. See this link on how to decrypt files: http://windows.microsoft.com/en-us/windows-8/work-folders-faq Staff and students can connect to corporate files from their home computers running Windows 7 or 8. Windows 7 requires an installation to enable this feature. iPad and other device support is coming in the future. You can enforce policies, such as a lock screen on devices before the user is able to use Work Folders. This can integrate with an existing Folder Redirection file server structure, so you can run both Folder Redirection and Work Folders side by side.

26 Work Folders Compared to Other Products

27 Configuring Work Folders Installation Guide: http://blogs.technet.com/b/canitpro/archive/2013/11/13/step-by-step-creating-a-work-folders-test-lab-deployment-in-windows-server-2012-r2.aspx
Requirements:
AD server on the network
File server running Windows Server 2012 R2
IIS server on the file server with an SSL certificate
Firewall TCP/443 opened, with a DNS entry on the firewall, if you open this up to the outside world

28 Configuring Work Folders In Server Manager, click on Add Roles and Features. Under Roles > File and Storage Services, check Work Folders, or to do this via PowerShell, run: Add-WindowsFeature FS-SyncShareService

29 Configuring Work Folders In Server Manager under File and Storage Services, click on New Sync Share Wizard. There are two path options. The first option is for an existing file share that you may already be using with Folder Redirection. Select the local path option if this is a new one. See the earlier link about the permissions needed for the root folder.

30 Configuring Work Folders Now you will need to configure the folder structure. User alias will work with existing folder redirection or home folders. Sync only the following subfolder: by default, all the folders and files under the user folder are synced to the devices. This checkbox allows the admin to specify a single subfolder to be synced to the devices. For example, the user folder might contain the following folders as part of a Folder Redirection deployment:

31 Configuring Work Folders Towards the end is where you can tell it to encrypt Work Folders, require a lock screen and require a password. The password policy enforces the following configuration on user PCs and devices:
Minimum password length of 6
Auto-lock screen set to 15 minutes or less
Maximum password retries of 10 or less
If the device doesn’t meet the policy, the user will not be able to configure Work Folders.

32 Configuring Work Folders By default, the server checks for data changes every 5 minutes. You can decrease this interval by running the command below (1 minute in this example). This increases server load. Set-SyncServerSetting -MinimumChangeDetectionMins 1 Also, be sure to set up DNS entries and firewall rules for TCP/443 to make this work if you are opening this outside your network.
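Added example, not from the presentation: the server-side steps of slides 28 to 32 as one PowerShell script, creating the sync share with the encryption and password/auto-lock policies enforced, setting the change-detection interval, and opening TCP/443 on the file server. The share name, path and security group are placeholders.

```powershell
# Added example, not from the presentation. Run on the Windows Server 2012 R2 file server
# that hosts the Work Folders role. Share name, path and group are placeholders.
Import-Module SyncShare

# Slides 29-31: sync share over an existing folder-redirection root, one subfolder per
# user (%username% is the "User alias" naming option), limited to a staff group, with
# device encryption and the password/auto-lock policy required (min length 6, auto-lock
# at 15 minutes or less, at most 10 retries, as listed on slide 31).
New-SyncShare -Name "StaffWorkFolders" `
              -Path "D:\Shares\Staff" `
              -User "CORP\WorkFoldersUsers" `
              -UserFolderName "%username%" `
              -InheritParentFolderPermission `
              -RequireEncryption $true `
              -RequirePasswordAutoLock $true

# The weak configuration the wizard also allows is both policies left off; a share created
# that way can be tightened later without recreating it:
# Set-SyncShare -Name "StaffWorkFolders" -RequireEncryption $true -RequirePasswordAutoLock $true

# Slide 32: shorten change detection from the 5-minute default (raises server load)
Set-SyncServerSetting -MinimumChangeDetectionMins 1

# Slide 27: Work Folders is HTTPS-only, so allow TCP/443 on the file server. If, as on
# slide 38, clients reach the server only through DirectAccess, do not publish this port
# on the Internet-facing firewall as well.
New-NetFirewallRule -DisplayName "Work Folders HTTPS" -Direction Inbound `
                    -Protocol TCP -LocalPort 443 -Action Allow

# Verify the share policies and the server-wide interval
Get-SyncShare | Format-List Name, Path, User, UserFolderName, RequireEncryption, RequirePasswordAutoLock
Get-SyncServerSetting
```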

33 Work Folders Client Configuration In Control Panel > System and Security > Work Folders click on Set up Work Folders.

34 Work Folders Client Configuration The user types in their email address and AD credentials. If the client computer is domain joined, it will not prompt them to log in.

35 Work Folders Client Configuration Before it is set up, the user will have to consent to any security policies you configured during the server setup.

36 Work Folders Client Configuration When done, users will see a Work Folders icon in their File Manager window. When encryption is on, the file or folder name is colored green.

37 Work Folder Status If you go to Work Folders in Control Panel, you can view any errors and the sync status.

38 What we did with DirectAccess and Work Folders We implemented these two features and are currently in the testing phase. We have users that are not on campus and are in the local districts the majority of the time. Enabling these two items will allow us to back up their files to the server to handle any hardware failure on the computers, and it will allow us to protect the data by encrypting work-related files. We did not open up Work Folders on the firewall; the devices will connect to it over the DirectAccess connection we configured on the devices.

39 What we did with DirectAccess and Work Folders We set up folder redirection for the staff Desktop, My Documents, Downloads, and IE Favorites folders to point to their user profile\Work Folders\{Desktop,Docs,Downloads,IEFavs}

41 What we did with DirectAccess and Work Folders Even if you don’t implement DirectAccess and you don’t want to open TCP/443 to the file server on the firewall, this may still be useful: when users come back to campus, their files sync to the servers. Files are copied to the local device and can be accessed even without connecting to the server.

42 Work Folder Questions?
