DirectAccess has become much easier to implement on Windows Server 2012. Below is a step-by-step guide on how to do it.
First, a bit more about the scenario; the diagram below illustrates the setup.
The two DirectAccess servers sit in a two-leg DMZ, meaning each has two NICs on two different subnets, and those subnets must not be routable to each other.
Additionally, both interfaces are load balanced: the external VIP is NATed to one public IP address, while the internal VIP is routable to the internal subnets.
A name of your choice is published in external DNS and points to the NATed external VIP of the DA servers (you will also use this name in the configuration below).
To be able to deploy the Remote Access feature, the following server roles and features must be installed (shown as display name and feature name):
Display Name | Name |
File And Storage Services | FileAndStorage-Services |
Storage Services | Storage-Services |
Remote Access | RemoteAccess |
DirectAccess and VPN (RAS) | DirectAccess-VPN |
Web Server (IIS) | Web-Server |
Web Server | Web-WebServer |
Common HTTP Features | Web-Common-Http |
Default Document | Web-Default-Doc |
Directory Browsing | Web-Dir-Browsing |
HTTP Errors | Web-Http-Errors |
Static Content | Web-Static-Content |
Health and Diagnostics | Web-Health |
HTTP Logging | Web-Http-Logging |
Performance | Web-Performance |
Static Content Compression | Web-Stat-Compression |
Security | Web-Security |
Request Filtering | Web-Filtering |
IP and Domain Restrictions | Web-IP-Security |
Management Tools | Web-Mgmt-Tools |
IIS Management Console | Web-Mgmt-Console |
IIS Management Scripts and Tools | Web-Scripting-Tools |
.NET Framework 4.5 Features | NET-Framework-45-Fea |
.NET Framework 4.5 | NET-Framework-45-Core |
WCF Services | NET-WCF-Services45 |
TCP Port Sharing | NET-WCF-TCP-PortShar |
Group Policy Management | GPMC |
Network Load Balancing | NLB |
RAS Connection Manager Administration Kit (CMAK) | CMAK |
Remote Server Administration Tools | RSAT |
Feature Administration Tools | RSAT-Feature-Tools |
Network Load Balancing Tools | RSAT-NLB |
Role Administration Tools | RSAT-Role-Tools |
Remote Access Management Tools | RSAT-RemoteAccess |
Remote Access GUI and Command-Line T | RSAT-RemoteAccess-Mgmt |
Remote Access module for Windows Pow | RSAT-RemoteAccess-Po |
User Interfaces and Infrastructure | User-Interfaces-Infra |
Graphical Management Tools and Infrastructure | Server-Gui-Mgmt-Infra |
Server Graphical Shell | Server-Gui-Shell |
Windows Internal Database | Windows-Internal-Dat |
Windows PowerShell | PowerShellRoot |
Windows PowerShell 3.0 | PowerShell |
Windows PowerShell ISE | PowerShell-ISE |
WoW64 Support | WoW64-Support |
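The following script is an added example, not part of the original post: it installs the roles and features from the list above on a DA node and then reports anything that is still not in the Installed state. The four feature names that the console output above truncates are written out in full here (NET-Framework-45-Features, NET-WCF-TCP-PortSharing45, RSAT-RemoteAccess-PowerShell, Windows-Internal-Database); the function names are my own.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on each DirectAccess server before starting the Remote Access wizard.
Import-Module ServerManager

# Feature names from the prerequisite list; the four names the console
# output truncated are spelled out in full.
$RequiredFeatures = @(
    'FileAndStorage-Services', 'Storage-Services',
    'RemoteAccess', 'DirectAccess-VPN',
    'Web-Server', 'Web-WebServer', 'Web-Common-Http', 'Web-Default-Doc',
    'Web-Dir-Browsing', 'Web-Http-Errors', 'Web-Static-Content', 'Web-Health',
    'Web-Http-Logging', 'Web-Performance', 'Web-Stat-Compression',
    'Web-Security', 'Web-Filtering', 'Web-IP-Security',
    'Web-Mgmt-Tools', 'Web-Mgmt-Console', 'Web-Scripting-Tools',
    'NET-Framework-45-Features', 'NET-Framework-45-Core',
    'NET-WCF-Services45', 'NET-WCF-TCP-PortSharing45',
    'GPMC', 'NLB', 'CMAK',
    'RSAT', 'RSAT-Feature-Tools', 'RSAT-NLB', 'RSAT-Role-Tools',
    'RSAT-RemoteAccess', 'RSAT-RemoteAccess-Mgmt', 'RSAT-RemoteAccess-PowerShell',
    'User-Interfaces-Infra', 'Server-Gui-Mgmt-Infra', 'Server-Gui-Shell',
    'Windows-Internal-Database',
    'PowerShellRoot', 'PowerShell', 'PowerShell-ISE', 'WoW64-Support'
)

function Install-DAPrerequisites {
    # Install-WindowsFeature resolves dependencies itself; -IncludeManagementTools
    # pulls in the matching RSAT components as well.
    param([string[]]$Features = $RequiredFeatures)
    $result = Install-WindowsFeature -Name $Features -IncludeManagementTools
    if ($result.RestartNeeded -eq 'Yes') {
        Write-Warning 'A restart is required before the Remote Access wizard will run cleanly.'
    }
    return $result
}

function Get-MissingDAPrerequisites {
    # Returns the names from the list that are not in the Installed state.
    param([string[]]$Features = $RequiredFeatures)
    Get-WindowsFeature -Name $Features |
        Where-Object { -not $_.Installed } |
        Select-Object -ExpandProperty Name
}

Install-DAPrerequisites | Out-Null
$missing = Get-MissingDAPrerequisites
if ($missing) {
    Write-Warning ('Still missing: ' + ($missing -join ', '))
} else {
    'All DirectAccess prerequisites are installed.'
}
```

Running the check function on its own (without the install) is a quick way to confirm the second node matches the first before it is added to the load-balanced cluster.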
The following certificates need to be imported into the local computer certificate store of each machine:
Issuer | Name | Purpose | Location |
Public | *.yourdomain.com | IP-HTTPS Authentication | Both Servers |
Private | DAServer1 | IP-SEC | DA01 |
Private | DAServer2 | IP-SEC | DA02 |
Additionally, every DA client needs a client certificate issued by your internal CA based on the Machine template. For Windows 7 specifically, the certificate revocation lists must be published externally and be available in the list of CDPs on the certificate.
Windows 8 does not require this.
You should also create a DNS record for the Network Location Server, pointing to the internal VIP of the DA servers:
DirectAccess-NLS.yourdomain.local > 192.168.1.200
This record must not be resolvable externally, because the DirectAccess client uses it to determine its location and therefore whether to activate DirectAccess. If the client can resolve the record, it knows it is internal and does not activate DirectAccess. If it cannot resolve the record, it knows it is external and activates DirectAccess.
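The following script is an added example, not part of the original post: it checks that the certificates from the table above are present and usable on a DA server, and it extracts the HTTP CRL distribution points from a certificate so the Windows 7 requirement (CRL reachable from outside) can be tested. The subject patterns, the function names and the external CDP test are my assumptions about the deployment; the OIDs are the standard Server Authentication EKU and CDP extension.

```powershell
# Added example (not from the original post). Run on DA01; change the IPsec
# subject to DAServer2 on DA02. The CRL test is only meaningful from outside
# the corporate network, e.g. on a Windows 7 DA client connected externally.

function Get-IpHttpsCertificate {
    # The public wildcard certificate used for IP-HTTPS: subject matches, private
    # key present, not expired, and carries the Server Authentication EKU.
    param([string]$SubjectPattern = '^CN=\*\.yourdomain\.com')
    $serverAuthEku = '1.3.6.1.5.5.7.3.1'
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.Subject -match $SubjectPattern -and
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthEku })
    }
}

function Get-IpsecMachineCertificate {
    # The per-server certificate from the internal CA (DAServer1 on DA01, DAServer2 on DA02).
    param([string]$SubjectName)
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.Subject -match "^CN=$([regex]::Escape($SubjectName))" -and $_.HasPrivateKey
    }
}

function Get-CrlDistributionPoint {
    # Pull the HTTP CDP URLs out of the CRL Distribution Points extension (OID 2.5.29.31).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'URL=(http\S+)') |
        ForEach-Object { $_.Groups[1].Value }
}

function Test-CrlReachable {
    # True when the CRL can be downloaded over plain HTTP from where this runs.
    param([string]$Url)
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
        return ($resp.StatusCode -eq 200)
    } catch {
        return $false
    }
}

$ipHttps = Get-IpHttpsCertificate
if (-not $ipHttps) { Write-Warning 'No usable wildcard certificate for IP-HTTPS in LocalMachine\My' }

$ipsec = Get-IpsecMachineCertificate -SubjectName 'DAServer1'
if (-not $ipsec) { Write-Warning 'No IPsec machine certificate found in LocalMachine\My' }

# Report each HTTP CDP on the internal-CA certificate and whether it is reachable.
foreach ($cert in $ipsec) {
    foreach ($url in Get-CrlDistributionPoint -Certificate $cert) {
        $state = if (Test-CrlReachable -Url $url) { 'reachable' } else { 'NOT reachable' }
        '{0}: {1}' -f $url, $state
    }
}
```

The same `Get-CrlDistributionPoint` and `Test-CrlReachable` pair can be pointed at a client's machine certificate on a Windows 7 laptop outside the office; if every HTTP CDP reports NOT reachable, that client will fail the IPsec certificate check until the CRL is published externally.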
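The following script is an added example, not part of the original post: it creates the NLS record on the internal DNS server with the values given above, then reproduces the inside/outside decision the text describes so you can confirm the record behaves as intended from both sides. The function names and the external resolver address are my assumptions; a DA client probes the NLS over HTTPS, which is why the check does the same.

```powershell
# Added example (not from the original post). New-NlsRecord runs on the internal
# DNS server (DnsServer module); the two Test-* functions run on a client.
Import-Module DnsServer

function New-NlsRecord {
    # Creates DirectAccess-NLS.yourdomain.local -> 192.168.1.200 (the internal VIP).
    param(
        [string]$ZoneName    = 'yourdomain.local',
        [string]$Name        = 'DirectAccess-NLS',
        [string]$InternalVip = '192.168.1.200'
    )
    Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $Name -IPv4Address $InternalVip -PassThru
}

function Test-NlsLocation {
    # Mirrors the client's decision: name resolves AND HTTPS probe succeeds => inside
    # (DirectAccess stays off); otherwise => outside (DirectAccess activates).
    param([string]$NlsFqdn = 'DirectAccess-NLS.yourdomain.local')
    try {
        $null = Resolve-DnsName -Name $NlsFqdn -Type A -ErrorAction Stop
    } catch {
        return 'External: NLS name does not resolve, DirectAccess will activate'
    }
    try {
        $null = Invoke-WebRequest -Uri "https://$NlsFqdn/" -UseBasicParsing -TimeoutSec 5
        return 'Internal: NLS reachable over HTTPS, DirectAccess stays off'
    } catch {
        # Name resolves but the probe failed (certificate not trusted, port blocked,
        # NLS down): the client treats itself as external, which is the classic cause
        # of DirectAccess activating on the LAN.
        return "Name resolves but HTTPS probe failed ($($_.Exception.Message)); client will treat itself as external"
    }
}

function Test-NlsNotPublic {
    # True when an external resolver (placeholder address) cannot resolve the NLS name.
    param(
        [string]$NlsFqdn          = 'DirectAccess-NLS.yourdomain.local',
        [string]$ExternalResolver = '<public-resolver-ip>'   # placeholder, not from the post
    )
    try {
        Resolve-DnsName -Name $NlsFqdn -Server $ExternalResolver -DnsOnly -ErrorAction Stop | Out-Null
        return $false
    } catch {
        return $true
    }
}

# Usage: on the DNS server
# New-NlsRecord
# Usage: on a domain-joined client, inside and then outside the network
# Test-NlsLocation
# Test-NlsNotPublic
```

Running `Test-NlsLocation` on a client that is plugged into the LAN but reports the probe failure branch usually means the NLS certificate is not trusted by the client or HTTPS to the internal VIP is being blocked, both of which make DirectAccess activate where it should not.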
The following steps were performed to configure the feature.
Once the prerequisites are deployed, open the Remote Access Management console.
Click Run the Getting Started Wizard.
Choose Deploy DirectAccess only.
In this scenario the DirectAccess servers are deployed with two NICs, one connected to the internal network and one connected to the external DMZ, so choose the option Behind an edge device (with two network adapters).
The external name of the DirectAccess service is da.yourdomain.com. Click Next.
Click the Here link, and you are presented with the screen below.
Under Remote Clients, click Change.
You are presented with the configuration specifics of the remote access clients, as below.
Remove the default security group and add the one created specifically for the DA clients.
Click Next to configure the Network Connectivity Assistant.
The resources you can configure are as below:
Resource | Type |
Domain Controller | PING |
Any internal website you might have | HTTP |
The DirectAccess connection name is DirectAccess.
Click Finish to end the Remote Clients configuration.
Then click Change under Remote Access Server.
The following screen is shown, containing the configuration from the initial wizard.
Click Next, as no modifications are required.
Configure the network adapters as below.
Choose the DMZ adapter as the adapter connected to the external network and the LAN adapter as the one connected to the internal network.
Select the wildcard certificate imported into the local certificate store for use with IP-HTTPS authentication.
Click Finish.
Next, click the Infrastructure Servers Change button.
Accept the default values and click Next.
Then click Finish.
On the main screen click OK, then apply the settings.
After the deployment of the first node, and before configuring the second node, click Enable Load Balancing.
The following prompt asks for the load balancing method; choose Network Load Balancing.
Fill in the IPv4 address of the external interface.
Then fill in the IPv4 address of the internal interface.
The information above was filled in with the attributes below:
Interface | IP |
External DIP | The public VIP to be NATed |
Internal DIP | The private VIP, routable internally |
Click Finish to see the screen below.
Proceed to adding the second node: click Add Server and select the second node.
Click Commit to verify the result below.
Once the second node is added you should see the screen below.
The only action required to enable DirectAccess on a client is to put its computer account in the All Users Direct Access security group.
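The following script is an added example, not part of the original post: it is the Remote Access PowerShell module's equivalent of the wizard steps above (Getting Started Wizard, client security group, NCA resources, enabling NLB and adding the second node), run on DA01. The interface names DMZ and LAN, the external name and the NLS/VIP addresses are the post's values; the security group name, the NCA client GPO name, the dedicated IP addresses and the second node's FQDN are my assumptions and placeholders. `Set-DAClientExperienceConfiguration` with `-PolicyStore` targeting the client GPO is my assumption for the NCA step, and the DIP string format for the load balancer cmdlets is the "address/mask" form I know from the module's documentation.

```powershell
# Added example (not from the original post). Run in an elevated session on DA01
# after the prerequisites and certificates are in place.
Import-Module RemoteAccess

# 1. Getting Started Wizard equivalent: DirectAccess only, two NICs behind an
#    edge device, external name da.yourdomain.com. DMZ/LAN are the adapter names.
Install-RemoteAccess -DAInstallType FullInstall `
    -ConnectToAddress  'da.yourdomain.com' `
    -InternetInterface 'DMZ' `
    -InternalInterface 'LAN' `
    -Force -PassThru

# 2. Remote Clients: swap the wizard's default group for the dedicated DA client
#    group (assumed names; replace with your domain and group).
Remove-DAClient -SecurityGroupNameList @('yourdomain\Domain Computers') -Force
Add-DAClient    -SecurityGroupNameList @('yourdomain\All Users Direct Access') -PassThru

# 3. Network Connectivity Assistant resources (PING to a DC, HTTP to an internal
#    site) and the connection name. Assumption: written to the DA client GPO via
#    the DirectAccessClientComponents module's -PolicyStore parameter.
Set-DAClientExperienceConfiguration `
    -PolicyStore 'yourdomain.local\DirectAccess Client Settings' `
    -FriendlyName 'DirectAccess' `
    -CorporateResources @('PING:dc01.yourdomain.local', 'HTTP:http://intranet.yourdomain.local/')

# 4. Enable Load Balancing > Network Load Balancing. The addresses already on the
#    two NICs become the VIPs; the addresses supplied here become DA01's DIPs
#    (assumed values, internal VIP 192.168.1.200 is the post's).
Set-RemoteAccessLoadBalancer `
    -InternetDedicatedIPAddress @('<da01-external-dip>/255.255.255.0') `
    -InternalDedicatedIPAddress @('192.168.1.201/255.255.255.0') -PassThru

# 5. Add Server: join the second node with its own DIPs.
Add-RemoteAccessLoadBalancerNode -RemoteAccessServer 'DA02.yourdomain.local' `
    -InternetDedicatedIPAddress @('<da02-external-dip>/255.255.255.0') `
    -InternalDedicatedIPAddress @('192.168.1.202/255.255.255.0') -PassThru

# 6. Verify: cluster members and VIPs, overall DA configuration, component health.
Get-RemoteAccessLoadBalancer
Get-RemoteAccess
Get-DAClient
Get-RemoteAccessHealth
```

The verification cmdlets at the end are the ones worth keeping in a runbook: `Get-RemoteAccessLoadBalancer` shows both nodes and the two VIPs after the commit, `Get-DAClient` confirms the default group was really replaced, and `Get-RemoteAccessHealth` surfaces the NLS, IP-HTTPS and IPsec certificate problems that otherwise only show up as clients failing to connect.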