You probably know that DirectAccess is now much easier to install with Windows Server 2012 and Windows 8.
The Web already contains a lot of excellent guides and labs about DirectAccess. In particular, I recommend reading:
In this series, I propose to work through a real case: how to implement DirectAccess at home behind a common Internet access. I've got only one public IPv4 address, a poor router (ISP box), one internal LAN... but a Windows Server 2012 infrastructure!!
As proposed by a friend of mine, Yves D., this article could be called "DirectAccess made in Apollo XIII: let's try to reach home with what's to hand." :o)
PART 1: IMPLEMENTING A BASIC DIRECTACCESS CONFIGURATION WITH IP-HTTPS ON WINDOWS SERVER 2012 CORE
1. Just a few reminders
In this first part, the goal is only to be able to reach my datacenter (OK... my VMs) from my laptop connected to the Internet through my mobile phone. At home, I've got a common Internet access with only one public IPv4 address, one LAN, and my remote access server has only one Ethernet card.
DirectAccess provides 3 IPv6 transition protocols for clients on the IPv4 Internet:
- 6to4
- Teredo
- IP-HTTPS
Unfortunately, 6to4 doesn't work behind NAT, and Teredo requires 2 consecutive public IPv4 addresses on the server.
We will use IP-HTTPS to build our DirectAccess tunnel.
2. Preparing Windows Server 2012 Core
Only one question: why a Core edition?
Experts say: "installing a Core server dramatically reduces the attack surface and can reduce the updates to install by up to 70%." I think it's an important point.
Moreover, everything on Windows Server can be done with PowerShell or remotely. That's certainly the right time to test!
Install Windows Server 2012 Core edition normally, choose a password and log on.
Launch a PowerShell console with the command line start powershell
Assign an IP address. At home, I use IP addresses like 192.168.XXX.XXX
New-NetIPAddress -IPAddress <ServerIpAddress> -InterfaceAlias <InterfaceName> -PrefixLength 24 -DefaultGateway <GatewayIpAddress>
Set the DNS server
Set-DnsClientServerAddress -InterfaceAlias <InterfaceName> -ServerAddresses <DnsServer1>,<DnsServer2>,...
Rename the server with the cmdlet Rename-Computer <ComputerName>
Restart the server with Restart-Computer
Join the server to Active Directory with the cmdlet Add-Computer <DomainName>
and restart the server with Restart-Computer
Just one question: have you ever configured a server so quickly?
PowerShell is great!!!
Now we install the Remote Access role. You can add the role from another server with Server Manager.
You can also just type the command
Install-WindowsFeature RemoteAccess -IncludeManagementTools
I'm sure now you love PowerShell ;o)
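The section-2 steps as one script, added here and not part of the original post: it stops at the first error, checks each step (single NIC, DNS can locate a domain controller, role really installed), and does the rename and the domain join in a single Add-Computer call so only one reboot is needed. Every value in $p (interface alias, addresses, server and domain names) is a placeholder to adapt.

```powershell
# Added example, not from the original post: the section-2 steps as one script
# that stops at the first error and verifies each step. Rename + join happen in
# one Add-Computer call, so one reboot instead of two. All $p values are placeholders.
$ErrorActionPreference = 'Stop'

$p = @{
    InterfaceAlias = 'Ethernet'          # list yours with Get-NetAdapter
    ServerIp       = '192.168.100.10'    # placeholder, like the post's 192.168.XXX.XXX
    PrefixLength   = 24
    Gateway        = '192.168.100.1'     # placeholder: the ISP box
    DnsServers     = @('192.168.100.5')  # placeholder: a domain controller
    ComputerName   = 'DA01'              # placeholder
    DomainName     = 'lab.example'       # placeholder
}

# The post's scenario is a single-NIC server: refuse to continue otherwise.
$nics = @(Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' })
if ($nics.Count -ne 1) { throw "Expected exactly one active NIC, found $($nics.Count)" }

# Static address and default gateway on that NIC.
New-NetIPAddress -InterfaceAlias $p.InterfaceAlias -IPAddress $p.ServerIp `
    -PrefixLength $p.PrefixLength -DefaultGateway $p.Gateway | Out-Null

# DNS must point at the domain controllers: resolving the DC locator SRV record
# is the quickest check that the join will find one (throws under 'Stop').
Set-DnsClientServerAddress -InterfaceAlias $p.InterfaceAlias -ServerAddresses $p.DnsServers
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($p.DomainName)" -Type SRV | Out-Null

# Rename and join in one call, with a credential allowed to join computers.
Add-Computer -DomainName $p.DomainName -NewName $p.ComputerName -Credential (Get-Credential) -Force

# The Remote Access role does not need the domain, so install it before the reboot.
Install-WindowsFeature -Name RemoteAccess -IncludeManagementTools | Out-Null
if (-not (Get-WindowsFeature -Name RemoteAccess).Installed) { throw 'RemoteAccess role not installed' }

# One reboot completes both the rename and the domain join.
Restart-Computer -Force
```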
3. Prepare your network
Add to your public DNS a record pointing to your public IP address.
For example, on my DNS I created the A record da.nomizo.fr pointing to my public IP address.
On your router, forward 443/TCP from your public IP address to your server (same port).
Note: TechNet says:
If you are deploying Remote Access with a single network adapter, and installing the network location server on the Remote Access server, TCP port 62000 should also be exempted.
Note: This exemption is on the Remote Access server, while all other exemptions are on the edge firewall.
OK, that's not really clear! It means that if you have a firewall between your Remote Access server and your internal network (for example if the server is in a DMZ), you have to allow your clients (on the internal network) to reach your DirectAccess server on port 62000/TCP, the port where the network location server answers on a single-adapter deployment.
Look at the DirectAccess Server GPO: the inbound rule for port 62000 is a domain-profile rule, not a public one!
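A check for the two ports of this section, added here and not part of the original post: on the server it looks up the enabled inbound firewall rules by port (whatever their display name) and verifies the profile, so the 443 listener must apply to the public profile while the 62000 exemption only needs the domain profile; from a client on the Internet it verifies that the public name resolves and that the forwarded port answers. The public name da.nomizo.fr is the one from the post; the function name is mine.

```powershell
# Added example, not from the original post. Run the first part in an elevated
# PowerShell on the DirectAccess server (NetSecurity/NetTCPIP modules, Windows
# Server 2012), the last part from a client on the Internet (Windows 8).

function Test-DAInboundRule {
    param([int]$Port, [string]$ExpectedProfile)
    # Walk the port filters so the rule is found whatever its display name is.
    $rules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq "$Port" } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
    if (-not $rules) {
        Write-Warning "No enabled inbound rule for TCP/$Port"
        return $false
    }
    foreach ($r in $rules) {
        # Profile is a flags value (Domain, Private, Public); Any covers all three.
        $profiles = "$($r.Profile)"
        if ($profiles -eq 'Any' -or $profiles -match $ExpectedProfile) {
            Write-Host "OK  TCP/$Port : '$($r.DisplayName)' profile=$profiles"
            return $true
        }
        Write-Warning "TCP/$Port rule '$($r.DisplayName)' applies to $profiles, expected $ExpectedProfile"
    }
    return $false
}

# Server side: the IP-HTTPS listener faces the Internet, the NLS exemption
# (TCP/62000) is only meant for domain-joined clients on the internal network.
Test-DAInboundRule -Port 443   -ExpectedProfile 'Public'
Test-DAInboundRule -Port 62000 -ExpectedProfile 'Domain'

# Is something actually listening on 443 (IP-HTTPS) and 62000 (NLS)?
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in 443, 62000 } |
    Select-Object LocalAddress, LocalPort, OwningProcess

# Client side, from the Internet: public name resolves and the router forwards 443.
$publicName = 'da.nomizo.fr'
Resolve-DnsName -Name $publicName -Type A | Select-Object Name, IPAddress
Test-NetConnection -ComputerName $publicName -Port 443 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

TcpTestSucceeded is False when the router does not forward the port or when the Windows firewall on the server blocks it on the public profile, so run the server part first to tell the two apart.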
4. Configure the Remote Access role for Direct Access
The goal now is to install DirectAccess as simply as possible. In the next parts, we will improve the configuration.
Connect to a Windows Server 2012 or a Windows 8 computer and open Server Manager. On Windows 8, you need to install the Remote Server Administration Tools (RSAT).
Right-click on All Servers and select Add Servers.
Add your Remote Access server.
Select the Remote Access node.
Right-click on the server and select Remote Access Management.
Note: on Windows Server 2012, if you don't see Remote Access Management, you need to install the corresponding administration tools: simply add the Remote Access Management Tools feature on the server you are connected to.
Now that the Remote Access console is open, click on Run the Getting Started Wizard.
Select Deploy DirectAccess only.
Select Behind an edge device (with a single network adapter).
Provide the public DNS name of your Remote Access server (the name you registered in your public DNS earlier). You can also provide your public IP address.
You can click directly on Finish. However, I recommend modifying certain settings.
Click on here, to edit the wizard settings.
Settings will be published to servers and clients with two GPOs.
I recommend limiting the scope of the clients GPO with a dedicated security group.
In the Remote Clients section, click on Change.
Create and provide a security group that will contain the DirectAccess clients.
Unselect Enable DirectAccess for mobile computers only.
Click on Next.
You can provide custom information for the helpdesk email address and the DirectAccess connection name.
Click on Finish.
Click on Finish again.
GPOs and settings are applied.
Click on Close.
5. Configuration Overview
DirectAccess is now configured on the server and client sides.
Here is what I get in the different configuration panels:
Remote Clients:
Remote Access Server:
Infrastructure Servers:
Note: if you have WSUS or SCCM servers, they are automatically added to the previous panel. In a lab, you can remove them if they are not always turned on and if you want to avoid alerts in the DirectAccess dashboard.
6. Tests with client
Add your test computer account to the DirectAccess client security group.
Connect your test computer to your internal network and force a policy refresh (gpupdate /force).
In the network panel, you should see a new connection with a specific icon. DirectAccess is not active because you're already connected to your internal network.
Connect your test computer to an external network. The DirectAccess client detects that you are not on the internal network and tries to contact the DirectAccess server.
For your information, here is the network configuration of my test computer.
After a short while (it can take up to 2 minutes; we will improve that in the 2nd part), my DirectAccess connection is established.
I can access the shares of my domain controller.
If I try to ping my domain controller, I see that it answers with an IPv6 address, even though I never configured IPv6 on that server. In the 3rd part of this series, dedicated to troubleshooting, I will give you more information about that IPv6 address.
You don't have to configure or support IPv6 in your internal lab.
I can even reach my NAS, which supports only IPv4.
In the Remote Access Management Console, under Remote Client Status, you get all the information about the currently connected clients.
In this case, my client is connected with the IP-HTTPS protocol. Users and computers are authenticated with Kerberos.
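The same checks as the network panel and the Remote Client Status view, done with the built-in cmdlets from both ends of the tunnel; this is an added example, not code from the original post. The public name da.nomizo.fr is the post's; the DirectAccess server name DA01 and the domain controller FQDN are placeholders, and the property names selected on the server side are assumed to be the columns of the Remote Client Status panel.

```powershell
# Added example, not from the original post: inspect the IP-HTTPS tunnel from
# the Windows 8 client and from the Windows Server 2012 DirectAccess server.
# DA01 and dc01.lab.example are placeholders; da.nomizo.fr comes from the post.

# ---- On the Windows 8 test client ----
# ConnectedRemotely = tunnel up; ConnectedLocally = the network location server
# answered, so DirectAccess is deliberately off (first test of section 6).
Get-DAConnectionStatus | Select-Object Status, Substatus

# IP-HTTPS interface pushed by the client GPO: the URL must carry the public
# name on port 443, and the last error code should be 0 when the tunnel is up.
Get-NetIPHttpsConfiguration | Select-Object ServerURL, State
Get-NetIPHttpsState | Select-Object InterfaceStatus, LastErrorCode

# Name resolution policy from the GPO: queries for the internal suffix are sent
# through the tunnel to the DirectAccess server's DNS address.
Get-DnsClientNrptPolicy | Select-Object Namespace, DirectAccessDnsServers

# Why the domain controller answers on IPv6: DNS64 on the DirectAccess server
# synthesises an AAAA record for IPv4-only hosts and NAT64 translates the
# traffic, which is also why the IPv4-only NAS is reachable.
$dcName = 'dc01.lab.example'   # placeholder FQDN of the domain controller
Resolve-DnsName -Name $dcName -Type AAAA | Select-Object Name, IPAddress

# ---- On the DirectAccess server ----
# Same data as the Remote Client Status panel: the transition technology should
# be IPHTTPS and the authentication method should show Kerberos for machine and user.
Get-RemoteAccessConnectionStatistics -ComputerName 'DA01' |
    Select-Object UserName, HostName, ClientIPAddress, ISPAddress,
                  TransitionTechnology, AuthMethod, ConnectionDuration
```

A non-zero LastErrorCode on the client with no matching entry on the server points at the path between them (DNS, router forwarding, firewall profile), not at the DirectAccess policy itself.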
In the next parts, I will show you how we can improve that configuration.
See you soon
Julien