[Tutorial] Configuring Direct Access on Server 2012 R2 _ Jack Stromberg
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 135
Jack Stromberg: A site about stuff
[Tutorial] Configuring Direct Access on Server 2012 R2
This tutorial will cover deployment of Windows Server 2012 R2's latest version of DirectAccess. While
there are multiple ways to configure Direct Access, I tried to pull together what I believe are the
best/recommended practices and what I believe would be a common deployment between
organizations. If you have any thoughts/feedback on how to improve this deployment, please leave a
comment below.
Before beginning, if you are curious what DirectAccess is, here is a brief overview of what it is and what it
will allow us to accomplish:
DirectAccess, also known as Unified Remote Access, is a VPN-like technology that
provides intranet connectivity to client computers when they are connected to the Internet. Unlike
many traditional VPN connections, which must be initiated and terminated by explicit user action,
DirectAccess connections are designed to connect automatically as soon as the computer connects to
the Internet. DirectAccess was introduced in Windows Server 2008 R2, providing this service
to Windows 7 and Windows 8 "Enterprise" edition clients.
http://en.wikipedia.org/wiki/DirectAccess
Prerequisites
Domain Admin rights to complete the tutorial below
Windows Server 2012 R2 machine
Two network cards - One in your internal network, the other in your DMZ
Joined to your domain
Latest Windows Updates (seriously, apply these; there are updates released specifically for DirectAccess)
DMZ
PKI Setup (Public Key Infrastructure to issue self-signed certificates)
Custom template setup for issuing servers with an intended purpose of Server Authentication
Certificate auto-enrollment has been configured
Active Directory Security Group designated with Computer Objects allowed to use DirectAccess
1. Log in to the Server 2012 R2 server we will be using to install DirectAccess.
2. Ensure all Windows updates have been applied.
3. Open up Server Manager.
4. Select Manage -> Add Roles and Features.
5. Click Next > on the Before you Begin step.
6. Ensure Role-based or feature-based installation is checked and click Next >.
7. Select Next > on the Select destination server step.
8. Check Remote Access and click Next >.
9. Click Next > on the Select Features step.
10. Click Next > on the Remote Access step.
11. Check DirectAccess and VPN (RAS).
12. Click the Add Features button on the dialog box that prompts.
13. Check DirectAccess and VPN (RAS) and then click Next >.
14. Click Next > on the Web Server Role (IIS) page.
15. Click Next > on the Role Services page.
16. Check the Restart the destination server automatically if required checkbox and click Yes on
the dialog box.
17. Click Install.
18. Click Close when the install has completed.
19. Back in Server Manager, click on Tools -> Remote Access Management. (You can ignore the
warning icon; the Open the Getting Started Wizard will only do a quick setup of DirectAccess. We
want to do a full deployment.)
Here is what the quick deployment looks like. Don't click on this.
20. On the Remote Access Management Console, click on DirectAccess and VPN on the top left and
then click on the Run the Remote Access Setup Wizard.
21. On the Configure Remote Access window, select Deploy DirectAccess only.
22. Click on the Configure… button for Step 1: Remote Clients.
23. Select Deploy full DirectAccess for client access and remote management and click Next >.
24.
25. Click on the Add… button.
26.
27. Select the security group inside of Active Directory that will contain computer objects allowed to
use DirectAccess and click OK.
28. Optionally uncheck or check Enable DirectAccess for mobile computers only as well as Use force
tunneling, and click Next >.
    1. If Enable DirectAccess for mobile computers is checked, WMI will query the machine to
       determine if it is a laptop/tablet. If WMI determines the machine is not a "mobile device", the
       group policy object will not be applied to those machines in the security group. In short, if
       checked, DirectAccess will not be applied to computers that are desktops or VMs placed
       inside the security group.
    2. If Use force tunneling is enabled, mobile computers will always connect to the DirectAccess
       server, regardless if the client is directly attached to the local network or is remote.
    3.
29. Double click on the Resource | Type row.
    1. What this step is trying to do is find a resource on the internal network that the client can
       "ping" to ensure the DirectAccess client has successfully connected to the internal network.
30. Select whether you want the client to verify it has connected to the internal network via an HTTP
response or network ping, optionally click the validate button to test the connection, and then click
Add.
    1. You may want to add a couple resources for failover testing purposes; however, it isn't
       recommended to list every resource on your internal network.
31. Enter in your Helpdesk email address and DirectAccess connection name (this name will show
up as the name of the connection a user would use), check Allow DirectAccess clients to use
local name resolution, and click Finish.
    1. Based on what I could find, checking Allow DirectAccess clients to use local name resolution
       will allow the DirectAccess client to use the DNS server published by DHCP on the physical
       network they are connected to. In the event the Network Location server is unavailable, the
       client would then use the local DNS server for name resolution, allowing the client to at least
       access some things via DNS.
32. Click on Configure… next to Step 2: Remote Access Server.
33. On the Remote Access Server Setup page, select Behind an edge device (with two network
adapters), ensure you specify a public facing DNS record that DirectAccess will use to connect
back to your environment, and then click Next >.
    1. NOTE: By default your domain's FQDN will be used, so if you have a .local domain you will
       want to switch this to your actual .com, .net, .org, whatever.
    2. As an additional side note, here is some information from the following KB article on what the
       differences are between each of the topologies. From what I gather, using the dual NIC
       configuration is Microsoft's best practice from a security standpoint.
       Two adapters: With two network adapters, Remote Access can be configured with
       one network adapter connected directly to the Internet, and the other is connected to
       the internal network. Or alternatively the server is installed behind an edge device such
       as a firewall or a router. In this configuration one network adapter is connected to the
       perimeter network, the other is connected to the internal network.
       Single network adapter: In this configuration the Remote Access server is installed
       behind an edge device such as a firewall or a router. The network adapter is connected
       to the internal network.
34. On the Network Adapters step, select your External (DMZ) and Internal (LAN) adapters.
35. Leave the Remote Access Setup screen open, right click on the Start button, and select
Run.
36. Type mmc and select OK.
37. Click File -> Add/Remove Snap-in…
38. Select Certificates and click Add >.
39. Select Computer account and click Next >.
40. Ensure Local Computer is selected and click Finish.
41. Click OK on the Add or Remove Snap-ins dialog.
42. Expand Certificates (Local Computer) -> Personal -> Certificates, right click on Certificates,
and select Request New Certificate…
43. Click Next on the Before You Begin screen.
44. Click Next on the Select Certificate Enrollment Policy screen.
45. Select your template that will support server authentication and click More information is
required to enroll for this certificate. Click here to configure settings.
46. On the Subject tab, enter the following values (substituting in your company's information):
    Common name: da.mydomain.com
    Country: US
    Locality: Honolulu
    Organization: My Company
    Organization Unit: Information Technology
    State: Hawaii
47. On the Private Key tab, expand Key options and check Make private key exportable. Click
Apply when done.
48. Click Enroll.
49. Click Finish.
50. Go back to the Remote Access Setup screen and click Browse…
51. Select the da.mydomain.com certificate we just created and click OK.
52. Click Next >.
53. Check Use computer certificates, check Use an intermediate certificate, and then click
Browse…
54. Select the certificate authority that will be issuing the client certificates and click OK.
55. Optionally, you may enable Enable Windows 7 client computers to connect via DirectAccess as well
as Enforce corporate compliance for DirectAccess clients with NAP. Note: Configuring these two
options is not covered in the scope of this tutorial. Click Finish when done.
56. Click on Configure… next to Step 3: Infrastructure Servers.
57. On the Remote Access Setup screen, check The network location server is deployed on a
remote web server (recommended), type in the website address to the Network Location
Server, and click Next >.
    1. So for whatever reason, there aren't many articles explaining what exactly the network
       location server is and how to set it up. From what I gather, the Network Location Server is
       merely a server with a website running on it that the client can contact to ensure it has
       reached the internal network. The webpage can be the default IIS webpage; just ensure the
       website is NOT accessible externally.
58. Specify any additional DNS servers you wish to use for name resolution, ensure Use local name
resolution if the name does not exist in DNS or DNS servers are unreachable when the
client computer is on a private network (recommended) is checked, and click Next >.
59. Check Configure DirectAccess clients with DNS client suffix search list, ensure your local
domain's suffix has been added, and click Next >.
60. Click Finish on the Management page.
61. Click the Configure… button on Step 4: Application Servers.
62. Check Do not extend authentication to application servers and click Finish.
63. Click Finish… on the Remote Access Management Console page.
64. Click Apply on the Remote Access Review page.
65. Click Close once DirectAccess has successfully finished deploying.
66. Log in to one of your Windows 8.X Enterprise machines that is inside of your
DirectAccess Computers security group and run a gpupdate from the command line to pull
down the latest group policy.
67. At this point, you should now be able to log in to your network via DirectAccess.
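The checks below are an added example, not part of the original tutorial: a PowerShell script that verifies two security-relevant outcomes of the procedure, the server authentication certificate requested in steps 42-49 and the reachability of the Network Location Server from step 57. The NLS URL is a placeholder, and the function and parameter names are hypothetical.

```powershell
# Added example (not from the original tutorial).
# Run once on the DirectAccess server, and once with -External from an
# Internet-connected machine outside the corporate network.
param(
    [string]$PublicName = 'da.mydomain.com',           # common name entered in step 46
    [uri]$NlsUrl        = 'https://nls.corp.example/', # placeholder NLS address (assumption)
    [switch]$External
)

function Test-IpHttpsCertificate {
    # Reports on certificates in the computer's Personal store whose
    # subject common name equals $CommonName.
    param([Parameter(Mandatory = $true)][string]$CommonName)

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication enhanced key usage
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.GetNameInfo($nameType, $false) -eq $CommonName } |
        ForEach-Object {
            $cert = $_
            # Exportable is only readable for CSP-backed keys; it stays $null
            # when the key lives in a CNG provider or cannot be opened.
            $exportable = $null
            try { $exportable = $cert.PrivateKey.CspKeyContainerInfo.Exportable } catch { }

            [pscustomobject]@{
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey
                # False as well when the certificate carries no EKU extension at all
                ServerAuthEku = [bool]($cert.EnhancedKeyUsageList |
                                    Where-Object { $_.ObjectId -eq $serverAuthOid })
                KeyExportable = $exportable
            }
        }
}

function Test-NlsReachability {
    # Resolves the NLS host name, tries the TCP port, then requests the page.
    param([Parameter(Mandatory = $true)][uri]$Url)

    $result = [ordered]@{ Host = $Url.Host; Resolves = $false; TcpOpen = $false; HttpStatus = $null }
    try {
        $null = Resolve-DnsName -Name $Url.Host -ErrorAction Stop
        $result.Resolves = $true
    } catch { }

    if ($result.Resolves) {
        $tcp = Test-NetConnection -ComputerName $Url.Host -Port $Url.Port -WarningAction SilentlyContinue
        $result.TcpOpen = [bool]$tcp.TcpTestSucceeded
    }
    if ($result.TcpOpen) {
        try {
            $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
            $result.HttpStatus = [int]$resp.StatusCode
        } catch { }   # TLS trust failures and non-success responses leave HttpStatus at $null
    }
    [pscustomobject]$result
}

$findings = @()

if (-not $External) {
    $certs = @(Test-IpHttpsCertificate -CommonName $PublicName)
    $certs | Format-Table -AutoSize
    if ($certs.Count -eq 0) { $findings += "No certificate with CN=$PublicName in LocalMachine\My" }
    foreach ($c in $certs) {
        if (-not $c.HasPrivateKey)      { $findings += "$($c.Thumbprint): no private key on this server" }
        if (-not $c.ServerAuthEku)      { $findings += "$($c.Thumbprint): Server Authentication EKU missing" }
        if ($c.NotAfter -lt (Get-Date)) { $findings += "$($c.Thumbprint): expired on $($c.NotAfter)" }
    }
}

$nls = Test-NlsReachability -Url $NlsUrl
$nls | Format-List

if ($External) {
    # Clients use the NLS to decide whether they are inside the network, so a
    # machine on the Internet must not be able to reach it.
    if ($nls.TcpOpen) { $findings += "NLS $($nls.Host) accepts connections from outside" }
} elseif ($nls.HttpStatus -ne 200) {
    $findings += "NLS $($nls.Host) did not return HTTP 200 from the internal network"
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    'All checks passed.'
}
```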
NOTES
Here is a pretty good resource from Microsoft on helping plan your DirectAccess deployment. Once you
click on the link, in the bottom left corner you will find two steps to some good KB
articles: http://technet.microsoft.com/en-us/library/jj134262.aspx
Here is another article from Microsoft with a more in-depth explanation about where to place the
Network Location Server: http://technet.microsoft.com/en-us/library/ee382275(v=ws.10).aspx
This entry was posted in Active Directory, Networking and tagged DirectAccess, Remote Access, Unified
Remote Access, Windows Server 2012 R2 on December 16, 2013
[http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2] by Jack
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 235
Certificate auto-enrollment has been configured
Active Directory Security Group designated with Computer Objects allowed to use DirectAccess
1 Login to your Server 2012 R2 server we will be using for installing the Direct Access
2 Ensure all windows updates have been applied
3 Open up Server Manager
4 Select Manage -gt Add Roles and Features
5 Click Next gt on the Before you Begin step
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 335
6 Ensure Role-based or feature-based installation is checked and click Next gt
7 Select Next gt on the Select destination server step
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 435
8 Check Remote Access and click Next gt
9 Click Next gt on the Select Features step
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 535
10 Click Next gt on the Remote Access step
11 Check DirectAccess and VPN (RAS)
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 635
12 Click the Add Features button on the dialog box that prompts
13 Check DirectAccess and VPN (RAS) and then click Next gt
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 735
14 Click Next gt on the Web Server Role (IIS) page
15 Click Next gt on the Role Services page
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 835
16 Check the Restart the destination server automatically if required checkbox and click Yes on
the dialog box
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 935
17 Click Install
18 Click Close when the install has completed
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1035
19 Back in Server Manager click on Tools -gt Remote Access Management (You can ignore the
warning icon the Open the Getting Started Wizard will only do a quick setup of DirectAccess We
want to do a full deployment)
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1135
Here is what the quick deployment looks like Donrsquot click on this
20 On the Remote Access Management Console click on DirectAccess and VPN on the top left and
then click on the Run the Remote Access Setup Wizard
21 On the Configure Remote Access window select Deploy DirectAccess only
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1235
22 Click on the Configurehellip button for Step 1 Remote Clients
23 Select Deploy full DirectAccess for client access and remote management and click Next gt
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1335
24
25 Click on the Addhellip button
26
27 Select the security group inside of Active Directory that will contain computer objects allowed to
use DirectAccess and click OK
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1435
28 Optionally uncheck or check Enable DirectAccess for mobile computers only as well as Use force
tunneling and click Next gt
1 If Enable DirectAccess for mobile computers is checked WMI will query the machine to
determine if it is a laptoptablet If WMI determines the machine is not a ldquomobile devicerdquo the
group policy object will not be applied to those machines in the security group In short if
checked DirectAccess will not be applied to computers that are desktops or VMs placed
inside the security group
2 If Use force tunneling is enabled mobile computers will always connect to the DirectAccess
server regardless if the client is directly attached to local network or is remote
3
29 Double click on the Resource | Type row
1 What this step is trying to do is find a resource on the internal network that the client can
ldquopingrdquo to ensure the DirectAccess client has successfully connected to the internal network
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1535
30 Select whether you want the client to verify it has connected to the internal network via a HTTP
response or network ping optionally click the validate button to test the connection and then click
Add
1 You may want to add a couple resources for failover testing purposes however it isnrsquot
recommended to list every resource on your internal network
31 Enter in your Helpdesk email address and DirectAccess connection name (this name will show
up as the name of the connection a user would use) and check Allow DirectAccess clients to use
local name resolution and click Finish
1 Based on what I could find checking Allow DirectAccess clients to use local name resolution
will allow the DirectAccess client to use the DNS server published by DHCP on the physical
network they are connected to In the event the Network Location server is unavailable the
client would then use the local DNS server for name resolution allowing the client to at least
access some things via DNS
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1635
32 Click on Configurehellip next to Step 2 Remote Access Server
33 On the Remote Access Server Setup page select Behind an edge device (with two network
adapters) and ensure you specify a public facing DNS record that DirectAccess will use to connect
back to your environment and then click Next gt
1 NOTE By default your domainrsquos FQDN will be used so if you have a local domain you will
want to switch this to your actual com net org whatever
2 As an additional side note hereis some information from the following KB article on what the
differences are between each of the topologies From what I gather using the dual NIC
configuration is Microsoftrsquos best practice from a security standpoint
Two adaptersmdashWith two network adapters Remote Access can be configured with
one network adapter connected directly to the Internet and the other is connected to
the internal network Or alternatively the server is installed behind an edge device such
as a firewall or a router In this configuration one network adapter is connected to the
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1735
perimeter network the other is connected to the internal network
Single network adaptermdashIn this configuration the Remote Access server is installed
behind an edge device such as a firewall or a router The network adapter is connected
to the internal network
34 On the Network Adapters step select your External (DMZ) and Internal (LAN) adapters
35 Leave the Remote Access Setup screen open and right click on Start button and select
Run
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1835
36 Type mmc and select OK
37 Click File -gt AddRemove Snap-inhellip
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1935
38 Select Certificates and click Add gt
39 Select Computer account and click Next gt
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2035
40 Ensure Local Computer is selected and click Finish
41 Click OK on the Add or Remove Snap-ins machine
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2135
42 Expand Certificates (Local Computer) -gt Personal -gt Certificates right click on Certificates
and select Request New Certificatehellip
43 Click Next on the Before You Begin screen
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2235
44 Click Next on the Select Certificate Enrollment Policy
45 Select your template that will support server authentication and click More information is
required to enroll for this certificate Click here to configure settings
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2335
46 On the Subject tab enter the following values (substituting in your companyrsquos information)
Common name damydomaincom
Country US
Locality Honolulu
Organization My Company
Organization Unit Information Technology
State Hawaii
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2435
47 On the Private Key tab expand Key options and check Make private key exportable Click
Apply when done
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2535
48 Click Enroll
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2635
49 Click Finish
50 Go back to the Remote Access Setup screen and click Browsehellip
51 Select your damydomaincom certificate we just created and click OK
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2735
52 Click Next gt
53 Check Use computer certificates and check Use an intermediate certificate and then click
Browsehellip
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2835
54 Select the certificate authority that will be issuing the client certificates and click click OK
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2935
55 Optionally you may enable Enable Windows 7 client computers to connect via DirectAccess as well
as Enforce corporate compliance for DirectAccess clients with NAP Note Configuring these two
options are not covered in the scope of this tutorial Click Finish when done
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3035
56 Click on Configurehellip next to Step 3 Infrastructure Servers
57 On the Remote Access Setup screen check The network location server is deployed on a
remote web server (recommended) type in the website address to the Network Location
Server and click Next gt
1 So for whatever reason there arenrsquot many articles explaining what exactly the network
location server is and how to set it up From what I gather the Network Location Server is
merely a server with a website running on it that the client can contact to ensure it has
reached the internal network The webpage can be the default IIS webpage just ensure the
website is NOT accessible externally
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3135
58 Specify any additional DNS servers you wish to use for name resolution ensure Use local name
resolution if the name does not exist in DNS or DNS servers are unreachable when the
client computer is on a private network (recommended) is checked and click Next gt
59 Check Configure DirectAccess clients with DNS client suffix search list ensure your local
domainrsquos suffix has been added and click Next gt
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3235
60 Click Finish on the Management page
61 Click the Configurehellip button on Step 4 Application Servers
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3335
62 Check Do not extend authentication to application servers and click Finish
63 Click Finishhellip on the Remote Access Management Console page
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3435
64 Click Apply on the Remote Access Review page
65 Click Close once direct access has successfully finished deploying
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3535
66 Login to one of your Windows 8X Enterprise machines that is inside of your
DirectAccess Compuers security group and run a gpupdate from command line to pull
down the latest group policy
67 At this point you should now be able to login to your network via DirectAccess
NOTES
Here is a pretty good resource from Microsoft on helping plan your DirectAccess deployment Once you
click on the link in the bottom left corner you will find two steps to some good KB
articles httptechnetmicrosoftcomen-uslibraryjj134262aspx
Here is another article from Microsoft with a more indepth explanation about where to place the
Network Location Server httptechnetmicrosoftcomen-uslibraryee382275(v=ws10)aspx
This entry was posted in Active Directory Networking and tagged DirectAccess Remote Access Unified
Remote Access Windows Server 2012 R2 on December 16 2013
[httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2] by Jack
6. Ensure "Role-based or feature-based installation" is checked and click Next >.
7. Select Next > on the "Select destination server" step.
8. Check Remote Access and click Next >.
9. Click Next > on the Select Features step.
10. Click Next > on the Remote Access step.
11. Check "DirectAccess and VPN (RAS)".
12. Click the Add Features button on the dialog box that prompts.
13. Check "DirectAccess and VPN (RAS)" and then click Next >.
14. Click Next > on the Web Server Role (IIS) page.
15. Click Next > on the Role Services page.
16. Check the "Restart the destination server automatically if required" checkbox and click Yes on the dialog box.
17. Click Install.
18. Click Close when the install has completed.
19. Back in Server Manager, click on Tools -> Remote Access Management. (You can ignore the warning icon; the "Open the Getting Started Wizard" will only do a quick setup of DirectAccess. We want to do a full deployment.)
Here is what the quick deployment looks like. Don't click on this.
20. On the Remote Access Management Console, click on DirectAccess and VPN on the top left and then click on "Run the Remote Access Setup Wizard".
21. On the Configure Remote Access window, select "Deploy DirectAccess only".
22. Click on the Configure... button for Step 1: Remote Clients.
23. Select "Deploy full DirectAccess for client access and remote management" and click Next >.
24.
25. Click on the Add... button.
26.
27. Select the security group inside of Active Directory that will contain computer objects allowed to use DirectAccess and click OK.
28. Optionally uncheck or check "Enable DirectAccess for mobile computers only" as well as "Use force tunneling" and click Next >.
    1. If "Enable DirectAccess for mobile computers" is checked, WMI will query the machine to determine if it is a laptop/tablet. If WMI determines the machine is not a "mobile device", the group policy object will not be applied to those machines in the security group. In short, if checked, DirectAccess will not be applied to computers that are desktops or VMs placed inside the security group.
    2. If "Use force tunneling" is enabled, mobile computers will always connect to the DirectAccess server, regardless of whether the client is directly attached to the local network or is remote.
29. Double click on the Resource | Type row.
    1. What this step is trying to do is find a resource on the internal network that the client can "ping" to ensure the DirectAccess client has successfully connected to the internal network.
30. Select whether you want the client to verify it has connected to the internal network via an HTTP response or network ping, optionally click the validate button to test the connection, and then click Add.
    1. You may want to add a couple of resources for failover testing purposes; however, it isn't recommended to list every resource on your internal network.
31. Enter your Helpdesk email address and DirectAccess connection name (this name will show up as the name of the connection a user would use), check "Allow DirectAccess clients to use local name resolution", and click Finish.
    1. Based on what I could find, checking "Allow DirectAccess clients to use local name resolution" will allow the DirectAccess client to use the DNS server published by DHCP on the physical network they are connected to. In the event the Network Location server is unavailable, the client would then use the local DNS server for name resolution, allowing the client to at least access some things via DNS.
32. Click on Configure... next to Step 2: Remote Access Server.
33. On the Remote Access Server Setup page, select "Behind an edge device (with two network adapters)" and ensure you specify a public-facing DNS record that DirectAccess will use to connect back to your environment, and then click Next >.
    1. NOTE: By default, your domain's FQDN will be used, so if you have a .local domain, you will want to switch this to your actual .com, .net, .org, whatever.
    2. As an additional side note, here is some information from the following KB article on what the differences are between each of the topologies. From what I gather, using the dual NIC configuration is Microsoft's best practice from a security standpoint.
        Two adapters: With two network adapters, Remote Access can be configured with one network adapter connected directly to the Internet, and the other is connected to the internal network. Or alternatively the server is installed behind an edge device such as a firewall or a router. In this configuration one network adapter is connected to the perimeter network, the other is connected to the internal network.
        Single network adapter: In this configuration the Remote Access server is installed behind an edge device such as a firewall or a router. The network adapter is connected to the internal network.
34. On the Network Adapters step, select your External (DMZ) and Internal (LAN) adapters.
35. Leave the Remote Access Setup screen open, right click on the Start button, and select Run.
36. Type mmc and select OK.
37. Click File -> Add/Remove Snap-in...
38. Select Certificates and click Add >.
39. Select Computer account and click Next >.
40. Ensure Local Computer is selected and click Finish.
41. Click OK on the Add or Remove Snap-ins window.
42. Expand Certificates (Local Computer) -> Personal -> Certificates, right click on Certificates, and select Request New Certificate...
43. Click Next on the Before You Begin screen.
44. Click Next on the Select Certificate Enrollment Policy screen.
45. Select your template that will support server authentication and click "More information is required to enroll for this certificate. Click here to configure settings."
46. On the Subject tab, enter the following values (substituting in your company's information):
    Common name: da.mydomain.com
    Country: US
    Locality: Honolulu
    Organization: My Company
    Organization Unit: Information Technology
    State: Hawaii
47. On the Private Key tab, expand Key options and check "Make private key exportable". Click Apply when done.
48. Click Enroll.
49. Click Finish.
50. Go back to the Remote Access Setup screen and click Browse...
51. Select your da.mydomain.com certificate we just created and click OK.
52. Click Next >.
53. Check "Use computer certificates", check "Use an intermediate certificate", and then click Browse...
54. Select the certificate authority that will be issuing the client certificates and click OK.
55. Optionally, you may enable "Enable Windows 7 client computers to connect via DirectAccess" as well as "Enforce corporate compliance for DirectAccess clients with NAP". Note: Configuring these two options is not covered in the scope of this tutorial. Click Finish when done.
56. Click on Configure... next to Step 3: Infrastructure Servers.
57. On the Remote Access Setup screen, check "The network location server is deployed on a remote web server (recommended)", type in the website address to the Network Location Server, and click Next >.
    1. So for whatever reason, there aren't many articles explaining what exactly the network location server is and how to set it up. From what I gather, the Network Location Server is merely a server with a website running on it that the client can contact to ensure it has reached the internal network. The webpage can be the default IIS webpage; just ensure the website is NOT accessible externally.
58. Specify any additional DNS servers you wish to use for name resolution, ensure "Use local name resolution if the name does not exist in DNS or DNS servers are unreachable when the client computer is on a private network (recommended)" is checked, and click Next >.
59. Check "Configure DirectAccess clients with DNS client suffix search list", ensure your local domain's suffix has been added, and click Next >.
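A server-side check of the certificate enrolled in steps 42 to 51, as an added example that is not part of the original tutorial: it confirms the certificate has the Server Authentication EKU, a private key and a valid chain for the public name, and reports whether the key is exportable, which step 47 enables and which lets anyone with administrator rights on the server copy the key off the machine. The function name and the 30-day expiry threshold are assumptions, and the exportable flag can only be read for CSP-backed keys (otherwise it is reported as unknown).

```powershell
# Added example (not from the original tutorial). Read-only.
# Run in an elevated PowerShell session on the DirectAccess server.

function Test-IpHttpsCertificate {
    [CmdletBinding()]
    param(
        # Public name entered in step 33 and used as the Common name in step 46.
        [Parameter(Mandatory = $true)] [string] $PublicName,
        # Warn when the certificate expires within this many days (assumed threshold).
        [int] $WarnDays = 30
    )

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $cnPattern     = 'CN=' + [regex]::Escape($PublicName) + '(,|$)'

    $candidates = @(Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match $cnPattern })
    if ($candidates.Count -eq 0) {
        Write-Warning "No certificate with CN=$PublicName in LocalMachine\My."
        return
    }

    foreach ($cert in $candidates) {
        $notes = @()

        # The template chosen in step 45 must issue Server Authentication.
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $hasServerAuth = $false
        if ($ekuExt) {
            $hasServerAuth = [bool]($ekuExt.EnhancedKeyUsages |
                Where-Object { $_.Value -eq $serverAuthOid })
        }
        if (-not $hasServerAuth) { $notes += 'Missing Server Authentication EKU.' }

        if (-not $cert.HasPrivateKey) { $notes += 'No private key on this server.' }

        # Step 47 marks the key exportable; surface that so it is a known decision.
        $exportable = $null
        try { $exportable = $cert.PrivateKey.CspKeyContainerInfo.Exportable } catch { }
        if ($exportable) {
            $notes += 'Private key is exportable: restrict local administrators and protect any PFX backup.'
        }

        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        if ($daysLeft -lt $WarnDays) { $notes += "Expires in $daysLeft day(s)." }

        # Chain and name check against the local trust store.
        $chainOk = Test-Certificate -Cert $cert -Policy SSL -DNSName $PublicName -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
        if (-not $chainOk) { $notes += 'Chain or name validation failed for the SSL policy.' }

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            HasServerAuth = $hasServerAuth
            HasPrivateKey = $cert.HasPrivateKey
            KeyExportable = if ($null -eq $exportable) { 'unknown' } else { $exportable }
            ChainValid    = [bool]$chainOk
            Notes         = $notes
        }
    }
}

# da.mydomain.com is the tutorial's sample name; substitute your own public name.
Test-IpHttpsCertificate -PublicName 'da.mydomain.com' | Format-List
```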
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3235
60 Click Finish on the Management page
61 Click the Configurehellip button on Step 4 Application Servers
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3335
62 Check Do not extend authentication to application servers and click Finish
63 Click Finishhellip on the Remote Access Management Console page
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3435
64 Click Apply on the Remote Access Review page
65 Click Close once direct access has successfully finished deploying
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3535
66 Login to one of your Windows 8X Enterprise machines that is inside of your
DirectAccess Compuers security group and run a gpupdate from command line to pull
down the latest group policy
67 At this point you should now be able to login to your network via DirectAccess
NOTES
Here is a pretty good resource from Microsoft on helping plan your DirectAccess deployment Once you
click on the link in the bottom left corner you will find two steps to some good KB
articles httptechnetmicrosoftcomen-uslibraryjj134262aspx
Here is another article from Microsoft with a more indepth explanation about where to place the
Network Location Server httptechnetmicrosoftcomen-uslibraryee382275(v=ws10)aspx
This entry was posted in Active Directory Networking and tagged DirectAccess Remote Access Unified
Remote Access Windows Server 2012 R2 on December 16 2013
[httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2] by Jack
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 435
8 Check Remote Access and click Next gt
9 Click Next gt on the Select Features step
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 535
10 Click Next gt on the Remote Access step
11 Check DirectAccess and VPN (RAS)
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 635
12 Click the Add Features button on the dialog box that prompts
13 Check DirectAccess and VPN (RAS) and then click Next gt
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 735
14 Click Next gt on the Web Server Role (IIS) page
15 Click Next gt on the Role Services page
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 835
16 Check the Restart the destination server automatically if required checkbox and click Yes on
the dialog box
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 935
17 Click Install
18 Click Close when the install has completed
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1035
19 Back in Server Manager click on Tools -gt Remote Access Management (You can ignore the
warning icon the Open the Getting Started Wizard will only do a quick setup of DirectAccess We
want to do a full deployment)
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1135
Here is what the quick deployment looks like Donrsquot click on this
20 On the Remote Access Management Console click on DirectAccess and VPN on the top left and
then click on the Run the Remote Access Setup Wizard
21 On the Configure Remote Access window select Deploy DirectAccess only
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1235
22 Click on the Configurehellip button for Step 1 Remote Clients
23 Select Deploy full DirectAccess for client access and remote management and click Next gt
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1335
24
25 Click on the Addhellip button
26
27 Select the security group inside of Active Directory that will contain computer objects allowed to
use DirectAccess and click OK
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1435
28 Optionally uncheck or check Enable DirectAccess for mobile computers only as well as Use force
tunneling and click Next gt
1 If Enable DirectAccess for mobile computers is checked WMI will query the machine to
determine if it is a laptoptablet If WMI determines the machine is not a ldquomobile devicerdquo the
group policy object will not be applied to those machines in the security group In short if
checked DirectAccess will not be applied to computers that are desktops or VMs placed
inside the security group
2 If Use force tunneling is enabled mobile computers will always connect to the DirectAccess
server regardless if the client is directly attached to local network or is remote
3
29 Double click on the Resource | Type row
1 What this step is trying to do is find a resource on the internal network that the client can
ldquopingrdquo to ensure the DirectAccess client has successfully connected to the internal network
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1535
30 Select whether you want the client to verify it has connected to the internal network via a HTTP
response or network ping optionally click the validate button to test the connection and then click
Add
1 You may want to add a couple resources for failover testing purposes however it isnrsquot
recommended to list every resource on your internal network
31 Enter in your Helpdesk email address and DirectAccess connection name (this name will show
up as the name of the connection a user would use) and check Allow DirectAccess clients to use
local name resolution and click Finish
1 Based on what I could find checking Allow DirectAccess clients to use local name resolution
will allow the DirectAccess client to use the DNS server published by DHCP on the physical
network they are connected to In the event the Network Location server is unavailable the
client would then use the local DNS server for name resolution allowing the client to at least
access some things via DNS
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1635
32 Click on Configurehellip next to Step 2 Remote Access Server
33 On the Remote Access Server Setup page select Behind an edge device (with two network
adapters) and ensure you specify a public facing DNS record that DirectAccess will use to connect
back to your environment and then click Next gt
1 NOTE By default your domainrsquos FQDN will be used so if you have a local domain you will
want to switch this to your actual com net org whatever
2 As an additional side note hereis some information from the following KB article on what the
differences are between each of the topologies From what I gather using the dual NIC
configuration is Microsoftrsquos best practice from a security standpoint
Two adaptersmdashWith two network adapters Remote Access can be configured with
one network adapter connected directly to the Internet and the other is connected to
the internal network Or alternatively the server is installed behind an edge device such
as a firewall or a router In this configuration one network adapter is connected to the
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1735
perimeter network the other is connected to the internal network
Single network adaptermdashIn this configuration the Remote Access server is installed
behind an edge device such as a firewall or a router The network adapter is connected
to the internal network
34 On the Network Adapters step select your External (DMZ) and Internal (LAN) adapters
35 Leave the Remote Access Setup screen open and right click on Start button and select
Run
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1835
36 Type mmc and select OK
37 Click File -gt AddRemove Snap-inhellip
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1935
38 Select Certificates and click Add gt
39 Select Computer account and click Next gt
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2035
40 Ensure Local Computer is selected and click Finish
41 Click OK on the Add or Remove Snap-ins machine
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2135
42 Expand Certificates (Local Computer) -gt Personal -gt Certificates right click on Certificates
and select Request New Certificatehellip
43 Click Next on the Before You Begin screen
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2235
44 Click Next on the Select Certificate Enrollment Policy
45 Select your template that will support server authentication and click More information is
required to enroll for this certificate Click here to configure settings
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2335
46 On the Subject tab enter the following values (substituting in your companyrsquos information)
Common name damydomaincom
Country US
Locality Honolulu
Organization My Company
Organization Unit Information Technology
State Hawaii
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2435
47 On the Private Key tab expand Key options and check Make private key exportable Click
Apply when done
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2535
48 Click Enroll
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2635
49 Click Finish
50 Go back to the Remote Access Setup screen and click Browsehellip
51 Select your damydomaincom certificate we just created and click OK
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2735
52 Click Next gt
53 Check Use computer certificates and check Use an intermediate certificate and then click
Browsehellip
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2835
54 Select the certificate authority that will be issuing the client certificates and click click OK
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2935
55 Optionally you may enable Enable Windows 7 client computers to connect via DirectAccess as well
as Enforce corporate compliance for DirectAccess clients with NAP Note Configuring these two
options are not covered in the scope of this tutorial Click Finish when done
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3035
56 Click on Configurehellip next to Step 3 Infrastructure Servers
57 On the Remote Access Setup screen check The network location server is deployed on a
remote web server (recommended) type in the website address to the Network Location
Server and click Next gt
1 So for whatever reason there arenrsquot many articles explaining what exactly the network
location server is and how to set it up From what I gather the Network Location Server is
merely a server with a website running on it that the client can contact to ensure it has
reached the internal network The webpage can be the default IIS webpage just ensure the
website is NOT accessible externally
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3135
58 Specify any additional DNS servers you wish to use for name resolution ensure Use local name
resolution if the name does not exist in DNS or DNS servers are unreachable when the
client computer is on a private network (recommended) is checked and click Next gt
59 Check Configure DirectAccess clients with DNS client suffix search list ensure your local
domainrsquos suffix has been added and click Next gt
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3235
60 Click Finish on the Management page
61 Click the Configurehellip button on Step 4 Application Servers
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3335
62 Check Do not extend authentication to application servers and click Finish
63 Click Finishhellip on the Remote Access Management Console page
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3435
64 Click Apply on the Remote Access Review page
65 Click Close once direct access has successfully finished deploying
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3535
66 Login to one of your Windows 8X Enterprise machines that is inside of your
DirectAccess Compuers security group and run a gpupdate from command line to pull
down the latest group policy
67 At this point you should now be able to login to your network via DirectAccess
NOTES
Here is a pretty good resource from Microsoft on helping plan your DirectAccess deployment Once you
click on the link in the bottom left corner you will find two steps to some good KB
articles httptechnetmicrosoftcomen-uslibraryjj134262aspx
Here is another article from Microsoft with a more indepth explanation about where to place the
Network Location Server httptechnetmicrosoftcomen-uslibraryee382275(v=ws10)aspx
This entry was posted in Active Directory Networking and tagged DirectAccess Remote Access Unified
Remote Access Windows Server 2012 R2 on December 16 2013
[httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2] by Jack
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 535
10 Click Next gt on the Remote Access step
11 Check DirectAccess and VPN (RAS)
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 635
12 Click the Add Features button on the dialog box that prompts
13 Check DirectAccess and VPN (RAS) and then click Next gt
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 735
14 Click Next gt on the Web Server Role (IIS) page
15 Click Next gt on the Role Services page
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 835
16 Check the Restart the destination server automatically if required checkbox and click Yes on
the dialog box
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 935
17 Click Install
18 Click Close when the install has completed
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1035
19 Back in Server Manager click on Tools -gt Remote Access Management (You can ignore the
warning icon the Open the Getting Started Wizard will only do a quick setup of DirectAccess We
want to do a full deployment)
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1135
Here is what the quick deployment looks like Donrsquot click on this
20 On the Remote Access Management Console click on DirectAccess and VPN on the top left and
then click on the Run the Remote Access Setup Wizard
21 On the Configure Remote Access window select Deploy DirectAccess only
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1235
22 Click on the Configurehellip button for Step 1 Remote Clients
23 Select Deploy full DirectAccess for client access and remote management and click Next gt
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1335
24
25 Click on the Addhellip button
26
27 Select the security group inside of Active Directory that will contain computer objects allowed to
use DirectAccess and click OK
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1435
28. Optionally uncheck or check Enable DirectAccess for mobile computers only as well as Use force tunneling and click Next >.
   1. If Enable DirectAccess for mobile computers is checked, WMI will query the machine to determine if it is a laptop/tablet. If WMI determines the machine is not a "mobile device", the group policy object will not be applied to those machines in the security group. In short, if checked, DirectAccess will not be applied to computers that are desktops or VMs placed inside the security group.
   2. If Use force tunneling is enabled, mobile computers will always connect to the DirectAccess server, regardless of whether the client is directly attached to the local network or is remote.
29. Double click on the Resource | Type row.
   1. What this step is trying to do is find a resource on the internal network that the client can "ping" to ensure the DirectAccess client has successfully connected to the internal network.
30. Select whether you want the client to verify it has connected to the internal network via an HTTP response or network ping, optionally click the Validate button to test the connection, and then click Add.
   1. You may want to add a couple of resources for failover testing purposes; however, it isn't recommended to list every resource on your internal network.
31. Enter your Helpdesk email address and DirectAccess connection name (this name will show up as the name of the connection a user would use), check Allow DirectAccess clients to use local name resolution, and click Finish.
   1. Based on what I could find, checking Allow DirectAccess clients to use local name resolution will allow the DirectAccess client to use the DNS server published by DHCP on the physical network they are connected to. In the event the Network Location server is unavailable, the client would then use the local DNS server for name resolution, allowing the client to at least access some things via DNS.
32. Click on Configure... next to Step 2: Remote Access Server.
33. On the Remote Access Server Setup page, select Behind an edge device (with two network adapters), ensure you specify a public-facing DNS record that DirectAccess will use to connect back to your environment, and then click Next >.
   1. NOTE: By default, your domain's FQDN will be used, so if you have a .local domain, you will want to switch this to your actual .com, .net, .org, whatever.
   2. As an additional side note, here is some information from the following KB article on what the differences are between each of the topologies. From what I gather, using the dual NIC configuration is Microsoft's best practice from a security standpoint.
      Two adapters: With two network adapters, Remote Access can be configured with one network adapter connected directly to the Internet, and the other is connected to the internal network. Or alternatively the server is installed behind an edge device such as a firewall or a router. In this configuration one network adapter is connected to the perimeter network, the other is connected to the internal network.
      Single network adapter: In this configuration the Remote Access server is installed behind an edge device such as a firewall or a router. The network adapter is connected to the internal network.
34. On the Network Adapters step, select your External (DMZ) and Internal (LAN) adapters.
35. Leave the Remote Access Setup screen open, right click on the Start button, and select Run.
36. Type mmc and select OK.
37. Click File -> Add/Remove Snap-in...
38. Select Certificates and click Add >.
39. Select Computer account and click Next >.
40. Ensure Local Computer is selected and click Finish.
41. Click OK on the Add or Remove Snap-ins window.
42. Expand Certificates (Local Computer) -> Personal -> Certificates, right click on Certificates, and select Request New Certificate...
43. Click Next on the Before You Begin screen.
44. Click Next on the Select Certificate Enrollment Policy screen.
45. Select your template that will support server authentication and click More information is required to enroll for this certificate. Click here to configure settings.
46. On the Subject tab, enter the following values (substituting in your company's information):
   Common name: da.mydomain.com
   Country: US
   Locality: Honolulu
   Organization: My Company
   Organization Unit: Information Technology
   State: Hawaii
47. On the Private Key tab, expand Key options and check Make private key exportable. Click Apply when done.
48. Click Enroll.
49. Click Finish.
50. Go back to the Remote Access Setup screen and click Browse...
51. Select the da.mydomain.com certificate we just created and click OK.
52. Click Next >.
53. Check Use computer certificates, check Use an intermediate certificate, and then click Browse...
54. Select the certificate authority that will be issuing the client certificates and click OK.
55. Optionally, you may enable Enable Windows 7 client computers to connect via DirectAccess as well as Enforce corporate compliance for DirectAccess clients with NAP. Note: Configuring these two options is not covered in the scope of this tutorial. Click Finish when done.
56. Click on Configure... next to Step 3: Infrastructure Servers.
57. On the Remote Access Setup screen, check The network location server is deployed on a remote web server (recommended), type in the website address of the Network Location Server, and click Next >.
   1. So for whatever reason, there aren't many articles explaining what exactly the network location server is and how to set it up. From what I gather, the Network Location Server is merely a server with a website running on it that the client can contact to ensure it has reached the internal network. The webpage can be the default IIS webpage; just ensure the website is NOT accessible externally.
58. Specify any additional DNS servers you wish to use for name resolution, ensure Use local name resolution if the name does not exist in DNS or DNS servers are unreachable when the client computer is on a private network (recommended) is checked, and click Next >.
59. Check Configure DirectAccess clients with DNS client suffix search list, ensure your local domain's suffix has been added, and click Next >.
60. Click Finish on the Management page.
61. Click the Configure... button on Step 4: Application Servers.
62. Check Do not extend authentication to application servers and click Finish.
63. Click Finish... on the Remote Access Management Console page.
64. Click Apply on the Remote Access Review page.
65. Click Close once DirectAccess has successfully finished deploying.
66. Log in to one of your Windows 8.X Enterprise machines that is inside of your DirectAccess Computers security group and run a gpupdate from the command line to pull down the latest group policy.
67. At this point, you should now be able to log in to your network via DirectAccess.
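A check to run on the client after steps 66 and 67, as an added example that is not part of the original tutorial: it evaluates the settings the wizard pushed through group policy in steps 28 to 58, including the Network Location Server exemption that keeps a remote client from concluding it is on the internal network. `Test-DAClientPolicy`, `New-Finding`, their parameters and the sample objects are hypothetical and constructed; on a real client, pass the output of `Get-DAClientExperienceConfiguration`, `Get-NCSIPolicyConfiguration` and `Get-DnsClientNrptPolicy -Effective` instead.

```powershell
# Added example, not from the tutorial. Function and parameter names are hypothetical.
function New-Finding([string]$Step, [string]$Check, [bool]$Pass, [string]$Detail) {
    [pscustomobject]@{ Step = $Step; Check = $Check; Pass = $Pass; Detail = $Detail }
}

function Test-DAClientPolicy {
    param(
        $Experience,               # shaped like Get-DAClientExperienceConfiguration output
        $Ncsi,                     # shaped like Get-NCSIPolicyConfiguration output
        [object[]]$Nrpt,           # rows shaped like Get-DnsClientNrptPolicy output
        [string]$InternalSuffix,   # internal DNS suffix, without the leading dot
        [bool]$ExpectForceTunneling = $false
    )

    # Step 28: the real cmdlet reports ForceTunneling as Default, Enabled or Disabled.
    $forced = "$($Experience.ForceTunneling)" -eq 'Enabled'
    New-Finding '28' 'Force tunneling matches intent' ($forced -eq $ExpectForceTunneling) "ForceTunneling=$($Experience.ForceTunneling)"

    # Step 30: at least one connectivity probe; a single probe leaves no failover.
    $probes = @($Experience.CorporateResources | Where-Object { $_ })
    $note = if ($probes.Count -eq 1) { ' (single probe, no failover)' } else { '' }
    New-Finding '30' 'Connectivity probes defined' ($probes.Count -ge 1) "$($probes.Count) probe(s)$note"

    # Step 31: helpdesk address, connection name and local name resolution.
    $named = (-not [string]::IsNullOrWhiteSpace($Experience.SupportEmail)) -and
             (-not [string]::IsNullOrWhiteSpace($Experience.FriendlyName))
    New-Finding '31' 'Helpdesk email and connection name set' $named "name=$($Experience.FriendlyName)"
    New-Finding '31' 'Local name resolution allowed' ([bool]$Experience.PreferLocalNamesAllowed) "PreferLocalNamesAllowed=$($Experience.PreferLocalNamesAllowed)"

    # Step 57: the NLS URL must be present and HTTPS.
    $nlsUri = $null
    $parsed = [Uri]::TryCreate([string]$Ncsi.DomainLocationDeterminationUrl, [System.UriKind]::Absolute, [ref]$nlsUri)
    New-Finding '57' 'NLS URL present and HTTPS' ($parsed -and ($nlsUri.Scheme -eq 'https')) "NLS=$($Ncsi.DomainLocationDeterminationUrl)"

    # Step 58: the internal suffix goes to the DirectAccess DNS servers, while the NLS
    # host is exempted (no DirectAccess DNS server). If a remote client could resolve and
    # reach the NLS, it would decide it is inside and never bring DirectAccess up.
    $hasServers = { param($r) @($r.DirectAccessDnsServers | Where-Object { $_ }).Count -gt 0 }
    $suffixRule = @($Nrpt | Where-Object { (@($_.Namespace) -contains ".$InternalSuffix") -and (& $hasServers $_) })
    $nlsExempt  = @($Nrpt | Where-Object { $parsed -and (@($_.Namespace) -contains $nlsUri.Host) -and (-not (& $hasServers $_)) })
    New-Finding '58' 'NRPT sends internal suffix to DirectAccess DNS' ($suffixRule.Count -ge 1) "suffix=.$InternalSuffix"
    New-Finding '57' 'NLS host exempted in NRPT' ($nlsExempt.Count -ge 1) "host=$($nlsUri.Host)"
}

# Constructed sample data: a healthy policy and one with a broken NLS configuration.
$goodExperience = [pscustomobject]@{
    FriendlyName = 'Workplace Connection'; SupportEmail = 'helpdesk@example.com'
    PreferLocalNamesAllowed = $true; ForceTunneling = 'Disabled'
    CorporateResources = @('HTTP:http://probe1.corp.example.com', 'PING:dc1.corp.example.com')
}
$goodNcsi = [pscustomobject]@{ DomainLocationDeterminationUrl = 'https://nls.corp.example.com/' }
$goodNrpt = @(
    [pscustomobject]@{ Namespace = '.corp.example.com';    DirectAccessDnsServers = @('2001:db8::53') },
    [pscustomobject]@{ Namespace = 'nls.corp.example.com'; DirectAccessDnsServers = @() }
)
$badNcsi = [pscustomobject]@{ DomainLocationDeterminationUrl = 'http://nls.corp.example.com/' }
$badNrpt = @($goodNrpt[0])   # suffix rule only, NLS exemption missing

Test-DAClientPolicy -Experience $goodExperience -Ncsi $goodNcsi -Nrpt $goodNrpt -InternalSuffix 'corp.example.com' |
    Format-Table -AutoSize
Test-DAClientPolicy -Experience $goodExperience -Ncsi $badNcsi -Nrpt $badNrpt -InternalSuffix 'corp.example.com' |
    Where-Object { -not $_.Pass } | Format-Table -AutoSize
```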
NOTES:
Here is a pretty good resource from Microsoft on helping plan your DirectAccess deployment. Once you click on the link, in the bottom left corner you will find two steps to some good KB articles: http://technet.microsoft.com/en-us/library/jj134262.aspx
Here is another article from Microsoft with a more in-depth explanation about where to place the Network Location Server: http://technet.microsoft.com/en-us/library/ee382275(v=ws.10).aspx
This entry was posted in Active Directory, Networking and tagged DirectAccess, Remote Access, Unified Remote Access, Windows Server 2012 R2 on December 16, 2013 [http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2] by Jack
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 735
14 Click Next gt on the Web Server Role (IIS) page
15 Click Next gt on the Role Services page
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 835
16 Check the Restart the destination server automatically if required checkbox and click Yes on
the dialog box
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 935
17 Click Install
18 Click Close when the install has completed
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1035
19 Back in Server Manager click on Tools -gt Remote Access Management (You can ignore the
warning icon the Open the Getting Started Wizard will only do a quick setup of DirectAccess We
want to do a full deployment)
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1135
Here is what the quick deployment looks like Donrsquot click on this
20 On the Remote Access Management Console click on DirectAccess and VPN on the top left and
then click on the Run the Remote Access Setup Wizard
21 On the Configure Remote Access window select Deploy DirectAccess only
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1235
22 Click on the Configurehellip button for Step 1 Remote Clients
23 Select Deploy full DirectAccess for client access and remote management and click Next gt
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1335
24
25 Click on the Addhellip button
26
27 Select the security group inside of Active Directory that will contain computer objects allowed to
use DirectAccess and click OK
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1435
28 Optionally uncheck or check Enable DirectAccess for mobile computers only as well as Use force
tunneling and click Next gt
1 If Enable DirectAccess for mobile computers is checked WMI will query the machine to
determine if it is a laptoptablet If WMI determines the machine is not a ldquomobile devicerdquo the
group policy object will not be applied to those machines in the security group In short if
checked DirectAccess will not be applied to computers that are desktops or VMs placed
inside the security group
2 If Use force tunneling is enabled mobile computers will always connect to the DirectAccess
server regardless if the client is directly attached to local network or is remote
3
29 Double click on the Resource | Type row
1 What this step is trying to do is find a resource on the internal network that the client can
ldquopingrdquo to ensure the DirectAccess client has successfully connected to the internal network
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1535
30 Select whether you want the client to verify it has connected to the internal network via a HTTP
response or network ping optionally click the validate button to test the connection and then click
Add
1 You may want to add a couple resources for failover testing purposes however it isnrsquot
recommended to list every resource on your internal network
31 Enter in your Helpdesk email address and DirectAccess connection name (this name will show
up as the name of the connection a user would use) and check Allow DirectAccess clients to use
local name resolution and click Finish
1 Based on what I could find checking Allow DirectAccess clients to use local name resolution
will allow the DirectAccess client to use the DNS server published by DHCP on the physical
network they are connected to In the event the Network Location server is unavailable the
client would then use the local DNS server for name resolution allowing the client to at least
access some things via DNS
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1635
32 Click on Configurehellip next to Step 2 Remote Access Server
33 On the Remote Access Server Setup page select Behind an edge device (with two network
adapters) and ensure you specify a public facing DNS record that DirectAccess will use to connect
back to your environment and then click Next gt
1 NOTE By default your domainrsquos FQDN will be used so if you have a local domain you will
want to switch this to your actual com net org whatever
2 As an additional side note hereis some information from the following KB article on what the
differences are between each of the topologies From what I gather using the dual NIC
configuration is Microsoftrsquos best practice from a security standpoint
Two adaptersmdashWith two network adapters Remote Access can be configured with
one network adapter connected directly to the Internet and the other is connected to
the internal network Or alternatively the server is installed behind an edge device such
as a firewall or a router In this configuration one network adapter is connected to the
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1735
perimeter network the other is connected to the internal network
Single network adaptermdashIn this configuration the Remote Access server is installed
behind an edge device such as a firewall or a router The network adapter is connected
to the internal network
34 On the Network Adapters step select your External (DMZ) and Internal (LAN) adapters
35 Leave the Remote Access Setup screen open and right click on Start button and select
Run
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1835
36 Type mmc and select OK
37 Click File -gt AddRemove Snap-inhellip
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1935
38 Select Certificates and click Add gt
39 Select Computer account and click Next gt
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2035
40 Ensure Local Computer is selected and click Finish
41 Click OK on the Add or Remove Snap-ins machine
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2135
42 Expand Certificates (Local Computer) -gt Personal -gt Certificates right click on Certificates
and select Request New Certificatehellip
43 Click Next on the Before You Begin screen
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2235
44 Click Next on the Select Certificate Enrollment Policy
45 Select your template that will support server authentication and click More information is
required to enroll for this certificate Click here to configure settings
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2335
46. On the Subject tab, enter the following values (substituting in your company's information):
    Common name: da.mydomain.com
    Country: US
    Locality: Honolulu
    Organization: My Company
    Organization Unit: Information Technology
    State: Hawaii
47. On the Private Key tab, expand Key options and check Make private key exportable. Click Apply when done.
48. Click Enroll
49. Click Finish
50. Go back to the Remote Access Setup screen and click Browse...
51. Select the da.mydomain.com certificate we just created and click OK
52. Click Next >
53. Check Use computer certificates, check Use an intermediate certificate, and then click Browse...
54. Select the certificate authority that will be issuing the client certificates and click OK
55. Optionally, you may check "Enable Windows 7 client computers to connect via DirectAccess" as well as "Enforce corporate compliance for DirectAccess clients with NAP". Note: Configuring these two options is not covered in the scope of this tutorial. Click Finish when done.
56. Click on Configure... next to Step 3: Infrastructure Servers
57. On the Remote Access Setup screen, check "The network location server is deployed on a remote web server (recommended)", type in the website address of the Network Location Server, and click Next >
    1. For whatever reason, there aren't many articles explaining what exactly the network location server is and how to set it up. From what I gather, the Network Location Server is merely a server with a website running on it that the client can contact to ensure it has reached the internal network. The webpage can be the default IIS webpage; just ensure the website is NOT accessible externally.
58. Specify any additional DNS servers you wish to use for name resolution, ensure "Use local name resolution if the name does not exist in DNS or DNS servers are unreachable when the client computer is on a private network (recommended)" is checked, and click Next >
59. Check "Configure DirectAccess clients with DNS client suffix search list", ensure your local domain's suffix has been added, and click Next >
60. Click Finish on the Management page
61. Click the Configure... button on Step 4: Application Servers
62. Check "Do not extend authentication to application servers" and click Finish
63. Click Finish... on the Remote Access Management Console page
64. Click Apply on the Remote Access Review page
65. Click Close once DirectAccess has successfully finished deploying
66. Log in to one of your Windows 8.x Enterprise machines that is inside of your DirectAccess Computers security group and run gpupdate from the command line to pull down the latest group policy
67. At this point, you should now be able to log in to your network via DirectAccess
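A client-side check for steps 66 and 67 and for the Network Location Server note under step 57, as an added example that is not part of the original tutorial. It assumes an elevated PowerShell session on a Windows 8.x Enterprise client in the DirectAccess security group; the `-Location` parameter and the `Add-Result` helper are names introduced here.

```powershell
# Added example (not from the original tutorial): post-deployment checks on a
# DirectAccess client. Run once on the internal LAN and once from an outside network.
param(
    # Assumption: the operator states where the client is connected right now.
    [ValidateSet('Inside', 'Outside')]
    [string]$Location = 'Outside'
)

$results = New-Object System.Collections.Generic.List[object]
function Add-Result {   # hypothetical helper, not a built-in cmdlet
    param([string]$Check, [bool]$Passed, [string]$Detail)
    $results.Add([pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail })
}

# Step 66: pull down the latest computer policy.
gpupdate /target:computer /force | Out-Null

# The DirectAccess client GPO delivers the NRPT rules. No configured rules means
# the GPO did not apply (machine not in the security group, or excluded by the
# mobile-computers-only WMI filter from step 28).
$configured = @(Get-DnsClientNrptPolicy)
Add-Result 'NRPT rules delivered by GPO' ($configured.Count -gt 0) "$($configured.Count) rule(s)"

# The rules are effective only while the client believes it is outside.
$effective = @(Get-DnsClientNrptPolicy -Effective)
$nrptOk = if ($Location -eq 'Outside') { $effective.Count -gt 0 } else { $effective.Count -eq 0 }
Add-Result "NRPT state matches '$Location'" $nrptOk "$($effective.Count) effective rule(s)"

# Step 57: the NLS must answer on the internal network and must NOT answer from
# outside. If it is reachable externally, a remote client concludes it is on the
# intranet and stops using DirectAccess.
$nlsUrl = (Get-NCSIPolicyConfiguration).DomainLocationDeterminationURL
if (-not $nlsUrl) {
    Add-Result 'NLS URL present in policy' $false 'DomainLocationDeterminationURL is empty'
} else {
    $reachable = $false
    try {
        Invoke-WebRequest -Uri $nlsUrl -UseBasicParsing -TimeoutSec 10 | Out-Null
        $reachable = $true
    } catch {
        # An HTTP error status still proves the site answered the request.
        $reachable = ($_.Exception -is [System.Net.WebException]) -and
                     ($null -ne $_.Exception.Response)
    }
    $nlsOk = if ($Location -eq 'Outside') { -not $reachable } else { $reachable }
    Add-Result "NLS reachability matches '$Location'" $nlsOk "$nlsUrl reachable: $reachable"
}

# Steps 28 and 31: confirm the settings chosen in the wizard reached the client.
$cfg = Get-DAClientExperienceConfiguration
$detail = "Name='$($cfg.FriendlyName)' Support='$($cfg.SupportEmail)' " +
          "LocalNames=$($cfg.PreferLocalNamesAllowed) ForceTunnel=$($cfg.ForceTunneling)"
Add-Result 'Client experience settings' ($null -ne $cfg) $detail

# Step 67: overall connection state as reported by the DirectAccess client.
$expected = if ($Location -eq 'Outside') { 'ConnectedRemotely' } else { 'ConnectedLocally' }
try {
    $status = "$((Get-DAConnectionStatus -ErrorAction Stop).Status)"
} catch {
    $status = "unavailable: $($_.Exception.Message)"
}
Add-Result 'DirectAccess connection status' ($status -eq $expected) "expected $expected, got $status"

$results | Format-Table -AutoSize -Wrap
if ($results | Where-Object { -not $_.Passed }) { exit 1 }
```

A failed NLS row when run with `-Location Outside` means the NLS site is published externally and should be restricted to the internal network.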
NOTES
Here is a pretty good resource from Microsoft on helping plan your DirectAccess deployment. Once you click on the link in the bottom left corner you will find two steps to some good KB articles: http://technet.microsoft.com/en-us/library/jj134262.aspx
Here is another article from Microsoft with a more in-depth explanation about where to place the Network Location Server: http://technet.microsoft.com/en-us/library/ee382275(v=ws.10).aspx
This entry was posted in Active Directory, Networking and tagged DirectAccess, Remote Access, Unified Remote Access, Windows Server 2012 R2 on December 16, 2013 [http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2] by Jack
16. Check the "Restart the destination server automatically if required" checkbox and click Yes on the dialog box
17. Click Install
18. Click Close when the install has completed
19. Back in Server Manager, click on Tools -> Remote Access Management (You can ignore the warning icon; the Open the Getting Started Wizard will only do a quick setup of DirectAccess. We want to do a full deployment.)
Here is what the quick deployment looks like. Don't click on this.
20. On the Remote Access Management Console, click on DirectAccess and VPN on the top left and then click on Run the Remote Access Setup Wizard
21. On the Configure Remote Access window, select Deploy DirectAccess only
22. Click on the Configure... button for Step 1: Remote Clients
23. Select "Deploy full DirectAccess for client access and remote management" and click Next >
24.
25. Click on the Add... button
26.
27. Select the security group inside of Active Directory that will contain computer objects allowed to use DirectAccess and click OK
28. Optionally, uncheck or check "Enable DirectAccess for mobile computers only" as well as "Use force tunneling" and click Next >
    1. If "Enable DirectAccess for mobile computers" is checked, WMI will query the machine to determine if it is a laptop/tablet. If WMI determines the machine is not a "mobile device", the group policy object will not be applied to those machines in the security group. In short, if checked, DirectAccess will not be applied to computers that are desktops or VMs placed inside the security group.
    2. If "Use force tunneling" is enabled, mobile computers will always connect to the DirectAccess server regardless of whether the client is directly attached to the local network or is remote.
    3.
29. Double click on the Resource | Type row
    1. What this step is trying to do is find a resource on the internal network that the client can "ping" to ensure the DirectAccess client has successfully connected to the internal network.
30. Select whether you want the client to verify it has connected to the internal network via an HTTP response or network ping, optionally click the Validate button to test the connection, and then click Add
    1. You may want to add a couple of resources for failover testing purposes; however, it isn't recommended to list every resource on your internal network.
31. Enter your Helpdesk email address and DirectAccess connection name (this name will show up as the name of the connection a user would use), check "Allow DirectAccess clients to use local name resolution", and click Finish
    1. Based on what I could find, checking "Allow DirectAccess clients to use local name resolution" will allow the DirectAccess client to use the DNS server published by DHCP on the physical network they are connected to. In the event the Network Location server is unavailable, the client would then use the local DNS server for name resolution, allowing the client to at least access some things via DNS.
32. Click on Configure... next to Step 2: Remote Access Server
33. On the Remote Access Server Setup page, select "Behind an edge device (with two network adapters)", ensure you specify a public-facing DNS record that DirectAccess will use to connect back to your environment, and then click Next >
    1. NOTE: By default, your domain's FQDN will be used, so if you have a .local domain you will want to switch this to your actual .com, .net, .org, whatever.
    2. As an additional side note, here is some information from the following KB article on what the differences are between each of the topologies. From what I gather, using the dual NIC configuration is Microsoft's best practice from a security standpoint.
       Two adapters: With two network adapters, Remote Access can be configured with one network adapter connected directly to the Internet, and the other is connected to the internal network. Or alternatively the server is installed behind an edge device such as a firewall or a router. In this configuration one network adapter is connected to the perimeter network, the other is connected to the internal network.
       Single network adapter: In this configuration the Remote Access server is installed behind an edge device such as a firewall or a router. The network adapter is connected to the internal network.
34. On the Network Adapters step, select your External (DMZ) and Internal (LAN) adapters
35. Leave the Remote Access Setup screen open, right click on the Start button, and select Run
36. Type mmc and select OK
37. Click File -> Add/Remove Snap-in...
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1035
19 Back in Server Manager click on Tools -gt Remote Access Management (You can ignore the
warning icon the Open the Getting Started Wizard will only do a quick setup of DirectAccess We
want to do a full deployment)
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1135
Here is what the quick deployment looks like Donrsquot click on this
20 On the Remote Access Management Console click on DirectAccess and VPN on the top left and
then click on the Run the Remote Access Setup Wizard
21 On the Configure Remote Access window select Deploy DirectAccess only
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1235
22 Click on the Configurehellip button for Step 1 Remote Clients
23 Select Deploy full DirectAccess for client access and remote management and click Next gt
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1335
24
25 Click on the Addhellip button
26
27 Select the security group inside of Active Directory that will contain computer objects allowed to
use DirectAccess and click OK
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1435
28. Optionally, uncheck or check Enable DirectAccess for mobile computers only as well as Use force tunneling, and click Next >.
   1. If Enable DirectAccess for mobile computers is checked, WMI will query the machine to determine if it is a laptop/tablet. If WMI determines the machine is not a "mobile device", the group policy object will not be applied to those machines in the security group. In short, if checked, DirectAccess will not be applied to computers that are desktops or VMs placed inside the security group.
   2. If Use force tunneling is enabled, mobile computers will always connect to the DirectAccess server, regardless of whether the client is directly attached to the local network or is remote.
29. Double click on the Resource | Type row.
   1. What this step is trying to do is find a resource on the internal network that the client can "ping" to ensure the DirectAccess client has successfully connected to the internal network.
30. Select whether you want the client to verify it has connected to the internal network via an HTTP response or network ping, optionally click the Validate button to test the connection, and then click Add.
   1. You may want to add a couple of resources for failover testing purposes; however, it isn't recommended to list every resource on your internal network.
31. Enter your Helpdesk email address and DirectAccess connection name (this name will show up as the name of the connection a user would use), check Allow DirectAccess clients to use local name resolution, and click Finish.
   1. Based on what I could find, checking Allow DirectAccess clients to use local name resolution will allow the DirectAccess client to use the DNS server published by DHCP on the physical network they are connected to. In the event the Network Location server is unavailable, the client would then use the local DNS server for name resolution, allowing the client to at least access some things via DNS.
32. Click on Configure… next to Step 2: Remote Access Server.
33. On the Remote Access Server Setup page, select Behind an edge device (with two network adapters) and ensure you specify a public-facing DNS record that DirectAccess will use to connect back to your environment, and then click Next >.
   1. NOTE: By default, your domain's FQDN will be used, so if you have a .local domain, you will want to switch this to your actual .com, .net, .org, whatever.
   2. As an additional side note, here is some information from the following KB article on what the differences are between each of the topologies. From what I gather, using the dual NIC configuration is Microsoft's best practice from a security standpoint.
      Two adapters: With two network adapters, Remote Access can be configured with one network adapter connected directly to the Internet, and the other is connected to the internal network. Or alternatively the server is installed behind an edge device such as a firewall or a router. In this configuration one network adapter is connected to the perimeter network, the other is connected to the internal network.
      Single network adapter: In this configuration the Remote Access server is installed behind an edge device such as a firewall or a router. The network adapter is connected to the internal network.
34. On the Network Adapters step, select your External (DMZ) and Internal (LAN) adapters.
35. Leave the Remote Access Setup screen open, right click on the Start button, and select Run.
36. Type mmc and select OK.
37. Click File -> Add/Remove Snap-in…
38. Select Certificates and click Add >.
39. Select Computer account and click Next >.
40. Ensure Local Computer is selected and click Finish.
41. Click OK on the Add or Remove Snap-ins window.
42. Expand Certificates (Local Computer) -> Personal -> Certificates, right click on Certificates, and select Request New Certificate…
43. Click Next on the Before You Begin screen.
44. Click Next on the Select Certificate Enrollment Policy screen.
45. Select your template that will support server authentication and click More information is required to enroll for this certificate. Click here to configure settings.
46. On the Subject tab, enter the following values (substituting in your company's information):
   Common name: da.mydomain.com
   Country: US
   Locality: Honolulu
   Organization: My Company
   Organization Unit: Information Technology
   State: Hawaii
47. On the Private Key tab, expand Key options and check Make private key exportable. Click Apply when done.
48. Click Enroll.
49. Click Finish.
50. Go back to the Remote Access Setup screen and click Browse…
51. Select the da.mydomain.com certificate we just created and click OK.
52. Click Next >.
53. Check Use computer certificates and check Use an intermediate certificate, and then click Browse…
54. Select the certificate authority that will be issuing the client certificates and click OK.
55. Optionally, you may enable Enable Windows 7 client computers to connect via DirectAccess as well as Enforce corporate compliance for DirectAccess clients with NAP. Note: Configuring these two options is not covered in the scope of this tutorial. Click Finish when done.
56. Click on Configure… next to Step 3: Infrastructure Servers.
57. On the Remote Access Setup screen, check The network location server is deployed on a remote web server (recommended), type in the website address to the Network Location Server, and click Next >.
   1. So for whatever reason, there aren't many articles explaining what exactly the network location server is and how to set it up. From what I gather, the Network Location Server is merely a server with a website running on it that the client can contact to ensure it has reached the internal network. The webpage can be the default IIS webpage; just ensure the website is NOT accessible externally.
58. Specify any additional DNS servers you wish to use for name resolution, ensure Use local name resolution if the name does not exist in DNS or DNS servers are unreachable when the client computer is on a private network (recommended) is checked, and click Next >.
59. Check Configure DirectAccess clients with DNS client suffix search list, ensure your local domain's suffix has been added, and click Next >.
60. Click Finish on the Management page.
61. Click the Configure… button on Step 4: Application Servers.
62. Check Do not extend authentication to application servers and click Finish.
63. Click Finish… on the Remote Access Management Console page.
64. Click Apply on the Remote Access Review page.
65. Click Close once DirectAccess has successfully finished deploying.
66. Log in to one of your Windows 8.X Enterprise machines that is inside of your DirectAccess Computers security group and run gpupdate from the command line to pull down the latest group policy.
67. At this point, you should now be able to log in to your network via DirectAccess.
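A client-side check for steps 66 and 67, added here as an example and not part of the original tutorial: it refreshes group policy, confirms the settings from steps 30, 31 and 57 reached the client, and verifies that the Network Location Server answers from inside the network but not from outside. The `-ExpectedLocation` parameter and the helper function names are assumptions of this example; the cmdlets are the built-in DirectAccess client cmdlets on Windows 8.x.

```powershell
# Added example, not from the original tutorial. Save as a .ps1 file and run it on a
# DirectAccess client (member of the DirectAccess security group) from an elevated prompt.
param(
    # Where the client really is while the script runs; supplied by the operator.
    [ValidateSet('Inside', 'Outside')]
    [string]$ExpectedLocation = 'Inside'
)

$results = New-Object 'System.Collections.Generic.List[object]'

function Add-Result {
    param([string]$Check, [bool]$Passed, [string]$Detail)
    $results.Add([pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail })
}

function Test-NlsReachable {
    param([string]$Url)
    try {
        $response = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
        return ($response.StatusCode -eq 200)
    } catch {
        # DNS failure, timeout, TLS error or an HTTP error all count as unreachable.
        return $false
    }
}

# Step 66: pull down the DirectAccess client GPO.
gpupdate /target:computer /force | Out-Null

# Steps 30-31: probe resources, connection name, helpdesk address, local name resolution.
$da = Get-DAClientExperienceConfiguration -ErrorAction SilentlyContinue
$resources = @($da.CorporateResources | Where-Object { $_ })
$detail = "Name='{0}' Support='{1}' LocalNames={2} ForceTunneling={3} Probes={4}" -f `
    $da.FriendlyName, $da.SupportEmail, $da.PreferLocalNamesAllowed,
    $da.ForceTunneling, ($resources -join '; ')
Add-Result 'Client GPO applied' ($resources.Count -gt 0) $detail

# Step 57: the Network Location Server URL the client uses to decide inside vs. outside.
$nlsUrl = (Get-NCSIPolicyConfiguration -ErrorAction SilentlyContinue).DomainLocationDeterminationUrl
if ([string]::IsNullOrEmpty($nlsUrl)) {
    Add-Result 'NLS URL in policy' $false 'No network location server URL configured'
} else {
    $reachable = Test-NlsReachable $nlsUrl
    if ($ExpectedLocation -eq 'Inside') {
        # Inside, the site must answer or the client will not detect the internal network.
        Add-Result 'NLS reachable from inside' $reachable $nlsUrl
    } else {
        # Outside, the site must NOT answer: a client that can reach it from the
        # Internet treats itself as being on the internal network.
        Add-Result 'NLS NOT reachable from outside' (-not $reachable) $nlsUrl
    }
}

# Step 67: connection state reported by the Network Connectivity Assistant.
$expectedStatus = if ($ExpectedLocation -eq 'Inside') { 'ConnectedLocally' } else { 'ConnectedRemotely' }
try {
    $conn = Get-DAConnectionStatus -ErrorAction Stop
    Add-Result "Status is $expectedStatus" ("$($conn.Status)" -eq $expectedStatus) `
        "Status=$($conn.Status) Substatus=$($conn.Substatus)"
} catch {
    Add-Result "Status is $expectedStatus" $false $_.Exception.Message
}

$results | Format-Table -AutoSize -Wrap
if (@($results | Where-Object { -not $_.Passed }).Count -gt 0) { exit 1 }
```

Run it once on the internal LAN with `-ExpectedLocation Inside` and once from an Internet connection with `-ExpectedLocation Outside`; a failed "NLS NOT reachable from outside" row means the Network Location Server site is exposed externally.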
NOTES
Here is a pretty good resource from Microsoft on helping plan your DirectAccess deployment. Once you click on the link, in the bottom left corner you will find two steps to some good KB articles: http://technet.microsoft.com/en-us/library/jj134262.aspx
Here is another article from Microsoft with a more in-depth explanation about where to place the Network Location Server: http://technet.microsoft.com/en-us/library/ee382275(v=ws.10).aspx
This entry was posted in Active Directory, Networking and tagged DirectAccess, Remote Access, Unified Remote Access, Windows Server 2012 R2 on December 16, 2013 [http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/] by Jack
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1135
Here is what the quick deployment looks like Donrsquot click on this
20 On the Remote Access Management Console click on DirectAccess and VPN on the top left and
then click on the Run the Remote Access Setup Wizard
21 On the Configure Remote Access window select Deploy DirectAccess only
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1235
22 Click on the Configurehellip button for Step 1 Remote Clients
23 Select Deploy full DirectAccess for client access and remote management and click Next gt
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1335
24
25 Click on the Addhellip button
26
27 Select the security group inside of Active Directory that will contain computer objects allowed to
use DirectAccess and click OK
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1435
28 Optionally uncheck or check Enable DirectAccess for mobile computers only as well as Use force
tunneling and click Next gt
1 If Enable DirectAccess for mobile computers is checked WMI will query the machine to
determine if it is a laptoptablet If WMI determines the machine is not a ldquomobile devicerdquo the
group policy object will not be applied to those machines in the security group In short if
checked DirectAccess will not be applied to computers that are desktops or VMs placed
inside the security group
2 If Use force tunneling is enabled mobile computers will always connect to the DirectAccess
server regardless if the client is directly attached to local network or is remote
3
29 Double click on the Resource | Type row
1 What this step is trying to do is find a resource on the internal network that the client can
ldquopingrdquo to ensure the DirectAccess client has successfully connected to the internal network
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1535
30 Select whether you want the client to verify it has connected to the internal network via a HTTP
response or network ping optionally click the validate button to test the connection and then click
Add
1 You may want to add a couple resources for failover testing purposes however it isnrsquot
recommended to list every resource on your internal network
31 Enter in your Helpdesk email address and DirectAccess connection name (this name will show
up as the name of the connection a user would use) and check Allow DirectAccess clients to use
local name resolution and click Finish
1 Based on what I could find checking Allow DirectAccess clients to use local name resolution
will allow the DirectAccess client to use the DNS server published by DHCP on the physical
network they are connected to In the event the Network Location server is unavailable the
client would then use the local DNS server for name resolution allowing the client to at least
access some things via DNS
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1635
32 Click on Configurehellip next to Step 2 Remote Access Server
33 On the Remote Access Server Setup page select Behind an edge device (with two network
adapters) and ensure you specify a public facing DNS record that DirectAccess will use to connect
back to your environment and then click Next gt
1 NOTE By default your domainrsquos FQDN will be used so if you have a local domain you will
want to switch this to your actual com net org whatever
2 As an additional side note hereis some information from the following KB article on what the
differences are between each of the topologies From what I gather using the dual NIC
configuration is Microsoftrsquos best practice from a security standpoint
Two adaptersmdashWith two network adapters Remote Access can be configured with
one network adapter connected directly to the Internet and the other is connected to
the internal network Or alternatively the server is installed behind an edge device such
as a firewall or a router In this configuration one network adapter is connected to the
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1735
perimeter network the other is connected to the internal network
Single network adaptermdashIn this configuration the Remote Access server is installed
behind an edge device such as a firewall or a router The network adapter is connected
to the internal network
34 On the Network Adapters step select your External (DMZ) and Internal (LAN) adapters
35 Leave the Remote Access Setup screen open and right click on Start button and select
Run
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1835
36 Type mmc and select OK
37 Click File -gt AddRemove Snap-inhellip
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1935
38 Select Certificates and click Add gt
39 Select Computer account and click Next gt
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2035
40 Ensure Local Computer is selected and click Finish
41 Click OK on the Add or Remove Snap-ins machine
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2135
42 Expand Certificates (Local Computer) -gt Personal -gt Certificates right click on Certificates
and select Request New Certificatehellip
43 Click Next on the Before You Begin screen
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2235
44 Click Next on the Select Certificate Enrollment Policy
45 Select your template that will support server authentication and click More information is
required to enroll for this certificate Click here to configure settings
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2335
46 On the Subject tab enter the following values (substituting in your companyrsquos information)
Common name damydomaincom
Country US
Locality Honolulu
Organization My Company
Organization Unit Information Technology
State Hawaii
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2435
47 On the Private Key tab expand Key options and check Make private key exportable Click
Apply when done
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2535
48 Click Enroll
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2635
49 Click Finish
50 Go back to the Remote Access Setup screen and click Browsehellip
51 Select your damydomaincom certificate we just created and click OK
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2735
52 Click Next gt
53 Check Use computer certificates and check Use an intermediate certificate and then click
Browsehellip
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2835
54 Select the certificate authority that will be issuing the client certificates and click click OK
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2935
55 Optionally you may enable Enable Windows 7 client computers to connect via DirectAccess as well
as Enforce corporate compliance for DirectAccess clients with NAP Note Configuring these two
options are not covered in the scope of this tutorial Click Finish when done
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3035
56 Click on Configurehellip next to Step 3 Infrastructure Servers
57 On the Remote Access Setup screen check The network location server is deployed on a
remote web server (recommended) type in the website address to the Network Location
Server and click Next gt
1 So for whatever reason there arenrsquot many articles explaining what exactly the network
location server is and how to set it up From what I gather the Network Location Server is
merely a server with a website running on it that the client can contact to ensure it has
reached the internal network The webpage can be the default IIS webpage just ensure the
website is NOT accessible externally
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3135
58 Specify any additional DNS servers you wish to use for name resolution ensure Use local name
resolution if the name does not exist in DNS or DNS servers are unreachable when the
client computer is on a private network (recommended) is checked and click Next gt
59 Check Configure DirectAccess clients with DNS client suffix search list ensure your local
domainrsquos suffix has been added and click Next gt
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3235
60 Click Finish on the Management page
61 Click the Configurehellip button on Step 4 Application Servers
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3335
62 Check Do not extend authentication to application servers and click Finish
63 Click Finishhellip on the Remote Access Management Console page
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3435
64 Click Apply on the Remote Access Review page
65 Click Close once direct access has successfully finished deploying
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3535
66 Login to one of your Windows 8X Enterprise machines that is inside of your
DirectAccess Compuers security group and run a gpupdate from command line to pull
down the latest group policy
67 At this point you should now be able to login to your network via DirectAccess
NOTES
Here is a pretty good resource from Microsoft on helping plan your DirectAccess deployment Once you
click on the link in the bottom left corner you will find two steps to some good KB
articles httptechnetmicrosoftcomen-uslibraryjj134262aspx
Here is another article from Microsoft with a more indepth explanation about where to place the
Network Location Server httptechnetmicrosoftcomen-uslibraryee382275(v=ws10)aspx
This entry was posted in Active Directory Networking and tagged DirectAccess Remote Access Unified
Remote Access Windows Server 2012 R2 on December 16 2013
[httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2] by Jack
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1235
22 Click on the Configurehellip button for Step 1 Remote Clients
23 Select Deploy full DirectAccess for client access and remote management and click Next gt
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1335
24
25 Click on the Addhellip button
26
27 Select the security group inside of Active Directory that will contain computer objects allowed to
use DirectAccess and click OK
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1435
28 Optionally uncheck or check Enable DirectAccess for mobile computers only as well as Use force
tunneling and click Next gt
1 If Enable DirectAccess for mobile computers is checked WMI will query the machine to
determine if it is a laptoptablet If WMI determines the machine is not a ldquomobile devicerdquo the
group policy object will not be applied to those machines in the security group In short if
checked DirectAccess will not be applied to computers that are desktops or VMs placed
inside the security group
2 If Use force tunneling is enabled mobile computers will always connect to the DirectAccess
server regardless if the client is directly attached to local network or is remote
3
29 Double click on the Resource | Type row
1 What this step is trying to do is find a resource on the internal network that the client can
ldquopingrdquo to ensure the DirectAccess client has successfully connected to the internal network
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1535
30 Select whether you want the client to verify it has connected to the internal network via a HTTP
response or network ping optionally click the validate button to test the connection and then click
Add
1 You may want to add a couple resources for failover testing purposes however it isnrsquot
recommended to list every resource on your internal network
31 Enter in your Helpdesk email address and DirectAccess connection name (this name will show
up as the name of the connection a user would use) and check Allow DirectAccess clients to use
local name resolution and click Finish
1 Based on what I could find checking Allow DirectAccess clients to use local name resolution
will allow the DirectAccess client to use the DNS server published by DHCP on the physical
network they are connected to In the event the Network Location server is unavailable the
client would then use the local DNS server for name resolution allowing the client to at least
access some things via DNS
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1635
32 Click on Configurehellip next to Step 2 Remote Access Server
33 On the Remote Access Server Setup page select Behind an edge device (with two network
adapters) and ensure you specify a public facing DNS record that DirectAccess will use to connect
back to your environment and then click Next gt
1 NOTE By default your domainrsquos FQDN will be used so if you have a local domain you will
want to switch this to your actual com net org whatever
2 As an additional side note hereis some information from the following KB article on what the
differences are between each of the topologies From what I gather using the dual NIC
configuration is Microsoftrsquos best practice from a security standpoint
Two adaptersmdashWith two network adapters Remote Access can be configured with
one network adapter connected directly to the Internet and the other is connected to
the internal network Or alternatively the server is installed behind an edge device such
as a firewall or a router In this configuration one network adapter is connected to the
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1735
perimeter network the other is connected to the internal network
Single network adaptermdashIn this configuration the Remote Access server is installed
behind an edge device such as a firewall or a router The network adapter is connected
to the internal network
34 On the Network Adapters step select your External (DMZ) and Internal (LAN) adapters
35 Leave the Remote Access Setup screen open and right click on Start button and select
Run
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1835
36 Type mmc and select OK
37 Click File -gt AddRemove Snap-inhellip
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1935
38 Select Certificates and click Add gt
39 Select Computer account and click Next gt
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2035
40 Ensure Local Computer is selected and click Finish
41 Click OK on the Add or Remove Snap-ins machine
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2135
42 Expand Certificates (Local Computer) -gt Personal -gt Certificates right click on Certificates
and select Request New Certificatehellip
43 Click Next on the Before You Begin screen
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2235
44 Click Next on the Select Certificate Enrollment Policy
45 Select your template that will support server authentication and click More information is
required to enroll for this certificate Click here to configure settings
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2335
46 On the Subject tab enter the following values (substituting in your companyrsquos information)
Common name damydomaincom
Country US
Locality Honolulu
Organization My Company
Organization Unit Information Technology
State Hawaii
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2435
47 On the Private Key tab expand Key options and check Make private key exportable Click
Apply when done
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2535
48 Click Enroll
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2635
49 Click Finish
50 Go back to the Remote Access Setup screen and click Browsehellip
51 Select your damydomaincom certificate we just created and click OK
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2735
52 Click Next gt
53 Check Use computer certificates and check Use an intermediate certificate and then click
Browsehellip
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2835
54 Select the certificate authority that will be issuing the client certificates and click click OK
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2935
55 Optionally you may enable Enable Windows 7 client computers to connect via DirectAccess as well
as Enforce corporate compliance for DirectAccess clients with NAP Note Configuring these two
options are not covered in the scope of this tutorial Click Finish when done
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3035
56. Click on Configure… next to Step 3: Infrastructure Servers.
57. On the Remote Access Setup screen, check The network location server is deployed on a
remote web server (recommended), type in the website address to the Network Location
Server, and click Next >
    1. So for whatever reason, there aren't many articles explaining what exactly the network
    location server is and how to set it up. From what I gather, the Network Location Server is
    merely a server with a website running on it that the client can contact to ensure it has
    reached the internal network. The webpage can be the default IIS webpage; just ensure the
    website is NOT accessible externally.
58. Specify any additional DNS servers you wish to use for name resolution, ensure Use local name
resolution if the name does not exist in DNS or DNS servers are unreachable when the
client computer is on a private network (recommended) is checked, and click Next >
59. Check Configure DirectAccess clients with DNS client suffix search list, ensure your local
domain's suffix has been added, and click Next >
60. Click Finish on the Management page.
61. Click the Configure… button on Step 4: Application Servers.
62. Check Do not extend authentication to application servers and click Finish.
63. Click Finish… on the Remote Access Management Console page.
64. Click Apply on the Remote Access Review page.
65. Click Close once DirectAccess has successfully finished deploying.
66. Log in to one of your Windows 8.X Enterprise machines that is inside of your
DirectAccess Computers security group and run a gpupdate from the command line to pull
down the latest group policy.
67. At this point, you should now be able to log in to your network via DirectAccess.
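The client-side state that steps 53-54, 57 and 66-67 set up can be checked from PowerShell once the policy has been pulled down. This is an added example, not part of the original tutorial: Test-DirectAccessClient and the MyCompany-CA issuer string are hypothetical names, and it assumes an elevated session on a Windows 8.x Enterprise client in the DirectAccess security group.

```powershell
# Added example (not from the original tutorial): client-side checks after gpupdate.
# Test-DirectAccessClient is a hypothetical helper name, not a built-in cmdlet.
function Test-DirectAccessClient {
    [CmdletBinding()]
    param(
        # Assumption: a fragment of the issuing CA's name as shown in the Issuer field.
        [string]$IssuingCaName = 'MyCompany-CA',
        # Set when running on the internal LAN; omit when running from the Internet.
        [switch]$ExpectInside
    )

    $findings = [ordered]@{}

    # Step 66: refresh computer policy so the DirectAccess client GPO is applied.
    gpupdate /target:computer /force | Out-Null

    # Step 57: the Network Location Server URL is delivered to the client by policy.
    $nlsUrl = (Get-NCSIPolicyConfiguration).DomainLocationDeterminationURL
    $findings['NlsUrl'] = $nlsUrl

    # Probe the NLS the way the tutorial describes it: a website the client can
    # reach only from the internal network. Any failure (DNS, TCP, TLS, HTTP error)
    # counts as "not reachable".
    $nlsReachable = $false
    if ($nlsUrl) {
        try {
            $resp = Invoke-WebRequest -Uri $nlsUrl -UseBasicParsing -TimeoutSec 10
            $nlsReachable = ($resp.StatusCode -eq 200)
        } catch {
            $nlsReachable = $false
        }
    }
    $findings['NlsReachable'] = $nlsReachable

    # Steps 58-59: name resolution rules (NRPT) configured on this client.
    $nrpt = @(Get-DnsClientNrptPolicy)
    $findings['NrptNamespaces'] = ($nrpt.Namespace -join ', ')

    # Steps 53-54: the client needs a valid computer certificate from the chosen CA.
    # 1.3.6.1.5.5.7.3.2 is the Client Authentication EKU. Certificates with no EKU
    # extension at all are not counted here.
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    $certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $_.Issuer -like "*$IssuingCaName*" -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
    })
    $findings['ComputerCertCount'] = $certs.Count

    # Step 67: what the DirectAccess client itself reports.
    try {
        $da = Get-DAConnectionStatus -ErrorAction Stop
        $findings['DaStatus']    = "$($da.Status)"
        $findings['DaSubstatus'] = "$($da.Substatus)"
    } catch {
        # Raised when the DirectAccess client components are not configured or running.
        $findings['DaStatus']    = 'Unavailable'
        $findings['DaSubstatus'] = $_.Exception.Message
    }

    # Verdicts. An NLS that answers from outside the LAN makes the client believe
    # it is inside, so it never brings up DirectAccess.
    $expectedStatus = if ($ExpectInside) { 'ConnectedLocally' } else { 'ConnectedRemotely' }
    $findings['NlsMatchesLocation'] = ($nlsReachable -eq [bool]$ExpectInside)
    $findings['StatusAsExpected']   = ($findings['DaStatus'] -eq $expectedStatus)
    $findings['HasComputerCert']    = ($certs.Count -gt 0)

    [pscustomobject]$findings
}

# From a network outside the office:  Test-DirectAccessClient | Format-List
# From the internal LAN:              Test-DirectAccessClient -ExpectInside | Format-List
```

NlsMatchesLocation reading False on an outside network means the NLS website is reachable externally, which is the condition the note under step 57 warns against.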
NOTES
Here is a pretty good resource from Microsoft on helping plan your DirectAccess deployment. Once you
click on the link, in the bottom left corner you will find two steps to some good KB
articles: http://technet.microsoft.com/en-us/library/jj134262.aspx
Here is another article from Microsoft with a more in-depth explanation about where to place the
Network Location Server: http://technet.microsoft.com/en-us/library/ee382275(v=ws.10).aspx
This entry was posted in Active Directory, Networking and tagged DirectAccess, Remote Access, Unified
Remote Access, Windows Server 2012 R2 on December 16, 2013
[http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2] by Jack
25. Click on the Add… button.
27. Select the security group inside of Active Directory that will contain computer objects allowed to
use DirectAccess and click OK.
28. Optionally uncheck or check Enable DirectAccess for mobile computers only as well as Use force
tunneling, and click Next >
    1. If Enable DirectAccess for mobile computers is checked, WMI will query the machine to
    determine if it is a laptop/tablet. If WMI determines the machine is not a "mobile device", the
    group policy object will not be applied to those machines in the security group. In short, if
    checked, DirectAccess will not be applied to computers that are desktops or VMs placed
    inside the security group.
    2. If Use force tunneling is enabled, mobile computers will always connect to the DirectAccess
    server regardless of whether the client is directly attached to the local network or is remote.
29. Double click on the Resource | Type row.
    1. What this step is trying to do is find a resource on the internal network that the client can
    "ping" to ensure the DirectAccess client has successfully connected to the internal network.
30. Select whether you want the client to verify it has connected to the internal network via an HTTP
response or network ping, optionally click the validate button to test the connection, and then click
Add.
    1. You may want to add a couple of resources for failover testing purposes; however, it isn't
    recommended to list every resource on your internal network.
31. Enter your Helpdesk email address and DirectAccess connection name (this name will show
up as the name of the connection a user would use), check Allow DirectAccess clients to use
local name resolution, and click Finish.
    1. Based on what I could find, checking Allow DirectAccess clients to use local name resolution
    will allow the DirectAccess client to use the DNS server published by DHCP on the physical
    network they are connected to. In the event the Network Location server is unavailable, the
    client would then use the local DNS server for name resolution, allowing the client to at least
    access some things via DNS.
32. Click on Configure… next to Step 2: Remote Access Server.
33. On the Remote Access Server Setup page, select Behind an edge device (with two network
adapters), ensure you specify a public facing DNS record that DirectAccess will use to connect
back to your environment, and then click Next >
    1. NOTE: By default, your domain's FQDN will be used, so if you have a local domain you will
    want to switch this to your actual .com, .net, .org, whatever.
    2. As an additional side note, here is some information from the following KB article on what the
    differences are between each of the topologies. From what I gather, using the dual NIC
    configuration is Microsoft's best practice from a security standpoint.
        Two adapters—With two network adapters, Remote Access can be configured with
        one network adapter connected directly to the Internet, and the other is connected to
        the internal network. Or alternatively the server is installed behind an edge device such
        as a firewall or a router. In this configuration one network adapter is connected to the
        perimeter network, the other is connected to the internal network.
        Single network adapter—In this configuration the Remote Access server is installed
        behind an edge device such as a firewall or a router. The network adapter is connected
        to the internal network.
34. On the Network Adapters step, select your External (DMZ) and Internal (LAN) adapters.
35. Leave the Remote Access Setup screen open, right click on the Start button, and select
Run.
36. Type mmc and select OK.
37. Click File -> Add/Remove Snap-in…
38. Select Certificates and click Add >
39. Select Computer account and click Next >
40. Ensure Local Computer is selected and click Finish.
41. Click OK on the Add or Remove Snap-ins window.
42. Expand Certificates (Local Computer) -> Personal -> Certificates, right click on Certificates,
and select Request New Certificate…
43. Click Next on the Before You Begin screen.
44. Click Next on the Select Certificate Enrollment Policy screen.
45. Select your template that will support server authentication and click More information is
required to enroll for this certificate. Click here to configure settings.
46. On the Subject tab, enter the following values (substituting in your company's information):
    Common name: da.mydomain.com
    Country: US
    Locality: Honolulu
    Organization: My Company
    Organization Unit: Information Technology
    State: Hawaii
47. On the Private Key tab, expand Key options and check Make private key exportable. Click
Apply when done.
66 Login to one of your Windows 8X Enterprise machines that is inside of your
DirectAccess Compuers security group and run a gpupdate from command line to pull
down the latest group policy
67 At this point you should now be able to login to your network via DirectAccess
NOTES
Here is a pretty good resource from Microsoft on helping plan your DirectAccess deployment Once you
click on the link in the bottom left corner you will find two steps to some good KB
articles httptechnetmicrosoftcomen-uslibraryjj134262aspx
Here is another article from Microsoft with a more indepth explanation about where to place the
Network Location Server httptechnetmicrosoftcomen-uslibraryee382275(v=ws10)aspx
This entry was posted in Active Directory Networking and tagged DirectAccess Remote Access Unified
Remote Access Windows Server 2012 R2 on December 16 2013
[httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2] by Jack
32. Click on Configure… next to Step 2: Remote Access Server.
33. On the Remote Access Server Setup page, select Behind an edge device (with two network
    adapters), ensure you specify a public-facing DNS record that DirectAccess will use to connect
    back to your environment, and then click Next >.
    1. NOTE: By default, your domain's FQDN will be used, so if you have a local domain, you will
       want to switch this to your actual .com, .net, .org, whatever.
    2. As an additional side note, here is some information from the following KB article on what the
       differences are between each of the topologies. From what I gather, using the dual NIC
       configuration is Microsoft's best practice from a security standpoint.
       Two adapters: With two network adapters, Remote Access can be configured with
       one network adapter connected directly to the Internet, and the other is connected to
       the internal network. Or alternatively, the server is installed behind an edge device such
       as a firewall or a router. In this configuration, one network adapter is connected to the
       perimeter network, the other is connected to the internal network.
       Single network adapter: In this configuration, the Remote Access server is installed
       behind an edge device such as a firewall or a router. The network adapter is connected
       to the internal network.
34. On the Network Adapters step, select your External (DMZ) and Internal (LAN) adapters.
35. Leave the Remote Access Setup screen open, right click on the Start button, and select Run.
36. Type mmc and select OK.
37. Click File -> Add/Remove Snap-in…
38. Select Certificates and click Add >.
39. Select Computer account and click Next >.
40. Ensure Local Computer is selected and click Finish.
41. Click OK on the Add or Remove Snap-ins window.
42. Expand Certificates (Local Computer) -> Personal -> Certificates, right click on Certificates,
    and select Request New Certificate…
43. Click Next on the Before You Begin screen.
44. Click Next on the Select Certificate Enrollment Policy screen.
45. Select your template that will support server authentication and click More information is
    required to enroll for this certificate. Click here to configure settings.
46. On the Subject tab, enter the following values (substituting in your company's information):
    Common name: da.mydomain.com
    Country: US
    Locality: Honolulu
    Organization: My Company
    Organization Unit: Information Technology
    State: Hawaii
47. On the Private Key tab, expand Key options and check Make private key exportable. Click
    Apply when done.
48. Click Enroll.
49. Click Finish.
50. Go back to the Remote Access Setup screen and click Browse…
51. Select the da.mydomain.com certificate we just created and click OK.
52. Click Next >.
53. Check Use computer certificates, check Use an intermediate certificate, and then click
    Browse…
54. Select the certificate authority that will be issuing the client certificates and click OK.
55. Optionally, you may enable Enable Windows 7 client computers to connect via DirectAccess as well
    as Enforce corporate compliance for DirectAccess clients with NAP. Note: Configuring these two
    options is not covered in the scope of this tutorial. Click Finish when done.
56. Click on Configure… next to Step 3: Infrastructure Servers.
57. On the Remote Access Setup screen, check The network location server is deployed on a
    remote web server (recommended), type in the website address to the Network Location
    Server, and click Next >.
    1. So for whatever reason, there aren't many articles explaining what exactly the network
       location server is and how to set it up. From what I gather, the Network Location Server is
       merely a server with a website running on it that the client can contact to ensure it has
       reached the internal network. The webpage can be the default IIS webpage; just ensure the
       website is NOT accessible externally.
58. Specify any additional DNS servers you wish to use for name resolution, ensure Use local name
    resolution if the name does not exist in DNS or DNS servers are unreachable when the
    client computer is on a private network (recommended) is checked, and click Next >.
59. Check Configure DirectAccess clients with DNS client suffix search list, ensure your local
    domain's suffix has been added, and click Next >.
60. Click Finish on the Management page.
61. Click the Configure… button on Step 4: Application Servers.
62. Check Do not extend authentication to application servers and click Finish.
63. Click Finish… on the Remote Access Management Console page.
64. Click Apply on the Remote Access Review page.
65. Click Close once DirectAccess has successfully finished deploying.
66. Log in to one of your Windows 8.X Enterprise machines that is inside of your
    DirectAccess Computers security group and run gpupdate from the command line to pull
    down the latest group policy.
67. At this point, you should now be able to log in to your network via DirectAccess.
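An audit of the certificate requested in steps 42 to 51, written as an added PowerShell example that is not part of the original tutorial. It assumes the certificate's common name is da.mydomain.com (the tutorial's placeholder) and reports the properties worth confirming on the DirectAccess server: Server Authentication EKU, private key presence, expiry, chain trust, and whether the key was issued as exportable (step 47).

```powershell
# Added example (not from the original tutorial).
# Assumption: the certificate CN is the tutorial's placeholder, da.mydomain.com.
param(
    [string]$PublicName = 'da.mydomain.com'
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # OID of the Server Authentication EKU
$simpleName    = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

# Step 42 enrolls into Certificates (Local Computer) -> Personal, i.e. LocalMachine\My
$candidates = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.GetNameInfo($simpleName, $false) -eq $PublicName })

if ($candidates.Count -eq 0) {
    Write-Warning "No certificate with CN=$PublicName found in LocalMachine\My"
    return
}

foreach ($cert in $candidates) {
    # EKU OIDs present on the certificate (empty list = no EKU extension)
    $ekuOids = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })

    # Exportability can be read this way only for legacy CSP keys;
    # CNG-backed keys are reported as 'Unknown'.
    $exportable = 'Unknown'
    try {
        if ($cert.HasPrivateKey) {
            $info = $cert.PrivateKey.CspKeyContainerInfo
            if ($info) { $exportable = $info.Exportable }
        }
    } catch { }

    # Chain and name validation against the SSL policy; returns $true or $false
    $trusted = Test-Certificate -Cert $cert -Policy SSL -DNSName $PublicName `
        -ErrorAction SilentlyContinue -WarningAction SilentlyContinue

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        Expired       = ($cert.NotAfter -lt (Get-Date))
        HasPrivateKey = $cert.HasPrivateKey
        ServerAuthEku = ($ekuOids -contains $serverAuthOid)
        KeyExportable = $exportable
        ChainTrusted  = [bool]$trusted
    }
}
```

Run it in an elevated PowerShell session on the Remote Access server; reading private key properties of machine certificates requires administrator rights.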
NOTES
Here is a pretty good resource from Microsoft on helping plan your DirectAccess deployment. Once you
click on the link, in the bottom left corner you will find two steps to some good KB
articles: http://technet.microsoft.com/en-us/library/jj134262.aspx
Here is another article from Microsoft with a more in-depth explanation about where to place the
Network Location Server: http://technet.microsoft.com/en-us/library/ee382275(v=ws.10).aspx
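The note under step 57 says the Network Location Server must answer on the internal network and must NOT be accessible externally. The following added PowerShell example (not from the original tutorial) checks that requirement from either side; the host name in the parameter comment is a hypothetical placeholder for whatever address was entered in step 57.

```powershell
# Added example (not from the original tutorial).
# Run once from a LAN machine (-Vantage Internal) and once from an outside
# connection that is not using DirectAccess (-Vantage External).
param(
    [Parameter(Mandatory = $true)]
    [string]$NlsUrl,                      # e.g. https://nls.mydomain.local/ (hypothetical name)

    [ValidateSet('Internal', 'External')]
    [string]$Vantage = 'Internal'
)

$uri = [System.Uri]$NlsUrl

# 1. Does the NLS name resolve from this vantage point?
$addresses = @()
try {
    $addresses = @(Resolve-DnsName -Name $uri.DnsSafeHost -ErrorAction Stop |
        Where-Object { $_.IPAddress } |
        ForEach-Object { $_.IPAddress })
} catch { }

# 2. Does the web site answer? Any HTTP response counts as "reachable".
$status     = $null
$probeError = $null
if ($addresses.Count -gt 0) {
    try {
        $response = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
        $status   = [int]$response.StatusCode
    } catch {
        $probeError = $_.Exception.Message
        # Non-2xx answers raise an exception but still prove the site is exposed
        if ($_.Exception.Response) {
            $status = [int]$_.Exception.Response.StatusCode
        }
    }
}

# Internal: the site must return 200. External: there must be no answer at all.
if ($Vantage -eq 'Internal') {
    $pass = ($status -eq 200)
} else {
    $pass = ($null -eq $status)
}

[pscustomobject]@{
    Vantage    = $Vantage
    Host       = $uri.DnsSafeHost
    ResolvedTo = ($addresses -join ', ')
    HttpStatus = $status
    Error      = $probeError
    Pass       = $pass
}
```

A certificate validation failure shows up in the Error column with no HttpStatus, so an Internal run that fails for that reason points at the NLS site's certificate rather than at network reachability.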
This entry was posted in Active Directory, Networking and tagged DirectAccess, Remote Access, Unified
Remote Access, Windows Server 2012 R2 on December 16, 2013
[http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/] by Jack
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1735
perimeter network the other is connected to the internal network
Single network adaptermdashIn this configuration the Remote Access server is installed
behind an edge device such as a firewall or a router The network adapter is connected
to the internal network
34 On the Network Adapters step select your External (DMZ) and Internal (LAN) adapters
35 Leave the Remote Access Setup screen open and right click on Start button and select
Run
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1835
36 Type mmc and select OK
37 Click File -gt AddRemove Snap-inhellip
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1935
38 Select Certificates and click Add gt
39 Select Computer account and click Next gt
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2035
40 Ensure Local Computer is selected and click Finish
41 Click OK on the Add or Remove Snap-ins machine
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2135
42 Expand Certificates (Local Computer) -gt Personal -gt Certificates right click on Certificates
and select Request New Certificatehellip
43 Click Next on the Before You Begin screen
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2235
44 Click Next on the Select Certificate Enrollment Policy
45 Select your template that will support server authentication and click More information is
required to enroll for this certificate Click here to configure settings
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2335
46 On the Subject tab enter the following values (substituting in your companyrsquos information)
Common name damydomaincom
Country US
Locality Honolulu
Organization My Company
Organization Unit Information Technology
State Hawaii
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2435
47 On the Private Key tab expand Key options and check Make private key exportable Click
Apply when done
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2535
48 Click Enroll
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2635
49 Click Finish
50 Go back to the Remote Access Setup screen and click Browsehellip
51 Select your damydomaincom certificate we just created and click OK
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2735
52 Click Next gt
53 Check Use computer certificates and check Use an intermediate certificate and then click
Browsehellip
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2835
54 Select the certificate authority that will be issuing the client certificates and click click OK
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2935
55 Optionally you may enable Enable Windows 7 client computers to connect via DirectAccess as well
as Enforce corporate compliance for DirectAccess clients with NAP Note Configuring these two
options are not covered in the scope of this tutorial Click Finish when done
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3035
56 Click on Configurehellip next to Step 3 Infrastructure Servers
57 On the Remote Access Setup screen check The network location server is deployed on a
remote web server (recommended) type in the website address to the Network Location
Server and click Next gt
1 So for whatever reason there arenrsquot many articles explaining what exactly the network
location server is and how to set it up From what I gather the Network Location Server is
merely a server with a website running on it that the client can contact to ensure it has
reached the internal network The webpage can be the default IIS webpage just ensure the
website is NOT accessible externally
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3135
58 Specify any additional DNS servers you wish to use for name resolution ensure Use local name
resolution if the name does not exist in DNS or DNS servers are unreachable when the
client computer is on a private network (recommended) is checked and click Next gt
59 Check Configure DirectAccess clients with DNS client suffix search list ensure your local
domainrsquos suffix has been added and click Next gt
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3235
60 Click Finish on the Management page
61 Click the Configurehellip button on Step 4 Application Servers
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3335
62 Check Do not extend authentication to application servers and click Finish
63 Click Finishhellip on the Remote Access Management Console page
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3435
64 Click Apply on the Remote Access Review page
65 Click Close once direct access has successfully finished deploying
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3535
66 Login to one of your Windows 8X Enterprise machines that is inside of your
DirectAccess Compuers security group and run a gpupdate from command line to pull
down the latest group policy
67 At this point you should now be able to login to your network via DirectAccess
NOTES
Here is a pretty good resource from Microsoft on helping plan your DirectAccess deployment Once you
click on the link in the bottom left corner you will find two steps to some good KB
articles httptechnetmicrosoftcomen-uslibraryjj134262aspx
Here is another article from Microsoft with a more indepth explanation about where to place the
Network Location Server httptechnetmicrosoftcomen-uslibraryee382275(v=ws10)aspx
This entry was posted in Active Directory Networking and tagged DirectAccess Remote Access Unified
Remote Access Windows Server 2012 R2 on December 16 2013
[httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2] by Jack
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1835
36 Type mmc and select OK
37 Click File -gt AddRemove Snap-inhellip
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1935
38 Select Certificates and click Add gt
39 Select Computer account and click Next gt
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2035
40 Ensure Local Computer is selected and click Finish
41 Click OK on the Add or Remove Snap-ins machine
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2135
42 Expand Certificates (Local Computer) -gt Personal -gt Certificates right click on Certificates
and select Request New Certificatehellip
43 Click Next on the Before You Begin screen
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2235
44 Click Next on the Select Certificate Enrollment Policy
45 Select your template that will support server authentication and click More information is
required to enroll for this certificate Click here to configure settings
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2335
46 On the Subject tab enter the following values (substituting in your companyrsquos information)
Common name damydomaincom
Country US
Locality Honolulu
Organization My Company
Organization Unit Information Technology
State Hawaii
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2435
47 On the Private Key tab expand Key options and check Make private key exportable Click
Apply when done
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2535
48 Click Enroll
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2635
49 Click Finish
50 Go back to the Remote Access Setup screen and click Browsehellip
51 Select your damydomaincom certificate we just created and click OK
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2735
52 Click Next gt
53 Check Use computer certificates and check Use an intermediate certificate and then click
Browsehellip
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2835
54 Select the certificate authority that will be issuing the client certificates and click click OK
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2935
55 Optionally you may enable Enable Windows 7 client computers to connect via DirectAccess as well
as Enforce corporate compliance for DirectAccess clients with NAP Note Configuring these two
options are not covered in the scope of this tutorial Click Finish when done
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3035
56 Click on Configurehellip next to Step 3 Infrastructure Servers
57 On the Remote Access Setup screen check The network location server is deployed on a
remote web server (recommended) type in the website address to the Network Location
Server and click Next gt
1 So for whatever reason there arenrsquot many articles explaining what exactly the network
location server is and how to set it up From what I gather the Network Location Server is
merely a server with a website running on it that the client can contact to ensure it has
reached the internal network The webpage can be the default IIS webpage just ensure the
website is NOT accessible externally
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3135
58 Specify any additional DNS servers you wish to use for name resolution ensure Use local name
resolution if the name does not exist in DNS or DNS servers are unreachable when the
client computer is on a private network (recommended) is checked and click Next gt
59 Check Configure DirectAccess clients with DNS client suffix search list ensure your local
domainrsquos suffix has been added and click Next gt
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3235
60 Click Finish on the Management page
61 Click the Configurehellip button on Step 4 Application Servers
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3335
62 Check Do not extend authentication to application servers and click Finish
63 Click Finishhellip on the Remote Access Management Console page
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3435
64 Click Apply on the Remote Access Review page
65 Click Close once direct access has successfully finished deploying
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3535
66 Login to one of your Windows 8X Enterprise machines that is inside of your
DirectAccess Compuers security group and run a gpupdate from command line to pull
down the latest group policy
67 At this point you should now be able to login to your network via DirectAccess
NOTES
Here is a pretty good resource from Microsoft on helping plan your DirectAccess deployment Once you
click on the link in the bottom left corner you will find two steps to some good KB
articles httptechnetmicrosoftcomen-uslibraryjj134262aspx
Here is another article from Microsoft with a more indepth explanation about where to place the
Network Location Server httptechnetmicrosoftcomen-uslibraryee382275(v=ws10)aspx
This entry was posted in Active Directory Networking and tagged DirectAccess Remote Access Unified
Remote Access Windows Server 2012 R2 on December 16 2013
[httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2] by Jack
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 1935
38 Select Certificates and click Add gt
39 Select Computer account and click Next gt
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2035
40 Ensure Local Computer is selected and click Finish
41 Click OK on the Add or Remove Snap-ins machine
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2135
42 Expand Certificates (Local Computer) -gt Personal -gt Certificates right click on Certificates
and select Request New Certificatehellip
43 Click Next on the Before You Begin screen
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2235
44 Click Next on the Select Certificate Enrollment Policy
45 Select your template that will support server authentication and click More information is
required to enroll for this certificate Click here to configure settings
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2335
46 On the Subject tab enter the following values (substituting in your companyrsquos information)
Common name damydomaincom
Country US
Locality Honolulu
Organization My Company
Organization Unit Information Technology
State Hawaii
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2435
47 On the Private Key tab expand Key options and check Make private key exportable Click
Apply when done
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2535
48 Click Enroll
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2635
49 Click Finish
50 Go back to the Remote Access Setup screen and click Browsehellip
51 Select your damydomaincom certificate we just created and click OK
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2735
52 Click Next gt
53 Check Use computer certificates and check Use an intermediate certificate and then click
Browsehellip
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2835
54 Select the certificate authority that will be issuing the client certificates and click click OK
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2935
55 Optionally you may enable Enable Windows 7 client computers to connect via DirectAccess as well
as Enforce corporate compliance for DirectAccess clients with NAP Note Configuring these two
options are not covered in the scope of this tutorial Click Finish when done
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3035
56 Click on Configurehellip next to Step 3 Infrastructure Servers
57 On the Remote Access Setup screen check The network location server is deployed on a
remote web server (recommended) type in the website address to the Network Location
Server and click Next gt
1 So for whatever reason there arenrsquot many articles explaining what exactly the network
location server is and how to set it up From what I gather the Network Location Server is
merely a server with a website running on it that the client can contact to ensure it has
reached the internal network The webpage can be the default IIS webpage just ensure the
website is NOT accessible externally
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3135
58 Specify any additional DNS servers you wish to use for name resolution ensure Use local name
resolution if the name does not exist in DNS or DNS servers are unreachable when the
client computer is on a private network (recommended) is checked and click Next gt
59 Check Configure DirectAccess clients with DNS client suffix search list ensure your local
domainrsquos suffix has been added and click Next gt
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3235
60 Click Finish on the Management page
61 Click the Configurehellip button on Step 4 Application Servers
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3335
62 Check Do not extend authentication to application servers and click Finish
63 Click Finishhellip on the Remote Access Management Console page
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3435
64 Click Apply on the Remote Access Review page
65 Click Close once direct access has successfully finished deploying
66. Log in to one of your Windows 8.X Enterprise machines that is inside of your
DirectAccess Computers security group and run gpupdate from the command line to pull
down the latest group policy.
67. At this point, you should now be able to log in to your network via DirectAccess.
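The checks below are an added example, not part of the original tutorial. They confirm from a client what steps 57 and 66-67 depend on: the client GPO has delivered the Network Location Server (NLS) URL and the name resolution policy table, and the NLS answers inside the network but not outside it. The address `https://nls.mydomain.com/` and the `-Location` parameter are assumptions made for this example; substitute the address entered in step 57.

```powershell
# Added example: post-deployment checks, run elevated on a DirectAccess client.
param(
    # Assumption: placeholder for the NLS address typed in at step 57.
    [string]$NlsUrl = 'https://nls.mydomain.com/',

    # Where this client is physically connected right now. The operator has
    # to say so, because a client that can reach the NLS always believes it
    # is inside, even when the NLS has been exposed externally by mistake.
    [ValidateSet('Inside', 'Outside')]
    [string]$Location = 'Inside'
)

function Test-NlsReachable {
    param([string]$Url)
    try {
        # An untrusted or expired certificate throws here as well, which is
        # the right outcome: the DirectAccess client also needs a trusted
        # HTTPS answer from the NLS before it decides it is inside.
        $response = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
        return ($response.StatusCode -eq 200)
    } catch {
        return $false
    }
}

# Step 66: pull down the DirectAccess client GPO.
gpupdate /target:computer /force | Out-Null

$nlsHost = ([uri]$NlsUrl).Host
$checks  = [ordered]@{}

# The client GPO sets the URL the client probes to decide "am I inside?".
$ncsi = Get-NCSIPolicyConfiguration
$nlsUrlFromGpo = [string]$ncsi.DomainLocationDeterminationUrl
$checks['GPO delivered the NLS URL'] = $nlsUrlFromGpo -like "https://$nlsHost*"

# The NRPT sends intranet names to the DirectAccess DNS servers. The NLS name
# must be an exemption (no DirectAccess DNS servers listed), so that a remote
# client resolves it with its local DNS and cannot reach it.
$nrpt = @(Get-DnsClientNrptPolicy)
$checks['NRPT rules present'] = $nrpt.Count -gt 0
$exemption = @($nrpt | Where-Object {
    @($_.Namespace) -contains $nlsHost -and -not $_.DirectAccessDnsServers
})
$checks['NLS name exempted in NRPT'] = $exemption.Count -gt 0

# Connection state as reported by the DirectAccess client components.
try {
    $status = [string](Get-DAConnectionStatus -ErrorAction Stop).Status
} catch {
    $status = 'Unknown'   # client policy not applied or service not running
}

$nlsUp = Test-NlsReachable -Url $NlsUrl

if ($Location -eq 'Inside') {
    $checks['NLS reachable from the internal network'] = $nlsUp
    $checks['Status is ConnectedLocally'] = $status -eq 'ConnectedLocally'
} else {
    # The requirement from the note under step 57: the NLS site must NOT
    # answer a client that is on the Internet.
    $checks['NLS NOT reachable from the Internet'] = -not $nlsUp
    $checks['Status is ConnectedRemotely'] = $status -eq 'ConnectedRemotely'
}

$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Passed = $_.Value }
} | Format-Table -AutoSize
```

Run it once on the corporate LAN with `-Location Inside` and once from an outside connection with `-Location Outside`; any row showing `False` points at the step to revisit.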
NOTES
Here is a pretty good resource from Microsoft on helping plan your DirectAccess deployment. Once you
click on the link, in the bottom left corner you will find two steps to some good KB
articles: http://technet.microsoft.com/en-us/library/jj134262.aspx
Here is another article from Microsoft with a more in-depth explanation about where to place the
Network Location Server: http://technet.microsoft.com/en-us/library/ee382275(v=ws.10).aspx
This entry was posted in Active Directory, Networking and tagged DirectAccess, Remote Access, Unified
Remote Access, Windows Server 2012 R2 on December 16, 2013
[http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/] by Jack
40. Ensure Local Computer is selected and click Finish.
41. Click OK on the Add or Remove Snap-ins screen.
42. Expand Certificates (Local Computer) -> Personal -> Certificates, right click on Certificates,
and select Request New Certificate...
43. Click Next on the Before You Begin screen.
44. Click Next on the Select Certificate Enrollment Policy screen.
45. Select your template that will support server authentication and click "More information is
required to enroll for this certificate. Click here to configure settings."
46. On the Subject tab, enter the following values (substituting in your company's information):
    Common name: da.mydomain.com
    Country: US
    Locality: Honolulu
    Organization: My Company
    Organization Unit: Information Technology
    State: Hawaii
47. On the Private Key tab, expand Key options and check "Make private key exportable". Click
Apply when done.
48. Click Enroll.
49. Click Finish.
50. Go back to the Remote Access Setup screen and click Browse...
51. Select the da.mydomain.com certificate we just created and click OK.
52. Click Next >.
53. Check "Use computer certificates", check "Use an intermediate certificate", and then click
Browse...
54. Select the certificate authority that will be issuing the client certificates and click OK.
55. Optionally, you may enable "Enable Windows 7 client computers to connect via DirectAccess" as well
as "Enforce corporate compliance for DirectAccess clients with NAP". Note: Configuring these two
options is not covered in the scope of this tutorial. Click Finish when done.
56. Click on Configure... next to Step 3: Infrastructure Servers.
57 On the Remote Access Setup screen check The network location server is deployed on a
remote web server (recommended) type in the website address to the Network Location
Server and click Next gt
1 So for whatever reason there arenrsquot many articles explaining what exactly the network
location server is and how to set it up From what I gather the Network Location Server is
merely a server with a website running on it that the client can contact to ensure it has
reached the internal network The webpage can be the default IIS webpage just ensure the
website is NOT accessible externally
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3135
58 Specify any additional DNS servers you wish to use for name resolution ensure Use local name
resolution if the name does not exist in DNS or DNS servers are unreachable when the
client computer is on a private network (recommended) is checked and click Next gt
59 Check Configure DirectAccess clients with DNS client suffix search list ensure your local
domainrsquos suffix has been added and click Next gt
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3235
60 Click Finish on the Management page
61 Click the Configurehellip button on Step 4 Application Servers
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3335
62 Check Do not extend authentication to application servers and click Finish
63 Click Finishhellip on the Remote Access Management Console page
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3435
64 Click Apply on the Remote Access Review page
65 Click Close once direct access has successfully finished deploying
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3535
66 Login to one of your Windows 8X Enterprise machines that is inside of your
DirectAccess Compuers security group and run a gpupdate from command line to pull
down the latest group policy
67 At this point you should now be able to login to your network via DirectAccess
NOTES
Here is a pretty good resource from Microsoft on helping plan your DirectAccess deployment Once you
click on the link in the bottom left corner you will find two steps to some good KB
articles httptechnetmicrosoftcomen-uslibraryjj134262aspx
Here is another article from Microsoft with a more indepth explanation about where to place the
Network Location Server httptechnetmicrosoftcomen-uslibraryee382275(v=ws10)aspx
This entry was posted in Active Directory Networking and tagged DirectAccess Remote Access Unified
Remote Access Windows Server 2012 R2 on December 16 2013
[httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2] by Jack
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2135
42 Expand Certificates (Local Computer) -gt Personal -gt Certificates right click on Certificates
and select Request New Certificatehellip
43 Click Next on the Before You Begin screen
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2235
44 Click Next on the Select Certificate Enrollment Policy
45 Select your template that will support server authentication and click More information is
required to enroll for this certificate Click here to configure settings
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2335
46 On the Subject tab enter the following values (substituting in your companyrsquos information)
Common name damydomaincom
Country US
Locality Honolulu
Organization My Company
Organization Unit Information Technology
State Hawaii
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2435
47 On the Private Key tab expand Key options and check Make private key exportable Click
Apply when done
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2535
48 Click Enroll
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2635
49 Click Finish
50 Go back to the Remote Access Setup screen and click Browsehellip
51 Select your damydomaincom certificate we just created and click OK
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2735
52 Click Next gt
53 Check Use computer certificates and check Use an intermediate certificate and then click
Browsehellip
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2835
54 Select the certificate authority that will be issuing the client certificates and click click OK
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2935
55 Optionally you may enable Enable Windows 7 client computers to connect via DirectAccess as well
as Enforce corporate compliance for DirectAccess clients with NAP Note Configuring these two
options are not covered in the scope of this tutorial Click Finish when done
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3035
56 Click on Configurehellip next to Step 3 Infrastructure Servers
57 On the Remote Access Setup screen check The network location server is deployed on a
remote web server (recommended) type in the website address to the Network Location
Server and click Next gt
1 So for whatever reason there arenrsquot many articles explaining what exactly the network
location server is and how to set it up From what I gather the Network Location Server is
merely a server with a website running on it that the client can contact to ensure it has
reached the internal network The webpage can be the default IIS webpage just ensure the
website is NOT accessible externally
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3135
58 Specify any additional DNS servers you wish to use for name resolution ensure Use local name
resolution if the name does not exist in DNS or DNS servers are unreachable when the
client computer is on a private network (recommended) is checked and click Next gt
59 Check Configure DirectAccess clients with DNS client suffix search list ensure your local
domainrsquos suffix has been added and click Next gt
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3235
60 Click Finish on the Management page
61 Click the Configurehellip button on Step 4 Application Servers
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3335
62 Check Do not extend authentication to application servers and click Finish
63 Click Finishhellip on the Remote Access Management Console page
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3435
64 Click Apply on the Remote Access Review page
65 Click Close once direct access has successfully finished deploying
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3535
66 Login to one of your Windows 8X Enterprise machines that is inside of your
DirectAccess Compuers security group and run a gpupdate from command line to pull
down the latest group policy
67 At this point you should now be able to login to your network via DirectAccess
NOTES
Here is a pretty good resource from Microsoft on helping plan your DirectAccess deployment Once you
click on the link in the bottom left corner you will find two steps to some good KB
articles httptechnetmicrosoftcomen-uslibraryjj134262aspx
Here is another article from Microsoft with a more indepth explanation about where to place the
Network Location Server httptechnetmicrosoftcomen-uslibraryee382275(v=ws10)aspx
This entry was posted in Active Directory Networking and tagged DirectAccess Remote Access Unified
Remote Access Windows Server 2012 R2 on December 16 2013
[httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2] by Jack
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2235
44 Click Next on the Select Certificate Enrollment Policy
45 Select your template that will support server authentication and click More information is
required to enroll for this certificate Click here to configure settings
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2335
46 On the Subject tab enter the following values (substituting in your companyrsquos information)
Common name damydomaincom
Country US
Locality Honolulu
Organization My Company
Organization Unit Information Technology
State Hawaii
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2435
47 On the Private Key tab expand Key options and check Make private key exportable Click
Apply when done
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2535
48 Click Enroll
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2635
49 Click Finish
50 Go back to the Remote Access Setup screen and click Browsehellip
51 Select your damydomaincom certificate we just created and click OK
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2735
52 Click Next gt
53 Check Use computer certificates and check Use an intermediate certificate and then click
Browsehellip
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2835
54 Select the certificate authority that will be issuing the client certificates and click click OK
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2935
55 Optionally you may enable Enable Windows 7 client computers to connect via DirectAccess as well
as Enforce corporate compliance for DirectAccess clients with NAP Note Configuring these two
options are not covered in the scope of this tutorial Click Finish when done
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3035
56 Click on Configurehellip next to Step 3 Infrastructure Servers
57 On the Remote Access Setup screen check The network location server is deployed on a
remote web server (recommended) type in the website address to the Network Location
Server and click Next gt
1 So for whatever reason there arenrsquot many articles explaining what exactly the network
location server is and how to set it up From what I gather the Network Location Server is
merely a server with a website running on it that the client can contact to ensure it has
reached the internal network The webpage can be the default IIS webpage just ensure the
website is NOT accessible externally
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3135
58 Specify any additional DNS servers you wish to use for name resolution ensure Use local name
resolution if the name does not exist in DNS or DNS servers are unreachable when the
client computer is on a private network (recommended) is checked and click Next gt
59 Check Configure DirectAccess clients with DNS client suffix search list ensure your local
domainrsquos suffix has been added and click Next gt
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3235
60 Click Finish on the Management page
61 Click the Configurehellip button on Step 4 Application Servers
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3335
62 Check Do not extend authentication to application servers and click Finish
63 Click Finishhellip on the Remote Access Management Console page
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3435
64 Click Apply on the Remote Access Review page
65 Click Close once direct access has successfully finished deploying
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3535
66 Login to one of your Windows 8X Enterprise machines that is inside of your
DirectAccess Compuers security group and run a gpupdate from command line to pull
down the latest group policy
67 At this point you should now be able to login to your network via DirectAccess
NOTES
Here is a pretty good resource from Microsoft on helping plan your DirectAccess deployment Once you
click on the link in the bottom left corner you will find two steps to some good KB
articles httptechnetmicrosoftcomen-uslibraryjj134262aspx
Here is another article from Microsoft with a more indepth explanation about where to place the
Network Location Server httptechnetmicrosoftcomen-uslibraryee382275(v=ws10)aspx
This entry was posted in Active Directory Networking and tagged DirectAccess Remote Access Unified
Remote Access Windows Server 2012 R2 on December 16 2013
[httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2] by Jack
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2335
46 On the Subject tab enter the following values (substituting in your companyrsquos information)
Common name damydomaincom
Country US
Locality Honolulu
Organization My Company
Organization Unit Information Technology
State Hawaii
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2435
47 On the Private Key tab expand Key options and check Make private key exportable Click
Apply when done
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2535
48 Click Enroll
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2635
49 Click Finish
50 Go back to the Remote Access Setup screen and click Browsehellip
51 Select your damydomaincom certificate we just created and click OK
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2735
52 Click Next gt
53 Check Use computer certificates and check Use an intermediate certificate and then click
Browsehellip
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2835
54 Select the certificate authority that will be issuing the client certificates and click click OK
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2935
55 Optionally you may enable Enable Windows 7 client computers to connect via DirectAccess as well
as Enforce corporate compliance for DirectAccess clients with NAP Note Configuring these two
options are not covered in the scope of this tutorial Click Finish when done
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3035
56 Click on Configurehellip next to Step 3 Infrastructure Servers
57 On the Remote Access Setup screen check The network location server is deployed on a
remote web server (recommended) type in the website address to the Network Location
Server and click Next gt
1 So for whatever reason there arenrsquot many articles explaining what exactly the network
location server is and how to set it up From what I gather the Network Location Server is
merely a server with a website running on it that the client can contact to ensure it has
reached the internal network The webpage can be the default IIS webpage just ensure the
website is NOT accessible externally
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3135
58 Specify any additional DNS servers you wish to use for name resolution ensure Use local name
resolution if the name does not exist in DNS or DNS servers are unreachable when the
client computer is on a private network (recommended) is checked and click Next gt
59 Check Configure DirectAccess clients with DNS client suffix search list ensure your local
domainrsquos suffix has been added and click Next gt
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3235
60 Click Finish on the Management page
61 Click the Configurehellip button on Step 4 Application Servers
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3335
62 Check Do not extend authentication to application servers and click Finish
63 Click Finishhellip on the Remote Access Management Console page
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3435
64 Click Apply on the Remote Access Review page
65 Click Close once direct access has successfully finished deploying
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3535
66 Login to one of your Windows 8X Enterprise machines that is inside of your
DirectAccess Compuers security group and run a gpupdate from command line to pull
down the latest group policy
67 At this point you should now be able to login to your network via DirectAccess
NOTES
Here is a pretty good resource from Microsoft on helping plan your DirectAccess deployment Once you
click on the link in the bottom left corner you will find two steps to some good KB
articles httptechnetmicrosoftcomen-uslibraryjj134262aspx
Here is another article from Microsoft with a more indepth explanation about where to place the
Network Location Server httptechnetmicrosoftcomen-uslibraryee382275(v=ws10)aspx
This entry was posted in Active Directory Networking and tagged DirectAccess Remote Access Unified
Remote Access Windows Server 2012 R2 on December 16 2013
[httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2] by Jack
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2435
47 On the Private Key tab expand Key options and check Make private key exportable Click
Apply when done
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2535
48 Click Enroll
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2635
49 Click Finish
50 Go back to the Remote Access Setup screen and click Browsehellip
51 Select your damydomaincom certificate we just created and click OK
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2735
52 Click Next gt
53 Check Use computer certificates and check Use an intermediate certificate and then click
Browsehellip
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2835
54 Select the certificate authority that will be issuing the client certificates and click click OK
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2935
55 Optionally you may enable Enable Windows 7 client computers to connect via DirectAccess as well
as Enforce corporate compliance for DirectAccess clients with NAP Note Configuring these two
options are not covered in the scope of this tutorial Click Finish when done
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3035
56 Click on Configurehellip next to Step 3 Infrastructure Servers
57 On the Remote Access Setup screen check The network location server is deployed on a
remote web server (recommended) type in the website address to the Network Location
Server and click Next gt
1 So for whatever reason there arenrsquot many articles explaining what exactly the network
location server is and how to set it up From what I gather the Network Location Server is
merely a server with a website running on it that the client can contact to ensure it has
reached the internal network The webpage can be the default IIS webpage just ensure the
website is NOT accessible externally
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3135
58 Specify any additional DNS servers you wish to use for name resolution ensure Use local name
resolution if the name does not exist in DNS or DNS servers are unreachable when the
client computer is on a private network (recommended) is checked and click Next gt
59 Check Configure DirectAccess clients with DNS client suffix search list ensure your local
domainrsquos suffix has been added and click Next gt
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3235
60 Click Finish on the Management page
61 Click the Configurehellip button on Step 4 Application Servers
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3335
62 Check Do not extend authentication to application servers and click Finish
63 Click Finishhellip on the Remote Access Management Console page
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3435
64 Click Apply on the Remote Access Review page
65 Click Close once direct access has successfully finished deploying
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3535
66 Login to one of your Windows 8X Enterprise machines that is inside of your
DirectAccess Compuers security group and run a gpupdate from command line to pull
down the latest group policy
67 At this point you should now be able to login to your network via DirectAccess
NOTES
Here is a pretty good resource from Microsoft on helping plan your DirectAccess deployment Once you
click on the link in the bottom left corner you will find two steps to some good KB
articles httptechnetmicrosoftcomen-uslibraryjj134262aspx
Here is another article from Microsoft with a more indepth explanation about where to place the
Network Location Server httptechnetmicrosoftcomen-uslibraryee382275(v=ws10)aspx
This entry was posted in Active Directory Networking and tagged DirectAccess Remote Access Unified
Remote Access Windows Server 2012 R2 on December 16 2013
[httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2] by Jack
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2535
48 Click Enroll
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2635
49 Click Finish
50 Go back to the Remote Access Setup screen and click Browsehellip
51 Select your damydomaincom certificate we just created and click OK
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2735
52 Click Next gt
53 Check Use computer certificates and check Use an intermediate certificate and then click
Browsehellip
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2835
54 Select the certificate authority that will be issuing the client certificates and click click OK
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 2935
55 Optionally you may enable Enable Windows 7 client computers to connect via DirectAccess as well
as Enforce corporate compliance for DirectAccess clients with NAP Note Configuring these two
options are not covered in the scope of this tutorial Click Finish when done
212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg
httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 3035
56. Click on Configure... next to Step 3: Infrastructure Servers.
57. On the Remote Access Setup screen, check The network location server is deployed on a
remote web server (recommended), type in the website address to the Network Location
Server, and click Next >.
   1. So, for whatever reason, there aren't many articles explaining what exactly the network
   location server is and how to set it up. From what I gather, the Network Location Server is
   merely a server with a website running on it that the client can contact to ensure it has
   reached the internal network. The webpage can be the default IIS webpage; just ensure the
   website is NOT accessible externally.
58. Specify any additional DNS servers you wish to use for name resolution, ensure Use local name
resolution if the name does not exist in DNS or DNS servers are unreachable when the
client computer is on a private network (recommended) is checked, and click Next >.
59. Check Configure DirectAccess clients with DNS client suffix search list, ensure your local
domain's suffix has been added, and click Next >.
60. Click Finish on the Management page.
61. Click the Configure... button on Step 4: Application Servers.
62. Check Do not extend authentication to application servers and click Finish.
63. Click Finish... on the Remote Access Management Console page.
64. Click Apply on the Remote Access Review page.
65. Click Close once DirectAccess has successfully finished deploying.
66. Log in to one of your Windows 8.X Enterprise machines that is inside of your
DirectAccess Computers security group and run a gpupdate from the command line to pull
down the latest group policy.
67. At this point, you should now be able to log in to your network via DirectAccess.
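One way to check the Network Location Server behaviour described in step 57 once step 66 is done, as an added PowerShell example that is not part of the original tutorial. It assumes the NLS URL was delivered to the client by the DirectAccess client GPO and is served over HTTPS; Test-NlsPlacement and its -Vantage parameter are names made up for this example.

```powershell
# Added example (not from the original tutorial).
# Run on a DirectAccess client after gpupdate, once while plugged into the
# internal network (-Vantage Inside) and once from an Internet connection
# (-Vantage Outside). Test-NlsPlacement is a hypothetical helper name.

function Test-NlsPlacement {
    [CmdletBinding()]
    param(
        # Where this client is physically connected right now.
        [Parameter(Mandatory = $true)]
        [ValidateSet('Inside', 'Outside')]
        [string]$Vantage
    )

    # The NLS URL the client uses for inside/outside detection, as set by policy.
    $nlsUrl = (Get-NCSIPolicyConfiguration).DomainLocationDeterminationUrl
    if ([string]::IsNullOrEmpty($nlsUrl)) {
        throw 'No NLS URL in policy: check security group membership and run gpupdate first.'
    }
    $nlsHost = ([uri]$nlsUrl).Host

    # 1. Does the NLS name resolve from this vantage point?
    $resolves = [bool](Resolve-DnsName -Name $nlsHost -ErrorAction SilentlyContinue)

    # 2. Can the site be fetched? A certificate or connection failure lands in catch.
    $reachable  = $false
    $probeError = $null
    try {
        $response  = Invoke-WebRequest -Uri $nlsUrl -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
        $reachable = ($response.StatusCode -eq 200)
    }
    catch {
        $probeError = $_.Exception.Message
    }

    # 3. What the DirectAccess client itself concluded.
    $daStatus = (Get-DAConnectionStatus -ErrorAction SilentlyContinue).Status
    $expected = if ($Vantage -eq 'Inside') { 'ConnectedLocally' } else { 'ConnectedRemotely' }

    # 4. Turn the probe result into a finding for this vantage point.
    if ($Vantage -eq 'Inside' -and $reachable) {
        $finding = 'OK: NLS answers on the internal network.'
    }
    elseif ($Vantage -eq 'Inside') {
        $finding = 'PROBLEM: NLS unreachable internally; clients will behave as if they were on the Internet.'
    }
    elseif ($reachable) {
        $finding = 'PROBLEM: NLS is reachable externally; remote clients will believe they are inside and skip DirectAccess.'
    }
    else {
        $finding = 'OK: NLS is not reachable from outside.'
    }

    [pscustomobject]@{
        Vantage          = $Vantage
        NlsUrl           = $nlsUrl
        NameResolves     = $resolves
        NlsReachable     = $reachable
        ProbeError       = $probeError
        DAStatus         = "$daStatus"
        ExpectedDAStatus = $expected
        StatusAsExpected = ("$daStatus" -eq $expected)
        Finding          = $finding
    }
}

# Run from the internal network first, then repeat with -Vantage Outside.
Test-NlsPlacement -Vantage Inside | Format-List
```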
NOTES
Here is a pretty good resource from Microsoft on helping plan your DirectAccess deployment. Once you
click on the link in the bottom left corner, you will find two steps to some good KB
articles: http://technet.microsoft.com/en-us/library/jj134262.aspx
Here is another article from Microsoft with a more in-depth explanation about where to place the
Network Location Server: http://technet.microsoft.com/en-us/library/ee382275(v=ws.10).aspx