[Tutorial] Configuring Direct Access on Server 2012 R2 _ Jack Stromberg

212014 [Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg

httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2 135

Jack StrombergA site about stuff

[Tutorial] Configuring Direct Access on Server2012 R2

This tutorial will cover deployment of Windows Server 2012 R2primes latest version of DirectAccess While

there are multiple ways to configure Direct Access I tried to pull together what I believe are the

bestrecommended practices and what I believe would be a common deployment between

organizations If you have any thoughtsfeedback on how to improve this deployment please leave a

comment below

Before beginning if you are curious what DirectAccess is here is a brief overview of what it is and what it

will allow us to accomplish

DirectAccess also known as Unified Remote Access is a VPN-like technology that

provides intranet connectivity to client computers when they are connected to the Internet Unlike

many traditional VPN connections which must be initiated and terminated by explicit user action

DirectAccess connections are designed to connect automatically as soon as the computer connects to

the Internet DirectAccess was introduced in Windows Server 2008 R2 providing this service

to Windows 7 and Windows 8 rdquoEnterpriserdquo edition clients

httpenwikipediaorgwikiDirectAccess

Prerequisites

Domain Admin rights to complete the tutorial below

Windows Server 2012 R2 machine

Two network cards ndash One in your internal network the other in your DMZ

Joined to your domain

Latest Windows Updates

(seriously apply these there are updates released specifically for DirectAccess)

DMZ

PKI Setup (Public Key Infrastructure to issue self-signed certificates)

Custom template setup for issuing servers with an intended purpose of Server

Authentication



Certificate auto-enrollment has been configured

Active Directory Security Group designated with Computer Objects allowed to use DirectAccess

1 Login to your Server 2012 R2 server we will be using for installing the Direct Access

2 Ensure all windows updates have been applied

3 Open up Server Manager

4 Select Manage -gt Add Roles and Features

5 Click Next gt on the Before you Begin step



6 Ensure Role-based or feature-based installation is checked and click Next gt

7 Select Next gt on the Select destination server step



8 Check Remote Access and click Next gt

9 Click Next gt on the Select Features step



10 Click Next gt on the Remote Access step

11 Check DirectAccess and VPN (RAS)



12 Click the Add Features button on the dialog box that prompts

13 Check DirectAccess and VPN (RAS) and then click Next gt



14 Click Next gt on the Web Server Role (IIS) page

15 Click Next gt on the Role Services page



16 Check the Restart the destination server automatically if required checkbox and click Yes on

the dialog box



17 Click Install

18 Click Close when the install has completed



19 Back in Server Manager click on Tools -gt Remote Access Management (You can ignore the

warning icon the Open the Getting Started Wizard will only do a quick setup of DirectAccess We

want to do a full deployment)



Here is what the quick deployment looks like Donrsquot click on this

20 On the Remote Access Management Console click on DirectAccess and VPN on the top left and

then click on the Run the Remote Access Setup Wizard

21 On the Configure Remote Access window select Deploy DirectAccess only



22 Click on the Configurehellip button for Step 1 Remote Clients

23 Select Deploy full DirectAccess for client access and remote management and click Next gt



24

25 Click on the Addhellip button

26

27 Select the security group inside of Active Directory that will contain computer objects allowed to

use DirectAccess and click OK



28 Optionally uncheck or check Enable DirectAccess for mobile computers only as well as Use force

tunneling and click Next gt

1 If Enable DirectAccess for mobile computers is checked WMI will query the machine to

determine if it is a laptoptablet If WMI determines the machine is not a ldquomobile devicerdquo the

group policy object will not be applied to those machines in the security group In short if

checked DirectAccess will not be applied to computers that are desktops or VMs placed

inside the security group

2 If Use force tunneling is enabled mobile computers will always connect to the DirectAccess

server regardless if the client is directly attached to local network or is remote

3

29 Double click on the Resource | Type row

1 What this step is trying to do is find a resource on the internal network that the client can

ldquopingrdquo to ensure the DirectAccess client has successfully connected to the internal network



30 Select whether you want the client to verify it has connected to the internal network via a HTTP

response or network ping optionally click the validate button to test the connection and then click

Add

1 You may want to add a couple resources for failover testing purposes however it isnrsquot

recommended to list every resource on your internal network

31 Enter in your Helpdesk email address and DirectAccess connection name (this name will show

up as the name of the connection a user would use) and check Allow DirectAccess clients to use

local name resolution and click Finish

1 Based on what I could find checking Allow DirectAccess clients to use local name resolution

will allow the DirectAccess client to use the DNS server published by DHCP on the physical

network they are connected to In the event the Network Location server is unavailable the

client would then use the local DNS server for name resolution allowing the client to at least

access some things via DNS



32 Click on Configurehellip next to Step 2 Remote Access Server

33 On the Remote Access Server Setup page select Behind an edge device (with two network

adapters) and ensure you specify a public facing DNS record that DirectAccess will use to connect

back to your environment and then click Next gt

1 NOTE By default your domainrsquos FQDN will be used so if you have a local domain you will

want to switch this to your actual com net org whatever

2 As an additional side note hereis some information from the following KB article on what the

differences are between each of the topologies From what I gather using the dual NIC

configuration is Microsoftrsquos best practice from a security standpoint

Two adaptersmdashWith two network adapters Remote Access can be configured with

one network adapter connected directly to the Internet and the other is connected to

the internal network Or alternatively the server is installed behind an edge device such

as a firewall or a router In this configuration one network adapter is connected to the



perimeter network the other is connected to the internal network

Single network adaptermdashIn this configuration the Remote Access server is installed

behind an edge device such as a firewall or a router The network adapter is connected

to the internal network

34 On the Network Adapters step select your External (DMZ) and Internal (LAN) adapters

35 Leave the Remote Access Setup screen open and right click on Start button and select

Run



36 Type mmc and select OK

37 Click File -gt AddRemove Snap-inhellip



38 Select Certificates and click Add gt

39 Select Computer account and click Next gt



40 Ensure Local Computer is selected and click Finish

41 Click OK on the Add or Remove Snap-ins machine



42 Expand Certificates (Local Computer) -gt Personal -gt Certificates right click on Certificates

and select Request New Certificatehellip

43 Click Next on the Before You Begin screen



44 Click Next on the Select Certificate Enrollment Policy

45 Select your template that will support server authentication and click More information is

required to enroll for this certificate Click here to configure settings



46 On the Subject tab enter the following values (substituting in your companyrsquos information)

Common name damydomaincom

Country US

Locality Honolulu

Organization My Company

Organization Unit Information Technology

State Hawaii



47 On the Private Key tab expand Key options and check Make private key exportable Click

Apply when done



48 Click Enroll



49 Click Finish

50 Go back to the Remote Access Setup screen and click Browsehellip

51 Select your damydomaincom certificate we just created and click OK



52 Click Next gt

53 Check Use computer certificates and check Use an intermediate certificate and then click

Browsehellip



54 Select the certificate authority that will be issuing the client certificates and click click OK



55 Optionally you may enable Enable Windows 7 client computers to connect via DirectAccess as well

as Enforce corporate compliance for DirectAccess clients with NAP Note Configuring these two

options are not covered in the scope of this tutorial Click Finish when done



56 Click on Configurehellip next to Step 3 Infrastructure Servers

57 On the Remote Access Setup screen check The network location server is deployed on a

remote web server (recommended) type in the website address to the Network Location

Server and click Next gt

1 So for whatever reason there arenrsquot many articles explaining what exactly the network

location server is and how to set it up From what I gather the Network Location Server is

merely a server with a website running on it that the client can contact to ensure it has

reached the internal network The webpage can be the default IIS webpage just ensure the

website is NOT accessible externally



58 Specify any additional DNS servers you wish to use for name resolution ensure Use local name

resolution if the name does not exist in DNS or DNS servers are unreachable when the

client computer is on a private network (recommended) is checked and click Next gt

59 Check Configure DirectAccess clients with DNS client suffix search list ensure your local

domainrsquos suffix has been added and click Next gt



60 Click Finish on the Management page

61 Click the Configurehellip button on Step 4 Application Servers



62 Check Do not extend authentication to application servers and click Finish

63 Click Finishhellip on the Remote Access Management Console page



64 Click Apply on the Remote Access Review page

65 Click Close once direct access has successfully finished deploying



66 Login to one of your Windows 8X Enterprise machines that is inside of your

DirectAccess Compuers security group and run a gpupdate from command line to pull

down the latest group policy

67 At this point you should now be able to login to your network via DirectAccess

NOTES

Here is a pretty good resource from Microsoft on helping plan your DirectAccess deployment Once you

click on the link in the bottom left corner you will find two steps to some good KB

articles httptechnetmicrosoftcomen-uslibraryjj134262aspx

Here is another article from Microsoft with a more indepth explanation about where to place the

Network Location Server httptechnetmicrosoftcomen-uslibraryee382275(v=ws10)aspx

This entry was posted in Active Directory Networking and tagged DirectAccess Remote Access Unified

Remote Access Windows Server 2012 R2 on December 16 2013

[httpjackstrombergcom201312tutorial-configuring-direct-access-on-server-2012-r2] by Jack



Certificate auto-enrollment has been configured

Active Directory Security Group designated with Computer Objects allowed to use DirectAccess

1 Login to your Server 2012 R2 server we will be using for installing the Direct Access

2 Ensure all windows updates have been applied

3 Open up Server Manager

4 Select Manage -gt Add Roles and Features

5 Click Next gt on the Before you Begin step
























the dialog box



17 Click Install



















24


26














3








Add


































Run



























Country US

Locality Honolulu



State Hawaii




Apply when done



48 Click Enroll



49 Click Finish





52 Click Next gt


Browsehellip













































NOTES
































the dialog box



17 Click Install



















24


26














3








Add


































Run



























Country US

Locality Honolulu



State Hawaii




Apply when done



48 Click Enroll



49 Click Finish





52 Click Next gt


Browsehellip













































NOTES











17 Click Install



















24


26














3








Add


































Run



























Country US

Locality Honolulu



State Hawaii




Apply when done



48 Click Enroll



49 Click Finish





52 Click Next gt


Browsehellip













































NOTES


























24


26














3








Add


































Run



























Country US

Locality Honolulu



State Hawaii




Apply when done



48 Click Enroll



49 Click Finish





52 Click Next gt


Browsehellip













































NOTES




















3








Add


































Run



























Country US

Locality Honolulu



State Hawaii




Apply when done



48 Click Enroll



49 Click Finish





52 Click Next gt


Browsehellip













































NOTES













Add


































Run



























Country US

Locality Honolulu



State Hawaii




Apply when done



48 Click Enroll



49 Click Finish





52 Click Next gt


Browsehellip













































NOTES
































Run



























Country US

Locality Honolulu



State Hawaii




Apply when done



48 Click Enroll



49 Click Finish





52 Click Next gt


Browsehellip













































NOTES



































Country US

Locality Honolulu



State Hawaii




Apply when done



48 Click Enroll



49 Click Finish





52 Click Next gt


Browsehellip













































NOTES












Apply when done



48 Click Enroll



49 Click Finish





52 Click Next gt


Browsehellip













































NOTES











48 Click Enroll



49 Click Finish





52 Click Next gt


Browsehellip













































NOTES











49 Click Finish





52 Click Next gt


Browsehellip













































NOTES











52 Click Next gt


Browsehellip













































NOTES





















































NOTES









[Tutorial] Configuring Direct Access on Server 2012 R2 _ Jack Stromberg

Documents

Transcript of [Tutorial] Configuring Direct Access on Server 2012 R2 _ Jack Stromberg