TechOnTip Weblog

Run book for Technocrats

Archive for February, 2013

Windows 2012 Direct Access – Verify Installation

Posted by Brajesh Panda on February 13, 2013

Click here for other Direct Access related articles.

In last post I have shown you how to install and configure a dual homed direct access server behind the edge. If you have not read that, read it here. Before we move forward in our exercise let’s check out what configurations has been changed in our server. This will help during troubleshooting.

  • IPConfig in DA Server; Few things has been changed
    • In Automatically Private IPv6 Address has been provisioned
    • ISATAP Address has been configured
    • IP-HTTPS Interface and Tunnel End Points has been configured


  • Local IPv6 route table & persistent routes for IPv6 prefix has been updated

  • In IIS IP-HTTPS SSL is not configured in binding section of default website with 443.
  • To check SSL certificate binding lets run “netsh http show sslcert”.

  • In Remote Access management console Operation Status Page check everything is working fine

  • In Direct Access server open “Windows Firewall with Advanced Security” Console. You can use “wf.msc to open the same. Make sure “DirectAccess Policy-DaServerToCorpSimplified” Connection Security Rules is created.

  • Make sure DirectAccess Policy-DaServerToCorpSimplified rule is set for both inbound and outbound connection & Authentication is set to Custom.
  • To check Authencation, Open properties for the rule – click authentication tab – click customize
  • First Authentication Method is selected for Computer & 2nd Authentication is selected for User.

  • Active Directory DNS has been updated with few Host Records

  • Open Group Policy Management console and verify two newly created GPOs and to whom they are applied to

In next post we will test Direct Access Infrastructure with Windows 8 clients.


Posted in Direct Access | Tagged: , | Leave a Comment »

Windows 2012 Direct Access – Installation & Configuration

Posted by Brajesh Panda on February 13, 2013

Click here for other Direct Access related articles.

In this posting I am going to demonstrate how to install & configure a Dual Homed Direct Access server. You can find the topology diagram here. I am going to try middle scenario i.e. Behind an Edge device (with two network adapters.

This will be a few part series, keep following the connected URLs at the end of the posting. Here we will be using Windows 2012 Server’s Remote Access Role & Direct Access feature.


  • Create Two security groups in Active Directory
    • DirectAccessClients-Win8 and add Windows 8 Computer Accounts
    • DirectAccessClients-Win7 and add only Windows 7 Computer Accounts
  • Decide on below URLs & create necessary certificates
    • IP-HTTPS (remoteconnect.contoso.local)
    • Network Location Server (DirectAccess-NLS.contoso.local
  • Install IP-HTTPS certificates on Direct Access Server along with private key
  • Install IIS & NLS certificate on the Network Location Server & create necessary internal DNS record to resolve the NLS URL.
  • In this build I have provisioned Two Network cards for the Direct Access server
    • One in DMZ & and Another one in Corporate Network
    • DA server can only discover internal Active Directory domain thru Corporate Network NIC

  • Make sure IPv6 components are not disabled in this computer. IPConfig should show all IPv6 Transition tunnel adapters with media disconnected as state.

Installation & Configuration

  • Install Remote Access and requisite components from Server Manager. Just default installation
  • Open Remote Access Management Console
  • From Setup page click on “Run the Remote Access Setup Wizard” Option

  • Click on Deploy Direct Access Only

  • It will check pre-requisites & Open Setup page. Where you will find Active & Grayed out tiles & they will get activated as soon as you configure the previous section

  • To configure Step 1 click on Configure option
  • On Deployment Scenario page Select “Deploy Full direct Access for client access and remote management” & click Next

  • In Select Groups page perform below steps and click next
    • remove “Domain\Domain computers” and add your Direct Access Clients Groups
    • Unselect “Enable DirectAccess for Mobile Computers only“. If you select this option, with WMI it will detect which computer is laptop and only apply the policies to those computers. So if you are testing with a VM or Desktop computer, GPO will not get applied.
    • Make sure “Use Fore tunneling” is not selected. Selecting this will route all internet traffic thru direct access server.

  • In “Network Connectivity Assistant” page Double click empty Resource space to add new internal resources, which will be used by NCA or Win 7 DCA (Direct Access Connectivity Assistant) to check Direct Access connection is okay

  • After you add resources for NCA, add Help Desk Email Address and a descriptive name for the connection. So incase user face any DA connection issue & user clicks to generate Diagnostic Logs it will show the email address to which mail can be send and a Descriptive name will help the user to differentiate the connection from other VPN connections.
  • Also select “Allow Direct Access Clients to use local name resolution” option. It helps users to use their own name resolution while Network Location server is not available and user is inside the corporate network & also to disconnect DA Connection temporarily .
  • And click Finish

  • Now in Remote Access management console you will find Step-2 is activated for configuration.
  • On Step 2 Click Configure; In “Network Topology” window select the “Behind an Edge device (with two network adapters)” topology window type the IP-HTTPS URL you are going to use & click next

  • As IP-HTTPS certificate is already installed, it will auto detect the certificate in “Network Adapters” window. If you don’t have IP-HTTPS certificate, use a self-signed certificate option will be highlighted. Make sure correct Adapters are mapped to correct network & click Next

  • In Authentication window select “Active Directory credentials” option and click Finish. If you have “Windows 8″ only clients “Use of Computer Certificate” is optional, if you need few advance functionalities in Windows 8, you need computer certificate else it is not required. However if you have Windows 7 Clients we need computer certificates and related PKI infra.
  • For now let’s NOT select Computer certificates and Windows 7 client computers. We will enable this during client testing phase in our exercise.

  • Now in Remote Access management console you will find Step-2 is activated for configuration.
  • On Step 3 Click Configure
  • In “Network Location Server” window type the network location server’s HTTPS URL and click validate & after successful validation click next.

  • In “DNS” window to add local corporate domains double click the resource field and type the domain suffix and click detect to resolve the name. This Table is called as Name Resolution Policy Table (NRPT).
  • This table helps the client to determine which domains/namespace are located inside corporate network. So name resolution for them and traffic related to them pass thru direct access connection. Other domains which are not part of this list are resolved thru clients own external DNS configuration and traffic follows accordingly direct to internet – split traffic.
  • Also make sure in DNS window 2nd Option is selected under local name resolution option. It helps the clients to use corporate DNS server or own name resolution while NLS/DNS is not reachable in the corporate network.

  • In “DNS Suffix Search List” add internal DNS suffixes for cross domain or forest resolution & click next
  • In Management window add server names from where management connections will be started thru management tunnel. SCCM & Domain Controllers are automatically discovered later after completion of the Wizard.
  • And Click Finish to complete Step 3 Configuration

  • Step 4 is optional and required to be configured if end to end IPSec Authentication is required from DA Client to Application Server.

  • In the Remote Access Management Console click Finish to commit all configurations. It will present a report to review before commit.
  • Review the same, change necessary information like GPO name if required and click Apply

  • Verify the result page for any error and click Close to finish

In next posting I will show you to verify new/changed configurations on Direct Access Server.

Posted in Direct Access | Tagged: , , | 6 Comments »

Direct Access in Windows 2012

Posted by Brajesh Panda on February 4, 2013

Click here for other Direct Access related articles.

DirectAccess allows domain users to securely access corporate network thru their domain joined remote computer without dialing a traditional VPN dialer or accessing SSL web site for SSL-VPN.

Every time a DirectAccess-enabled computer connects to the Internet it establishes bidirectional connectivity automatically with corporate network.

And by default it uses split technology so only corporate traffics traverse thru the Direct Access Connection. This behavior can be changed to force public internet traffic thru corporate network.

Direct Access technology is based on IPv6. So Direct Access Server & Clients communicate using IPv6 and this is done thru IPv6 transition technologies. Same way Direct Access Client talks to internal IPv4 infrastructure thru Direct Access Server using IPv6 Transition Technologies.

Direct Access was introduced with Windows 2008 R2. But in new version some good enhancement has been done;

  • Windows 2008 R2 need Forefront to use few (NAT64, DNS64) IPv6 transition technologies. However these are right built into this Windows 2012; removing dependency on forefront.
  • IP-HTTPS technology has been improved in Windows 2012 which can come over Teredo limitations.
  • In a simpler deployment IP-HTTPS connection can use a self-signed certificate.
  • In a truly Windows 8 client environment, it don’t need a computer certificate removing PKI requirement. However if you have Windows 7 and want to support it, you need Computer Certificate resulting PKI environment for client version.
  • Both traditional Windows VPN (RRAS) and Direct Access can co-exist on the same server.
  • Supports Load Balancing between multiple servers
  • Support multiple entry points for Site disaster recovery & helps to connect to near access point in the world
  • Supports multiple network architecture like; (check out the diagram)
    • With One NIC inside corporate network,
    • With two NIC; -one nic in DMZ and other one in corporate,
    • Two NIC – one in Public Internet (for Teredo) and one in corporate network

Few things need to be considered for production deployment where both Win 7 & 8 clients are coexisting;

  • PKI infrastructure
  • Public certificate for IP-HTTPS deployment. If you are using internal CA certificate, make sure your CA’s CRL (certification revocation list) URL is available over internet for clients to verify
  • You have to still deploy Direct Access Connectivity 2.0 tool to Windows 7 clients. And have to configure DCA settings manually. Easy way of doing is enable Multisite connectivity in Remote Access configuration where you can define a separate GPO for Windows 7 computers
  • Best practice is to use two different security groups for Windows 7 & 8 clients.
  • Configure internal CA templates to issue computer certificates to clients as per their membership
  • Make sure Network Location Server (NLS) is highly available & its URL is not published to internet. NLS helps clients to determine if they are inside or outside of corporate network. If outside clients start direct access connection. So if clients are inside corporate network and NLS is not accessible that time, they will start Direct Access connection and being inside corporate network they may not able to connect to Direct Access server’s public interface and clients will not able to access network resources.

Will keep updating this article with my findings! Watch out for upcoming articles how to configure Direct Access Infrastructure.

Posted in Direct Access | Tagged: | 2 Comments »

%d bloggers like this: