TechOnTip Weblog

Run book for Technocrats

Windows 2012 Direct Access – Windows 8 Client Testing

Posted by Brajesh Panda on March 10, 2013

Click here for other Direct Access related articles.

In the last two articles I demonstrated how to install, configure and verify a Direct Access installation. In this article we will test and verify it using a Windows 8 client. For Windows 7 clients, check out my next article. Visit the Direct Access tab on the home page for other Windows 2012 Direct Access articles.

  • Install a Windows 8 Enterprise client computer
  • Join it to the Contoso.Local domain
  • Check the certificate store to ensure no computer certificate is installed on this machine
    • Note: Remember that a certificate is not mandatory, and we have not selected the computer certificate option in the configuration section. We will test with a certificate later in this article
  • Add the computer account to the “Contoso\DirectAccessClients-Win8” security group
  • Make sure the GPO is applied to the computer. To validate, run “gpresult /r” and make sure the Direct Access client policy is applied under Computer Configuration
  • You will be able to see the Direct Access connection in the network list
    • On the Windows Start bar, click the network icon
    • You should be able to see “Contoso DA Connection”
  • Make sure Windows Firewall is NOT stopped
  • Check the Windows Firewall advanced settings rules – “wf.msc”

  • Open the properties of the “DirectAccessPolicy-ClientToCorpSimplified” policy and, on the Authentication tab, check the authentication method.

  • Let’s disconnect the computer from the Contoso.Local LAN, start the external wireless connection and observe what happens
  • Observe the network connection list; you will see that Contoso DA Connection is connected

  • In the advanced Windows Firewall console, check the Main Mode Security Associations (the tunnels). You can observe that the computer account is used first, and then the user account, for authentication.

  • Check the ipconfig details on the Windows 8 computer. You will find that both the IP-HTTPS and Teredo interfaces have been assigned IPv6 addresses.
  • Note that if the IP-HTTPS interface has an IP address, the system is using IP-HTTPS. By default the DA client tries a Teredo connection first with its auto address, and if that connection is not successful it tries IP-HTTPS. So although the Teredo interface shows an IP address, because the IP-HTTPS interface also has one we can assume the client is using IP-HTTPS. Technically, we can permanently disable the Teredo interface to avoid confusion.

  • Try to ping corporate servers.

  • Try to access corporate resources such as RDP and a \\UNC path for a file share
  • On the domain controller, check DNS for dynamic host entries for this client. There are two entries, one for the IP-HTTPS interface and the other for the Teredo interface. The Teredo interface can be disabled on the client to stop it registering in DNS unnecessarily – “netsh interface Teredo set state disabled”

  • In the Direct Access server management console, check Remote Client Status for details. You will find the connection information.

  • Until now we have NOT used a computer certificate. But if we have Windows 7 clients, or if we need a few other advanced functionalities, we need computer certificate based authentication.
  • To use a computer certificate
    • We have to issue a computer certificate to the Windows 8 machine
    • And we have to enable the same from the Remote Access Management console
  • After the PKI infrastructure is configured, certificates can be installed manually or using the auto-enroll option. I have already configured the PKI infrastructure and auto-enroll; you may like to check out here to know how.
  • After the certificate is installed on the client, verify it to ensure all is okay.
  • On the server side, make sure your Enterprise or Standalone Root CA certificate is installed.
  • Open the Remote Access Management Console; on Step 2, “Remote Access Server” configuration, click Configure. On the 3rd window, Authentication, select “Use computer certificates”, click Browse and select the root CA certificate

  • Go back to the connected Windows 8 client and run “gpupdate /force” to apply the policy
  • To check the new firewall policies, open the advanced Windows Firewall console using “wf.msc”.

  • Double-click to open the properties of “DirectAccessPolicy-ClientToCorp”, click the Authentication tab and, under Method, click Customize. You can see that the 1st authentication method has been changed to “Computer Certificate”

  • Now disconnect the client from the corporate network and hook it up to the internet. You can observe that two tunnels are created for the connection using the computer certificate.

  • You can conduct the same set of corporate access tests as we did in the 1st section of this article, without the certificate
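
The client-side checks made above through the GUI, in both the non-certificate and the certificate test, can also be collected from PowerShell on the Windows 8 client. This is an added example, not part of the original article; the function name `Get-DAClientCheck` is hypothetical and `server1.contoso.local` is a placeholder for a real internal server.

```powershell
# Added example (not from the original article). Run elevated on the client.
function Get-DAClientCheck {
    param(
        # Placeholder internal host name; replace with a real corporate server.
        [string]$CorpHost = 'server1.contoso.local'
    )

    # Connection security rules delivered by the Direct Access client GPO.
    $rules = @(Get-NetIPsecRule -PolicyStore ActiveStore |
        Where-Object DisplayName -like 'DirectAccessPolicy-*')

    # Non-link-local IPv6 addresses on the two transition interfaces.
    $tunnelIps = @(Get-NetIPAddress -AddressFamily IPv6 |
        Where-Object { $_.InterfaceAlias -match 'iphttps|Teredo' -and
                       $_.IPAddress -notlike 'fe80*' })

    # Article's rule of thumb: an address on IP-HTTPS means IP-HTTPS is in use.
    $viaIpHttps = [bool]($tunnelIps | Where-Object InterfaceAlias -match 'iphttps')

    $da = Get-DAConnectionStatus -ErrorAction SilentlyContinue

    [pscustomobject]@{
        FirewallService = (Get-Service -Name MpsSvc).Status   # must be Running
        EnabledProfiles = @(Get-NetFirewallProfile |
                              Where-Object Enabled -eq 'True').Name -join ','
        DAStatus        = $da.Status          # ConnectedRemotely when off the LAN
        PolicyRules     = $rules.DisplayName -join ','
        TunnelAddresses = $tunnelIps.IPAddress -join ','
        Transport       = if ($viaIpHttps) { 'IP-HTTPS' } elseif ($tunnelIps) { 'Teredo' } else { 'none' }
        MainModeSAs     = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue).Count
        ComputerCerts   = @(Get-ChildItem Cert:\LocalMachine\My).Count
        CorpReachable   = Test-Connection -ComputerName $CorpHost -Count 2 -Quiet
    }
}

Get-DAClientCheck | Format-List

# Authentication methods proposed by each Direct Access rule; after computer
# certificates are enabled and "gpupdate /force" is run, the first method of
# DirectAccessPolicy-ClientToCorp should show the computer certificate.
Get-NetIPsecRule -PolicyStore ActiveStore |
    Where-Object DisplayName -like 'DirectAccessPolicy-*' |
    Get-NetIPsecPhase1AuthSet

# Established tunnels with the identities and methods actually negotiated.
Get-NetIPsecMainModeSA
```

Running it once before and once after enabling computer certificates gives a side-by-side record of the change in `ComputerCerts` and in the first authentication method.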

Check out the next article for Windows 7 client testing.

