TechOnTip Weblog

Run book for Technocrats


Windows 2012 Direct Access – Installation & Configuration

Posted by Brajesh Panda on February 13, 2013


In this posting I am going to demonstrate how to install and configure a dual-homed DirectAccess server. You can find the topology diagram here. I am going to use the middle scenario, i.e. behind an edge device (with two network adapters).

This will be a multi-part series; keep following the linked URLs at the end of each posting. Here we will be using the Windows Server 2012 Remote Access role and its DirectAccess feature.


  • Create two security groups in Active Directory
    • DirectAccessClients-Win8, and add the Windows 8 computer accounts
    • DirectAccessClients-Win7, and add only the Windows 7 computer accounts
  • Decide on the URLs below and create the necessary certificates
    • IP-HTTPS (remoteconnect.contoso.local)
    • Network Location Server (DirectAccess-NLS.contoso.local)
  • Install the IP-HTTPS certificate, along with its private key, on the DirectAccess server
  • Install IIS and the NLS certificate on the Network Location Server, and create the internal DNS record needed to resolve the NLS URL
  • In this build I have provisioned two network cards for the DirectAccess server
    • One in the DMZ and the other in the corporate network
    • The DA server can only discover the internal Active Directory domain through the corporate-network NIC

  • Make sure the IPv6 components are not disabled on this computer. ipconfig should list all IPv6 transition tunnel adapters, with “media disconnected” as their state.
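A pre-flight script that checks the prerequisites listed above on the DirectAccess server before the wizard is run. This is an added example, not part of the original post; it assumes the group names and URLs used in this series (remoteconnect.contoso.local, DirectAccess-NLS.contoso.local) and that the RSAT ActiveDirectory module is installed on the DA server.

```powershell
# Added pre-flight check for the DirectAccess prerequisites (example, not from the original post).
# Names below are the ones assumed in this series; adjust to your environment.
$IpHttpsName = 'remoteconnect.contoso.local'
$NlsName     = 'DirectAccess-NLS.contoso.local'
$Groups      = 'DirectAccessClients-Win8', 'DirectAccessClients-Win7'
$failed = $false

function Report($ok, $msg) {
    if ($ok) { Write-Host "[PASS] $msg" } else { Write-Host "[FAIL] $msg"; $script:failed = $true }
}

# 1. Client security groups exist (requires the ActiveDirectory module / RSAT)
Import-Module ActiveDirectory -ErrorAction Stop
foreach ($g in $Groups) {
    $grp = Get-ADGroup -Filter "Name -eq '$g'"
    Report ($null -ne $grp) "AD group '$g' exists"
}

# 2. IP-HTTPS certificate in the machine store, with its private key, not expired
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match $IpHttpsName -or ($_.DnsNameList.Unicode -contains $IpHttpsName) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
Report ($null -ne $cert) "IP-HTTPS certificate for $IpHttpsName found in LocalMachine\My"
if ($cert) {
    Report $cert.HasPrivateKey "IP-HTTPS certificate has a private key"
    Report ($cert.NotAfter -gt (Get-Date)) "IP-HTTPS certificate is not expired"
}

# 3. Two NICs are up; the NLS name resolves via internal DNS and answers over HTTPS
$nics = Get-NetAdapter -Physical | Where-Object Status -eq 'Up'
Report ($nics.Count -ge 2) "Two physical adapters are up (found $($nics.Count))"
$nls = Resolve-DnsName $NlsName -ErrorAction SilentlyContinue
Report ($null -ne $nls) "NLS name $NlsName resolves via internal DNS"
try {
    $resp = Invoke-WebRequest -Uri "https://$NlsName/" -UseBasicParsing -ErrorAction Stop
    Report ($resp.StatusCode -eq 200) "NLS answers over HTTPS (status $($resp.StatusCode))"
} catch { Report $false "NLS HTTPS probe failed: $($_.Exception.Message)" }

# 4. IPv6 is not disabled: transition tunnel adapters exist (media disconnected is fine at this stage)
$v6 = Get-NetIPInterface -AddressFamily IPv6 -ErrorAction SilentlyContinue
Report ($v6.Count -gt 0) "IPv6 interfaces present ($($v6.Count))"
$tunnels = Get-NetAdapter -IncludeHidden | Where-Object { $_.InterfaceDescription -match 'Teredo|6to4|IPHTTPS|ISATAP' }
Report ($tunnels.Count -gt 0) "IPv6 transition tunnel adapters present"

if ($failed) { Write-Warning 'One or more prerequisites failed; fix them before running the setup wizard.' }
```

Run it in an elevated PowerShell session on the DirectAccess server; the HTTPS probe of the NLS must be made from the corporate-network side, since the NLS is only meant to be reachable internally.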

Installation & Configuration

  • Install Remote Access and its prerequisite components from Server Manager, accepting the default installation
  • Open the Remote Access Management Console
  • On the Setup page click the “Run the Remote Access Setup Wizard” option

  • Click “Deploy DirectAccess Only”

  • It will check the prerequisites and open the Setup page, where you will find active and grayed-out tiles; each tile becomes active as soon as you have configured the previous section

  • To configure Step 1, click Configure
  • On the Deployment Scenario page select “Deploy full DirectAccess for client access and remote management” and click Next

  • On the Select Groups page perform the steps below and click Next
    • Remove “Domain\Domain Computers” and add your DirectAccess client groups
    • Clear “Enable DirectAccess for mobile computers only”. If you select this option, WMI is used to detect which computers are laptops and the policies are applied only to those computers, so if you are testing with a VM or a desktop computer the GPO will not be applied.
    • Make sure “Use force tunneling” is not selected. Selecting it routes all internet traffic through the DirectAccess server.

  • On the “Network Connectivity Assistant” page, double-click the empty Resource space to add the internal resources that NCA (or, on Windows 7, DCA, the DirectAccess Connectivity Assistant) will probe to check that the DirectAccess connection is working

  • After you add the resources for NCA, add a help-desk email address and a descriptive name for the connection. If a user faces a DA connection issue and clicks to generate diagnostic logs, it will show the email address to which the logs can be sent, and the descriptive name helps the user distinguish this connection from other VPN connections.
  • Also select the “Allow DirectAccess clients to use local name resolution” option. It lets users fall back to their own name resolution while the Network Location Server is unavailable and the user is inside the corporate network, and also lets them disconnect the DA connection temporarily.
  • Click Finish

  • Now in the Remote Access Management Console you will find Step 2 is activated for configuration.
  • On Step 2 click Configure. In the “Network Topology” window select the “Behind an edge device (with two network adapters)” topology, type the IP-HTTPS URL you are going to use, and click Next

  • As the IP-HTTPS certificate is already installed, the wizard auto-detects it in the “Network Adapters” window. If you don’t have an IP-HTTPS certificate, the “Use a self-signed certificate” option is highlighted instead. Make sure the correct adapters are mapped to the correct networks and click Next

  • In the Authentication window select the “Active Directory credentials” option and click Finish. If you have Windows 8 clients only, “Use computer certificates” is optional: a few advanced Windows 8 features need a computer certificate, otherwise it is not required. However, if you have Windows 7 clients you need computer certificates and the related PKI infrastructure.
  • For now let’s NOT select computer certificates or Windows 7 client computers. We will enable these during the client testing phase of this exercise.

  • Now in the Remote Access Management Console you will find Step 3 is activated for configuration.
  • On Step 3 click Configure
  • In the “Network Location Server” window type the network location server’s HTTPS URL, click Validate, and after successful validation click Next

  • In the “DNS” window, to add local corporate domains, double-click the resource field, type the domain suffix, and click Detect to resolve the name. This table is called the Name Resolution Policy Table (NRPT).
  • The table lets the client determine which domains/namespaces are located inside the corporate network, so name resolution for them, and traffic to them, goes through the DirectAccess connection. Domains that are not in this list are resolved through the client’s own external DNS configuration and their traffic goes directly to the internet (split tunneling).
  • Also make sure the 2nd option is selected under the local name resolution option in the DNS window. It lets clients use the corporate DNS server, or their own name resolution, while the NLS/DNS is not reachable inside the corporate network.

  • In “DNS Suffix Search List” add the internal DNS suffixes needed for cross-domain or cross-forest resolution and click Next
  • In the Management window add the names of the servers from which management connections will be started through the management tunnel. SCCM servers and domain controllers are discovered automatically after the wizard completes.
  • Click Finish to complete the Step 3 configuration

  • Step 4 is optional; configure it only if end-to-end IPsec authentication is required from the DA client to the application server.

  • In the Remote Access Management Console click Finish to commit all configurations. It presents a report to review before the commit.
  • Review it, change any necessary information such as the GPO name if required, and click Apply

  • Check the results page for errors and click Close to finish

In the next posting I will show you how to verify the new/changed configuration on the DirectAccess server.
