DirectAccess provides your users with a seamless, secure VPN tunnel to your corporate network.
In this step-by-step guide I will demonstrate the process of installing and configuring DirectAccess on Windows Server 2012 R2 to support connectivity from Windows 7 and Windows 8 client computers. We will also integrate NAP (Network Access Protection) to perform a health check on the clients and make sure they comply with corporate policy before connecting.
You will need to have the following already in place to follow this guide:
- You will need an existing Active Directory environment to work with.
- You will need an enterprise (Active Directory integrated) certificate authority. This is only required if you want to support Windows 7 clients; Windows 8 does not need one. If you don't have one configured, I recommend following the steps in this blog: http://blogs.technet.com/b/xdot509/archive/2013/03/22/installing-a-two-tier-pki-hierarchy-in-windows-server-2012-wrap-up.aspx. Follow it through from start to end and you will have a fully functional two-tier PKI.
- The DirectAccess server will need two network cards (you can use a virtual server if you wish). One network card is connected to your corporate network and the other to a DMZ. In my configuration I have assigned it a public IP address, but you can choose other options during the install. The local area connection interfaces on the server are renamed to External and Internal; both are set up with static IP addresses.
- You need to allow HTTPS (TCP 443) through your firewall to the public interface of the server.
- You need to register a DNS A record pointing to the public IP address of the DirectAccess server. Clients will resolve this name from the Internet, so it must be resolvable outside your network.
- You will need a public certificate installed in the personal store of the DirectAccess server whose subject matches the public DirectAccess DNS hostname.
Install the roles
I have called my DirectAccess server SV-RAS01 and added it to Server Manager on my workstation so that I can manage it remotely. The server is domain-joined.
1. From Server Manager launch the Add Roles and Features Wizard
2. Select the Remote Access role and leave the features as they are
3. Select DirectAccess and VPN (RAS) as the role service and leave the Web Server Role (IIS) selections as they are
4. Verify the role selection is correct and click Install
Launch Remote Access Management and start the configuration
1. From Server Manager, right-click the server name under the Remote Access role and select Remote Access Management
2. Click Run the Getting Started Wizard
3. We will be deploying both DirectAccess and traditional VPN on this server, so select that option
4. Select Edge and enter the DNS name that points to the public IP address of the DirectAccess server
The other topology options can be used, but they are not covered in this blog.
5. Click the "click here" link to make changes to the default configuration before it is applied
6. Click Change on GPO Settings
If you already have a specific GPO you want to use to deliver the client settings you can browse for it, or you can create a new GPO by typing in a name. Two GPOs are used: one applied to DirectAccess clients and one applied to DirectAccess servers. The wizard automatically populates both GPOs based on the options you chose during installation.
7. Click Change on Remote Clients
Select a security group that will contain all your DirectAccess clients. The default is Domain Computers, but you may not want to allow DirectAccess for every computer in the domain; a dedicated group keeps the client GPO scoped to the machines you intend.
On the Network Connectivity Assistant page specify one or more server names or URLs that the client should check to verify corporate connectivity.
Also enter a helpdesk email address and a connection name; this makes it simpler to identify the connection on client computers and to automatically send log files to the helpdesk if required.
8. Click Edit on Remote Access Server Setup and select the Network Adapters tab. Make sure the adapters are correctly assigned to the external and internal networks, and select the SSL certificate whose subject matches your public DNS name.
9. Click Edit on Infrastructure Servers Setup and specify the name of the network location server (NLS). You can either use the default, which is installed on the DirectAccess server itself, or point it to another server. The NLS is used by the client to determine whether it is connected to the corporate network: if the client can reach the NLS it will not try to establish a DirectAccess connection, and if it cannot reach the NLS it assumes it is off the network and connects. It is therefore very important that this server is always responsive; if it is unavailable internally, clients on the LAN will wrongly believe they are remote. I suggest creating a blank HTTPS website on a highly available web farm. Only an HTTPS response from the web server at that URL is required. This server must NOT be accessible from outside your corporate network, otherwise remote clients would believe they were inside and never bring up the tunnel.
Click the DNS Suffix list and enter any specific DNS suffixes used by your organisation and the IP addresses of the DNS servers that host those zones.
10. From the Remote Access Server Setup pages click the Authentication tab. If you are using Windows 7 computers, select the option to allow Windows 7 client computers to connect and select the certificate of your issuing certificate authority. You can also enable the Enforce NAP option if you are going to use Network Access Protection.
At this point the DirectAccess configuration is complete and we are ready to start testing.
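Before moving to the clients it is worth confirming on the server that the wizard produced what steps 1 to 10 intended. The following script is an added example (not from the original guide); it uses the RemoteAccess module that ships with Windows Server 2012 R2, and the NLS URL is an assumed value you replace with your own.

```powershell
# Post-configuration verification, run on the DirectAccess server (SV-RAS01 in
# this guide) from an elevated PowerShell prompt. Added example, not part of the
# original guide. The NLS URL below is an assumption: replace it with your own.
Import-Module RemoteAccess

$nlsUrl = 'https://nls.corp.example.com/'   # assumption: the internal-only NLS site

$ra  = Get-RemoteAccess
$da  = Get-DAServer
$cli = Get-DAClient
$nls = Get-DANetworkLocationServer

"DirectAccess status : $($ra.DAStatus)"
"VPN status          : $($ra.VpnStatus)"
"Public DNS name     : $($da.ConnectToAddress)"
"Interfaces          : internal=$($da.InternalInterface) external=$($da.InternetInterface)"
"Client groups       : $($cli.SecurityGroupNameList -join ', ')"
"Windows 7 support   : $($da.Downlevel)"
"NAP health check    : $($da.HealthCheck)"
"NLS location        : $($nls.NlsLocation) $($nls.Url)"

# The IP-HTTPS certificate (step 8) must name the public DNS name and not be near expiry.
# A wildcard certificate will trip the first warning; confirm it by hand in that case.
$cert = $da.SslCertificate
if ($cert.Subject -notlike "*$($da.ConnectToAddress)*") {
    Write-Warning "SSL certificate subject '$($cert.Subject)' does not contain $($da.ConnectToAddress)"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "SSL certificate expires on $($cert.NotAfter)"
}

# The NLS (step 9) must answer over HTTPS from inside the corporate network: a client
# that cannot reach it assumes it is off-network and brings up the DirectAccess tunnel.
try {
    $resp = Invoke-WebRequest -Uri $nlsUrl -UseBasicParsing -TimeoutSec 10
    "NLS reachable       : HTTP $($resp.StatusCode) from $nlsUrl"
} catch {
    Write-Warning "NLS not reachable from the internal network: $($_.Exception.Message)"
}

# Anything the Operations Status page would flag: list components not reporting OK
# (components you did not enable, such as NAP, legitimately show as Disabled)
Get-RemoteAccessHealth |
    Where-Object { $_.HealthState -notin @('OK', 'Disabled') } |
    Format-Table Component, HealthState, TimeStamp -AutoSize
```

Run it again after any change in the Remote Access Management console; the health listing at the end should come back empty once every enabled component is healthy.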
If you have enabled certificate authentication to allow Windows 7 support you will need to request computer certificates for your clients from your PKI. This is also required for Windows 8 clients when Windows 7 support is enabled.
Make sure your Windows 8 computer is in the correct OU and groups, and make sure the group policies have been applied.
Check the network connections and you should see a Workplace Connection object.
For Windows 7 client computers you need to create an additional GPO and download the DirectAccess Connectivity Assistant tool from here.
Once you have installed the assistant you need to create and apply a GPO. Use the settings from the GPO that was created by the DirectAccess setup. The download contains the relevant GPO templates and a document describing the settings and deployment options.
Here are a few checks to go through if things are not working as expected:
1. Is the computer in the correct DirectAccess client security group in Active Directory?
2. Is the computer in the correct OU in AD?
3. Is Windows Firewall enabled? (DirectAccess depends on it for its IPsec connection security rules.)
4. Does the computer have antivirus installed, and is it up to date?
5. Have the group policies been applied correctly to the computer? Check from an administrative command prompt using gpresult /r and look for the DirectAccess client policy.
6. Check that the computer certificate has been correctly installed.
7. Ensure the computer has Internet connectivity.
8. Check that all DirectAccess services are running correctly on the DirectAccess server by looking at the Operations Status page in the Remote Access Management console.
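The client-side checks in the list above (1 to 7) can be run in one go from an elevated PowerShell prompt on a Windows 8 client. This is an added example, not from the original guide; the public DirectAccess name, the client security group, the client GPO name and the issuing CA name are assumptions you replace with your own.

```powershell
# Client-side DirectAccess checks for a Windows 8 client, run from an elevated
# PowerShell prompt on the client. Added example, not part of the original guide.
# Assumed values below: replace them with your own.
$daPublicName = 'da.corp.example.com'           # assumption: Edge DNS name from step 4
$daGroup      = 'DirectAccess Clients'          # assumption: group chosen in step 7
$clientGpo    = 'DirectAccess Client Settings'  # assumption: default client GPO name
$issuingCa    = 'Corp Issuing CA'               # assumption: your issuing CA name

# Checks 1, 2 and 5: AD location, group membership and applied GPOs via gpresult
$gp = gpresult /r /scope:computer
$gp | Where-Object { $_ -match '^\s*CN=' } | ForEach-Object { "AD object     : $($_.Trim())" }
"DA group      : " + $(if ($gp -match "\\$([regex]::Escape($daGroup))\s*$") { 'member' } else { 'NOT a member' })
"Client GPO    : " + $(if ($gp -match "^\s*$([regex]::Escape($clientGpo))\s*$") { 'applied' } else { 'NOT applied' })

# Check 3: DirectAccess tunnels are IPsec rules in Windows Firewall, so every profile must be on
Get-NetFirewallProfile | ForEach-Object { "Firewall      : $($_.Name) enabled=$($_.Enabled)" }

# Check 4: antivirus as registered with Security Center (productState convention:
# bit 0x1000 set = real-time protection on, bit 0x10 set = definitions out of date)
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | ForEach-Object {
    $on = ($_.productState -band 0x1000) -ne 0; $stale = ($_.productState -band 0x10) -ne 0
    "Antivirus     : $($_.displayName) on=$on outOfDate=$stale"
}

# Check 6: a computer certificate from the corporate PKI with the Client Authentication EKU
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*$issuingCa*" -and
                   $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2' } |
    ForEach-Object { "Computer cert : $($_.Subject) expires $($_.NotAfter) chainValid=$($_.Verify())" }

# Check 7: the public endpoint must accept TCP 443 (IP-HTTPS) from wherever the client is
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($daPublicName, 443); "TCP 443       : open to $daPublicName" }
catch   { "TCP 443       : NOT reachable ($($_.Exception.Message))" }
finally { $tcp.Close() }

# Name resolution policy (NRPT) pushed by the client GPO, IP-HTTPS state and overall DA status
Get-DnsClientNrptPolicy | Format-Table Namespace, DirectAccessDnsServers -AutoSize
Get-NetIPHttpsState     | Format-List
Get-DAConnectionStatus  | Format-List Status, Substatus
```

An empty NRPT table or a missing client GPO usually means the computer is not in the group from step 7 or has not refreshed policy since being added.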
Configure Network Access Protection
If you want to verify the health of your computers (for example that the antivirus software is up to date and Windows Firewall is turned on) you can configure Network Access Protection. To do so you will need an additional Windows Server 2012 R2 server.
1. Install the Network Policy and Access Services role from Server Manager
Select Network Policy Server and Health Registration Authority as the role services
Select the CA you want to use to issue HRA (health) certificates
Select Yes to require authentication
If you are offered the option to use SSL, select it; otherwise install a certificate on the server and enable SSL on the HRA website after installation
Leave the IIS role services at their defaults
Confirm the steps and complete the install
2. Launch the Network Policy Server console on the server and click Configure NAP
Select IPsec with HRA and give the policy a name
Since the HRA role is running on the same server we can leave the RADIUS clients list blank
Click Next on Machine Groups as we are not using them
Select the System Health Validator(s) to use; the default is the Windows Security Health Validator
3. You can configure the SHV to meet your requirements. The default configuration checks that antivirus software is installed and up to date, antispyware is enabled and up to date, and the firewall is turned on. You can also require specific updates to be installed should you wish.
Expand Network Access Protection > System Health Validators > Settings and open the properties of Default Configuration.
4. Configure the NPS server as a management server from the Remote Access configuration console, in Step 3 (Infrastructure Servers).
5. You need to create an HRA certificate template. Launch the Certification Authority snap-in on your issuing CA, right-click Certificate Templates and select Manage.
Locate the Workstation Authentication certificate template, right-click it and select Duplicate Template
Set the compatibility settings to Windows Server 2008 R2 and Windows 8 / Server 2008 R2
Give the template a name on the General tab and make sure Publish certificate in Active Directory is NOT selected
Make sure nothing is enabled on the Issuance Requirements tab
On the Subject Name tab set the subject name to Supply in the request
On the Server tab tick both check boxes (do not store certificates and requests in the CA database, and do not include revocation information in issued certificates). This prevents the CA database from being flooded with health certificates, as a new one is issued to every client every 4 hours by default.
On the Extensions tab you need to add System Health Authentication to the application policies
6. You now need to apply a GPO to the client computers to enforce the NAP configuration. The following settings need to be configured in the GPO:
Windows Settings > Security Settings > System Services > Network Access Protection Agent = Enabled (startup type Automatic)
Windows Settings > Security Settings > NAP Client Configuration > Enforcement Clients > IPsec Relying Party = Enabled
Windows Settings > Security Settings > NAP Client Configuration > Trusted Server Groups > Group Name: Direct Access NAP
Administrative Templates > Windows Components > Security Center > Turn on Security Center = Enabled
7. Reboot the client computer and make sure the NAP GPO has been applied. You can test that NAP is working correctly by disabling the antivirus real-time protection. A message should appear within a few minutes advising that there may be limited connectivity.
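To see what the NAP GPO actually delivered to a client, and what the HRA issued from the template created in step 5, run the following on the client after the reboot. This is an added example, not from the original guide; the only value it takes from the guide is the trusted server group name.

```powershell
# NAP client verification on a DirectAccess client after the NAP GPO (step 6) has
# applied, run from an elevated PowerShell prompt. Added example, not part of the
# original guide. The trusted server group name is the one used in the GPO above.
$groupName = 'Direct Access NAP'

# The NAP Agent service (napagent) must be running for any enforcement to happen
$svc = Get-Service -Name napagent
"NAP Agent service    : $($svc.Status)"

# Effective NAP client settings delivered by Group Policy: the IPsec Relying Party
# enforcement client (ID 79619) must be enabled and the HRA group must be present
$policy  = netsh nap client show grouppolicy
$ipsecEc = $policy | Select-String -Pattern 'IPsec Relying Party' -Context 0,2 | Out-String
"IPsec Relying Party  : " + $(if ($ipsecEc -match 'Enabled') { 'enabled' } else { 'NOT enabled' })
"Trusted server group : " + $(if ($policy -match [regex]::Escape($groupName)) { 'present' } else { 'MISSING' })
$policy | Where-Object { $_ -match '^\s*URL\s*=' } |
    ForEach-Object { "HRA URL              : $($_.Split('=', 2)[1].Trim())" }

# Current restriction state: after disabling real-time antivirus protection (the test in
# step 7) this should move to restricted once the SHV re-evaluates the client
netsh nap client show state | Where-Object { $_ -match 'Restriction state|Initialized|Troubleshooting' }

# A compliant client holds a health certificate issued by the HRA from the template in
# step 5: System Health Authentication EKU (1.3.6.1.4.1.311.47.1.1), 4-hour lifetime by default
$health = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.47.1.1' }
if ($health) {
    foreach ($c in $health) {
        $hours = [math]::Round(($c.NotAfter - $c.NotBefore).TotalHours, 1)
        "Health certificate   : $($c.Subject) from $($c.Issuer), valid ${hours}h, expires $($c.NotAfter)"
    }
} else {
    Write-Warning 'No health certificate present: client is non-compliant or the HRA is unreachable'
}

# Recent NAP client events explain why a client was restricted
Get-WinEvent -LogName 'Microsoft-Windows-NetworkAccessProtection/Operational' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -AutoSize -Wrap
```

A health certificate that is missing while the client still reports Not restricted usually means the enforcement client was never enabled, so the tunnel is not actually gated on health at all.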