Thursday, September 25, 2014

3. Configure network services and access 3.4 Configure DirectAccess

DirectAccess uses IPv6 and IPsec to create direct connections to a company's network via a DirectAccess server. Clients on IPv4 networks reach the server over the IPv6 transition technologies 6to4, Teredo and IP-HTTPS.


http://technet.microsoft.com/en-us/library/dn636118.aspx


3.4.1 Implement server requirements
Server must be a member of an AD domain
Server must be running 2008R2, 2012 or 2012R2
If the server is published through MF-TMG or MF-UAG, a single NIC is enough. If it is connected directly to the internet, it requires two NICs.
Two public IP addresses, unless using NAT with IP over HTTPS (IP-HTTPS)
2012 can use NLB with up to eight nodes
2012 introduces a single IPsec tunnel model, but it does not support certain other capabilities; these can be restored by configuring the dual IPsec tunnel model of 2008R2 (1 infrastructure tunnel, 1 intranet tunnel)
2008R2 functional level
ISATAP requires a DNS server that supports DNS messaging over ISATAP.
ISATAP name removed from the DNS global query block list
IPsec policies
Teredo requires ICMPv6 functionality

Server setup:
Install the RemoteAccess Windows feature on the DirectAccess server
Run the Remote Access Management tool from Server Manager (ramgmtui.exe)
Run the "Getting Started Wizard"
Deploy "DirectAccess and VPN" or "DirectAccess"
Choose your network topology: edge server, behind an edge device with two network adapters, or behind an edge device with a single network adapter
Enter the IP address to be used to reach this server (public IP if edge)

Click Edit for other settings. Some of these can be configured after the wizard using the four-step component configuration.
GPO names
-lets you select specific GPOs for Client and Server. These will be created in the domain.

Remote Clients - Step 1 Client configuration
-You can uncheck "Enable DirectAccess for mobile computers only", which uses a WMI filter to detect mobile computers in the listed groups. Then you can specify the security groups that will contain the DA clients.
-Network Connectivity Assistant contains settings used on the client for connectivity info, diagnostics, and support.

Remote Access Server - Step 2 Server configuration
-network settings for the DA server

Infrastructure setup - Step 3 Infrastructure configuration (NLS, DNS, DNS suffix for clients, Management servers)
-An NLS server is an internal HTTPS server; if the DA client can reach it over HTTPS, the client assumes it is on the intranet and disables DA.
-Used to set up the DNS suffixes that will be resolved internally. Other suffixes use the client's own DNS server if the configuration allows it.

Step 4 - Application configuration
-require end-to-end authentication and encryption to specific application servers

Check that the Operations Status of the DA server is in the "Working" state.
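As an added example that is not part of the original post, the same Getting Started Wizard steps scripted with the RemoteAccess PowerShell module on Windows Server 2012 R2; the public name da.contoso.com, the adapter names External and Internal, the GPO names, the DA_Clients and DA_AppServers groups and the DNS64 address are assumed values chosen for the example.

```powershell
# Added example: scripted equivalent of the wizard steps above (RemoteAccess module,
# Windows Server 2012 R2). Run elevated on the domain-joined DA server. Every name
# and address below is an assumption for the example, not a value from the post.

# Feature install (what "Install the RemoteAccess feature" does).
Install-WindowsFeature -Name DirectAccess-VPN -IncludeManagementTools

# Prerequisite check first: the same checks the wizard runs, nothing is changed yet.
Install-RemoteAccess -Prerequisite -DAInstallType FullInstall `
    -ConnectToAddress 'da.contoso.com' `
    -InternetInterface 'External' -InternalInterface 'Internal'

# Step 2 - edge topology with two NICs; -ConnectToAddress is the public name the
# external DNS A record points at. Add -DeployNat instead of using two public IPs
# when the server sits behind a NAT (IP-HTTPS only).
Install-RemoteAccess -DAInstallType FullInstall `
    -ConnectToAddress 'da.contoso.com' `
    -InternetInterface 'External' -InternalInterface 'Internal' `
    -ClientGpoName 'contoso.com\DirectAccess Client Settings' `
    -ServerGpoName 'contoso.com\DirectAccess Server Settings' `
    -Force -PassThru

# Step 1 - which computers receive the client GPO. OnlyRemoteComputers Disabled
# removes the "mobile computers only" WMI filter; the security group then decides.
Add-DAClient -SecurityGroupNameList 'contoso.com\DA_Clients'
Set-DAClient -OnlyRemoteComputers Disabled -Force

# Step 3 - NRPT entry: names under corp.contoso.com go through the tunnel to the
# DA server's DNS64 address; any other suffix is sent to the client's local DNS.
Set-DAClientDnsConfiguration -DnsSuffix '.corp.contoso.com' `
    -DnsIPAddress '2001:db8:1::1' -PassThru
# Local-resolution behaviour (the three options in the wizard):
# FallbackSecure = only if the name does not exist, FallbackPrivate = also when
# the DNS servers are unreachable, FallbackUnsecure = on any DNS error.
Set-DAClientDnsConfiguration -Local FallbackPrivate

# Step 4 - application servers that require end-to-end authentication.
Add-DAAppServer -Name 'AppServers' -SecurityGroupNameList 'contoso.com\DA_AppServers'

# Operations status: any component not in the OK state needs attention before
# clients are rolled out.
Get-RemoteAccessHealth | Where-Object { $_.HealthState -ne 'OK' } |
    Format-Table Component, HealthState -AutoSize
```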
 
Extra Note: 2012 introduced DNS64 and NAT64 for backwards compatibility, allowing access to internal corporate resources via IPv4. 2008R2 requires MF-UAG for this functionality.

3.4.2 implement client configuration
Clients must be Windows 7 Enterprise or Ultimate, Windows 8 Enterprise, 2008R2, 2012 or 2012R2
Client must be joined to the domain

Windows 7 and 2008R2 use the DirectAccess Connectivity Assistant (DCA)
Windows 8 and 2012 use the Network Connectivity Assistant (NCA)

Domain clients are auto-configured according to the assigned GPO. As noted before, the WMI filter for mobile computers can be enforced in addition to specific security groups.

3.4.3 configure DNS for Direct Access
DirectAccess requires two external DNS A records: one for the DirectAccess server and one for the Certificate Revocation List (CRL). Internal DNS requires records for the NLS server and the CRL.

DNS is set up in Infrastructure Configuration (Step 3):
-Set the suffixes that are resolved via DA.
-Configure the behaviour of DNS resolution for a DA client while connected:
   - Use local name resolution if the name does not exist
   - Use local name resolution if the name does not exist or the DNS servers are unreachable
   - Use local name resolution on any DNS resolution error
-Configure an additional DA client suffix search list

To determine the client's DNS "location", use:
netsh dnsclient show state

Effective NRPT settings:
netsh dnsclient show effectivepolicy

Name Resolution Policy Table (NRPT) is used to determine behavior of the DNS clients when issuing queries.
To view the NRPT settings on the client as defined via GP:
netsh namespace show policy
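As an added example that is not part of the original post, the client-side checks above done with the PowerShell cmdlets that ship with Windows 8 / Server 2012 (the NCA generation of clients); the host name under corp.contoso.com is an assumed value.

```powershell
# Added example: client-side equivalents of the netsh checks above, using the
# DnsClient, NetworkConnectivityStatus and NetworkTransition modules of
# Windows 8 / Server 2012. Run on a domain-joined DA client; the name under
# corp.contoso.com is an assumed value, not one from the post.

# 1. Location detection. ConnectedLocally means the NLS answered over HTTPS, so
#    the NRPT is switched off and no tunnel is built; ConnectedRemotely is the
#    expected state on the internet; Error carries a Substatus worth reading.
$da = Get-DAConnectionStatus
'DA status: {0} ({1})' -f $da.Status, $da.Substatus

# 2. The NLS URL the client probes, as delivered by the DA client GPO.
(Get-NCSIPolicyConfiguration).DomainLocationDeterminationURL

# 3. Effective NRPT rules (the cmdlet behind 'netsh dnsclient show effectivepolicy').
#    Expect nothing on the intranet; a remote client should list the DA suffixes
#    with the DA server's IPv6 (DNS64) address as DirectAccessDnsServers.
Get-DnsClientNrptPolicy -Effective |
    Format-Table Namespace, DirectAccessDnsServers, DirectAccessEnabled -AutoSize

# 4. Resolve an internal name the way the client itself does. Resolve-DnsName goes
#    through the DNS client and therefore honours the NRPT; nslookup bypasses the
#    NRPT, so it is not a valid test of DA name resolution.
Resolve-DnsName -Name 'intranet.corp.contoso.com' -Type AAAA

# 5. Which transition technology is carrying the tunnel. Behind a NAT only
#    IP-HTTPS can come up; Teredo needs the two public addresses and ICMPv6.
Get-NetTeredoState
Get-NetIPHttpsState
```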


ISATAP note: when using ISATAP you must remove isatap from the DNS global query block list. The /globalqueryblocklist switch replaces the whole list (by default it blocks wpad and isatap), so list only the names that should stay blocked, then restart the DNS Server service:
dnscmd /config /globalqueryblocklist wpad

3.4.4 configure certificates for Direct Access
2012 and 2012R2 no longer require a PKI certificate setup.
This is done by implementing an HTTPS-based Kerberos proxy. Client authentication requests are sent to a Kerberos proxy service running on the DirectAccess server. The Kerberos proxy then sends Kerberos requests to Domain Controllers on behalf of the client.

The DA server can have a server authentication certificate installed, which can be from a public CA. Otherwise the setup wizard configures its own self-signed IP-HTTPS and KDC proxy certificates.
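As an added example that is not part of the original post, replacing the wizard's self-signed IP-HTTPS certificate with a public CA certificate on the DA server; the subject name da.contoso.com and the PFX path are assumed values.

```powershell
# Added example: swapping the wizard's self-signed IP-HTTPS certificate for one
# issued by a public CA, on the DA server (RemoteAccess and PKI modules, Server
# 2012 R2). 'da.contoso.com' and the PFX path are assumed values for the example.

# Import the CA-issued certificate with its private key into the computer store.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Import-PfxCertificate -FilePath 'C:\certs\da.contoso.com.pfx' `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword | Out-Null

# Pick the certificate by subject and sanity-check it before binding: the subject
# must match the public name clients connect to, it must not be self-signed
# (issuer equal to subject is what the wizard generates), and it must be inside
# its validity period, otherwise IP-HTTPS clients fail to connect.
$cert = Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.Subject -eq 'CN=da.contoso.com' -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw 'No certificate for da.contoso.com with a private key' }
if ($cert.Issuer -eq $cert.Subject) { throw 'Certificate is self-signed' }
if ($cert.NotAfter -lt (Get-Date)) { throw 'Certificate has expired' }

# Bind it to the IP-HTTPS listener; -PassThru echoes the resulting configuration.
Set-RemoteAccess -SslCertificate $cert -PassThru
```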
