Step-By-Step: Further Detail In Setting Up DirectAccess
Now that you have successfully complete installation of DirectAccess Client services, lets go into further detail regarding the configuration process.
Both Windows 7 and Windows Server 2008 R2 DirectAccess are enabled via a solution accelerator called a DCA ( DirectAccess Connectivity Assistant). The DCA is installed on direct access client computers and helps to troubleshoot the connectivity problems with direct access servers.
DCA is replaced in Windows 8 by NCA (Network Connectivity Assistant) and is included with the operating system itself.
In setting up DirectAccess, an IT administrator can define who will be using the DirectAccess service in the organization. The following are the steps top enable this.
Step 1: Configuring the DirectAccess service
- Navigate to Server Manager > Tools > Remote Access Management
- Then it will load the mmc and from there select DirectAccess and VPN and configuration section in left hand panel
- To run the wizard click on the option from Remote access mmc
- From the console select option Deploy DirectAccess Only
- Then in next window it shows 4 main steps to complete the configuration. In some setups all 4 options will not apply. For example some time remote access server role will holds by the infrastructure or the application server
- From the “Remote Access Management Console” under the step 1, click on configure
- Then in next window select the option “Deploy full DirectAccess for client access and remote management” and click next. As it explain this option allows DirectAccess client to connect via internet in to internal network and administrators can manage these clients remotely
- In next window we can define which security groups in organization can use the DirectAccess services. Click on “add” to proceed. Here in demo I add security group called “Remote Clients” which I already setup in the AD
Note: If Forefront UAG is in use with force tunneling make sure you select option “use force tunneling” in the window
- Once completed click next to continue
- As mentioned, NCA in client computers used to troubleshoot connectivity problems. In here it allows to define a test resource which can use to test the validity of the connection. This must be a FQDN which is always allows for DirectAccess clients. (For ex- CMS, Billing Portal). In window you also can define the helpdesk email address and name for the DirectAccess connection. Also if you wish to use local dns name resolution make sure you select the option “Allow DirectAccess clients to use local name resolution”. Once you done click on Finish to continue
Step 2: Remote Access Server setup
In DirectAccess this server will act as the gateway which connects external network with the internal network. This server typically needs to run with 2 NIC at least which will represent internal and external networks.
- From the “Remote Access Management Console” under the step 2 (Remote Access Server), click on configure
- The wizard then asks to define the relevant network topology. By default its selected with “Behind an edge device”. Here is where we also need to define the IP address or the FQDN which direct access clients uses to connect. Once configuration done, click next to continue
- In next window, it gives option to define the NIC cards to represent internal and external networks. Note – it is easy to identify them if you rename the network connections on the server. It also gives option to select the digital certificate for IP-HTTPS connections
If a specific SSL is not to be utilized, use option ”Use a self-signed certificate created automatically by DirectAccess” and click next
- In next window it gives lot of options to use for the authentication. You can use AD username and password to connect or else can go with two-factor authentication to use with smart cards or OTP (one time password). If you needs, you can use computer certificates for authentication as well. If company still deals with windows 7 clients make sure you select option “Enable Windows 7 client computers”. If company uses NPS (network protection server) we also can force direct access clients to use NPS using option “Enforce corporate compliance for DirectAccess clients with NAP”. Once done with configuration, click on finish to proceed
Step 3: Infrastructure Server setup
Now that the gateway server configured, infrastructure servers are needed to support DirectAccess setup. For ex- DNS servers, NLS (Network Location Server), WSUS server etc.
One of the great DirectAccess feature is it’s ability to automatically detect the location of the client computer. This occurs via the NLS (Network Location Server). Let’s assume we have internal CMS, this can use as the NLS in Direct Access setup. So once client connects it will check if it can connect to given CMS URL, if its can it assume client is in local network and automatically disabled direct access components. If its cant access it will assume user connects from external network and enables the direct access connections. But you need to maintain high availability on the NLS.
To proceed with the configuration,
- From the “Remote Access Management Console” under the step 3 (Infrastructure Server), click on configure
- In wizard, define the NLS url, which needs to be a HTTPS URL, and click next to continue
- In next window we can verify the DNS suffixes and internal DNS servers direct access will use and click next to continue
- In next window make sure domain suffixes are correctly used and click next to continue
- In next window we can define the management servers such as WSUS and click on finish
Step 4: Application Servers setup
An extra level of authentication to the servers which runs with critical data can be added if it is required. Using the application servers setup wizard we can define those servers which need extra authentication.
- From the “Remote Access Management Console” under the step 4 (Application Server), click on configure
- To enable it, you need to select option “Extend authentication to selected application servers” option. In here you can select the security groups containing the servers which required extra authentication
Note: DirectAccess requires IPv6 addressing in place to operate. So organization should prepare for this in planning stage and implement any transitioning mechanism required.
The process is now complete.