Appendix B – DirectAccess Setup Wizard Instructions
Ensure the prerequisite steps from Appendix A have been completed prior to beginning the DirectAccess Setup Wizard.
The DirectAccess Management Console feature simplifies the configuration of DirectAccess by providing you with a set of steps and wizard pages. Once all of the steps have been completed, the configuration can either be saved as a set of script files for future use, or it can be applied as the configuration settings directly to the DirectAccess server.
To install the DirectAccess Management Console feature
In Server Manager, under Features Summary, click Add features.
On the Select Features page, select DirectAccess Management Console.
In the Add Features Wizard window, click Add Required Features.
On the Select Features page, click Next.
On the Confirm Installation Selections page, click Install.
On the Installation Results page, click Close.
To run the DirectAccess Server Management snap-in
Click Start, point to Administrative Tools, and then click DirectAccess Management.
In the console tree, expand DirectAccess.
Click Setup to configure the DirectAccess server.
The configuration can be saved at any point during installation by clicking Save at the bottom right of the Setup dialog box. This will save the configuration to %windir%\DirectAccess\DirectAccessConfig.xml. Re-launching the snap-in will read the configuration from DirectAccessConfig.xml file and setup will pick up from where it was saved.
When the setup is complete, click Finish to review the DirectAccess configuration. Then click Apply to apply the DirectAccess settings.
The saved configuration to DirectAccessConfig.xml can also be applied through scripts.
In order to apply the changes that the DirectAccess Management Console collects, you must have local administrator permissions and permissions to create or edit Group Policy objects and to link the GPOs to the domain. If you lack these permissions, the console will still run, but at the end of the setup, Apply will be grayed out. In this case, you will need to save your configuration without applying it.
The DirectAccess Setup Wizard guides you through the steps to configure a DirectAccess server. The following figure shows the DirectAccess Setup Wizard.
Step 1 – Remote clients
The first step of the Setup Console is to select the Active Directory security groups that contain the computer accounts that will be enabled for DirectAccess. The following figure shows an example.
The security groups selected can exist in separate domains or forests, assuming the appropriate trusts are in place. The security groups must exist before the DirectAccess Setup Wizard is run.
Step 2 – DirectAccess server
The next step is to configure the DirectAccess server. This will include choices about connectivity, and certificates.
On this page, you specify which interface connects to the Internet and which connects to the intranet (the internal network). You can also enable authorization with smart cards. The following figure shows an example:
On this page, you can select two certificates:
A root certificate to which the DirectAccess client certificates must chain. This will be used to verify the certificates sent by the DirectAccess client computers during IPSec authentication.
A certificate to use for connectivity over HTTPS (IP-HTTPS). This certificate must have either a public IPv4 address of the DirectAccess server or an FQDN that can be resolved to a public IPv4 address of the DirectAccess server using Internet DNS servers in the Subject field of the certificate. Additionally, ensure that a CRL distribution point configured in this certificate is accessible from the Internet. This certificate cannot also be used for network location.
The following figure shows and example:
Step 3 – Infrastructure servers
The third step configures the infrastructure servers, such as DNS servers, domain controllers, and management servers.
On the Location page, type an HTTPS-based URL that will be used by clients to determine if they are on the intranet. You can specify that the DirectAccess server is the network location server; however, it is highly recommended that the network location server be a different, highly available server.
If you specify that the DirectAccess server is the network location server, you must select a certificate that will be used for network location detection. This certificate must have either an intranet IPv4 address of the DirectAccess server or an FQDN that can be resolved to an intranet IPv4 address of the DirectAccess server in the Subject field of the certificate. The FQDN must not be resolvable using Internet DNS servers, and the intranet IPv4 address must not be reachable from the Internet. Additionally, this certificate must have a CRL distribution point that is accessible by DirectAccess clients using intranet DNS servers configured in TCP/IP settings.
This certificate cannot be the same as that used for IP-HTTPS connections, as chosen on the Certificates page of step 2 of the DirectAccess Setup Wizard.
The following figure shows an example:
DNS and domain controller
This page configures the NRPT, which will be used by remote client computers to determine which DNS queries should be directed to intranet DNS servers. The wizard auto-populates the table with the domain DNS suffix and the IPv6 or ISATAP addresses of the DNS server and, depending on the network location server, an exemption entry for the name of the network location server.
These entries can be edited by double-clicking the entry, or by right-clicking an entry and then clicking Edit. To add more entries, right-click an empty row, and then click New. Alternately, you can double-click an empty row. To delete an entry from the NRPT, right-click the entry, and then click Delete.
This page allows configuration of management servers, which are used to manage DirectAccess client computers. This is an optional setting.
Step 4 –Application servers
The final step is to identify application servers that will be restricted using IPsec. This feature provides a simple way to integrate the Server and Domain Isolation solution into a DirectAccess deployment.
Use this page to configure additional levels if authentication is required for some high-value servers. The default setting is to require no additional end-to-end authentication.