Proof of Concept - DirectAccess

Problem:  I would like to experiment with Direct Access in a simple manner

Solution:  Here I’m going to talk about rolling out Direct Access in a proof of concept way.  I have posted some references links at the end which have proven useful to me.  I’m not going to get into a long drawn out conversation about what Direct Access is, I’m sure you all know by now however for those that want some further reading, try this White Paper on Direct Access and Microsoft Forefront Unified Access Gateway: http://bit.ly/1FfIYF0.

So in order to gain access to corporate resources there are first some pre-requisites you need to fulfil:

  • Your client operating systems must be Windows Enterprise Edition
  • Firewall work must have been undertaken to allow the traffic through.
  • Your external CNAME record must have been set up
  • Are you supporting Windows 7 Clients?  If so additional steps need to be taken.

In my example I’m going to use Server 2012R2 on my VMs.  I am going to be supporting Windows 7 clients as well as Windows 8.1 and Windows 10 Technical Preview (10049).  So lets get started.  Here is a diagram of what I intend to achieve.

clip_image001

Step 1 – Windows 7 Clients CA Install (Part 1 of 2)

If you are not supporting Windows 7 Clients you can skip to Step 2

First things first, on your Domain Controller create the following groups:
1. DA Clients
2. DA Servers

Because I am going to support Windows 7 Clients, first I will set up the PKI.  On the DA server I install the Certificate Authority Role.  Selecting the Active Directory Certificate Services role I accept all defaults and install the role adding the required features when prompted.

1. clip_image002

2. clip_image003

3. clip_image004

4. clip_image005

I’m configuring an enterprise root CA on my network mainly accepting defaults through the wizards, this is not the way I advise setting up a CA in production (please don’t do this!).  Plenty of reading materials are available on how to implement a thorough PKI with Root CA’s (Turned off), subordinate CA’s and issuing CAs however for this experiment I am just throwing it all on the DA server, so lets get to it: Once the role is installed I will need to configure it.  So next I run the Post Deployment Configuration task.

1. clip_image006

2. clip_image007

3. clip_image008

4. clip_image009

5. clip_image010

6. clip_image011

7. clip_image012

8. clip_image013

Take note of the validity period here, 5 years might not be enough for your environments

9. clip_image014

And finally click click to confirm on the final screen and wait for the task to be completed.   Once installed we will need to do a number of things.  Firstly we need to create a group policy to enable auto enrolment of certificates so on the root of the domain create a GPO called “Auto Enrol Certificates” and security filter it to DA Clients and DA Servers groups you created earlier.  Edit the GPO and drill down through Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.  Double click Certificate Services Client – Auto-Enrolment. In Configuration Model select Enabled and then check both Renew Expired Certificates and Update Certificates that use Certificate Templates.

Next we need to create the certificates for Clients and Servers.  Lets create the client one first, open up the Certificate Authority MMC and expand your server, right click on Certificate Templates and select Manage. In the centre pane of the Certificate Templates Console scroll to the bottom, right click on Workstation Template and select Duplicate Template.  From the Properties of New Template window select the General tab and give the certificate a name such as Direct Access Clients.  On the Security tab click Add and add in the DA Clients group giving it Read, Enrol and Autoenroll

Lets now create the server certificate so return to the Certificate Templates Console scroll to the bottom, right click on Workstation Template again and select Duplicate Template.  From the Properties of New Template window select the General tab and give the certificate a name such as Direct Access Servers.  On the Security tab click Add and add in the DA Clients group giving it Read, Enrol and Autoenroll.  On the Extensions tab select the Applications Policies and click Edit… then click Add… and chose Server Authentication from the Add Application Policy window, clicking OK twice to return back to the Properties of New Template window.  Finally go to the Subject Name tab and under Subject Name Format select Common Name from the drop down menu and then click OK OK to create the certificate.  Now I will close the Certificate Templates Console and return back to the Certificate Authority MMC.

We will now need to issue the two certificates we created from the template so, in the Certificate Authority MMC, right click the certificate container and select NEW then Certificate Template to Issue, choosing the two certificates we just created.

Step 2 – Basic Direct Access Setup.

By basic, I mean basic.  So, lets get to it.  First install the Remote Access Role choosing to install Direct Access and VPN and accepting default & required features as we go:

1. clip_image015

2. clip_image016

3. clip_image017

4. clip_image018

Once installed lets walk through the Post Installation task conveniently called the Getting Started Wizard.  You can launch this from Server Manager straight after the install or by loading the Remote Access Management Console and clicking on Run the Getting Started Wizard.  First I’m going to select Direct Access Only.

clip_image019

On the next screen is where you will specify the external DNS name that clients will look for when they are outside the network.  My imaginary domain is home.local and we (logically would) own the domain for www.home.com (we don’t really – this is imaginary), so I am going to put in the next screen my external DNS address.  In my example we are behind a single network adapter and I’m going to use directaccess.home.com for my public name clients will look for.  My domain will be edited so that a CNAME record for ‘directaccess’ is pointing to the external IP address of my gateway.  My firewall will then statically NAT the traffic coming in to my DA server.  Each gateway and firewall (hardware) is different and I cannot document all ways of doing this so some of this you’re going to have to figure out for your self.  I am using Watchguard firewalls in production and editing the DNS records using out domain hosting company. things could be slightly different for you guys.  Tread carefully on this step and make sure you understand the aspects of it within your own environment.

clip_image020

On the next step be careful, click on the link in the window, not the Finish button

clip_image021

So, the next window that pops up is the Remote Access Review window.  Notice this is a window you can scroll down on to edit various options.  The top and first option is where you can change the name of the GPO’s that are used in your domain.  Should you have a specific way you label your GPO’s then you can change them here by clicking on the Change link next to GPO Settings.  I am interested in changing the clients though.  Notice you are given the ‘Domain Computers’ group by default (the mind boggles!) to change this click on (yes you’ve guess it) Change.  Change the group used to the Direct Access Clients group you already created.  I always take the tick out of the option for Enable DirectAccess for mobile computers only too because often I test with VM’s and VMs are not recognised as mobile devices.  Then click Next.

clip_image022

On this screen enter you helpdesk contact email address (this is displayed in error messages for your clients if they are experiencing trouble connecting) and click Finish.

clip_image023

Next click on OK on the Remote Access Review window and finally OK to close the Configure Remote Access window.

On the Remote Access Management Console window you can now check in on the Operational Status page to ensure you have green ticks all the way down and that everything looks OK to you.  Be patient and keep hitting refresh (top right) once all green its working as it should.

clip_image025

Step 3 – Windows 7 Clients CA Install (Part 2 of 2)

Finally we need to make a small change to ensure our windows 7 clients can work.  on the Remote Access Management Console select DirectAccess and VPN from the top left on the console and then click Edit… under step 2.

clip_image027

Next click on Authentication from the left hand side, tick the box that states Enable Windows 7 Client computers to connect via DirectAccess then click Browse…

clip_image028

From the Windows Security window select the certificate created with today’s date and has the name of your CA server you created earlier.  Notice there is two (look at the bottom of the list).  I am unsure why it displays two, I have compared the serial numbers and keys on the certificates and they are both the same – perhaps someone can comment on why this is?  I assume its because one will be the client and one the server certificate, however they both appear to be exactly the same when you drill down into the details of the certificate and it seems to work which ever one you choose.

clip_image029

Click OK to close and then click Finish to return to the Remote Access Management Console.  Look for this in the centre pane of the console:

clip_image030

Click Finish and it will apply all the new settings.

Well done! You have now configured a basic installation of DirectAccess that should now function as it is intended to. 

Tips! Firstly I wouldn’t advise using Self-Signed certificated for a production environment and the PKI should also be set up much better than it is on this brief example.  You could also implement High Availability on the DA servers creating a cluster to keep the DA service active should a server failure take place.  This will also use the IPHTTPS technology to create the tunnel to your resources, if you wish to use any of the other available technologies then you’ll need to look into the prerequisites and/or hardware that these require.

Resources
Real World Direct Access Set up Blog:
http://blogs.msdn.com/b/canberrapfe/archive/2012/07/12/simple-direct-access-setup-with-windows-server-2012-rp.aspx

Microsoft Direct Access Troubleshooting Tool
http://www.microsoft.com/en-us/download/details.aspx?id=41938

Windows 10 Experience
You will see this when you fire up your VM (or test laptop).

clip_image031

and then supposing you have shares to access from home if you check in your explorer you should see access tot he shares:

clip_image032

also you could go into your network connections you will see ‘Workplace Connection’ (or whatever you called it) like so:

clip_image033

Rather satisfying that it tells me my PC is set up correctly.  I did hit the Collect button out of curiosity however it just span round and round.  Not sure if this bit is ready yet.

And there you go, it works just fine on the other operating systems too.

Hope this was informative for you.

Jonathan.