Beruflich Dokumente
Kultur Dokumente
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
Jack Stromberg
A site about stu
Prerequisites
Domain Admin rights to complete the tutorial below
Windows Server 2012 R2 machine
Two network cards One in your internal network, the other in your DMZ
DMZ
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
1/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
2/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
3/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
4/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
5/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
6/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
12. Click the Add Features button on the dialog box that prompts
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
7/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
13. Check DirectAccess and VPN (RAS) and then click Next >
14. Click Next > on the Web Server Role (IIS) page
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
8/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
9/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
16. Check the Restart the destination server automatically if required checkbox and click Yes on
the dialog box.
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
10/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
11/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
19. Back in Server Manager, click on Tools -> Remote Access Management (You can ignore the
warning icon, the Open the Getting Started Wizard will only do a quick setup of DirectAccess. We
want to do a full deployment).
Here is what the quick deployment looks like. Dont click on this.
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
12/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
20. On the Remote Access Management Console, click on DirectAccess and VPN on the top left and
then click on the Run the Remote Access Setup Wizard.
21. On the Con gure Remote Access window, select Deploy DirectAccess only
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
13/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
22. Click on the Con gure button for Step 1: Remote Clients
23. Select Deploy full DirectAccess for client access and remote management and click Next >
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
14/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
24.
25. Click on the Add button
26.
27. Select the security group inside of Active Directory that will contain computer objects allowed to
use DirectAccess and click OK
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
15/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
28. Optionally, uncheck or check Enable DirectAccess for mobile computers only as well as Use force
tunneling and click Next >
1. If Enable DirectAccess for mobile computers is checked, WMI will query the machine to
determine if it is a laptop/tablet. If WMI determines the machine is not a mobile device,
the group policy object will not be applied to those machines in the security group. In short,
if checked, DirectAccess will not be applied to computers that are desktops or VMs placed
inside the security group.
2. If Use force tunneling is checked, computers will always use the direct access server when
remote. For example, if the user surfs the web to a public website like jackstromberg.com,
the tra c will go through the DirectAccess tunnel and back to the machine, rather than
directly to the ISP. Generally, this is used for strict compliance environments that want all
network tra c to ow through a central gateway.
3.
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
16/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
30. Select whether you want the client to verify it has connected to the internal network via a HTTP
response or network ping, optionally click the validate button to test the connection, and then
click Add
1. You may want to add a couple resources for failover testing purposes, however it isnt
recommended to list every resource on your internal network.
31. Enter in your Helpdesk email address and DirectAccess connection name (this name will show
up as the name of the connection a user would use), and check Allow DirectAccess clients to use
local name resolution and click Finish.
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
17/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
1. Based on what I could nd, checking Allow DirectAccess clients to use local name resolution
will allow the DirectAccess client to use the DNS server published by DHCP on the physical
network they are connected to. In the event the Network Location server is unavailable, the
client would then use the local DNS server for name resolution; allowing the client to at least
access some things via DNS.
33. On the Remote Access Server Setup page, select Behind an edge device (with two network
adapters) and ensure you specify a public facing DNS record that DirectAccess will use to connect
back to your environment, and then click Next >
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
18/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
1. NOTE: By default, your domains FQDN will be used, so if you have a .local domain, you will
want to switch this to your actual .com, .net, .org, .whatever.
2. As an additional side note, hereis some information from the following KB article on what
the di erences are between each of the topologies. From what I gather, using the dual NIC
con guration is Microsofts best practice from a security standpoint.
Two adaptersWith two network adapters, Remote Access can be con gured with
one network adapter connected directly to the Internet, and the other is connected to
the internal network. Or alternatively the server is installed behind an edge device
such as a rewall or a router. In this con guration one network adapter is connected
to the perimeter network, the other is connected to the internal network.
Single network adapterIn this con guration the Remote Access server is installed
behind an edge device such as a rewall or a router. The network adapter is
connected to the internal network.
34. On the Network Adapters step, select your External (DMZ) and Internal (LAN) adapters.
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
19/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
35. Leave the Remote Access Setup screen open and right click on Start button and select Run
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
20/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
21/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
22/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
42. Expand Certi cates (Local Computer) -> Personal -> Certi cates, right click on Certi cates
and select Request New Certi cate
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
23/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
24/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
45. Select your template that will support server authentication and click More information is
required to enroll for this certi cate. Click here to con gure settings.
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
25/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
1. Note: The WebServers enrollment policy is not something out of the box con gured by
Microsoft. You will need to manually login to your certi cate authority, duplicate the Web
Servers template with the settings you wish, ensure your usergroup can Enroll for a
certi cate, and then publish it to AD.
46. On the Subject tab, enter the following values (substituting in your companys information):
Common name: da.mydomain.com
Country: US
Locality: Honolulu
Organization: My Company
Organization Unit: Information Technology
State: Hawaii
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
26/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
47. On the Private Key tab, expand Key options and check Make private key exportable. Click
Apply when done.
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
27/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
28/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
29/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
50. Go back to the Remote Access Setup screen and click Browse
51. Select your da.mydomain.com certi cate we just created and click OK.
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
30/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
53. Check Use computer certi cates and check Use an intermediate certi cate and then click
Browse
54. Select the certi cate authority that will be issuing the client certi cates and click click OK
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
31/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
55. Optionally, you may enable Enable Windows 7 client computers to connect via DirectAccess as
well as Enforce corporate compliance for DirectAccess clients with NAP. Note: Con guring these
two options are not covered in the scope of this tutorial. Click Finish when done.
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
32/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
57. On the Remote Access Setup screen, check The network location server is deployed on a
remote web server (recommended), type in the website address to the Network Location
Server, and click Next >
1. So for whatever reason, there arent many articles explaining what exactly the network
location server is and how to set it up. From what I gather, the Network Location Server is
merely a server with a website running on it that the client can contact to ensure it has
reached the internal network. The webpage can be the default IIS webpage; just ensure the
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
33/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
58. Specify any additional DNS servers you wish to use for name resolution, ensure Use local name
resolution if the name does not exist in DNS or DNS servers are unreachable when the
client computer is on a private network (recommended) is checked and click Next >
34/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
35/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
62. Check Do not extend authentication to application servers and click Finish
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
36/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
65. Click Close once direct access has successfully nished deploying
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
37/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
66. Login to one of your Windows 8.X Enterprise machines that is inside of your DirectAccess
Compuers security group and run a gpupdate from command line to pull down the latest
group policy.
67. At this point, you should now be able to login to your network via DirectAccess!
NOTES:
Here is a pretty good resource from Microsoft on helping plan your DirectAccess deployment. Once
you click on the link, in the bottom left corner, you will nd two steps to some good KB
articles: http://technet.microsoft.com/en-us/library/jj134262.aspx
Here is another article from Microsoft with a more indepth explanation about where to place the
Network Location Server: http://technet.microsoft.com/en-us/library/ee382275(v=ws.10).aspx
This entry was posted in Active Directory, Networking and tagged DirectAccess, Remote Access, Uni ed
Remote Access, Windows Server 2012 R2 on December 16, 2013
[http://jackstromberg.com/2013/12/tutorial-con guring-direct-access-on-server-2012-r2/] by Jack.
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
38/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
Rene Wieldraaijer
March 17, 2014 at 8:19 am
Nice tutorial. One comment on point 28. You write If Use force tunneling is enabled, mobile computers
will always connect to the DirectAccess server regardless if the client is directly attached to local
network or is remote..
It should be. When force tunneling is enabled mobile computers will always use the direct access
server when remote. So they will not use local breakout for Web sur ng and stu like that. Some say
that this improves security because the client cannot be used as a remote bridge between the Internet
and the corporate network. Anyway. When force tunneling is enabled computers will still not use the DA
server when on the local network.
Jack
Post author
Mahmoud
March 25, 2014 at 4:06 am
Thanks Jack,
I am on a task of setting up Direct Access on 2012 R2 but with OTP (One Time Password), I am going
through this guide and hopefully OTP will work ne
Jack
Post author
39/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
Bernard Brink
March 28, 2014 at 4:21 am
Jack
Post author
Sander Daems
April 23, 2014 at 1:36 am
Markus Kugler
June 13, 2014 at 1:26 am
40/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
Thanks, Markus
Jack
Post author
Hi Markus,
The only thing that I can think of that would cause this is if you were running the installer as a local user
account on the machine rather than domain admin, your active directory account you are running does
not have access to browse the security group, or the security group is in a di erent domain/child
domain and you have not browsed to it properly.
Hope this helps!
Jack
Deon
July 31, 2014 at 3:37 am
Katherine Moss
January 29, 2015 at 8:30 pm
Thanks for that! Very helpful; Ive not tried it yet, though I plan to shortly. My question is, why uncheck
the extend authentication to application servers checkbox? Because wouldnt that imply that you
would need a standard VPN in order to authenticate because DA isnt being extended to applications?
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
41/42
7/28/2015
[Tutorial]ConfiguringDirectAccessonServer2012R2|JackStromberg
Jack
Post author
Hi Katherine,
This option isnt really extending access to an application, but providing the authentication process
directly with the requested server, rather than the DA server. In the case where you have a highly
locked down environment, I would recommend you check the extend authentication to application
servers checkbox and then specify the security groups containing the speci c servers that users can
access over the DirectAccess connection.
Hope this helps,
Jack
http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/
42/42