
7/28/2015

[Tutorial] Configuring Direct Access on Server 2012 R2 | Jack Stromberg

Jack Stromberg
A site about stuff

[Tutorial] Configuring Direct Access on Server 2012 R2
This tutorial will cover deployment of Windows Server 2012 R2's latest version of DirectAccess. While there are multiple ways to configure DirectAccess, I tried to pull together what I believe are the best/recommended practices and what I believe would be a common deployment between organizations. If you have any thoughts/feedback on how to improve this deployment, please leave a comment below.
Before beginning, if you are curious what DirectAccess is, here is a brief overview of what it is and what it will allow us to accomplish.

DirectAccess, also known as Unified Remote Access, is a VPN-like technology that provides intranet connectivity to client computers when they are connected to the Internet. Unlike many traditional VPN connections, which must be initiated and terminated by explicit user action, DirectAccess connections are designed to connect automatically as soon as the computer connects to the Internet. DirectAccess was introduced in Windows Server 2008 R2, providing this service to Windows 7 and Windows 8 Enterprise edition clients.
http://en.wikipedia.org/wiki/DirectAccess

Prerequisites
Domain Admin rights to complete the tutorial below
Windows Server 2012 R2 machine
Two network cards: one in your internal network, the other in your DMZ
Joined to your domain
Latest Windows Updates (seriously, apply these; there are updates released specifically for DirectAccess)

http://jackstromberg.com/2013/12/tutorialconfiguringdirectaccessonserver2012r2/

PKI Setup (Public Key Infrastructure to issue self-signed certificates)
Custom template set up for issuing servers with an intended purpose of Server Authentication
Certificate auto-enrollment has been configured
Active Directory Security Group designated with Computer Objects allowed to use DirectAccess
1. Log in to the Server 2012 R2 server we will be using to install DirectAccess
2. Ensure all Windows updates have been applied.

3. Open up Server Manager

4. Select Manage -> Add Roles and Features

5. Click Next > on the Before you Begin step


6. Ensure Role-based or feature-based installation is checked and click Next >


7. Select Next > on the Select destination server step

8. Check Remote Access and click Next >


9. Click Next > on the Select Features step


10. Click Next > on the Remote Access step

11. Check DirectAccess and VPN (RAS)


12. Click the Add Features button on the dialog box that prompts


13. Check DirectAccess and VPN (RAS) and then click Next >

14. Click Next > on the Web Server Role (IIS) page


15. Click Next > on the Role Services page


16. Check the Restart the destination server automatically if required checkbox and click Yes on
the dialog box.

17. Click Install


18. Click Close when the install has completed
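The same role installation (steps 2 through 18) can be scripted, which is handy when you build a second DirectAccess server or want a repeatable check that Windows Update has actually run. The following is an added example and is not part of the original tutorial; it uses the real Windows feature names DirectAccess-VPN and RSAT-RemoteAccess, and the 30-day hotfix window is an arbitrary illustrative value. Run it from an elevated PowerShell prompt on the Server 2012 R2 machine.

```powershell
# Added example, not from the original tutorial.
# Step 2 check: list hotfixes installed in the last 30 days (arbitrary window)
# so you can see whether Windows Update has run recently on this server.
$cutoff = (Get-Date).AddDays(-30)
Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -gt $cutoff } |
    Sort-Object InstalledOn -Descending |
    Select-Object HotFixID, Description, InstalledOn

# Steps 3-17: Remote Access role with DirectAccess and VPN (RAS), plus the
# management console and the RemoteAccess PowerShell module. We do not let
# the installer reboot on its own; we report instead.
$result = Install-WindowsFeature -Name DirectAccess-VPN -IncludeManagementTools -Restart:$false
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart is required before continuing with the Remote Access wizard.'
}

# Step 18 check: confirm the role and its management tools are installed.
Get-WindowsFeature -Name DirectAccess-VPN, RSAT-RemoteAccess |
    Select-Object Name, DisplayName, InstallState
```

If InstallState shows anything other than Installed for either feature, resolve that before opening Remote Access Management in step 19; the wizard will not run without the module.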


19. Back in Server Manager, click on Tools -> Remote Access Management (you can ignore the warning icon; Open the Getting Started Wizard will only do a quick setup of DirectAccess, and we want to do a full deployment).

Here is what the quick deployment looks like. Don't click on this.


20. On the Remote Access Management Console, click on DirectAccess and VPN on the top left and
then click on the Run the Remote Access Setup Wizard.

21. On the Configure Remote Access window, select Deploy DirectAccess only


22. Click on the Configure button for Step 1: Remote Clients

23. Select Deploy full DirectAccess for client access and remote management and click Next >

25. Click on the Add button

27. Select the security group inside of Active Directory that will contain computer objects allowed to
use DirectAccess and click OK


28. Optionally, uncheck or check Enable DirectAccess for mobile computers only as well as Use force tunneling and click Next >
1. If Enable DirectAccess for mobile computers only is checked, WMI will query the machine to determine if it is a laptop/tablet. If WMI determines the machine is not a mobile device, the group policy object will not be applied to that machine even though it is in the security group. In short, if checked, DirectAccess will not be applied to desktops or VMs placed inside the security group.
2. If Use force tunneling is checked, computers will always use the DirectAccess server when remote. For example, if the user surfs the web to a public website like jackstromberg.com, the traffic will go through the DirectAccess tunnel and back to the machine, rather than directly to the ISP. Generally, this is used for strict compliance environments that want all network traffic to flow through a central gateway.


29. Double click on the Resource | Type row
1. What this step is trying to do is find a resource on the internal network that the client can ping to ensure the DirectAccess client has successfully connected to the internal network.

30. Select whether you want the client to verify it has connected to the internal network via an HTTP response or a network ping, optionally click the Validate button to test the connection, and then click Add
1. You may want to add a couple of resources for failover testing purposes; however, it isn't recommended to list every resource on your internal network.

31. Enter your Helpdesk email address and DirectAccess connection name (this name will show up as the name of the connection the user sees), check Allow DirectAccess clients to use local name resolution, and click Finish.

1. Based on what I could find, checking Allow DirectAccess clients to use local name resolution will allow the DirectAccess client to use the DNS server published by DHCP on the physical network it is connected to. In the event the Network Location Server is unavailable, the client would then use the local DNS server for name resolution, allowing the client to at least access some things via DNS.

32. Click on Configure next to Step 2: Remote Access Server

33. On the Remote Access Server Setup page, select Behind an edge device (with two network adapters), ensure you specify a public-facing DNS record that DirectAccess clients will use to connect back to your environment, and then click Next >

1. NOTE: By default, your domain's FQDN will be used, so if you have a .local domain, you will want to switch this to your actual .com, .net, .org, .whatever.
2. As an additional side note, here is some information from the following KB article on what the differences are between each of the topologies. From what I gather, using the dual-NIC configuration is Microsoft's best practice from a security standpoint.
Two adapters: With two network adapters, Remote Access can be configured with one network adapter connected directly to the Internet, and the other connected to the internal network. Or alternatively the server is installed behind an edge device such as a firewall or a router. In this configuration one network adapter is connected to the perimeter network, the other is connected to the internal network.
Single network adapter: In this configuration the Remote Access server is installed behind an edge device such as a firewall or a router. The network adapter is connected to the internal network.

34. On the Network Adapters step, select your External (DMZ) and Internal (LAN) adapters.


35. Leave the Remote Access Setup screen open, right-click on the Start button and select Run

36. Type mmc and select OK


37. Click File -> Add/Remove Snap-in

38. Select Certificates and click Add >


39. Select Computer account and click Next >

40. Ensure Local Computer is selected and click Finish


41. Click OK on the Add or Remove Snap-ins window

42. Expand Certificates (Local Computer) -> Personal -> Certificates, right-click on Certificates and select Request New Certificate

43. Click Next on the Before You Begin screen

44. Click Next on the Select Certificate Enrollment Policy screen


45. Select your template that will support server authentication and click More information is required to enroll for this certificate. Click here to configure settings.


1. Note: The WebServers enrollment policy is not something configured out of the box by Microsoft. You will need to manually log in to your certificate authority, duplicate the Web Server template with the settings you wish, ensure your user group can Enroll for a certificate, and then publish it to AD.
46. On the Subject tab, enter the following values (substituting in your company's information):
Common name: da.mydomain.com
Country: US
Locality: Honolulu
Organization: My Company
Organization Unit: Information Technology
State: Hawaii


47. On the Private Key tab, expand Key options and check Make private key exportable. Click
Apply when done.


48. Click Enroll.


49. Click Finish.
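Steps 42 through 49 can also be done from PowerShell with the PKI module's Get-Certificate cmdlet, which is useful if you need to repeat the enrollment on another server, and it lets you verify what the CA actually issued before the wizard is pointed at it in step 51. This is an added example, not the tutorial's own procedure; the template name WebServers and the subject values are the tutorial's placeholders and your CA's template name may differ. Get-Certificate has no switch matching the Make private key exportable checkbox from step 47; whether the key is exportable is decided by the template's private key settings (assumption stated in the comments).

```powershell
# Added example, not from the original tutorial. Assumes an AD-published
# template named 'WebServers' (tutorial placeholder) that the server's
# computer account is allowed to enroll.
$template   = 'WebServers'
$commonName = 'da.mydomain.com'   # tutorial placeholder public name

# Steps 45-48: enroll from the template into the Local Computer\Personal store.
# The subject mirrors the fields typed on the Subject tab in step 46.
$subject = "CN=$commonName, OU=Information Technology, O=My Company, L=Honolulu, S=Hawaii, C=US"
$enrollment = Get-Certificate -Template $template `
                              -SubjectName $subject `
                              -DnsName $commonName `
                              -CertStoreLocation 'Cert:\LocalMachine\My'

# A pending status means the template requires CA manager approval; stop here
# rather than continuing with a certificate that does not exist yet.
if ($enrollment.Status -ne 'Issued') {
    throw "Enrollment did not complete: status is $($enrollment.Status)"
}
$cert = $enrollment.Certificate

# Checks worth doing before step 51: the certificate must carry the Server
# Authentication EKU, have its private key on this machine, and chain to a
# CA this machine trusts (Verify() walks the chain and checks revocation).
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$hasServerAuth = $cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid }

# Exportability is governed by the template (assumption: no Get-Certificate
# parameter overrides it), so it is not reported here.
[PSCustomObject]@{
    Subject       = $cert.Subject
    Thumbprint    = $cert.Thumbprint
    NotAfter      = $cert.NotAfter
    HasPrivateKey = $cert.HasPrivateKey
    ServerAuthEKU = [bool]$hasServerAuth
    ChainValid    = $cert.Verify()
}
```

If ServerAuthEKU or ChainValid comes back False, the wizard's Browse dialog in step 50 will either not list the certificate or clients will fail to validate it, so fix the template or the trust chain before continuing.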


50. Go back to the Remote Access Setup screen and click Browse

51. Select the da.mydomain.com certificate we just created and click OK.

52. Click Next >


53. Check Use computer certificates, check Use an intermediate certificate, and then click Browse

54. Select the certificate authority that will be issuing the client certificates and click OK


55. Optionally, you may enable Enable Windows 7 client computers to connect via DirectAccess as well as Enforce corporate compliance for DirectAccess clients with NAP. Note: Configuring these two options is not covered in the scope of this tutorial. Click Finish when done.


56. Click on Configure next to Step 3: Infrastructure Servers

57. On the Remote Access Setup screen, check The network location server is deployed on a remote web server (recommended), type in the website address of the Network Location Server, and click Next >
1. So for whatever reason, there aren't many articles explaining what exactly the network location server is and how to set it up. From what I gather, the Network Location Server is merely a server with a website running on it that the client can contact to ensure it has reached the internal network. The webpage can be the default IIS webpage; just ensure the website is NOT accessible externally.

58. Specify any additional DNS servers you wish to use for name resolution, ensure Use local name
resolution if the name does not exist in DNS or DNS servers are unreachable when the
client computer is on a private network (recommended) is checked and click Next >

59. Check Configure DirectAccess clients with DNS client suffix search list, ensure your local domain's suffix has been added, and click Next >



60. Click Finish on the Management page.

61. Click the Configure button on Step 4: Application Servers


62. Check Do not extend authentication to application servers and click Finish

63. Click Finish on the Remote Access Management Console page


64. Click Apply on the Remote Access Review page

65. Click Close once DirectAccess has successfully finished deploying
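Once the wizard has applied the configuration, the choices made in steps 27 through 62 can be read back with the RemoteAccess module that ships with the role, which is a better record than screenshots and lets you spot a setting the wizard silently kept at its default. The block below is an added example and not part of the tutorial; it uses the real cmdlets Get-DAClient, Get-DAServer, Get-DANetworkLocationServer, Get-DAClientDnsConfiguration, Get-DAAppServer and Get-RemoteAccessHealth, but the property names it selects are assumed to match the parameter names of the corresponding Set-* cmdlets, and the comparison strings in the two sanity checks are assumptions as well. Run it on the DirectAccess server.

```powershell
# Added example, not from the original tutorial. Run on the DA server after
# step 65. Property names selected below are assumed to mirror the Set-DA*
# parameter names; use Format-List * on any object to see the full set.
Import-Module RemoteAccess

# Steps 27-28: the security group, mobile-only filter and force tunneling.
$client = Get-DAClient
$client | Select-Object SecurityGroupNameList, OnlyRemoteComputers, ForceTunnel

# Steps 33-34 and 53: public name, adapters and computer certificate auth.
$server = Get-DAServer
$server | Select-Object ConnectToAddress, InternetInterface, InternalInterface, ComputerCertAuthentication

# Step 57: where the Network Location Server lives and its URL.
$nls = Get-DANetworkLocationServer
$nls | Select-Object NlsLocation, Url

# Steps 58-59: the DNS suffixes and servers that become the clients' NRPT rules.
Get-DAClientDnsConfiguration | Select-Object DnsSuffix, DnsIPAddress

# Step 62: application server (end-to-end authentication) configuration.
Get-DAAppServer

# Sanity checks matching the tutorial's recommendations. The string values
# compared against are assumptions about how the cmdlets report these settings.
if ("$($nls.NlsLocation)" -match 'DirectAccessServer') {
    Write-Warning 'NLS is hosted on the DA server itself; the tutorial (step 57) recommends a separate internal web server.'
}
if ("$($server.ComputerCertAuthentication)" -match 'Disabled') {
    Write-Warning 'Computer certificate authentication is off; step 53 expects it on.'
}

# Operational health as the role reports it; anything not OK needs a look
# before clients are pointed at this server.
Get-RemoteAccessHealth | Where-Object { $_.HealthState -ne 'OK' } |
    Select-Object Component, HealthState, OperationStatus
```

Keeping the output of this script with the change record for the server makes later drift (for example force tunneling being switched on by another administrator) easy to detect by re-running it and diffing.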


66. Log in to one of your Windows 8.x Enterprise machines that is inside of your DirectAccess Computers security group and run a gpupdate from the command line to pull down the latest group policy.
67. At this point, you should now be able to log in to your network via DirectAccess!
NOTES:
Here is a pretty good resource from Microsoft on helping plan your DirectAccess deployment. Once you click on the link, in the bottom left corner, you will find two steps to some good KB articles: http://technet.microsoft.com/en-us/library/jj134262.aspx
Here is another article from Microsoft with a more in-depth explanation about where to place the Network Location Server: http://technet.microsoft.com/en-us/library/ee382275(v=ws.10).aspx
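On the client side, "should now be able to log in" can be turned into a concrete check: whether the DirectAccess client GPO actually arrived (it shows up as NRPT rules), what the client believes about its location, and whether the Network Location Server from step 57 answers. The function below is an added example, not part of the tutorial; nls.mydomain.com is a placeholder for the NLS address entered in step 57, and the Status values it compares against are assumptions about what Get-DAConnectionStatus reports. Run it once on the LAN, where the NLS must be reachable, and once from an outside network, where it must not be; a reachable NLS from the outside means the NLS is exposed and every client will think it is inside, which is the failure mode the step 57 note warns about.

```powershell
# Added example, not from the original tutorial. Run on a Windows 8.x
# Enterprise client after step 66, once inside the network and once outside.
function Test-DAClientState {
    param(
        # Placeholder for the NLS URL configured in step 57.
        [string]$NlsUrl = 'https://nls.mydomain.com'
    )

    # Step 66: refresh computer policy so the DirectAccess client GPO applies.
    gpupdate /target:computer /force | Out-Null

    # The DA client GPO delivers NRPT rules for the suffixes from steps 58-59;
    # no rules means the GPO did not apply (group membership or mobile-only filter).
    $daRules = Get-DnsClientNrptPolicy | Where-Object { $_.Namespace }

    # The client's own view: inside (ConnectedLocally) or remote.
    $status = Get-DAConnectionStatus

    # NLS reachability: must succeed on the LAN and fail from the Internet.
    $nlsReachable = $false
    try {
        $resp = Invoke-WebRequest -Uri $NlsUrl -UseBasicParsing -TimeoutSec 10
        $nlsReachable = ($resp.StatusCode -eq 200)
    } catch {
        $nlsReachable = $false
    }

    [PSCustomObject]@{
        ConnectionStatus = $status.Status
        Substatus        = $status.Substatus
        NrptRuleCount    = @($daRules).Count
        NrptNamespaces   = (@($daRules) | ForEach-Object { $_.Namespace }) -join ', '
        NlsReachable     = $nlsReachable
    }
}

$state = Test-DAClientState
$state

# Interpretation (Status strings are assumptions about the cmdlet's output).
if ($state.NrptRuleCount -eq 0) {
    Write-Warning 'No NRPT rules: the DirectAccess client GPO has not applied to this machine.'
}
if ($state.NlsReachable -and "$($state.ConnectionStatus)" -ne 'ConnectedLocally') {
    Write-Warning 'NLS answered but the client does not consider itself inside; check the NLS certificate trust.'
}
if (-not $state.NlsReachable -and "$($state.ConnectionStatus)" -eq 'ConnectedLocally') {
    Write-Warning 'Client thinks it is inside but the NLS did not answer; check the NLS site and DNS.'
}
```

The same function run from a hotel or mobile network should report NlsReachable False and a remote connection status; if NlsReachable is True there, the NLS has been published externally and needs to be pulled back behind the firewall before anything else is troubleshot.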

This entry was posted in Active Directory, Networking and tagged DirectAccess, Remote Access, Unified Remote Access, Windows Server 2012 R2 on December 16, 2013 [http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/] by Jack.

12 thoughts on "[Tutorial] Configuring Direct Access on Server 2012 R2"


Rene Wieldraaijer
March 17, 2014 at 8:19 am

Nice tutorial. One comment on point 28. You write "If Use force tunneling is enabled, mobile computers will always connect to the DirectAccess server regardless if the client is directly attached to local network or is remote."
It should be: When force tunneling is enabled mobile computers will always use the direct access server when remote. So they will not use local breakout for Web surfing and stuff like that. Some say that this improves security because the client cannot be used as a remote bridge between the Internet and the corporate network. Anyway. When force tunneling is enabled computers will still not use the DA server when on the local network.

Jack (Post author)
March 17, 2014 at 2:11 pm

Thanks Rene! I have updated the wording for that step.


Appreciate the feedback!
Jack

Mahmoud
March 25, 2014 at 4:06 am

Thanks Jack,
I am on a task of setting up Direct Access on 2012 R2 but with OTP (One Time Password). I am going through this guide and hopefully OTP will work fine.

Jack (Post author)
March 25, 2014 at 11:31 am



Thanks Mahmoud! Please let me know how it goes!

Bernard Brink
March 28, 2014 at 4:21 am

Thank you, nice article.


And thank you for clearing up the NLS question.

Jack (Post author)
March 28, 2014 at 7:10 am

Thanks for the comment Bernard! Glad to have helped!

Sander Daems
April 23, 2014 at 1:36 am

Nice article! Thanks

Markus Kugler
June 13, 2014 at 1:26 am

Thanks, nice article.


I'm playing around in my lab environment and I'm running into an annoying wizard issue. The wizard tells me that the Active Directory security group cannot be found although it exists. Found one guy having this issue solved with solving an FRS error, but everything looks great here.
I tried the one-NIC and the two-NIC scenario behind an edge device.
Can anybody give me a hint?

Thanks, Markus

Jack (Post author)
June 16, 2014 at 8:08 am

Hi Markus,
The only thing that I can think of that would cause this is if you were running the installer as a local user account on the machine rather than a domain admin, the Active Directory account you are running as does not have access to browse the security group, or the security group is in a different domain/child domain and you have not browsed to it properly.
Hope this helps!
Jack

Deon
July 31, 2014 at 3:37 am

Great article thank you.


I was messing around changing options etc. to get a good understanding on everything. I then removed
the server to start again. This caused the laptop to no longer be connected to the domain network
location, it changed to private location.
Found this article which resolved my problem.
http://virot.eu/manually-remove-direct-access-from-a-client/

Katherine Moss
January 29, 2015 at 8:30 pm

Thanks for that! Very helpful; I've not tried it yet, though I plan to shortly. My question is, why uncheck the extend authentication to application servers checkbox? Because wouldn't that imply that you would need a standard VPN in order to authenticate because DA isn't being extended to applications?

Jack (Post author)
January 30, 2015 at 9:15 am

Hi Katherine,
This option isn't really extending access to an application, but performing the authentication process directly with the requested server, rather than the DA server. In the case where you have a highly locked-down environment, I would recommend you check the extend authentication to application servers checkbox and then specify the security groups containing the specific servers that users can access over the DirectAccess connection.
Hope this helps,
Jack
