Date post: 04-Mar-2018
Microsoft® Jump Start

M6: Implementing DirectAccess

Rick Claus | Technical Evangelist | Microsoft

Ed Liberman | Technical Trainer | Train Signal

Jump Start Target Agenda | Day One

Day 1

• Module 1: Installing and Configuring Servers Based on Windows Server 2012

• Module 2: Monitoring and Maintaining Windows Server 2012

• Module 3: Managing Windows Server 2012 by Using PowerShell 3.0

- MEAL BREAK -

• Module 4: Managing Storage for Windows Server 2012

• Module 5: Implementing Network Services

• Module 6: Implementing Direct Access

Day 2

• Module 7: Implementing Failover Clustering

• Module 8: Implementing Hyper-V

• Module 9: Implementing Failover Clustering with Hyper-V

- MEAL BREAK -

• Module 10: Implementing Dynamic Access Control

• Module 11: Implementing Active Directory Domain Services

• Module 12: Implementing Active Directory Federation Services

Module Overview

• Overview of DirectAccess

• Installing and Configuring DirectAccess Components

Problems with Remote Connections

What are the challenges you face when implementing remote connections?

VPN connects remote users to the network

DirectAccess extends the network to the remotely-connected computers and users

What Is DirectAccess?

Connects automatically to the corporate network over the public network

Uses various protocols, including HTTPS, to establish IPv6 connectivity

Supports selected server access and IPSec authentication

Supports end-to-end authentication and encryption

Supports management of remote client computers

Allows remote users to connect directly to intranet servers

Features of DirectAccess

Always-on connectivity

Seamless connectivity

Bidirectional access

Manage-out Support

Improved security

Integrated solution

Benefits of DirectAccess

[Diagram label: DirectAccess server]

What’s New in DirectAccess in Windows Server 2012

• Improved DirectAccess Management:

– Rich monitoring of client computers

– DirectAccess and RRAS coexistence

– Accounting and reporting

– Windows PowerShell and Server Core support

– Unified management wizard and tools

What’s New in DirectAccess in Windows Server 2012

• Simplified DirectAccess Management:

– Express setup for small and medium deployment

– Works with existing infrastructure

– IPv6 for internal network is not required

– Single NIC adapter

– Single IP address

What’s New in DirectAccess in Windows Server 2012

• Performance and Scalability:

– Support for high availability and external load balancers

– Improved support for Receive Side Scaling (RSS) running in virtual machines

– IP-HTTPS interoperability and performance improvements

– Lower bandwidth utilization

– Streamlined encryption

What’s New in DirectAccess in Windows Server 2012

• New Deployment Scenarios:

– Deploy multiple endpoints across the world

– Global unified management through single console

– Deploy a server behind a NAT

– Support for one-time password and virtual smart cards

– Off-premises provisioning

DirectAccess Components

• Internet websites

• DirectAccess server

• AD DS domain controller

• DNS server

• Internal network resources

• Network location server

• PKI deployment

• IPv6/IPsec

• External client computers

• NRPT/Connection security rules

• Internal client computers

Name Resolution Policy Table (NRPT)

• Table that defines DNS servers for different namespaces and corresponding security settings

– NRPT is used before the adapter’s DNS settings

• Using NRPT

– DNS servers can be defined for each DNS namespace rather than for each interface

– DNS queries for specific namespaces can be optionally secured by using IPSec

Name Resolution Policy Table (NRPT)

[Diagram: Internet websites, DirectAccess server, AD DS domain controller, DNS server, internal client computers, internal network resources]
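The per-namespace lookup described on the NRPT slide, as an added PowerShell example that is not part of the original deck. It is a simplified model of namespace matching (suffix and exact-FQDN rules only); the function name Resolve-NrptRule, the corp.example.com namespace and the 2001:db8::53 address are hypothetical, and the rule objects are constructed sample data whose property names follow the output of Get-DnsClientNrptPolicy.

```powershell
# Added example: simplified model of NRPT lookup. The rule objects below are
# constructed sample data; property names follow Get-DnsClientNrptPolicy output.
$sampleRules = @(
    [pscustomobject]@{ Namespace = '.corp.example.com'
                       DirectAccessDnsServers = @('2001:db8::53')
                       DirectAccessQueryIPsecRequired = $false }
    # Exemption rule: no DNS servers listed, so the adapter's DNS settings are used
    [pscustomobject]@{ Namespace = 'nls.corp.example.com'
                       DirectAccessDnsServers = @()
                       DirectAccessQueryIPsecRequired = $false }
)

function Resolve-NrptRule {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][object[]]$Rules
    )
    $fqdn = $Name.TrimEnd('.').ToLowerInvariant()
    $hits = foreach ($rule in $Rules) {
        foreach ($ns in @($rule.Namespace)) {
            $pattern  = $ns.ToLowerInvariant()
            $isSuffix = $pattern.StartsWith('.')
            # Leading dot = suffix rule; no leading dot = exact FQDN rule
            if (($isSuffix -and $fqdn.EndsWith($pattern)) -or
                (-not $isSuffix -and $fqdn -eq $pattern)) {
                [pscustomobject]@{ Rule = $rule; Pattern = $ns
                                   Exact = (-not $isSuffix); Specificity = $pattern.Length }
            }
        }
    }
    # Most specific rule wins: exact FQDN first, then the longest suffix
    $best    = $hits | Sort-Object -Property Exact, Specificity -Descending | Select-Object -First 1
    $servers = @(if ($best) { $best.Rule.DirectAccessDnsServers })
    [pscustomobject]@{
        Name          = $Name
        MatchedRule   = if ($best) { $best.Pattern } else { $null }
        # No matching rule, or an exemption rule, falls back to the adapter's DNS
        Resolver      = if ($servers.Count -gt 0) { $servers -join ', ' } else { 'adapter DNS settings' }
        # False on an internal namespace means its DNS queries are not IPsec-protected
        IPsecRequired = [bool]($best -and $best.Rule.DirectAccessQueryIPsecRequired)
    }
}

'app01.corp.example.com', 'nls.corp.example.com', 'www.example.org' |
    ForEach-Object { Resolve-NrptRule -Name $_ -Rules $sampleRules } |
    Format-Table -AutoSize
```

On a Windows 8 or later client, the effective rules can be passed in place of the sample data with `-Rules (Get-DnsClientNrptPolicy)`.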

How DirectAccess Works for Internal Client Computers

[Diagram: Internet websites, DirectAccess server, internal client computers, AD DS domain controller, DNS server, CRL dist point, network location server, connection security rules, NRPT]

How DirectAccess Works for External Client Computers

[Diagram: DirectAccess server, AD DS domain controller, DNS server, connection security rules, NRPT, external client computers, DNS server, internal network resources, Internet websites]

Prerequisites for Implementing DirectAccess

• Active Directory

• Group Policy

• IPv6 and transition technologies

• IPv6

• ICMPv6 Echo Request traffic

• ICMPv6

• IPsec policies

• PKI

• DirectAccess server

• DNS and domain controller

Process of Configuring DirectAccess

To configure DirectAccess:

1. Configure the AD DS domain controller and DNS

2. Configure the PKI environment

3. Configure the DirectAccess server

4. Configure the DirectAccess clients and test intranet and Internet access

DEMO: Configuring AD DS and Network Services for DirectAccess

• In this demonstration, you will see how to configure AD DS, PKI, and network services for DirectAccess

DEMO: Configuring the DirectAccess Server

• In this demonstration, you will see how to configure a DirectAccess server

Demonstration: Configuring the DirectAccess Client

• In this demonstration, you will see how to configure a DirectAccess client

Windows 7 vs. Windows 8 Client Implementation

WINDOWS 8

• Includes an in-box user interface for DirectAccess troubleshooting

• Automatically chooses a site in multisite deployment

• Can be used in deployments that do not require full PKI implementations

WINDOWS 7

• No tool from the client site for monitoring user interface for DirectAccess

• Needs to be set up manually for selected site in multisite deployment

• Needs certificate

Lab Review

• Why would you use a GPO to configure certificate deployment?

• How do you install the DirectAccess feature?

