2012 R2 DirectAccess

Looking to do 2012 R2 DirecAccess? You only want a single nic? And you want to use a NAT? Well read on then!

 

 

Recently we implemented DirectAccess for our internal infrastructure. A couple of items to note is that I’m not publishing the final configuration that’s been updated with the proper certificates, but the information posted will get you a working DirectAccess with a single NIC behind a NAT infrastructure.
There are several ways to setup DirectAccess, this document is the initial configuration for Model Technology Solutions. Additional Considerations include:

  • PKI
  • CRL/CDP configurations for internal and external clients
  • Not using self-signed certificates
  • NRTP
  • Additional exclusions
  • NLS
  • Additional URLS
  • Load balancing DirectAccess Servers
  • Additional transition technologies

Domain Controller Configuration

DNS Configuration

  1. On a domain controller (DNS Server) run this command:

dnscmd /config /globalqueryblocklist wpad

Disable ISATAP

  1. If you’re using a single NIC behind a NAT for the DirectAccess server you’ll be using IP-HTTPS and you will need to disable ISATAP on the Domain Controller by running this command:

netsh int ipv6 isatap set state disabled

Group Membership

  1. Create an Active Directory group which computers will be placed into to enable DirectAccess

DOMAIN\Da-Computers-GROUPNAME

 Additional Notes

  • The IPV6 Address will be handled automatically
  • Ensure the DNS server is listening on the IPV6 Address (properties of the DNS server, interfaces tab)
  • Four DNS records will be created as part of the DirectAccess Setup
  • The Domain Controller does not need the Firewall enabled

Public DNS Record

  1. Create a public DNS record for the DirectAccess URL. If you’re using a different external domain namespace than your internal domain namespace you won’t have to add the DirectAccess URL to the NRPT exclusions. If they are the same, you’ll need to add the URL to the NRPT exclusions in Group Policy.

something.model-technology.com points to the external IP of Model’s Cisco ASA (83.25.50.20) – (This isn’t the real IP :))

Firewall Configuration

Access Rule

  1. an access rule from Any source to the DA Server (192.168.20.13) using port 443 needs to be created

1

 

NAT Rule

  1. a NAT rule needs to be create for the bi-directional communication over 443

2

 

 

DirectAccess Server Configuration

  1. From the features section in Server Manager, choose Remote Access
  2. Once the base installation is complete, a post configuration will need to be completed
  3. Choose “Deploy DirectAccess Only”

3

Next type in the DNS name for Model’s configuration, we used da.model-technology.com (not shown in the screenshot)

4

On the next screen, choose the “EDIT” hyperlink before clicking next, so you can configure the group for the DirectAccess clients properly

5

Note: There’s a missing screenshot to configure the group, but this step is critical! You’ll figure it out once you see the options.

  1. Click Ok, then Finish…

 

 

Disable ISATAP

  • If you’re using a single NIC behind a NAT for the DirectAccess server you’ll be using IP-HTTPS and you will need to disable ISATAP on the DirectAccess Server by running this command:

netsh int ipv6 isatap set state disabled

 

 

Verify DirectAccess Configuration

Please note that Model’s configuration is not utilizing a PKI infrastructure, but rather self-signed certificates…

6

7

 

 

8

9

10

11

 

12

13

Note, the DNS server address is the IPV6 address of the DirectAccess Server, not the Domain Controller

14

15

16

17

18

 

Verify DNS Configuration

Note these are configured automatically during the DirectAccess setup.

19

 

Verify Group Policy Configuration

Note, these policies are created automatically. Because we have blocked inheritance enabled on certain OU’s, I have set them to be enforced.

20

 

Additional Notes

  • The IPV6 Address will be handled automatically
  • The DirectAccess server needs to have the firewall enabled to function. If you have a group policy turning off the firewall on servers, the DirectAccess Server will need to be excluded from the policy.
  • WinRM cannot be configured through Group Policy on the DirectAccess server. If you have a group policy in place, the DirectAccess Server will need to be excluded from the policy.
  • There are several hotfixes pertaining to the DirectAccess server and DirectAccess clients, if you see the references section.

DirectAccess Client Configuration

Note, there are Operating System dependencies for DirectAccess clients, please look them up to ensure you have the correct version of the Operating System.

  1. Once the client is a member of the DirectAccess group, is in an OU where the Group Policy will be applied, and the computer has been rebooted, you should see the new DirectAccess Icon in the Network Configuration screen

21

  1. Once you move to an external network, the DirectAccess connection should move to a connected state.

22

 

 

Troubleshooting

There’s a utility from Microsoft that will test the various aspects of the DirectAccess infrastructure from the client side called the DirectAccess client troubleshooter. It’s a free download from Microsoft and is useful for identify the issues with DirectAccess and can be found here DirectAccess Troubleshooter

 

References

 

 

By |2016-04-12T11:06:30+00:00January 15th, 2015|DirectAccess|0 Comments

About the Author:

Jason Rutherford
Managing Partner – Model Technology Solutions With over 18 years of Systems Management experience, Jason’s focus on people, process, and delivery has shaped Model into the consulting practice that it has become today. His approach to creating a consulting organization focused on creating IT efficiencies has led to strategic partnerships with Model’s clients. He believes in strong community support and that knowledge sharing is a critical factor to success.

Model Technology

Let us help you get your end point and data center strategy on cruise control!  Ask about our Calibration Assessment.

CONTACT US

  • 12125 Woodcrest Executive Drive, Ste. 204 Creve Coeur, MO 63141
  • (314) 254-4138
  • sales@model-technology.com

RECENT TWEETS