Saturday, 20 September 2014

Part 1: Deploying Microsoft's DirectAccess on Windows Server 2012 R2, in a Simple Topology behind a NAT Firewall

I am going to post a series of DirectAccess posts on how to deploy and configure it, this will hopefully give some useful information on things I have learned while deploying it in production. It's got to be said, DirectAccess can be "flaky", meaning it's behavior is sometimes inconsistent, I have personally installed DirectAccess four times into a production environment, each time I have required Microsoft support.

To install the required roles and features for DirectAccess, use the following PowerShell command, the SXS folder must be available locally or it will fail. I have included NLB to support a future post.


Add-WindowsFeature –Name DirectAccess-VPN, NLB   -IncludeManagementTools



Once you have restarted the server, open the Remote Access Management Console from the start menu. Click on the Run the Remote Access Setup Wizard, it would be my advice to avoid using the Run the Getting Started Wizard.

This part will depends on your requirements but I learned the hard way that if you have DirectAccess and VPN deployed, the NULL encyption for clients is invalid and connections are still suseptable to double encryption which makes performance terrible. Richard Hicks (MVP) blog outlines this known issue in more depth http://directaccess.richardhicks.com/2014/06/24/directaccess-ip-https-null-encryption-and-sstp-vpn/
Click Deploy DirectAccess Only.

The interface will refresh and you can click Configure under Step 1 - Remote Clients.

By default Deploy full DirectAccess for client access and remote management is selected, click Next.

I have created a domain local security group that contains the computer objects of all authorized DirectAccess clients, I suggest you do the same click Add and point to the group. I have seen disasters where people put Domain Computers in here, with no WMI Filtering which deploys DirectAccess to everything. This is part because if you mis-configure DirectAccess the GPO that gets deployed can tatoo the registry in a way that breaks DNS on the local devices, not something you would want across your entire domain.
If you tick Enable DirectAccess for Mobile Computers Only this configures a GPO WMI Filter to query the device for a battery, I have chosen not to enable this. I have also not selected Use Force Tunneling because it degrades performance so much, again down to the requirements.

At the next step you should configure the Network Connectivity Assistant (NCA), I personally always configure this to use PING and point it to my Domain Controllers, by default the DirectAccess wizard configures it to use HTTP and points it to a website http://DirectAccessWebHostProbe I have seen this cause issues so I do it this way.

You should consider changing the DirectAccess Connection Name this is the string of text that is displayed to users, below is an example of Windows 8.1.

Click Finish. Now you can move on to Step 2 - Remote Access Server click Configure.

In this simple topology example I am deploying DirectAccess behind a Cisco ASA 5510 Firewall therefore I have selected Behind an Edge Device (with a Single Network Adapter) in future posts I will go into deploying DirectAccess on the Edge. You must configure an externally resolvable FQDN for DirectAccess clients. I have configured directaccess.ryanbetts.co.uk, click Next.
As this server only has a single interface it has been automatically selected, if you rename interfaces Internal or External for example DirectAccess can automatically  detect these at this stage. Again this is a simple example so I am using self -signed certificates. Click Next.

Although it is not a requirement for Windows 8 clients, if you are planning to use Windows 7 Enterprise clients you must configure Use Computer Certificates and point it to your Certificate Authority. If you are using Windows 7, and are hosting the Certificate Authority, ensure the Certificate Revocation List (CRL) is externally reachable. Click Next.

Click Configure for Step 3 Infrastructure Servers.
For this example I am installing the Network Location Server (NLS) on box, with DirectAccess. This is not considered a good practice as the NLS is so important to DirectAccess. If you are looking to configure the Network Location Server (NLS) on a seperate server check out my other blog post on how to do this for DirectAccess - http://blog.ryanbetts.co.uk/2014/06/directaccess-configuring-network.html

The DNS Server configuration can be a bit confusing, the address should be set to the DirectAccess Servers IP, most people would think this should be a DNS server address. Definately got me the first time I deployed DirectAccess.

This is straight forward in my lab as I only have a single domain, if you want to exclude domains remove them from the Domain Suffixes to Use list. Click Next.

On the Management tab, this is where you define the SCCM/WSUS servers in the environment. I personally have an SCCM 2012 R2 server, so I have pointed it to that. Click Finish.

Click Finish to write the GPO's.
The wizard will compile a review of all the settings, click Apply when you are happy with them. You can use the Change button to rename the GPO's it creates if your GPO structure uses a naming convention.


Don't worry if the Dashboard looks like this at first, it seems to take a few minutes (sometimes longer) for DirectAccess to compose itself.
Click Refresh a couple of times and it will come back green for every service if you have configured it correctly.

If you remember back to earlier in this post I chose Behind Edge (with one network adapter) this means I am going to use Network Address Translation (NAT) to enable DirectAccess to sit behind a firewall, although this is a supported configuration it means the only connection protocol that can be used for clients to connect is HTTPS which is a TCP protocol, this means performance is degraded as it's a connection orientated protocol that handshakes. In a NAT'd environment you must have a 1:1 NAT rule configured on the firewall that points to the internal IP of the DirectAccess server, port 443 is required if HTTPS is going to be used.

If you are looking to deploy DirectAccess, I would also check out the following resources;

http://directaccess.richardhicks.com/ (MVP DirectAccess Blog)

http://www.amazon.com/Microsoft-DirectAccess-Best-Practices-Troubleshooting/dp/1782171061/ref=sr_1_1?ie=UTF8&qid=1411295281&sr=8-1&keywords=directaccess (Book by DirectAccess MVP)

http://www.amazon.com/Windows-Server-Unified-Planning-Deployment/dp/1849688281/ref=sr_1_2?ie=UTF8&qid=1411295281&sr=8-2&keywords=directaccess (Another good book for DirectAccess)

Comments system

Disqus Shortname