Tuesday 17 June 2014

DirectAccess: Configuring Network Location Server (NLS) SSL NLS Off-Box

Internet Information Services (IIS) must be installed on the server that is going to host the Network Location Server (NLS). When IIS is configured a new certificate request must be made. The Certificates (Local) MMC snap-in can be used to to do this, expand Personal and Certificates. Right click on the Certificates folder and select Request New Certificate...

Click Next at the inital Certificate Enrollment page.

From the list of available Certificate Requests choose Web Server, in your environment this may be blank this is due to Certificate Templates not being issued. You can duplicate and certificate templates on your CA (remember and grant permissions to either Authenticated Users or Domain Computers), and choose Certificate Template to Issue.

Select Web Server (this was provisioned by the Web Server Certificate Template), and click More information is required to enroll this certificate. Click here to configure settings.

From the Certificate Properties dialog box, under Subject Name: change the type to Common Name, the value should be set to the name used for the NLS server. In this example it's nls.company.pri click Add.

Click Enroll.

The Certificate being enrolled.


Click Finish to conclude the Certificate request.

You will now see on the IIS Server that the nls.company.pri certificate appears under Personal/Certificates.

Although by default the DirectAccess Getting Started Wizard installs NLS on the DA Server, if you are to host it on another server you should create a new website. Decide where on the local file system the website files will reside and create a new folder.



Change the Permissions on the website folder to include Everyone with Full Control (in production you would not enter Everyone F/C to any directory, but this is an example).

In case in your environment you have multiple administrators create a very simply web page, this something like Do Not Delete.

To save the Notepad document as .html choose Save as type: All Files and name the file with the extension .html

Open the Internet Information Services (IIS) console, expand the server name object and right click on Sites, then click Add Website.

In the Site Name: field enter NLS (or whatever you have chosen), and click Select to change the Application Pool to Default AppPool, click OK.

The physical path should point to the new folder you created that contains the index.html file. Under Bindings the Type should be set to https, the IP Address should be the interface of this web server, and Port should be 443. Perhaps the most important part is the Host name: field, this must match the Common Name (nls.company.pri) that was configured during the Certificate Request done in an earlier stage.From the SSL Certificate drop down select nls.company.pri, click OK. It warrants notice that in this example I have an additional Network Adapter configured on this VM, with the IP of this interface only listens for the DirectAccess traffic, in my experience this works best for the NLS Server.

IIS should look something like this.

DNS must now be configured to support the NLS website, you start by right clicking on the Forward Lookup Zone under your domain Company.pri and select New Host (A or AAAA)... record.

The A record should use the name of nls and the IP address should be set to the IP address of the interface you bound to the SSL Certificate in IIS.

If you now open up CMD and type ping nls it should resolve to the correct IP. If you too decide to configure a dedicated interface for NLS traffic, you must be careful to remove any duplicate DNS (A) record that will be automatically created when the new interface is connected to an already domain joined computer (Active Directory Integrated Zones with Dynamic Updates). If you fail to do this the server you are using is effectively going to answer pings to multiple IP's.

Open the Remote Access Management console and click Step 3 Infrastructure Servers Edit

From the Network Location Server pane, click The network location server is deployed on a remote web server (recommended). In the URL field type https://nls.company.pri and click Validate.

Now return to the Dashboard NLS will be reporting full health.