Internet Information Services (IIS) must be installed on the server that is going to host the Network Location Server (NLS). Once IIS is installed, a new certificate request must be made. The Certificates (Local) MMC snap-in can be used to do this: expand Personal and Certificates, right-click the Certificates folder and select Request New Certificate...

Click Next at the initial Certificate Enrollment page.
From the list of available Certificate Requests choose Web Server. In your environment this list may be blank; this is due to Certificate Templates not being issued. You can duplicate certificate templates on your CA (remembering to grant permissions to either Authenticated Users or Domain Computers), and then choose Certificate Template to Issue.

Select Web Server (this was provisioned by the Web Server Certificate Template), and click "More information is required to enroll this certificate. Click here to configure settings."
From the Certificate Properties dialog box, under Subject Name, change the Type to Common Name; the Value should be set to the name used for the NLS server. In this example it is nls.company.pri. Click Add.

Click Enroll.

The certificate being enrolled.

Click Finish to conclude the certificate request.

You will now see on the IIS server that the nls.company.pri certificate appears under Personal/Certificates.
Although by default the DirectAccess Getting Started Wizard installs NLS on the DA server, if you are going to host it on another server you should create a new website. Decide where on the local file system the website files will reside and create a new folder.

Change the permissions on the website folder to include Everyone with Full Control (in production you would not grant Everyone Full Control on any directory, but this is an example).

In case your environment has multiple administrators, create a very simple web page containing something like Do Not Delete.

To save the Notepad document as .html, choose Save as type: All Files and name the file with the extension .html.
Open the Internet Information Services (IIS) console, expand the server name object, right-click Sites, then click Add Website.

In the Site name field enter NLS (or whatever you have chosen), click Select to change the Application pool to DefaultAppPool, and click OK.

The Physical path should point to the new folder you created that contains the index.html file. Under Binding, Type should be set to https, IP address should be the interface of this web server, and Port should be 443. Perhaps the most important part is the Host name field: this must match the Common Name (nls.company.pri) that was configured during the certificate request in an earlier step. From the SSL certificate drop-down select nls.company.pri and click OK. It is worth noting that in this example I have an additional network adapter configured on this VM, with the IP of 192.168.1.20; this interface only listens for the DirectAccess traffic, and in my experience this works best for the NLS server.

IIS should look something like this.
DNS must now be configured to support the NLS website. Start by right-clicking the Forward Lookup Zone for your domain, Company.pri, and select New Host (A or AAAA)...

The A record should use the name nls, and the IP address should be set to the IP address of the interface you bound to the SSL certificate in IIS.

If you now open CMD and type ping nls, it should resolve to the correct IP. If you also decide to configure a dedicated interface for NLS traffic, you must be careful to remove any duplicate DNS (A) record that is automatically created when the new interface is connected on an already domain-joined computer (Active Directory Integrated Zones with Dynamic Updates). If you fail to do this, the server you are using will effectively answer pings on multiple IPs.
Open the Remote Access Management console and, under Step 3 Infrastructure Servers, click Edit.

From the Network Location Server pane, click "The network location server is deployed on a remote web server (recommended)". In the URL field type https://nls.company.pri and click Validate.

Now return to the Dashboard; NLS will be reporting full health.
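The same NLS build-out, scripted, as an added example that is not part of the original post: it creates the site and https binding with the host name matching the certificate CN, adds the DNS record, flags any extra A record that dynamic registration created for the dedicated interface, and performs a client-side HTTPS check similar in spirit to the wizard's Validate. The site root C:\inetpub\nls, the DNS server dc1.company.pri and the read-only IIS_IUSRS permission are assumptions; the certificate is assumed to be already enrolled as described above.

```powershell
# Added example (not the original post's code). Run elevated on the IIS host that
# will serve NLS; needs the WebAdministration module and the DnsServer RSAT module.
Import-Module WebAdministration
Import-Module DnsServer

$NlsFqdn   = 'nls.company.pri'       # must equal the certificate Common Name
$NlsIp     = '192.168.1.20'          # dedicated NLS interface from the post
$SiteRoot  = 'C:\inetpub\nls'        # assumed folder for the site files
$DnsServer = 'dc1.company.pri'       # assumed DNS server for the zone
$ZoneName  = 'company.pri'

# 1. Folder plus a trivial page so the site answers HTTP 200.
New-Item -Path $SiteRoot -ItemType Directory -Force | Out-Null
Set-Content -Path (Join-Path $SiteRoot 'index.html') -Value '<html><body>Do Not Delete - DirectAccess NLS</body></html>'
# Read/execute for the IIS worker identity instead of Everyone / Full Control (assumed hardening).
icacls $SiteRoot /grant 'IIS_IUSRS:(OI)(CI)RX' | Out-Null

# 2. Locate the enrolled Web Server certificate by its Common Name.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$NlsFqdn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$NlsFqdn in LocalMachine\My; enroll it first." }

# 3. Create the site: https on the dedicated interface, port 443, host header = CN.
New-Website -Name 'NLS' -PhysicalPath $SiteRoot -ApplicationPool 'DefaultAppPool' `
    -Ssl -IPAddress $NlsIp -Port 443 -HostHeader $NlsFqdn | Out-Null
$binding = Get-WebBinding -Name 'NLS' -Protocol https
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# 4. DNS: one A record for nls, then flag any other A record that also points at the
#    NLS address (dynamic registration of the new adapter creates such duplicates).
Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName $ZoneName -Name 'nls' -IPv4Address $NlsIp
$dupes = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType A |
    Where-Object { $_.RecordData.IPv4Address.IPAddressToString -eq $NlsIp -and $_.HostName -ne 'nls' }
foreach ($d in $dupes) {
    Write-Warning "Extra A record '$($d.HostName)' -> $NlsIp; remove it so only nls resolves to this address."
}

# 5. Client-side check: HTTPS GET to the NLS URL must succeed before the DA wizard will validate it.
$resp = Invoke-WebRequest -Uri "https://$NlsFqdn/" -UseBasicParsing
"NLS responded with HTTP $($resp.StatusCode); certificate $($cert.Subject), thumbprint $($cert.Thumbprint)"
```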