To install the required roles and features for DirectAccess, use the following PowerShell command, the SXS folder must be available locally or it will fail. I have included NLB to support a future post.
Add-WindowsFeature –Name DirectAccess-VPN, NLB -IncludeManagementTools
|
Once you have restarted the server, open the
Remote Access Management Console from the start menu. Click on the Run
the Remote Access Setup Wizard, it would be my advice to avoid using the Run
the Getting Started Wizard.
This part will depends on your requirements but I
learned the hard way that if you have DirectAccess and VPN deployed, the
NULL encyption for clients is invalid and connections are still
suseptable to double encryption which makes performance terrible. Richard Hicks
(MVP) blog outlines this known issue in more depth http://directaccess.richardhicks.com/2014/06/24/directaccess-ip-https-null-encryption-and-sstp-vpn/
Click Deploy DirectAccess Only.
The interface will refresh and you can click Configure
under Step 1 - Remote Clients.
By default Deploy full DirectAccess for client
access and remote management is selected, click Next.
I have created a domain local security group that
contains the computer objects of all authorized DirectAccess clients, I suggest
you do the same click Add and point to the group. I have seen disasters
where people put Domain Computers in here, with no WMI Filtering which
deploys DirectAccess to everything. This is part because if you mis-configure
DirectAccess the GPO that gets deployed can tatoo the registry in a way that
breaks DNS on the local devices, not something you would want across your
entire domain.
If you tick Enable DirectAccess for Mobile
Computers Only this configures a GPO WMI Filter to query the device for a
battery, I have chosen not to enable this. I have also not selected Use
Force Tunneling because it degrades performance so much, again down to the
requirements.
At the next step you should configure the Network
Connectivity Assistant (NCA), I personally always configure this to use PING
and point it to my Domain Controllers, by default the DirectAccess wizard
configures it to use HTTP and points it to a website http://DirectAccessWebHostProbe
I have seen this cause issues so I do it this way.
You should consider changing the DirectAccess
Connection Name this is the string of text that is displayed to users,
below is an example of Windows 8.1.
Click Finish. Now you can move on to Step
2 - Remote Access Server click Configure.
In this simple topology example I am deploying
DirectAccess behind a Cisco ASA 5510 Firewall therefore I have selected Behind
an Edge Device (with a Single Network Adapter) in future posts I will go
into deploying DirectAccess on the Edge. You must configure an externally
resolvable FQDN for DirectAccess clients. I have configured directaccess.ryanbetts.co.uk,
click Next.
As this server only has a single interface it has
been automatically selected, if you rename interfaces Internal or External
for example DirectAccess can automatically
detect these at this stage. Again this is a simple example so I am using
self -signed certificates. Click Next.
Although it is not a requirement for Windows 8
clients, if you are planning to use Windows 7 Enterprise clients you must
configure Use Computer Certificates and point it to your Certificate
Authority. If you are using Windows 7, and are hosting the Certificate
Authority, ensure the Certificate Revocation List (CRL) is externally
reachable. Click Next.
Click Configure for Step 3
Infrastructure Servers.
For this example I am installing the Network
Location Server (NLS) on box, with DirectAccess. This is not considered a good
practice as the NLS is so important to DirectAccess. If you are looking to
configure the Network Location Server (NLS) on a seperate server check out my
other blog post on how to do this for DirectAccess - http://blog.ryanbetts.co.uk/2014/06/directaccess-configuring-network.html
The DNS Server configuration can be a bit
confusing, the address should be set to the DirectAccess Servers IP,
most people would think this should be a DNS server address. Definately got me
the first time I deployed DirectAccess.
This is straight forward in my lab as I only have
a single domain, if you want to exclude domains remove them from the Domain
Suffixes to Use list. Click Next.
On the Management tab, this is where you define
the SCCM/WSUS servers in the environment. I personally have an SCCM 2012 R2
server, so I have pointed it to that. Click Finish.
Click Finish to write the GPO's.
The wizard will compile a review of all the
settings, click Apply when you are happy with them. You can use the Change
button to rename the GPO's it creates if your GPO structure uses a naming
convention.
Don't worry if the Dashboard looks like
this at first, it seems to take a few minutes (sometimes longer) for
DirectAccess to compose itself.
Click Refresh a couple of times and it
will come back green for every service if you have configured it correctly.
If you remember back to earlier in this post I
chose Behind Edge (with one network adapter) this means I am going to
use Network Address Translation (NAT) to enable DirectAccess to sit behind a
firewall, although this is a supported configuration it means the only
connection protocol that can be used for clients to connect is HTTPS
which is a TCP protocol, this means performance is degraded as it's a
connection orientated protocol that handshakes. In a NAT'd environment you must have a 1:1 NAT rule configured on the firewall that points to the internal IP of the DirectAccess server, port 443 is required if HTTPS is going to be used.
If you are looking to deploy DirectAccess, I would also check out the following resources;
http://directaccess.richardhicks.com/ (MVP DirectAccess Blog)
http://www.amazon.com/Microsoft-DirectAccess-Best-Practices-Troubleshooting/dp/1782171061/ref=sr_1_1?ie=UTF8&qid=1411295281&sr=8-1&keywords=directaccess (Book by DirectAccess MVP)
http://www.amazon.com/Windows-Server-Unified-Planning-Deployment/dp/1849688281/ref=sr_1_2?ie=UTF8&qid=1411295281&sr=8-2&keywords=directaccess (Another good book for DirectAccess)
If you are looking to deploy DirectAccess, I would also check out the following resources;
http://directaccess.richardhicks.com/ (MVP DirectAccess Blog)
http://www.amazon.com/Microsoft-DirectAccess-Best-Practices-Troubleshooting/dp/1782171061/ref=sr_1_1?ie=UTF8&qid=1411295281&sr=8-1&keywords=directaccess (Book by DirectAccess MVP)
http://www.amazon.com/Windows-Server-Unified-Planning-Deployment/dp/1849688281/ref=sr_1_2?ie=UTF8&qid=1411295281&sr=8-2&keywords=directaccess (Another good book for DirectAccess)
