Introductiondownload.microsoft.com › ... › TestLabGuide_Demonstr… · Web viewA.Obtain NLS Certificate for SSL Connections to Network Location Server on APP115 B.Configure the

Test Lab Guide: Demonstrate Forefront UAG 2010 SP1 RC DirectAccess

Microsoft CorporationPublished: October 2010

AbstractDirectAccess is a new feature in the Windows® 7 and Windows Server® 2008 R2 operating systems that enables remote users to securely access intranet shared folders, Web sites, and applications without connecting to a virtual private network (VPN). Forefront UAG 2010 SP1 RC DirectAccess extends the benefits of Windows DirectAccess across your infrastructure by enhancing availability and scalability, as well as simplifying deployments and ongoing management. This paper contains an introduction to DirectAccess and step-by-step instructions for extending the Base Configuration test lab to demonstrate UAG DirectAccess with a simulated

http://go.microsoft.com/fwlink/?LinkId=198140

Internet, intranet, and home network.

Copyright InformationThis document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Author: Thomas W Shinder

© 2010 Microsoft Corporation. All rights reserved.

Date of last update: October 25, 2010

Microsoft, Windows, Active Directory, Internet Explorer, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

ContentsIntroduction.................................................................................................................................................1

In this guide.............................................................................................................................................2

Overview of the Test Lab scenario...............................................................................................................3

Configuration component requirements.....................................................................................................4

Steps for configuring the test lab................................................................................................................5

STEP 1: Complete the Base Configuration...............................................................................................6

STEP 2: Configure DC1.............................................................................................................................6

A. Create Reverse Lookup Zone on DNS Server on DC1...................................................................7

B. Enter PTR Record for DC1............................................................................................................8

C. Enable ISATAP Name Resolution on DNS Server on DC1.............................................................8

D. Create DNS Records for NLS and ISATAP on DC1.........................................................................9

E. Create a Security Group for DirectAccess Clients on DC1..........................................................10

F. Create and Deploy a Certificate Template for the IP-HTTPS Listener Certificate and Network Location Server Certificate.................................................................................................................10

G. Create ICMPv4 and ICMPv6 Echo Request Firewall Rules in Domain Group Policy on DC1.......12

H. Create a Shared Folder on the C:\ Drive on DC1........................................................................14

STEP 3: Configure APP1.........................................................................................................................14

A. Obtain NLS Certificate for SSL Connections to Network Location Server on APP1.....................15

B. Configure the HTTPS Security Binding on the NLS Web Site on APP1........................................16

STEP 4: Install and Configure APP3........................................................................................................16

A. Install the OS on APP3 and Disable the Firewall........................................................................17

B. Install Web Services...................................................................................................................18

C. Create a Shared Folder on C:\....................................................................................................19

STEP 5: Configure UAG1........................................................................................................................20

A. Rename the EDGE1 to UAG1.....................................................................................................22

B. Obtain the IP-HTTPS Listener Certificate on UAG1....................................................................23

C. Configure a DNS Entry on INET1 with the Name on the IP-HTTPS Certificate............................24

D. Install Forefront UAG Service Pack 1 on UAG1..........................................................................24

E. Run the UAG Getting Started Wizard.........................................................................................25

F. Run the UAG DirectAccess Configuration Wizard on UAG1.......................................................26

G. Confirm Group Policy Settings on UAG1....................................................................................28

H. Confirm IPv6 Settings on UAG1..................................................................................................29

I. Update IPv6 Settings on DC1.....................................................................................................30

J. Update IPv6 Settings on APP1....................................................................................................30

K. Confirm IPv6 Address Registration in DNS.................................................................................30

L. Confirm IPv6 Connectivity between DC1/APP1/UAG1...............................................................31

STEP 6: Configure CLIENT1.....................................................................................................................31

A. Add CLIENT1 to the DA_Clients Security Group.........................................................................32

B. Test IPv6 Configuration, Confirm Group Policy Settings and Machine Certificate on CLIENT1. .33

C. Test Connectivity to a Network Share and the Network Location Server..................................33

STEP 7: Configure NAT1.........................................................................................................................34

A. Install the OS on NAT1...............................................................................................................35

B. Rename the Network Interfaces on NAT1.................................................................................35

C. Disable 6to4 on NAT1................................................................................................................36

D. Configure ICS on the External Interface of NAT1.......................................................................36

STEP 8: Test DirectAccess Connectivity from the Internet.....................................................................37

STEP 9: Test DirectAccess Connectivity from Behind a NAT Device.......................................................39

A. Testing Teredo Connectivity......................................................................................................40

B. Testing IP-HTTPS Connectivity...................................................................................................42

STEP 10: View DirectAccess Client Sessions in the UAG DirectAccess Monitor.....................................44

STEP 11: Test Connectivity When Returning to the Corpnet.................................................................44

STEP 12: Snapshot the Configuration....................................................................................................45

Additional Resources.................................................................................................................................45

IntroductionForefront Unified Access Gateway (UAG) 2010 SP1 RC provides users with the experience of being seamlessly connected to their intranet any time they have Internet access. When DirectAccess is enabled, requests for intranet resources (such as e-mail servers, shared folders, or intranet Web sites) are securely directed to the intranet, without the need for users to connect to a VPN. DirectAccess enables increased productivity for a mobile workforce by offering the same connectivity experience both inside and outside of the office. Forefront UAG 2010 SP1 RC DirectAccess extends the benefits of Windows DirectAccess across your infrastructure by enhancing availability and scalability, as well as simplifying deployments and ongoing management. For more information, see Overview of Forefront UAG DirectAccess.

IT professionals can benefit from UAG 2010 SP1 RC DirectAccess in many ways:

Improved Manageability of Remote Users. Without DirectAccess, IT professionals can only manage mobile computers when users connect to a VPN or physically enter the office. With DirectAccess, IT professionals can manage mobile computers by updating Group Policy settings and distributing software updates any time the mobile computer has Internet connectivity, even if the user is not logged on. This flexibility allows IT professionals to manage remote computers on a regular basis and ensures that mobile users stay up-to-date with security and system health policies.

Secure and Flexible Network Infrastructure. Taking advantage of technologies such as Internet Protocol version 6 (IPv6) and Internet Protocol security (IPsec), DirectAccess provides secure and flexible network infrastructure for enterprises. Below is a list of DirectAccess security and performance capabilities:

o Authentication. DirectAccess authenticates the computer, enabling the computer to connect to the intranet before the user logs on. DirectAccess can also authenticate the user and supports two-factor authentication using smart cards and one-time passwords, such as RSA SecurID.

o Encryption. DirectAccess uses IPsec to provide encryption for communications across the Internet.

o Access to IPv4-only intranet resources. UAG DirectAccess extends the value of Windows DirectAccess with NAT64/DNS64, an IPv6/IPv4 protocol transition technology that enables DirectAccess client connectivity to IPv4-only resources on the intranet.

High availability and array configuration. UAG DirectAccess extends the value of Windows DirectAccess by adding integrated support for Network Load Balancing and array configuration, which work together to enable a highly available DirectAccess deployment.

IT Simplification and Cost Reduction. By default, DirectAccess separates intranet from Internet traffic, which reduces unnecessary traffic on the intranet by sending only traffic destined for the

1

http://technet.microsoft.com/en-us/library/ee406226.aspx


intranet through the DirectAccess server. Optionally, IT can configure DirectAccess clients to send all traffic through the DirectAccess server.

The following figure shows a DirectAccess client on the Internet.

In this guideThis paper contains instructions for configuring and demonstrating UAG2010 SP1 RC DirectAccess using five server computers and two client computers. The starting point for this guide is a Test Lab based on the “Steps for Configuring the Corpnet Subnet “ and “Steps for Configuring the Internet Subnet“ sections of the Test Lab Guide: Base Configuration. The resulting UAG 2010 SP1 RC DirectAccess test lab simulates an intranet, the Internet, and a home network and demonstrates DirectAccess functionality in different Internet connection scenarios.

Important:

These instructions are designed for configuring a Test Lab using the minimum number of computers. Individual computers are needed to separate the services provided on the network, and to show clearly the required functionality. This configuration is not designed to reflect best practices, nor does it reflect a required or recommended configuration for a production network. The configuration, including IP address assignment and all other configuration parameters, is designed to work only on a separate Test Lab network. For more information on planning and deploying DirectAccess with Forefront UAG for your production network, please see the Forefront UAG DirectAccess design guide and the Forefront UAG DirectAccess deployment guide

2

http://technet.microsoft.com/en-us/library/dd857320.aspx




Overview of the Test Lab scenarioIn this test lab scenario, Forefront UAG DirectAccess is deployed with:

One computer running Windows Server 2008 R2 Enterprise Edition (DC1), that is configured as an intranet domain controller, Domain Name System (DNS) server, Dynamic Host Configuration Protocol (DHCP) server, and an enterprise root certification authority (CA).

One intranet member server running Windows Server 2008 R2 Enterprise Edition (UAG1), that is configured as a Forefront UAG 2010 SP1 RC DirectAccess server.

One intranet member server running Windows Server 2008 R2 Enterprise Edition (APP1) that is configured as a general application server and Network Location Server.

One intranet member server running Windows Server 2003 SP2 Enterprise Edition (APP3), that is configured as a IPv4 only web and file server. This server is used to highlight the NAT64/DNS64 capabilities.

One standalone server running Windows Server 2008 R2 Enterprise Edition (INET1), that is configured as an Internet DNS and DHCP server.

One standalone client computer running Windows 7 Ultimate Edition (NAT1), that is configured as a network address translator (NAT) device using Internet Connection Sharing.

One roaming member client computer running Windows 7 Ultimate Edition (CLIENT1) that is configured as a DirectAccess client.

The test lab consists of three subnets that simulate the following:

A home network named Homenet (192.168.137.0/24) connected to the Internet by a NAT.

The Internet (131.107.0.0/24).

An intranet named Corpnet (10.0.0.0/24) separated from the Internet by the Forefront UAG DirectAccess server.

Computers on each subnet connect using either a physical or virtual hub or switch, as shown in the following figure.

3

CLIENT1 initially connects to the Corpnet subnet and joins the intranet domain. After UAG1 is configured as a Forefront UAG DirectAccess server, and CLIENT1 is updated with the DirectAccess client Group Policy settings, CLIENT1 later connects to the Internet subnet and the Homenet subnet, and tests DirectAccess connectivity to intranet resources on the Corpnet subnet.

Configuration component requirementsThe following components are required for configuring Forefront UAG DirectAccess in the test lab:

The product disc or files for Windows Server 2008 R2 Enterprise Edition.

The product disc or files for Windows Server 2003 Enterprise SP2

The product disc or files for of Windows 7 Ultimate.

Five computers or virtual machines that meet the minimum hardware requirements for Windows Server 2008 R2 Enterprise; two of these computers has two network adapters installed.

One computer or virtual machine that meets the minimum hardware requirements for Windows Server 2003 SP2

4

Two computers or virtual machines that meet the minimum hardware requirements for Windows 7 Ultimate; one of these computers has two network adapters installed.

The product disc or a downloaded version of Microsoft Forefront Unified Access Gateway (UAG) 2010 Service Pack 1 Release Candidate (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=980ff09f-2d5e-4299-9218-8b3cab8ef77a).

Steps for configuring the test labThe following steps describe how to configure the server and client computers, and configure the Forefront UAG DirectAccess server, in a test lab. Following these configurations you can verify DirectAccess connectivity from the Internet and Homenet subnets.

Note:

You must be logged on as a member of the Domain Admins group or as a member of the Administrators group on each computer to complete the tasks described in this guide. If you cannot complete a task while you are logged on with an account that is a member of the Administrators group, try performing the task while you are logged on with an account that is a member of the Domain Admins group.

Step 1: Complete the Base Configuration. The Base Configuration is the core of all Test Lab Guide scenarios. The first step is to complete the Base Configuration.

Step 2: Configure DC1 - DC1 is a Windows Server 2008 R2 computer that is the domain controller, Certificate server, DNS server, File Server and DHCP server for the corp.contoso.com domain.

Step 3: Configure APP1- APP1 is a Windows Server 2008 R2 computer that acts in the role of the Network Location Server on the network.

Step 4: Install and Configure APP3 - APP3 is a Windows Server 2003 Enterprise Edition computer that acts as an IPv4 only host and is used to demonstrate DirectAccess connectivity to IPv4 only resources using the UAG DNS64 and NAT64 features. APP3 hosts both HTTP and SMB resources that the DirectAccess client computer will be able to access from other the simulated Internet.

Step 5: Configure UAG1 – UAG1 acts as UAG SP1 RC DirectAccess. Step 6: Configure CLIENT1 – CLIENT1 is a DirectAccess client that is used to test DirectAccess

connectivity in several Internet network access scenarios. Step 7: Install and Configure NAT1 – NAT1 acts as a simulated NAT router that enables CLIENT1

access to the UAG DirectAccess server over the simulated Internet.

5

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=980ff09f-2d5e-4299-9218-8b3cab8ef77a

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=980ff09f-2d5e-4299-9218-8b3cab8ef77a

Step 8: Test DirectAccess Connectivity from the Internet – CLIENT1 is connected to the simulated Internet subnet to demonstrate DirectAccess connectivity using the 6to4 IPv6 transition technology.

Step 9: Test DirectAccess Connectivity from Behind a NAT Device – CLIENT1 is connected to the simulated private address network to demonstrate DirectAccess connectivity using the Teredo and IP-HTTPS IPv6 transition technologies.

Step 10: View DirectAccess Connections in the UAG SP1 RC DirectAccess Monitor. UAG SP1 RC includes a new DirectAccess Web Monitor. In this step you will view information about the UAG SP1 RC DirectAccess server and DirectAccess client connections in the new DirectAccess Monitor application.

Step 11: Test Connectivity When Returning to the Corpnet – CLIENT1 is connected again to the Corpnet subnet to demonstrate how DirectAccess components are automatically disabled to connect to local resources.

Step 12: Snapshot the Configuration – At the completion of the lab, snapshot the configuration so that you can later return to a working UAG DirectAccess Test Lab.

Note You will notice that there are several steps that begin with an asterisk (*). The * indicates that the step requires that you move to a computer or virtual machine that is different from the computer or virtual machine you were at when you completed the previous step.

STEP 1: Complete the Base ConfigurationThis Test Lab Guide uses the Base Configuration network as a starting place. Please complete all the steps in Test Lab Guide: Base Configuration before proceeding with the remainder of the steps in this guide. If you have already completed all the steps in the Base Configuration Test Lab Guide and saved a disk image or a virtual machine snapshot of the Base Configuration, then you can restore the Base Configuration and proceed to the next step.

STEP 2: Configure DC1DC1 acts as a domain controller, Certificate server, DNS server, File Server and DHCP server for the corp.contoso.com domain. The following steps build on the Base Configuration to prepare DC1 to carry out these roles to support a working DirectAccess solution:

A. Create a Reverse Lookup Zone on the DNS Server on DC1.A reverse lookup zone for network ID 10.0.0.0/24 is required to create a pointer record for DC1. The pointer record allows reverse name resolution for DC1, and prevents name resolution errors during DNS related configuration steps. The reverse lookup zone is not required for a functional DirectAccess solution.

B. Enter a Pointer Record for DC1.A pointer record for DC1 will allow services to perform reverse name resolution for DC1. This is when performing DNS related operations. It is not required for a functional DirectAccess solution.

6


C. Enable ISATAP Name Resolution in DNS on DC1.By default, the Windows Server 2008 R2 DNS server will not answer queries for the ISATAP and WPAD host names. The DNS server is configured so that it will answer queries for ISATAP.

D. Create DNS Records for NLS and ISATAP on DC1.The DirectAccess client uses a Network Location Server (NLS) to determine if the computer is on or off the corporate network. If on the corporate network, the DirectAccess client can connect to the Network Location Server using an HTTPS connection. A DNS record is required to resolve the name of the NLS. In addition, a DNS record for ISATAP is required so that ISATAP capable hosts on the network can obtain IPv6 addressing and routing information from the ISATAP router configured on UAG1.

E. Create a Security Group for DirectAccess Clients on DC1.When DirectAccess is configured on the UAG DirectAccess server, it automatically creates Group Policy Objects and GPO settings that are applied to DirectAccess clients and servers. The DirectAccess client GPO uses security group filtering to assign the GPO settings to a designated DirectAccess security group. This group is populated with DirectAccess client computer accounts. This is a required component of a DirectAccess solution.

F. Create and Deploy a Certificate Template for the IP-HTTPS Listener Certificate and the Network Location Server Certificate.A Web site certificate is required for the Network Location Server so that computers can use HTTPS to connect to it when they are on the corporate network. The UAG DirectAccess server uses a Web site certificate on its IP-HTTPS listener so that it can accept incoming connections from DirectAccess clients that are behind network devices that limit outbound connections to only HTTP/HTTPS. A Web site certificate template is created and used for certificate requests to the Microsoft Certificate Server installed on DC1. A Web site certificate bound to the UAG DirectAccess server’s IP-HTTPS is a required component of a working DirectAccess solution.

G. Create ICMPv4 and ICMPv6 Echo Request Firewall Rules in Domain Group Policy on DC1.ICMP v4 and v6 echo requests inbound and outbound are required for Teredo support. Firewall Rules are configured using the Windows Firewall with Advanced Security GPO snap-in to distribute the configuration.

H. Create a Shared Folder on the C:\ Drive on DC1.A shared folder is created on the C:\drive of DC1 to test SMB connectivity for DirectAccess clients to a resources on the CORP domain.

A. Create Reverse Lookup Zone on DNS Server on DC1A reverse lookup zone on DC1 for network ID 10.0.0.0/24 is required to create a pointer record for DC1. The pointer record will allow reverse name resolution for DC1, which will prevent name resolution errors during several DNS related configuration steps. The reverse lookup zone is not required for a functional DirectAccess solution and is used as a convenience in this lab.

1. On DC1, click Start, and point to Administrative Tools. Click DNS.

7

2. In the DNS Manager console, in the left pane of the console, expand the server name, and click Reverse Lookup Zones. Right click Reverse Lookup Zones and click New Zone.

3. On the Welcome to the New Zone Wizard page, click Next.

4. On the Zone Type page, click Next.

5. On the Active Directory Zone Replication Scope page, click Next.

6. On the Reverse Lookup Zone Name page, click Next.

7. On the Reverse Lookup Zone Name page, select the Network ID option, and then enter 10.0.0 in the text box. Click Next.

8. On the Dynamic Update page, click Next.

9. On the Completing the New Zone Wizard page, click Finish.

10. Leave the DNS console open for the next operation.

B. Enter PTR Record for DC1A pointer record for DC1 will allow services to perform reverse name resolution for the DC1 computer. This will be useful when performing several DNS related operations. It is not required for a functional DirectAccess solution and is configured as a convenience for this lab.

1. On DC1, in the DNS Manager console, expand the Forward Lookup Zones node in the left pane of the console. Click on corp.contoso.com.

2. Double click on dc1 in the right pane of the console.

3. In the DC1 Properties dialog box, put a checkmark in the Update associated pointer (PTR) record checkbox and click OK. If the checkbox is already enabled, remove the checkmark and then enable it again. Click OK.

4. Expand the Reverse Lookup Zones node in the left pane of the console and click 0.0.10.in-addr.arpa. Confirm that there is an entry for 10.0.0.1 in the middle pane of the console.

5. Leave the DNS console open.

C. Enable ISATAP Name Resolution on DNS Server on DC1By default, the Windows Server 2008 R2 DNS server will not answer queries for ISATAP and WPAD host names. These names are included in the DNS server’s Global Query Block List. The following procedures configure the DNS server so that it will answer queries for ISATAP by removing ISATAP from the Global Query Block List.

8

1. On DC1, click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

2. In the command window, type dnscmd /config /globalqueryblocklist wpad, and then press ENTER.

3. In the command prompt window, type dnscmd /info /globalqueryblocklist to confirm that ISATAP is not included in the list, and that the display says Query result: String: wpad

4. Close the command prompt window.

For more information on configuring the global query block list, please see http://download.microsoft.com/download/5/3/c/53cdc0bf-6609-4841-a7b9-cae98cc2e4a3/DNS_Server_Global_%20Query_Block%20List.doc

D. Create DNS Records for NLS and ISATAP on DC1DirectAccess clients use a Network Location Server to determine if the computer is on or off the intranet. If the DirectAccess client can connect to the Network Location Server using HTTPS, it determines that it is on the corporate network and the Name Resolution Policy Table (NRPT) is disabled. If the DirectAccess client cannot connect to the Network Location Server when on the intranet, the Name Resolution Policy Table remains enabled which can cause name resolution and connectivity problems when the DirectAccess client is situated on the intranet. A DNS record is required for the DirectAccess client to resolve the name of the Network Location Server.

In addition, all IPv6 capable hosts on the corpnet need to resolve the name ISATAP to the internal IP address of the UAG DirectAccess server, so a DNS record is required for ISATAP. The UAG DirectAccess server will act as an ISATAP router for the organization and provides prefix and routing information for ISATAP hosts on the corporate network.

1. On DC1, click the corp.contoso.com forward lookup zone in the left pane of the console. Right click corp.contoso.com and click New Host (A or AAAA).

2. In the New Host dialog box, enter ISATAP in the Name (uses parent domain name if blank) text box. Then enter 10.0.0.2 in the IP address text box. (IP address 10.0.0.2 will be the IP address of the internal interface of the UAG server, which will act as the ISATAP router in this lab).

3. Click Add Host. Then click OK in the DNS dialog box.

4. In the New Host dialog box, enter NLS in the Name (uses parent domain name if blank) text box (this is the name the DirectAccess clients use to connect to the Network Location Server). Enter 10.0.0.3 in the IP address text box, and then click Add Host. Click OK in the DNS text box. (Note that IP address 10.0.0.3 is the IP address of APP1, which acts as a network location server in this lab).

9

http://download.microsoft.com/download/5/3/c/53cdc0bf-6609-4841-a7b9-cae98cc2e4a3/DNS_Server_Global_%20Query_Block%20List.doc

http://download.microsoft.com/download/5/3/c/53cdc0bf-6609-4841-a7b9-cae98cc2e4a3/DNS_Server_Global_%20Query_Block%20List.doc

5. Click Done.

6. Confirm that there are entries for ISATAP and NLS in the middle pane of the console.

7. Close the DNS Manager console.

8. Open a command prompt window and enter nslookup isatap and press ENTER. Confirm that ISATAP resolves to 10.0.0.2. Close the command prompt window.

E. Create a Security Group for DirectAccess Clients on DC1When you run the UAG DirectAccess wizard on the UAG1 computer, the wizard will create Group Policy Objects and deploy them in Active Directory. One GPO is created for the UAG DirectAccess server, and another is created for DirectAccess clients. Security Group filtering is used to apply the DirectAccess GPO settings to the DirectAccess Clients security Group. To obtain the settings required to be a DirectAccess client, the computer must be a member of this security group. Do not use any of the built-in security groups as your DirectAccess client security Group. Use the following procedure to create the DirectAccess security group. This group is required for a working DirectAccess solution.

1. On DC1, open the Active Directory Users and Computers console. In the left pane, right-click Users, point to New, and then click Group.

2. In the New Object - Group dialog box, under Group name, enter DA_Clients. (Note that the group name “DA_Clients” is not a mandatory name; you can use any name you like for the DirectAccess clients security group in your production environment).

3. Under Group scope, choose Global, under Group type, choose Security, and then click OK.

4. Close the Active Directory Users and Computers console.

F. Create and Deploy a Certificate Template for the IP-HTTPS Listener Certificate and Network Location Server Certificate

A Web site certificate is required for the Network Location Server so that computers can use HTTPS to connect to it when the DirectAccess client is on the intranet. In addition, the UAG DirectAccess server uses a web site certificate on its IP-HTTPS listener so that it can accept incoming connections from DirectAccess clients that are behind network devices that limit outbound connections to only HTTP/HTTPS. The following procedures describe how to create a web site certificate template to use for requests to the Microsoft Certificate Server installed on DC1. A web site certificate bound to the UAG DirectAccess server’s IP-HTTPS listener and a web site certificate bound to the Network Location Server Web site are both required for a working DirectAccess solution.

1. On DC1, click Start, enter mmc in the Search box, and then press ENTER.

2. Click the File menu, and then click Add/Remove Snap-in.

3. In the list of snap-ins, click Certificate Templates, click Add, and then click OK.10

4. In the console tree, expand Certificates Templates.

5. In the right pane, right-click the Web Server template, and then click Duplicate Template.

6. Click Windows Server 2008 Enterprise, and then click OK. (Note that you can use either the Windows Server 2003 or Windows Server 2008 templates). In Template display name, type Web Server 2008.

7. Click the Server tab. On the Server tab, put a checkmark in the Do not include revocation information in issued certificates (Applicable only for Windows Server 2008 R2 and above). Click Apply. Note that we are configuring this option so that we do not need to publish the CRL for external DirectAccess clients. You would not use this option in your production environment.

8. Click the Security tab.

9. Click Authenticated Users, and then select Enroll in the Allow column.

10. Click Add, enter Domain Computers in the Enter the object names to select text box, and then click OK.

11. Click Domain Computers, and then select Enroll in the Allow column. Click Apply.

12. Click the Request Handling tab.

13. Select Allow private key to be exported (note that we do this as a convenience for this lab, making the private key exportable is not required by DirectAccess; however, in order to create a UAG DirectAccess array, the same certificate must be installed on all array members; enabling export of the private key greatly simplifies this requirement). Click Apply.

14. Click OK.

15. Close the MMC window without saving changes.

16. Click Start, point to Administrative Tools, and then click Certification Authority.

17. In the console tree, expand corp-DC1-CA, right-click Certificate Templates, point to New, and then click Certificate Template to Issue.

18. In the list of certificate templates, click Web Server 2008, and then click OK.

19. In the right pane of the console, you should see the Web Server 2008 certificate template with an Intended Purpose of Server Authentication.

20. Close the Certification Authority console.

11

G. Create ICMPv4 and ICMPv6 Echo Request Firewall Rules in Domain Group Policy on DC1Support for incoming and outgoing ICMPv4 and v6 is required for Teredo clients. DirectAccess clients will use Teredo as their IPv6 transition technology to connect to the UAG DirectAccess server over the IPv4 Internet when they are assigned a private (RFC 1918) IP address and are located behind a NAT device or firewall that allows outbound UDP port 3544. In addition, enabling ping facilitates connectivity testing between participants in the DirectAccess solution.

1. On DC1, click Start, click Administrative Tools, and then click Group Policy Management.

2. In the console tree, expand Forest: corp.contoso.com. Then expand Domains, and then expand corp.contoso.com.

3. In the console tree, right-click Default Domain Policy, and then click Edit.

4. In the console tree of the Group Policy Management Editor, expand Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security-LDAP://.

5. In the console tree, click Inbound Rules, right-click Inbound Rules, and then click New Rule.

6. On the Rule Type page, click Custom, and then click Next.

7. On the Program page, click Next.

8. On the Protocols and Ports page, for Protocol type, click ICMPv4, and then click Customize.

9. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and then click OK.

10. Click Next.

11. On the Scope page, click Next.

12. On the Action page, click Next.

13. On the Profile page, click Next.

14. On the Name page, for Name, type Inbound ICMPv4 Echo Requests, and then click Finish.

15. In the console tree, right-click Inbound Rules, and then click New Rule.




12


20. Click Next.


22. On the Action page, click Next.


24. On the Name page, for Name, type Inbound ICMPv6 Echo Requests, and then click Finish.

25. In the console tree, right-click Outbound Rules, and then click New Rule.





30. Click Next.


32. On the Action page, click Allow the connection, and then click Next.


34. On the Name page, for Name, type Outbound ICMPv4 Echo Requests, and then click Finish.

35. In the console tree, right-click Outbound Rules, and then click New Rule.





40. Click Next.


13

42. On the Action page, click Allow the connection, and then click Next.


44. On the Name page, for Name, type Outbound ICMPv6 Echo Requests, and then click Finish.

45. Confirm that the rules you created appear in the Inbound Rules and Outbound Rules nodes. Close the Group Policy Management Editor.

H. Create a Shared Folder on the C:\ Drive on DC1DirectAccess clients should be able to connect to SMB resources on the intranet when the DirectAccess client is connected to the simulated Internet, or connecting from behind a NAT device over the Internet. A network share is created on DC1 to test DirectAccess client connectivity to SMB resources over the infrastructure tunnel.

1. Click Start, and then click Computer.

2. Double-click Local Disk (C:).

3. Click New Folder, type Files, and then press ENTER. Leave the Local Disk window open.

4. Click Start, click All Programs, click Accessories, right-click Notepad, and then click Run as administrator.

5. In the Untitled – Notepad window, type This is a shared file on DC1.

6. Click File, click Save, and navigate to the Files folder.

7. In File name, type Example, and then click Save. Close the Notepad window.

8. In the Local Disk (C:) window, right-click the Files folder, point to Share with, and then click Specific people.

9. Click Share, and then click Done.

10. Close the Local Disk (C:) window.

STEP 3: Configure APP1APP1 is a Windows Server 2008 R2 Enterprise Edition computer that acts in the role of the Network Location Server for the intranet. We have chosen to not to install the Network Location Server on the domain controller, even though that would have reduced the number of machines required for the lab network. The reason for this is that NLS on the DC can be a problematic if the DC is IPv6 based and can cause potential problems with network location detection. For this reason we have chosen to install the NLS on APP1.

You will perform the following operations to configure APP1:

14

A. Obtain an NLS Certificate for SSL Connections to the Network Location Server on APP1.APP1 acts as the Network Location Server. To enable this role, APP1 needs a web site certificate so that the DirectAccess clients are able to establish an SSL connection to a Web site on APP1. DirectAccess clients access this site by connecting to Network Location Server name, which is nls.corp.contoso.com in this lab.

B. Configure the HTTPS Security Binding on the NLS Web Site on APP1. The web site certificate needs to be bound to a web site on APP1 so that it can respond to SSL connection requests from the DirectAccess clients on the intranet.

A. Obtain NLS Certificate for SSL Connections to Network Location Server on APP1The Network Location Server requires a Web site certificate to enable SSL session establishment with the DirectAccess client. The subject name on this certificate must match the name that the DirectAccess client uses to connect to the Network Location Server. On this Test Lab network, the DirectAccess client tries to connect to connect to the NLS at nls.corp.contoso.com. This name is used later in the DirectAccess configuration wizard on the UAG server.

1. On APP1, click Start, enter mmc, and then press ENTER.

2. Click the File menu, and then click Add/Remove Snap-in.

3. Click Certificates, click Add, select Computer account, click Next, select Local computer, click Finish, and then click OK.

4. In the left pane of the console, expand Certificates (Local Computer)\Personal\Certificates.

5. Right-click Certificates, point to All Tasks, and then click Request New Certificate.

6. On the Before You Begin page, click Next.

7. On the Select Certificate Enrollment Policy page, select the Active Directory Enrollment Policy entry and click Next.

8. On the Request Certificates page, put a checkmark in the Web Server 2008 checkbox, and then click More information is required to enroll for this certificate.

9. On the Subject tab of the Certificate Properties dialog box, in Subject name section, for Type, select Common Name.

10. In the Value section, enter nls.corp.contoso.com, and then click Add.

11. In the Alternative name section, for Type, select DNS.

12. In Value, type nls.corp.contoso.com, and then click Add.

13. Click OK, click Enroll, and then click Finish.

15

14. In the details pane of the Certificates snap-in, verify that a new certificate with the name nls.corp.contoso.com was enrolled with Intended Purposes of Server Authentication.

15. Right click the nls.corp.contoso.com certificate and click Properties.

16. In the nls.corp.contoso.com Properties dialog box, in the Friendly name text box, enter NLS Certificate. Click OK. (Note: this is not required for the DirectAccess solution to work, but this makes the certificate easy to identify when binding it to the NLS Web site’s SSL listener).

17. Close the console window. If you are prompted to save settings, click No.

B. Configure the HTTPS Security Binding on the NLS Web Site on APP1After the web server role is installed, the web site certificate must be bound to the Network Location Server web site. This is required for the web server to establish an SSL connection with the computer configured as a DirectAccess client, and is a required component of a DirectAccess solution.

1. On APP1, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

2. In the left pane of the console, open APP1\Sites, and then click Default Web site.

3. In the Actions pane, click Bindings.

4. In the Site Bindings dialog box, click the https entry and then click Edit.

5. In the Add Site Binding dialog box, in SSL Certificate, click the NLS Certificate.

6. Click the View button.

7. In the Certificate dialog box, confirm that the certificate was Issued to: nls.corp.contoso.com. (this is the name the DirectAccess client computer must use to connect to the Network Location Server).

8. In the Add Site Binding dialog box, click OK.

9. In the Edit Site Binding dialog box, click OK.

10. In the Site Bindings dialog box, click Close.

11. Close the Internet Information Services (IIS) Manager console.

STEP 4: Install and Configure APP3APP3 is a Windows Server 2003 SP2 Enterprise Edition computer that acts as an IPv4 only host and is used to demonstrate DirectAccess connectivity to IPv4 only resources using the UAG DNS64 and NAT64 features. APP3 hosts both HTTP and SMB resources that the DirectAccess client computer will be able to access from other the simulated Internet. The UAG NAT64/DNS64 feature set enables organizations to

16

deploy DirectAccess without requiring them to upgrade network resources to native IPv6 or even IPv6 capable.

For more information on NAT64/DNS64 please see Deep Dive Into DirectAccess – NAT64 and DNS64 in Action

The following operations are performed to configure APP3:

A. Install the operating system on APP3 and Disable the FirewallThe first step is to install Windows Server 2003 Enterprise Edition SP2 on APP3. This is not a requirement. You could use another IPv4 only operating system, such as Windows 2000 Server or even Windows XP. The goal is to provide an IPv4 resource for the DirectAccess clients to connect to from over the Internet.

B. Install Web services on APP3Install IIS Web services on APP3 so that HTTP connectivity over the DirectAccess connection to an IPv4 only host is demonstrated.

C. Create a shared folder on APP3Create a shared folder on APP3 to demonstrate SMB connectivity over the DirectAccess connection.

A. Install the OS on APP3 and Disable the FirewallThe first step is to install Windows Server 2003 Enterprise Edition SP2 on APP3. This is not a requirement. You could use another IPv4 only operating system, such as Windows 2000 Server or even Windows XP. The goal is to provide an IPv4 resource for the DirectAccess clients to connect to from over the Internet.

1. Start the installation of Windows Server 2003.

2. On the Welcome to the Windows Setup Wizard page, click Next.

3. On the Regional and Language Options page, click Next.

4. On the Personalize Your Software page, enter your Name and Organization information, click Next.

5. On the Licensing Modes page, select Per server. Number of concurrent connections option and enter 100. Click Next.

6. On the Computer Name and Administrator Password page, in the Computer name text box, enter APP3. Enter a complex Administrator password and Confirm password. Click Next.

7. On the Date and Time Settings page, set the correct date and time and click Next.

8. On the Networking Settings page, select Custom Settings and click Next.

17

http://blogs.technet.com/edgeaccessblog/archive/2009/09/08/deep-dive-into-directaccess-nat64-and-dns64-in-action.aspx


9. On the Networking Components page, select Internet Protocol (TCP/IP) and click Properties.

10. On the Internet Protocol (TCP/IP) Properties page, select the Use the following IP address option. In the IP address text box, enter 10.0.0.4. In the Subnet Mask text box, enter 255.255.255.0 Select the Use the following DNS server addresses option. In the Preferred DNS server text box, enter 10.0.0.1.

11. In the Internet Protocol (TCP/IP) Properties dialog box, click the Advanced button.

12. In the Advanced TCP/IP Settings dialog box, click the DNS tab.

13. On the DNS tab, in the DNS Suffix for this connection text box, enter corp.contoso.com. Click OK. In the Internet Protocol (TCP/IP) Properties dialog box, click OK. On the Networking Components page, click Next.

14. On the Workgroup or Computer Domain page, select the Yes make this computer a member of the following domain option. In the text box under that option, enter CORP.

15. In the Join Computer to CORP Domain dialog box, in the User name text box, enter CORP\User1 and in the Password text box, enter User1’s password. Click OK.

16. Log on as CORP\User1.

17. Click Start, point to Control Panel and point to Network Connections. Right click on Local Area Connection and click Properties.

18. In the Local Area Connection Properties dialog box, click the Advanced tab.

19. On the Advanced tab, click the Settings button.

20. In the Windows Firewall dialog box, on the General tab, select the Off option. (Note: we are turning off the Windows Firewall as a convenience for this lab so that we can ping APP3. In a production environment, you should enable ping selectively through the Windows Firewall. You must enable ping requests to support Teredo DirectAccess clients).

Note: If you install Windows Server 2003 RTM, there is no Windows Firewall and you will not need to disable the firewall.

B. Install Web ServicesInstall IIS Web services on APP3 so that HTTP connectivity can be demonstrated over the DirectAccess connection.

1. At APP3, click Start and point to Control Panel. Click Add or Remove Programs.

2. In the Add or Remove Programs window, click Add/Remove Windows Components button.

18

3. On Windows Components page, click Application Server and then click Details.

4. In the Application Server dialog box, put a checkmark in the Internet Information Services (IIS) checkbox. Click OK.

5. On the Windows Components page, click Next.

6. On the Completing the Windows Components Wizard page, click Finish.

7. Close the Add or Remove Programs window.

8. Click the Internet Explorer icon in the Quick Start Bar.

9. In the dialog box that informs you Internet Explorer Enhanced Security Configuration is enabled, put a checkmark in the In the future, do not show this message checkbox and then click OK.

10. In the Internet Explorer address bar, enter http://localhost and press ENTER.

11. You should see the IIS Under Construction page, indicating that the default IIS Web site is available and running. Close the Internet Explorer window.

C. Create a Shared Folder on C:\Create a shared folder on APP3 to demonstrate the ability to connect to an SMB resource on a IPv4 only computer on the DirectAccess connection over the Internet.

1. At APP3, click Start and click Windows Explorer.

2. In the left pane of the Windows Explorer window, expand My Computer and click Local Disk (C:)

3. Click the File menu, point to New and click Folder.

4. Rename New Folder to Files.

5. Right click the Files folder and click Sharing and Security.

6. In the Files Properties dialog box, on the Sharing tab, select the Share this folder option. Accept the default share name, which is Files. Click OK.

7. Double click the Files folder.

8. Click the File menu, point to new, and click New Text Document.

9. Double click the New Text Document.txt file.

10. In the New Text Document.txt – Notepad window, enter This is a new text document on APP3, and IPv4 only server.

19

http://localhost/

11. Close the Notepad window. In the Notepad dialog box, click Yes to save the changes.

12. Close Windows Explorer.

STEP 5: Configure UAG1UAG1 acts as the UAG DirectAccess server for the network. UAG1 will be connected to both the simulated Internet and the intranet and will need one network interface connected to each of these networks. The UAG DirectAccess server provides the following network services:

ISATAP routerAn ISATAP router is an IPv6 router that advertises subnet prefixes to ISATAP hosts and forwards IPv6 traffic between ISATAP hosts and hosts on other IPv4 subnets. The ISATAP router provides ISATAP clients the information they need to properly configure their ISATAP adapters. For more information about ISATAP, please see http://technet.microsoft.com/en-us/magazine/2008.03.cableguy.aspx

Teredo server A Teredo server is an IPv6/IPv4 node that is connected to both the IPv4 Internet and the IPv6 intranet, supports a Teredo tunneling interface over which packets are received. The general role of the Teredo server is to assist in the address configuration of Teredo clients and to facilitate the initial communication between Teredo clients and other Teredo clients or between Teredo clients and IPv6 hosts. The Teredo server listens on UDP port 3544 for Teredo traffic. DirectAccess clients located behind NAT devices and firewalls use Teredo to connect to the UAG DirectAccess server. For more information on Teredo, please see http://technet.microsoft.com/en-us/library/bb457011.aspx

IPsec gatewayThe Full Intranet access model (which is used in this lab document) allows DirectAccess clients to connect to all resources inside the intranet. It does this by using IPsec-based tunnel policies that require authentication and encryption and IPsec sessions terminate at the IPsec Gateway. The IPsec Gateway is a function that is hosted on the UAG DirectAccess server.

IP-HTTPS serverIP-HTTPS is a new protocol for Windows 7 and Windows Server 2008 R2 that allows DirectAccess clients behind a Web proxy server or firewall to establish connectivity by tunneling IPv6 packets inside an IPv4-based HTTPS session. HTTPS is used instead of HTTP so that Web proxy servers will not attempt to examine the data stream and terminate the connection. The UAG DirectAccess server uses an IP-HTTPS listener to accept incoming IP-HTTPS connections. Note that IP-HTTPS does not work behind authenticating web proxies (when authentication is required) or from behind web proxies that perform outbound SSL inspection (such as the TMG 2010 firewall when outbound SSL inspection is enabled).

NAT64/DNS64 IPv6/IPv4 protocol translatorThe UAG DirectAccess server includes NAT64 and DNS64, which enables DirectAccess clients on the Internet to connect to IPv4 resources on the intranet. DirectAccess clients always use IPv6 to

20

http://technet.microsoft.com/en-us/library/bb457011.aspx

http://technet.microsoft.com/en-us/magazine/2008.03.cableguy.aspx

communicate with intranet servers. When a DirectAccess client needs to connect to IPv4 resources on the intranet, it issues a DNS query for the FQDN of the resource. DNS64 intercepts the request, sends the query to the intranet DNS server, and obtains the IPv4 address of the resource. DNS64 then dynamically generates an IPv6 address for the client to connect to; in addition, DNS64 informs NAT64 of the IPv4/IPv6 mapping. The client issues a request for the dynamically generated IPv6 address, which is intercepted by NAT64, and then NAT64 forwards the request to the IPv4 address of the intranet resource. NAT64 also returns the response based on entries in its state table. For more information about DNS64 and NAT64, please see http://blogs.technet.com/edgeaccessblog/archive/2009/09/08/deep-dive-into-directaccess-nat64-and-dns64-in-action.aspx

6to4 relay routerA 6to4 relay router can accept traffic from DirectAccess clients using the 6to4 IPv6 transition technology and forward the traffic over an IPv4 intranet. The UAG DirectAccess server acts as the 6to4 relay router and provides addressing information to the DirectAccess clients. DirectAccess clients use this information to configure their 6to4 tunnel adapters to forward IPv6 messages over the IPv4 Internet to the UAG DirectAccess servers. For more information on 6to4 please see http://technet.microsoft.com/en-us/library/cc756770(WS.10).aspx

The following procedures are performed on the UAG1 computer or virtual machine:

A. Rename UAG1Change the computer name assigned during setup of the Base Configuration to UAG1.

B. Obtain a Certificate for the IP-HTTPS Listener on UAG1The UAG DirectAccess server uses an IP-HTTPS listener to accept incoming IP-HTTPS connections from DirectAccess clients on the Internet. The IP-HTTPS Listener requires a web site certificate to support the SSL connection between itself and the DirectAccess client.

C. Install Forefront UAG on UAG1Install the Forefront Unified Access Gateway software on UAG1.

D. Run the UAG Getting Started Wizard on UAG1The UAG Getting Started Wizard walks you through the process of initial configuration of the UAG server.

E. Run the UAG DirectAccess Configuration Wizard on UAG1DirectAccess is not enabled by default. You must run the UAG DirectAccess wizard to enable DirectAccess features and capabilities on UAG1.

F. Confirm Group Policy Settings on UAG1The UAG DirectAccess wizard configures GPOs and settings that are automatically deployed to the Active Directory. One GPO is assigned to the UAG DirectAccess server, and one is deployed to machines that belong to the DirectAccess Clients security group. The step confirms that the Group Policy settings were deployed to the UAG DirectAccess server.

21

http://technet.microsoft.com/en-us/library/cc756770(WS.10).aspx



G. Confirm IPv6 Settings on UAG1For the DirectAccess solution to function, the IPv6 settings on must be correct. This step confirms these setting on UAG1.

H. Update IPv6 Settings on DC1DC1 is capable of being an ISATAP host. However, this functionality might not be immediately available. This step expedites DC1 setting itself up as an ISATAP host by updating its IPv6 configuration.

I. Update IPv6 Settings on APP1APP1 is capable of being an ISATAP host. However, this functionality might not be immediately available. This step expedites APP1 setting itself up as an ISATAP host by updating its IPv6 configuration.

J. Confirm IPv6 Address Registrations in DNSIPv6 capable hosts can communicate with one another over IPv6 using their ISATAP adapters. However, they must be able to resolve the destination host to an IPv6 address to use this capability. This step confirms that the IPv6 ISATAP addressees are registered in DNS.

K. Confirm IPv6 Connectivity between DC1/APP1/UAG1After activity the IPv6 settings on DC1, APP1 and UAG1, test IPv6 connectivity by using the ping utility.

A. Rename the EDGE1 to UAG1Change the computer name of EDGE1 to UAG1.

1. At the EDGE1 computer or virtual machine, click Start and then right click Computer. Click Properties.

2. On the System page, click the Advanced system settings link.

3. In the System Properties dialog box, click the Computer Name tab.

4. On the Computer Name tab, click the Change button.

5. In the Computer Name/Domain Changes dialog box, in the Computer name text box, enter UAG1. Click OK.

6. Click OK in the Computer Name/Domain Changes dialog box informing you that you must restart the computer.

7. Click Close in the System Properties dialog box.

8. Click Restart Now in the dialog box informing you that you must restart to apply the changes.

9. Log on as CORP\User1

22

B. Obtain the IP-HTTPS Listener Certificate on UAG1The UAG DirectAccess server uses an IP-HTTPS listener to accept incoming IP-HTTPS connections from DirectAccess clients on the Internet. The IP-HTTPS Listener requires a web site certificate to support the SSL connection between itself and the DirectAccess client. The common name on this certificate must be the name the external DirectAccess client uses to connect to the IP-HTTPS Listener, and must be resolvable using an Internet based DNS server to the first of the two consecutive IP addresses bound to the external interface of the UAG DirectAccess server. Perform the following steps to obtain the IP-HTTPS certificate. In addition, you will request a new computer certificate for UAG1 that supports the machine’s new computer name.

1. At UAG1, click Start, type mmc, and then press ENTER. Click Yes at the User Account Control prompt.

2. Click File, and then click Add/Remove Snap-ins.

3. Click Certificates, click Add, click Computer account, click Next, select Local computer, click Finish, and then click OK.

4. In the console tree of the Certificates snap-in, open Certificates (Local Computer)\Personal\Certificates.

5. In the middle pane of the console, click on the EDGE1.corp.contoso.com certificate and press the DELETE key on the keyboard. Right click an empty area in the middle pane, point to All Tasks and click Request New Certificate.

6. On the Before You Begin page, click Next.

7. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy and click Next.

8. On the Request Certificates page, put a checkmark in the Computer checkbox and click Enroll, then click Finish.

9. You should now see a new certificate for UAG1.corp.contoso.com with the Intended Purposes of Client Authentication and Server Authentication.

10. Right-click Certificates, point to All Tasks, and then click Request New Certificate.

11. Click Next twice.

12. On the Request Certificates page, click Web Server 2008, and then click More information is required to enroll for this certificate.

13. On the Subject tab of the Certificate Properties dialog box, in Subject name, for Type, select Common Name.

23

14. In Value, type uag1.contoso.com, and then click Add.

15. In Alternative name, for Type, select DNS.

16. In Value, enter uag1.contoso.com, and then click Add.

17. Click OK, click Enroll, and then click Finish.

18. In the details pane of the Certificates snap-in, verify that a new certificate with the name uag1.contoso.com was enrolled with Intended Purposes of Server Authentication.

19. Right-click the certificate and then click Properties.

20. In the Friendly Name text box, enter IP-HTTPS Certificate, and then click OK.

21. Close the console window. If you are prompted to save settings, click No.

C. Configure a DNS Entry on INET1 with the Name on the IP-HTTPS CertificateIn order to connect to the IP-HTTPS listener on UAG1, the DirectAccess client needs to be able to resolve the subject name listed on the IP-HTTPS certificate. In this step you will configure INET1 with a Host (A) DNS record with the name uag1.contoso.com that resolves to 131.107.0.1.

1. *At INET1, log on as Administrator.

2. Click Start, point to Administrative Tools and click DNS.

3. In the DNS Manager console, in the left pane, expand the server name and then expand Forward Lookup Zones. Click the contoso.com zone.

4. Right click the contoso.com zone and click New Host (A or AAAA).

5. In the New Host dialog box, in the Name text box, enter uag1. In the IP address text box, enter 131.107.0.2.

6. Click Add Host. In the DNS dialog box, click OK.

7. Click Done in the New Host dialog box.

D. Install Forefront UAG Service Pack 1 on UAG1Install the Forefront Unified Access Gateway software on UAG1.

1. *At UAG1, insert the Forefront UAG DVD into the optical drive. (Note: Ensure you install Forefront UAG from the DVD. Network installations are not supported.)

2. Click Start, click Computer, double-click the DVD drive Forefront UAG 2010, and then double-click Setup.

24

3. In the Setup window, under Prepare and Install, click Install Forefront UAG. Click Yes in the User Account Control dialog box.

4. On the Welcome to the Forefront UAG 2010 with Service Pack 1 Setup Wizard page, click Next.

5. Read the License Terms, and if you choose to proceed, select I accept the License Terms for Microsoft Software, and then click Next.

6. On the Select Installation Location page, click Next, and wait for the installation to complete successfully.

7. On the You have successfully completed the Forefront UAG Setup page, click Restart now, and then click Next. Wait for the server to restart.

8. Log on to UAG1 as CORP\User1.

E. Run the UAG Getting Started WizardThe UAG Getting Started Wizard walks you through the process of initial configuration of the UAG server. This will set up the basic information required to configure the networking settings on the server, define the server topology (standalone or array) and whether or not to join Microsoft update for updating the server.

1. At UAG1, click Start, click All Programs, click Microsoft Forefront UAG, and then click Forefront UAG Management. Click Yes in the User Account Control dialog box. UAG will start to configure itself for the first time. The Getting Started Wizard splash screen appears.

2. In the Getting Started Wizard, click Configure Network Settings to start the Network Configuration Wizard.

3. On the Welcome to the Network Configuration Wizard page, click Next.

4. On the Define Network Adapters page, select Corpnet in the Internal column, and Internet in the External column. Click Next.

5. On the Define Internal Network IP Address Range page, verify that the range that appears is 10.0.0.0 to 10.0.0.255, and then click Next.

6. On the Completing the Network Configuration Wizard page, click Finish.

7. On the Getting Started Wizard, click Define Server Topology.

8. On the Welcome to the Server Management Wizard page, click Next.

9. On the Select Configuration page, select Single server, and then click Next.

10. On the Completing the Server Management Wizard page, click Finish.

25

11. In the Getting Started Wizard, click Join Microsoft Update.

12. On the Welcome to the Server Configuration Wizard page, click Next.

13. On the Use Microsoft Update for Forefront UAG page, select I don’t want to use Microsoft Update, and then click Next. (NOTE: in a production environment it is highly recommended that you select the use Microsoft Update option).

14. On the Customer Experience Improvement Program page, select No, I do not want to participate and click Next. (NOTE: in a production environment it is highly recommended that you select the Yes, I am willing to participate anonymously in the Customer Experience Improvement program.).

15. On the Completing the Server Configuration Wizard page, click Finish.

16. On the Getting Started Wizard page, click Close.

17. In the Getting Started Wizard dialog box, when prompted Do you want to activate the configuration now, click Yes.

18. On the Activate Configuration page, enter a password and confirm the password for the backup file that will save the current UAG configuration. Click Next.

19. On the Activate Configuration page, confirm that there is a checkmark in the Back up configuration before performing this activation checkbox, then click Activate.

20. Wait for the Activation completed successfully message, and then click Finish.

21. To exit the Microsoft Forefront UAG Management console, click the File menu, click Exit, and then click Yes when prompted Do you want to close the Forefront UAG Management console.

F. Run the UAG DirectAccess Configuration Wizard on UAG1DirectAccess is not enabled by default. To enable DirectAccess features and capabilities on UAG1, you need to run the DirectAccess Configuration wizard. After running the DirectAccess Configuration Wizard, two new Group Policy objects are created – one is linked to the computer account for the UAG DirectAccess server, and the second is linked to the DirectAccess clients security group (DA_Clients) you configured earlier. In addition, the IPv6 components, including support for IPv6 transition technologies and IPv6/IPv4 protocol transition technologies are enabled on the UAG DirectAccess server.

1. Click Start, point to All Programs, click Microsoft Forefront UAG, and then click Forefront UAG Management. Click Yes in the User Account Control dialog box.

2. In the left pane of the Forefront Unified Access Gateway console, click DirectAccess. In the Forefront UAG DirectAccess Configuration pane, in the Step 1 Clients and GPOs section, click the Configure link.

26

3. This opens the Clients and GPOs Configuration wizard. On the Deployment Model page, select the Allow DirectAccess clients to connect to internal networks, and enable remote management of DirectAccess clients option. Click Next.

4. On the Client Domains page, notice that corp.contoso.com is automatically listed in the Enable DirectAccess for client computers in these domains list. Click Next.

5. On the Policy Management page, notice that the Automatically generate the following GPOs for DirectAccess policies option is selected and that names and locations for the Clients, Gateway and Application Servers GPOs are automatically listed. Click Next.

6. On the Client Groups page, select the Security Groups option and click Add.

7. In the Select Group dialog box, in the Enter the object name to select text box, enter DA_Clients. Click OK.

8. Click Finish.

9. In the Step 2 DirectAccess Server section, click the Configure link.

10. This brings up the UAG DirectAccess Server Configuration wizard. On the Connectivity page, in the Internet-facing section, click the down arrow in the First Internet-facing IPv4 address drop down box and click 131.107.0.2. In the Internal section, click the down arrow in the Internal IPv4 address used when ISATAP is deployed on the UAG DirectAccess server and click 10.0.0.2. Click Next.

11. On the IP-HTTPS page, click the Browse button. In the Windows Security dialog box, click the IP-HTTPS Certificate and click OK.

12. On the IP-HTTPS Certificate page, note that in the Select the server certificate used to authenticate to DirectAccess clients section that it says CN=uag1.contoso.com. This is the name that the DirectAccess clients use to connect to the IP-HTTPS listener on the UAG DirectAccess server. Click Next.

13. On the IPsec Certificate Authentication page, select the Use a certificate from a trusted root CA option, then click the Browse button next to that option. In the Windows Security dialog box, click corp-DC1-CA and then click OK.

14. On the IPsec Certificate Authentication page, click Finish.

15. In the Step 3 Infrastructure Servers section, click the Configure link.

16. This brings up the Infrastructure Server Configuration wizard. In the Specify the URL used to access the network location server text box, enter nls.corp.contoso.com, then click Validate. Click Next.

27

17. On the DNS Suffixes page, click Next.

18. On the Authentication Domains page, confirm that corp.contoso.com is included in the Enable DirectAccess for user accounts in these domains and click Next.

19. On the Management Servers page, click the Domain Controllers entry in the Built-In Server Groups tree. Notice in the right pane that DC1.corp.contoso.com is automatically discovered. Click Finish.

20. In the UAG DirectAccess pane, click Apply Policy.

21. On the Forefront UAG DirectAccess Configuration Review page, click Apply Now.

22. In the DirectAccess Policy Configuration dialog box, click OK.

23. On the Forefront UAG DirectAccess Configuration Review page, click Close.

24. Open an elevated command prompt. In the command prompt window enter gpupdate /force and press ENTER. Wait for the command to complete and then close the command prompt window.

25. In the UAG DirectAccess pane, click the Activate button on the bottom of the pane.

26. On the Activate Configuration page, confirm that there is a checkbox in the Back up configuration before performing this activation checkbox and click Activate. Click Finish on the Activate Configuration page after the activation is completed.

27. To exit the Microsoft Forefront UAG Management console, click the File menu, click Exit, and then click Yes when prompted Do you want to close the Forefront UAG Management console.

G. Confirm Group Policy Settings on UAG1The UAG DirectAccess wizard configures GPOs and settings that are automatically deployed to the Active Directory. One GPO is assigned to the UAG DirectAccess server, and one is deployed to machines that belong to the DirectAccess Clients security group. The following steps confirm that the Group Policy settings were deployed to the UAG DirectAccess server.

1. *Go to the DC1. At DC1, click Start, point to Administrative Tools and click Group Policy Management.

2. Expand Forest: corp.contoso.com and then expand Domains and then expand corp.contoso.com. Then expand Group Policy Objects.

3. You will find three new GPOs, two of which are currently linked to the default domain policy. UAG DirectAccess: Clients (UAG1.CORP.CONTOSO.COM) is applied to members of the DA_Clients security group. UAG DirectAccess: Gateways (UAG1.CORP.CONTOSO.COM) is

28

applied to the UAG server. There is also a Group Policy Object named UAG DirectAccess: AppServers (UAG1.CORP.CONTOSO.COM) which is applied when you configure end-to-end security in the UAG DirectAccess wizard. Confirm that the correct security filtering is done for each of these Group Policy Objects by clicking on the GPO and then viewing the entries in the Security Filtering section on the Scope tab in the right pane of the console.

4. *Go to the UAG1. Open an elevated command prompt. Change the focus to c:\Users\User1\Desktop (enter cd c:\Users\User1\Desktop and press ENTER).

5. At the command prompt, enter gpresult /scope computer /f /h report.html and press ENTER

6. On the desktop, double click the report file. In the Group Policy Objects section, notice in the Group Policy Objects\Applied GPOs section that UAG DirectAccess: Gateways (UAG1.CORP.CONTOSO.COM) appears, showing that the DirectAccess server GPO has been applied to UAG1. Close the Internet Explorer window.

7. Click Start and enter wf.msc in the Search box and press ENTER.

8. In the Windows Firewall with Advanced Security console, notice in the middle pane that it says that the Domain Profile is Active and Public Profile is Active. It is important that the Windows Firewall is enabled and both the Domain and Public Profiles are active. If the Windows Firewall with Advanced Security is disabled, or if Domain or Public profiles are disabled, then DirectAccess will not work correctly.

9. In the left pane of the Windows Firewall with Advanced Security Console, click the Connection Security Rules node. Notice in the middle pane of the console that there are two connection security rules: UAG DirectAccess Gateway – Clients Access Enabling Tunnel – All and UAG DirectAccess Gateway – Clients Corp Tunnel. The first rule is used for the infrastructure tunnel and the second rule is used to establish the intranet tunnel. Both of these rules are delivered to UAG1 using Group Policy.

10. Close the Windows Firewall with Advanced Security console.

H. Confirm IPv6 Settings on UAG1For the DirectAccess solution to function, the IPv6 settings on must be correct. The following steps confirm these setting on UAG1.

1. At UAG1, click Start and right click on the command prompt and click Run as administrator. Click Yes in the User Account Control dialog box.

2. In the command prompt window, enter ipconfig /all and press ENTER.

3. The ipconfig /all display shows information related to the UAG1 networking configuration. There are several sections of interest. The Tunnel adapter 6TO4 Adapter section shows information

29

that includes the Global IPv6 address used by UAG1 on its external interface. The Tunnel adapter isatap.corp.contoso.com section shows information regarding UAG1’s ISATAP interface; here you find the ISATAP address for UAG1. In the Tunnel adapter IPHTTPSInterface section, you’ll see information regarding the IP-HTTPS interface. Using the IP addressing scheme used in this lab, you should see the following addresses:6TO4 Adapter: 2002:836b:2::836b:2 and 2002:836b:2::836b:3ISATAP: 2002:836b:2:8000:0:5efe:10.0.0.2IPHTTPS: 2002:836b:2:8100:c887:6a74:6ef0:bf (Note that the “debolded” values will vary due to how the IP-HTTPS address is generated)

4. To see information regarding the Teredo interface on UAG1, enter netsh interface Teredo show state and press ENTER. The output should include an entry State: online

I. Update IPv6 Settings on DC1DC1 is capable of being an ISATAP host. However, this functionality might not be immediately available. You can expedite DC1 setting itself up as an ISATAP host by updating its IPv6 configuration.

1. *At DC1, click Start and then right click the command prompt icon. Click Run as administrator.

2. In the command prompt window, enter sc control iphlpsvc paramchange and press ENTER.

3. Close the command prompt window after the command completes.

J. Update IPv6 Settings on APP1APP1 is capable of being an ISATAP host. However, this functionality might not be immediately available. You can expedite DC1 setting itself up as an ISATAP host by updating its IPv6 configuration.

1. *At APP1, click Start and then right click the command prompt icon. Click Run as administrator.

2. In the command prompt window, enter sc control iphlpsvc paramchange and press ENTER.

3. Close the command prompt window after the command completes.

K. Confirm IPv6 Address Registration in DNSIPv6 capable hosts can communicate with one another over an IPv4 network with IPv6 using their ISATAP adapters. However, they must be able to resolve the destination host to an IPv6 address to use this capability. The following steps confirm that the IPv6 ISATAP addressees are registered in DNS.

1. *At DC1, click Start, point to Administrative Tools and click DNS.

2. In the DNS Manager, expand the server name, then expand the Forward Lookup Zones node in the left pane of the console. Click corp.contoso.com.

3. Click the Name column in the right pane of the console so that computer names are listed alphabetically. For APP1, DC1 and UAG1 there should be an IPv4 address and IPv6 address. If

30

there is no IPv6 address, return to the machine that does not have an IPv6 address and open an elevated command prompt. At the elevated command prompt enter ipconfig /registerdns. Then return to the DNS console on DC1 and confirm that the IPv6 address is registered in DNS. If the IPv6 address does not appear in the console, refresh the console view.

Note that the ISATAP addresses listed in the DNS resource records do not use the dotted decimal format for the last 32 bits of the IPv6 address that you see when using ipconfig to view IP addressing information on the hosts. However, these addresses represent the same information; the only difference is that the last 32 bits are represented in HEX instead of dotted decimal format.

L. Confirm IPv6 Connectivity between DC1/APP1/UAG1After activating the IPv6 settings on DC1, APP1 and UAG1, test IPv6 connectivity by using the ping utility

1. *At DC1, click Start and right click the command prompt icon and click Run as administrator.

2. In the command prompt window, enter ipconfig /flushdns to remove IPv4 address entries that might already be in the DNS client cache.

3. In the command prompt window, enter ping UAG1 and press ENTER. You should see the ISATAP address of UAG1 in the reply, which is 2002:836b:2:8000:0:5efe:10.0.0.2.

4. In the command prompt window, enter ping APP1 and press ENTER. You should see the ISATAP address of APP1 in the reply, which is 2002:836b:2:8000:0:5efe:10.0.0.3. Close the command prompt window.

5. *At UAG1, use an elevated command prompt window and ping DC1 and APP1 and confirm that the responses are from the ISATAP addresses of those servers. The close the command prompt window

STEP 6: Configure CLIENT1CLIENT1 is a computer or virtual machine running Windows 7 Ultimate Edition that is used demonstrate how DirectAccess works in a number of scenarios. CLIENT1 is first connected to the corpnet subnet to receive the DirectAccess Group Policy settings. CLIENT1 is later moved to the simulated Internet to test DirectAccess connectivity over 6to4 and CLIENT1 is moved behind a NAT device to test both Teredo and IP-HTTPS DirectAccess connectivity.

NOTE:CLIENT1 is a Windows 7 computer and after installation the default power plan is applied. CLIENT1 may go to sleep before you reach the end of the lab configuration. To prevent this from happening, select the High Performance power plan in the Control Panel.

The following operations configure CLIENT1:

31

A. Add CLIENT1 to the DA_Clients Active Directory Security GroupThe DirectAccess client settings are assigned only to members of the security group designated for DirectAccess clients. Place CLIENT1 in the DA_Clients security group so that the Group Policy settings are assigned to CLIENT1.

B. Test IPv6 Configuration, Confirm Group Policy Settings and Machine Certificate on CLIENT1Before moving CLIENT1 out of the corpnet and onto the simulated Internet and behind a NAT device, check the IPv6 configuration on CLIENT1, confirm that DirectAccess client Group Policy Settings are enabled on CLIENT1, and that CLIENT1 has the computer certificate required to establish the IPsec connections to the UAG DirectAccess server.

C. Test Connectivity to a Network Share and Network Location Server The final check on CLIENT1 before moving it outside the corpnet is to confirm connectivity to a network share on the corpnet and to the Network Location Server. Connectivity to the Network Location Server is required so that the DirectAccess client can determine if it is on-network or off-network.

A. Add CLIENT1 to the DA_Clients Security GroupThe DirectAccess client settings are assigned only to members of the security group designated for DirectAccess clients. You will place CLIENT1 in the DA_Clients security group so that the Group Policy settings are assigned to CLIENT1.

1. *On the DC1 computer or virtual machine, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

2. In the console tree, expand corp.contoso.com, and then click Users.

3. In the details pane, double-click DA_Clients.

4. In the DA_Clients Properties dialog box, click the Members tab, and then click Add.

5. In the Select Users, Contacts, Computers, or Groups dialog box, click Object Types, click Computers, and then click OK.

6. Under Enter the object names to select (examples), type CLIENT1, and then click OK.

7. Verify that CLIENT1 is displayed below Members, and then click OK.

8. Close the Active Directory Users and Computers console.

9. *On CLIENT1, start the computer and log on as CORP\User1. If CLIENT1 is already started, restart the computer and log on as CORP\User1.

32

B. Test IPv6 Configuration, Confirm Group Policy Settings and Machine Certificate on CLIENT1

Before moving CLIENT1 out of the corpnet subnet and onto the simulated Internet and behind a NAT device on the Internet, check the IPv6 configuration on CLIENT1, confirm that DirectAccess client Group Policy Settings are enabled on CLIENT1, and that CLIENT1 has the computer certificate required to establish the IPsec connections to the UAG DirectAccess server.

1. On the CLIENT1 computer or virtual machine, click Start and then click All Programs. Click Accessories and then right click command prompt. Click Run as administrator. Click Yes in the UAC dialog box.

2. In the command prompt window, enter ping dc1 and press ENTER. Confirm that the reply comes from an IPv6 ISATAP address, 2002:836b:2:8000:0:5efe:10.0.0.1.

3. Ping APP1 and UAG1 to confirm that both these machines reply with IPv6 ISATAP addresses, 2002:836b:2:8000:0:5efe:10.0.0.3 and 2002:836b:2:8000:0:5efe:10.0.0.2.

4. In the command prompt window, enter netsh namespace show policy and press ENTER. This command shows the DNS Name Resolution Policy Table (NRPT) settings, which were provided to CLIENT1 via Group Policy. For more information about DirectAccess and the NRPT, please see http://technet.microsoft.com/en-us/library/dd637795(WS.10).aspx

5. In the command prompt window, enter netsh namespace show effectivepolicy and press ENTER. This command shows the current DNS name resolution policy table settings and indicates that the client is in the corporate network and Name Resolution Policy Table (NRPT) settings are turned off.

6. In the command prompt window, enter certutil –store my and press ENTER. The output will display information about the certificate installed on CLIENT1. The subject name on the certificate should be CN=CLIENT1.corp.contoso.com and the certificate template name (certificate type) should be Machine, Computer. This machine certificate was assigned using Group Policy autoenrollment and will be used to create the IPsec tunnels between CLIENT1 and UAG1 when CLIENT1 leaves the corporate network.

C. Test Connectivity to a Network Share and the Network Location ServerThe final check on CLIENT1 before moving it outside the corpnet subnet is to confirm connectivity to a network share on the corpnet subnet and to the Network Location Server. Connectivity to the Network Location Server is required so that the DirectAccess client can determine if it is on or off the corporate network.

1. On CLIENT1, from the taskbar, click the Internet Explorer icon.

33

http://technet.microsoft.com/en-us/library/dd637795(WS.10).aspx

2. In the Welcome to Internet Explorer 8 window, click Next. In the Turn on Suggested Sites window, click No, don’t turn on, and then click Next. In the Choose your settings dialog box, click Use express settings, and then click Finish.

3. In the Toolbar, click Tools, and then click Internet Options. For Home page, click Use blank, and then click OK.

4. In the Address bar, enter https://nls.corp.contoso.com/, and then press ENTER. You should see the default IIS 7 Web page on DC1.

5. Close the Internet Explorer window.

6. Click Start, enter \\DC1\Files, and then press ENTER.

7. You should see a folder window with the contents of the Files file share.

8. In the Files folder window, double-click the Example.txt file. You should see the contents of the Example.txt file. Close the example.txt - Notepad and the Files folder windows.

STEP 7: Configure NAT1NAT1 is a Windows 7 computer configured as a NAT device that separates a private network from the Internet. The built-in Internet Connection Service (ICS) is used to provide the NAT server functionality. ICS includes DHCP server-like functionality and automatically assigns IP addressing information to clients located behind the NAT1 ICS NAT device. NAT1 has two network interfaces – one connected to the simulated Internet and one connected to a Homenet subnet.

NOTE:NAT1 is a Windows 7 computer and after installation the default power plan is applied. NAT1 may go to sleep before you reach the end of the lab configuration. You can prevent this from happening by selecting the High Performance power plan in the Control Panel.

Perform the following operations to configure NAT1 as a NAT device:

A. Install the operating system on NAT1The first step is to install the Windows 7 operating system.

B. Rename the interfaces on NAT1Rename the network interfaces in the Network Connections window to make them easier to identify. Note that this is not required, but makes applying the correct settings on the appropriate interface easier.

C. Disable 6to4 functionality on NAT1Disable 6to4 functionality on NAT 1. The reason for this is that if you don’t disable 6to4 on NAT1, it will act as a 6to4 router and issue a 6to4 address to CLIENT1 when it is connect to the Homenet subnet. This will prevent CLIENT1 from acting as a Teredo or IP-HTTPS DirectAccess client.

34

D. Configure ICS on the External Interface of NAT1Internet Connection Services enable NAT1 to act as a NAT device and DHCP server for clients located behind NAT1. This enables CLIENT1 to automatically obtain IP addressing information and connect to the simulated Internet when connected to the Homenet subnet behind NAT1.

A. Install the OS on NAT1The first step is to install the Windows 7 operating system.

1. At NAT1, connect one network adapter to the Internet subnet or virtual switch, and the other to the Homenet subnet or virtual switch.

2. Start the installation of Windows 7 Ultimate Edition.

3. When prompted for a user name, enter User1. When prompted for a computer name, enter NAT1.

4. When prompted for a password, enter a strong password twice.

5. If prompted for a Password Hint, enter a password hint.

6. When prompted for protection settings, click Use recommended settings.

7. When prompted for your computer's current location, click Public network.

B. Rename the Network Interfaces on NAT1In this step you rename the network interfaces in the Network Connections window to make them easier to identify. Note that this is not required, but makes applying the correct settings on the appropriate interface easier.

1. Click Start, and then click Control Panel.

2. Under Network and Internet, click View status and tasks, and then click Change adapter settings.

3. In the Network Connections window, right-click the network connection that is connected to the Homenet subnet, and then click Rename.

4. Enter Homenet, and then press ENTER.

5. In the Network Connections window, right-click the network connection that is connected to the Internet subnet, and then click Rename.

6. Enter Internet, and then press ENTER.

7. Leave the Network Connections window open for the next procedure.

35

8. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

9. To check network communication between NAT1 and INET1, in the command window, type ping inet1.isp.example.com, and then press ENTER.

10. Verify that there are four responses from 131.107.0.1.

C. Disable 6to4 on NAT1In the lab environment we use a Windows 7 computer to simulate a NAT device located in a remote location. One issue with Windows 7 when configured as an Internet Connection Service server is that it can act as a 6to4 router. When this is the case, it might assign the CLIENT1 computer behind the NAT1 ICS computer a 6to4 address and prevent it from acting as a Teredo and IP-HTTPS client. In order to demonstrate both Teredo and IP-HTTPS functionality, 6to4 functionality on the NAT1 is disabled.

1. In an elevated command prompt window, enter netsh interface 6to4 set state state=disabled, and then press ENTER. An Ok response is returned after the command completes.

2. Close the command window.

D. Configure ICS on the External Interface of NAT1Internet Connection Services enable NAT1 to act as a NAT device and DHCP server for clients located behind NAT1. This enables CLIENT1 to automatically obtain IP addressing information and connect to the simulated Internet when connected to the Homenet subnet behind NAT1.

1. At NAT1, in the Network Connections window, right-click Internet, and then click Properties.

2. Click the Sharing tab, select Allow other network users to connect through this computer’s Internet connection, and then click OK.

3. Right click the Homenet interface on NAT1 and click Status.

4. In the Local Area Connection Status dialog box, on the General tab, click the Details button.

5. In the Network Connection Details dialog box, notice that the internal interface has been assigned an IP address and subnet mask by the Internet Connection Service, using a network ID of 192.168.137.0/24. DHCP clients placed behind NAT1 obtain an IP address on this network ID and DNS server settings from the Internet Connection Services.

6. Click Close in the Network Connection Details dialog box, and click Close in the Local Area Connection Status dialog box.

7. Close the Network Connections window.

36

STEP 8: Test DirectAccess Connectivity from the InternetCLIENT1 is now ready for DirectAccess testing. In the first set of tests, you connect CLIENT1 to the simulated Internet. When connected to the simulated Internet, CLIENT1 is assigned a public IPv4 address. When a DirectAccess client is assigned a public IPv4 address, it will try to establish a connection to the DirectAccess server using an IPv6 6to4 connection over its 6to4 tunnel adapter. After connecting to the simulated Internet and establishing the DirectAccess connection, you perform a number of tests to confirm IPv6 connectivity and connectivity to corpnet assets from over the simulated Internet.

1. Unplug CLIENT1 from the corpnet switch and connect it to the Internet switch. Wait for 30 seconds.

2. Open an elevated command prompt. In the command prompt window, enter ipconfig /all and press ENTER.

3. Examine the output from the ipconfig command. CLIENT1 is now connected to the Internet and has a public IPv4 address. When the DirectAccess client has a public IPv4 address, it will use the 6to4 IPv6 transition technology to tunnel the IPv6 messages over an IPv4 Internet between the DirectAccess client and UAG DirectAccess server. Look at the information in the Tunnel adapter 6TO4 adapter. You see a tunnel adapter address that begins with 2002:836b, which is a globally routable address. You will also see a default gateway, which is the first of the two consecutive IPv6 6to4 IP addresses assigned to the UAG DirectAccess server. This address should be 2002:836b:2::836b:2. Note the DNS server entry in this section. This is the DNS server that is used to access any resource other than what is accessible over the DirectAccess connection.

4. In the command prompt window, enter ipconfig /flushdns and press ENTER. This flushes name resolution entries that may still exist in the client DNS cache from when CLIENT1 was connected to the corpnet.

5. In the command prompt window, enter ping dc1 and press ENTER. You should see replies from the ISATAP address assigned to DC1, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.1

6. In the command prompt window, enter ping app1 and press ENTER. You should see replies from the ISATAP address assigned to DC2, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.3

7. In the command prompt window, enter ping uag1 and press ENTER. You should see replies from the ISATAP address assigned to UAG1, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.2

8. In the command prompt window, enter ping app3 and press ENTER. You should see replies from the NAT64 address assigned by UAG1 to APP3, which in this case is 2002:836b:2:8001::a00:4 The ability to ping APP3 is important, because success indicates that you were able to establish a connection using NAT64/DNS64, as APP3 is an IPv4 only resource.

37

9. In the command prompt window, enter netsh namespace show effectivepolicy and press ENTER. The output shows the current settings for the Name Resolution Policy Table (NRPT). These settings indicate that all connections to .corp.contoso.com should be resolved by the DirectAccess DNS Server, which is the UAG DirectAccess server, with the IPv6 address of 2002:836b:3::836b:3. Also, note the NRPT entry indicating that there is an exemption for the name nls.corp.contoso.com; names on the exemption list are not answered by the DirectAccess DNS server. You can ping the DirectAccess DNS server IP address to confirm connectivity to the DirectAccess server; for example, you can ping 2002:836b:3::836b:3.

10. Open Internet Explorer and click the Tools menu and click Internet Options. In the Internet Options dialog box, on the General tab, click the Use Blank button to set the default Web page as blank. Close the Internet Explorer window.

11. In the Internet Explorer address bar, enter http://app1.corp.contoso.com and press ENTER. You will see the default IIS site on APP1.

12. In the Internet Explorer address bar, enter http://app3.corp.contoso.com and press ENTER. You will see the default web site on APP3.

13. Click Start and in the Search box, enter \\App3\Files and press ENTER. Double click on the New Text Document file. This demonstrates that you were able to connect to an IPv4 only server using SMB to obtain a resource in the resource domain.

14. Click Start and in the Search box, enter wf.msc and press ENTER.

15. In the Windows Firewall with Advanced Security console, notice that only the Public Profile is active. The Windows Firewall must be enabled for DirectAccess to work correctly. If for some reason that the Windows Firewall were disabled, DirectAccess connectivity would fail.

16. Expand the Monitoring node in the left pane of the console and click the Connection Security Rules node. You should see the active connection security rules: UAG DirectAccess Client – Client Access Enabling Tunnel – All, UAG DirectAccess Client – Clients Corp Tunnel and UAG DirectAccess Client – Exempt NLA. Scroll the middle pane to the right to expose the 1st Authentication Methods and 2nd Authentication Methods columns. Notice that the first rule uses NTLMv2 to establish the infrastructure tunnel and the second rule uses Kerberos V5 to establish the intranet tunnel. The second tunnel is required to connect to APP1 and APP3, since they are not on the management servers list.

17. In the left pane of the console, expand the Security Associations node and click the Main Mode node. Notice the infrastructure tunnel security associations using NTLMv2 and the intranet tunnel security association using Kerberos V5. Right click the entry that shows User (Kerberos V5) as the 2nd Authentication Method and click Properties. On the General tab, notice the

38

http://app3.corp.contoso.com/


Second authentication Local ID is CORP\User1, indicating that User1 was able to successfully authenticate to the CORP domain using Kerberos.

18. Click Start and right click on Computer and click Properties. Click the Remote Settings link in the left pane of the console. On the Remote tab, in the Remote Desktop section, select the Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure) and click OK. This enables Remote Desktop Connections from Windows Vista and above and Windows 2008 and above computers for remote management. We will use this feature to test the ability to remotely manage DirectAccess clients from management servers on the corpnet.

19. *Move to the DC1 computer or virtual machine. Click Start and enter mstsc and press ENTER. In the Remote Desktop Connection dialog box, in the Computer text box, enter client1.corp.contoso.com and click Connect. In the Windows Security dialog box, select Use another account. In the User name text box enter CORP\User1 and enter User1’s password and click OK. The Remote Desktop Session is successfully established. Note that when you connect from an infrastructure server, you can establish the connection even before the user logs in, increasing your ability to manage DirectAccess client machines on the Internet.

NOTE: You are able to “manage out” CLIENT1 without creating special Firewall Rules because it is acting as a 6to4 IPv6 host. In order to remotely manage Teredo and IP-HTTPS DirectAccess clients, you will need to configure special Firewall Rules that enable inbound access for the protocol or service and enable “edge traversal” for that Firewall Rule.

20. Close the Remote Desktop Connection window. Click OK in the Remote Desktop Connection dialog box that informs you that this will disconnect your session.

21. *Return to CLIENT1. Log on as CORP\User1.

22. Close the System Control Panel window and the Windows Firewall with Advanced Security console. Close all other open windows before moving to the next step.

STEP 9: Test DirectAccess Connectivity from Behind a NAT DeviceWhen a DirectAccess client is connected to the Internet from behind a NAT device or a Web proxy server, the DirectAccess client uses either Teredo or IP-HTTPS to connect to the DirectAccess server. If the NAT device enables outbound UDP port 3544 to the DirectAccess server’s public IP address, then Teredo is used. If Teredo access is not available, the DirectAccess client falls back to IP-HTTPS over outbound TCP port 443, which enables access through firewalls or Web proxy servers over the traditional SSL port. Teredo is the preferred access method, because of its superior performance over IP-HTTPS. In addition, if the web proxy requires authentication, the IP-HTTPS connection will fail. IP-HTTPS connections also fail if the web proxy performs outbound SSL inspection, due to the fact that the HTTPS

39

session is terminated at the web proxy instead of the UAG DirectAccess server. In this section you will perform the same tests performed when connecting using a 6to4 connection in the previous section.

The following procedures are performed on CLIENT1:

A. Test Teredo Connectivity. The first set of tests are performed when the DirectAccess client is configured to use Teredo. This is the automatic setting when the NAT device allows outbound access to UDP port 3544

B. Test IP-HTTPS Connectivity. The second set of tests are performed when the DirectAccess client is configured to use IP-HTTPS. In order to demonstrate IP-HTTPS connectivity, Teredo is disabled on CLIENT1.

A. Testing Teredo ConnectivityThe DirectAccess client can use either Teredo or IP-HTTPS when connecting to the DirectAccess server from behind a NAT device. You will first examine the settings and test connectivity using Teredo.

1. Unplug CLIENT1 from the Internet switch and connect it to the Homenet switch. If asked what type of network you want to define the current network, select Home Network.

2. Open an elevated command prompt. In the command prompt window, enter ipconfig /all and press ENTER.

3. Examine the output of the ipconfig command. This computer is now connected to the Internet from behind a NAT device and is assigned a private IPv4 address. When the DirectAccess client is behind a NAT device and assigned a private IPv4 address, the preferred IPv6 transition technology is Teredo. If you look at the output of the ipconfig command, you should see a section for Tunnel adapter Local Area Connection and then a Description Teredo Tunneling Pseudo-Interface, with an IP address that starts with 2001: consistent with being a Teredo address. You will not see a default gateway listed for the Teredo tunnel adapter.

4. In the command prompt window, enter ipconfig /flushdns and press ENTER. This will flush name resolution entries that may still exist in the client DNS cache from when CLIENT1 was connected to the Internet.


6. In the command prompt window, enter ping app1 and press ENTER. You should see replies from the ISATAP address assigned to APP1, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.3


40

8. In the command prompt window, enter ping app3 and press ENTER. You should see replies from the NAT64 address assigned by UAG1 to APP3, which in this case is 2002:836b:2:8001::a00:4

9. In the command prompt window, enter netsh namespace show effectivepolicy and press ENTER. The output shows the current settings for the Name Resolution Policy Table (NRPT). These settings indicate that all connections to .corp.contoso.com should be resolved by the DirectAccess DNS Server, which is the UAG DirectAccess server, with the IPv6 address of 2002:836b:3::836b:3. Also, note the NRPT entry indicating that there is an exemption for the name nls.corp.contoso.com; names on the exemption list are not answered by the DirectAccess DNS server. You can ping the DirectAccess DNS server IP address to confirm connectivity to the DirectAccess server; for example, you can ping 2002:836b:3::836b:3 in this example.

10. In the Internet Explorer address bar, enter http://app1.corp.contoso.com and press ENTER. You will see the default IIS site on DC2.


12. Click Start and in the Search box, enter \\App3\Files and press ENTER. Double click on the New Text Document file. This demonstrates that you were able to connect to an IPv4 only server using SMB to obtain a resource on an IPv4 only host.

13. Click Start and in the Search box, enter Firewall and press ENTER.

14. In the Windows Firewall with Advanced Security console, notice that only the Private profile is active. The Windows Firewall must be enabled for DirectAccess to work correctly. If for some reason the Windows Firewall were disabled, DirectAccess connectivity would fail.

15. Expand the Monitoring node in the left pane of the console and click the Connection Security Rules node. You should see the active connection security rules: UAG DirectAccess Client – Client Access Enabling Tunnel – All, UAG DirectAccess Client – Clients Corp Tunnel and UAG DirectAccess Client – Exempt NLA. Scroll the middle pane to the right to expose the 1st Authentication Methods and 2nd Authentication Methods columns. Notice that the first rule uses NTLMv2 to establish the infrastructure tunnel and the second rule uses Kerberos V5 to establish the intranet tunnel.

16. In the left pane of the console, expand the Security Associations node and click the Main Mode node. Notice the infrastructure tunnel security associations using NTLMv2 and the intranet tunnel security association using Kerberos V5. Right click the entry that shows User (Kerberos V5) as the 2nd Authentication Method and click Properties. On the General tab, notice the Second authentication Local ID is CORP\User1, indicating that User1 was able to successfully authenticate to the CORP domain using Kerberos to establish the second tunnel (intranet tunnel).

41




B. Testing IP-HTTPS ConnectivityWhen the DirectAccess client is unable to establish a Teredo connection with the DirectAccess server (typically when a firewall or router has blocked outbound UDP port 3544), the DirectAccess client configures itself to use IP-HTTPS to tunnel IPv6 messages over the IPv4 Internet. In the following exercises you confirm that the host is configured as an IP-HTTPS host and check connectivity.

1. Open an elevated command prompt. In the command prompt window, enter netsh interface teredo set state disabled and press ENTER. This disables Teredo on CLIENT1 and enables CLIENT1 to configure itself to use IP-HTTPS.

2. Open an elevated command prompt. In the command prompt window, enter ipconfig /all and press ENTER. An Ok response appears when the command completes.

3. Examine the output of the ipconfig command. This computer is now connected to the Internet from behind a NAT device and is assigned a private IPv4 address. Teredo is disabled and the DirectAccess client falls back to IP-HTTPS. When you look at the output of the ipconfig command, you see a section for Tunnel adapter iphttpsinterface with an IP address that starts with 2002:836b:2:8100 consistent with this being an IP-HTTPS address. You will not see a default gateway listed for the IP-HTTPS tunnel adapter.

4. In the command prompt window, enter ipconfig /flushdns and press ENTER. This will flush name resolution entries that may still exist in the client DNS cache from when CLIENT1 was connected to the corpnet.


6. In the command prompt window, enter ping app1 and press ENTER. You should see replies from the ISATAP address assigned to APP1, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.3


8. In the command prompt window, enter ping app3 and press ENTER. You should see replies from the NAT64 address assigned by UAG1 to APP3, which in this case is 2002:836b:2:8001::a00:4

9. In the command prompt window, enter netsh namespace show effectivepolicy and press ENTER. The output shows the current settings for the Name Resolution Policy Table (NRPT).

42

These settings indicate that all connections to .corp.contoso.com should be resolved by the DirectAccess DNS Server, which is the UAG DirectAccess server, with the IPv6 address of 2002:836b:3::836b:3. Also, note the NRPT entry indicating that there is an exemption for the name nls.corp.contoso.com; names on the exemption list are not answered by the DirectAccess DNS server. You can ping the DirectAccess DNS server IP address to confirm connectivity to the DirectAccess server; for example, you can ping 2002:836b:3::836b:3 in this example.

10. In the Internet Explorer address bar, enter http://app1.corp.contoso.com and press ENTER. You will see the default IIS site on APP1.


12. Click Start and in the Search box, enter \\App3\Files and press ENTER. Double click on the New Text Document file. This demonstrates that you were able to connect to an IPv4 only server using SMB to obtain a resource on an IPv4 only host.

13. Click Start and in the Search box, enter Firewall and press ENTER.

14. In the Windows Firewall with Advanced Security console, notice that only the Private profile is active. The Windows Firewall must be enabled for DirectAccess to work correctly. If for some reason the Windows Firewall were disabled, DirectAccess connectivity would fail.

15. Expand the Monitoring node in the left pane of the console and click the Connection Security Rules node. You should see the active connection security rules: UAG DirectAccess Client – Client Access Enabling Tunnel – All, UAG DirectAccess Client – Clients Corp Tunnel and UAG DirectAccess Client – Exempt NLA. Scroll the middle pane to the right to expose the 1st Authentication Methods and 2nd Authentication Methods columns. Notice that the first rule uses NTLMv2 to establish the infrastructure tunnel and the second rule uses Kerberos V5 to establish the intranet tunnel.

16. In the left pane of the console, expand the Security Associations node and click the Main Mode node. Notice the infrastructure tunnel security associations using NTLMv2 and the intranet tunnel security association using Kerberos V5. When you right click the Kerberos security association, you will see authentication for CORP\User1. This indicates that the client was able to authenticate with the CORP domain using Kerberos to establish the second (intranet) tunnel.


43



STEP 10: View DirectAccess Client Sessions in the UAG DirectAccess MonitorA new feature included in UAG 2010 Service Pack 1 DirectAccess is the new DirectAccess Monitor feature that is included in the UAG Web Monitor applications. You can use the DirectAccess Monitor to obtain information about current and historical connections to the UAG DirectAccess server.

Perform the following steps to view the DirectAccess client connections in the UAG 2010 Service Pack 1 DirectAccess Monitor:

1. *At UAG1, click Start and then click All Programs. Click Microsoft Forefront UAG, then click Forefront UAG Web Monitor. Click Yes in the User Account Control dialog box.

2. Click OK in the Internet Explorer dialog box informing you that the web page uses Java.

3. In the left pane on the Web Monitor web page, in the DirectAccess Monitor section, click the Current Status link. In the main part of the web page, notice that there is information regarding the health of a number of UAG DirectAccess related services.

4. In the left pane on the Web Monitor web page, in the DirectAccess Monitor section, click the Active Sessions link. Here you can see information about current and recent connections. You also can find information regarding the computer account and user account that established the connection.

5. Close Internet Explorer.

6. *Move to CLIENT1. Open an elevated command prompt window. In the command prompt window, enter netsh interface teredo set state client and press ENTER. This will re-enable the Teredo adapter so that it will be available when you use this Test Lab in the future to test other UAG DirectAccess scenarios.

STEP 11: Test Connectivity When Returning to the CorpnetMany of your users will move between remote locations and the corpnet, so it’s important that when they return to the corpnet that they are able to access resources without having to make any configuration changes. UAG DirectAccess makes this possible because when the DirectAccess client returns to the corpnet, it is able to make a connection to the Network Location Server. Once the HTTPS connection is successfully established to the Network Location Server, the DirectAccess client disables it DirectAccess client configuration and uses a direct connection to the corpnet.

1. *Return to CLIENT1. Shut down CLIENT1 and then unplug CLIENT1 from the Home subnet or virtual switch and connect it to the Homenet subnet or virtual switch. Log on as CORP\User1. If asked what type of network you want to define the current network, select Work Network.

2. Open an elevated command prompt. In the command prompt window, enter ipconfig /all. The output will indicate that CLIENT1 has a local IP address, and that there is no active 6to4, Teredo or IP-HTTPS tunnel. Note that CLIENT1 has an active ISATAP tunnel adapter.

44

3. Test connectivity to the network share on APP3. Click Start and enter \\APP3\Files and press enter. You will be able to open the file in that folder.

STEP 12: Snapshot the ConfigurationThis completes the DirectAccess test lab. To save this configuration so that you can quickly return to a working DirectAccess configuration from which you can test other DirectAccess modular TLGs, TLG extensions, or for your own experimentation and learning, do the following:

1. On all physical computers or virtual machines in the test lab, close all windows and then perform a graceful shutdown.

2. If your lab is based on virtual machines, save a snapshot of each virtual machine and name the snapshots TLG UAG DirectAccess SP1RC. If your lab uses physical computers, create disk images to save the DirectAccess test lab configuration.

Additional ResourcesFor procedures to configure the Base Configuration test lab on which this document is based, see the Test Lab Guide: Base Configuration.

For the design and configuration of your pilot or production deployment of DirectAccess, see the Forefront UAG DirectAccess design guide and the Forefront UAG DirectAccess deployment guide.

For information about troubleshooting DirectAccess, see the DirectAccess Troubleshooting Guide.

For information about troubleshooting DirectAccess in a Test Lab, see the Test Lab Guide: Troubleshoot UAG DirectAccess.

For a comprehensive list of UAG DirectAccess Test Lab Guides, see the TechNet wiki Test Lab Guide clearinghouse at Test Lab Guides.

For more information about DirectAccess, see the DirectAccess Getting Started Web page and the DirectAccess TechNet Web page.

45

http://technet.microsoft.com/en-us/network/dd420463.aspx

http://www.microsoft.com/servers/directaccess.mspx

http://social.technet.microsoft.com/wiki/contents/articles/test-lab-guides.aspx

http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=d2e460c8-b4bf-4fda-9f86-ecc4b7add5d1

http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=d2e460c8-b4bf-4fda-9f86-ecc4b7add5d1


http://technet.microsoft.com/en-us/library/dd857320.aspx



Introductiondownload.microsoft.com › ... › TestLabGuide_Demonstr… · Web viewA.Obtain NLS Certificate for SSL Connections to Network Location Server on APP115 B.Configure the

Documents