
DirectAccess, do’s and don’ts

Nov 07, 2014


kieranjacobsen

Are you considering deploying DirectAccess? DirectAccess is Microsoft’s next-generation remote access solution, providing a seamless corporate network connectivity experience. The session covers a number of issues that IT professionals deploying DirectAccess should be aware of, including load balancing, certificates, and IP infrastructure requirements.
Transcript
Page 1: DirectAccess, do’s and don’ts

DIRECT ACCESS, DO’S AND DON’TS

KIERAN JACOBSEN

HP ENTERPRISE SERVICES

Page 2: DirectAccess, do’s and don’ts

PLAN FOR THE NIGHT

• Pre-deployment design considerations

• Deploying your first server

• Diagnosing Issues

Page 3: DirectAccess, do’s and don’ts

WINDOWS 7 OR 8/8.1

Windows 7:

• Requires certificate-based computer authentication

• Doesn’t support the use of NULL ciphers when IP-HTTPS is used

• Requires the DirectAccess Connectivity Assistant (DCA) to be installed

• Has limited support for multi-site deployments

Page 4: DirectAccess, do’s and don’ts

HIGH AVAILABILITY OPTIONS

• Load Balancing

  • NLB

  • External Load Balancer

• Multi Site

  • Clients can select entry points automatically or can specify them manually

  • Global load balanced IP support

  • Limited Windows 7 support

• Cannot deploy DirectAccess load balancing or multi-site on 2012 R2 when Web Application Proxy is installed on the same server

Page 5: DirectAccess, do’s and don’ts

3RD PARTY LOAD BALANCERS

• F5 & Riverbed support various different deployment types

• Ensure you enable NULL SSL Ciphers

• Can provide SSL offload support (if supporting Windows 7)

Page 6: DirectAccess, do’s and don’ts

DIRECTACCESS AND PKI

• CRL and Strong CRL validation

• IPsec will fail to establish a connection when certificate-based computer authentication uses computer certificates signed with the SHA-512 hashing algorithm

Page 7: DirectAccess, do’s and don’ts

LET’S DEPLOY

Page 8: DirectAccess, do’s and don’ts

DON’T USE THE GETTING STARTED WIZARD

Page 9: DirectAccess, do’s and don’ts

DIRECTACCESS WITH OR WITHOUT VPN

Page 10: DirectAccess, do’s and don’ts

JUST 4 SIMPLE STEPS

Page 11: DirectAccess, do’s and don’ts

STEP 1: FULL ACCESS OR MANAGE OUT?

Page 12: DirectAccess, do’s and don’ts

STEP 1: GROUPS

Page 13: DirectAccess, do’s and don’ts

STEP 1: NETWORK CONNECTIVITY

Page 14: DirectAccess, do’s and don’ts

STEP 2: NETWORK PLACEMENT

Page 15: DirectAccess, do’s and don’ts

STEP 2: NETWORK ADAPTERS

Page 16: DirectAccess, do’s and don’ts

STEP 2: AUTHENTICATION

Page 17: DirectAccess, do’s and don’ts

STEP 3: NETWORK LOCATION SERVICE

Page 18: DirectAccess, do’s and don’ts

STEP 3: NETWORK LOCATION SERVICE

Page 19: DirectAccess, do’s and don’ts

STEP 3: DNS AND NRPT

Page 20: DirectAccess, do’s and don’ts

NRPT RESOLUTION: EXCHANGE.CITADEL.UMBRELLACORP.INFO

Whilst connected to DirectAccess, the user’s Outlook client needs to connect to exchange.citadel.umbrellacorp.info

1. The FQDN is compared to the NRPT. It matches only the first entry in the table, which directs it to the DNS proxy on the DirectAccess server

2. The user’s computer sends a DNS request to the DirectAccess server

3. The DirectAccess server uses its locally configured network interfaces to resolve the request. If the response from the corporate DNS servers is an IPv4 address, the DirectAccess server substitutes an IPv6 address.

4. The response is sent to the DirectAccess client

Page 21: DirectAccess, do’s and don’ts

NRPT RESOLUTION: INSIDE.CITADEL.UMBRELLACORP.INFO (NLS ADDRESS)

Whilst connected to DirectAccess, the client performs a connectivity test to see if it is connected to the corporate network

1. The FQDN is compared to the NRPT. It matches the second entry in the table, which is the NRPT exemption.

2. The user’s computer sends a DNS request directly to the DNS server configured on the client’s NIC

3. Public DNS is unable to resolve the address, so DirectAccess determines it is still externally connected.

Page 22: DirectAccess, do’s and don’ts

NRPT RESOLUTION: MICROSOFT.COM

Whilst connected to DirectAccess, the user opens Internet Explorer and attempts to open the Microsoft web page

1. The FQDN is compared to the NRPT. No matching entries are found

2. If split tunnelling (the default): the user’s computer sends a DNS request directly to the DNS server configured on the client’s NIC. Public DNS then resolves the address and responds to the client.

OR

If force tunnelling: the user’s computer sends the DNS request to the DirectAccess server, and the DirectAccess server uses its locally configured network interfaces to resolve the request. If the response from the corporate DNS servers is an IPv4 address, the DirectAccess server substitutes an IPv6 address. The address is then sent to the client.

Page 23: DirectAccess, do’s and don’ts

NRPT RESOLUTION: INTRANET (SINGLE LABEL)

Whilst connected to DirectAccess, the user opens Internet Explorer, types intranet in the address bar and hits enter:

1. A single-label name is in use, so a DNS suffix is appended to the request to form an FQDN

2. The FQDN is compared to the NRPT. It matches only the first entry in the table, which directs it to the DNS proxy on the DirectAccess server

3. The user’s computer sends a DNS request to the DirectAccess server

4. The DirectAccess server uses its locally configured network interfaces to resolve the request. If the response from the corporate DNS servers is an IPv4 address, the DirectAccess server substitutes an IPv6 address.

5. The response is sent to the DirectAccess client: either 1) the resolved address or 2) name not found

6. If the name has been resolved, the process is complete. If the name was not found, return to step 2 and try the next entry in the DNS suffix search order. Once all suffix search entries have been exhausted, continue to step 7.

7. Attempt to use LLMNR, NetBIOS or WINS * Special Warning *
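The four NRPT walk-throughs above (pages 20 to 23), as an added Python simulation that is not part of the talk: a constructed NRPT with the corporate suffix rule and the NLS exemption, constructed corporate and public DNS data, split versus force tunnelling, and the single-label suffix search with its LLMNR/NetBIOS/WINS fallback. The DNS proxy address, the prefix used for the IPv6 substitution and all IP addresses are constructed; the simulation picks the most specific NRPT rule, which is how Windows evaluates the table and gives the same outcomes as the first/second-entry wording on the slides.

```python
import ipaddress

# Constructed NRPT modelled on the talk. A leading "." means "any name under this suffix";
# a None proxy marks an exemption (resolve via the NIC's DNS servers instead).
NRPT = [
    (".citadel.umbrellacorp.info", "fd00:da::1"),   # DirectAccess DNS proxy (constructed address)
    ("inside.citadel.umbrellacorp.info", None),     # NLS exemption
]
SUFFIX_SEARCH = ["citadel.umbrellacorp.info", "umbrellacorp.info"]
NAT64_PREFIX = "fd00:6464::"   # constructed prefix used when substituting IPv6 for an IPv4 answer
CORP_DNS = {"exchange.citadel.umbrellacorp.info": "10.1.1.5",
            "intranet.citadel.umbrellacorp.info": "10.1.1.20"}
PUBLIC_DNS = {"microsoft.com": "198.51.100.10"}   # constructed, documentation-range address

def nrpt_match(fqdn):
    """Return the most specific matching NRPT rule (Windows uses longest match), or None."""
    best = None
    for namespace, proxy in NRPT:
        hit = fqdn.endswith(namespace) if namespace.startswith(".") else fqdn == namespace
        if hit and (best is None or len(namespace) > len(best[0])):
            best = (namespace, proxy)
    return best

def da_proxy_lookup(fqdn):
    """DA server resolves with its own interfaces; an IPv4 answer is replaced by an IPv6 one."""
    answer = CORP_DNS.get(fqdn) or PUBLIC_DNS.get(fqdn)   # corporate DNS forwards Internet names
    if answer is None:
        return None
    ip = ipaddress.ip_address(answer)
    if ip.version == 6:
        return answer
    return str(ipaddress.IPv6Address(int(ipaddress.IPv6Address(NAT64_PREFIX)) | int(ip)))

def resolve(name, force_tunnel=False):
    """Return (path, fqdn, answer) for a name queried by a connected DirectAccess client."""
    single_label = "." not in name
    candidates = [f"{name}.{s}" for s in SUFFIX_SEARCH] if single_label else [name]
    for fqdn in candidates:
        rule = nrpt_match(fqdn)
        if rule is not None and rule[1] is None:           # exemption: NIC DNS (public) is asked
            path, answer = "nic_dns_exempt", PUBLIC_DNS.get(fqdn)
        elif rule is not None or force_tunnel:             # DA rule, or everything under force tunnel
            path, answer = "da_proxy", da_proxy_lookup(fqdn)
        else:                                              # no rule, split tunnel: NIC's public DNS
            path, answer = "nic_dns", PUBLIC_DNS.get(fqdn)
        if answer is not None or not single_label:
            return (path, fqdn, answer)
    return ("local_name_resolution", name, None)           # LLMNR / NetBIOS / WINS fallback
```

A `None` answer for the NLS name is the externally-connected verdict from page 21; a single-label name that exhausts every suffix ends in the local name resolution fallback flagged on page 23.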

Page 24: DirectAccess, do’s and don’ts

NRPT RESOLUTION: INTRANET (SINGLE LABEL) – LOCAL NAME RESOLUTION

Page 25: DirectAccess, do’s and don’ts

STEP 3: DNS AND NRPT (FORCE TUNNEL)

Page 26: DirectAccess, do’s and don’ts

STEP 3: DNS SUFFIXES

Page 27: DirectAccess, do’s and don’ts

STEP 3: MANAGEMENT SERVERS

Page 28: DirectAccess, do’s and don’ts

STEP 4: APPLICATION SERVERS

Page 29: DirectAccess, do’s and don’ts

FINISHING YOUR DEPLOYMENT

Page 30: DirectAccess, do’s and don’ts

DEPLOYMENT DONE

Page 31: DirectAccess, do’s and don’ts

DIRECTACCESS DIAGNOSTICS

• Check Operation Status in the Remote Access Management Console

• DirectAccess diagnostic log available from the client

  • The steps to access it changed between Windows 8 and 8.1

  • Information logged:

    • NCA Connection Status (Probes List)

    • IP-HTTPS Configuration (Get-NetIPHttpsConfiguration) and IP-HTTPS State (Get-NetIPHttpsState)

    • NRPT Policy (Get-DnsClientNrptPolicy)

    • IPsec Main Mode SAs (Get-NetIPsecMainModeSA)

    • IPsec Quick Mode SAs (Get-NetIPsecQuickModeSA)

    • And more…

Page 32: DirectAccess, do’s and don’ts

DIRECTACCESS DIAGNOSTICS – EXTRA COMMANDS

• “Custom Commands” group policy

  • Computer Configuration -> Administrative Templates -> Network -> DirectAccess Client Experience Settings -> Custom Commands

  • Can be any PowerShell command, cmdlet, function or script

  • Recommended:

    • $wc = New-Object Net.WebClient; $wc.DownloadString("<your NLS address>")

    • $wc = New-Object Net.WebClient; $wc.DownloadString("<your NCA address>")

    • nltest /dnsgetdc:<domain name>

    • netsh advfirewall show currentprofile

Page 33: DirectAccess, do’s and don’ts

DIRECTACCESS AND GROUP POLICY

• Server and workstations are configured using Group Policy

• Policies are created by the management console

• Server policy is filtered by the server’s AD computer account

• Client policy is filtered by the groups specified in the step 1 wizard

• Multi-site creates a server policy for each site

• Policies are created at the root of the domain

Page 34: DirectAccess, do’s and don’ts

ANTIVIRUS AND SECURITY SOFTWARE

• DirectAccess requires the Windows Firewall IPsec components

• Be careful of web filtering functions

• Ensure network IPS/IDS exclusions are correct

Page 35: DirectAccess, do’s and don’ts

QUESTIONS AND LINKS

• My Blog: http://aperturescience.su

• My Twitter: @kjacobsen

• Richard Hicks’ Blog: http://directaccess.richardhicks.com/

• Tom Shinder’s Blog: http://blogs.technet.com/b/tomshinder