
WSV404 DirectAccess Server (Server 2008 R2) DirectAccess Client (Windows 7) Internet Native IPv6 6to4 Teredo IP-HTTPS Tunnel over IPv4 UDP, HTTPS,

Dec 24, 2015


Barry Walker
Transcript
Page 1: WSV404 DirectAccess Server (Server 2008 R2) DirectAccess Client (Windows 7) Internet Native IPv6 6to4 Teredo IP-HTTPS Tunnel over IPv4 UDP, HTTPS,
Page 2:

DirectAccess Configuration, Tips, Tricks, and Best Practices

Rand Morimoto, Ph.D., MCITP, CISSP
Author, “Windows 2008 R2 Unleashed”
President, Convergent Computing

WSV404

Page 3:

How Today’s Session is Structured

This is a Level 400 session, so NO marketing fluff!
I will jump right into the installation / configuration of DirectAccess, and will be stopping at key points in the installation process where extra tips, tricks, and clarifications are commonly needed.
Demo Guide and Deployment WhitePaper:

http://www.cco.com/portals/0/downloads/WSV404-DirectAccessDemos-Morimoto.pdf
http://www.cco.com/portals/0/downloads/WSV404-DirectAccessDeploymentGuide-Morimoto.pdf

Page 4:

Assumptions

You have a good command of Active Directory Group Policies
You have a good familiarity with navigating through Windows Control Panel and Networking
You have a conceptual knowledge of DNS, IPSec, and IPv6 (I will expand your understanding of these technologies in this session. This is where most implementers get hung up when deploying DirectAccess…)

Page 5:

DirectAccess – Background Slide

Diagram: a DirectAccess Client (Windows 7) reaches the DirectAccess Server (Server 2008 R2) across the Internet using Native IPv6, 6to4, Teredo or IP-HTTPS (tunnel over IPv4 UDP, HTTPS, etc.); the traffic is encrypted with IPsec+ESP.

Page 6:

Understanding IPv6

DirectAccess uses IPv6 for its routing mechanism; take a look at my 8-part blog post on Understanding IPv6:

http://www.networkworld.com/community/morimoto

Create / Utilize a consistent IPv6 addressing configuration for DirectAccess clients and the DirectAccess (or UAG) host server(s)
Make sure the Win7 DirectAccess client systems can successfully “ping” and access the DirectAccess server over IPv6 (if you get a “Transmit Failure” error, DirectAccess won’t work (simple fix as addressed in my blog posts))

Page 7:

My Implementation Environment

Active Directory 2008 SP2 or Active Directory 2008 R2 Domain Controller
Active Directory Certification Authority
A Windows 2008 R2 Server running the DirectAccess feature
A Windows 7 Enterprise or Ultimate client system
(An application server in my internal network)

Page 8:

My Implementation Environment (con’t)

Page 9:

Config #1: End-to-Edge Access Model

For end-to-edge protection, DirectAccess clients establish an IPsec session to an IPsec gateway server (which by default is the same computer as the DirectAccess server). The IPsec gateway server then forwards unprotected traffic, shown in red, to application servers on the intranet. This architecture works with any IPv6-capable application server but does not require that server to run IPsec, simplifying the configuration and setup.

Page 10:

Config #2: End-to-Edge with End-to-End IPSec Model

For end-to-edge with End to End IPSec protection, DirectAccess clients establish an IPsec session to an IPsec gateway server, and that IPSec traffic continues all the way to the Intranet server for end to end IPSec protection. This architecture provides better security than just the End to Edge model.

Page 11:

Config #3: End-to-End IPSec Access Model

With end-to-end IPSec protection, DirectAccess clients establish an IPsec session through the DirectAccess server to each application server to which they connect. This provides the highest level of security because you can configure access control on the DirectAccess server and extend IPSec all the way to the internal server. This architecture requires that application servers run Windows Server 2008 SP2 or Windows Server 2008 R2 and use both IPv6 and IPsec.

Page 12:

Step #1: Enabling IPv6 in the Enterprise

Using ISATAP

Diagram: DirectAccess Server (Server 2008 R2) reaching Line of Business Applications on Windows Server 2008/R2 (IPv6 | IPv4 | IPv6).

On all internal DCs, run PowerShell command:

Dnscmd /config /globalqueryblocklist wpad

(The Windows DNS Server global query block list contains both wpad and isatap by default, so queries for the isatap name are silently dropped; this command resets the list to wpad only, so the isatap.yourdomain.com record created later by the DirectAccess wizard can be resolved.)

Page 13:

– or – Setup NAT64

Diagram: DirectAccess Server (Server 2008 R2) reaching Line of Business Applications on Windows Server 2003 and non-Windows hosts through NAT64/DNS-ALG (IPv6 | IPv4).

Page 14:

Step 2: Configuring Network Location Server
Any INTERNAL server running Web services
Create a DNS name (like nls.yourdomain.com)
Associate this new NLS DNS name to an IP Address of an Internal Web server

NLS tells the DirectAccess clients whether they are “inside” or “outside” of the network. *** Make sure this system is HIGHLY available!!! *** (If an internal client cannot reach the NLS, it concludes it is outside the network and applies its DirectAccess name-resolution rules, which breaks its access to internal resources.)

Step 3: Create Group(s) for the DA Clients
Create a security group (Global or Universal)
Add Win7 client systems into this group

Remember, systems are no longer really part of a “site”; they are now universally roaming systems. So you define the group of systems by the policy of what you want the systems to have access to, not by where they arbitrarily are.

Page 15:

Step 4: Configuring Windows Firewall for DirectAccess

Allow inbound and outbound ICMPv6 Echo Request messages
Create a Group Policy or configure each system individually

Step 5: Configuring the Network Location Server
Enroll the server with a certificate and configure for SSL access

Step 6: Certificate Auto-Enrollment
Make sure all systems in the Direct Access group of client systems have a valid client authentication certificate

Page 16:

Step 7: Installing and Configuring DirectAccess (server)

Add a certificate to the DirectAccess server
Add the DirectAccess feature on the server
Run the DirectAccess setup

Page 17:

Step 8: Finalizing Configurations

Make sure DA client systems are in the DA policy group
Run gpupdate /force on all systems to make sure new policies have been applied (servers for firewall policy, clients for firewall and certificate auto-enrollment policies)
Stop/Start the iphlpsvc on all servers and test to make sure that all systems can resolve the isatap.yourdomain.com DNS entry that was created during the DirectAccess setup wizard (note: stop/start may not be necessary; the configuration should be picked up and applied after gpupdate is run)
Use ping -6 <ipaddress> to make sure you can ping servers and systems internally

Page 18:

Step 9: Testing DirectAccess (Internally)

With the client system internal, run IPConfig and check to make sure you have a local address
Access a file on a fileserver or SharePoint using an internal http(s) connection

Page 19:

Step 10: Testing DirectAccess (Externally)

With the client system external, run IPConfig and check to make sure you have an external IP address
Access a file on a fileserver or SharePoint using an internal http(s) connection
> netsh dns show state (output is different when inside and outside)

Page 20:

Step 11: Testing DirectAccess (Externally using IP-HTTPS)

Step 10 tested external access using the automatically generated Teredo 2001: address
Now, to verify that external access is working using IP-HTTPS, disable Teredo:

netsh interface teredo set state disabled
netsh interface httpstunnel show interfaces

Re-access your fileserver and your Web server with an internal address, and see if you still have access, now over IP-HTTPS

Page 21:

Routing IPv6 in an IPv4 World…

Diagram: Teredo, ISATAP, Native IPv6

Also 6to4 and IP-HTTPS

Page 22:

6to4: tunnel IPv6 over IPv4

6to4 router derives IPv6 prefix from IPv4 address
IPv4 address: 207.213.246.1 is represented as cfd5:f601 (convert decimal to hex)
Its 6to4 address is: 2002:cfd5:f601:0000:0000:0000:cfd5:f601

Automatic tunneling from 6to4 routers or relays

*** BUT: 6to4 does not route through NAT, so any time you are somewhere that happens to be doing IPv4 NAT (which is everywhere!), 6to4 won’t work! ***

Diagram: 6to4 routers 6to4-A (IPv4 1.2.3.4, prefix 2002:102:304::b…) and 6to4-B (IPv4 5.6.7.8, prefix 2002:506:708::b…) tunnel across the IPv4 Internet directly to each other and, through the 6to4 Relay at 192.88.99.1, to host C (3001:2:3:4:c…) on the Native IPv6 network.

Page 23:

Windows Win 7 and Server 2008R2 Teredo

Teredo provides IPv4 NAT traversal capabilities by tunneling IPv6 inside of IPv4 using UDP
Teredo provides IPv6 connectivity when behind an Internet IPv4 NAT device
Is designed to be a universal method for NAT traversal for most types of NAT use
*** Thus solves the NAT routing issue that 6to4 has, BUT since Teredo encapsulates inside UDP packets, if you are somewhere that blocks UDP encapsulated packets (which is pretty much everywhere), then Teredo does not work either ***

Page 24:

ISATAP: IPv6 behind firewall

ISATAP router provides IPv6 prefix
Host complements prefix with IPv4 address
Direct tunneling between ISATAP hosts
Relay through ISATAP router to IPv6 local or global

Diagram: host A on a Firewalled IPv4 network (behind an IPv4 FW) tunnels through the ISATAP router to host B on a Local “native” IPv6 network (behind an IPv6 FW); host C sits on the IPv6 Internet and host D on the IPv4 Internet.

ISATAP is a tunneling protocol, so it in itself doesn’t create a client/server relationship
ISATAP merely allows IPv6 communications to tunnel thru an IPv4 network
ISATAP is great for site to site communications, or client to server initiated communications
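The address arithmetic on the 6to4, Teredo and ISATAP slides above, worked through as an added example; this is Python written for this page, not code from the session deck or from Microsoft. It derives the 6to4 prefix from the slide's 207.213.246.1 example, completes an ISATAP /64 prefix with an embedded IPv4 address, and encodes and decodes Teredo addresses per RFC 4380, so that a "2001:0:…" client address seen in an IPsec or firewall log can be turned back into the Teredo server, the NAT-type flag, and the client's public IPv4 address and UDP port. The ISATAP prefix fd00:1:2:3::/64, the Teredo server 192.0.2.1 and the client 203.0.113.7:40000 used in the self-test are constructed values.

```python
"""Derive and decode the IPv6 transition addresses that DirectAccess relies on.

Added example for this page (not from the session deck or from Microsoft).
Address formats follow RFC 3056 (6to4), RFC 5214 (ISATAP) and RFC 4380 (Teredo).
"""
import ipaddress
import struct

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
TEREDO = ipaddress.IPv6Network("2001::/32")


def ipv4_to_hex_groups(ipv4):
    """The slide's decimal-to-hex step: 207.213.246.1 -> 'cfd5:f601'."""
    hi, lo = struct.unpack("!HH", ipaddress.IPv4Address(ipv4).packed)
    return "%x:%x" % (hi, lo)


def six_to_four_prefix(ipv4):
    """6to4 /48 prefix owned by a public IPv4 address: 2002:WWXX:YYZZ::/48."""
    return ipaddress.IPv6Network("2002:%s::/48" % ipv4_to_hex_groups(ipv4))


def six_to_four_address(ipv4, subnet_id=0):
    """Host address in the style of the slide: the 6to4 prefix, a 16-bit
    subnet ID, and an interface ID whose low 32 bits repeat the IPv4 address."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    prefix = int(six_to_four_prefix(ipv4).network_address)
    return ipaddress.IPv6Address(prefix | (subnet_id << 64) | v4)


def isatap_address(prefix, ipv4):
    """ISATAP host: the router's /64 prefix completed with 0:5efe:<ipv4>.
    RFC 5214 sets the 'u' bit (0200:5efe) when the embedded IPv4 is global."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP requires a /64 prefix")
    v4 = ipaddress.IPv4Address(ipv4)
    u_bit = 0x0200 if v4.is_global else 0x0000
    iid = (u_bit << 48) | (0x5EFE << 32) | int(v4)
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def encode_teredo(server_ipv4, client_ipv4, client_udp_port, cone_nat=True):
    """Teredo: 2001:0:<server>:<flags>:<~port>:<~client>. The mapped UDP port
    and client address are stored XOR 0xFFFF so NAT 'helpers' do not rewrite them."""
    s_hi, s_lo = struct.unpack("!HH", ipaddress.IPv4Address(server_ipv4).packed)
    c_hi, c_lo = struct.unpack("!HH", ipaddress.IPv4Address(client_ipv4).packed)
    flags = 0x8000 if cone_nat else 0x0000
    words = (0x2001, 0x0000, s_hi, s_lo, flags,
             client_udp_port ^ 0xFFFF, c_hi ^ 0xFFFF, c_lo ^ 0xFFFF)
    return ipaddress.IPv6Address(struct.pack("!8H", *words))


def decode_teredo(addr):
    """Recover server, NAT flag, client public IPv4 and UDP port from a Teredo address."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO:
        raise ValueError("%s is not a Teredo (2001::/32) address" % addr)
    w = struct.unpack("!8H", ip.packed)
    return {
        "server": str(ipaddress.IPv4Address(struct.pack("!HH", w[2], w[3]))),
        "cone_nat": bool(w[4] & 0x8000),
        "udp_port": w[5] ^ 0xFFFF,
        "client": str(ipaddress.IPv4Address(struct.pack("!HH", w[6] ^ 0xFFFF, w[7] ^ 0xFFFF))),
    }


def classify(addr):
    """Name the transition technology an IPv6 address implies; handy when
    triaging DirectAccess client addresses in IPsec or firewall logs."""
    ip = ipaddress.IPv6Address(addr)
    w = struct.unpack("!8H", ip.packed)
    if ip in TEREDO:
        return "Teredo"
    if ip in SIX_TO_FOUR:
        return "6to4"
    if w[4] in (0x0000, 0x0200) and w[5] == 0x5EFE:
        return "ISATAP"
    return "native/other"


if __name__ == "__main__":
    print(six_to_four_address("207.213.246.1"))           # the slide's example
    print(isatap_address("fd00:1:2:3::/64", "10.0.0.5"))   # constructed prefix
    t = encode_teredo("192.0.2.1", "203.0.113.7", 40000)   # constructed values
    print(t, decode_teredo(str(t)), classify(str(t)))
```

Feeding the 6to4 relay address 192.88.99.1 from the slide diagram into six_to_four_prefix() gives the well-known relay prefix 2002:c058:6301::/48, which is the kind of cross-check worth doing before trusting a decoded address in an investigation.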

Page 25:

IP-HTTPS

Microsoft-created protocol (submitted as an RFC)
IPv6 encapsulated within an HTTPS packet (similar to RPC/HTTPS with Outlook for the past decade, where Outlook RPC is encapsulated within an HTTPS packet)
VERY high success rate of communications “anywhere” because it only requires access to an IPv4 network that allows HTTPS traffic (which is basically everywhere)

Requirements
Certificates required
Host must have access to the CRL distribution point

Diagram: Tunnel IPv6 in HTTPS. An IPv6 Host (the IPHTTPS host) behind a NAT Device on the IPv4 Internet tunnels to the IPHTTPS server at the Intranet edge; the server presents a Certificate, which the host checks against a Web server with the CRL.

Page 26:

DirectAccess Monitoring

Built-in to the DirectAccess feature installed on the DA server
Provides server monitoring information on DirectAccess components

Page 27:

Replacing the DirectAccess Server with a UAG Server

Diagram: Windows 7 clients connect over IPv6 (“Always On”) to the DirectAccess Server/UAG, which extends support to IPv4 servers. MANAGED clients (Windows 7, Vista, XP) and UNMANAGED clients (Non Windows, PDA) reach the edge through DirectAccess or SSL VPN.

UAG improves adoption and extends access to existing infrastructure

UAG and DirectAccess better together:
1. Extends access to line of business servers with IPv4 support
2. Access for down level and non Windows clients
3. Enhances scalability and management
4. Simplifies deployment and administration
5. Hardened Edge Solution

UAG provides access for down level and non Windows clients
UAG enhances scale and management with integrated LB and array capabilities.
UAG uses wizards and tools to simplify deployments and ongoing management.

UAG is a hardened edge appliance available in HW and virtual options

Page 28:

Step 7: Installing and Configuring UAG

Same steps as before for Step 1 – Step 6
Add a certificate to the UAG server
Install UAG on the server
Run the UAG DirectAccess setup
Same steps as before for Step 8 – Step 11

Page 29:

Additional Benefits of Having UAG

Windows 7 clients now can access internal servers that do not have IPv6 enabled
Windows XP clients can now do SSL VPN access to secured and encrypted servers

Page 30:

Configuring End-to-End Access

In the UAG or DA Management Console, in the Application Servers box, click Edit and choose “Require end to end authentication and encryption…” (note: e2e authentication inside of the tunnel)
Select the security group that has the Windows 2008 or later servers for which you want to enable end to end protection
Create policy “groups” of servers by employee roles

Page 31:

Testing End-to-End Access

Check to make sure the remote client still has access to internal servers
Open the Windows Firewall with Advanced Security snap-in
Expand Monitoring / Security Associations, click Quick Mode and verify that the IPsec session still exists for the application server(s)

Page 32:

Diagnostics

Internet Explorer Diagnose Problem Button
It has been enhanced to troubleshoot DirectAccess

Networking Icon (right click)
Troubleshoot problems option. Supports providing a location. Also has a DirectAccess Entry Point

Control Panel, Troubleshooting
Connect to a Workplace using DirectAccess

Command Prompt (Elevated)
NETSH TRACE START SCENARIO=DIRECTACCESS REPORT=YES CAPTURE=YES

Page 33:

Related Content

Breakout Sessions
WSV403 – “How to Troubleshoot DirectAccess”, Thursday 2:45pm
SIM316 – “Troubleshoot UAG DirectAccess in 45 Minutes Flat”, Wednesday 1:30pm

Hands-on Lab
WSV288-HOL – “Windows Server 2008 R2: Implementing DirectAccess”, TBD

Page 34:

Track Resources

Don’t forget to visit the Cloud Power area within the TLC (Blue Section) to see product demos and speak with experts about the Server & Cloud Platform solutions that help drive your business forward.

You can also find the latest information about our products at the following links:

Windows Azure - http://www.microsoft.com/windowsazure/

Microsoft System Center - http://www.microsoft.com/systemcenter/

Microsoft Forefront - http://www.microsoft.com/forefront/

Windows Server - http://www.microsoft.com/windowsserver/

Cloud Power - http://www.microsoft.com/cloud/

Private Cloud - http://www.microsoft.com/privatecloud/

Page 35:

Resources

www.microsoft.com/teched

Sessions On-Demand & Community Microsoft Certification & Training Resources

Resources for IT Professionals Resources for Developers

www.microsoft.com/learning

http://microsoft.com/technet http://microsoft.com/msdn

Learning

http://northamerica.msteched.com

Connect. Share. Discuss.

Page 36:

Complete an evaluation on CommNet and enter to win!

Page 37:

Scan the Tag to evaluate this session now on myTech•Ed Mobile

Page 38: