Author: Sean Wilkins
DirectAccess Connection Process
As covered in the overview, the connection process for using DirectAccess depends on the connection between the client and the server and has been designed to work in a variety of different situations. The steps required to establish a connection are as follows:
- A Windows 7 Ultimate or Enterprise DirectAccess client detects connection to a network
- The client determines whether it is connected to an intranet, if not then DirectAccess is used
- The client connects to the DirectAccess server viaIPv6 and IPSec; if a native IPv6 network is not available the client will use 6to4 or Teredo to send IPv4 encapsulated IPv6 traffic.
- If a firewall prevents the client from establishing a connection to the DirectAccess server then a connection is attempted using HTTPS, when using HTTPS a Secure Sockets Layer (SSL) connection is used to encapsulate IPv6 traffic.
- The client will authenticate the client (computer) and the server via computer certificates
- If NAP is used health validation will occur
- When the user on the client logs in, the DirectAccess client will establish the second tunnel to the resources and authenticate the computer and user credentials.
- If authenticated the resources will be accessible
DirectAccess Network Requirements
There are a number of prerequisites which must be satisfied before deploying DirectAccess on your network. These are listed below and are what is recommended by Microsoft before a full implementation; some of these steps may be optional if simply testing in a lab environment:
- Deploy Active Directory
- Deploy a Public Key Infrastructure with AD certificate services
- Configure a certificate revocation list (CRL) which is reachable from the Internet (Clients)
- Install Windows 7 Ultimate or Enterprise on your clients and join to AD
- Configure firewalls to allow DirectAccess traffic
- Teredo – UDP port 3544
- 6to4 – IPv4 protocol 41
- IP-HTTPS – TCP port 443
- Remote IPv6 clients – ICMPv6 and IPv4 protocol 50
- Ensure DNS servers are running at least Windows 2008 and remove ISATAP from global query block list
DirectAccess Client Connection Specifics
As step 3 in the above list tells use if a connection is to be established via DirectAccess a connection supporting IPv6 is required. As there are a number of different ways which exist to connect to IPv6 networks there are also a number of different ways to configure DirectAccess. The most preferred of these options would be to have an existing IPv6 client which connects to the server through an IPv6 network. In this case the connection between the server and the client is rather simple and just uses a simple IPv6 connection. However, if the client does not have a native IPv6 connection between the client and the server then DirectAccess's other options can be used. These options include using 6to4 or Teredo transition technologies or as a last option using a HTTPS connection.
Now the best option with client configuration is to utilize group policy. In this situation the required configuration can be created at a central point and published to all potential DirectAccess clients. Now if for whatever reason you want to manually configure the DirectAccess client then these four policies would need to be configured, all of which are located under the ‘Computer Configuration\Administrative Templates\
etwork\TCPIP Settings\IPv6 Transition Technologies' node:
- 6to4 Relay Name – Configured with the public IPv4 address (one of the addresses) on the DirectAccess server
- IP-HTTPS State – Configured with the URL for the IP-HTTPS server (DirectAccess server) and configures the state which can be used to control the use of IP-HTTPS. By default, an IP-HTTPS connection is used as a last resort connection.
- Teredo Default Qualified – Enables the use of the Teredo transition technology.
- Teredo Server Name – Configured with the address of the Teredo server (DirectAccess server).
DirectAccess Server Connection Specifics
Now, with DirectAccess, the bulk of the configuration must be done on the server; however once this is complete the deployment of each DirectAccess client is as simple as putting them in the appropriate DirectAccess policy group.
There are some minimum requirements which must be met in order for a server to be configured with DirectAccess. These include:
- Must be running Windows Server 2008 R2 and be a Domain member (Not a DC)
- Must have two network adapters (Intranet and Internet), the Internet network adapter must have two consecutive global IPv4 addresses assigned to it (not private).
- Must have a digital certificate which is configured with the fully qualified domain name which matches the name associated with the two Internet IPv4 addresses.
- At least one global security group which will be used to assign DirectAccess policy to the clients
- Must configure a connection-specific DNS suffix
Once these requirements have been met you can start to setup DirectAccess on the server. The following screen shots show the basic steps which would be taken to set the server up for DirectAccess:
Figure 1 - DirectAccess Feature Setup
The first step is to install the DirectAccess Management Console; this will then be used to configure DirectAccess.
Figure 2 - DirectAccess Setup Wizard
Once the DirectAccess Management console is installed, then you can run it from the Administrator tools directory. Figure 2 above shows what the management console looks like and is organized into four different configuration steps.
Figure 3 - DirectAccess Client Setup
The first step is used to select the global security group used for DirectAccess clients.
Figure 4 - DirectAccess Server Setup – Internet interface Domain classification
The second step is used to configure the network interface for use with DirectAccess. The wizard at this point will perform a number of checks to ensure that all prerequisites have been satisfied. From this screen you would select which interfaces will be used to connect to the Internet and which one would be used to connect to the internal network servers. The interface which is going to be used for connecting to the Internet must not be classified by Windows as a domain interface as the wizard will not allow it; this is shown in figure 4.
Figure 5 - DirectAccess Server Setup – Existing IPv6 Configuration
If the wizard detects that IPv6 has already been configured on the Internet interface it will configure DirectAccess appropriately along with still providing IPv6 transition technology support; this is shown in figure 5.
Figure 6 - DirectAccess Server Setup – No Existing IPv6 Configuration
However, if IPv6 is not configured on the Internet interface then DirectAccess will detect this as well and enable the use of IPv6 transition technologies; this is shown in figure 6.
Figure 7 - DirectAccess Server Setup – IPv6 Prefix Configuration
Once the internal and Internet interfaces have been configured then the internal IPv6 prefix will be configured along with the prefix which will be given out to DirectAccess clients. This configuration is shown in figure 7.
Figure 8 - DirectAccess Server Setup – Certificate Configuration
The last part of this step configuration requires the assignment of certificates to be used for remote client certificates and for IP-HTTPS client connectivity. This configuration is shown in figure 8.
Figure 9 - Infrastructure Server Setup - Network Location Configuration
The next step is used to setup the infrastructure server setup including the network location server. The network location server is used by clients to determine whether they are already connected to the intranet and thus do not require DirectAccess. This can be configured to either work through a highly available HTTPS server or via the DirectAccess server itself; this configuration is shown in figure 9.
Figure 10 - Application Server Configuration
The last step involved with setting up DirectAccess involves the configuration for the internal application servers. As reviewed in the overview article there are a number of different ways to setup connections between the clients and the application servers; the configuration options available for this are shown in figure 10.