WSV404. DirectAccess Configuration, Tips, Tricks, and Best Practices. Rand Morimoto, Ph.D., MCITP, CISSP Author, “Windows 2008 R2 Unleashed” President, Convergent Computing. How Today’s Session is Structured. This is a Level 400 session, so NO marketing fluff!
WSV404 DirectAccess Configuration, Tips, Tricks, and Best Practices Rand Morimoto, Ph.D., MCITP, CISSP Author, “Windows 2008 R2 Unleashed” President, Convergent Computing
How Today’s Session is Structured • This is a Level 400 session, so NO marketing fluff! • I will jump right into the installation / configuration of DirectAccess, and will be stopping at key points in the installation process where extra tips, tricks, and clarifications are commonly needed • Demo Guide and Deployment WhitePaper: • http://www.cco.com/portals/0/downloads/WSV404-DirectAccessDemos-Morimoto.pdf • http://www.cco.com/portals/0/downloads/WSV404-DirectAccessDeploymentGuide-Morimoto.pdf
Assumptions • You have a good command of Active Directory Group Policies • You have a good familiarity with navigating through Windows Control Panel and Networking • You have a conceptual knowledge of DNS, IPsec, and IPv6 (I will expand your understanding of these technologies in this session; this is where most implementers get hung up when deploying DirectAccess…)
DirectAccess – Background Slide [diagram: a Windows 7 DirectAccess client on the Internet tunnels to a Server 2008 R2 DirectAccess server over IPv4 (UDP, HTTPS, etc.) using native IPv6, 6to4, Teredo, or IP-HTTPS; the traffic inside the tunnel is IPsec ESP encrypted]
Understanding IPv6 • DirectAccess uses IPv6 for its routing mechanism; take a look at my 8-part blog post series on Understanding IPv6 • http://www.networkworld.com/community/morimoto • Create / utilize a consistent IPv6 addressing configuration for DirectAccess clients and the DirectAccess (or UAG) host server(s) • Make sure the Win7 DirectAccess client systems can successfully “ping” and access the DirectAccess server over IPv6 (if you get a “Transmit Failure” error, DirectAccess won’t work; a simple fix is addressed in my blog posts)
My Implementation Environment • Active Directory 2008 SP2 or Active Directory 2008 R2 Domain Controller • Active Directory Certification Authority • A Windows 2008 R2 Server running the DirectAccess feature • A Windows 7 Enterprise or Ultimate client system • (An application server in my internal network)
Config #1: End-to-Edge Access Model For end-to-edge protection, DirectAccess clients establish an IPsec session to an IPsec gateway server (which by default is the same computer as the DirectAccess server). The IPsec gateway server then forwards unprotected traffic (shown in red on the slide) to application servers on the intranet. This architecture works with any IPv6-capable application server but does not require that server to run IPsec, simplifying the configuration and setup.
Config #2: End-to-Edge with End-to-End IPsec Model For end-to-edge with end-to-end IPsec protection, DirectAccess clients establish an IPsec session to an IPsec gateway server, and that IPsec traffic continues all the way to the intranet server for end-to-end IPsec protection. This architecture provides better security than the end-to-edge model alone.
Config #3: End-to-End IPsec Access Model With end-to-end IPsec protection, DirectAccess clients establish an IPsec session through the DirectAccess server to each application server to which they connect. This provides the highest level of security because you can configure access control on the DirectAccess server and extend IPsec all the way to the internal server. This architecture requires that application servers run Windows Server 2008 SP2 or Windows Server 2008 R2 and use both IPv6 and IPsec.
Step #1: Enabling IPv6 in the Enterprise [diagram: DirectAccess server (Server 2008 R2) reaching line-of-business applications on Windows Server 2008/R2 over IPv6, using ISATAP to carry IPv6 across the IPv4 intranet] • On all internal DNS servers (the DCs), run from an elevated command prompt (or PowerShell): dnscmd /config /globalqueryblocklist wpad (Windows DNS blocks queries for the names “wpad” and “isatap” by default; this rewrites the global query block list to contain only wpad, so clients can resolve the ISATAP router name)
– or – Setup NAT64 [diagram: DirectAccess server (Server 2008 R2) reaching Windows Server 2003 and non-Windows line-of-business applications through NAT64 with DNS-ALG, translating between IPv6 and IPv4]
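The block-list change from Step 1 applied to every internal DNS server and then verified, as an added example that is not part of the session deck or its deployment guide. The server names in $dnsServers and the zone in $zone are placeholders; everything else is stock dnscmd and nslookup usage.

```powershell
# Added example, not part of the session deck: run once from an elevated PowerShell prompt on a
# machine with the DNS Server tools installed. $dnsServers and $zone are placeholders for your
# internal DNS servers (the DCs) and your AD DNS zone.
$dnsServers = @('dc1', 'dc2')
$zone       = 'yourdomain.com'

foreach ($srv in $dnsServers) {
    Write-Host "== $srv =="
    # A default Windows DNS server lists "wpad" and "isatap" here and refuses to answer for
    # either name even when a record for it exists in the zone
    dnscmd $srv /info /globalqueryblocklist

    # /config replaces the whole list, so name only what should stay blocked
    dnscmd $srv /config /globalqueryblocklist wpad

    # Restart the DNS Server service so the new list is definitely in effect
    Get-Service -ComputerName $srv -Name DNS | Restart-Service
}

# The DirectAccess setup wizard (Step 7) registers isatap.<zone> as the ISATAP router name.
# Once that record exists, this lookup must return the DA server's internal IPv4 address;
# a failed lookup with the record present means the block list is still in the way.
nslookup "isatap.$zone"
```

Run it before the DirectAccess wizard so the ISATAP record it creates is resolvable immediately; re-running it is harmless because the list is simply rewritten to the same value.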
Step 2: Configuring the Network Location Server • Any INTERNAL server running Web services • Create a DNS name (like nls.yourdomain.com) • Associate this new NLS DNS name with the IP address of an internal Web server • The NLS tells the DirectAccess clients whether they are “inside” or “outside” of the network *** Make sure this system is HIGHLY available!!! *** Step 3: Create Group(s) for the DA Clients • Create a security group (Global or Universal) • Add Win7 client systems into this group • Remember, systems are no longer really part of a “site”, as they are now universally roaming systems; so you define the group of systems by policy of what you want the systems to have access to, not where they arbitrarily are.
Step 4: Configuring Windows Firewall for DirectAccess • Allow inbound and outbound ICMPv6 Echo Request messages • Create a Group Policy or configure each system individually Step 5: Configuring the Network Location Server • Enroll the server with a certificate and configure for SSL access Step 6: Certificate Auto-Enrollment • Make sure all systems in the DirectAccess group of client systems have a valid client authentication certificate
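A lab helper for Steps 2, 4 and 5, added here as an example and not taken from the deck: it probes the Network Location Server the way a client does (an HTTPS GET that must succeed with a trusted certificate) and then creates the two ICMPv6 Echo Request rules on the local machine. The NLS URL and the rule names are placeholders of my choosing; in production the same two rules belong in the Group Policy the slide mentions.

```powershell
# Added example, not part of the session deck. $nls is a placeholder for the NLS URL from Step 2;
# the firewall rule names are arbitrary.
$nls = 'https://nls.yourdomain.com/'

# Step 2 / Step 5 check. A client that cannot fetch this URL over HTTPS concludes it is
# "outside" even while on the LAN, so the probe must succeed with no certificate error
# (ServicePointManager is left at its defaults on purpose: a self-signed or expired
# certificate should fail here exactly as it fails on the client).
try {
    $resp = [System.Net.WebRequest]::Create($nls).GetResponse()
    Write-Host ("NLS reachable: HTTP {0} from {1}" -f [int]$resp.StatusCode, $nls)
    $resp.Close()
} catch {
    Write-Warning "NLS check failed: $($_.Exception.Message)"
}

# Step 4. ICMPv6 Echo Request is type 128; Teredo relies on it to qualify the tunnel and
# detect the NAT type, so both directions must be open on the DA server and intranet hosts.
netsh advfirewall firewall add rule name="DA ICMPv6 Echo Request In"  dir=in  action=allow protocol=icmpv6:128,any profile=any
netsh advfirewall firewall add rule name="DA ICMPv6 Echo Request Out" dir=out action=allow protocol=icmpv6:128,any profile=any

# Confirm both rules exist and are enabled
netsh advfirewall firewall show rule name="DA ICMPv6 Echo Request In"
netsh advfirewall firewall show rule name="DA ICMPv6 Echo Request Out"
```

The NLS probe is worth scheduling from a couple of internal hosts: a failing NLS does not break DirectAccess for remote users, it breaks name resolution for everyone inside, because internal clients start applying the NRPT rules as if they were on the Internet.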
Step 7: Installing and Configuring DirectAccess (server) • Add a certificate to the DirectAccess server • Add the DirectAccess feature on the server • Run the DirectAccess setup
Step 8: Finalizing Configurations • Make sure DA client systems are in the DA policy group • Run gpupdate /force on all systems to make sure the new policies have been applied (servers for the firewall policy, clients for the firewall and certificate auto-enrollment policies) • Stop/start the iphlpsvc service on all servers and test to make sure that all systems can resolve the isatap.yourdomain.com DNS entry that was created during the DirectAccess setup wizard (note: the stop/start may not be necessary; the configuration should be picked up and applied after gpupdate is run) • Use ping -6 <ipaddress> to make sure you can ping servers and systems internally
Step 9: Testing DirectAccess (Internally) • With the client system internal, run IPConfig and check to make sure you have a local address • Access a file on a fileserver or SharePoint using an internal http(s) connection
Step 10: Testing DirectAccess (Externally) • With the client system external, run ipconfig and check to make sure you have an external IP address • Access a file on a fileserver or SharePoint using an internal http(s) connection • netsh dnsclient show state (the output is different when inside and outside)
Step 11: Testing DirectAccess (Externally using IP-HTTPS) • Step 10 tested external access using the automatically generated Teredo 2001: address • Now to verify that external access is working using IP-HTTPS, disable Teredo: • netsh interface teredo set state disabled • netsh interface httpstunnel show interfaces • Re-access your fileserver and your Web server with an internal address and see if you still have access, now over IP-HTTPS
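The checks from Steps 8 through 11 collected into one client-side script, added here as an example rather than taken from the deck. It runs from an elevated PowerShell prompt on a Windows 7 DirectAccess client; $zone and $appServer are placeholders for the AD DNS zone and one internal application server, and the commands are the netsh, ipconfig, nslookup and ping invocations the slides name.

```powershell
# Added example, not part of the session deck. $zone and $appServer are placeholders.
$zone      = 'yourdomain.com'
$appServer = 'app1.yourdomain.com'

# Step 8: pull the new DirectAccess policies, then bounce IP Helper, the service that hosts
# the ISATAP, Teredo and IP-HTTPS tunnel interfaces (usually unnecessary, cheap in a lab)
gpupdate /force
Restart-Service -Name iphlpsvc

# The ISATAP router record is created by the DA wizard; it must resolve from inside
# (it will not while "isatap" is still on the DNS global query block list)
nslookup "isatap.$zone"

# Steps 9 and 10: where does the DNS client think it is? The "Machine Location" line reads
# "Inside corporate network" when the NLS was reached over HTTPS and "Outside corporate
# network" otherwise, in which case the NRPT rules for the intranet namespace are in force
netsh dnsclient show state
netsh namespace show effectivepolicy

# Which tunnel interfaces are up and what they carry: a 2001: address on Teredo,
# a 2002: address on 6to4, the intranet ISATAP prefix when inside
ipconfig | Select-String -Pattern 'Teredo|ISATAP|6TO4|iphttps|IPv6 Address'
netsh interface teredo show state

# Reachability over IPv6 to an internal server; -6 forces the IPv6 path
ping -6 $appServer

# Step 11: take Teredo out of the picture so the client must fall back to IP-HTTPS,
# confirm the IP-HTTPS interface is active, and re-test. Restore the Teredo setting
# afterwards; a further gpupdate /force re-applies whatever the DirectAccess policy specifies
netsh interface teredo set state disabled
netsh interface httpstunnel show interfaces
ping -6 $appServer
netsh interface teredo set state default
```

Run the script once on the LAN and once from an external network and diff the two outputs: the location line, the effective NRPT policy and the set of active tunnel interfaces are exactly what should differ.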
Routing IPv6 in an IPv4 World… [diagram: the transition paths covered next are native IPv6, Teredo and ISATAP; also 6to4 and IP-HTTPS]
6to4: tunnel IPv6 over IPv4 • The 6to4 router derives its IPv6 prefix from its IPv4 address • IPv4 address 207.213.246.1 is represented as cfd5:f601 (convert each decimal octet to hex) • Its 6to4 address is: 2002:cfd5:f601:0000:0000:0000:cfd5:f601 • Automatic tunneling from 6to4 routers or relays *** BUT: 6to4 does not route through NAT, so any time you are somewhere that happens to be doing IPv4 NAT (which is everywhere!), 6to4 won’t work! *** [diagram: 6to4 router A at 1.2.3.4 (prefix 2002:102:304::b…) and 6to4 router B at 5.6.7.8 (prefix 2002:506:708::b…) tunnel across the IPv4 Internet, and reach host C on the native IPv6 network (3001:2:3:4:c…) through a 6to4 relay at 192.88.99.1]
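The derivation on the slide carried out for any IPv4 address, as an added example that is not from the deck. It builds the 2002::/48 prefix and the Windows-style 6to4 interface address from the four octets, and flags the failure case the slide warns about: an RFC 1918 address (which is what a host behind NAT sees) produces a prefix nobody on the Internet can route back to. The function name is my own.

```powershell
# Added example, not part of the session deck. ConvertTo-6to4Address is a helper written for
# this illustration; the arithmetic is the 6to4 rule from the slide (2002::/16 followed by the
# 32-bit IPv4 address, which Windows also reuses as the low-order interface identifier).
function ConvertTo-6to4Address {
    param([Parameter(Mandatory=$true)][string]$IPv4)

    $b = [System.Net.IPAddress]::Parse($IPv4).GetAddressBytes()
    if ($b.Length -ne 4) { throw "$IPv4 is not an IPv4 address" }

    # Each octet becomes two hex digits: 207.213 -> cfd5, 246.1 -> f601
    $hi = '{0:x2}{1:x2}' -f $b[0], $b[1]
    $lo = '{0:x2}{1:x2}' -f $b[2], $b[3]

    # RFC 1918 space means the host sits behind IPv4 NAT: 6to4 embeds this address in the
    # prefix, so return traffic would be addressed to an unroutable private IPv4 address
    $isPrivate = ($b[0] -eq 10) -or
                 ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
                 ($b[0] -eq 192 -and $b[1] -eq 168)

    New-Object PSObject -Property @{
        IPv4            = $IPv4
        Prefix          = "2002:${hi}:${lo}::/48"                        # the site's 6to4 prefix
        WindowsAddress  = "2002:${hi}:${lo}:0000:0000:0000:${hi}:${lo}"  # 6to4 adapter address
        LikelyBehindNAT = $isPrivate                                     # True: 6to4 will not work
    }
}

ConvertTo-6to4Address '207.213.246.1'   # the slide's example address
ConvertTo-6to4Address '192.168.1.10'    # a typical NATed client; LikelyBehindNAT is True
```

The first call reproduces the address printed on the slide; comparing its output with the 2002: address ipconfig shows on a Windows 7 client is a quick way to tell whether the client actually holds a public IPv4 address or is behind NAT and therefore on Teredo or IP-HTTPS instead.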
Teredo (Windows 7 and Server 2008 R2) • Teredo provides IPv4 NAT traversal by tunneling IPv6 inside IPv4 using UDP • Teredo provides IPv6 connectivity when behind an Internet IPv4 NAT device • It is designed to be a universal method of NAT traversal for most types of NAT • *** Thus it solves the NAT routing issue that 6to4 has, BUT since Teredo encapsulates inside UDP packets, if you are somewhere that blocks UDP-encapsulated packets (which is pretty much everywhere), then Teredo does not work either ***
ISATAP: IPv6 behind firewall • The ISATAP router provides the IPv6 prefix • The host complements the prefix with its IPv4 address • Direct tunneling between ISATAP hosts • Relay through the ISATAP router to local or global IPv6 • ISATAP is a tunneling protocol, so it in itself doesn’t create a client/server relationship • ISATAP merely allows IPv6 communications to tunnel through an IPv4 network • ISATAP is great for site-to-site communications, or client-to-server initiated communications [diagram: ISATAP hosts A, B and C on a firewalled IPv4 network (IPv4 FW) reach a local “native” IPv6 network and host D on the IPv6 Internet through the ISATAP router and an IPv6 FW, across the IPv4 Internet]
IP-HTTPS • Microsoft-created protocol (submitted as an RFC) • IPv6 encapsulated within an HTTPS packet (similar to RPC/HTTPS with Outlook for the past decade, where Outlook RPC is encapsulated within an HTTPS packet) • VERY high success rate of communications “anywhere” because it only requires access to an IPv4 network that allows HTTPS traffic (which is basically everywhere) • Requirements: certificates required; the host must have access to the CRL distribution point [diagram: an IP-HTTPS host behind a NAT device on the IPv4 Internet tunnels IPv6 in HTTPS to the IP-HTTPS server in front of the IPv6 intranet; the IP-HTTPS server presents a certificate, and the Web server hosting the CRL must be reachable by the host]
DirectAccess Monitoring • Built in to the DirectAccess feature installed on the DA server • Provides server monitoring information on DirectAccess components
Replacing the DirectAccess Server with a UAG Server • UAG and DirectAccess better together: extends access to line-of-business servers with IPv4 support; access for down-level and non-Windows clients; enhances scalability and management; simplifies deployment and administration; hardened edge solution [diagram: MANAGED Windows 7 clients use always-on DirectAccess over IPv6; UNMANAGED Vista/XP, non-Windows and PDA clients use SSL VPN over IPv4; the UAG/DirectAccess server extends support to IPv4 servers] • UAG uses wizards and tools to simplify deployments and ongoing management • UAG provides access for down-level and non-Windows clients • UAG enhances scale and management with integrated LB and array capabilities • UAG improves adoption and extends access to existing infrastructure • UAG is a hardened edge appliance available in HW and virtual options
Step 7: Installing and Configuring UAG • Same steps as before for Step 1 – Step 6 • Add a certificate to the UAG server • Install UAG on the server • Run the UAG DirectAccess setup • Same steps as before for Step 8 – Step 11
Additional Benefits of Having UAG • Windows 7 clients now can access internal servers that do not have IPv6 enabled • Windows XP clients can now do SSL VPN access to secured and encrypted servers
Configuring End-to-End Access • In the UAG or DA Management Console, in the Application Servers box, click Edit and choose “Require end to end authentication and encryption…” (note: end-to-end authentication inside of the tunnel) • Select the security group containing the Windows 2008 or later servers for which you want to enable end-to-end protection • Create policy “groups” of servers by employee roles
Testing End-to-End Access • Check to make sure the remote client still has access to internal servers • Open the Windows Firewall with Advanced Security snap-in • Expand Monitoring / Security Associations, click Quick Mode and verify that the IPsec session still exists for the application server(s)
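The same end-to-end check done from the command line on the remote client, added here as an example and not part of the deck. It resolves the application server's IPv6 address, generates real application traffic so an SA is negotiated, and then looks for a quick-mode SA whose remote endpoint is that server rather than the DirectAccess server. $appServer and $share are placeholders for one server in the end-to-end group and a share on it; netsh advfirewall monitor is the command-line counterpart of the snap-in's Security Associations view.

```powershell
# Added example, not part of the session deck. $appServer and $share are placeholders.
$appServer = 'app1.yourdomain.com'
$share     = "\\$appServer\public"

# The end-to-end SA's remote endpoint is the server's IPv6 address, so resolve it first
$serverV6 = [System.Net.Dns]::GetHostAddresses($appServer) |
    Where-Object { $_.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6 } |
    Select-Object -First 1

# Touch the server so an IPsec SA is negotiated. The DirectAccess rules exempt ICMPv6 from
# IPsec, so a ping would prove nothing; SMB (or HTTP) traffic does
Get-ChildItem $share | Out-Null

# Main-mode SAs show who authenticated to whom; quick-mode SAs show the protected traffic.
# Same data as the snap-in's Monitoring > Security Associations > Quick Mode view
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa

# End-to-edge alone only yields SAs whose remote address is the DirectAccess server.
# A quick-mode SA whose remote address is the application server proves end-to-end is in effect
$qmsa = netsh advfirewall monitor show qmsa
if ($qmsa | Select-String -SimpleMatch $serverV6.ToString()) {
    Write-Host "End-to-end IPsec SA present for $appServer ($serverV6)"
} else {
    Write-Warning "No quick-mode SA to $appServer found; traffic to it is protected only end-to-edge"
}
```

If the share is reachable but the warning fires, the server was not picked up by the end-to-end group: check that it is a member of the security group selected in the console and has refreshed its policy, because a server missing from that group silently falls back to end-to-edge protection.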
Diagnostics • Internet Explorer Diagnose Problem button • It has been enhanced to troubleshoot DirectAccess • Networking icon (right click) • Troubleshoot problems option. Supports providing a location. Also has a DirectAccess entry point • Control Panel, Troubleshooting • Connect to a Workplace using DirectAccess • Command Prompt (Elevated) • netsh trace start scenario=directaccess report=yes capture=yes
Related Content • Breakout Sessions • WSV403 – “How to Troubleshoot DirectAccess”, Thursday 2:45pm • SIM316 – “Troubleshoot UAG DirectAccess in 45 Minutes Flat”, Wednesday 1:30pm • Hands-on Lab • WSV288-HOL – “Windows Server 2008 R2: Implementing DirectAccess”, TBD
Track Resources • Don’t forget to visit the Cloud Power area within the TLC (Blue Section) to see product demos and speak with experts about the Server & Cloud Platform solutions that help drive your business forward. • You can also find the latest information about our products at the following links: • Cloud Power - http://www.microsoft.com/cloud/ • Private Cloud - http://www.microsoft.com/privatecloud/ • Windows Server - http://www.microsoft.com/windowsserver/ • Windows Azure - http://www.microsoft.com/windowsazure/ • Microsoft System Center - http://www.microsoft.com/systemcenter/ • Microsoft Forefront - http://www.microsoft.com/forefront/
Resources • Connect. Share. Discuss. http://northamerica.msteched.com Learning • Sessions On-Demand & Community • Microsoft Certification & Training Resources www.microsoft.com/teched www.microsoft.com/learning • Resources for IT Professionals • Resources for Developers http://microsoft.com/technet http://microsoft.com/msdn