Implementing Microsoft DirectAccess Step by Step: Part 2
The first task in a DirectAccess deployment is to modify the DNS service configuration and remove the
ISATAP name from its default global query block list. By default the DNS server refuses to answer queries
for the names "wpad" and "isatap", even when a matching record exists, so until the list is changed
clients cannot resolve the ISATAP router name. Use the following steps to complete this task:
1. On the primary domain controller (DC01), open a PowerShell console session using the Run as Administrator option.
2. In the PowerShell console, execute the following command:
dnscmd /config /globalqueryblocklist wpad
Note
The preceding command replaces the whole global query block list with the single entry wpad, which is what removes isatap from it (the command does not "add" wpad; it overwrites the list). It needs to be run on each DNS server on the internal network, because the block list is a per-server setting and is not replicated. It is also important to understand that this command is only being executed because this scenario is using ISATAP for internal IPv6 support; depending on your deployment needs, executing it may or may not be required. Keep in mind why the list exists: it stops a machine on the network from registering the isatap (or wpad) name through dynamic DNS update and hijacking the traffic that depends on it. Once the name is no longer blocked, make sure the isatap record itself is a static record that only DNS administrators can change.
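The same change expressed with the DnsServer PowerShell module, as an added example that is not part of the original post. Instead of overwriting the list with a fixed value, it removes only the isatap entry from whatever is currently on each server, so any extra names an administrator has added stay blocked, and it verifies the result. The server names in $dnsServers are assumed for this scenario.

```powershell
# Added example: remove only 'isatap' from the DNS global query block list on
# every internal DNS server, keep everything else (including 'wpad') blocked,
# and verify the result. Requires the DnsServer module and DNS Admins rights.

# Assumed list of internal DNS servers for this scenario.
$dnsServers = @('DC01.example.local', 'DC02.example.local')

foreach ($server in $dnsServers) {
    $current = (Get-DnsServerGlobalQueryBlockList -ComputerName $server).List
    Write-Host "$server : current block list = $($current -join ', ')"

    # Build the new list from the current one rather than hard-coding it.
    $wanted = @($current | Where-Object { $_ -ne 'isatap' })

    if ($wanted.Count -eq $current.Count) {
        Write-Host "$server : isatap is already absent, nothing to do"
        continue
    }

    # The block list must stay enabled so that 'wpad' remains protected from
    # dynamic registration by rogue hosts.
    Set-DnsServerGlobalQueryBlockList -ComputerName $server -List $wanted -Enable $true

    # Re-read the setting from the server to confirm the change took effect.
    $check = (Get-DnsServerGlobalQueryBlockList -ComputerName $server).List
    if ($check -contains 'isatap') {
        throw "$server still has isatap in its global query block list"
    }
    Write-Host "$server : new block list = $($check -join ', ')"
}
```

Run this once from DC01 with an account that holds DNS Admins rights on every server in the list; the dnscmd one-liner in step 2 is equivalent for a single server whose list still has only the two default entries.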
The next task in the DirectAccess deployment is to create the DNS record for the Network Location Server (NLS). DirectAccess clients use the NLS URL to determine whether they are on the corporate network: if the NLS name resolves and the HTTPS probe succeeds, the client assumes it is inside and disables its DirectAccess tunnels. For that reason the record belongs only in the internal zone and must never be resolvable from the Internet. Use the following steps to complete this task:
1. On DC01, launch Server Manager.
2. Expand Roles\DNS Server\DNS\DC01\Forward Lookup Zones, and select the example.local zone.
3. Right-click example.local and then click New Host (A or AAAA).
4. In the Name field, type nls. In the IP address field, type the IP address of the NLS website, click Add Host, click OK, and then click Done.
The last task in this section is to create a security group for DirectAccess client computers. The group is referenced in the DirectAccess configuration and is used to scope the DirectAccess client Group Policy Objects, so only computers that are members of it receive the client settings. For this scenario the group will be named DirectAccessClients. Use the following steps to complete this task:
1. On DC01, launch Server Manager.
2. Expand Roles\Active Directory Domain Services\Active Directory Users and Computers\ example.local and select the container that the new group object will be created within.
3. Right-click on the container, select New, and then click Group.
4. In the Group Name field, type DirectAccessClients.
5. Under Group scope, choose Global or Universal; under Group type, choose Security, and then click OK.
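Both of the preceding tasks (the nls host record and the DirectAccessClients security group) done from PowerShell on DC01, as an added example that is not part of the original post. The NLS address, the OU path and the client computer name are assumed values for this scenario; the zone and group names are the ones used above.

```powershell
# Added example: create the NLS host record and the DirectAccessClients group,
# skipping each step if it already exists, then verify both.
# Requires the DnsServer and ActiveDirectory modules (present on DC01).

$zone      = 'example.local'
$dnsServer = 'DC01'
$nlsIp     = '10.0.0.50'                               # assumed IP of the NLS website
$groupName = 'DirectAccessClients'
$groupPath = 'OU=DirectAccess,DC=example,DC=local'     # assumed container for the group
$client    = 'CLIENT01'                                # assumed first DirectAccess client

# --- NLS record -------------------------------------------------------------
$existing = Get-DnsServerResourceRecord -ZoneName $zone -Name 'nls' -RRType A `
                -ComputerName $dnsServer -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    Add-DnsServerResourceRecordA -ZoneName $zone -Name 'nls' -IPv4Address $nlsIp `
        -ComputerName $dnsServer
} else {
    Write-Host "nls.$zone already exists -> $($existing.RecordData.IPv4Address)"
}

# Verify the record resolves against DC01 to the expected address.
$answer = Resolve-DnsName -Name "nls.$zone" -Type A -Server $dnsServer
if ($answer.IPAddress -notcontains $nlsIp) {
    throw "nls.$zone does not resolve to $nlsIp on $dnsServer"
}

# --- Security group ---------------------------------------------------------
$group = Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue
if ($null -eq $group) {
    $group = New-ADGroup -Name $groupName -SamAccountName $groupName `
                 -GroupCategory Security -GroupScope Global -Path $groupPath `
                 -Description 'Computers that receive DirectAccess client settings' `
                 -PassThru
}

# Add the first client computer object (not a user) to the group.
Add-ADGroupMember -Identity $group -Members (Get-ADComputer -Identity $client)

# Verify: the group is a security group and the computer is a member.
$check = Get-ADGroup -Identity $group -Properties Members
if ($check.GroupCategory -ne 'Security') { throw "$groupName is not a security group" }
$members = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty Name
Write-Host "$groupName members: $($members -join ', ')"
```

Membership takes effect on a client only after its Kerberos ticket is refreshed, so reboot the client (or run klist purge and gpupdate) before expecting the DirectAccess client policy to apply.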
Configuring Windows Firewall for DirectAccess
The next task is to create and enable Windows Firewall rules that allow inbound and outbound ICMPv6
Echo Request messages. These rules are needed to allow connectivity for Teredo-based DirectAccess
clients that are behind a NAT. DirectAccess clients that are behind NATs on the Internet will attempt to
use Teredo for IPv6 connectivity to the DirectAccess server, which acts as both Teredo server and Teredo
relay for them. To ensure that a destination is reachable, Teredo clients send an Internet Control Message
Protocol for IPv6 (ICMPv6) Echo Request message and wait for an ICMPv6 Echo Reply message. If ICMPv6
Echo Requests are not allowed, the Teredo path fails and the DirectAccess client falls back to IP-HTTPS
to establish its DirectAccess connection, which works but carries more overhead.
Use the following steps to create a GPO named "DirectAccess ICMP" which will be used to deploy the
needed Windows Firewall rules:
1. On DC01, launch Server Manager.
2. Expand Features\Group Policy Management\Forest: example.local\Domains and select example.local.
3. In the console tree, right-click the domain example.local and select Create a GPO in the Domain and
Link It Here.
4. Enter the name DirectAccess ICMP and then click OK.
5. Right-click the DirectAccess ICMP Group Policy Object and select Edit.
6. In the console tree of the Group Policy Management Editor, expand Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security.
7. In the console tree, select and then right-click Inbound Rules, and then click New Rule.
8. On the Rule Type page, click Custom, and then click Next and Next (the Program page does not apply to an ICMPv6 rule).
9. On the Protocols and Ports page, for Protocol Type, select ICMPv6, and then click Customize.
10. In the Customize ICMP Settings dialog box, click Specific ICMP Types, select Echo Request, and
then click OK.
11. Click Next, Next, Next, and Next, accepting the defaults on the Scope, Action, and Profile pages (for an inbound rule, Allow the connection is already the default action).
12. On the Name page, in the Name field, type Inbound ICMPv6 Echo Requests, and then click Finish.
13. In the console tree, select and then right-click Outbound Rules, and then click New Rule.
14. On the Rule Type page, click Custom, and then click Next and Next.
15. On the Protocols and Ports page, for Protocol Type, click ICMPv6, and then click Customize.
16. In the Customize ICMP Settings dialog box, click Specific ICMP Types, select Echo Request, and then click OK. Click Next and Next.
17. On the Action page, click Allow the Connection (the default for an outbound custom rule is Block, so this step must not be skipped), and then click Next and Next.
18. On the Name page, in the Name field, type Outbound ICMPv6 Echo Requests, and then click Finish.
19. Close the Group Policy Management Editor and the Group Policy Management Console.
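The same GPO and both firewall rules created from PowerShell on DC01, as an added example that is not part of the original post. It uses the GroupPolicy module to create and link the GPO and the NetSecurity module to write the rules directly into the GPO's policy store, then reads them back to check protocol, ICMP type and action. The domain, GPO name and rule names are the ones used above; ICMPv6 type 128 is Echo Request.

```powershell
# Added example: create the "DirectAccess ICMP" GPO, link it to the domain, add
# inbound and outbound ICMPv6 Echo Request allow rules to it, and verify.
# Requires the GroupPolicy (GPMC) and NetSecurity modules.

$domainDn = 'DC=example,DC=local'
$gpoName  = 'DirectAccess ICMP'
$store    = "example.local\$gpoName"   # PolicyStore syntax for a domain GPO

# Create the GPO only if it does not already exist, then link it at the domain.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if ($null -eq $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Allow ICMPv6 Echo Request for Teredo DirectAccess clients'
    New-GPLink -Name $gpoName -Target $domainDn -LinkEnabled Yes | Out-Null
}

# ICMPv6 Echo Request is type 128 (Echo Reply is 129).
$rules = @(
    @{ DisplayName = 'Inbound ICMPv6 Echo Requests';  Direction = 'Inbound'  },
    @{ DisplayName = 'Outbound ICMPv6 Echo Requests'; Direction = 'Outbound' }
)

foreach ($r in $rules) {
    $exists = Get-NetFirewallRule -PolicyStore $store -DisplayName $r.DisplayName -ErrorAction SilentlyContinue
    if ($null -ne $exists) { continue }
    # -Action Allow is explicit for both rules; outbound custom rules default to Block.
    New-NetFirewallRule -PolicyStore $store -DisplayName $r.DisplayName `
        -Direction $r.Direction -Protocol ICMPv6 -IcmpType 128 `
        -Action Allow -Profile Any -Enabled True | Out-Null
}

# Verify: read the rules back from the GPO and check the properties that matter.
foreach ($r in $rules) {
    $rule   = Get-NetFirewallRule -PolicyStore $store -DisplayName $r.DisplayName
    $filter = $rule | Get-NetFirewallPortFilter
    $ok = ($rule.Enabled -eq 'True') -and ($rule.Action -eq 'Allow') -and
          ($rule.Direction -eq $r.Direction) -and
          ($filter.Protocol -eq 'ICMPv6') -and ($filter.IcmpType -eq '128')
    if (-not $ok) { throw "Rule '$($r.DisplayName)' in $store is not configured as expected" }
    Write-Host "OK: $($r.DisplayName) ($($rule.Direction), $($filter.Protocol) type $($filter.IcmpType), $($rule.Action))"
}
```

Linking at the domain root applies these rules to every domain computer, which is what the GUI steps above do as well; if you want them only on DirectAccess clients, add the DirectAccessClients group to the GPO's security filtering with Set-GPPermission. Allowing Echo Request only (type 128) is deliberate: the matching Echo Reply is handled by the stateful firewall, and no other ICMPv6 types are opened.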