
Monday, 26 January 2015

DA Step-4 Installing and Configuring DirectAccess

Implementing Microsoft DirectAccess Step by Step: Part 5
The next task in the DirectAccess deployment is to complete the DirectAccess installation and configuration. To start this process you will first need to request a server authentication certificate that will be used for IP-HTTPS. Use the following steps to complete this task:

1. On DA click Start, type mmc, and then press ENTER.

2. Click File, and then click Add/Remove Snap-in.

3. Click Certificates, click Add, select Computer account, click Next, select Local computer, click Finish, and then click OK.

4. In the console tree of the Certificates snap-in, expand Certificates (Local Computer)\Personal.

5. Right-click Certificates, point to All Tasks, and then click Request New Certificate.

6. Click Next twice.

7. On the Request Certificates page, click Web Server 2008, and then click More information is required to enroll for this certificate.

8. On the Subject tab of the Certificate Properties dialog box, in Subject name, for Type, select Common Name.

9. In Value, type directaccess.example.local, and then click Add.

10. In Alternative name, for Type, select DNS.

11. In Value, type directaccess.example.local, and then click Add.

12. Click OK, click Enroll, and then click Finish.

Note
Point 7 assumes that the Web Server 2008 certificate template was created beforehand. For the purpose of this scenario the Web Server 2008 template was a version 3 template that was duplicated from the version 1 Web Server template. The permissions for the Web Server 2008 certificate template were modified to allow Domain Computers to enroll for certificates based on this template and the private key can be exported. Lastly, the subject name and subject alternative name of a certificate can be specified during the request.


13. In the details pane of the Certificates snap-in, verify that a new certificate with the name directaccess.example.local was enrolled with Intended Purposes of Server Authentication.

14. Right-click the certificate and select Properties.

15. In the Friendly Name field, type IP-HTTPS and click OK.
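Before moving on, it is worth confirming from the DA server that the enrolled certificate actually has everything the Setup Wizard will later look for. The following PowerShell check is an added example, not part of the original post; it assumes the subject name directaccess.example.local and the friendly name IP-HTTPS used in the steps above, and runs against the Local Computer Personal store.

```powershell
# Added example (not from the original post): verify the IP-HTTPS certificate
# in Cert:\LocalMachine\My meets what the DirectAccess Setup Wizard expects.
# Assumes the names used in the enrollment steps above.
$expectedName  = 'directaccess.example.local'
$friendlyName  = 'IP-HTTPS'
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $friendlyName }

if (-not $cert) { throw "No certificate with friendly name '$friendlyName' in LocalMachine\My" }
if (@($cert).Count -gt 1) { throw "More than one certificate named '$friendlyName'; the wizard needs exactly one" }

$problems = @()

# Subject CN must be the public name clients will connect to over IP-HTTPS.
if ($cert.Subject -notmatch "CN=$([regex]::Escape($expectedName))") {
    $problems += "Subject is '$($cert.Subject)', expected CN=$expectedName"
}

# Server Authentication EKU must be present or the wizard will not offer the certificate.
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
if (-not $hasServerAuth) { $problems += 'Missing Server Authentication EKU' }

# The Subject Alternative Name extension (OID 2.5.29.17) must carry the DNS name.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san -or $san.Format($false) -notmatch [regex]::Escape($expectedName)) {
    $problems += "SAN does not contain DNS name $expectedName"
}

# IP-HTTPS terminates TLS on this server, so the private key must be here.
if (-not $cert.HasPrivateKey) { $problems += 'Private key is not present on this machine' }

# Check the validity window and that the chain builds to a trusted root.
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "Expires soon: $($cert.NotAfter)" }
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    $problems += "Chain does not build: $status"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "OK: $($cert.Thumbprint) is usable for IP-HTTPS until $($cert.NotAfter)"
```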

Once the IP-HTTPS certificate has been installed the next task is to install the DirectAccess Management Console feature on DA01. Use the following steps to complete this task:

1. On DA, launch Server Manager.

2. Right-click on Features and select Add Features.

3. On the Select Features page, select DirectAccess Management Console.

4. At the pop-up, click Add Required Features. This adds the Group Policy Management feature.

5. Click Next.

6. Click Install.

7. Click Close to finish.

After the DirectAccess Management Console has been installed the next task is to complete the DirectAccess configuration using the DirectAccess Setup Wizard. To complete this task use the following steps:

1. On DA, launch Server Manager.

2. Expand Features, DirectAccess, and select the Setup node. The screen will show the DirectAccess Setup Wizard, as shown in Figure 8.

FIGURE 8 DirectAccess Setup Wizard.

3. In Step 1 Remote Clients, click Configure.

4. On the DirectAccess Client Setup page, click the Add button.

5. In the Select Group dialog box, type DA_Client and click OK. The screen will show the group, as shown in Figure 9.

FIGURE 9 DirectAccess Client Setup.

6. Click Finish.

7. In Step 2 DirectAccess Server, click Configure.

8. On the Connectivity page, for Interface Connected to the Internet, ensure that the correct interface is selected. For Interface Connected to the Internal Network, ensure that the correct interface is selected. The wizard will attempt to select the best interfaces based on the IP address ranges. In Figure 10, the public address has been assigned to the Internet interface and the private address has been assigned to the internal interface.

FIGURE 10 DirectAccess Server Connectivity Setup.

The DirectAccess Setup Wizard has an informational note that it detected that the internal network is IPv4-based and will enable IPv6 transition technologies as part of the setup. The DirectAccess server will be configured as the ISATAP server.

9. Click Next.

10. On the Certificate Components page, for Select the Root Certificate to Which Remote Client Certificates Must Chain, click Browse. In the list of certificates, select the appropriate Root CA certificate, and then click OK.

11. For Select the Certificate That Will Be Used to Secure Remote Client Connectivity over HTTPS, click Browse. In the list of certificates, click the certificate named IP-HTTPS, and then click OK. The results are shown in Figure 11. Click Finish.

FIGURE 11 DirectAccess Server certificate components.

12. In Step 3 Infrastructure Servers, click Configure.

13. On the Location page, click Network Location Server Is Run on a Highly Available Server, type https://nls.example.local, click Validate, and then click Next. You should get a green check mark with a Validation Successful message.

14. On the DNS and Domain Controller page (shown in Figure 12), note the entry for the name example.local with the IPv6 address. This is the 6to4 IPv6 address for the DC01 domain controller. All DirectAccess client requests to the domain example.local will be forwarded to this domain controller. nls.example.local and directaccess.example.local are also listed with a blank DNS server, which defines an NRPT exemption for these FQDNs.

FIGURE 12 DirectAccess Infrastructure Server Setup for DNS.

The blank DNS entry for the network location server is needed so that DirectAccess clients can use the URL to determine whether they are inside the corporate network or on the Internet. When inside the network, the DirectAccess clients will be able to access the site. When remote and connected via DirectAccess, the clients will be unable to reach the site because of the blank DNS entry, although they can reach all other internal resources. Example.local and nls.example.local have been added as NRPT exceptions because of the split-brain DNS configuration. If these exceptions were not added, clients would not be able to resolve these FQDNs when they were on an external network.

15. Click Next.

16. On the Management page, if there were internal management servers, such as Microsoft System Center Configuration Manager 2012 (SCCM) servers that needed to reach the DirectAccess clients, they would be entered in this portion of the setup. For the purposes of this scenario leave this blank and click Finish.

17. In Step 4 Application Servers, click Configure.

18. On the DirectAccess Application Server Setup page, leave Require No Additional End-to-End Authentication selected. If end-to-end protection were required, this step in the configuration wizard is where the permitted application servers would be added. For the purposes of this scenario only the end-to-edge access model is being used, so no additional configuration is needed.

19. Click Finish.

20. Click Save, and then click Finish, which launches the configuration wizard.

21. In the DirectAccess Review dialog box, click Apply.

During the configuration process two new Group Policy Objects are created, each named DirectAccess Policy-<GUID>. One has security filtering defined such that it applies only to the DirectAccess server by computer name (DirectAccess$). The other has security filtering defined such that it applies only to the DirectAccess clients in the DirectAccessClients security group.
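Because these two GPOs carry the client NRPT, IPsec and IP-HTTPS settings, it is worth confirming that each one really is filtered to the server or the client group and nothing broader. The following is an added example, not part of the original post; it assumes the GroupPolicy module that ships with the Group Policy Management feature installed above, and the GPO naming pattern given in the text.

```powershell
# Added example (not from the original post): list the wizard-created
# DirectAccess Policy-<GUID> GPOs and show whom each one is security-filtered to.
# Assumes the GroupPolicy module (installed with Group Policy Management) is available.
Import-Module GroupPolicy

$gpos = @(Get-GPO -All | Where-Object { $_.DisplayName -like 'DirectAccess Policy-*' })
if ($gpos.Count -ne 2) {
    Write-Warning "Expected 2 DirectAccess Policy GPOs, found $($gpos.Count)"
}

foreach ($gpo in $gpos) {
    # Security filtering is the set of trustees holding the Apply Group Policy (GpoApply) right.
    $applyTo = @(Get-GPPermissions -Guid $gpo.Id -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name })

    "{0}`n  Id:         {1}`n  Applies to: {2}" -f $gpo.DisplayName, $gpo.Id, ($applyTo -join ', ')

    # The wizard scopes one GPO to the server computer account and one to the client group.
    # If Authenticated Users still holds GpoApply, the policy would hit every domain member.
    if ($applyTo | Where-Object { $_ -like '*Authenticated Users' }) {
        Write-Warning "$($gpo.DisplayName) still applies to Authenticated Users"
    }
}
```

Run it on the DA server or any machine with the Group Policy Management Console; in Windows Server 2012 and later the cmdlet is named Get-GPPermission, with Get-GPPermissions kept as an alias.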
