Microsoft Direct Access Continued: Public Key Infrastructure
What is PKI?
Public Key Infrastructure (PKI) refers to the technical mechanisms, procedures and policies that collectively provide a framework for addressing the previously illustrated fundamentals of security – authentication, confidentiality, integrity, non-repudiation and access control. Read more about PKI: What is PKI?
Installing AD CS Role:
Go to “Add Roles and Features” under Server Manager and add “Active Directory Certificate Services” (AD CS)
Select “Certification Authority” (CA), confirm and install
In the post-deployment configuration, select the CA role service to configure
Choose the setup type based on your environment
Choose “Root CA” since we are creating a new PKI
Create a new private key
Adjust the settings if you wish; I went with the defaults
This step is autofilled; you can rename the CA here
Adjust the validity period
Again, the locations will be autofilled, Next>
Go to CA Management Console
On the left pane, right click “Certificate Templates” > “Manage”
On the bottom, right click “Workstation Authentication” > “Duplicate Template”
Now configure the properties of the new template. Under the “General” tab, name the template; since it will be used for Direct Access authentication, I named it accordingly.
Under “Extensions” tab, edit “Application Policies”
Client Authentication is already there; add “Server Authentication”
Go back to the template properties. Under “Security”, allow Domain Computers to “Autoenroll”, so that when a certificate is issued later, the domain clients will enroll automatically
Under “Subject Name”, select “Common name”; this makes the certificate easier to identify. Click “OK” to save your settings and close the window
Close the template console. On the left pane of the CA Management Console, right click “Certificate Templates” > “New” > “Certificate Template to Issue”
Select the template just created
And it will show up on the right pane
Go to Direct Access Management Console, edit server settings
Under “Authentication”, check “Use computer certificates”, browse and find the proper certificate
Restart the server and client computer…
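The AD CS steps above can also be scripted. The following is an added example and not code from the original post: it installs the role, configures an enterprise root CA with the same choices the wizard offers (new private key, renamable CA name, adjustable validity), publishes the duplicated template to the CA, and points DirectAccess at the new root for computer-certificate authentication. The CA name LAB-ROOT-CA, the template name DirectAccessAuth and the five-year validity are assumed lab values; the template itself is still duplicated in the Certificate Templates console exactly as described above, since there is no built-in cmdlet for that step.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session
# on the Server 2012 R2 machine that hosts AD DS and DirectAccess.
# Assumed values: CA name 'LAB-ROOT-CA', template name 'DirectAccessAuth', 5-year validity.

# 1. Install the Certification Authority role service and the management console.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# 2. Post-deployment configuration: enterprise root CA with a new 2048-bit key.
#    An enterprise (AD-integrated) CA is what lets domain computers autoenroll.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'LAB-ROOT-CA' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 5 `
    -Force

# 3. Publish the duplicated template so this CA will issue it. The template is created in
#    the Certificate Templates console (a copy of "Workstation Authentication" with Server
#    Authentication added and Autoenroll granted to Domain Computers); certutil takes the
#    template name, which is the display name with spaces removed.
certutil -SetCATemplates +DirectAccessAuth

# 4. DirectAccess: authenticate clients with computer certificates chained to the new root.
$rootCa = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like 'CN=LAB-ROOT-CA*' } |
    Select-Object -First 1
Set-DAServer -IPsecRootCertificate $rootCa -PassThru

# 5. Review: the template should be in the CA's issue list, and the DA server object
#    should now show the root certificate used for IPsec authentication.
certutil -CATemplates
Get-DAServer
```

Step 3 is the one place the wizard still has to be used: duplicating the template, adding the Server Authentication application policy and granting Autoenroll are done in the console, and the script only publishes the result. Step 4 is the equivalent of checking “Use computer certificates” in the Direct Access Management Console.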
Verifying Client Enrollment:
To verify the client computers have received the certificate, log in as an administrator on the client computer; do not log in as a domain user, since you won’t have the authority to view the computer certificates. Run “mmc” to open Microsoft Management Console and add a “Certificates” snap-in
Select “Computer account” > “Local computer”
On the left pane, click on “Personal” > “Certificates”, you will see the certificate on the right pane
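The same check can be done from an elevated PowerShell prompt on the client instead of the snap-in. This is an added example, not code from the original post; it looks in the computer’s Personal store for a certificate issued by the lab CA that carries both application policies configured in the template and has a private key, and if none is found it triggers Group Policy and autoenrollment rather than waiting for the next refresh. The issuer name LAB-ROOT-CA is an assumption; substitute your CA’s name.

```powershell
# Added example, not from the original post. Run as a local administrator on the DA client;
# a standard domain user cannot read the computer certificate store.
# Assumed value: the CA was named 'LAB-ROOT-CA'.

$clientEku = '1.3.6.1.5.5.7.3.2'   # Client Authentication (present in the base template)
$serverEku = '1.3.6.1.5.5.7.3.1'   # Server Authentication (added to the duplicated template)

$daCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Issuer -like 'CN=LAB-ROOT-CA*' -and
    $_.HasPrivateKey -and
    $_.EnhancedKeyUsageList.ObjectId -contains $clientEku -and
    $_.EnhancedKeyUsageList.ObjectId -contains $serverEku
}

if (-not $daCerts) {
    Write-Warning 'No matching computer certificate found; refreshing policy and pulsing autoenrollment.'
    gpupdate /target:computer /force | Out-Null
    certutil -pulse | Out-Null            # runs the autoenrollment task now instead of on its schedule
} else {
    # Subject is the machine's common name because the template uses "Common name" as subject.
    $daCerts | Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize

    # Autoenrollment renews on its own, but a certificate close to expiry is worth noticing
    # because the DA tunnel stops authenticating the moment it lapses.
    $expiring = $daCerts | Where-Object { $_.NotAfter -lt (Get-Date).AddDays(30) }
    if ($expiring) { Write-Warning 'A DA computer certificate expires within 30 days.' }
}
```

Filtering on both EKU object identifiers rather than on the friendly names keeps the check independent of the display language of the client.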
How to Implement Microsoft Direct Access on Server 2012 (PKI optional)
What is Direct Access?
DirectAccess allows remote users to securely access internal network file shares, Web sites, and applications without connecting to a virtual private network (VPN). DirectAccess establishes bi-directional connectivity with an internal network every time a DirectAccess-enabled computer connects to the Internet, even before the user logs on. Users never have to think about connecting to the internal network and IT administrators can manage remote computers outside the office, even when the computers are not connected to the VPN.
What are the differences between Direct Access and VPN?
Although it shares some similarities with a typical VPN solution, Direct Access requires almost no user intervention once successfully configured. No additional software is required on the client side; domain clients will automatically connect to the intranet anywhere there is Internet access.
DA is also more secure: in order to connect to the intranet, DA clients have to be joined to the domain, and a certificate can also be issued to the clients to further enhance security.
A static internal IP address for the DA server
Windows Firewall must be enabled on all profiles
Clients must be running the Enterprise edition of Windows 7–10 (Education editions are also supported; Pro and Home are not)
A public key infrastructure is not required, but recommended
Static public IP for your edge device, whether a server with multiple NICs or a router. Use DDNS (Dynamic DNS) if you do not have a static public IP
IPv6 enabled (not necessarily configured) on server and client
Make sure to reserve your server’s IP if you run DHCP for other devices
Configure DDNS for your router’s public IP:
There are lots of free DDNS providers out there, I went with “no-ip”
By registering a DDNS record, you create a hostname equivalent of your router’s public IP; once the router is configured later, the record will stay updated whenever the ISP issues you a new public IP
My router only supports two DDNS providers; you could flash your router with DD-WRT to open up more options. Enter your hostname, username and password as you registered them with your account
My server sits behind a router, so in order to reach it I’ll have to forward traffic to it. Setting up port forwarding is simple if you know the correct port numbers: in order for Direct Access to work, port 41, 443, and 3544 need to be forwarded to your server. Here are some details about what these ports are used for: DA and NAT
Now that you have taken care of the networking and your server can be reached from the Internet, it’s time to deploy the proper roles and features on your server. I’m running Server 2012 R2.
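Before moving on to roles, the prerequisites listed above can be checked from the server in one go. This is an added example, not code from the original post: it reports whether the firewall is on for every profile, whether IPv6 is still bound to an adapter, whether the server’s IPv4 address is static rather than DHCP-assigned, whether the DDNS hostname resolves, and (once Remote Access is installed) whether anything is listening on TCP 443 for the forwarded IP-HTTPS traffic. The hostname da.example.com is a placeholder for the no-ip name you registered.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session on the
# DA server. Assumed value: 'da.example.com' stands in for your registered DDNS hostname.

$results = [ordered]@{}

# Windows Firewall must be enabled on the Domain, Private and Public profiles.
$results['FirewallAllProfiles'] =
    -not (Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })

# IPv6 only needs to be enabled (bound), not configured with a global address.
$results['IPv6Bound'] =
    (Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object { $_.Enabled }).Count -gt 0

# The internal address should be static (or reserved in DHCP); ignore the loopback interface.
$results['StaticIPv4'] =
    (Get-NetIPInterface -AddressFamily IPv4 | Where-Object {
        $_.ConnectionState -eq 'Connected' -and
        $_.Dhcp -eq 'Disabled' -and
        $_.InterfaceAlias -notlike 'Loopback*'
    }).Count -gt 0

# The DDNS name must resolve; this is what clients will put in the IP-HTTPS URL.
$results['DdnsResolves'] =
    [bool](Resolve-DnsName 'da.example.com' -Type A -ErrorAction SilentlyContinue)

# After the Remote Access role is installed, IP-HTTPS listens on TCP 443 behind the forward.
$results['Listening443'] =
    [bool](Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue)

[pscustomobject]$results
```

Each property should read True before you expect a client to connect from the Internet; Listening443 is the only one that is expected to be False until the Remote Access post-deployment configuration has run.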
Active Directory and Remote Access:
Active Directory Domain Services are needed because Direct Access clients must belong to a domain, so you need to create one first. Go to “Add roles and features”
Role based, Next>
Pick the server you want to install the services on, Next>
Select “Active Directory Domain Services” and “Remote Access”
Add default features, Next>
Remote Access overview
Select “DirectAccess and VPN (RAS)”
Active Directory overview
The wizard will prompt you to add the IIS role; it is required for AD and DA
Again, add default features for IIS
Confirmation page on the roles and services you are about to install
Finish the installation and close the wizard
For Active Directory, add a new forest and name the domain
Set a DSRM password and leave everything else at default
This DNS warning is common and can be safely ignored
Verify the NetBIOS domain name, Next>
Leave at default, Next>
Review the configurations
After checking prerequisites, save configurations and close the wizard
For the Remote Access post-deployment configurations, select “Deploy DirectAccess only”
Select the option that’s appropriate for your environment. If you have a server with multiple NICs and at least one public-facing IP address, choose between the first two options; in my case, the server is behind an edge device with a single network adapter. In the blank, fill in the DDNS FQDN configured earlier.
Before applying the settings, you can modify GPO settings if you wish
The default DA GPO settings will be applied to all domain clients; you can apply them to different groups if you wish. I left mine at default because there is only one domain client in my environment
Apply the settings
Creating domain users and adding them to appropriate groups:
Now that you have added and configured the AD and DA roles, create some domain users. Go to “Tools” > “Active Directory Users and Computers”
The “Domain Computers” group is automatically created
Create a new user and set a password
Add the new user to the “Domain Computers” group, or any customized groups you wish to use
Remote Access Management Console:
You can further configure the DA service with Remote Access Management Console
Edit the client settings
Some of these settings were set by the getting started wizard
Enabling DA for mobile computers only will stop clients on the intranet from connecting to the DA server; enabling force tunneling will direct both internal and external traffic to the DA server’s network, if not enabled, external traffic will go through the LAN the client is currently connected to. Configure based on your needs
You can also name your DA connection.
The RA server and Infrastructure servers settings can be left on default, unless you wish to configure a PKI and certificate.
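The role installation, the new forest, the “Deploy DirectAccess only” post-deployment step and the client settings discussed in this section all have PowerShell equivalents. The block below is an added example, not code from the original post, covering both the roles-and-features walkthrough above and the Remote Access Management Console settings just described. The domain name lab.example.com, the NetBIOS name LAB, the adapter name Ethernet and the DDNS hostname da.example.com are assumptions; the client-setting values are the ones the post describes (mobile computers only, no force tunneling), not recommendations.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session on the
# Server 2012 R2 machine. Assumed values: domain 'lab.example.com' (NetBIOS 'LAB'),
# network adapter named 'Ethernet', DDNS hostname 'da.example.com'.

# 1. Roles: AD DS plus Remote Access with the DirectAccess and VPN role service.
#    IIS and the other default features are pulled in as dependencies.
Install-WindowsFeature -Name AD-Domain-Services, RemoteAccess, DirectAccess-VPN -IncludeManagementTools

# 2. New forest. The wizard's "DSRM password" is the SafeModeAdministratorPassword;
#    prompt for it rather than embedding it in the script.
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'
Install-ADDSForest -DomainName 'lab.example.com' -DomainNetbiosName 'LAB' `
    -SafeModeAdministratorPassword $dsrm -InstallDns -Force
# The server restarts here. Log back on as a domain administrator and continue below.

# 3. "Deploy DirectAccess only", single network adapter behind a NAT edge device,
#    reachable from the Internet at the DDNS name forwarded by the router.
Install-RemoteAccess -DAInstallType FullInstall `
    -ConnectToAddress 'da.example.com' `
    -InternalInterface 'Ethernet' -InternetInterface 'Ethernet' `
    -DeployNat -Force

# 4. Client settings from the Remote Access Management Console:
#    OnlyRemoteComputers = "Enable DirectAccess for mobile computers only"
#    ForceTunnel         = "Use force tunneling" (Disabled: Internet traffic stays on the local LAN)
Set-DAClient -OnlyRemoteComputers Enabled -ForceTunnel Disabled -PassThru

# 5. Friendly name shown to users as the DA connection. -PolicyStore is Domain\GPOName;
#    'DirectAccess Client Settings' is the default client GPO the wizard creates.
Set-DAClientExperienceConfiguration -PolicyStore 'lab.example.com\DirectAccess Client Settings' `
    -FriendlyName 'Lab DirectAccess'

# 6. Review what the console would show.
Get-RemoteAccess
Get-DAClient
```

Step 3 is where the single-adapter-behind-NAT topology from the wizard is expressed: both interface parameters name the same adapter and -DeployNat tells Remote Access that the public address belongs to the edge device, not the server.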
DA Client Configurations:
The beauty of Direct Access is that it requires little user intervention on the client side once properly set up: simply join the client computer to your domain and log in as an authorized user, and the DA connection will happen automatically
I’ve made a Windows 10 Edu virtual machine and made it a domain client to test the DA deployment; remember, Windows Pro and Home are not supported
Make sure the client and server are in the same namespace; you can change the DNS address after you’ve joined the domain
At this point, test your DA deployment by creating some shared resources with proper GPO settings and see if your client can access them from the Internet
Log in as a domain user
You should see a Direct Access connection on the bottom right
And there is my shared folder
Tip: if you are having connection issues, and port forwarding is set up correctly, try running “gpupdate” in command prompt on the client computer
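When the connection does not appear, the client itself can tell you which stage failed. The following is an added example, not code from the original post: it applies the gpupdate tip first, then reports the DirectAccess connection status, the IP-HTTPS interface state that carries the tunnel through the router’s 443 forward, reachability of the DA server on that port from the current network, and the IPsec security associations that exist once the computer certificate has authenticated. The hostname da.example.com is a placeholder for your DDNS name.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session on the
# Windows 10 Enterprise/Education client (the DirectAccessClientComponents module ships with
# those editions). Assumed value: 'da.example.com' is your DDNS hostname.

# The post's tip: pull the DA client GPO before checking anything else.
gpupdate /target:computer /force | Out-Null

# Overall status. ConnectedRemotely is the healthy state from the Internet; ConnectedLocally
# means the client found the Network Location Server and is correctly not using DA.
Get-DAConnectionStatus

# Behind a NAT the client falls back to IP-HTTPS on TCP 443; the URL should be
# https://<your DDNS name>:443/IPHTTPS and the interface should be up.
Get-NetIPHttpsConfiguration
Get-NetIPHttpsState

# Can this network reach the DA server on 443 at all? (TCP only; Teredo on UDP 3544
# cannot be probed with Test-NetConnection.)
Test-NetConnection -ComputerName 'da.example.com' -Port 443 -InformationLevel Detailed

# Once the computer certificate has authenticated, the DA tunnels appear as IPsec
# main-mode security associations; an empty list means authentication never completed.
Get-NetIPsecMainModeSA | Format-List
```

Read the output top down: a status of ConnectedLocally from outside the intranet points at name resolution or the NLS, a failed Test-NetConnection points at the router’s forward or the DDNS record, and a working 443 with no main-mode SA points at the certificate or IPsec policy on either side.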
The PKI and certificate content will be on another page; this post is getting way too long…
Azure is a comprehensive set of cloud services that developers and IT professionals use to build, deploy, and manage applications through a global network of datacenters.
Why use Microsoft Azure?
Server 2012 R2 Deployment:
Most of this set up process is to be done in a browser.
First you will need to sign up with Microsoft Azure, a pretty straightforward process, except they ask for your phone number to “verify your identity”, which I find to be a little odd
After you’ve signed up and logged in, they direct you straight to the Azure control panel, click on “+ New”
Search for server 2012
And click “Create”
Only to find out that you’ll need to “Upgrade” your subscription
Here you’ll need to sign up for a free trial
And they want your credit card info
You will have $200 worth of credit to use during the trial
Go back to the dashboard, find Server 2012 R2 and click “Create”
And configure some settings for the new server
“Name” = server name, “User name” = administrator name, and “resource group” is just a container in Azure for ease of management
Step 2: here you can decide the amount of hardware resources your server gets. Microsoft gives you some recommended pre-configured models to choose from, but in a free trial you won’t be able to crank up the number of virtual CPUs and RAM anyway; I picked the first one.
Step 3: some network settings and miscellaneous stuff. The network part will be auto-filled; leave it at default unless you need to change anything
Step 3 Cont.
Step 4: summary. If everything looks good, click “Create”. Note they charge $0.014 per hour for this particular setup.
Wait for the deployment to finish, in my case it took less than 5 minutes
Once it is done, the server dashboard pops up and you can view the server status here. Click on “Connect” to connect to the server; a .rdp file will be downloaded, and you use it to establish a remote desktop connection to your server
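The four portal steps above map onto a single Az PowerShell cmdlet. The block below is an added example, not code from the original post or from Microsoft: it creates a Server 2012 R2 VM with the same name, administrator, size and auto-named network pieces the wizard asks for, and then narrows the RDP rule that “Connect” relies on so that port 3389 is not left open to the whole Internet. Resource group da-lab-rg, VM name da-lab-srv, region eastus, size Standard_B2s and the administrator address 203.0.113.10 are assumptions; the hourly rate quoted above depends on the size you pick.

```powershell
# Added example, not from the original post. Requires the Az module and a signed-in session
# (Install-Module Az; Connect-AzAccount). Assumed values: resource group 'da-lab-rg',
# VM 'da-lab-srv', region 'eastus', size 'Standard_B2s', admin address 203.0.113.10/32
# (a documentation address standing in for your own).

$rg       = 'da-lab-rg'
$location = 'eastus'
$cred     = Get-Credential -Message 'Local administrator account for the VM'   # the "User name" field

New-AzResourceGroup -Name $rg -Location $location

# Steps 1-2 of the wizard: name, admin credential, image, size.
# Step 3: the auto-filled VNet, subnet, network security group and public IP.
New-AzVM -ResourceGroupName $rg -Location $location -Name 'da-lab-srv' `
    -Image 'Win2012R2Datacenter' -Size 'Standard_B2s' -Credential $cred `
    -VirtualNetworkName 'da-lab-vnet' -SubnetName 'default' `
    -SecurityGroupName 'da-lab-nsg' -PublicIpAddressName 'da-lab-pip' `
    -OpenPorts 3389

# -OpenPorts 3389 admits RDP from any source, which is what makes "Connect" work out of the
# box. Restrict the rule to the address you administer from before leaving the VM running.
$nsg  = Get-AzNetworkSecurityGroup -Name 'da-lab-nsg' -ResourceGroupName $rg
$rule = $nsg.SecurityRules |
    Where-Object { $_.DestinationPortRange -contains '3389' } |
    Select-Object -First 1
Set-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $rule.Name `
    -Protocol Tcp -Direction Inbound -Priority $rule.Priority -Access Allow `
    -SourceAddressPrefix '203.0.113.10/32' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389
$nsg | Set-AzNetworkSecurityGroup

# The .rdp file the dashboard offers is just this public address plus the admin user name.
(Get-AzPublicIpAddress -Name 'da-lab-pip' -ResourceGroupName $rg).IpAddress
```

The NSG edit is the one thing the portal wizard does not do for you: the default rule it writes is equivalent to forwarding 3389 from every address on the Internet to the new server.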