Microsoft Direct Access Continued: Public Key Infrastructure

What is PKI?

Public Key Infrastructure (PKI) refers to the technical mechanisms, procedures and policies that collectively provide a framework for addressing the previously illustrated fundamentals of security – authentication, confidentiality, integrity, non-repudiation and access control. Read more about PKI: What is PKI?

Installing AD CS Role:

Go to “Add Roles and Features” under Server Manager and add “Active Directory Certificate Services” (AD CS)

Select “Certification Authority” (CA), confirm and install

In the post-deployment configuration, select the CA to configure


Choose the setup type based on your environment

Choose “Root CA” since we are creating a new PKI

Create a new private key

Adjust the settings if you wish; I went with the defaults

This step is autofilled; you can rename the CA here

Adjust the validity period

Again, the locations will be autofilled, Next>

Confirmation page


Generating Certificates:

Go to CA Management Console

On the left pane, right click “Certificate Templates” > “Manage”

On the bottom, right click “Workstation Authentication” > “Duplicate Template”

Now configure the properties of the new template. Under the “General” tab, name the template; since it’ll be used for Direct Access authentication, I named it accordingly.

Under “Extensions” tab, edit “Application Policies”

Client Authentication is already there; add “Server Authentication”

Go back to the template properties. Under “Security”, allow Domain Computers to “Autoenroll”, so that when a certificate is created later, the domain clients will enroll automatically

Under “Subject Name”, select “Common name”; this makes the certificate easier to identify. Click “OK” to save your settings and close the window


Close the template console. On the left pane of the CA Management Console, right click “Certificate Templates” > “New” > “Certificate Template to Issue”

Select the template just created

And it will show up on the right pane

Go to Direct Access Management Console, edit server settings

Under “Authentication”, check “Use computer certificates”, then browse and find the proper certificate

Restart the server and client computer…


Verifying Client Enrollment:

To verify that the client computers have received the certificate, log in as an administrator on the client computer; do not log in as a domain user, as you won’t have the authority to view the computer certificates. Run “mmc” to open the Microsoft Management Console and add a “Certificates” snap-in

Select “Computer account”

> “Local computer”

On the left pane, click “Personal” > “Certificates”; you will see the certificate on the right pane

Click on the certificate to view its information
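The same check can be scripted from an elevated PowerShell prompt on the client. This is an added example, not part of the original post: it lists the computer certificates that match the template built above (both Client and Server Authentication application policies, private key present, Common name subject); the template name is an assumption and must be replaced with the one you chose.

```powershell
# Added example (not from the original post): find computer certificates in the
# local machine Personal store that satisfy the DirectAccess template above.
# $TemplateName is a hypothetical default; pass the name you gave your template.

function Get-DAComputerCertificate {
    param([string]$TemplateName = 'DirectAccess')   # assumption, not the author's name

    $clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
    $serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU (added in the Extensions tab)

    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $ekus = $_.EnhancedKeyUsageList.ObjectId
        ($ekus -contains $clientAuth) -and ($ekus -contains $serverAuth) -and
        $_.HasPrivateKey -and                       # key was generated on this machine
        $_.NotAfter -gt (Get-Date) -and             # not expired
        $_.Subject -like "CN=$env:COMPUTERNAME*"    # Subject Name = Common name
    } | ForEach-Object {
        # The Certificate Template Information extension records the issuing template
        $tpl = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
        $tplText = if ($tpl) { $tpl.Format($false) } else { '(no template extension)' }
        [pscustomobject]@{
            Subject    = $_.Subject
            Issuer     = $_.Issuer           # should be your new root CA
            NotAfter   = $_.NotAfter
            Thumbprint = $_.Thumbprint
            Template   = $tplText
            TemplateOk = ($tplText -like "*$TemplateName*")
        }
    }
}

Get-DAComputerCertificate | Format-List
```

An empty result means autoenrollment has not fired yet; a result with TemplateOk set to False means the client enrolled for a different template than the one you published.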

And this is the end of the tutorial.


Microsoft Direct Access

How to Implement Microsoft Direct Access on Server 2012 (PKI optional)


What is Direct Access?

DirectAccess allows remote users to securely access internal network file shares, Web sites, and applications without connecting to a virtual private network (VPN). DirectAccess establishes bi-directional connectivity with an internal network every time a DirectAccess-enabled computer connects to the Internet, even before the user logs on. Users never have to think about connecting to the internal network and IT administrators can manage remote computers outside the office, even when the computers are not connected to the VPN.

What are the differences between Direct Access and VPN?

Although it shares some similarities with a typical VPN solution, Direct Access requires almost no user intervention once successfully configured. No additional software is required on the client side; domain clients will automatically connect to the intranet anywhere there is Internet access.

DA is also more secure: in order to connect to the intranet, DA clients have to be joined to the domain, and a certificate can also be issued to the clients to further enhance security.


  • A static internal IP address for the DA server
  • Windows Firewall must be enabled on all profiles
  • Clients must be running the Enterprise edition of Windows 7-10 (Education editions are also supported; Pro and Home are not)
  • A public key infrastructure is not required, but recommended
  • A static public IP for your edge device, whether a server with multiple NICs or a router. Use DDNS (Dynamic DNS) if you do not have a static public IP
  • IPv6 enabled (not necessarily configured) on server and client
  • Visit Direct Access Prerequisites-TechNet for more details
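The host-side items in this list can be checked before you start the wizards. The following is an added example, not from the original post; run it in an elevated PowerShell prompt on Windows 8 / Server 2012 or later (the edition test accepts Server so the same function can run on the DA server).

```powershell
# Added example (not from the original post): report on the DirectAccess
# prerequisites listed above for the local machine.

function Test-DAPrerequisites {
    $results = [ordered]@{}

    # Windows Firewall must be enabled on the Domain, Private and Public profiles
    $profiles = Get-NetFirewallProfile
    $results['FirewallAllProfiles'] = -not ($profiles | Where-Object { -not $_.Enabled })

    # IPv6 must be bound (enabled) on every adapter that is currently up
    $upNames = (Get-NetAdapter | Where-Object Status -eq 'Up').Name
    $v6 = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object { $upNames -contains $_.Name }
    $results['IPv6EnabledOnUpAdapters'] = -not ($v6 | Where-Object { -not $_.Enabled })

    # The DA server needs a static IPv4 address: no connected interface may use DHCP
    $dhcp = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected |
            Where-Object { $_.Dhcp -eq 'Enabled' -and $_.InterfaceAlias -notmatch 'Loopback' }
    $results['StaticIPv4'] = (@($dhcp).Count -eq 0)

    # Clients need Enterprise or Education; Pro and Home lack the DA client components
    $caption = (Get-CimInstance Win32_OperatingSystem).Caption
    $results['SupportedEdition'] = ($caption -match 'Enterprise|Education|Server')
    $results['OSCaption'] = $caption

    [pscustomobject]$results
}

Test-DAPrerequisites
```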


Set a static IP for your server:

Make sure to reserve your server’s IP if you run DHCP for other devices

Configure DDNS for your router’s public IP:

There are lots of free DDNS providers out there, I went with “no-ip”

By registering a DDNS record, you create a hostname equivalent to your router’s public IP, and by configuring the router later, the record will always stay updated when the ISP issues you a new public IP

My router only supports two DDNS providers; you could flash your router with DD-WRT to open up more options. Enter the hostname, username and password you registered with your account

Port forwarding:

My server sits behind a router, so in order to reach it I’ll have to forward traffic to it. Setting up port forwarding is simple if you know the correct port numbers. In order for Direct Access to work, ports 41, 443, and 3544 need to be forwarded to your server. Here are some details about what these ports are used for: DA and NAT

Server Deployment:

Now that you have taken care of the networking and your server can be reached from the Internet, it’s time to deploy the proper roles and features on your server. I’m running Server 2012 R2.

Active Directory and Remote Access:

Active Directory services are needed because Direct Access clients must belong to a domain, so you need to create one first. Go to “Add roles and features”



Role based, Next>


Pick the server you want to install the services on, Next>


Select “Active Directory Domain Services” and “Remote Access”

Add default features, Next>

Remote Access overview

Select “DirectAccess and VPN (RAS)”

Active Directory overview

The wizard will prompt you to add an IIS role; it is required for AD and DA

Again, add default features for IIS

Confirmation page on the roles and services you are about to install

Finish the installation and close the wizard

Post-deployment configurations:

For Active Directory, add a new forest and name the domain

Set a DSRM password and leave everything else at default

This DNS warning is common and can be safely ignored

Verify the NetBIOS domain name, Next>

Leave at default, Next>

Review the configurations

After checking prerequisites, save configurations and close the wizard

For the Remote Access post-deployment configurations, select “Deploy DirectAccess only”

Select the option that’s appropriate for your environment: if you have a server with multiple NICs and at least one public-facing IP address, choose between the first two options; in my case, the server is behind an edge device with a single network adapter. In the blank, fill in the DDNS FQDN configured earlier.

Before applying the settings, you can modify GPO settings if you wish

The default DA GPO settings will be applied to all domain clients; you can apply them to different groups if you wish. I left mine at default because there is only one domain client in my environment

Apply the settings

Creating domain users and adding them to appropriate groups:

Now that you have added and configured the AD and DA roles, create some domain users. Go to “Tools” > “Active Directory Users and Computers”

The “Domain Computers” group is automatically created

Create a new user and set a password

Add the new user to the “Domain Computers” group, or any custom groups you wish to use

Remote Access Management Console:

You can further configure the DA service with the Remote Access Management Console

Edit the client settings

Some of these settings were set by the getting started wizard

Enabling DA for mobile computers only will stop clients on the intranet from connecting to the DA server; enabling force tunneling will direct both internal and external traffic through the DA server’s network, and if it is not enabled, external traffic will go through the LAN the client is currently connected to. Configure based on your needs

You can also name your DA connection.

The RA server and Infrastructure servers settings can be left at default, unless you wish to configure a PKI and certificates.

DA Client Configurations:

The beauty of Direct Access is that it requires little user intervention on the client side once properly set up: simply join the client computer to your domain and log in as an authorized user, and the DA connection will happen automatically

I’ve made a Windows 10 Edu virtual machine and made it a domain client to test the DA deployment. Remember, Windows Pro and Home are not supported

Make sure the client and server are in the same namespace; you can change the DNS address after you’ve joined the domain

At this point, test your DA deployment by creating some shared resources with proper GPO settings and see if your client can access them from the Internet

Log in as a domain user

You should see a Direct Access connection on the bottom right

And there is my shared folder

Tip: if you are having connection issues and port forwarding is set up correctly, try running “gpupdate” in a command prompt on the client computer
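For a fuller picture than the tip alone, the following added example (not from the original post) refreshes Group Policy on the client and then reports the DA connection state, the connection name set in the Remote Access Management Console, and the state of the IPv6 transition technologies that map to the forwarded ports. Run it as an administrator on the Windows 8/10 client; the cmdlets come from the DirectAccessClientComponents and NetworkTransition modules that ship with the OS.

```powershell
# Added example (not from the original post): client-side DirectAccess diagnostics.

function Get-DAClientDiagnostics {
    # Re-pull the computer GPO in case the client missed the DA policy after joining
    gpupdate /target:computer /force | Out-Null

    # Overall DA state, e.g. ConnectedLocally (on the intranet), ConnectedRemotely, or Error
    $status = Get-DAConnectionStatus

    # Client experience settings pushed by the DA GPO (FriendlyName is the connection name)
    $config = Get-DAClientExperienceConfiguration

    # Transition technologies: IP-HTTPS rides TCP 443 and is the usual path behind a
    # NAT router; Teredo uses UDP 3544 (both are in the port forwarding list above)
    $ipHttps = Get-NetIPHttpsState
    $teredo  = Get-NetTeredoState

    [pscustomobject]@{
        Status         = $status.Status
        Substatus      = $status.Substatus
        ConnectionName = $config.FriendlyName
        IPHttpsState   = $ipHttps.State
        IPHttpsLastErr = $ipHttps.LastErrorCode
        TeredoState    = $teredo.State
    }
}

Get-DAClientDiagnostics
```

A Status of ConnectedLocally while the client is on the home LAN is expected; from the Internet you want ConnectedRemotely with IPHttpsState showing a connected IP-HTTPS interface.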

The PKI and certificate content will be on another page; this post is getting way too long…


How to setup and utilize a Server 2012 VM in Microsoft Azure

What is Microsoft Azure?

Azure is a comprehensive set of cloud services that developers and IT professionals use to build, deploy, and manage applications through a global network of datacenters, with integrated tools and DevOps support.

Why use Microsoft Azure?

  • Scalability
  • Cost
  • Speed
  • Security
  • Availability

Server 2012 R2 Deployment:

Most of this setup process is done in a browser.

First you will need to sign up with Microsoft Azure, a pretty straightforward process, except they ask for your phone number to “verify your identity”, which I find to be a little odd

After you’ve signed up and logged in, they direct you straight to the Azure control panel; click on “+ New”

Search for Server 2012

And click “Create”

Only to find out that you’ll need to “Upgrade” your subscription

Here you’ll need to sign up for a free trial

And they want your credit card info

You will have $200 worth of credit to use during the trial

Go back to the dashboard, find Server 2012 R2 and click “Create”

And configure some settings for the new server

“Name” is the server name, “User name” is the administrator name, and “Resource group” is just a container in Azure for ease of management

Step 2: here you can decide the amount of hardware resources your server will have. Microsoft gives you some recommended pre-configured models to choose from, but in a free trial you won’t be able to crank up the number of virtual CPUs and RAM anyway; I picked the first one.

Step 3: some network settings and miscellaneous stuff. The network part will be auto-filled; leave it at default unless you need to change anything

Step 3 Cont.

Step 4: summary. If everything looks good, click “Create”. Note they charge $.014 per hour for this particular setup.

Wait for the deployment to finish; in my case it took less than 5 minutes

Once it is done, the server dashboard pops up, where you can view the server status. Click on “Connect” to connect to the server; a .rdp file will be downloaded, which you use to establish a remote desktop connection to your server

Enter your administrator credentials

And that’s it, you are in.