How to Implement Microsoft Direct Access on Server 2012 (PKI optional)
What is Direct Access?
DirectAccess allows remote users to securely access internal network file shares, Web sites, and applications without connecting to a virtual private network (VPN). DirectAccess establishes bi-directional connectivity with an internal network every time a DirectAccess-enabled computer connects to the Internet, even before the user logs on. Users never have to think about connecting to the internal network and IT administrators can manage remote computers outside the office, even when the computers are not connected to the VPN.
What are the differences between Direct Access and VPN?
Although it shares some similarities with a typical VPN solution, Direct Access requires close to no user intervention once successfully configured. No additional software is required on the client side; domain-joined clients will automatically connect to the intranet anywhere there is Internet access.
DA is also more secure: in order to connect to the intranet, DA clients have to be joined to the domain, and a certificate can also be issued to the clients to further enhance security.
Prerequisites:
- A static internal IP address for the DA server
- Windows Firewall must be enabled on all profiles
- Clients must be running the Enterprise edition of Windows 7-10 (Education editions are also supported, Pro and Home are not)
- A public key infrastructure is not required, but recommended
- A static public IP for your edge device, whether a server with multiple NICs or a router. Use DDNS (Dynamic DNS) if you do not have a static public IP
- IPv6 enabled (not necessarily configured) on server and client
- Visit Direct Access Prerequisites - TechNet for more details
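To save yourself a round of troubleshooting later, here is an added example (not from the original post) that checks the prerequisites above on whichever machine it runs on. It uses only built-in cmdlets (NetSecurity, NetAdapter, NetTCPIP and CIM); run it from an elevated PowerShell prompt on the DA server and again on each client. The edition check accepts Server SKUs so the same script works on the server.

```powershell
# Added example, not part of the original post: checks the DirectAccess prerequisites
# on the local machine. Built-in cmdlets only; run elevated on the server and on each client.

function Test-DirectAccessPrereq {
    $checks = New-Object System.Collections.Generic.List[object]
    function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
        $checks.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
    }

    # Windows Firewall must be on for Domain, Private and Public; the DA IPsec/IP-HTTPS
    # components depend on it and the connection will not come up if any profile is off.
    $profiles = Get-NetFirewallProfile
    $off = @($profiles | Where-Object { -not $_.Enabled })
    Add-Check 'Firewall enabled on all profiles' ($off.Count -eq 0) `
        (($profiles | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ', ')

    # IPv6 has to be bound (enabled) on an adapter; it does not need a configured IPv6 address.
    $v6 = @(Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object { $_.Enabled })
    Add-Check 'IPv6 bound on at least one adapter' ($v6.Count -gt 0) (($v6.Name) -join ', ')

    # DA clients must be domain members (the server will be a DC in this walkthrough).
    $cs = Get-CimInstance Win32_ComputerSystem
    Add-Check 'Domain joined' $cs.PartOfDomain $cs.Domain

    # Clients: Enterprise or Education only. Server SKUs pass so this also runs on the DA server.
    $os = Get-CimInstance Win32_OperatingSystem
    Add-Check 'Supported edition' ($os.Caption -match 'Enterprise|Education|Server') $os.Caption

    # Static IPv4 address (PrefixOrigin Manual). Required on the server; informational on clients.
    $static = @(Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.PrefixOrigin -eq 'Manual' })
    Add-Check 'Static IPv4 address present' ($static.Count -gt 0) (($static.IPAddress) -join ', ')

    return $checks
}

Test-DirectAccessPrereq | Format-Table -AutoSize
```

Any row with Pass = False is something to fix before you touch the Remote Access wizard; the Detail column tells you which profile, adapter or address failed the check.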
Set a static IP for your server:
Make sure to reserve your server’s IP in the DHCP scope if you run DHCP for other devices
Configure DDNS for your router’s public IP:
There are lots of free DDNS providers out there, I went with “no-ip”
By registering a DDNS record, you create a hostname equivalent of your router’s public IP, and by configuring the router later, the record will stay updated whenever the ISP issues you a new public IP
My router only supports two DDNS providers; you could flash your router with DD-WRT to open up more options. Enter the hostname, username and password you registered with your account
My server sits behind a router, so in order to reach it I’ll have to forward traffic to it. Setting up port forwarding is simple if you know the correct port numbers: in order for Direct Access to work, 41, 443, and 3544 need to be forwarded to your server. Here are some details about what these ports are used for: DA and NAT
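Once the DDNS record and the forwards are in place you will want to confirm them from the outside before blaming the server. The following is an added example (not from the original post) to run from a machine outside your network, for instance a laptop on a phone hotspot; the hostname is a placeholder. Note that Test-NetConnection probes TCP only, so it can verify 443 (IP-HTTPS, the transition technology that works through a NAT); 3544 is UDP (Teredo) and 41 is an IP protocol number (6to4), not a TCP port, so those two cannot be checked this way.

```powershell
# Added example, not from the original post: external reachability check for the DA edge.
# Run from OUTSIDE your network. The FQDN is a placeholder for your DDNS hostname.

function Test-DirectAccessEdge {
    param([Parameter(Mandatory)][string]$Fqdn)

    # A missing or stale A record means the router is not updating the DDNS provider.
    $records = @(Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop | Where-Object { $_.Type -eq 'A' })
    $publicIp = if ($records.Count -gt 0) { $records[0].IPAddress } else { $null }

    # IP-HTTPS rides on TCP 443; this is the one forward Test-NetConnection can prove.
    $https = Test-NetConnection -ComputerName $Fqdn -Port 443 -WarningAction SilentlyContinue

    $hint = if ($https.TcpTestSucceeded) {
        'TCP 443 reachable; IP-HTTPS can be attempted'
    } else {
        'Check the 443 forward on the router and the DA server firewall'
    }

    [pscustomobject]@{
        Fqdn       = $Fqdn
        ResolvesTo = $publicIp
        Tcp443Open = $https.TcpTestSucceeded
        Hint       = $hint
    }
}

Test-DirectAccessEdge -Fqdn 'da-lab.ddns.example' | Format-List
```

If ResolvesTo is empty or shows an old address, fix the DDNS update on the router first; if it resolves but Tcp443Open is False, the problem is the forward or the server-side firewall, not DNS.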
Now that you have taken care of the networking and your server can be reached from the Internet, it’s time to deploy the proper roles and features on your server. I’m running Server 2012 R2.
Active Directory and Remote Access:
Active Directory Domain Services are needed because you need to create a domain, and Direct Access clients need to belong to a domain first. Go to “Add roles and features”
Role based, Next>
Pick the server you want to install the services on, Next>
Select “Active Directory Domain Services” and “Remote Access”
Add default features, Next>
Remote Access overview
Select “DirectAccess and VPN (RAS)”
Active Directory overview
The wizard will prompt you to add the IIS role; it is required for AD and DA
Again, add default features for IIS
Confirmation page on the roles and services you are about to install
Finish the installation and close the wizard
For Active Directory, add a new forest and name the domain
Set a DSRM password and leave everything else at default
This DNS warning is common and can be safely ignored
Verify the NetBIOS domain name, Next>
Leave at default, Next>
Review the configurations
After checking prerequisites, save configurations and close the wizard
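If you would rather script the role installation and forest promotion than click through the screens above, here is an added example (not from the original post) that does the same thing in PowerShell. The domain name, NetBIOS name and DSRM password are placeholders for your own values, and the server reboots when the promotion finishes, exactly as it does after the wizard.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: the roles and features the wizard installs,
# followed by the "add a new forest" promotion. Domain and NetBIOS names are placeholders.

# "Active Directory Domain Services", "Remote Access" with its "DirectAccess and VPN (RAS)"
# role service, and IIS (which the wizard adds on its own). -IncludeManagementTools brings in
# the consoles and PowerShell modules (ADDSDeployment, RemoteAccess) used below and later.
Install-WindowsFeature -Name AD-Domain-Services, RemoteAccess, DirectAccess-VPN, Web-Server `
    -IncludeManagementTools

# Directory Services Restore Mode password: prompt for it rather than hard-coding it in a script.
$dsrm = Read-Host -Prompt 'DSRM (Directory Services Restore Mode) password' -AsSecureString

# New forest with DNS on the DC (the wizard default). The DNS delegation warning the post
# mentions shows up here too and is harmless for a brand-new forest. -Force skips the confirm
# prompt; the server reboots when this returns.
Install-ADDSForest -DomainName 'corp.example.local' -DomainNetbiosName 'CORP' `
    -SafeModeAdministratorPassword $dsrm -InstallDns -Force
```

Run Get-WindowsFeature RemoteAccess, AD-Domain-Services after the reboot if you want to confirm both roles show Install State "Installed" before moving on to the Remote Access post-deployment configuration.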
For the Remote Access post-deployment configurations, select “Deploy DirectAccess only”
Select the option that’s appropriate for your environment. If you have a server with multiple NICs and at least one public-facing IP address, choose between the first two options; in my case, the server is behind an edge device with a single network adapter. In the blank, fill in the DDNS FQDN configured earlier.
Before applying the settings, you can modify GPO settings if you wish
The default DA GPO settings will be applied to all domain clients; you can apply them to different groups if you wish. I left mine at default because there is only one domain client in my environment
Apply the settings
Creating domain users and adding them to appropriate groups:
Now that you have added and configured the AD and DA roles, create some domain users. Go to “Tools” > “Active Directory Users and Computers”
The “Domain Computers” group is automatically created
Create a new user and set a password
Add the new user to the “Domain Computers” group, or any customized groups you wish to use
Remote Access Management Console:
You can further configure the DA service with the Remote Access Management Console
Edit the client settings
Some of these settings were set by the getting started wizard
Enabling DA for mobile computers only will stop clients on the intranet from connecting to the DA server. Enabling force tunneling will direct both internal and external traffic to the DA server’s network; if it is not enabled, external traffic will go through the LAN the client is currently connected to. Configure based on your needs
You can also name your DA connection.
The Remote Access server and infrastructure server settings can be left at default, unless you wish to configure a PKI and certificates.
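The “Deploy DirectAccess only” wizard, the user and group creation, and the client settings from the Remote Access Management Console all have PowerShell equivalents, so here they are together as one added example (not from the original post). It runs on the DA server after the reboot that follows domain promotion. The DDNS FQDN, the group, computer and user names, and the adapter name are placeholders; the distinguished names assume the domain was created as corp.example.local. Instead of leaving the GPO scoped to all Domain Computers, the example scopes it to a dedicated security group, which is the least-privilege way to decide which machines receive the DirectAccess policy.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: DirectAccess deployment and client policy as
# PowerShell. Runs on the DA server. All names below are placeholders for your environment.
Import-Module RemoteAccess, ActiveDirectory

$daFqdn    = 'da-lab.ddns.example'      # the DDNS hostname the router forwards to this server
$daGroup   = 'DirectAccess Clients'     # security group that scopes the DA client GPO
$daClient  = 'WIN10-CLIENT'             # computer account of the test client VM
$usersPath = 'CN=Users,DC=corp,DC=example,DC=local'   # default Users container of corp.example.local

# A dedicated group: a machine gets the DirectAccess policy only when you add it here,
# rather than every computer in the domain receiving it.
New-ADGroup -Name $daGroup -GroupScope Global -GroupCategory Security -Path $usersPath
Add-ADGroupMember -Identity $daGroup -Members (Get-ADComputer -Identity $daClient)

# The "create a new user and set a password" step.
$pw = Read-Host -Prompt 'Password for da.tester' -AsSecureString
New-ADUser -Name 'da.tester' -SamAccountName 'da.tester' -Path $usersPath `
    -AccountPassword $pw -Enabled $true

# Single-NIC server behind an edge router: -DeployNat declares the NAT topology and both
# interface parameters name the one adapter. Rename 'Ethernet' to match Get-NetAdapter.
Install-RemoteAccess -DAInstallType FullInstall -ConnectToAddress $daFqdn `
    -InternalInterface 'Ethernet' -InternetInterface 'Ethernet' -DeployNat -Force

# Client settings from the console: scope to the group; mobile computers only is Disabled
# because the test client is a VM (set Enabled once only laptops should get DA); force
# tunneling Disabled keeps Internet-bound traffic on the client's local connection.
Set-DAClient -SecurityGroupNameList "CORP\$daGroup" -OnlyRemoteComputers Disabled `
    -ForceTunnel Disabled

# Review the deployment summary and the resulting client policy.
Get-RemoteAccess
Get-DAClient
```

Set-DAClient replaces the security group list rather than appending to it, so after this runs the default Domain Computers scope is gone and only members of the new group pick up the DirectAccess client GPO.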
DA Client Configurations:
The beauty of Direct Access is that it requires little user intervention on the client side once properly set up: simply join the client computer to your domain and log in as an authorized user, and the DA connection will happen automatically
I’ve made a Windows 10 Edu virtual machine and joined it to the domain to test the DA deployment. Remember, Windows Pro and Home are not supported
Make sure the client and server are in the same namespace; you can change the DNS address after you’ve joined the domain
At this point, test your DA deployment by creating some shared resources with the proper GPO settings and see if your client can access them from the Internet
Log in as a domain user
You should see a Direct Access connection on the bottom right
And there is my shared folder
Tip: if you are having connection issues and port forwarding is set up correctly, try running “gpupdate” in a command prompt on the client computer
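When the icon does not show a connection, the client itself can tell you whether the policy ever arrived and whether the IP-HTTPS tunnel came up. This added example (not from the original post) gathers those three things in an elevated PowerShell on the domain-joined Windows 8/10 client; the cmdlets belong to the built-in DirectAccessClientComponents, NetworkTransition and DnsClient modules. It applies the gpupdate tip only when the client has no NRPT rules, which is the symptom of the DA GPO not having applied.

```powershell
# Added example, not from the original post: client-side DirectAccess health check.
# Run elevated on the domain-joined client.

function Get-DAClientHealth {
    # What the tray icon reports (ConnectedRemotely, ConnectedLocally, Error ...) plus a reason code.
    $conn = Get-DAConnectionStatus

    # Behind a NAT only IP-HTTPS (TCP 443) can carry the tunnel; State should read Active.
    $iphttps = Get-NetIPHttpsState

    # NRPT rules are delivered by the DA client GPO. An empty table means the policy never
    # applied, so the client does not even know which names belong to the intranet.
    $nrpt = @(Get-DnsClientNrptPolicy)

    [pscustomobject]@{
        Status           = $conn.Status
        Substatus        = $conn.Substatus
        IpHttpsState     = $iphttps.State
        IpHttpsLastError = $iphttps.LastErrorCode
        NrptRules        = $nrpt.Count
    }
}

$health = Get-DAClientHealth
$health | Format-List

if ($health.NrptRules -eq 0) {
    # The DA settings live in computer policy, so refresh that side and re-check.
    gpupdate /target:computer /force
    Get-DAClientHealth | Format-List
}
```

A client that shows NRPT rules but an IP-HTTPS state other than Active points back at the edge (the 443 forward or the server certificate), while a client with zero NRPT rules even after the refresh is usually not in the security group the DA GPO is scoped to.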
The PKI and certificate content will be on another page; this post is getting way too long…