How DirectAccess Works
When a client provisioned for DirectAccess is outside of the corporate network, it will automatically attempt to establish a secure remote connection to the DirectAccess server over the Internet. The DirectAccess connection takes place at the machine level and requires no user interaction. Most commonly, the DirectAccess client will be on the IPv4 Internet, so an IPv6 transition technology will be selected and a tunnel will be established with the DirectAccess server.
Inside the IPv6 transition tunnel, authenticated and encrypted IPsec tunnels are established between the client and the server. It is over these tunnels that communication to resources on the corporate network takes place. The DirectAccess IPsec tunnels are defined as Connection Security Rules (CSR) in the Windows Firewall with Advanced Security on both the DirectAccess client and the server.
DirectAccess supports only domain-joined clients whose operating system includes DirectAccess support.
The following server operating systems support DirectAccess.
- You can deploy all versions of Windows Server 2016 as a DirectAccess client or a DirectAccess server.
- You can deploy all versions of Windows Server 2012 R2 as a DirectAccess client or a DirectAccess server.
- You can deploy all versions of Windows Server 2012 as a DirectAccess client or a DirectAccess server.
- You can deploy all versions of Windows Server 2008 R2 as a DirectAccess client or a DirectAccess server.
The following client operating systems support DirectAccess.
- Windows 10 Enterprise
- Windows 10 Enterprise 2015 Long Term Servicing Branch (LTSB)
- Windows 8 and 8.1 Enterprise
- Windows 7 Ultimate
- Windows 7 Enterprise
DirectAccess vs. VPN
- VPN connections are user initiated and therefore optional. It is up to the user to decide when they want to connect to the corporate network. By comparison, DirectAccess is seamless and transparent in nature, is completely automatic, and requires no user interaction to establish a connection.
- Many VPN protocols aren’t firewall friendly, which can impede the successful establishment of a VPN connection. DirectAccess can establish its secure remote connection using HTTPS, which is commonly allowed through most firewalls.
- VPNs often require investments in proprietary hardware and per-user licensing. DirectAccess can be deployed on existing virtual infrastructure and does not require additional user licensing.
- Proprietary software is commonly required to leverage all of the features provided by VPN solutions. This software must be deployed and managed by IT administrators. DirectAccess requires no additional third-party software to be installed. All settings for DirectAccess are managed through Group Policy Objects (GPOs) in Active Directory.
- Because a VPN connection can be established from any client machine with the VPN client software, integration with a multifactor authentication solution becomes an essential requirement, which makes the solution more complex and difficult to support. A DirectAccess connection can only be established from a client computer that has been provisioned for DirectAccess by IT, reducing the need to employ strong authentication for DirectAccess connections.
Windows Server 2016 and DirectAccess should be installed on a dedicated physical server for optimum performance. However, Windows Server 2016 and DirectAccess can be installed on a virtual machine hosted on any Microsoft Server Virtualization Validation Program (SVVP) validated hypervisor, including Microsoft Hyper-V, VMware, and many others. It is recommended that the server (physical or virtual) be provisioned with a minimum of four processor cores, 8GB of RAM, and 60GB of hard disk space.
For more information, see: https://docs.microsoft.com/en-us/windows-server/remote/remote-access/directaccess/directaccess-deployment-paths-in-windows-server
For this demo, I will be using 3 VMs: 2 Windows Server 2016 VMs and 1 Windows 10 client VM, all running in Hyper-V.
Infrastructure requirements (based on an isolated environment; they might differ in a real production implementation):
- 1 Domain Controller Server (DC-CLOUD)
- 1 Member Server (SUB-01)
- 1 Client PC running Windows 10 (CLIENT-10)
01 – Let's verify the network configuration for all our VMs (Please Refer to the Pictures)
1 – Open Network Connections by pressing Window Key + X and clicking Network Connections.
2 – Rename the network connections intuitively so they can be quickly identified in the future. Renaming them Internal and External should be sufficient. Network adapters can be renamed by right-clicking them and choosing Rename or by simply highlighting a network adapter and pressing.
3 – To configure the Internal network interface, right-click the Internal network connection and choose Properties. Highlight Internet Protocol Version 4 (TCP/IPv4) and then click Properties. Provide an IPv4 address and a subnet mask. DO NOT specify a default gateway! Provide the IP addresses for DNS servers on the corporate LAN as necessary.
02 – External Interface
1 – To configure the External interface, right-click the External adapter and choose Properties. Highlight Internet Protocol Version 4 (TCP/IPv4) and then click Properties. Provide an IPv4 address, subnet mask, and default gateway. DO NOT specify any DNS servers.
2 – Click Advanced. If Teredo support is required, click Add under the IP addresses section and specify the next consecutive public IPv4 address and subnet mask.
3 – Select the DNS tab and uncheck the box next to Register this connection’s addresses in DNS.
4 – Select the WINS tab and uncheck the box next to Enable LMHOSTS lookup. In addition, in the NetBIOS setting section select the option to Disable NetBIOS over TCP/IP.
Note : As the External network interface is public facing and connected to an untrusted network (public Internet or perimeter/DMZ network), it is recommended that all protocols and services other than IPv4 and IPv6 be disabled to reduce the attack surface of the DirectAccess server.
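The interface rules from steps 01 and 02 can also be applied and checked from PowerShell. The script below is an added example, not part of the original walkthrough; it assumes the adapters were renamed Internal and External as described above and that it is run elevated on the DirectAccess server.

```powershell
# Added example (not from the original article). Run elevated on the DirectAccess server.
# Assumes the adapters were renamed 'Internal' and 'External' as in step 01.
$ext  = 'External'
$keep = 'ms_tcpip', 'ms_tcpip6'   # IPv4 and IPv6 are the only bindings left enabled

# Disable every other enabled binding (Client for Microsoft Networks, file sharing, LLDP, ...).
Get-NetAdapterBinding -Name $ext |
    Where-Object { $_.Enabled -and $_.ComponentID -notin $keep } |
    ForEach-Object { Disable-NetAdapterBinding -Name $ext -ComponentID $_.ComponentID }

# Do not register the public address in DNS.
Set-DnsClient -InterfaceAlias $ext -RegisterThisConnectionsAddress $false

# Disable NetBIOS over TCP/IP on this adapter (2 = disabled).
$idx = (Get-NetAdapter -Name $ext).ifIndex
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "InterfaceIndex = $idx" |
    Invoke-CimMethod -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = [uint32]2 } |
    Out-Null

# LMHOSTS lookup is a machine-wide NetBT switch, not a per-adapter one.
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' `
    -Name EnableLMHOSTS -Value 0

# Audit: report anything that contradicts the interface rules in steps 01 and 02.
$findings = @()
if (Get-NetAdapterBinding -Name $ext |
        Where-Object { $_.Enabled -and $_.ComponentID -notin $keep }) {
    $findings += 'External: bindings other than IPv4/IPv6 are still enabled'
}
if ((Get-DnsClientServerAddress -InterfaceAlias $ext -AddressFamily IPv4).ServerAddresses) {
    $findings += 'External: DNS servers are configured'
}
if ((Get-NetIPConfiguration -InterfaceAlias 'Internal').IPv4DefaultGateway) {
    $findings += 'Internal: a default gateway is configured'
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { 'Interface checks passed.' }
```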
03 – Creating DirectAccess OU & Group in Active Directory
~*~ You need to create the OU & Group because we are going to add CLIENT-10 to this group so that the client can have a DirectAccess connection. ~*~
1 – Create a new OU – In the New Object – Organizational Unit dialog box, in the Name box, type “DirectAccess Clients”, and then click OK.
2 – In the Active Directory Users and Computers console, expand, right-click DirectAccess Clients OU, click New, and then click Group.
3 – In the New Object – Group dialog box, in the Group name box, type DA Clients.
4 – Next, right-click DA Clients, and then click Properties.
5 – In the DA Clients Properties dialog box, click the Members tab, and then click Add and then click Object Types.
6 – Next, click Computers check box, and then click OK.
7 – In the Enter the object names to select (examples) box, type CLIENT-10, and then click OK.
8 – Verify that CLIENT-10 is displayed under Members, and then click OK.
04 – Installing the Remote Access server role
1 – Open Server Manager, click Add Roles and Features. (Please Refer to the Pictures)
2 – On the Before You Begin page, click Next.
3 – On the Select installation type page, click Next.
4 – On the Select destination server page, click Next.
5 – On the Select server roles page, click Remote Access, and then click Next.
6 – On the Select Features page, click Next.
7 – On the Remote Access page, click Next.
8 – On the Select role services page, click DirectAccess and VPN (RAS). In the Add Roles and Features Wizard dialog box, click Add Features, and then verify that DirectAccess and VPN (RAS) is selected.
9 – On the Select role services page, click Next.
10 – On the Confirm installation selections page, click Install.
11 – When the installation completes, click Close.
05 – Configure DirectAccess by running the Getting Started Wizard (Please Refer to the Pictures)
1 – Open Server Manager, click Tools, and then click Remote Access Management.
2 – In the Remote Access Management console, under Configuration, click DirectAccess and VPN, and then click Run the Getting Started Wizard.
3 – In the Getting Started Wizard, on the Configure Remote Access page, click Deploy DirectAccess only.
4 – On the Network Topology page, verify that Edge is selected, in the Type the public name or IPv4 address used by clients to connect to the Remote Access server text box, type 126.96.36.199, and then click Next.
5 – In the Configure Remote Access interface, click the here link.
6 – On the Remote Access Review interface, verify that two GPOs are created, DirectAccess Server Settings and DirectAccess Client settings, and then next to Remote Clients, click Change.
7 – Next, select Domain Computers (Windows\Domain Computers), and then click Remove.
8 – Next, on the same interface, click Add, and then type DA Clients, and then click OK.
9 – Make sure you clear the Enable DirectAccess for mobile computers only check box, and then click Next.
10 – On the DirectAccess Client Setup interface, click Finish.
DirectAccess connection name: NewHelpTech connection
11 – On the Remote Access Review interface, verify that Windows\DA Clients is listed under Remote Clients and then click OK.
12 – On the Configure Remote Access page, click Finish and wait for the configuration to finish.
13 – In the Applying Getting Started Wizard Settings dialog box, verify that the configuration was successful, and then click Close.
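The group creation in step 03 and the client scoping in step 05 (items 6 to 9) decide which computers receive the DirectAccess client GPO, so they are worth scripting and re-checking. The following is an added example, not part of the original walkthrough; it assumes it is run elevated on SUB-01 after the wizard has finished, that the ActiveDirectory PowerShell module (RSAT-AD-PowerShell) is installed there, and that the group is a Global security group (the GUI default).

```powershell
# Added example (not from the original article). Run elevated on SUB-01 after the
# Getting Started Wizard has completed. Assumes the ActiveDirectory module is present.
Import-Module ActiveDirectory
$domain = Get-ADDomain
$ouPath = "OU=DirectAccess Clients,$($domain.DistinguishedName)"

# Step 03: OU, group and membership (each skipped if it already exists).
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'DirectAccess Clients'")) {
    New-ADOrganizationalUnit -Name 'DirectAccess Clients' -Path $domain.DistinguishedName
}
if (-not (Get-ADGroup -Filter "Name -eq 'DA Clients'")) {
    New-ADGroup -Name 'DA Clients' -GroupScope Global -GroupCategory Security -Path $ouPath
}
if ((Get-ADGroupMember -Identity 'DA Clients').Name -notcontains 'CLIENT-10') {
    Add-ADGroupMember -Identity 'DA Clients' -Members (Get-ADComputer 'CLIENT-10')
}

# Step 05, items 6-9: the client GPO must apply to DA Clients only.
$scope = (Get-DAClient).SecurityGroupNameList

# Add the dedicated group first so the scope is never empty.
if (-not ($scope -like '*\DA Clients')) {
    Add-DAClient -SecurityGroupNameList "$($domain.NetBIOSName)\DA Clients"
}
# Remove Domain Computers, using the exact name the cmdlet reported.
$scope -like '*\Domain Computers' |
    ForEach-Object { Remove-DAClient -SecurityGroupNameList $_ }

# Equivalent of clearing "Enable DirectAccess for mobile computers only".
Set-DAClient -OnlyRemoteComputers 'Disabled'

# Final state: expect only DA Clients and OnlyRemoteComputers = Disabled.
Get-DAClient | Format-List SecurityGroupNameList, OnlyRemoteComputers
```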
06 – DirectAccess connectivity to Client Windows 10 (Please Refer to the Pictures)
Verify DirectAccess Group Policy configuration settings for Windows 10 clients
1 – Switch to CLIENT-10.
2 – Restart CLIENT-10, and then sign in again as Windows\Administrator with the password of [email protected]
3 – Open a Command Prompt window, and then type the following commands, pressing Enter at the end of each line:
Verify that the DirectAccess Client Settings GPO is displayed in the list of Applied Policy objects for the Computer Settings. Close the Command Prompt window.
Move the client computer to the Internet virtual network (Please Refer to the Pictures)
1 – Open Network Connections by pressing Window Key + X and clicking Network Connections.
2 – In the Network Connections window, right-click Internal, and then click Disable.
3 – Right-click External, and then click Enable.
4 – Open the External IPv4 to verify the IP settings.
Verify connectivity to the DirectAccess server
1. On CLIENT-10, open a command prompt, type the following command, and then press Enter:
Notice the IPv6 address that starts with 2002. This is an IP-HTTPS address.
2 – At the command prompt, type the following command, and then press Enter:
Netsh name show effectivepolicy
3 – Click Start, and then click Settings
4 – In Settings, select Network & Internet, and then click DirectAccess.
5 – Verify that Your PC is set up correctly for single-site DirectAccess is displayed under Location.
Notice the Collect button under Troubleshooting info
2 – Next, in the CLIENT-10, open PowerShell and type :
~*~ this command just to get the DirectAccess client settings ~*~
3 – Now, it's time for us to test the DirectAccess connectivity.
~*~ In CLIENT-10, open IE and then type : http://www.Windows.ae ~*~
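The client-side checks in section 06 (GPO applied, IP-HTTPS tunnel up, name resolution policy in effect, IPsec tunnels established) can be collected in one pass. The script below is an added example, not the commands from the original walkthrough; it assumes an elevated PowerShell session on CLIENT-10 while the client is on the external network.

```powershell
# Added example (not from the original article). Run elevated on CLIENT-10 while it
# is connected to the external network.
$report = [ordered]@{}

# Is the client GPO applied to the computer?
$report['ClientGpoApplied'] = [bool](gpresult /R /SCOPE COMPUTER |
    Select-String 'DirectAccess Client Settings')

# Overall DirectAccess state. Outside the corporate network the expected value
# is ConnectedRemotely; Error or ActionableError needs investigation.
$da = Get-DAConnectionStatus
$report['DAStatus']    = $da.Status
$report['DASubstatus'] = $da.Substatus

# IP-HTTPS transition tunnel: server URL pushed by the GPO and last error (0x0 = none).
$report['IpHttpsUrl']       = (Get-NetIPHttpsConfiguration).ServerURL
$report['IpHttpsLastError'] = (Get-NetIPHttpsState).LastErrorCode

# Name Resolution Policy Table rules currently in effect
# (the PowerShell view of 'netsh namespace show effectivepolicy').
$report['NrptNamespaces'] = (Get-DnsClientNrptPolicy -Effective).Namespace -join ', '

# IPsec main-mode security associations; zero means no DirectAccess tunnel is up.
$report['IPsecMainModeSAs'] =
    @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue).Count

# Connection name and the probes the client uses to decide it is connected.
Get-DAClientExperienceConfiguration | Format-List FriendlyName, CorporateResources

[pscustomobject]$report | Format-List
```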
DirectAccess Server (SUB-01) : Monitoring DirectAccess connectivity
1 – Click Remote Client Status, and then in the central pane, review the information under the Connected Clients list.
Close the Remote Access Management Console
Common Issues and Troubleshooting Tips
|Common Issue|Troubleshooting Tip|
|You have configured DirectAccess, but users are complaining about connectivity issues. You want an efficient way to troubleshoot their issues.|Basic troubleshooting is integrated in the Network Connectivity assistance, so educate users how to access it and to determine what is preventing the client computer from communicating with the|
|The DirectAccess client tries to connect to the DirectAccess server by using IPv6 and IPsec with no success.|If you are using Teredo as the IPv6 transition technology, verify whether you have two public addresses on the external network adapter of the DirectAccess server. This is required for establishing|
That’s all for now.