DirectAccess Configuration, Tips, Tricks, and Best Practices
Rand Morimoto, Ph.D., MCITP, CISSP
Author, “Windows 2008 R2 Unleashed”
President, Convergent Computing
WSV404
How Today’s Session is Structured
This is a Level 400 session, so NO marketing fluff!
I will jump right into the installation / configuration of DirectAccess, and will be stopping at key points in the installation process where extra tips, tricks, and clarifications are commonly needed.
Demo Guide and Deployment WhitePaper:
http://www.cco.com/portals/0/downloads/WSV404-DirectAccessDemos-Morimoto.pdf
http://www.cco.com/portals/0/downloads/WSV404-DirectAccessDeploymentGuide-Morimoto.pdf
Assumptions
You have a good command of Active Directory Group Policies
You have a good familiarity with navigating through Windows Control Panel and Networking
You have a conceptual knowledge of DNS, IPsec, and IPv6 (I will expand your understanding of these technologies in this session. This is where most implementers get hung up when deploying DirectAccess…)
DirectAccess – Background Slide
[Diagram: a DirectAccess Client (Windows 7) reaches the DirectAccess Server (Server 2008 R2) across the Internet using Native IPv6, 6to4, Teredo, or IP-HTTPS (tunneled over IPv4 UDP, HTTPS, etc.), with the traffic encrypted by IPsec+ESP]
Understanding IPv6
DirectAccess uses IPv6 for its routing mechanism; for background, take a look at my 8-part blog post on Understanding IPv6:
http://www.networkworld.com/community/morimoto
Create / utilize a consistent IPv6 addressing configuration for DirectAccess clients and the DirectAccess (or UAG) host server(s)
Make sure the Win7 DirectAccess client systems can successfully “ping” and access the DirectAccess server over IPv6 (if you get a “Transmit Failure” error, DirectAccess won’t work; the simple fix is addressed in my blog posts)
My Implementation Environment
Active Directory 2008 SP2 or Active Directory 2008 R2 Domain Controller
Active Directory Certification Authority
A Windows 2008 R2 Server running the DirectAccess feature
A Windows 7 Enterprise or Ultimate client system
(An application server in my internal network)
My Implementation Environment (cont.)
Config #1: End-to-Edge Access Model
For end-to-edge protection, DirectAccess clients establish an IPsec session to an IPsec gateway server (which by default is the same computer as the DirectAccess server). The IPsec gateway server then forwards unprotected traffic, shown in red on the slide, to application servers on the intranet. This architecture works with any IPv6-capable application server but does not require that server to run IPsec, simplifying the configuration and setup.
Config #2: End-to-Edge with End-to-End IPSec Model
For end-to-edge with end-to-end IPsec protection, DirectAccess clients establish an IPsec session to an IPsec gateway server, and that IPsec traffic continues all the way to the intranet server for end-to-end IPsec protection. This architecture provides better security than the end-to-edge model alone.
Config #3: End-to-End IPSec Access Model
With end-to-end IPsec protection, DirectAccess clients establish an IPsec session through the DirectAccess server to each application server to which they connect. This provides the highest level of security because you can configure access control on the DirectAccess server and extend IPsec all the way to the internal server. This architecture requires that application servers run Windows Server 2008 SP2 or Windows Server 2008 R2 and use both IPv6 and IPsec.
[Diagram: DirectAccess Server (Server 2008 R2) in front of Line of Business Applications on Windows Server 2008/R2; traffic path labelled IPv6 / IPv4 / IPv6]
Step #1: Enabling IPv6 in the Enterprise
On all internal DCs, run the following from an elevated PowerShell prompt (this sets the DNS global query block list to contain only wpad, so the isatap name created later by the DirectAccess wizard is no longer blocked from resolving):
Dnscmd /config /globalqueryblocklist wpad
Using ISATAP
[Diagram: DirectAccess Server (Server 2008 R2) reaching Line of Business Applications; IPv6 on the client side, IPv4 on the server side, bridged by NAT64 / DNS-ALG for Windows Server 2003 and non-Windows hosts]
– or – Set up NAT64
Step 2: Configuring Network Location Server
Any INTERNAL server running Web services
Create a DNS name (like nls.yourdomain.com)
Associate this new NLS DNS name with an IP address of an internal Web server
NLS tells the DirectAccess clients whether they are “inside” or “outside” of the network. *** Make sure this system is HIGHLY available!!! ***
Step 3: Create Group(s) for the DA Clients
Create a security group (Global or Universal)
Add Win7 client systems into this group
Remember, systems are no longer really part of a “site” as they are now universally roaming systems. So you define the group of systems by policy of what you want the systems to have access to, not where they arbitrarily are.
Step 4: Configuring Windows Firewall for DirectAccess
Allow inbound and outbound ICMPv6 Echo Request messages
Create a Group Policy or configure each system individually
Step 5: Configuring the Network Location Server
Enroll the server with a certificate and configure it for SSL access
Step 6: Certificate Auto-Enrollment
Make sure all systems in the DirectAccess group of client systems have a valid client authentication certificate
Step 7: Installing and Configuring DirectAccess (server)
Add a certificate to the DirectAccess server
Add the DirectAccess feature on the server
Run the DirectAccess setup
Step 8: Finalizing Configurations
Make sure DA client systems are in the DA policy group
Run gpupdate /force on all systems to make sure the new policies have been applied (servers for the firewall policy, clients for the firewall and certificate auto-enrollment policies)
Stop/start the iphlpsvc service on all servers and test to make sure that all systems can resolve the isatap.yourdomain.com DNS entry that was created during the DirectAccess setup wizard (note: the stop/start may not be necessary; the configuration should be picked up and applied after gpupdate is run)
Use ping -6 <ipaddress> to make sure you can ping servers and systems internally
Step 9: Testing DirectAccess (Internally)
With the client system internal, run ipconfig and check to make sure you have a local address
Access a file on a file server or SharePoint using an internal http(s) connection
Step 10: Testing DirectAccess (Externally)
With the client system external, run ipconfig and check to make sure you have an external IP address
Access a file on a file server or SharePoint using an internal http(s) connection
> netsh dns show state (the output is different when inside and outside)
Step 11: Testing DirectAccess (Externally using IP-HTTPS)
Step 10 tested external access using the automatically generated Teredo 2001: address
Now, to verify that external access is working using IP-HTTPS, disable Teredo:
Netsh interface teredo set state disable
Netsh interface httpstunnel show interfaces
Re-access your file server and your Web server with an internal address and see if you still have access, now over IP-HTTPS
Routing IPv6 in an IPv4 World…
[Diagram: Teredo, ISATAP, and Native IPv6; also 6to4 and IP-HTTPS]
6to4: tunnel IPv6 over IPv4
6to4 router derives the IPv6 prefix from the IPv4 address
IPv4 address 207.213.246.1 is represented as cfd5:f601 (convert each octet from decimal to hex)
Its 6to4 address is: 2002:cfd5:f601:0000:0000:0000:cfd5:f601
Automatic tunneling from 6to4 routers or relays
*** BUT: 6to4 does not route through NAT, so any time you are somewhere that happens to be doing IPv4 NAT (which is everywhere!), 6to4 won’t work! ***
[Diagram: 6to4 hosts at 1.2.3.4 (2002:102:304::b…) and 5.6.7.8 (2002:506:708::b…) tunnel to each other over the IPv4 Internet; 6to4 relays at 192.88.99.1 bridge to host C (3001:2:3:4:c…) on the native IPv6 network]
Windows 7 and Server 2008 R2 Teredo
Teredo provides IPv4 NAT traversal capabilities by tunneling IPv6 inside of IPv4 using UDP
Teredo provides IPv6 connectivity when behind an Internet IPv4 NAT device
It is designed to be a universal method for NAT traversal for most types of NAT in use
*** Thus it solves the NAT routing issue that 6to4 has, BUT since Teredo encapsulates inside UDP packets, if you are somewhere that blocks UDP-encapsulated packets (which is pretty much everywhere), then Teredo does not work either ***
ISATAP: IPv6 behind firewall
ISATAP router provides the IPv6 prefix
Host completes the prefix with its IPv4 address
Direct tunneling between ISATAP hosts
Relay through the ISATAP router to local or global IPv6
[Diagram: hosts A and B on a firewalled IPv4 network (behind an IPv4 FW) tunnel via ISATAP to host C on a local “native” IPv6 network (behind an IPv6 FW) and to host D on the IPv6 Internet, across the IPv4 Internet]
ISATAP is a tunneling protocol, so it in itself doesn’t create a client/server relationship
ISATAP merely allows IPv6 communications to tunnel through an IPv4 network
ISATAP is great for site-to-site communications, or client-to-server initiated communications
IP-HTTPS
Microsoft-created protocol (submitted as an RFC)
IPv6 encapsulated within an HTTPS packet (similar to RPC/HTTPS with Outlook for the past decade, where Outlook RPC is encapsulated within an HTTPS packet)
VERY high success rate of communications “anywhere” because it only requires access to an IPv4 network that allows HTTPS traffic (which is basically everywhere)
Requirements
Certificates required
Host must have access to the CRL distribution point
[Diagram: Tunnel IPv6 in HTTPS; an IPv6 / IP-HTTPS host behind a NAT device on the IPv4 Internet reaches the IP-HTTPS server (certificate XXX) on the Intranet, with a Web server hosting the CRL]
DirectAccess Monitoring
Built in to the DirectAccess feature installed on the DA server
Provides server monitoring information on DirectAccess components
Replacing the DirectAccess Server with a UAG Server
[Diagram: Windows 7 client with always-on IPv6 to the DirectAccess Server; UAG extends support to IPv4 servers]
UAG improves adoption and extends access to existing infrastructure
UAG and DirectAccess better together:
1. Extends access to line of business servers with IPv4 support
2. Access for down-level and non-Windows clients
3. Enhances scalability and management
4. Simplifies deployment and administration
5. Hardened edge solution
[Diagram: managed Windows 7 clients use DirectAccess; managed Vista/XP and unmanaged non-Windows and PDA clients use SSL VPN]
UAG provides access for down-level and non-Windows clients
UAG enhances scale and management with integrated LB and array capabilities
UAG uses wizards and tools to simplify deployments and ongoing management
UAG is a hardened edge appliance available in HW and virtual options
Step 7: Installing and Configuring UAG
Same steps as before for Step 1 – Step 6
Add a certificate to the UAG server
Install UAG on the server
Run the UAG DirectAccess setup
Same steps as before for Step 8 – Step 11
Additional Benefits of Having UAG
Windows 7 clients can now access internal servers that do not have IPv6 enabled
Windows XP clients can now do SSL VPN access to secured and encrypted servers
Configuring End-to-End Access
In the UAG or DA Management Console, in the Application Servers box, click Edit and choose “Require end to end authentication and encryption…” (note: e2e authentication inside of the tunnel)
Select the security group that has the Windows 2008 or later servers you want to enable end-to-end protection for
Create policy “groups” of servers by employee roles
Testing End-to-End Access
Check to make sure the remote client still has access to internal servers
Open the Windows Firewall with Advanced Security snap-in
Expand Monitoring / Security Associations, click Quick Mode, and verify that the IPsec session still exists for the application server(s)
Diagnostics
Internet Explorer “Diagnose Problem” button
It has been enhanced to troubleshoot DirectAccess
Networking icon (right-click)
“Troubleshoot problems” option. Supports providing a location. Also has a DirectAccess entry point
Control Panel, Troubleshooting
“Connect to a Workplace using DirectAccess”
Command Prompt (Elevated)
NETSH TRACE START SCENARIO=DIRECTACCESS REPORT=YES CAPTURE=YES
Related Content
Breakout Sessions
WSV403 – “How to Troubleshoot DirectAccess”, Thursday 2:45pm
SIM316 – “Troubleshoot UAG DirectAccess in 45 Minutes Flat”, Wednesday 1:30pm
Hands-on Lab
WSV288-HOL – “Windows Server 2008 R2: Implementing DirectAccess”, TBD