Windows Server 2008 R2 Unleashed (177 page)

908

CHAPTER 24

Server-to-Client Remote Access and DirectAccess

FIGURE 24.32

DirectAccess Server Connectivity Setup.

ptg

NOTE

The DirectAccess Setup Wizard has an informational note that it detected that the

internal network is IPv4-based and will enable IPv6 transition technologies as part of

the setup. The DirectAccess server will be configured as the ISATAP server.

10. Click Next.

11. On the Certificate Components page, for Select the Root Certificate to Which

Remote Client Certificates Must Chain, click Browse. In the list of certificates, click

the companyabc-DC1-CA root certificate, and then click OK.

12. For Select the Certificate That Will Be Used to Secure Remote Client Connectivity

over HTTPS, click Browse. In the list of certificates, click the certificate named IP-

HTTPS, and then click OK. The results are shown in Figure 24.33. Click Finish.

13. In Step 3 Infrastructure Servers, click Configure.

14. On the Location page, click Network Location Server Is Run on a Highly Available

Server, type https://nls.companyabc.com, click Validate, and then click Next. You

should get a green check mark with a Validation Successful message.

15. On the DNS and Domain Controller page (shown in Figure 24.34), note the entry for

the name companyabc.com with the IPv6 address

2002:c9b:a602:1:0:5efe:192.168.3.200. This is the 6to4 IPv6 address for the DC1

domain controller. All DirectAccess client requests to the domain companyabc.com

will be forwarded to this domain controller. The nls.companyabc.com is also listed

with a blank DNS server, which ensures that DirectAccess clients will not forward

the requests to this host.

DirectAccess Scenario

909

24

FIGURE 24.33

DirectAccess Server certificate components.

ptg

FIGURE 24.34

DirectAccess Infrastructure Server Setup for DNS.

NOTE

The blank DNS for the Network Location Service (NLS) is needed so that DirectAccess

clients can use the URL to determine if they are inside the corporate network or on the

Internet. When inside the network, the DirectAccess clients will be able to access the

site. When remote and connected via DirectAccess, the clients will be unable to reach

the site due to the blank DNS entry, although they can reach all other internal resources.

910

CHAPTER 24

Server-to-Client Remote Access and DirectAccess

16. Click Next.

17. On the Management page, if there were internal management servers, such as

Microsoft System Center Configuration Manager 2007 (SCCM) servers that needed to

reach the DirectAccess clients, they would be entered in this portion of the setup.

Leave this blank and click Finish.

18. In Step 4 Application Servers, click Configure.

19. On the DirectAccess Application Server Setup page, leave Require No Additional End-

to-End Authentication.

NOTE

If end-to-end protection were required, Step 4 is where the permitted application servers

would be added. This scenario is doing end-to-edge, so no configuration is needed.

20. Click Finish.

21. Click Save, and then click Finish to launch the configuration wizard.

22. In the DirectAccess Review dialog box, click Apply. The configuration will be applied.

ptg

23. In the DirectAccess Policy Configuration message box, click OK. The configuration

has now been applied. The configuration is stored in %WinDir%\DirectAccess\ in

an XML file named DirectAccessConfig.xml.

There will be two new Group Policy Objects, each named DirectAccess Policy-.

One has security filtering that applies it only to the DirectAccess server by computer name

(DA1$). The other has security filtering that applies it only to the DirectAccess clients in

the DirectAccessClients security group. The DirectAccess server (DA1) and the DirectAccess

clients (WS3) will need to be rebooted or have gpupdate.exe run to have their group poli-

cies applied.

Testing DirectAccess

To test the DirectAccess functionality, the WS3 computer will be added to the

DirectAccessClients computer group. This applies the DirectAccess client group policies.

To add CLIENT1 to the DirectAccess client computers security group, complete the

following steps:

1. On the DC1 domain controller, launch Server Manager.

2. Expand Roles, Active Directory Domain Services, Active Directory Users and

Computers, the domain companyabc.com, and select the container Users.

3. Right-click the group DirectAccessClients and select Properties.

DirectAccess Scenario

911

4. Select the Members tab, and then click the Add button.

5. In the Select Users, Contacts, Computers, or Groups dialog box, click Object Types,

check Computers, and click OK.

6. Under Enter the Object Names to Select (Examples), type WS3, and click OK.

7. Click OK to save.

24

8. Restart the WS3 computer to have the changes take effect.

The DirectAccess group policies will now be in effect on the WS3 computer.

You might need to run gpupdate.exe on the DirectAccess server DA1 to get the group

policies to take effect on it.

On all the internal servers, the commands net stop iphlpsvc and net start iphlpsvc

will need to be run to restart the IP Helper service and have the new ISATAP configuration

be recognized. This includes DC1, SERVER1, and DA1. When the IP Helper service starts,

the systems will resolve the isatap.companyabc.com DNS entry installed by the

DirectAccess setup and will enable their ISATAP interfaces.

NOTE

Of course, many administrators will simply reboot all the systems, which will have the

ptg

same effect as restarting the IP Helper service and applying group policies.

Following the configuration and the restart of the IP Helper service on all the compo-

nents, the IPv6 network should be fully functional. All systems should be able to reach

each other using the IPv6 addresses as well as the IPv4 addresses. If there is a problem

with the IPv6 access, DirectAccess will not function.

NOTE

The ping.exe tool can be used to verify that IPv6 is working. The -6 option forces ping

to use IPv6. The -4 option forces ping to use IPv4. The command to ping a computer

DC1 using IPv6 is ping dc1.companyabc.com -6. The command to ping a computer

DC1 using IPv4 is ping dc1.companyabc.com -4. Each computer should be success-

fully pinged with both commands. This can be a very useful technique when trou-

bleshooting DirectAccess and IPv6.

As shown in the arrows in Figure 24.35, we will test (A) the connection to the internal

network, (B) the connection to the public network, and, finally, (C) the connection to the

home network.

912

CHAPTER 24

Server-to-Client Remote Access and DirectAccess

192.168.3.201

Application Server

192.168.3.211

SERVER1

12.155.166.2

12.155.166.3

12.155.166.1

Internal Network

Public Network

DirectAccess Server

DNS

DA1

ns1.isp.amaris.org

A

B

192.168.3.200

NAT

NLS Server

C

https://nls.companyabc.com

Home Network

AD, DNS, and CA

DirectAccess Client

DC1

WS3

FIGURE 24.35

Testing client connection to networks.

For Test A, the connection to the internal network, execute the following steps:

1. Connect the DirectAccess client WS3 to the internal network.

2. Select Start, enter cmd, and press Enter.

3. At the command prompt, enter ipconfig and press Enter. Figure 24.36 shows that

WS3 has been assigned an IPv4 address (192.168.3.102) on the internal network and

ptg

that an ISATAP address has been automatically generated in the ISATAP tunnel adapter.

FIGURE 24.36

Test A—internal network.

DirectAccess Scenario

913

4. Launch Explorer and access a share on the application server to demonstrate access.

This demonstrates that WS3 is connected to the internal network and is able to access

resources and that the IPv6 transitional technologies are working internally, specifically

ISATAP.

For Test B, the connection to the public network, execute the following steps:

24

1. Connect the DirectAccess client WS3 to the public network.

2. Select Start, enter cmd, and press Enter.

3. At the command prompt, enter ipconfig and press Enter. Figure 24.37 shows that

WS3 has been assigned an IPv4 address (12.155.166.101) on the public network and

that a 6to4 address has been automatically generated with the 6to4 2002: prefix in

the 6to4 tunnel adapter.

ptg

FIGURE 24.37

Test B—public network.

4. Launch Explorer and access a share on the application server to demonstrate access.

This demonstrates that WS3 is connected to the public network and is able to access

resources and that the IPv6 transitional technologies are working publicly, specifically 6to4.

For Test C, the connection to the home network, execute the following steps: