Tuesday, 26 March 2013

[DirectAccess] Part 1: Implementing a Basic DirectAccess configuration with IP-HTTPS on Windows Server 2012 Core

You probably know that DirectAccess is now much easier to install with Windows Server 2012 and Windows 8.

The Web already contains a lot of excellent guides and labs about DirectAccess. In particular, I recommend reading:

In this series, I propose to work through a real case: how to implement DirectAccess at home behind a common Web access. I've got only one public IPv4 address, a poor router (ISP box), one internal LAN... but a Windows Server 2012 infrastructure!!

As proposed by a friend of mine, Yves D., this article could be called "DirectAccess made in Apollo XIII: let's try to reach home with what's to hand." :o)


1. Just a few reminders

In this first part, the goal is only to be able to access my datacenter (OK... my VMs) from my laptop connected to the Internet through my mobile phone. At home, I've got a common Internet access with only one public IPv4 address and one LAN, and my remote access server has only one Ethernet card.

DirectAccess provides 3 protocols for IPv4 on the Internet:
 - 6to4
 - Teredo
 - IP-HTTPS
Unfortunately, 6to4 doesn't work through NAT, and Teredo requires 2 consecutive public IP addresses.

We will use IP-HTTPS to implement our DirectAccess tunnel.

2. Preparing Windows Server 2012 Core

Only one question: why a Core edition?
According to experts, "installing a Core server dramatically reduces the attack surface and can reduce the number of updates to install by up to 70%." I think it's an important point.
Moreover, everything on Windows Server can be done with PowerShell or remotely. That's certainly the right time to test!

Install Windows Server 2012 Core edition normally, choose a password and log on.
Launch a PowerShell console with the command line: start powershell

Assign an IP address. At home, I use addresses like 192.168.XXX.XXX
New-NetIPAddress -IPAddress <ServerIpAddress> -InterfaceAlias <InterfaceName> -PrefixLength 24 -DefaultGateway <GatewayIpAddress>

Set the DNS server
Set-DnsClientServerAddress -InterfaceAlias <InterfaceName> -ServerAddresses <DnsServer1, DnsServer2...>

Rename the server with the cmdlet Rename-Computer -NewName <ComputerName>
Restart the server with Restart-Computer

Join the server to Active Directory with the cmdlet Add-Computer -DomainName <DomainName>
and restart the server with Restart-Computer

Just one question: have you ever configured a server so quickly?
PowerShell is great!!!

Now, we install the Remote Access role. You can add the role from another server with Server Manager.

You can also just type the command
Install-WindowsFeature RemoteAccess -IncludeManagementTools
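The preparation steps above, gathered into one script as an added example (this is not the post's own code). It differs from the post in one point: Add-Computer -NewName renames and joins in a single reboot instead of two. Every value in the param block (interface alias, addresses, names, domain) is a placeholder for a lab and must be adapted.

```powershell
# Added example: prepare a fresh Windows Server 2012 Core box for the Remote Access role.
# Run from an elevated PowerShell console on the server itself. All defaults are placeholders.
param(
    [string]  $InterfaceAlias = 'Ethernet',          # assumed NIC name; check with Get-NetAdapter
    [string]  $ServerIp       = '192.168.100.10',    # placeholder static address for the DA server
    [int]     $PrefixLength   = 24,
    [string]  $Gateway        = '192.168.100.1',     # placeholder ISP box / router
    [string[]]$DnsServers     = @('192.168.100.5'),  # placeholder internal DNS (domain controller)
    [string]  $ComputerName   = 'DA01',              # placeholder server name
    [string]  $DomainName     = 'lab.example'        # placeholder AD domain
)

# Fail fast: a wrong alias would otherwise leave the server without any usable address.
$nic = Get-NetAdapter -Name $InterfaceAlias -ErrorAction Stop
if ($nic.Status -ne 'Up') { throw "Adapter '$InterfaceAlias' is not up." }

# Move the interface to static addressing. New-NetIPAddress refuses to add a second
# default gateway, so drop any DHCP-learned default route and manual address first.
Set-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -Dhcp Disabled
Remove-NetRoute -InterfaceAlias $InterfaceAlias -DestinationPrefix '0.0.0.0/0' `
    -Confirm:$false -ErrorAction SilentlyContinue
Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Where-Object PrefixOrigin -eq 'Manual' |
    Remove-NetIPAddress -Confirm:$false
New-NetIPAddress -IPAddress $ServerIp -InterfaceAlias $InterfaceAlias `
    -PrefixLength $PrefixLength -DefaultGateway $Gateway | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $DnsServers

# A domain join that fails on name resolution is the most common mistake at this stage,
# so check the domain resolves through the DNS servers just configured.
if (-not (Resolve-DnsName -Name $DomainName -Type A -ErrorAction SilentlyContinue)) {
    throw "Cannot resolve '$DomainName' with $($DnsServers -join ', ')."
}

# Rename and join in one step; the server reboots when done.
$cred = Get-Credential -Message "Account allowed to join computers to $DomainName"
Add-Computer -DomainName $DomainName -NewName $ComputerName -Credential $cred -Restart

# After the reboot, install the role locally (or from another server with Server Manager):
#   Install-WindowsFeature RemoteAccess -IncludeManagementTools
```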

I'm sure you love PowerShell now ;o)

3. Prepare your network

Add a record pointing to your public IP address in your public DNS.
For example, on my DNS, I created an A record pointing to my public IP address.

On your router, forward 443/TCP from your public IP address to your server (same port).

Some people say that you also need to forward the 62000/TCP port. That's wrong!
TechNet says:
If you are deploying Remote Access with a single network adapter, and installing the network location server on the Remote Access server, TCP port 62000 should also be exempted.
Note: This exemption is on the Remote Access server, while all other exemptions are on the edge firewall.
OK, that's not really clear! It means that if you have a firewall between your Remote Access server and your internal network (for example if the server is in a DMZ), you have to allow your clients (on the internal network) to reach your DirectAccess server on port 62000/TCP, the port of the network location server. Nothing on the Internet side needs it.
Look at the DirectAccess Server GPO: the inbound rule for port 62000 is a domain profile rule, not a public one!
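A check for the point just made, as an added example (not from the post): run on the DirectAccess server, it lists the inbound firewall rules for 443/TCP and 62000/TCP with their profile, warns if the network location server port is open on anything other than the Domain profile, and confirms the IP-HTTPS listener is bound on 443. The function name Get-DaPortRules is my own.

```powershell
# Added example: verify which profiles expose the IP-HTTPS (443) and NLS (62000) ports.
function Get-DaPortRules {
    param([int[]]$Ports = @(443, 62000))
    foreach ($port in $Ports) {
        # Port filters carry the port; piping them to Get-NetFirewallRule returns the parent rules.
        $rules = Get-NetFirewallPortFilter |
            Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq "$port" } |
            Get-NetFirewallRule |
            Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
        foreach ($r in $rules) {
            [pscustomobject]@{
                Port        = $port
                Rule        = $r.DisplayName
                Profile     = $r.Profile               # Domain / Private / Public / Any
                PolicyStore = $r.PolicyStoreSourceType # GroupPolicy when pushed by the DirectAccess GPO
            }
        }
    }
}

$rules = Get-DaPortRules
$rules | Format-Table -AutoSize

# The NLS port must only be reachable from the internal (domain) network.
$exposed = $rules | Where-Object { $_.Port -eq 62000 -and "$($_.Profile)" -match 'Public|Private|Any' }
if ($exposed) {
    Write-Warning "62000/TCP is allowed on a non-Domain profile by: $($exposed.Rule -join ', ')"
} else {
    Write-Host "62000/TCP rules are Domain-profile only, as the DirectAccess Server GPO defines."
}

# 443/TCP is the only port that must be reachable from the Internet: confirm something listens on it.
$listener = Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue
if (-not $listener) { Write-Warning "Nothing is listening on 443/TCP; IP-HTTPS will not work." }
else { $listener | Select-Object LocalAddress, LocalPort, OwningProcess }
```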

4. Configure the Remote Access role for Direct Access

The goal is now to install DirectAccess as simply as possible. In the next parts, we will improve the configuration.

Connect to a Windows Server 2012 or a Windows 8 computer and open Server Manager.
On Windows 8, you need to install the Remote Server Administration Tools (RSAT).

Right-click All Servers and select Add Servers

Add your Remote Access server

Select the Remote Access node
Right-click the server and select Remote Access Management

Note: on Windows Server 2012, if you don't see Remote Access Management, you need to install the corresponding administration tools: simply add the Remote Access Management Tools feature on the server you are connected to.

Now that the Remote Access console is open, click Run the Getting Started Wizard

Select Deploy DirectAccess only

Select Behind an edge device (with a single network adapter)
Provide the public DNS name of your remote access server (the name you registered in your public DNS in the 2nd step). You can also provide your public IP address.

You can click Finish directly. However, I recommend modifying certain settings.
Click on "here" to edit the wizard settings

Settings will be published to servers and clients with two GPOs.
I recommend limiting the scope of the client GPO with a dedicated security group.
In the Remote Clients section, click Change

Create and provide a security group that will contain the DirectAccess clients.
Unselect Enable DirectAccess for mobile computers only
Click Next

You can provide custom information for the helpdesk email address and the DirectAccess connection name
Click on Finish

Click on Finish

GPO and settings are applied
Click on Close

5. Configuration Overview

DirectAccess is now configured on the server and client sides.

Here is what I get on the different configuration panels:

Remote Clients:

Remote Access Server:

Infrastructure Servers:

Note: if you have WSUS or SCCM servers, they will be automatically added to the previous panel. In a lab, you can remove them if they are not always turned on and if you want to prevent alerts in the DirectAccess dashboard.

6. Tests with client

Add your test computer account to the DirectAccess client security group

Connect your test computer to your internal network and force policy refresh (gpupdate /force).
In the network panel, you should see a new connection with a specific icon. DirectAccess is not enabled because you're already connected to your internal network.

Connect your test computer to an external network. The DirectAccess client detects that you are not on the internal network and tries to contact the DirectAccess server.

For your information, here is the network configuration of my test computer.

After a short while (it can take up to 2 minutes; we will improve that in the 2nd part), my DirectAccess connection is connected.

I can access the shares of my domain controller

If I try to ping my domain controller, I see that it uses an IPv6 address, even though I never configured IPv6 on that server. In the 3rd part of this series, dedicated to troubleshooting, I will provide more information about that IPv6 address.

You don't have to configure or support IPv6 in your internal lab.
I can even contact my NAS, which supports only IPv4

In the Remote Access Management Console, under Remote Client Status, you get all the information about the clients currently connected.
In this case, my client is connected with the IP-HTTPS protocol. Users and computers are authenticated with Kerberos.

In the next parts, I will show you how we can improve that configuration.

See you soon
