Friday, March 29, 2013

[DirectAccess] Part 2: Reporting and Optimizing IP-HTTPS connections

In part 1 of this series, we configured DirectAccess for IP-HTTPS connections in a simple (home) environment: one public IPv4 environment, a poor router (ISP box), one internal LAN and a Remote Access server that runs Windows Server 2012 Core.

Everything works fine, and my client computer can join my internal network from the Internet through a DirectAccess tunnel using the IP-HTTPS protocol.

We can now move on to more advanced concepts. In this part, I propose to get reports on DirectAccess connections and to improve IP-HTTPS connection times.


PART 2: REPORTING AND OPTIMIZING IP-HTTPS CONNECTIONS


1. Enable Reporting

In the Remote Access console, select the Reporting node
Click on Configure Accounting


Select Use inbox accounting
You can configure the log retention period
Click on Apply


Reporting is now enabled
You only have to define the reporting period and click on Generate Report to get information about previous connections.


In the next parts, I will show you some use cases, especially with client authentication.



2. Improve connection time

The DirectAccess client tries to create a connection with 3 protocols in succession:
 - 6to4
 - Teredo
 - IP-HTTPS
Unfortunately, 6to4 doesn't support NAT and Teredo requires 2 consecutive public IP addresses.

The only available protocol in our case is IP-HTTPS. To reduce connection time, you can disable the other protocols on the client computers.

Type the following command lines on your client:

netsh interface isatap set state disabled
netsh interface ipv6 6to4 set state disabled
netsh interface teredo set state disabled



In my own experience, without that improvement, it takes up to 1'30" to be connected. After that improvement, it takes only 40".
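To check the result on a client, the following added example (not part of the original post) reports the state of the three transition technologies disabled above, shows the IP-HTTPS interface status, and times how long the client takes to report a remote DirectAccess connection. It assumes a Windows 8 or later client where the NetworkTransition and DirectAccess client cmdlets are available; the function names Get-TransitionAudit and Measure-DAConnect are hypothetical.

```powershell
# Added example, not from the original post.
# Assumption: Windows 8 or later DirectAccess client (PowerShell 3.0+).

function Get-TransitionAudit {
    # Teredo reports its on/off state in the Type property, the others in State.
    $states = [ordered]@{
        '6to4'   = (Get-Net6to4Configuration).State
        'ISATAP' = (Get-NetIsatapConfiguration).State
        'Teredo' = (Get-NetTeredoConfiguration).Type
    }
    foreach ($name in $states.Keys) {
        [pscustomobject]@{
            Protocol = $name
            State    = [string]$states[$name]
            Disabled = ([string]$states[$name] -eq 'Disabled')
        }
    }
}

function Measure-DAConnect {
    param([int]$TimeoutSeconds = 120)
    # Poll until the client reports a remote DirectAccess connection.
    $timer = [System.Diagnostics.Stopwatch]::StartNew()
    while ($timer.Elapsed.TotalSeconds -lt $TimeoutSeconds) {
        $da = Get-DAConnectionStatus -ErrorAction SilentlyContinue
        if ($da -and $da.Status -eq 'ConnectedRemotely') {
            return [math]::Round($timer.Elapsed.TotalSeconds, 1)
        }
        Start-Sleep -Seconds 1
    }
    return $null   # not connected within the timeout
}

$audit = Get-TransitionAudit
$audit | Format-Table -AutoSize
$stillOn = @($audit | Where-Object { -not $_.Disabled })
if ($stillOn.Count -gt 0) {
    Write-Warning ('Not disabled: ' + ($stillOn.Protocol -join ', '))
}

# IP-HTTPS is the only tunnel expected to remain in use.
$ipHttps = Get-NetIPHttpsState
'IP-HTTPS status: {0} (last error 0x{1:X})' -f $ipHttps.InterfaceStatus, $ipHttps.LastErrorCode

$seconds = Measure-DAConnect
if ($null -ne $seconds) { "Connected remotely after $seconds s" }
else { Write-Warning 'No DirectAccess connection within the timeout' }
```

Start the script right after the client joins an external network so that the measured time covers the whole connection attempt.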



I hope you enjoyed this short and easy part. Keep your energy: in the next parts, we will discuss authentication with certificates and PKI!


See you soon
Julien
