Friday, 26 July 2013

[DirectAccess] Part 6: Configuring DirectAccess for Windows 7


In previous parts of this series, we configured DirectAccess on Windows Server 2012 for Windows 8 client computers.


Indeed, the current environment only accepts connections from Windows 8 computers. You have certainly seen the option "Enable Windows 7 client computers to connect via DirectAccess". Is that all? Obviously not.
In this article, I propose to configure our DirectAccess environment for Windows 7 clients. We will also look at the impact on the architecture and how to troubleshoot DirectAccess for Windows 7 clients.


PART 6: CONFIGURING DIRECTACCESS FOR WINDOWS 7


First things first:
1. Enable Windows 7 client computers to connect via DirectAccess

Open the DirectAccess console.
In the Step 2 - Remote Access Server box, click Edit.


 - On the Authentication page, select the option Enable Windows 7 client computers to connect via DirectAccess
 - Click Finish and apply the configuration on the DirectAccess server




2. Install the DirectAccess Connectivity Assistant

Download the DirectAccess Connectivity Assistant 2.0 from http://www.microsoft.com/en-us/download/details.aspx?id=29039.
Note that this version applies only to computers running Windows 7 that connect to internal corporate networks through DirectAccess on Windows Server 2012 only.

The package contains documentation, ADMX files for GPO and MSI files.
 - Install Microsoft_DirectAccess_Connectivity_Assistant_x64.msi or Microsoft_DirectAccess_Connectivity_Assistant_x86.msi depending on your platform.


The installation is really easy: I Accept, Install and Finish...






3. Set DirectAccess Connectivity Assistant settings

Indeed, the parameters of the DirectAccess Connectivity Assistant are provided by GPO:

 - Copy the ADMX and ADML files into your environment. In my own lab, I use a Central Store.
(for more information, see http://www.microsoft.com/en-us/download/details.aspx?id=23947 and http://support.microsoft.com/kb/929841/en-us)



You can modify the DirectAccess Client Settings GPO directly, but the best practice is rather to let DirectAccess manage that GPO (the DirectAccess console rewrites it each time you apply the configuration) and to configure the DirectAccess Connectivity Assistant with a dedicated GPO.

- Open the report of the DirectAccess Client Settings GPO
- In Computer Configuration > Policies > Administrative Templates > Network > DirectAccess Client Experience Settings, read the properties: Corporate Resources, IPsec Tunnel Endpoints (DTEs) and Support email Address.


- Create and link a new GPO to your Windows 7 computers
- In Computer Configuration > Policies > Administrative Templates > DirectAccess Connectivity Assistant, define the properties: Corporate Resources, DTEs and Support email Address.


 - Force a GPO refresh on your Windows 7 client computer and connect it to the Internet.
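As an added example (not code from the original post or from the DCA 2.0 package), the following PowerShell script automates this step from a Windows Server 2012 management host: it exports the report of the DirectAccess-managed GPO, reads the registry locations each DCA 2.0 policy uses straight from the ADMX file in the Central Store, then creates and links a dedicated GPO for the Windows 7 computers and refreshes policy on one client. The ADMX file name, the OU, the client name, the support address and the registry key and value names used in the last step are assumptions; take the real key and value names from the table the script prints.

```powershell
# Added example, not part of the original post or of the DCA 2.0 package.
# Builds the dedicated GPO for Windows 7 clients described in step 3 instead
# of editing the DirectAccess-managed "DirectAccess Client Settings" GPO.
# Requirements: domain-joined host with the GroupPolicy RSAT module, run as a
# Group Policy administrator; DCA 2.0 ADMX/ADML already in the Central Store.
Import-Module GroupPolicy

$Domain       = (Get-WmiObject -Class Win32_ComputerSystem).Domain
$CentralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
$DcaAdmx      = Join-Path $CentralStore 'DirectAccess Connectivity Assistant.admx'  # ASSUMED file name, check the package
$SourceGpo    = 'DirectAccess Client Settings'                # written by the DirectAccess console
$TargetGpo    = 'DCA 2.0 Settings - Windows 7 Clients'       # our own GPO
$TargetOU     = 'OU=Windows7,OU=Workstations,DC=corp,DC=example'   # constructed sample OU
$ClientName   = 'WIN7-LAPTOP01'                               # constructed sample client

# 1. Export the DirectAccess-managed GPO as an HTML report so the Corporate
#    Resources, DTEs and Support email values can be read and reused.
$ReportFile = Join-Path $env:TEMP 'DirectAccess-Client-Settings.html'
Get-GPOReport -Name $SourceGpo -ReportType Html -Path $ReportFile
Write-Host "Source GPO report written to $ReportFile"

# 2. Read the registry locations from the ADMX instead of guessing them.
#    In the ADMX schema every <policy> has a 'key' (relative to HKLM for
#    class="Machine") and either a 'valueName' or child <elements> such as
#    <list>/<text>, which may carry their own key/valueName.
[xml]$admx = Get-Content -Path $DcaAdmx
$PolicyMap = $admx.policyDefinitions.policies.policy | ForEach-Object {
    $elements = @()
    if ($_.elements) {
        $elements = $_.elements.ChildNodes |
            Where-Object { $_.NodeType -eq 'Element' } |
            ForEach-Object {
                $key = if ($_.key) { $_.key } else { '(policy key)' }
                "$($_.LocalName) id=$($_.id) key=$key valueName=$($_.valueName)"
            }
    }
    New-Object PSObject -Property @{
        Policy   = $_.name
        Class    = $_.class
        Key      = $_.key
        Value    = $_.valueName
        Elements = ($elements -join '; ')
    }
}
$PolicyMap | Format-Table Policy, Key, Value, Elements -AutoSize -Wrap

# 3. Create the dedicated GPO and link it to the Windows 7 OU.
if (-not (Get-GPO -Name $TargetGpo -ErrorAction SilentlyContinue)) {
    New-GPO -Name $TargetGpo -Comment 'DCA 2.0 client settings, managed by the admins, not by the DirectAccess console' | Out-Null
}
New-GPLink -Name $TargetGpo -Target $TargetOU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 4. Write the three properties. The key and value names below are
#    PLACEHOLDERS: replace them with the Key/Value printed by step 2 for the
#    Corporate Resources, DTEs and Support email policies, and check the
#    HTTP:/PING: value formats against the documentation in the DCA package.
$DcaKey = 'HKLM\SOFTWARE\Policies\Microsoft\DirectAccess Connectivity Assistant'   # PLACEHOLDER
Set-GPRegistryValue -Name $TargetGpo -Key "$DcaKey\CorporateResources" -ValueName '1' -Type String `
    -Value 'HTTP:https://directaccess-webprobehost.corp.example' | Out-Null     # constructed probe URL
Set-GPRegistryValue -Name $TargetGpo -Key "$DcaKey\DTEs" -ValueName '1' -Type String `
    -Value 'PING:2001:db8:1::1' | Out-Null                                       # constructed DTE address (documentation prefix)
Set-GPRegistryValue -Name $TargetGpo -Key $DcaKey -ValueName 'SupportEmail' -Type String `
    -Value 'directaccess-support@corp.example' | Out-Null                        # constructed address

# 5. Force a policy refresh on one Windows 7 client (Invoke-GPUpdate is new in
#    the Windows Server 2012 GroupPolicy module; gpupdate /force run on the
#    client does the same).
Invoke-GPUpdate -Computer $ClientName -Target Computer -Force
```

Keeping the DCA settings in a GPO that the DirectAccess console never touches means a later "apply configuration" on the server cannot silently overwrite them, and the GPO can be scoped to a Windows 7 OU or security group so Windows 8 clients, which do not run the DCA, never receive it.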



4. Troubleshooting

In general, if DirectAccess works with Windows 8 client computers, it will work for Windows 7 too.
However, if you have problems...


 - Right-click the DirectAccess Connectivity Assistant icon and select Advanced Diagnostics


 - Logs are generated automatically. Click on the link.


 - Open the text file.


The assistant provides a first analysis and a lot of configuration dumps.


Note that the PowerShell commands provided in Part 5: Troubleshooting guide for DirectAccess are not available in Windows 7. It's nice to have a fully automatic tool that runs all the tests for you!

In this screenshot, we see the NRPT policy applied on the client.
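Because the Remote Access cmdlets of Part 5 do not exist on Windows 7, here is an added example (not from the original post or the DCA package) that collects the same information with the netsh commands Windows 7 does have: the effective NRPT policy shown in the screenshot above, the state of the Teredo, 6to4 and IP-HTTPS transition interfaces, and the IPsec main mode and quick mode security associations, which are the tunnels and connections discussed in section 7. It writes one text report and prints a short verdict. The report path is a constructed location, and the strings matched for the verdict are assumptions based on the English netsh output; adjust them if they do not match yours.

```powershell
# Added example, not part of the original post or of the DCA package.
# Windows 7 has none of the Remote Access cmdlets used in Part 5, so this
# script wraps the netsh commands that do exist on Windows 7 and writes one
# text report to read next to the DCA Advanced Diagnostics log.
# Run from an elevated PowerShell 2.0 prompt on the Windows 7 client while it
# is outside the corporate network. $ReportPath is a constructed location.

$ReportPath = Join-Path $env:TEMP 'DirectAccess-Win7-Checks.txt'

# Title + netsh command for each check, in the order a DA connection is built.
$Checks = @(
    @{ Title = 'NRPT effective policy (which names go to the internal DNS)';  Cmd = 'netsh namespace show effectivepolicy' },
    @{ Title = 'Teredo state';                                                  Cmd = 'netsh interface teredo show state' },
    @{ Title = '6to4 state';                                                    Cmd = 'netsh interface 6to4 show state' },
    @{ Title = 'IP-HTTPS interface state';                                      Cmd = 'netsh interface httpstunnel show interfaces' },
    @{ Title = 'IPv6 addresses (the active transition interface needs one)';    Cmd = 'netsh interface ipv6 show address' },
    @{ Title = 'IPsec main mode SAs (one per tunnel, with Auth1/Auth2 methods)'; Cmd = 'netsh advfirewall monitor show mstate' },
    @{ Title = 'IPsec quick mode SAs (one per connection inside a tunnel)';     Cmd = 'netsh advfirewall monitor show qmsa' }
)

function Invoke-NetshCheck {
    # Runs one check and returns its titled output as an array of lines.
    param([hashtable]$Check)
    $output = Invoke-Expression $Check.Cmd 2>&1
    @("==== $($Check.Title) ====", "> $($Check.Cmd)") + @($output) + @('')
}

function Get-DirectAccessSummary {
    # Best-effort verdict from the dumps. The labels matched here are
    # ASSUMED from the English netsh output; adjust them if yours differ.
    param([string[]]$Lines)
    $text = $Lines -join "`n"
    New-Object PSObject -Property @{
        NrptRulesPresent     = [bool]($text -match 'DirectAccess \(DNS Servers\)')
        IpHttpsInterfaceUp   = [bool]($text -match 'IPHTTPS interface active')
        MainModeSaCount      = @($Lines | Select-String -Pattern 'Main Mode SA').Count
        QuickModeSaCount     = @($Lines | Select-String -Pattern 'Quick Mode SA').Count
        ComputerCertAuthSeen = [bool]($text -match 'Auth1:\s*ComputerCert')
        UserAuthMethodsSeen  = (@($Lines | Select-String -Pattern '^\s*Auth2:\s*(\S+)' |
                                  ForEach-Object { $_.Matches[0].Groups[1].Value } | Sort-Object -Unique) -join ',')
    }
}

$report  = $Checks | ForEach-Object { Invoke-NetshCheck $_ }
$report | Out-File -FilePath $ReportPath -Encoding ASCII
$summary = Get-DirectAccessSummary -Lines $report
$summary | Format-List
Write-Host "Full dumps written to $ReportPath"
```

Read the verdict top-down: no NRPT rules means the client did not receive the DirectAccess Client Settings GPO (it is probably not in the security group), an inactive IP-HTTPS interface with no Teredo or 6to4 address means the client has no IPv6 path to the server, and zero main mode SAs with a working transition interface points at certificate or authentication problems on the tunnel.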




5. DirectAccess works fine

Congratulations!






6. What are the impacts?

In this chapter, I propose to show you the impact of adding certificates and enabling Windows 7 support.

Here is a screenshot of the DirectAccess Client Settings GPO with the default DirectAccess configuration (no certificates for client authentication).
Computer and user authentication rely only on Kerberos.


Now, a screenshot of the DirectAccess Client Settings GPO when adding client computer authentication with certificates. User authentication still relies on Kerberos, but computer authentication now relies on certificates too.
For more information, read Part 4: Authenticating DirectAccess clients with certificates, §5. Logs and Authentication.


Finally, the DirectAccess Client Settings GPO when Windows 7 client computers are allowed.
Kerberos authentication is no longer supported for computers; only certificate authentication is allowed.
For user authentication, NTLM authentication is available too.




7. Logs and Authentication with Windows 7 computer clients allowed

Windows 8 computer:
There are 2 tunnels:
 - The first for the computer only. This tunnel is opened even if no user has opened a session.
 - The second for the user. This tunnel is based on 2 connections:
    * User authentication relies on NTLM when contacting the Domain Controller.
    * User authentication relies on Kerberos for all other services.
The computer is always authenticated with its certificate.



Details of the connections for a Windows 8 computer:


User authentication relies on NTLM when contacting Domain Controller.


User authentication relies on Kerberos for all other services.



Windows 7 computer:
There is only one tunnel containing 4 connections:
 - The first 2 connections for the computer only. These 2 connections are opened even if no user has opened a session.
 - The last 2 connections for the user.

The computer is always authenticated with its certificate.
User authentication relies on NTLM when contacting the Domain Controller.
User authentication relies on Kerberos for all other services.


Details of the connections for a Windows 7 computer:







I hope you enjoyed this series about DirectAccess.

See you soon !
Julien

2 comments:

  1. Hi,
    What versions of Windows 7 are supported for DA?
    Thanks

  2. Prerequisites for Deploying DirectAccess
    https://technet.microsoft.com/en-us/library/dn464273(v=ws.11).aspx
