Friday 29 March 2013

[DirectAccess] Part 2: Reporting and Optimizing IP-HTTPS connections

In part 1 of this series, we configured DirectAccess for IP-HTTPS connections in a simple (home) environment: one public IPv4 address, a poor router (ISP box), one internal LAN and a Remote Access server that runs Windows Server 2012 Core.

Everything works fine and my client computer can reach my internal network from the Internet through a DirectAccess tunnel over the IP-HTTPS protocol.

We can now move on to more advanced topics. In this part, I propose to get reports on DirectAccess connections and to improve IP-HTTPS connection times.


1. Enable Reporting

On the Remote Access Management console, select the Reporting node
Click on Configure Accounting

Select Use inbox accounting
You can configure the log retention period
Click on Apply

Reporting is now enabled
You only have to define the reporting period and click on Generate Report to get information about previous connections.
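The same configuration and reports can be obtained from PowerShell with the RemoteAccess module that ships with the role. The script below is an added example (not from the original post); it assumes you run it on the Remote Access server itself and that the cmdlet parameters are those documented for Windows Server 2012, so check Get-Help Set-RemoteAccessAccounting before running it. The user account name is a constructed placeholder.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# on the Remote Access server (add -ComputerName to target it remotely).

# Equivalent of "Configure Accounting" > "Use inbox accounting".
Set-RemoteAccessAccounting -EnableAccountingType Inbox -PassThru

# Reporting period: the last 7 days (equivalent of the dates chosen before
# clicking "Generate Report").
$End   = Get-Date
$Start = $End.AddDays(-7)

# Totals for the period: number of connections, unique users, bytes in/out.
Get-RemoteAccessConnectionStatisticsSummary -StartDateTime $Start -EndDateTime $End

# One entry per connection (client address, user, transition technology used,
# duration, traffic). Format-List shows every property so nothing is hidden
# behind the console's default column set.
Get-RemoteAccessConnectionStatistics -StartDateTime $Start -EndDateTime $End |
    Format-List

# Activity of one user over the same period (resources reached, by protocol
# and port). 'LAB\jdoe' is a constructed placeholder account.
Get-RemoteAccessUserActivity -UserName 'LAB\jdoe' -StartDateTime $Start -EndDateTime $End
```

Inbox accounting writes to a local Windows Internal Database on the Remote Access server, so the retention period you set in the console also bounds what these cmdlets can return.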

In the next parts, I will show some use cases, especially around client authentication.

2. Improve connection time

The DirectAccess client tries the three IPv6 transition technologies one after the other:
 - 6to4
 - Teredo
 - IP-HTTPS
Unfortunately, 6to4 does not work through NAT and Teredo requires two consecutive public IPv4 addresses on the DirectAccess server.

The only protocol that can succeed in our case is IP-HTTPS. To reduce the connection time, you can disable the other transition technologies on the client computers, so that the client no longer wastes time trying them first.

Type the following command lines on your client, in an elevated command prompt:

netsh interface isatap set state disabled
netsh interface ipv6 6to4 set state disabled
netsh interface teredo set state disabled

From my own experience, without that tweak it takes up to 1 min 30 s to get connected. With it, it takes only 40 s.
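For those who prefer cmdlets to netsh, the script below is an added example (not from the original post). It disables the same three transition technologies with the NetworkTransition cmdlets of Windows 8, checks what is left enabled, and then measures how long the client needs to report ConnectedRemotely, which is the figure quoted above. It assumes an elevated PowerShell on the DirectAccess client while it is connected to the Internet.

```powershell
# Added example, not from the original post. Run as administrator on the
# DirectAccess client while it is on an external network.

# 1. Disable the transition technologies that cannot succeed in this setup
#    (6to4 needs a public IPv4 address on the client, Teredo needs two
#    consecutive public IPv4 addresses on the server, ISATAP is an intranet
#    technology). Same effect as the three netsh commands above.
Set-Net6to4Configuration   -State Disabled
Set-NetTeredoConfiguration -Type  Disabled
Set-NetIsatapConfiguration -State Disabled

# 2. Verify the result: 6to4 and Teredo must show Disabled, and IP-HTTPS must
#    be the only transition interface left. Get-NetIPHttpsState reports the
#    interface status and the last error code, useful when the tunnel fails.
Get-Net6to4Configuration   | Select-Object State
Get-NetTeredoConfiguration | Select-Object Type
Get-NetIPHttpsState

# 3. Measure the time until the client reports it is connected remotely.
#    Get-DAConnectionStatus returns Status = ConnectedRemotely once the
#    tunnels are up. Give up after 180 seconds so the loop always ends.
$stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
do {
    Start-Sleep -Seconds 5
    $status = (Get-DAConnectionStatus).Status
} while ($status -ne 'ConnectedRemotely' -and $stopwatch.Elapsed.TotalSeconds -lt 180)
$stopwatch.Stop()

"DirectAccess status: $status after $([int]$stopwatch.Elapsed.TotalSeconds) seconds"
```

Two practical notes. First, the same three settings exist as group policies (Computer Configuration > Administrative Templates > Network > TCPIP Settings > IPv6 Transition Technologies), which is the way to apply them to every DirectAccess client at once rather than per machine. Second, only disable 6to4 and Teredo when, as here, the server cannot support them: in a deployment with a public-IP edge they are preferred over IP-HTTPS precisely because they cost less than tunnelling IPv6 inside HTTPS.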

I hope you enjoyed this short and easy part. Keep your energy: in the next parts, we will discuss authentication with certificates and a PKI!

See you soon

Tuesday 26 March 2013

[DirectAccess] Part 1: Implementing a Basic DirectAccess configuration with IP-HTTPS on Windows Server 2012 Core

You probably know that DirectAccess is now much easier to install with Windows Server 2012 and Windows 8.

The Web already contains a lot of excellent guides and labs about DirectAccess. In particular, I recommend reading:

In this series, I propose to play with a real case: how to implement DirectAccess at home behind a common Internet access. I have only one public IPv4 address, a poor router (ISP box), one internal LAN... but a Windows Server 2012 infrastructure!!

As proposed by a friend of mine, Yves D., this article could be called "DirectAccess made in Apollo XIII: Let's try to reach home with what's to hand." :o)


1. Just a few reminders

In this first part, the goal is only to be able to access my datacenter (OK... my VMs) from my laptop connected to the Internet through my mobile phone. At home, I have a common Internet access with only one public IPv4 address, one LAN, and my remote access server has only one Ethernet card.

DirectAccess provides three IPv6 transition technologies to cross the IPv4 Internet:
 - 6to4
 - Teredo
 - IP-HTTPS
Unfortunately, 6to4 does not work through NAT and Teredo requires two consecutive public IPv4 addresses on the DirectAccess server.

We will therefore use IP-HTTPS to build our DirectAccess tunnel.

2. Preparing Windows Server 2012 Core

Only one question: why a Core installation?
As experts say, "installing a Core server dramatically reduces the attack surface and can reduce the number of updates to install by up to 70%." I think that is an important point.
Moreover, everything on Windows Server can be done with PowerShell or remotely. This is certainly the right time to try it!

Install Windows Server 2012 Core normally, choose a password and log on.
Launch a PowerShell console with the command line start powershell

Assign an IP address. At home, I use addresses like 192.168.XXX.XXX
New-NetIPAddress -IPAddress <ServerIpAddress> -InterfaceAlias <InterfaceName> -PrefixLength 24 -DefaultGateway <GatewayIpAddress>

Set the DNS server
Set-DnsClientServerAddress -InterfaceAlias <InterfaceName> -ServerAddresses <DnsServer1>,<DnsServer2>

Rename the server with the cmdlet Rename-Computer -NewName <ComputerName>
Restart the server with Restart-Computer

Join the server to Active Directory with the cmdlet Add-Computer -DomainName <DomainName> -Credential <DomainName>\<AdminAccount>
and restart the server with Restart-Computer

Just one question: have you ever configured a server so quickly?
PowerShell is great!!!

Now we install the Remote Access role. You can add the role from another server with Server Manager

You can also just type the command
Install-WindowsFeature RemoteAccess -IncludeManagementTools

I'm sure you love PowerShell now ;o)
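Put together, the whole of this section is one short script. It is an added example, not the original post's commands: the interface name, addresses, server name and domain below are constructed placeholders to adapt to your LAN, and the domain join uses Add-Computer -NewName so that the server reboots once instead of twice.

```powershell
# Added example, not from the original post. Run in the PowerShell console
# of the freshly installed Core server. All values are constructed placeholders.
$Interface  = 'Ethernet'          # adapter name, see Get-NetAdapter
$ServerIp   = '192.168.1.10'
$Gateway    = '192.168.1.1'       # the ISP box
$DnsServers = @('192.168.1.5')    # internal DNS, usually the domain controller
$NewName    = 'DA-SRV01'
$Domain     = 'lab.local'

# 1. Static IPv4 address. Turn DHCP off first so the lease does not coexist
#    with the static address on the same interface.
Set-NetIPInterface -InterfaceAlias $Interface -AddressFamily IPv4 -Dhcp Disabled
New-NetIPAddress -InterfaceAlias $Interface -IPAddress $ServerIp -PrefixLength 24 -DefaultGateway $Gateway

# 2. Internal DNS, required to locate a domain controller for the join.
Set-DnsClientServerAddress -InterfaceAlias $Interface -ServerAddresses $DnsServers

# Sanity check before joining: the domain name must resolve through that DNS.
Resolve-DnsName -Name $Domain -Type A | Format-Table Name, IPAddress -AutoSize

# 3. Rename and join in one operation, then reboot once. You are prompted for
#    the password of the account allowed to join computers to the domain.
Add-Computer -DomainName $Domain -NewName $NewName -Credential "$Domain\Administrator" -Restart

# 4. After the reboot, log on again and install the role with its tools.
#    (This line is executed in a new session, after the restart above.)
Install-WindowsFeature RemoteAccess -IncludeManagementTools
```

Because Add-Computer -Restart reboots the server immediately, the last line is typed in the new session after logging on again; everything before it runs in one go.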

3. Prepare your network

Add a record in your public DNS pointing to your public IP address.
For example, on my DNS I created an A record pointing to my public IP address.

On your router, forward port 443/TCP from your public IP address to your server (same port).

Some people say that you also need to forward port 62000/TCP. That's wrong!
TechNet says:
If you are deploying Remote Access with a single network adapter, and installing the network location server on the Remote Access server, TCP port 62000 should also be exempted.
Note: This exemption is on the Remote Access server, while all other exemptions are on the edge firewall.
OK, that's not really clear! It means that port 62000/TCP is used by the network location server hosted on the Remote Access server, and only internal clients need to reach it: if you have a firewall between your Remote Access server and your internal network (for example if the server is in a DMZ), you have to allow your clients (on the internal network) to reach your DirectAccess server on 62000/TCP. Nothing has to be opened from the Internet.
Look at the DirectAccess Server GPO: the inbound rule for port 62000 is a Domain profile rule, not a Public one!

4. Configure the Remote Access role for Direct Access

The goal is now to install DirectAccess as simply as possible. In the next parts, we will improve the configuration.

Log on to a Windows Server 2012 or Windows 8 computer and open Server Manager
On Windows 8, you need to install the Remote Server Administration Tools (RSAT)

Right-click All Servers and select Add Servers

Add your Remote Access server

Select the Remote Access node
Right-click the server and select Remote Access Management

Note: on Windows Server 2012, if you don't see Remote Access Management, you need to install the corresponding administration tools: simply add the Remote Access Management Tools feature on the server you are connected to.

Now that the Remote Access console is open, click on Run the Getting Started Wizard

Select Deploy DirectAccess only

Select Behind an edge device (with a single network adapter)
Provide the public DNS name of your remote access server (the name you registered in your public DNS in step 3). You can also provide your public IP address.

You can click directly on Finish. However, I recommend modifying some settings.
Click on here to edit the wizard settings

Settings will be published to servers and clients through two GPOs.
I recommend limiting the scope of the client GPO with a dedicated security group.
In the section Remote Clients, click on Change

Create and provide a security group that will contain the DirectAccess clients.
Clear Enable DirectAccess for mobile computers only
Click on Next

You can provide custom information for the helpdesk email address and the DirectAccess connection name
Click on Finish to close the settings

Click on Finish again to apply the configuration

GPOs and settings are applied
Click on Close
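The same choices can be scripted with the RemoteAccess module on the server, which is handy on a Core installation and for rebuilding the lab. The block below is an added example (not from the original post): the public name, interface, group and GPO names are constructed placeholders; the cmdlet parameters are those documented for Windows Server 2012, so verify them with Get-Help Install-RemoteAccess before running; and it assumes the cmdlet applies the same defaults as the wizard for the self-signed IP-HTTPS and NLS certificates. It ends with the firewall check that backs up the point made in step 3 about port 62000.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# on the Remote Access server. All names below are constructed placeholders.
$PublicName  = 'da.example.net'                           # A record created in step 3
$Interface   = 'Ethernet'                                 # the server's only adapter
$ClientGroup = 'LAB\DirectAccess Clients'                 # dedicated security group
$ClientGpo   = 'lab.local\DirectAccess Client Settings'
$ServerGpo   = 'lab.local\DirectAccess Server Settings'

# "Deploy DirectAccess only" + "Behind an edge device (single network adapter)":
# -DeployNat declares the server behind a NAT device, and the same adapter is
# given as internal and Internet interface.
Install-RemoteAccess -DAInstallType FullInstall -DeployNat `
    -ConnectToAddress $PublicName `
    -InternalInterface $Interface -InternetInterface $Interface `
    -ClientGpoName $ClientGpo -ServerGpoName $ServerGpo -Force

# Limit the client GPO to the dedicated group, and drop the wizard's default
# "Domain Computers" so only explicit members become DirectAccess clients.
Add-DAClient    -SecurityGroupNameList $ClientGroup
Remove-DAClient -SecurityGroupNameList 'LAB\Domain Computers'

# "Enable DirectAccess for mobile computers only" cleared: no WMI filter on
# the client GPO, desktops in the group are clients too.
Set-DAClient -OnlyRemoteComputers Disabled

# Check 1: effective client-side settings (groups, force tunnel, downlevel).
Get-DAClient

# Check 2 (run after gpupdate /force on the server): the NLS rule for TCP 62000
# delivered by the server GPO is scoped to the Domain profile, which is why
# nothing on 62000 is forwarded from the Internet.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq 62000 } |
    Get-NetFirewallRule |
    Select-Object DisplayName, Direction, Profile, Enabled
```

If Check 2 prints a rule whose Profile is Domain, the only thing the ISP box ever needs to forward is 443/TCP, exactly as configured in step 3.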

5. Configuration Overview

DirectAccess is now configured on both the server and client sides.

Here is what I get on the different configuration panels:

Remote Clients:

Remote Access Server:

Infrastructure Servers:

Note: if you have WSUS or SCCM servers, they are automatically added to the previous panel. In a lab, you can remove them if they are not always turned on and you want to avoid alerts in the DirectAccess dashboard.

6. Tests with client

Add your test computer account to the DirectAccess client security group

Connect your test computer to your internal network and force a policy refresh (gpupdate /force).
In the network panel, you should see a new connection with a specific icon. DirectAccess is not active because you are already connected to your internal network.

Connect your test computer to an external network. The DirectAccess client detects that you are not on the internal network and tries to contact the DirectAccess server.

For your information, here is the network configuration of my test computer.

After a short while (it can take up to 2 minutes; we will improve that in Part 2), my DirectAccess connection is established.

I can access the shares of my domain controller

If I ping my domain controller, I see that it answers with an IPv6 address, even though I never configured IPv6 on that server. In the third part of this series, dedicated to troubleshooting, I will give more information about that IPv6 address.

You don't have to configure or support IPv6 in your internal lab: the Remote Access server provides DNS64/NAT64 for IPv4-only resources.
I can even reach my NAS, which only supports IPv4

In the Remote Access Management Console, under Remote Client Status, you get all the information about the clients currently connected.
In this case, my client is connected with the IP-HTTPS protocol. Users and computers are authenticated with Kerberos (the Kerberos proxy chosen by the Getting Started Wizard, which is why no certificates were needed so far).
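Beyond the console, the client itself can tell you whether the tunnel is up and why names resolve to IPv6 addresses. The block below is an added example (not from the original post) to run in an elevated PowerShell on the Windows 8 test client once it is on the external network; the domain controller and NAS names are constructed placeholders.

```powershell
# Added example, not from the original post. Names are constructed placeholders.
$Dc  = 'dc01.lab.local'     # domain controller (no IPv6 configured in this lab)
$Nas = 'nas.lab.local'      # IPv4-only NAS

# 1. Overall state: Status is ConnectedLocally on the LAN (the NLS is reachable)
#    and ConnectedRemotely on the Internet; Substatus explains a failure.
Get-DAConnectionStatus

# 2. Name Resolution Policy Table pushed by the client GPO: queries for the
#    internal suffix go to the DA server's DNS64 address instead of the local
#    resolver. Without this entry, nothing internal resolves from outside.
Get-DnsClientNrptPolicy | Format-List Namespace, DirectAccessDnsServers

# 3. The IP-HTTPS tunnel interface must be up and hold an IPv6 address taken
#    from the prefix published by the server.
Get-NetIPHttpsConfiguration
Get-NetIPAddress -InterfaceAlias 'IPHTTPSInterface' -AddressFamily IPv6

# 4. Why ping showed an IPv6 address: when a host has no AAAA record of its
#    own, the DA server's DNS64 synthesizes one and NAT64 translates the
#    traffic back to IPv4 on the LAN. Compare the answers for the DC and NAS.
Resolve-DnsName -Name $Dc  -Type AAAA
Resolve-DnsName -Name $Nas -Type AAAA
ping -6 $Dc

# 5. Application-level check, equivalent to opening the DC's shares in Explorer.
Test-Path "\\$Dc\netlogon"
```

If step 1 says ConnectedRemotely but step 5 returns False, the tunnel is fine and the problem is on the resource side (name resolution in step 4, or the resource firewall), which narrows the troubleshooting considerably.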

In the next parts, I will show you how we can improve that configuration.

See you soon

Thursday 21 March 2013

[SCCM 2012 & Intune] Mobile management - Part 5: Getting reports on Mobile devices with SCCM 2012 SP1

This article is the fifth of a series on Mobile Management with SCCM 2012 SP1 and Windows Intune.

In this last article of the series, we will see how to get information and reports on mobile devices in SCCM 2012 SP1.
For configuration compliance, read part 4 of this series: Managing Mobile device configuration with SCCM 2012 SP1.


1. General information about Devices

In the Configuration Manager console, open the Assets and Compliance workspace
Expand the Devices node

First of all, you can notice that mobile devices have a special icon.
As usual, you can get information in the properties window of the device.

Right-click the mobile device.
Note that all the features to block or wipe your device are available here.
Select Start and click on Resource Explorer

Here is an example of what you get for an iPhone
The first node shows you the current hardware configuration; the next one contains the history of the configuration

2. Generating reports

SCCM 2012 SP1 contains a lot of reports by default
Open the Monitoring workspace
Expand Reporting > Reports and open the Device Management folder

The first report to use is certainly All mobile device clients

Count of mobile devices by operating system provides the distribution of devices with a really pretty graph. I apologize, I only have iOS devices in that lab ;o)

Two reports are made specifically for Windows Intune:
 - List of devices enrolled per user in Windows Intune
 - Number of devices enrolled per user in Windows Intune

I hope you enjoyed this series.
Feel free to contact me if you are looking for information.

See you soon