
DirectAccess Proof-of-Concept

DirectAccess Fundamentals


Disclaimer

© 2012 Microsoft Corporation. All rights reserved. This document is provided "as-is." Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it.

Some examples are for illustration only and are fictitious. No real association is intended or inferred.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. You may modify this document for your internal, reference purposes.

DirectAccess PoC: DirectAccess Fundamentals |


Contents

Introduction....................................................................................................................................................................... 4

Before you begin............................................................................................................................................................. 5

Virtual machines.............................................................................................................................................................. 6

Network............................................................................................................................................................................... 6

Overview............................................................................................................................................................................. 7

Server configuration....................................................................................................................................................... 8

Install the Remote Server role.................................................................................................................................... 8

Windows PowerShell equivalent commands...................................................................................................... 11

Configure DNS records on INET1........................................................................................................................... 11

Configure DNS records on DC1.............................................................................................................................. 13

Run the Getting Started wizard............................................................................................................................... 15

Demonstrate the DirectAccess user experience................................................................................................ 19

Check the DirectAccess connection....................................................................................................................... 21

Verify that CLIENT1 is connected to the Private Corpnet..............................................................................22

Verify that the connection is two-way.................................................................................................................. 24

Next steps........................................................................................................................................................................ 26

Additional resources.................................................................................................................................................... 27


Introduction

Welcome to the DirectAccess Proof-of-Concept (PoC): DirectAccess Fundamentals Delivery Guide.

The express setup process applies to a scenario in which a single computer running Windows Server 2012 must be configured as a server for a set of client computers that will connect to a network through DirectAccess. With the simple deployment model used by DirectAccess and a wizard-based configuration procedure, this process is quick and easy.

Despite its simplicity, express setup provides powerful features. Computers running Windows 7 or Windows 8 that are configured as DirectAccess clients can connect to the corporate network any time that they have access to the Internet, without the need to manually initiate a virtual private network (VPN) connection. Server administrators can also use DirectAccess to manage all client computers remotely and keep security-related software updated even when the remote users are not logged in to the network.


Before you begin

Before you start the hands-on lab, you must prepare the environment for the Express Setup Workshop. The PoC is contained in a virtual environment built on Windows Server 2012 Hyper-V® and Windows 8 virtual machines (VMs).

Objective

Demonstrate the client and server settings required for a basic Remote Access deployment.

Tasks

Install the Remote Access role.

Configure DirectAccess using the Getting Started Wizard.

View the DirectAccess user experience.

Result

At the completion of this workshop, you will have seen that you can easily deploy DirectAccess by using the Getting Started Wizard to configure a single remote access server.

Assumptions

You have completed the Setup Guide.


Virtual machines

The virtual machines (VMs) needed for this workshop are implemented by using Microsoft Hyper-V as shown in the following table.

Virtual machine   Role
HOST              Hyper-V host
DC1               Windows 2012 domain controller
3-EDGE1           Windows 2012 (without DirectAccess configured)
APP1              Windows 2012
2-APP1            Windows 2012
INET1             Windows 2012
NAT1              Windows 2012
CLIENT1           Windows 8 client

Network

The credentials for every virtual machine on the network are:

User name: CORP\Administrator
Password: P@ssw0rd

Virtual machine   IP address                 Features
DC1               10.0.0.1                   AD, DNS, DHCP
3-EDGE1           10.0.0.32, 131.107.0.32    Remote Access role
INET1             131.107.0.1                DNS
CLIENT1           (uses DHCP)                Windows 8 client


Overview

DirectAccess is a technology that provides remote users with access to the corporate network without the need to establish a VPN connection. With the release of Windows Server 2012, DirectAccess was merged with Routing and Remote Access Service (RRAS) VPN to create a unified server role for managing both DirectAccess and legacy clients. Along with this change, the setup process was streamlined and simplified, particularly for smaller organizations that require only a basic DirectAccess implementation. In particular, DirectAccess setup no longer requires a full public key infrastructure (PKI) deployment, certificate provisioning, or the acquisition of two consecutive public IPv4 addresses.

DirectAccess provides a setup wizard to simplify the deployment process. After you install the Remote Access role on the server, express setup requires only that you run the Getting Started Wizard and enter a few basic settings. The wizard then uses default settings to automatically complete the following processes:

Provision self-signed certificates for the IP-HTTPS site and the network location server (NLS).

Enable Kerberos proxy.

In an IPv6-only environment, enable NAT64 and DNS64 for protocol translation.

For all mobile computers in the domain, apply a WMI filter to the client settings GPO.

After you verify your DirectAccess deployment, you can begin managing your client computers from the monitoring dashboard. Client computers can access network resources from any Internet-equipped remote location; no VPN setup or initiation is required.


Server configuration

The first step in the express setup process for DirectAccess is to install the Remote Server role on the computer running Windows Server 2012. This role includes both DirectAccess and Routing and Remote Access Services (RRAS). In this workshop, you will use the Server Manager console to install the Remote Access role.

To complete the server configuration, you will run the Getting Started Wizard to set up DirectAccess on the server.

Install the Remote Server role

To deploy Remote Access, you must install the Remote Access role on a server in your organization that will act as the Remote Access server.

Steps

1. Connect to the 3-EDGE1 virtual machine.

2. In the Server Manager console, in the Dashboard, click Add roles and features.


3. Click Next through the next three windows to get to the server role selection screen.

4. In the Select server roles dialog box, select Remote Access.


5. Click Add Features, and then click Next.

6. Click Next through the next five windows.

7. In the Confirm installation selections dialog box, click Install.

8. In the Installation progress dialog box, verify that the installation was successful, and then click Close.


Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet performs the same function as the preceding procedure:

Install-WindowsFeature RemoteAccess -IncludeManagementTools

Configure DNS records on INET1

1. Connect to the INET1 virtual machine.

2. On the Start screen, type dnsmgmt.msc and then press Enter.

3. In the left pane of the DNS Manager console, expand the forward lookup zone for your domain. Right-click the corp.contoso.com domain, and then click New Host (A or AAAA).


4. In the New Host dialog box, in the Name (uses parent domain name if blank) box, enter 3-edge1 for the network location server website (this is the name that the DirectAccess clients use to connect to the network location server).

5. In the IP address box, enter the IPv4 address of the network location server 131.107.0.32, and then click Add Host.

6. In the DNS dialog box, click OK.

7. Click Done.


Configure DNS records on DC1

1. Connect to the DC1 virtual machine.

2. On the Start screen, type dnsmgmt.msc, and then press Enter.

3. In the left pane of the DNS Manager console, expand the forward lookup zone for your domain. Right-click the corp.contoso.com domain, and then click New Host (A or AAAA).

4. In the New Host dialog box, in the Name (uses parent domain name if blank) box, enter 3-edge1 for the network location server website (this is the name that the DirectAccess clients use to connect to the network location server).


5. In the IP address box, type the IPv4 address of the network location server 10.0.0.32, and then click Add Host.

6. In the DNS dialog box, click OK.

7. Click Done.
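The two DNS procedures above (on INET1 and on DC1) add the same host name, 3-edge1, with a different address on each server. The following script is an added example, not part of the Microsoft guide, that creates both records with the DnsServer cmdlets instead of dnsmgmt.msc and then checks what each server actually answers. The zone name, host name and addresses are those used in the steps above; the script assumes it is run from a machine that has the DNS Server tools installed and can reach INET1 and DC1 remotely (otherwise run each half locally on the server and drop -ComputerName).

```powershell
# Added example, not part of the original guide: create the NLS host record on
# INET1 and DC1 as in the two procedures above, then verify each server's answer.
$zone    = "corp.contoso.com"   # zone named in the guide's steps on both servers
$nlsName = "3-edge1"            # host name DirectAccess clients use for the NLS

# Records exactly as the guide adds them: the INET1 copy carries the edge
# server's public address, the DC1 copy carries its corpnet address.
$records = @(
    @{ Server = "INET1"; Address = "131.107.0.32" },
    @{ Server = "DC1";   Address = "10.0.0.32" }
)

foreach ($r in $records) {
    # Skip creation when the record is already there so the script is re-runnable;
    # -ErrorAction Stop turns a missing zone into a hard failure, not a silent no-op.
    $existing = Get-DnsServerResourceRecord -ComputerName $r.Server -ZoneName $zone `
        -Name $nlsName -RRType A -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ComputerName $r.Server -ZoneName $zone `
            -Name $nlsName -IPv4Address $r.Address -ErrorAction Stop
    }

    # Ask the server itself (not the local resolver cache) and compare with the
    # intended address; a stale record or a typo shows up here, before the
    # Getting Started Wizard and the clients start depending on the name.
    $answer = Resolve-DnsName -Name "$nlsName.$zone" -Server $r.Server -Type A -ErrorAction Stop |
        Where-Object { $_.Type -eq "A" } |
        Select-Object -ExpandProperty IPAddress
    if ($answer -contains $r.Address) {
        Write-Output "$($r.Server): $nlsName.$zone -> $($answer -join ', ') (OK)"
    } else {
        Write-Warning "$($r.Server): expected $($r.Address) but got '$($answer -join ', ')'"
    }
}
```

The verify half is worth keeping in any automation of these steps: DirectAccess clients use this name to decide whether they are inside or outside the corporate network, so a record that resolves to the wrong address on either server changes that decision for every client.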


Run the Getting Started wizard

The DirectAccess Getting Started wizard in Windows Server 2012 offers a very simple configuration experience. You can complete a basic DirectAccess setup in just a few easy steps. The wizard configures the Kerberos proxy automatically to eliminate the need for an internal PKI deployment.

Steps

1. Connect to the 3-EDGE1 virtual machine.

2. Make sure that 3-EDGE1 is joined to the CORP domain; if it is not, join it to the domain.

3. Make sure you are signed in with the following credentials:

User: CORP\Administrator
Password: P@ssw0rd

4. In Server Manager, click Tools, and then click Remote Access Management.


5. In the Remote Access Management console, click Run the Getting Started Wizard.

6. Click Deploy DirectAccess only.


7. Wait for the wizard to finish checking prerequisites.

8. Select the Edge topology and type the public name 3-edge1.contoso.com to which remote access clients will connect. Click Next.

9. Click Finish.


10. Wait for the wizard to apply all settings.

11. After the wizard successfully finishes applying the configuration, click Close.

Because no PKI is used in this deployment, the wizard does the following if certificates are not found:

Automatically provisions self-signed certificates for IP-HTTPS and the Network Location Server.

Enables Kerberos proxy.

Enables NAT64 and DNS64 for protocol translation in an IPv4-only environment.
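The wizard run above can also be driven from the RemoteAccess module. The following script is an added example, not code from the guide, that performs the same edge deployment on 3-EDGE1 with Install-RemoteAccess, using the public name entered in step 8. The adapter aliases "Internet" and "Corpnet" are assumptions made for this example (the guide never names the adapters); the script checks that they carry the lab addresses from the network table before it changes anything.

```powershell
# Added example, not part of the original guide: cmdlet equivalent of the
# Getting Started Wizard run on 3-EDGE1 (Deploy DirectAccess only, edge topology).
# ASSUMPTION: the two adapter aliases below are invented for this example;
# confirm them with Get-NetAdapter on 3-EDGE1 before running.
$publicName = "3-edge1.contoso.com"   # public name entered in the wizard (step 8)
$internet   = "Internet"              # assumed alias of the adapter on 131.107.0.32
$internal   = "Corpnet"               # assumed alias of the adapter on 10.0.0.32

# Precondition from "Install the Remote Server role": the role must be present.
if (-not (Get-WindowsFeature -Name RemoteAccess).Installed) {
    Install-WindowsFeature RemoteAccess -IncludeManagementTools | Out-Null
}

# Check that the aliases really carry the lab addresses before touching the
# configuration; binding the Internet and intranet sides the wrong way round is
# the kind of mistake that is much easier to catch here than after deployment.
$ext = (Get-NetIPAddress -InterfaceAlias $internet -AddressFamily IPv4 -ErrorAction Stop).IPAddress
$int = (Get-NetIPAddress -InterfaceAlias $internal -AddressFamily IPv4 -ErrorAction Stop).IPAddress
if ($ext -notcontains "131.107.0.32" -or $int -notcontains "10.0.0.32") {
    throw "Adapter aliases do not match the lab addressing (Internet=$ext, Corpnet=$int)."
}

# Same inputs the wizard asked for. No -VpnType is given, so only DirectAccess
# is deployed, matching the "Deploy DirectAccess only" choice in step 6.
Install-RemoteAccess -DAInstallType FullInstall `
                     -ConnectToAddress $publicName `
                     -InternetInterface $internet `
                     -InternalInterface $internal `
                     -Force

# Show what the defaults produced: overall state, server settings, and the client
# settings (GPO name and the mobile-computer scoping described in the Overview).
Get-RemoteAccess | Format-List
Get-DAServer     | Format-List
Get-DAClient     | Format-List
```

Reviewing the Get-DAClient and Get-DAServer output after the run is the cmdlet equivalent of opening the Remote Access Management console: it shows which GPOs the wizard created and which certificates it self-signed, which is what you would want recorded before restoring the snapshot.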

Now that you’ve tried out the DirectAccess Getting Started wizard, shut down the virtual machine and restore the snapshot.


Demonstrate the DirectAccess user experience

In this section, you will use the CLIENT1 virtual machine. Using Hyper-V, you first connect CLIENT1 directly to the Private Corpnet virtual switch and then move it to the Private Homenet virtual switch. This simulates a scenario in which a user takes a laptop or mobile device home and can connect seamlessly to resources on the private enterprise network, without having to initiate a VPN connection or log in.

1. Open the Hyper-V Console on the host.

2. In the virtual machine settings for CLIENT1, make sure that the Private Corpnet adapter is not connected to a virtual switch. This simulates the virtual machine acting like a laptop that a user takes home.


3. In the virtual machine settings for CLIENT1, make sure that the Private Homenet adapter is connected to the Private Homenet virtual switch.

4. Turn on the CLIENT1 virtual machine, and wait for it to boot.

5. Make sure that you are logged on with the following credentials:

User: CORP\Administrator
Password: P@ssw0rd
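The Hyper-V steps above (and the reverse move back to the corpnet in step 7 of "Verify that the connection is two-way") can be done from the Hyper-V module on HOST instead of the console. The following function is an added example, not part of the guide. The VM, adapter and switch names are the lab names the guide uses; on any other host treat them as assumptions and confirm them with Get-VM and Get-VMSwitch first.

```powershell
# Added example, not part of the original guide: re-cable CLIENT1 for the
# "at home" or "on the corpnet" scenario and boot it, from the Hyper-V host.
function Set-Client1Location {
    param(
        [Parameter(Mandatory)][ValidateSet("Home", "Corp")][string]$Location,
        [string]$VMName = "CLIENT1"
    )
    # Guest NIC names from the guide's Hyper-V settings (assumed on other hosts).
    $corpAdapter = "Private Corpnet"
    $homeAdapter = "Private Homenet"

    # Only re-cable a stopped VM, so the guest boots into the chosen location the
    # way a laptop carried home does, rather than having its network swapped live.
    $vm = Get-VM -Name $VMName -ErrorAction Stop
    if ($vm.State -ne "Off") { throw "$VMName is $($vm.State); shut it down first." }

    if ($Location -eq "Home") {
        # Steps 2 and 3: unplug the corpnet NIC, plug the homenet NIC into Private Homenet.
        Disconnect-VMNetworkAdapter -VMName $VMName -Name $corpAdapter
        Connect-VMNetworkAdapter    -VMName $VMName -Name $homeAdapter -SwitchName "Private Homenet"
    } else {
        # Step 7 of the two-way check: the reverse, back on the corpnet.
        Disconnect-VMNetworkAdapter -VMName $VMName -Name $homeAdapter
        Connect-VMNetworkAdapter    -VMName $VMName -Name $corpAdapter -SwitchName "Private Corpnet"
    }

    # Show the resulting cabling so the state is visible, then step 4: boot.
    Get-VMNetworkAdapter -VMName $VMName | Select-Object Name, SwitchName, Status
    Start-VM -Name $VMName
}

Set-Client1Location -Location Home
```

Running the function with -Location Corp later in the lab performs step 7 of the two-way check, so the same script covers both moves and the adapter table it prints is the record of which switch the client was on for each test.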


Check the DirectAccess connection

DirectAccess automatically connects CLIENT1 to the Corpnet. In this step, you will verify this connection.

1. From the Desktop, click the network icon in the notification area.

Notice that Workplace Connection shows a status of Connected. You will also see the local connection to the Private Homenet.

2. Right-click Workplace Connection, and then click View connection properties.


Notice that the DirectAccess properties show that you are connected remotely in the Status section, and that Multisite shows you which site you are connected to.

3. Click OK to close the DirectAccess Properties window.

Verify that CLIENT1 is connected to the Private Corpnet

1. From the Start window, type PowerShell, and then right-click the PowerShell tile.


2. Click Run as Administrator at the bottom of the screen.

3. In the elevated PowerShell window, type ping DC1 and then press ENTER.

4. From the Desktop, click the Explorer icon on the task bar.


5. In the address bar, type the following UNC path and press ENTER: \\DC1\Files

6. Close the Explorer window.

7. From the Desktop, click the Internet Explorer icon on the task bar.

Notice that the APP1 intranet site appears in the browser window.

8. Close Internet Explorer.
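The checks in "Check the DirectAccess connection" and "Verify that CLIENT1 is connected to the Private Corpnet" can be collected in one pass from the elevated PowerShell window on CLIENT1. The following function is an added example, not part of the guide: it reads the same connection state the network flyout shows, adds two client-side checks a practitioner would want (the NLS URL and the NRPT rules the client GPO delivered), and then performs the ping, share and web tests from the steps above. Host names and the share path are the guide's; the APP1 URL http://app1 is an assumption.

```powershell
# Added example, not part of the original guide: client-side verification of the
# DirectAccess connection, run in an elevated PowerShell on CLIENT1 (Windows 8).
function Test-DAClientSide {
    $r = [ordered]@{}

    # Same source as the flyout's "Connected". ConnectedRemotely is the expected
    # value while CLIENT1 is on the Homenet switch; ConnectedLocally means the
    # client reached the NLS, decided it is inside, and is not using its tunnels.
    $da = Get-DAConnectionStatus
    $r["DA status"] = "$($da.Status) / $($da.Substatus)"

    # The URL the client probes to make that inside/outside decision. From home
    # this probe must fail: if the NLS is reachable from the Internet, every
    # remote client concludes it is local and DirectAccess quietly stops working.
    $r["NLS URL"] = (Get-NCSIPolicyConfiguration).DomainLocationDeterminationURL

    # NRPT rules are what send corporate name lookups over the tunnel; an empty
    # table means the client settings GPO never applied to this machine.
    $r["NRPT namespaces"] = (Get-DnsClientNrptPolicy | ForEach-Object { $_.Namespace }) -join ", "

    # Steps 3 and 5: DC1 answers, and its share opens, over the tunnel.
    $r["ping DC1"]    = Test-Connection -ComputerName DC1 -Count 2 -Quiet
    $r["\\DC1\Files"] = Test-Path -Path "\\DC1\Files"

    # Step 7: the APP1 intranet site, fetched without a browser (URL assumed).
    try {
        $r["APP1 http"] = (Invoke-WebRequest -Uri "http://app1" -UseBasicParsing).StatusCode
    } catch {
        $r["APP1 http"] = "failed: $($_.Exception.Message)"
    }
    return $r
}

Test-DAClientSide
```

A result of ConnectedLocally while the VM is on the Private Homenet switch points at the NLS record or the NLS reachability rather than at the tunnel, which is why the NLS URL is printed next to the status.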

Verify that the connection is two-way

1. Connect to the DC1 virtual machine.

2. Open PowerShell.


3. Type the following and press ENTER: ping client1

4. Close PowerShell.

5. From the Desktop, open Explorer.

6. Type the following UNC path into the address bar and press ENTER: \\CLIENT1\Files

Notice that DC1 is able to ping CLIENT1 and connect to its file shares even though the user has not initiated the connection. CLIENT1 is connected to the Workplace Network as long as it has a working Internet connection.

7. If you want, you can disconnect CLIENT1 from the Private Homenet virtual switch and then connect CLIENT1 directly to the Private Corpnet virtual switch in Hyper-V.

This section showed that the user experience is seamless whether CLIENT1 is connected directly to the private corpnet or through a remote DirectAccess connection. It also showed that CLIENT1 can be managed from the corpnet.
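The manage-out direction tested above can also be scripted from DC1. The following function is an added example, not code from the guide: it repeats the ping and share checks from steps 3 and 6, adds a remote WMI query of the kind that patch and inventory tooling performs (the concrete form of "CLIENT1 can be managed from the corpnet"), and asks 3-EDGE1 for its own view of the active connections. Host names are the guide's; the Invoke-Command step assumes PowerShell remoting is enabled on 3-EDGE1, which the guide does not state.

```powershell
# Added example, not part of the original guide: verify the corpnet-to-client
# direction from DC1 and show the DirectAccess server's session list.
function Test-DAManageOut {
    param([string]$Client = "CLIENT1", [string]$DAServer = "3-EDGE1")
    $r = [ordered]@{}

    # Which address DC1 resolves the client to; a DirectAccess client is reached
    # over the IPv6 address it registered, so an A-only answer is a warning sign.
    $r["resolves to"] = (Resolve-DnsName -Name $Client -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty IPAddress) -join ", "

    # Step 3: ping from the corpnet.
    $r["ping"] = Test-Connection -ComputerName $Client -Count 2 -Quiet

    # Step 6: the client's file share, opened without the user doing anything.
    $r["\\$Client\Files"] = Test-Path -Path "\\$Client\Files"

    # Added check: a remote WMI query, the same path management agents use.
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Client -ErrorAction Stop
        $r["remote WMI"] = "$($os.Caption), last boot $($os.ConvertToDateTime($os.LastBootUpTime))"
    } catch {
        $r["remote WMI"] = "failed: $($_.Exception.Message)"
    }

    # Server side: the DirectAccess server's list of current client connections
    # (ASSUMPTION: PowerShell remoting to 3-EDGE1 is enabled).
    $r["sessions on $DAServer"] = Invoke-Command -ComputerName $DAServer -ScriptBlock {
        Get-RemoteAccessConnectionStatistics
    }
    return $r
}

Test-DAManageOut
```

Each entry that fails narrows the problem: name resolution failing means DC1 never learned the client's address, ping succeeding while the share fails points at the client firewall or share permissions, and an empty session list on 3-EDGE1 means the client is not connected at all despite what it shows locally.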


Next steps

In this workshop, you learned how to use the Quick Setup Wizard for a basic DirectAccess deployment. You also saw a demo of the DirectAccess user experience that simulated a user taking home a laptop and connecting to the corporate network.

In the next workshop, you will learn how to perform a basic PKI deployment.

Additional resources

To use Windows PowerShell cmdlets to automate setup operations, see Remote Access Cmdlets in Windows PowerShell.
