DirectAccess, do’s and don’ts

DESCRIPTION

Are you considering deploying DirectAccess? DirectAccess is Microsoft’s next generation remote access solution providing a seamless corporate network connectivity experience. The session will cover a number of issues that IT professionals deploying DirectAccess should be aware of including load balancing, certificates, and IP Infrastructure requirements.

DIRECT ACCESS, DO’S AND DON’TS

KIERAN JACOBSEN

HP ENTERPRISE SERVICES

PLAN FOR THE NIGHT

• Pre-deployment design considerations

• Deploying your first server

• Diagnosing Issues

WINDOWS 7 OR 8/8.1

Windows 7:

• Requires certificate based computer authentication

• Doesn’t support the use of NULL ciphers when IPHTTPS is used

• Requires the DirectAccess Connectivity Assistant to be installed

• Has limited support for multi site deployments

HIGH AVAILABILITY OPTIONS

• Load Balancing

    • NLB

    • External Load Balancer

• Multi Site

    • Clients can select entry points automatically or can specify them manually

    • Global load balanced IP support

    • Limited Windows 7 support

• Cannot deploy DirectAccess load balancing or multi-site on 2012 R2 when Web Proxy Server is installed

3RD PARTY LOAD BALANCERS

• F5 and Riverbed support various deployment types

• Ensure you enable NULL SSL Ciphers

• Can provide SSL offload support (if supporting Windows 7)

DIRECTACCESS AND PKI

• CRL and Strong CRL validation

• IPsec will fail to establish a connection when certificate-based computer authentication is used with computer certificates signed using the SHA-512 hashing algorithm
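The two PKI points above are easy to check before a rollout. The script below is an added example, not part of the original slides: it walks the local machine certificate store and reports, per certificate, the signature hash (so SHA-512 signed certificates stand out), whether the Client Authentication EKU that IPsec computer authentication needs is present, and the CRL distribution point URLs that the DirectAccess server must be able to fetch. The store path is the only assumption; run it on a DirectAccess client or server.

```powershell
# Added example, not from the slides: a report over the local machine certificate
# store that flags the two PKI problems named on the slide. Sha512Risk marks
# certificates signed with SHA-512, which IPsec computer authentication rejects;
# CrlUrls lists the CRL distribution points that CRL checking has to reach.
# $StorePath is an assumption; adjust it for a different store.
function Get-DaCertificateReport {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        # CRL Distribution Points extension (OID 2.5.29.31), rendered as one line of text
        $cdpText = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' } |
                    ForEach-Object { $_.Format($false) }) -join ' '
        $crlUrls = [regex]::Matches($cdpText, 'URL=([^\s,]+)') | ForEach-Object { $_.Groups[1].Value }
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            SignatureHash = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha256RSA
            # Client Authentication EKU (1.3.6.1.5.5.7.3.2) is what IPsec computer auth uses
            ClientAuth    = [bool]($cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2')
            Sha512Risk    = [bool]($cert.SignatureAlgorithm.FriendlyName -match '512')
            CrlUrls       = ($crlUrls -join '; ')
        }
    }
}

# Show only the certificates DirectAccess can use, SHA-512 signed ones first
Get-DaCertificateReport | Where-Object ClientAuth | Sort-Object Sha512Risk -Descending |
    Format-Table Subject, SignatureHash, Sha512Risk, NotAfter, CrlUrls -AutoSize
```

The CrlUrls column is worth checking from both sides: the computer certificate CRLs must be reachable from the DirectAccess server, and the IP-HTTPS certificate CRL must be reachable from clients on the Internet, otherwise revocation checking fails before the tunnel is up. `certutil -verify -urlfetch <file.cer>` exercises the same URLs end to end, and `netsh advfirewall show global` shows the IPsec StrongCRLCheck setting the slide refers to.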

LET’S DEPLOY

DON’T USE THE GETTING STARTED WIZARD

DIRECTACCESS WITH OR WITHOUT VPN

JUST 4 SIMPLE STEPS

STEP 1: FULL ACCESS OR MANAGE OUT?

STEP 1: GROUPS

STEP 1: NETWORK CONNECTIVITY

STEP 2: NETWORK PLACEMENT

STEP 2: NETWORK ADAPTERS

STEP 2: AUTHENTICATION

STEP 3: NETWORK LOCATION SERVICE

STEP 3: DNS AND NRPT

NRPT RESOLUTION: EXCHANGE.CITADEL.UMBRELLACORP.INFO

Whilst connected to DirectAccess, the user’s Outlook client needs to connect to exchange.citadel.umbrellacorp.info

1. The FQDN is compared against the NRPT – it matches only the first entry in the table, which directs it to the DNS proxy on the DirectAccess server

2. The user’s computer sends a DNS request to the DirectAccess server

3. The DirectAccess server uses its locally configured network interfaces to resolve the request; if the response from the corporate DNS servers is an IPv4 address, the DirectAccess server substitutes an IPv6 address.

4. Response is sent to the DirectAccess client

NRPT RESOLUTION:INSIDE.CITADEL.UMBRELLACORP.INFO (NLS ADDRESS)

Whilst connected to DirectAccess, DirectAccess performs a connectivity test to determine whether it is connected to the corporate network

1. The FQDN is compared against the NRPT – it matches the second entry in the table, which is the NRPT exemption.

2. The user’s computer sends a DNS request directly to the DNS server configured on the client’s NIC

3. Public DNS is unable to resolve the address, so DirectAccess determines it is still externally connected.

NRPT RESOLUTION: MICROSOFT.COM

Whilst connected to DirectAccess, the user opens Internet Explorer and attempts to open the Microsoft web page

1. The FQDN is compared against the NRPT – no matching entries are found

2. If Split Tunnelling (default): the user’s computer sends a DNS request directly to the DNS server configured on the client’s NIC; public DNS then resolves the address and responds to the client.

OR

If Force Tunnelling: the user’s computer sends the DNS request to the DirectAccess server, and the DirectAccess server uses its locally configured network interfaces to resolve the request; if the response from the corporate DNS servers is an IPv4 address, the DirectAccess server substitutes an IPv6 address. The address is then sent to the client.

NRPT RESOLUTION: INTRANET (SINGLE LABEL)

Whilst connected to DirectAccess, the user opens Internet Explorer, types intranet in the address box and hits enter:

1. A single-label name is in use, so a DNS suffix is appended to the request to form an FQDN

2. The FQDN is compared against the NRPT – it matches only the first entry in the table, which directs it to the DNS proxy on the DirectAccess server

3. The user’s computer sends a DNS request to the DirectAccess server

4. The DirectAccess server uses its locally configured network interfaces to resolve the request; if the response from the corporate DNS servers is an IPv4 address, the DirectAccess server substitutes an IPv6 address.

5. The response is sent to the DirectAccess client – either 1) the resolved address or 2) name not found

6. If the name has been resolved, the process is complete. If the name was not found, return to step 2 and try the next entry in the DNS suffix search order. If all suffix search entries have been exhausted, continue to 7.

7. Attempt to use LLMNR, NetBIOS or WINS * Special Warning *
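The four walkthroughs above are one decision procedure seen from four names. The script below is an added example, not from the slides, that models that procedure: an NRPT with the corporate suffix rule and the NLS exemption, a two-entry DNS suffix search list, and two stand-in resolvers (the DirectAccess DNS proxy with its IPv6 substitution, and the DNS server on the client’s NIC). Every rule, record, suffix and the NAT64 prefix is constructed to mirror the umbrellacorp.info examples; the labels DAProxy and ClientNic name the two resolution paths and are not cmdlet output. It generalises the slides slightly by handling any number of suffixes and both tunnelling modes.

```powershell
# Added example, not from the slides: a model of the NRPT decisions a DirectAccess
# client makes before sending a DNS query. Rule table, suffix list, DNS records and
# NAT64 prefix are all constructed; 'DAProxy' and 'ClientNic' label the two paths.

# Constructed NRPT in the order the wizard creates it: the corporate namespace goes
# to the DNS proxy on the DirectAccess server; the NLS name is exempted so the client
# resolves it through whatever DNS server its NIC has.
$Nrpt = @(
    [pscustomobject]@{ Namespace = '.citadel.umbrellacorp.info';       Exempt = $false }
    [pscustomobject]@{ Namespace = 'inside.citadel.umbrellacorp.info'; Exempt = $true  }
)
$SuffixSearchList = @('umbrellacorp.info', 'citadel.umbrellacorp.info')   # constructed
$CorporateDns = @{                                                        # constructed
    'exchange.citadel.umbrellacorp.info' = '10.10.1.20'
    'inside.citadel.umbrellacorp.info'   = '10.10.1.5'
    'intranet.citadel.umbrellacorp.info' = '10.10.1.30'
}
$PublicDns   = @{ 'microsoft.com' = '203.0.113.10' }                      # constructed
$Nat64Prefix = '64:ff9b::'   # assumed; a real deployment uses its own NAT64 prefix

function ConvertTo-Nat64Address {
    # DNS64 on the DirectAccess server replaces an IPv4 answer with prefix::a.b.c.d
    param([string]$IPv4)
    $o = $IPv4.Split('.') | ForEach-Object { [int]$_ }
    '{0}{1:x2}{2:x2}:{3:x2}{4:x2}' -f $Nat64Prefix, $o[0], $o[1], $o[2], $o[3]
}

function Get-NrptRule {
    # Suffix rules (leading dot) match every name beneath them; exact rules match one
    # name. The most specific match wins, which is why the NLS exemption beats the
    # corporate suffix rule for inside.citadel.umbrellacorp.info.
    param([string]$Fqdn, [object[]]$Rules)
    $name = $Fqdn.TrimEnd('.').ToLowerInvariant()
    $best = $null
    foreach ($rule in $Rules) {
        $ns  = $rule.Namespace.ToLowerInvariant()
        $hit = if ($ns.StartsWith('.')) { $name.EndsWith($ns) } else { $name -eq $ns }
        if ($hit -and ($null -eq $best -or $ns.Length -gt $best.Namespace.Length)) { $best = $rule }
    }
    $best
}

function Invoke-ConstructedDns {
    # Stand-in for the two real resolvers: the DA server's DNS proxy (corporate DNS
    # with DNS64 rewriting) and the DNS server configured on the client's NIC.
    param([string]$Fqdn, [string]$Path)
    $key = $Fqdn.ToLowerInvariant()
    if ($Path -eq 'DAProxy') {
        if ($CorporateDns.ContainsKey($key)) { return ConvertTo-Nat64Address $CorporateDns[$key] }
        if ($PublicDns.ContainsKey($key))    { return ConvertTo-Nat64Address $PublicDns[$key] }  # force tunnel
        return $null
    }
    # ClientNic: public DNS knows nothing about corporate names
    if ($PublicDns.ContainsKey($key)) { return $PublicDns[$key] }
    return $null
}

function Resolve-DaName {
    param([Parameter(Mandatory)][string]$Name, [switch]$ForceTunnel)
    # A single-label name is expanded with each suffix in search order (steps 1 to 6);
    # an FQDN is tried as-is.
    $candidates = if ($Name.Contains('.')) { @($Name) } else { $SuffixSearchList | ForEach-Object { '{0}.{1}' -f $Name, $_ } }
    foreach ($fqdn in $candidates) {
        $rule = Get-NrptRule -Fqdn $fqdn -Rules $Nrpt
        if ($null -eq $rule) { $path = if ($ForceTunnel) { 'DAProxy' } else { 'ClientNic' } }
        elseif ($rule.Exempt) { $path = 'ClientNic' } else { $path = 'DAProxy' }
        $answer = Invoke-ConstructedDns -Fqdn $fqdn -Path $path
        if ($answer) { return [pscustomobject]@{ Query = $fqdn; Path = $path; Answer = $answer } }
    }
    # Every suffix exhausted (step 7): the client falls back to LLMNR/NetBIOS broadcast
    [pscustomobject]@{ Query = $Name; Path = 'LLMNR/NetBIOS'; Answer = $null }
}

Resolve-DaName 'exchange.citadel.umbrellacorp.info'   # corporate suffix rule: DA proxy, IPv6 answer
Resolve-DaName 'inside.citadel.umbrellacorp.info'     # NLS exemption: client NIC, no answer, still outside
Resolve-DaName 'microsoft.com'                        # no rule, split tunnel: client NIC
Resolve-DaName 'microsoft.com' -ForceTunnel           # no rule, force tunnel: DA proxy
Resolve-DaName 'intranet'                             # first suffix fails, second suffix matches
Resolve-DaName 'printer'                              # every suffix fails: LLMNR/NetBIOS fallback
```

The last call is the case behind the slide’s special warning: once the suffix list is exhausted, the name is broadcast with LLMNR or NetBIOS on whatever local network the client happens to be on, not sent over the tunnel. A suffix search list that covers every internal namespace keeps single-label lookups on the DirectAccess path instead.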

NRPT RESOLUTION: INTRANET (SINGLE LABEL) – LOCAL NAME RESOLUTION

STEP 3: DNS AND NRPT (FORCE TUNNEL)

STEP 3: DNS SUFFIXES

STEP 3: MANAGEMENT SERVERS

STEP 4: APPLICATION SERVERS

FINISHING YOUR DEPLOYMENT

DEPLOYMENT DONE

DIRECTACCESS DIAGNOSTICS

• Check Operation Status in the Remote Access Management Console

• DirectAccess diagnostic log available from the client

    • Steps to access it changed between Windows 8 and 8.1

    • Information logged:

        • NCA Connection Status (Probes List)

        • IP-HTTPS Configuration (Get-NetIPHttpsConfiguration) and IP-HTTPS State (Get-NetIPHttpsState)

        • NRPT Policy (Get-DnsClientNrptPolicy)

        • IPsec Main Mode SAs (Get-NetIPsecMainModeSA)

        • IPsec Quick Mode SAs (Get-NetIPsecQuickModeSA)

        • And more…

DIRECTACCESS DIAGNOSTICS – EXTRA COMMANDS

• “Custom Commands” group policy

    • Computer Configuration -> Admin Templates -> Network -> DirectAccess Client Experience Settings -> Custom Commands

• Can be any PowerShell Command/Cmdlet/Function/Script

• Recommended:

    • $wc = New-Object Net.WebClient; $wc.DownloadString("https://<your NLS address>/")

    • $wc = New-Object Net.WebClient; $wc.DownloadString("https://<your NCA address>/")

    • nltest /dnsgetdc:<domain name>

    • netsh advfirewall show currentprofile
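The diagnostic log contents and the recommended custom commands can be collected in one go. The script below is an added example, not from the slides, that wraps the cmdlets listed in the diagnostics section together with the NLS and NCA probes recommended above, and returns one object a helpdesk can read. The two URLs are placeholders for your own NLS and NCA addresses; run it from an elevated PowerShell prompt on a Windows 8.1 client.

```powershell
# Added example, not from the slides: a client-side health snapshot built from the
# cmdlets the DirectAccess diagnostic log collects plus the NLS/NCA probes from the
# Custom Commands slide. Both URLs are placeholders for your own addresses.
$NlsUrl = 'https://<your NLS address>/'
$NcaUrl = 'https://<your NCA address>/'

function Test-DaProbe {
    # Same check as $wc.DownloadString(...) on the slide, with a timeout so a blocked
    # NLS cannot stall the collection, and the outcome returned instead of thrown.
    param([string]$Url)
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
        [pscustomobject]@{ Url = $Url; Reachable = $true;  Detail = "HTTP $($r.StatusCode)" }
    } catch {
        [pscustomobject]@{ Url = $Url; Reachable = $false; Detail = $_.Exception.Message }
    }
}

function Get-DaHealthSnapshot {
    param([string]$NlsUrl, [string]$NcaUrl)
    $s = [ordered]@{}
    # NCA's view of the tunnel (Windows 8 and later; empty if DirectAccess is not configured)
    $s.ConnectionStatus = Get-DAConnectionStatus -ErrorAction SilentlyContinue
    # IP-HTTPS: the configured URL/profile and the live interface state with its last error
    $s.IpHttpsConfig = Get-NetIPHttpsConfiguration
    $s.IpHttpsState  = Get-NetIPHttpsState
    # Effective NRPT: which namespaces go to the DirectAccess DNS proxy and which are exempt
    $s.Nrpt = Get-DnsClientNrptPolicy |
              Select-Object Namespace, DirectAccessDnsServers, DirectAccessEnabled, NameServers
    # IPsec: no main mode SA means authentication never completed; main mode without
    # quick mode points at tunnel policy rather than at authentication
    $s.MainModeSA  = @(Get-NetIPsecMainModeSA  -ErrorAction SilentlyContinue)
    $s.QuickModeSA = @(Get-NetIPsecQuickModeSA -ErrorAction SilentlyContinue)
    # Probes: the NLS must answer inside the corporate network and must not from outside;
    # the NCA probe must answer over the tunnel
    $s.NlsProbe = Test-DaProbe -Url $NlsUrl
    $s.NcaProbe = Test-DaProbe -Url $NcaUrl
    # Windows Firewall must stay on: DirectAccess depends on its IPsec components
    $s.FirewallProfiles   = Get-NetFirewallProfile   | Select-Object Name, Enabled
    $s.ConnectionProfiles = Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory
    [pscustomobject]$s
}

$snapshot = Get-DaHealthSnapshot -NlsUrl $NlsUrl -NcaUrl $NcaUrl
$snapshot | Format-List

# The two facts that decide whether the client even tries to bring the tunnel up
if ($snapshot.NlsProbe.Reachable) {
    'NLS reachable: client treats itself as inside the corporate network, DirectAccess stays off'
} else {
    "NLS unreachable: client treats itself as outside; IPsec main mode SAs: $($snapshot.MainModeSA.Count)"
}
```

The NLS probe result is the one to read first. If it succeeds from an Internet connection, the NLS has been exposed and every client that can reach it will disable DirectAccess; if it fails from inside the corporate network, internal clients will try to tunnel to themselves. Only once that is right do the IP-HTTPS state and the IPsec SA counts tell you where the tunnel itself is failing.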

DIRECTACCESS AND GROUP POLICY

• Server and workstation configured using group policy

• Created by management console

• Server policy filtered by server AD account

• Client policy filtered by specified groups in step 1 wizard

• Multi site creates server policies for each site

• Policies created at root of domain

ANTIVIRUS AND SECURITY SOFTWARE

• DirectAccess requires Windows Firewall IPSEC components

• Be careful of web filtering functions

• Ensure network IPS/IDS exclusions are correct

QUESTIONS AND LINKS

• My Blog: http://aperturescience.su

• My Twitter: @kjacobsen

• Richard Hicks’ Blog: http://directaccess.richardhicks.com/

• Tom Shinder’s Blog: http://blogs.technet.com/b/tomshinder