Forefront UAG DirectAccess Proof of Concept Lab Guide
Microsoft Corporation
Published: August 2010

Abstract
DirectAccess is a new feature in the Windows® 7 and Windows Server® 2008 R2 operating systems that enables remote users to securely access intranet shared folders, Web sites, and applications without connecting to a virtual private network (VPN). Forefront UAG DirectAccess extends the benefits of Windows DirectAccess across your infrastructure by enhancing availability and scalability, as well as simplifying deployments and ongoing management. This paper contains an introduction to DirectAccess and step-by-step instructions for creating a Proof of Concept test lab that breaks out the UAG DirectAccess server and DirectAccess client machines into a forest separate from the production forest.


Copyright Information
This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2010 Microsoft Corporation. All rights reserved.

Date of last update: August 7, 2010

Microsoft, Windows, Active Directory, Internet Explorer, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.


Contents

Introduction
Overview of the POC Lab Environment
Overview of Configuration Steps
1. Configure DC1 (PILOT DOMAIN)
   A. Install the OS on DC1
   B. Configure TCP/IP Properties on DC1
   C. Rename the DC1 Computer or Virtual Machine
   D. Configure DC1 as a Domain Controller and DNS Server
   E. Create Reverse Lookup Zone on DNS Server on DC1
   F. Enter PTR Record for DC1
   G. Enable ISATAP Name Resolution on DNS Server on DC1
   H. Create DNS Records for NLS and ISATAP on DC1
   I. Configure Conditional Forwarding to the CORP Domain on DC1
   J. Configure DC1 as DHCP and Certificate Server
   K. Create a New Administrator Account in Active Directory on DC1
   L. Create a Security Group for DirectAccess Clients on DC1
   M. Create and Deploy a Security Template for the IP-HTTPS Listener Certificate and Network Location Server Certificate
   N. Create ICMPv4 and ICMPv6 Echo Request Firewall Rules in Domain Group Policy on DC1
   O. Enable Computer Certificate Autoenrollment in Group Policy for the PILOT Domain on DC1
   P. Configure DNS Suffix Search List in Group Policy on DC1
   Q. Create a Shared Folder on the C:\ Drive on DC1
2. Configure DC2 (CORP DOMAIN)
   A. Install the OS on DC2
   B. Configure TCP/IP Properties on DC2
   C. Rename the DC2 Computer to DC2
   D. Configure DC2 as a Domain Controller and DNS Server
   E. Enable ISATAP Name Resolution on DNS Server on DC2
   F. Create a Reverse Lookup Zone on the DC2 DNS Server
   G. Enter Pointer (PTR) Record for DC2 on the DC2 DNS Server
   H. Create a Host (A) Record for ISATAP on the DC2 DNS Server
   I. Configure Conditional Forwarding to the PILOT Domain on the DC2 DNS Server
   J. Create a New Administrator User Account in Active Directory on DC2
   K. On DC2 Configure a Two-way Trust between the CORP and PILOT Forests
   L. Install Web Server Role on DC2
   M. Create a Shared Folder on the C:\ Drive
3. Configure APP1 (PILOT Domain)
   A. Install the OS on APP1
   B. Configure TCP/IP Properties on APP1
   C. Rename the APP1 Computer or Virtual Machine and Join the PILOT Domain
   D. Obtain NLS Certificate for SSL Connections to Network Location Server on APP1
   E. Install the Web Server Role on APP1
   F. Configure the HTTPS Security Binding on the NLS Web Site on APP1
4. Configure UAG1 (PILOT DOMAIN)
   A. Install the OS on UAG1
   B. Configure TCP/IP Properties on UAG1
   C. Rename the Computer and Join UAG1 to the PILOT Domain
   D. Obtain the IP-HTTPS Listener Certificate on UAG1
   E. Install Forefront UAG on UAG1
   F. Run the UAG Getting Started Wizard
   G. Run the UAG DirectAccess Configuration Wizard
   H. Confirm Group Policy Settings on UAG1
   I. Confirm IPv6 Settings on UAG1
   J. Update IPv6 Settings on DC1
   K. Update IPv6 Settings on DC2
   L. Confirm IPv6 Address Registration in DNS
   M. Confirm IPv6 Connectivity between DC1/DC2/UAG1
5. Configure CLIENT1 (PILOT DOMAIN)
   A. Install the Operating System on CLIENT1
   B. Join CLIENT1 to the PILOT Domain
   C. Add CLIENT1 to the DA_Clients Security Group
   D. Add CORP\User2 to Local Administrators Group on CLIENT1
   E. Test IPv6 Configuration, Confirm Group Policy Settings and Machine Certificate on CLIENT1
   F. Test Connectivity to a Network Share and the Network Location Server
6. Configure INET1
   A. Install the Operating System
   B. Configure TCP/IP Properties on INET1
   C. Rename the Computer on INET1
   D. Install and Configure the DNS Server Role on INET1
   E. Install the DHCP Server Role on INET1
7. Configure NAT1
   A. Install the OS on NAT1
   B. Rename the Network Interfaces on NAT1
   C. Disable 6to4 on NAT1
   D. Configure ICS on the External Interface of NAT1
8. Configure APP3
   A. Install the OS on APP3
   B. Install Web Services
   C. Create a Shared Folder on C:\
9. Test DirectAccess Connectivity from the Internet
10. Test DirectAccess Connectivity from Behind a NAT Device
   A. Testing Teredo Connectivity
   B. Testing IP-HTTPS Connectivity
11. Test Connectivity When Returning to the Corpnet


Introduction
Introducing DirectAccess into a production environment can be a challenging task for multiple groups within an organization. Network security administrators, Active Directory domain and forest administrators, desktop management administrators, and many others may be concerned about the introduction of a new technology. While many organizations have great interest in DirectAccess and the scenarios it enables, they have concerns about integrating a new technology into their corporate network, especially one that interfaces with their Active Directory infrastructure.

For these reasons, many organizations may prefer that the UAG DirectAccess server and the DirectAccess client computer accounts be deployed in a dedicated forest that is separate from the production environment. The UAG proof of concept forest is then configured with a two-way trust to the organization's resource forest(s). The advantages of this approach include:

Making network security professionals more comfortable with placing an Internet-facing domain member on the network, since the UAG DirectAccess server must be joined to an Active Directory domain.

Reducing the number of user accounts in the UAG DirectAccess domain to just two: the default domain administrator account and a domain/forest admin account that is used for configuration and management. The default domain administrator account can be renamed and given a very complex password, and the admin account used for configuration and management can be given a hard-to-guess name and a complex, but more manageable, password. This reduces the risk of compromise of the UAG domain/forest accounts, which might otherwise be used to launch an attack against the production domains/forests. Note that because the trust is two-way, the PILOT forest still needs the same hardening as production; the separation limits exposure of production GPOs and accounts, it does not isolate the forests from each other.

Computer accounts for the Proof of Concept belong to the UAG DirectAccess forest, but the user accounts remain in the production domains and forests. This gives administrators a higher-fidelity experience with DirectAccess, since the DirectAccess client connects to production resources. The organization can test whether DirectAccess is compatible with its current application suite, determine which applications may not be compatible, and identify candidates for upgrade or replacement.

Reducing the organization's risk related to Group Policy Object configuration. IT organizations may be concerned about deploying UAG DirectAccess Group Policy settings into the production domains and forests before thoroughly testing the solution.

It needs to be emphasized that breaking the UAG DirectAccess forest and UAG DirectAccess GPOs out of the production environment should be considered part of a Proof of Concept (POC) deployment only. Organizations should not interpret this design as the Microsoft recommended configuration for production deployments. Instead, this approach is a Proof of Concept deployment approach that enables organizations to get a more "real world" experience from the perspectives of both the end user, with the organization's current application suite, and the IT group's ability to "manage out" or remotely manage DirectAccess clients.

The goal of separating out the UAG DirectAccess forest from the production forest is to create a safe POC deployment environment where organizations can safely deploy Group Policy Objects to a UAG DirectAccess forest, while leaving the production Active Directory GPOs untouched. We consider this a superior approach for deploying a POC. It is simple to deploy a separate forest for the UAG DirectAccess server and computer accounts, which can easily be taken down after completing the POC stage.

Important: This document is designed to provide a test lab environment that highlights the configuration options you would carry out for your own UAG DirectAccess Proof of Concept. Many of the settings created in this document are specific to the lab environment, and are not to be considered appropriate for a live Proof of Concept deployment or to be considered best practices. It is critical that you review the Forefront UAG DirectAccess Deployment Guide before you begin your live Proof of Concept. This POC lab guide will help bring many of the principles you read about in the deployment guide into a practical context.

Overview of the POC Lab Environment
The POC lab environment is depicted in figure 1. Figure 1 includes the names of the servers and clients, the domains participating in the solution, and the network connections used by each of the clients and servers. There is an IP addressing table at the bottom of the figure.

Figure 1: Diagram of the POC/Pilot lab environment

In figure 1, note that there are three network segments, each of which represents an isolated Ethernet broadcast domain. You can use physical servers and separate physical switches, or physical servers and VLANs, or virtual machines and virtual networks to accomplish this goal. If you are using Hyper-V, configure three different Private virtual networks for VN1 (Corpnet), VN2 (Internet) and VN3 (Homenet).

The computers on the network include:

DC1. This is the Windows Server 2008 R2 Enterprise Edition domain controller for the pilot.contoso.com forest. The PILOT domain is the UAG DirectAccess domain, and will contain the computer accounts used in the POC project. UAG DirectAccess GPOs are deployed only to this forest. DC1 also provides DHCP, DNS, Web, and Certificate services to the network.


DC2. This is the Windows Server 2008 R2 Enterprise Edition domain controller for the corp.contoso.com forest. The CORP domain is the resource domain, and thus contains the user accounts used by the DirectAccess clients; it also includes the application resources that are accessed by the CORP domain users when connecting as DirectAccess clients. A two-way trust is established between the PILOT and CORP domains to enable Kerberos authentication required for building out the second (intranet) tunnel.

APP1. This is a Windows Server 2008 R2 computer that belongs to the PILOT domain. APP1 is responsible for hosting the Network Location Server (NLS), which enables DirectAccess clients to detect if they are currently located on the intranet.

APP3. This is an IPv4-only application server in the CORP (resource) domain, used to demonstrate DirectAccess users' ability to connect to IPv4-only resources on the corpnet. It runs Windows Server 2003 Enterprise Edition.

UAG1. This is the UAG DirectAccess server, acting in DirectAccess server mode only; no other UAG roles are deployed on this server. UAG1 is a member of the UAG DirectAccess domain, which is the PILOT domain. UAG1 runs Windows Server 2008 R2 (required for the UAG DirectAccess server installation).

INET1. This is on the simulated Internet. This computer supplies DNS and DHCP services to computers connected to the simulated Internet. Specifically, it provides Internet IP addressing information for CLIENT1 so that it can act as a 6to4 client, and provides name resolution so that CLIENT1 can resolve the name of the UAG DirectAccess server to the IP address that accepts 6to4 connections on the external interface of the UAG server.

NAT1. This is a Windows 7 computer acting as a NAT device that connects a private address (RFC 1918) network to the simulated Internet. Internet Connection Sharing (ICS) is enabled on NAT1 to provide NAT, DHCP and name resolution services to CLIENT1. CLIENT1 will be placed behind NAT1 to test Teredo and IP-HTTPS connectivity.

CLIENT1. This is a Windows 7 client that will act as the DirectAccess client. The CLIENT1 machine account will belong to the PILOT domain so that UAG DirectAccess client Group Policy Object settings can be enforced on this machine. However, when CLIENT1 is placed on the simulated Internet and behind the NAT device, a user from the resource domain (CORP) will be connecting to the network over a DirectAccess connection.

NOTE: Many of the configuration settings included in this document are specific for the lab environment, and are enabled to streamline the lab environment and facilitate various activities, such as name resolution. Where appropriate, this document calls out what activities are specific for the DirectAccess solution to work correctly, and which activities or configuration settings are optional and not required for DirectAccess to work correctly.
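The two-way forest trust described for DC2 above is the part of this environment most often left half-working, because the Kerberos-authenticated intranet tunnel silently fails when it is. The following check is an added example written for this edition of the guide, not Microsoft's own lab text. It is meant for an elevated PowerShell 2.0 prompt on DC1, run as a PILOT domain admin after section 2K has been completed, and uses netdom.exe and nltest.exe, both of which are present on a Windows Server 2008 R2 domain controller. The only names it relies on are the two forest root domains given in this document, pilot.contoso.com and corp.contoso.com.

```powershell
# Added example, not part of the Microsoft lab guide: verify the two-way PILOT <-> CORP forest
# trust from DC1 with netdom.exe and nltest.exe (both ship on Windows Server 2008 R2 DCs).
# Run elevated as a PILOT domain admin once step 2.K has been completed.
$LocalForest  = 'pilot.contoso.com'
$RemoteForest = 'corp.contoso.com'

function Invoke-NativeCheck {
    # Run a native tool, echo its output, and report pass/fail from its exit code.
    param([string]$Label, [string]$Exe, [string[]]$Arguments)
    $out = & $Exe @Arguments 2>&1 | Out-String
    $ok  = ($LASTEXITCODE -eq 0)
    Write-Host ("[{0}] {1}" -f ($(if ($ok) { 'PASS' } else { 'FAIL' }), $Label))
    Write-Host $out.Trim()
    return $ok
}

function Test-ForestTrust {
    $checks = @()
    # Verify the trust in both directions; /twoway makes netdom check the inbound side too.
    $checks += Invoke-NativeCheck "netdom verify $LocalForest <-> $RemoteForest" 'netdom.exe' @(
        'trust', $LocalForest, "/domain:$RemoteForest", '/verify', '/twoway')
    # Enumerate what DC1 knows about trusted domains; the CORP forest should be listed
    # with both 'Direct Outbound' and 'Direct Inbound' flags.
    $checks += Invoke-NativeCheck 'nltest trusted domains' 'nltest.exe' @('/domain_trusts', '/all_trusts')
    # The trust secure channel from DC1 to a CORP domain controller.
    $checks += Invoke-NativeCheck "nltest secure channel to $RemoteForest" 'nltest.exe' @("/sc_verify:$RemoteForest")
    # Cross-forest name resolution through the conditional forwarder (steps 1.I and 2.I).
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($RemoteForest) | ForEach-Object { $_.IPAddressToString }
        Write-Host "[PASS] $RemoteForest resolves to $($ips -join ', ')"
        $checks += $true
    } catch {
        Write-Host "[FAIL] $RemoteForest does not resolve: $($_.Exception.Message)"
        $checks += $false
    }
    return -not ($checks -contains $false)
}

Test-ForestTrust
```

A failing `netdom /verify` on only one direction usually means the trust was created one-way or the trust password fell out of sync; recreate it from step 2K rather than patching one side. The DNS check is listed last on purpose: if CORP names do not resolve from DC1, nothing the UAG server's DNS64 hands to clients will resolve either.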

Overview of Configuration Steps
The following provides a high level view of what you will do in this POC lab:

STEP 1: Configure DC1 (PILOT Domain)
You will configure DC1 to be a domain controller in the PILOT domain. The PILOT domain contains the computer accounts and the UAG DirectAccess client and server GPOs that are applied to the PILOT domain computer accounts. You will configure DC1 to be a DNS server, DHCP server, Enterprise Certificate Server and Web server. DC1 will host a network share used to test SMB connectivity to the PILOT domain over the intranet tunnel.

STEP 2: Configure DC2 (CORP Domain)
You will configure DC2 to be a domain controller in the CORP domain, which is the resource domain containing the user accounts and application resources. This machine is also the DNS server for the CORP domain. A two-way trust between the CORP and PILOT forests will be created, and DNS settings configured so that machines in both domains can resolve names in both domains.

STEP 3: Configure APP1 (PILOT Domain)
APP1 is a Windows Server 2008 R2 computer that acts as the Network Location Server on the network. We have chosen not to install the Network Location Server on the domain controller, even though that would have reduced the number of machines required for the lab network. Locating the NLS on the DC can be problematic if the DC is IPv6-based (which is not the case in this POC lab, or on the vast majority of networks at this time). To ensure a successful pilot experience, we dedicate a server to the NLS role.

STEP 4: Configure UAG1 (PILOT Domain)
UAG1 is a member of the PILOT domain and is the UAG DirectAccess server for the network. Forefront Unified Access Gateway 2010 will be installed on this machine and then DirectAccess will be configured. IPv6 settings will also be checked on each server in this step.

STEP 5: Configure CLIENT1 (PILOT Domain)
CLIENT1 is a Windows 7 client that will act as the DirectAccess client in the POC lab. This machine is a member of the PILOT domain and will move between the intranet, the simulated Internet, and the private network behind the NAT device. CLIENT1 receives the UAG DirectAccess client GPO settings.

STEP 6: Configure INET1
INET1 is located on the simulated Internet and acts as an Internet DNS and DHCP server. You will install and configure the DNS and DHCP services on this machine. It will provide DHCP and DNS services to CLIENT1 when connected to the simulated Internet, and to NAT1's external interface.

STEP 7: Configure NAT1
NAT1 is a NAT device that separates a private address network from the simulated Internet and the UAG DirectAccess server. NAT1 runs Windows 7 with Internet Connection Sharing (ICS) enabled so that it can provide NAT, DHCP and DNS services to ICS clients behind NAT1, such as CLIENT1 when it is moved to the private network.

STEP 8: Configure APP3 (CORP Domain)
APP3 is a Windows Server 2003 Enterprise Edition computer that is a member of the CORP domain. This machine is used to demonstrate NAT64/DNS64 connectivity to IPv4-only resources.

STEP 9: Test DirectAccess from a Direct Internet Connection
In this step you will move CLIENT1 to the simulated Internet and test DirectAccess client connectivity when using the 6to4 IPv6 transition technology (more information about 6to4 is included later in this document).

STEP 10: Test DirectAccess from Behind a NAT Device
In this step you will move CLIENT1 to the private network located behind NAT1. From the private network, you will test DirectAccess client connectivity when it is acting as a Teredo client. Then you will disable Teredo and test connectivity as an IP-HTTPS client. Both Teredo and IP-HTTPS are IPv6 transition technologies and will be discussed later in this document.

STEP 11: Test Connectivity when Returning to the Corpnet
Many of your users will move between remote locations and the corpnet, so it is important that when they connect again to the corpnet they are able to access resources without having to make any configuration changes to their computers. UAG DirectAccess makes this possible because when DirectAccess clients return to the corpnet, they are able to make a connection to the Network Location Server. Once the HTTPS connection to the Network Location Server is successfully established, the DirectAccess client disables its DirectAccess client configuration and uses a direct connection to the corpnet.
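Steps 9, 10 and 11 all come down to the same question asked at three locations: which transition technology is carrying the tunnels, whether the IPsec tunnels are actually established, and whether the client has decided it is inside or outside the corpnet. The script below is an added example written for this edition of the guide, not Microsoft's own lab text, to be run from an elevated PowerShell 2.0 prompt on CLIENT1 at each location. It parses netsh text output (en-US labels assumed). Two names in it are assumptions not stated in this text: the NLS URL https://nls.pilot.contoso.com/ (built from the nls record created in step 1.H) and dc2.corp.contoso.com as a CORP host to ping over the intranet tunnel.

```powershell
# Added example, not from the Microsoft lab guide: DirectAccess client status check for steps 9-11,
# written for Windows 7 / PowerShell 2.0; run from an elevated prompt on CLIENT1.
# ASSUMED names (not given in this excerpt): the NLS URL and the intranet host to probe.
$NlsUrl     = 'https://nls.pilot.contoso.com/'   # ASSUMED: FQDN of the 'nls' record created in step 1.H
$CorpTarget = 'dc2.corp.contoso.com'             # ASSUMED: a CORP host reachable over the intranet tunnel

function Get-NetshSettings {
    # netsh only produces text; pull 'Label : value' lines into a hashtable (en-US labels assumed).
    param([string[]]$NetshArgs)
    $table = @{}
    & netsh.exe @NetshArgs 2>&1 | ForEach-Object {
        if ("$_" -match '^\s*([^:]+?)\s*:\s*(.+?)\s*$') { $table[$matches[1]] = $matches[2] }
    }
    return $table
}

function Get-DirectAccessStatus {
    $s = @{}
    # Inside or Outside: decided by whether the NLS answered over validated HTTPS.
    $dns = Get-NetshSettings 'dnsclient','show','state'
    $s['MachineLocation'] = $dns['Machine Location']
    $s['DASettings']      = $dns['Direct Access Settings']
    # Which transition technology is carrying the IPsec tunnels at this location.
    $s['6to4']    = (Get-NetshSettings 'interface','6to4','show','state')['State']
    $teredo       = Get-NetshSettings 'interface','teredo','show','state'
    $s['Teredo']  = "$($teredo['Type']) / $($teredo['State'])"
    $iphttps      = Get-NetshSettings 'interface','httpstunnel','show','interfaces'
    $s['IPHTTPS'] = "$($iphttps['Interface Status']) (last error $($iphttps['Last Error Code']))"
    # Established IPsec main-mode SAs show the tunnels are really up, not merely configured.
    $mmsa = & netsh.exe advfirewall monitor show mmsa 2>&1 | Out-String
    $s['MainModeSAs'] = ([regex]::Matches($mmsa, 'Local IP Address')).Count
    return $s
}

function Test-NetworkLocationServer {
    param([string]$Url)
    # Do not bypass certificate validation: the real NLS probe validates the chain and name too,
    # so a certificate failure means 'outside' exactly as a timeout does.
    try {
        $req = [System.Net.HttpWebRequest]::Create($Url)
        $req.Timeout = 5000
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        return "reachable, HTTP $code -> client should report Inside corporate network"
    } catch [System.Net.WebException] {
        return "unreachable ($($_.Exception.Status)) -> client should report Outside corporate network"
    }
}

function Show-DirectAccessStatus {
    $s = Get-DirectAccessStatus
    foreach ($k in ($s.Keys | Sort-Object)) { Write-Host ("{0,-16}: {1}" -f $k, $s[$k]) }
    Write-Host ("{0,-16}: {1}" -f 'NLS probe', (Test-NetworkLocationServer $NlsUrl))
    Write-Host 'Effective NRPT (not applied while Inside, populated while Outside):'
    & netsh.exe namespace show effectivepolicy
    # End-to-end reachability over the tunnels; needs the ICMPv6 echo rules from step 1.N.
    & ping.exe -6 -n 2 $CorpTarget
}

# Step 10.B: force IP-HTTPS by switching Teredo off, re-run Show-DirectAccessStatus, then put
# Teredo back to the state the UAG client GPO set (the 'Type' value this script reports), e.g.
#   netsh interface teredo set state disabled
#   netsh interface teredo set state enterpriseclient
Show-DirectAccessStatus
```

Expected pattern: on the simulated Internet the 6to4 state is the active one and MainModeSAs is non-zero; behind NAT1 Teredo reports qualified (then, with Teredo disabled, the IP-HTTPS interface reports active); back on the corpnet the NLS probe succeeds, Machine Location flips to Inside, and the NRPT output is empty. A Main Mode SA count of zero while the client believes it is Outside points at the infrastructure tunnel (computer certificate or ICMP rules), not at name resolution.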

NOTE: In the step-by-step instructions, you will see some steps that are preceded by an asterisk (*). The * indicates that you will be moving focus to a different machine. This is used as an aid to remind you that the configuration step should be performed on a different machine than you were at when you executed the instructions on the step before the *.

1. Configure DC1 (PILOT DOMAIN)
DC1 will act as the domain controller, certificate server, DNS server, file server and DHCP server for the pilot.contoso.com domain. You will perform the following steps to prepare DC1 to carry out these roles in support of a working DirectAccess solution:

A. Install the operating system on DC1. The first step is to install the Windows Server 2008 R2 operating system on the PILOT domain’s domain controller, DC1.

B. Configure TCP/IP Properties on DC1. After installing the operating system on DC1, configure the TCP/IP Properties to provide the server an IP address, subnet mask, DNS server and connection specific suffix.

C. Rename the Computer on DC1. Change the default name of the computer assigned during setup to DC1.

D. Configure DC1 as a Domain Controller and DNS Server. DC1 will be the domain controller and the authoritative DNS server for the PILOT domain. The domain controller and DNS server are required both as core PILOT domain infrastructure and for the DirectAccess solution.

E. Create a Reverse Lookup Zone on the DNS Server on DC1.A reverse lookup zone for network ID 10.0.0.0/24 is required to create a pointer record for DC1. The pointer record will allow reverse name resolution for DC1, which will prevent name resolution errors during several of the DNS related configuration steps covered in this document. The reverse lookup zone is not required for a functional DirectAccess solution.

F. Enter a Pointer Record for DC1.A pointer record for DC1 will allow services to perform reverse name resolution for the DC1 computer. This will be useful when perform several DNS related operations later in this document. It is not required for a functional DirectAccess solution.

G. Enable ISATAP Name Resolution in DNS on DC1.By default, the Windows Server 2008 R2 DNS server will not answer queries for the ISATAP and WPAD host names. You will configure the DNS server so that it will answer queries for ISATAP.

H. Create DNS Records for NLS and ISATAP on DC1. The DirectAccess client uses a Network Location Server to determine if the computer is on or off the intranet. If on the intranet, the computer will be able to connect to the Network Location Server using an HTTPS connection. A DNS record is required to resolve the name of the Network Location Server. In addition, a DNS record for ISATAP is required so that ISATAP capable computers on the network can obtain IPv6 addressing and routing information.

I. Configure Conditional Forwarding to the CORP Domain on DC1. DirectAccess clients on the Internet will need to be able to resolve names in both the DirectAccess pilot domain (PILOT) and the production domain (CORP), which holds the user accounts. The UAG DirectAccess server acts as a caching-only DNS server for DirectAccess clients and uses the DC1 computer in the DirectAccess domain to resolve names. We will configure the DNS server on DC1 to forward requests for the CORP domain to the CORP domain DNS server; this enables the DNS server on DC1 to resolve names in both the PILOT and CORP domains.

J. Configure DC1 as a DHCP and Certificate Server. DC1 is configured as a DHCP server so that CLIENT1 can automatically obtain IP addressing information when connected to the corpnet. Certificate Services are installed on DC1 so that computer certificates can be automatically assigned to all members of the PILOT domain, which are used for IPsec communications, as well as Web site certificates, which are used by the Network Location Server and the UAG DirectAccess server’s IP-HTTPS listener. DHCP is not required to support a DirectAccess solution. Certificates are required by the DirectAccess solution; however, you can use commercial certificates, private certificates, or a mix of both as part of the DirectAccess solution.

K. Create a New Administrator Account on DC1. As a network management best practice, you should not use the default domain administrator account for regular network operations. For this reason we will create a new domain administrator account and use this when making configuration changes. Using an alternate domain admin account is not required for a functional DirectAccess solution.

L. Create a Security Group for DirectAccess Clients on DC1. When DirectAccess is configured on the UAG DirectAccess server, it automatically creates Group Policy Objects and GPO settings that are applied to the DirectAccess client and server. The DirectAccess client GPO uses security group filtering to apply the GPO settings to the security group that the DirectAccess client computers belong to. A custom security group that is populated with the computer accounts of DirectAccess client computers is a required component of a DirectAccess solution.

M. Create and Deploy a Security Template for the IP-HTTPS Listener Certificate and the Network Location Server Certificate. A Web site certificate is required for the Network Location Server so that computers can use HTTPS to connect to it when they are on the corpnet. The UAG DirectAccess server uses a Web site certificate on its IP-HTTPS listener so that it can accept incoming connections from DirectAccess clients that are behind network devices that limit outbound connections to only HTTP/HTTPS. We will create a Web site certificate template that we will use to request a certificate from the Microsoft Certificate Server installed on DC1. A Web site certificate bound to the UAG DirectAccess server’s IP-HTTPS listener is a required component of a working DirectAccess solution.

N. Create ICMPv4 and ICMPv6 Echo Request Firewall Rules in Domain Group Policy on DC1. Inbound and outbound ICMPv4 and ICMPv6 echo requests are required for Teredo support.

O. Enable Computer Certificate Autoenrollment in Group Policy for the PILOT Domain on DC1. DirectAccess clients use computer certificates to establish IPsec connections to the UAG DirectAccess server. In addition, in an end-to-end scenario, IPsec is also used to connect to the destination resource server. Computer certificates are required for a working DirectAccess solution.

P. Configure DNS Suffix Search List in Group Policy on DC1. Most users prefer to use single label names when connecting to corpnet resources. To enable single label name resolution for DirectAccess clients and servers in this POC test lab (and in your production environment), you can assign a DNS suffix search list using Group Policy. This is not a requirement for a working DirectAccess solution, but facilitates access to corpnet resources.

Q. Create a Shared Folder on the C:\ Drive on DC1. We will create a shared folder on the C:\ drive of DC1 to test SMB connectivity for DirectAccess clients to a resource on the PILOT domain.

A. Install the OS on DC1

The first step is to install the Windows Server 2008 R2 Enterprise Edition software on the DC1 computer or virtual machine. We choose Enterprise Edition to support the installation of an Enterprise CA later, which will enable autoenrollment of the CA certificate to all domain members, which reduces administrative overhead.

Perform the following steps to install the operating system on DC1:

1. On the DC1 computer or virtual machine, start the installation of Windows Server 2008 R2 Enterprise Edition.


2. Follow the instructions to complete the installation, specifying Windows Server 2008 R2 Enterprise Edition and a strong password for the local Administrator account. Log on using the local Administrator account.

3. Connect the network adapter to the Corpnet subnet or the virtual switch representing the corpnet subnet.

B. Configure TCP/IP Properties on DC1

After installing the operating system on DC1, configure its TCP/IP Properties to provide the server an IP address, subnet mask, DNS server address and connection specific suffix. Note that the connection specific suffix is not required for a working DirectAccess solution, but simplifies name resolution prior to completing the DNS infrastructure in the POC lab environment.

Perform the following steps to configure TCP/IP properties on DC1:

1. On the DC1 computer or virtual machine, in Initial Configuration Tasks, click Configure networking.

2. In Network Connections, right-click Local Area Connection, and then click Properties.

3. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

4. Select Use the following IP address, type 10.0.0.1 next to IP address, and type 255.255.255.0 next to Subnet mask.

5. Select the Use the following DNS server addresses option. Enter 10.0.0.1 in the Preferred DNS server text box.

6. Click Advanced, and then click the DNS tab.

7. In DNS suffix for this connection, type pilot.contoso.com, click OK twice, and then click Close. (Note: configuring a DNS suffix is not required for DirectAccess to work correctly, but is used to simplify name resolution before a search suffix list is assigned via Group Policy, which we will configure later).

8. Close the Network Connections window.

C. Rename the DC1 Computer or Virtual Machine

The installation routine created a default computer name. Now you will change the computer name from its default to DC1.

Perform the following steps to change the computer name on DC1:

1. On the DC1 computer or virtual machine, in Initial Configuration Tasks, click Provide computer name and domain.


2. In the System Properties dialog box, click Change. In the Computer Name/Domain Change dialog box, in the Computer name text box, enter DC1, and click OK twice, and then click Close. When prompted to restart the computer, click Restart Now.

3. After restarting, log on using the local Administrator account.

D. Configure DC1 as a Domain Controller and DNS Server

DC1 will be the domain controller and the authoritative DNS server for the PILOT (pilot.contoso.com) domain. The domain controller and DNS server are required both as part of the PILOT infrastructure and for the DirectAccess solution.

Perform the following steps to configure DC1 as a domain controller and DNS server:

1. On the DC1 computer or virtual machine, on the Initial Configuration Tasks page, click the Add Roles link.

2. Click Next on the Before You Begin page.

3. On the Select Server Roles page, click Active Directory Domain Services, click Add Required Features, click Next on the Introduction to the Active Directory Domain Services page, and click Install on the Confirm Installation Selections page. Click Close on the Installation Results page.

4. To start the Active Directory Installation Wizard, click Start, type dcpromo in the Search box, and then press ENTER.

5. On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next.

6. On the Operating System Compatibility page, click Next.

7. On the Choose a Deployment Configuration page, click Create a new domain in a new forest, and then click Next.

8. On the Name the Forest Root Domain page, type pilot.contoso.com, and then click Next.

9. On the Set Forest Functional Level page, in Forest Functional Level, click Windows Server 2008 R2, and then click Next. (Note that Windows Server 2008 R2 Forest Functional Level is not required for the DirectAccess solution to work correctly. You can use any of the available Forest Functional Levels.)

10. On the Additional Domain Controller Options page, ensure that the DNS Server option is selected and click Next, click Yes in the Active Directory Domain Service Installation Wizard dialog box, and then on the Location for Database, Log Files, and SYSVOL page, click Next.

11. On the Directory Services Restore Mode Administrator Password page, type a strong password twice, and then click Next.

12. On the Summary page, click Next.


13. In the Active Directory Domain Services Installation Wizard dialog box, put a checkmark in the Reboot on completion checkbox.

14. Log on to DC1 as PILOT\Administrator after the server automatically restarts.
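Steps B through D, scripted as an added example that is not part of the lab guide. It assumes the adapter is named Local Area Connection (the default the guide clicks on), that PowerShell 2.0 with the ServerManager module is available on Windows Server 2008 R2, and it uses a placeholder for the DSRM password; the function names are my own. Run Set-Dc1TcpIp and Rename-Dc1 first, then Install-PilotForest after the rename reboot.

```powershell
# Added example, not from the lab guide: scripted equivalents of steps B, C and D on DC1.
# Assumptions: the adapter is "Local Area Connection"; the DSRM password is a placeholder.

$AdapterName  = 'Local Area Connection'        # assumption: default adapter name
$Dc1Address   = '10.0.0.1'
$SubnetMask   = '255.255.255.0'
$ForestName   = 'pilot.contoso.com'
$NetbiosName  = 'PILOT'
$DsrmPassword = 'REPLACE-WITH-DSRM-PASSWORD'    # placeholder, never store a real value in a script

function Set-Dc1TcpIp {
    # Step B: static address, DC1 as its own DNS server, and the connection-specific suffix.
    netsh interface ipv4 set address name="$AdapterName" source=static address=$Dc1Address mask=$SubnetMask
    netsh interface ipv4 set dnsservers name="$AdapterName" source=static address=$Dc1Address register=primary
    # netsh has no switch for the connection-specific suffix; set it through WMI instead.
    $nic = Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled -and $_.IPAddress -contains $Dc1Address }
    $rc = $nic.SetDNSDomain($ForestName).ReturnValue
    if ($rc -ne 0) { throw "SetDNSDomain failed with code $rc" }
}

function Rename-Dc1 {
    # Step C: PowerShell 2.0 has no Rename-Computer cmdlet, so rename through WMI, then reboot.
    $rc = (Get-WmiObject Win32_ComputerSystem).Rename('DC1').ReturnValue
    if ($rc -ne 0) { throw "Rename failed with code $rc" }
    Restart-Computer -Force
}

function Install-PilotForest {
    # Step D: add the AD DS role, then promote with a dcpromo unattend file instead of the wizard.
    Import-Module ServerManager
    Add-WindowsFeature AD-Domain-Services | Out-Null
    # ForestLevel/DomainLevel 4 = Windows Server 2008 R2, matching wizard step 9 (any level works).
    $unattend = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=$ForestName
DomainNetbiosName=$NetbiosName
ForestLevel=4
DomainLevel=4
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$DsrmPassword
RebootOnCompletion=No
"@
    $path = Join-Path $env:TEMP 'dcpromo-pilot.txt'
    Set-Content -Path $path -Value $unattend -Encoding ASCII
    try {
        # dcpromo.exe is a GUI executable; -Wait makes the script block until it finishes.
        Start-Process -FilePath dcpromo.exe -ArgumentList "/unattend:`"$path`"" -Wait
    } finally {
        Remove-Item $path -Force   # the file holds the DSRM password; never leave it on disk
    }
    Restart-Computer -Force        # then log on as PILOT\Administrator, as in step 14
}
```

The unattend file is deleted in a finally block because it contains the Directory Services Restore Mode password in clear text; RebootOnCompletion=No is used so the script can remove the file before the reboot rather than leaving it behind.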

E. Create Reverse Lookup Zone on DNS Server on DC1

A reverse lookup zone on DC1 for network ID 10.0.0.0/24 is required to create a pointer record for DC1. The pointer record will allow reverse name resolution for DC1, which will prevent name resolution errors during several of the DNS related configuration steps covered in this document. The reverse lookup zone is not required for a functional DirectAccess solution and is used as a convenience in this lab.

Perform the following steps to create the reverse lookup zone on the DNS server on DC1:

1. On the DC1 computer or virtual machine, click Start, and point to Administrative Tools. Click DNS.

2. In the DNS Manager console, in the left pane of the console, expand the server name, and click Reverse Lookup Zones. Right click Reverse Lookup Zones and click New Zone.

3. On the Welcome to the New Zone Wizard page, click Next.

4. On the Zone Type page, click Next.

5. On the Active Directory Zone Replication Scope page, click Next.

6. On the Reverse Lookup Zone Name page, click Next.

7. On the Reverse Lookup Zone Name page, select the Network ID option, and then enter 10.0.0 in the text box. Click Next.

8. On the Dynamic Update page, click Next.

9. On the Completing the New Zone Wizard page, click Finish.

10. Leave the DNS console open for the next operation.

F. Enter PTR Record for DC1

A pointer record for DC1 will allow services to perform reverse name resolution for the DC1 computer. This will be useful when performing several DNS related operations later in this document. It is not required for a functional DirectAccess solution and is configured as a convenience for this POC lab.

Perform the following steps to enter the PTR record for DC1:

1. On the DC1 computer or virtual machine, in the DNS Manager console, expand the Forward Lookup Zones node in the left pane of the console. Click on pilot.contoso.com.


2. Double click on dc1 in the right pane of the console.

3. In the DC1 Properties dialog box, put a checkmark in the Update associated pointer (PTR) record checkbox and click OK.

4. Expand the Reverse Lookup Zones node in the left pane of the console and click 0.0.10.in-addr.arpa. Confirm that there is an entry for 10.0.0.1 in the middle pane of the console.

5. Leave the DNS console open.

G. Enable ISATAP Name Resolution on DNS Server on DC1

By default, the Windows Server 2008 R2 DNS server will not answer queries for the ISATAP and WPAD host names because these names are included in the DNS server’s Global Query Block List. You will configure the DNS server so that it will answer queries for ISATAP by removing ISATAP from the Global Query Block List.

Perform the following steps to enable ISATAP name resolution on the DNS server on DC1:

1. On the DC1 computer or virtual machine, click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

2. In the command window, type dnscmd /config /globalqueryblocklist wpad, and then press ENTER.

3. In the command prompt window, type dnscmd /info /globalqueryblocklist to confirm that ISATAP is not included in the list, and that the printout reads Query result: String: wpad.

4. Close the command window.

For more information on configuring the global query block list, please see http://download.microsoft.com/download/5/3/c/53cdc0bf-6609-4841-a7b9-cae98cc2e4a3/DNS_Server_Global_%20Query_Block%20List.doc

H. Create DNS Records for NLS and ISATAP on DC1

DirectAccess clients use a Network Location Server to determine if the computer is on the intranet. If the computer can connect to the Network Location Server using HTTPS, the computer determines that it is on the intranet and the Name Resolution Policy Table (NRPT) is disabled. If the computer cannot connect to the Network Location Server, the NRPT is enabled and uses the DNS proxy on the UAG DirectAccess server to resolve intranet host names. A DNS record is required for the DirectAccess client to resolve the name of the Network Location Server. In addition, all IPv6 capable hosts on the corpnet need to resolve the name ISATAP to the internal interface of the UAG DirectAccess server, so a DNS record is required for ISATAP. The UAG DirectAccess server will act as an ISATAP router for the organization and provides prefix and routing information for ISATAP clients.

Perform the following steps to create the NLS and ISATAP DNS records:


1. On the DC1 computer or virtual machine, in the DNS console, click the pilot.contoso.com forward lookup zone in the left pane of the console. Right click pilot.contoso.com and click New Host (A or AAAA).

2. In the New Host dialog box, enter isatap in the Name (uses parent domain name if blank) text box. Then enter 10.0.0.2 in the IP address text box. (IP address 10.0.0.2 will be the IP address of the internal interface of the UAG server, which will act as the ISATAP router in this scenario).

3. Click Add Host. Then click OK in the DNS dialog box.

4. In the New Host dialog box, enter nls in the Name (uses parent domain name if blank) text box (this is the name the DirectAccess clients will use to connect to the Network Location Server). Enter 10.0.0.3 in the IP address text box, then click Add Host. Click OK in the DNS text box. (Note that IP address 10.0.0.3 is the IP address of APP1, which will act as a network location server in this scenario).

5. Click Done.

6. Confirm that there are entries for DC1, ISATAP and NLS in the middle pane of the console. Leave the DNS console open for the next section.

7. Open a command prompt window and enter nslookup isatap and press ENTER. Confirm that DC1 is able to resolve ISATAP to 10.0.0.2. Close the command prompt window.

I. Configure Conditional Forwarding to the CORP Domain on DC1

In the POC lab scenario, there are two domains: the UAG DirectAccess domain (PILOT) that contains the DirectAccess computer accounts, and the “production” domain (CORP), which contains the user accounts and information resources. The DirectAccess client computer and users will need to resolve names in both domains. The UAG DirectAccess server acts as a DNS proxy for DirectAccess clients, and the UAG DirectAccess server is configured to use the UAG DirectAccess domain’s DNS server as its DNS server. This enables the UAG DirectAccess server to resolve names in the PILOT domain. To provide name resolution for the CORP domain, we will create a conditional forwarder on DC1 to forward queries for corp.contoso.com to the DNS server for the CORP domain. Configuring conditional forwarding is not a required component of a DirectAccess solution, but enables name resolution throughout the enterprise for DirectAccess clients. Note that there are other methods for configuring name resolution for multiple domains, such as configuring zone transfers between primary and secondary servers.

Perform the following steps to configure conditional forwarding:

1. On the DC1 computer or virtual machine, in the left pane of the DNS Manager console, click on Conditional Forwarders. Right click on Conditional Forwarders and click New Conditional Forwarder.

2. In the New Conditional Forwarder dialog box, in the DNS Domain text box, enter corp.contoso.com.


3. In the IP addresses of the master servers list, enter 10.0.0.10 and press ENTER. (Note: IP address 10.0.0.10 will be the IP address of the corp.contoso.com DNS server and domain controller that you will configure later; name resolution at this point will fail because the server is not yet online).

4. Click OK.

5. Close the DNS Manager console.
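The DNS work in steps E through I, scripted with dnscmd.exe as an added example that is not part of the lab guide. It uses the lab's own addresses (10.0.0.1 DC1, 10.0.0.2 UAG1 internal interface, 10.0.0.3 APP1 as the Network Location Server, 10.0.0.10 the CORP DNS server, which is not yet online at this point); the function names are my own, and the verification function checks only the PILOT records because the CORP forwarder cannot resolve until that server exists.

```powershell
# Added example, not from the lab guide: steps E through I on DC1 with dnscmd.exe,
# which ships with the Windows Server 2008 R2 DNS Server role.

$Zone        = 'pilot.contoso.com'
$ReverseZone = '0.0.10.in-addr.arpa'

function Set-PilotDnsRecords {
    # Step E: Active Directory-integrated reverse zone for 10.0.0.0/24
    dnscmd /ZoneAdd $ReverseZone /DsPrimary
    # Step F: PTR record for DC1 (host 1 in the reverse zone = 10.0.0.1)
    dnscmd /RecordAdd $ReverseZone 1 PTR "dc1.$Zone"
    # Step G: replace the whole block list with "wpad", which drops isatap from it
    dnscmd /Config /GlobalQueryBlockList wpad
    # Step H: static records for the ISATAP router (UAG1) and the Network Location Server (APP1)
    dnscmd /RecordAdd $Zone isatap A 10.0.0.2
    dnscmd /RecordAdd $Zone nls    A 10.0.0.3
    # Step I: conditional forwarder for the CORP domain
    dnscmd /ZoneAdd corp.contoso.com /Forwarder 10.0.0.10
}

function Test-PilotDnsRecords {
    # Returns $true when the records DC1 needs resolve as expected, queried from DC1 itself.
    $ok = $true
    foreach ($pair in @(@('isatap', '10.0.0.2'), @('nls', '10.0.0.3'))) {
        $addrs = [System.Net.Dns]::GetHostAddresses("$($pair[0]).$Zone") |
            ForEach-Object { $_.IPAddressToString }
        if ($addrs -notcontains $pair[1]) {
            Write-Warning "$($pair[0]) resolved to: $addrs"; $ok = $false
        }
    }
    $ptr = [System.Net.Dns]::GetHostEntry('10.0.0.1').HostName
    if ($ptr -ne "dc1.$Zone") { Write-Warning "PTR for 10.0.0.1 is $ptr"; $ok = $false }
    if (dnscmd /Info /GlobalQueryBlockList | Select-String -Quiet 'isatap') {
        Write-Warning 'isatap is still on the global query block list'; $ok = $false
    }
    return $ok
}

Set-PilotDnsRecords
Test-PilotDnsRecords
```

The global query block list exists because, in a zone that accepts dynamic updates, any domain member could otherwise register the isatap or wpad name and be treated as the ISATAP router or proxy by every host on the network. Creating the isatap record statically, as step H does, and leaving wpad on the list keeps that exposure limited; the Microsoft document linked in step G covers the mechanism in more detail.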

J. Configure DC1 as DHCP and Certificate Server

A DHCP server is used on the simulated corpnet to provide IP addressing information for the DirectAccess client when it is connected to the corpnet. DHCP is not required for a working DirectAccess solution, but facilitates automatic addressing when the DirectAccess client moves between the corpnet and external networks. The Microsoft Certificate Server is used to provide computer certificates to domain member computers, which can be used for computer authentication and IPsec connectivity. In addition, the Certificate Server will be used to obtain Web site certificates for the Network Location Server and the UAG DirectAccess server’s IP-HTTPS listener. Note that a Microsoft Certificate Server is not required for either computer or Web site certificates. However, it is the preferred method for computer certificate assignment as it can significantly lower administrative overhead. In a production environment, the IP-HTTPS Listener will typically use a commercial certificate, though this is not a requirement; a commercial certificate simplifies DirectAccess client access to the Certificate Revocation List, which is required. Both computer and Web site certificates are required for a working DirectAccess solution.

Perform the following steps to configure DC1 as a DHCP and Certificate server:

1. On the DC1 computer or virtual machine, in the Initial Configuration Tasks window, click the Add Roles link.

2. On the Before You Begin page, click Next.

3. On the Select Server Roles page, put a checkmark in the Active Directory Certificate Services and DHCP Server checkboxes. Click Next.

4. On the Introduction to DHCP Server page, click Next.

5. On the Select Network Connection Bindings page, confirm that 10.0.0.1 is selected in the Network Connections section. Click Next.

6. On the Specify IPv4 DNS Server Settings page, confirm that the Parent domain text box contains pilot.contoso.com. In the Preferred DNS server IPv4 address text box, enter 10.0.0.1. Click Validate. A green circle with a checkmark should appear, with the word Valid to its right. Click Next.

7. On the Specify IPv4 WINS Server Settings page, click Next.


8. On the Add or Edit DHCP Scopes page, click the Add button.

9. In the Add Scope dialog box, in the Scope name text box enter Corpnet. In the Starting IP address text box, enter 10.0.0.100. In the Ending IP address text box, enter 10.0.0.150. In the subnet mask text box, enter 255.255.255.0. Click OK.

10. On the Add or Edit DHCP Scopes page, click Next.

11. On the Configure DHCPv6 Stateless Mode page, select the Disable DHCPv6 stateless mode for this server option and click Next. (Note: Disabling stateless mode is not a requirement for the DirectAccess solution; this option is selected because we are not using a native IPv6 infrastructure in this POC lab network).

12. On the Authorize DHCP Server page, click Next.

13. On the Introduction to Active Directory Certificate Services page, click Next.

14. On the Select Role Services page, confirm that there is a checkmark in the Certification Authority checkbox, then click Next.

15. On the Specify Setup Type page, confirm that Enterprise is selected and click Next. (Note: we use an Enterprise CA so that we can use autoenrollment to distribute the CA certificate and computer certificates).

16. On the Specify CA Type page, confirm that Root CA is selected and click Next.

17. On the Set Up Private key page, confirm that Create a new private key is selected and click Next.

18. On the Configure Cryptography for CA page, click Next.

19. On the Configure CA Name page, click Next.

20. On the Set Validity Period page, click Next.

21. On the Configure Certificate Database page, click Next.

22. On the Confirm Installation Selections page, click Install.

23. On the Installation Results page, click Close.
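The DHCP half of step J, scripted as an added example that is not part of the lab guide. It assumes the ServerManager module and netsh dhcp available on Windows Server 2008 R2 and uses the scope, range and options from steps 5 through 12 above; the function names are my own. The Enterprise root CA configuration (steps 13 through 23) stays in the Add Roles wizard, since Windows Server 2008 R2 has no cmdlet for configuring a CA.

```powershell
# Added example, not from the lab guide: the DHCP part of step J on DC1 with the
# ServerManager module and netsh dhcp (both present on Windows Server 2008 R2).

function Install-PilotDhcp {
    Import-Module ServerManager
    Add-WindowsFeature DHCP | Out-Null          # DHCP Server role binaries
    Set-Service DHCPServer -StartupType Automatic
    Start-Service DHCPServer
    # Step 9: scope "Corpnet", 10.0.0.100 - 10.0.0.150 on 10.0.0.0/24
    netsh dhcp server add scope 10.0.0.0 255.255.255.0 Corpnet "POC lab corpnet"
    netsh dhcp server scope 10.0.0.0 add iprange 10.0.0.100 10.0.0.150
    # Step 6: option 006 (DNS server) = 10.0.0.1, option 015 (DNS domain) = pilot.contoso.com
    netsh dhcp server scope 10.0.0.0 set optionvalue 006 IPADDRESS 10.0.0.1
    netsh dhcp server scope 10.0.0.0 set optionvalue 015 STRING pilot.contoso.com
    # Step 12: authorize the server in Active Directory. A domain-joined DHCP server
    # that is not authorized refuses to lease addresses, which is the rogue-server guard.
    netsh dhcp add server dc1.pilot.contoso.com 10.0.0.1
}

function Test-PilotDhcp {
    # Returns $true when the Corpnet scope exists and DC1 appears in the authorized list.
    $scopes = netsh dhcp server show scope
    $auth   = netsh dhcp show server
    ($scopes | Select-String -Quiet '10\.0\.0\.0') -and ($auth | Select-String -Quiet '10\.0\.0\.1')
}

Install-PilotDhcp
Test-PilotDhcp
```

The guide's wizard step 11 also disables DHCPv6 stateless mode; that setting has no netsh dhcp equivalent and is left to the wizard or the DHCP console.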

K. Create a New Administrator Account in Active Directory on DC1

As a network management best practice, you should not use the default domain administrator account for regular network operations. For this reason we will create a new domain administrator account and use this when making configuration changes. Using an alternate domain admin account is not required for a functional DirectAccess solution, and is done as a best practice example for this POC lab.


Perform the following steps to create a new administrator account in Active Directory on DC1:

1. On the DC1 computer or virtual machine, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

2. In the console tree, expand pilot.contoso.com, right-click Users, point to New, and then click User.

3. In the New Object - User dialog box, next to Full name, type User1, and in User logon name, type User1.

4. Click Next.

5. In Password, type the password that you want to use for this account, and in Confirm password, type the password again.

6. Clear the User must change password at next logon check box, and select the Password never expires check box.

7. Click Next, and then click Finish.

8. In the console tree, click Users.

9. In the details pane, double-click Domain Admins.

10. In the Domain Admins Properties dialog box, click the Members tab, and then click Add.

11. Under Enter the object names to select (examples), type User1, and then click OK twice.

12. Leave the Active Directory Users and Computers console open for the following procedure.

L. Create a Security Group for DirectAccess Clients on DC1

When you run the UAG DirectAccess wizard on the UAG1 computer, the wizard will create Group Policy Objects and deploy them in Active Directory. One GPO is created for the UAG DirectAccess server, and the second is created for DirectAccess clients. Security group filtering is used to apply the DirectAccess client GPO settings to the DirectAccess clients security group. Therefore, in order to obtain the settings required to be a DirectAccess client, the computer must be a member of this security group. Do not use any of the built-in security groups as your DirectAccess security group. Here you will create the DirectAccess clients security group. This group is required for a working DirectAccess solution.

Perform the following steps to create a security group for DirectAccess clients on DC1:

1. On the DC1 computer or virtual machine, in the Active Directory Users and Computers console tree, right-click Users, point to New, and then click Group.


2. In the New Object - Group dialog box, under Group name, type DA_Clients. (Note that the group name “DA_Clients” is not a hard coded value; you can use any name you like for the DirectAccess clients security group).

3. Under Group scope, choose Global, under Group type, choose Security, and then click OK.

4. Close the Active Directory Users and Computers console.
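Steps K and L, scripted with the Active Directory module that ships with Windows Server 2008 R2, as an added example that is not part of the lab guide. It keeps the guide's names (User1, DA_Clients, the Users container) and, because the guide says not to reuse a built-in group, refuses to return a group whose RID is below 1000; the function names and that RID check are my own.

```powershell
# Added example, not from the lab guide: steps K and L on DC1 with the ActiveDirectory module
# (available on a Windows Server 2008 R2 domain controller).
Import-Module ActiveDirectory

$Domain    = 'pilot.contoso.com'
$UsersPath = 'CN=Users,DC=pilot,DC=contoso,DC=com'

function New-PilotAdminAccount {
    param(
        [string]$Name = 'User1',
        [Parameter(Mandatory = $true)][System.Security.SecureString]$Password
    )
    # Step K: a named admin account so the built-in Administrator is not used day to day.
    # The flags mirror wizard step 6 (no change at next logon, password never expires).
    New-ADUser -Name $Name -SamAccountName $Name -UserPrincipalName "$Name@$Domain" `
        -Path $UsersPath -AccountPassword $Password -Enabled $true `
        -ChangePasswordAtLogon $false -PasswordNeverExpires $true
    Add-ADGroupMember -Identity 'Domain Admins' -Members $Name
    Get-ADUser $Name
}

function New-DirectAccessClientGroup {
    param([string]$GroupName = 'DA_Clients')
    # Step L: a dedicated global security group for DirectAccess client computer accounts.
    # The client GPO is filtered to whichever group you pick, so a built-in group such as
    # Domain Computers would push DirectAccess settings to every machine in the domain.
    $existing = Get-ADGroup -Filter { Name -eq $GroupName } -ErrorAction SilentlyContinue
    if ($existing) {
        $rid = [int]($existing.SID.Value -split '-')[-1]
        if ($rid -lt 1000) { throw "$GroupName is a built-in group; choose a custom group name" }
        return $existing
    }
    New-ADGroup -Name $GroupName -SamAccountName $GroupName -GroupScope Global `
        -GroupCategory Security -Path $UsersPath -PassThru
}

# Usage: prompt for the password rather than embedding it in the script.
$pw = Read-Host -AsSecureString 'Password for User1'
New-PilotAdminAccount -Password $pw
New-DirectAccessClientGroup
```

Well-known default groups (Domain Admins, Domain Computers, the BUILTIN groups) all have RIDs below 1000, which is why the check above can tell a built-in group from one an administrator created.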

M. Create and Deploy a Security Template for the IP-HTTPS Listener Certificate and Network Location Server Certificate

A Web site certificate is required for the Network Location Server so that computers can use HTTPS to connect to it when they are on the corpnet. The UAG DirectAccess server uses a Web site certificate on its IP-HTTPS listener so that it can accept incoming connections from DirectAccess clients that are behind network devices that limit outbound connections to only HTTP/HTTPS. We will create a Web site certificate template that we will use to request a certificate from the Microsoft Certificate Server installed on DC1. A Web site certificate bound to the UAG DirectAccess server’s IP-HTTPS listener and a Web site certificate bound to the Network Location Server Web site are both required for a working DirectAccess solution.

WARNING: The certificate template configured in this lab does not include certificate revocation list information. This is done as a convenience for the lab so that you do not need to publish the CRL for the CA that issued the certificate used for the IP-HTTPS listener. Do not do this in a production environment. The DirectAccess client must be able to access the CRL of the CA that issued the IP-HTTPS listener certificate.

Perform the following steps to create and deploy a security template:

1. On the DC1 computer or virtual machine, click Start, enter mmc in the Search box, and then press ENTER.

2. Click File, and then click Add/Remove Snap-in.

3. In the list of snap-ins, click Certificate Templates, click Add, and then click OK.

4. In the console tree, click Certificate Templates.

5. In the contents pane, right-click the Web Server template, and then click Duplicate Template.

6. Click Windows Server 2008 Enterprise, and then click OK. (Note that you can use either the Windows Server 2003 or Windows Server 2008 templates – we choose to use the Windows Server 2008 template in this example).

7. In Template display name, type Web Server 2008.

8. Click the Security tab.


9. Click Authenticated Users, and then select Enroll in the Allow column.

10. Click Add, enter Domain Computers in the Enter the object names to select text box, and then click OK.

11. Click Domain Computers, and then select Enroll in the Allow column.

12. Click the Request Handling tab.

13. Select Allow private key to be exported. (Note that this is done for convenience for this lab and for future labs built out using this document. When the private key is marked as exportable, you will be able to export the certificate with its private key from the first UAG server in the array and use that certificate on new array members when you add them.)

14. Click the Server tab. On the Server tab, put a checkmark in the Do not include revocation information in issued certificates checkbox (applicable only for Windows Server 2008 R2 and above). Note that we use this option for the test lab only so that we do not need to publish the CRL to support the CRL check required to establish an IP-HTTPS connection.

15. Click OK.

16. Close the MMC window without saving changes.

17. Click Start, point to Administrative Tools, and then click Certification Authority.

18. In the console tree, expand pilot-DC1-CA, right-click Certificate Templates, point to New, and then click Certificate Template to Issue.

19. In the list of certificate templates, click Web Server 2008, and then click OK.

20. In the right pane of the console, you should see the Web Server 2008 certificate template with an Intended Purpose of Server Authentication.

21. Close the Certification Authority console.

N. Create ICMPv4 and ICMPv6 Echo Request Firewall Rules in Domain Group Policy on DC1

Support for incoming and outgoing ICMPv4 and v6 is required for Teredo clients. DirectAccess clients will use Teredo as their IPv6 transition technology to connect to the UAG DirectAccess server over the IPv4 Internet when they are assigned a private (RFC 1918) IP address, such as when they are located behind a NAT device or firewall. In addition, enabling ping facilitates connectivity testing between participants in the DirectAccess solution.
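The four rules this section creates, scripted with netsh advfirewall against the Default Domain Policy GPO store, as an added example that is not part of the lab guide. It assumes the GPO name and domain the guide uses; the function name is my own. The commands are written to a netsh script file and run with netsh -f because the store selection only persists within one netsh session, not across separate netsh invocations from PowerShell.

```powershell
# Added example, not from the lab guide: step N (ICMPv4/ICMPv6 echo request rules in the
# Default Domain Policy) with netsh advfirewall on Windows Server 2008 R2.

function Add-IcmpEchoRulesToGpo {
    param([string]$GpoStore = 'pilot.contoso.com\Default Domain Policy')   # assumption: lab GPO name
    # ICMPv4 type 8 and ICMPv6 type 128 are Echo Request; "any" matches every code.
    $netshScript = @"
advfirewall
set store gpo="$GpoStore"
firewall add rule name="Inbound ICMPv4 Echo Requests" dir=in action=allow protocol=icmpv4:8,any
firewall add rule name="Inbound ICMPv6 Echo Requests" dir=in action=allow protocol=icmpv6:128,any
firewall add rule name="Outbound ICMPv4 Echo Requests" dir=out action=allow protocol=icmpv4:8,any
firewall add rule name="Outbound ICMPv6 Echo Requests" dir=out action=allow protocol=icmpv6:128,any
firewall show rule name="Inbound ICMPv4 Echo Requests"
firewall show rule name="Inbound ICMPv6 Echo Requests"
firewall show rule name="Outbound ICMPv4 Echo Requests"
firewall show rule name="Outbound ICMPv6 Echo Requests"
bye
"@
    $path = Join-Path $env:TEMP 'icmp-echo-rules.netsh'
    Set-Content -Path $path -Value $netshScript -Encoding ASCII
    try {
        # netsh -f runs the commands in one session, so "set store" applies to the add rule lines.
        $output = netsh -f $path
    } finally {
        Remove-Item $path -Force
    }
    # Return $true only if all four rules were listed back from the GPO store.
    $found = ($output | Select-String 'Rule Name:' | Measure-Object).Count
    return ($found -eq 4)
}

Add-IcmpEchoRulesToGpo
```

Limiting the rules to the Echo Request type, rather than allowing all ICMP, is what the wizard steps below do as well; the scripted form makes that scope explicit in the protocol argument, and the show rule lines at the end confirm the rules landed in the GPO rather than in the local firewall policy.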

Perform the following steps to create the ICMP firewall rules:

1. On the DC1 computer or virtual machine, click Start, click Administrative Tools, and then click Group Policy Management.


2. In the console tree, expand Forest: pilot.contoso.com. Then expand Domains, and then expand pilot.contoso.com.

3. In the console tree, right-click Default Domain Policy, and then click Edit.

4. In the console tree of the Group Policy Management Editor, expand Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security-LDAP://.

5. In the console tree, click Inbound Rules, right-click Inbound Rules, and then click New Rule.

6. On the Rule Type page, click Custom, and then click Next.

7. On the Program page, click Next.

8. On the Protocols and Ports page, for Protocol type, click ICMPv4, and then click Customize.

9. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and then click OK.

10. Click Next.

11. On the Scope page, click Next.

12. On the Action page, click Next.

13. On the Profile page, click Next.

14. On the Name page, for Name, type Inbound ICMPv4 Echo Requests, and then click Finish.

15. In the console tree, right-click Inbound Rules, and then click New Rule.

16. On the Rule Type page, click Custom, and then click Next.

17. On the Program page, click Next.

18. On the Protocols and Ports page, for Protocol type, click ICMPv6, and then click Customize.

19. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and then click OK.

20. Click Next.

21. On the Scope page, click Next.

22. On the Action page, click Next.

23. On the Profile page, click Next.


24. On the Name page, for Name, type Inbound ICMPv6 Echo Requests, and then click Finish.

25. In the console tree, right-click Outbound Rules, and then click New Rule.

26. On the Rule Type page, click Custom, and then click Next.

27. On the Program page, click Next.

28. On the Protocols and Ports page, for Protocol type, click ICMPv4, and then click Customize.

29. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and then click OK.

30. Click Next.

31. On the Scope page, click Next.

32. On the Action page, click Allow the connection, and then click Next.

33. On the Profile page, click Next.

34. On the Name page, for Name, type Outbound ICMPv4 Echo Requests, and then click Finish.

35. In the console tree, right-click Outbound Rules, and then click New Rule.

36. On the Rule Type page, click Custom, and then click Next.

37. On the Program page, click Next.

38. On the Protocols and Ports page, for Protocol type, click ICMPv6, and then click Customize.

39. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and then click OK.

40. Click Next.

41. On the Scope page, click Next.

42. On the Action page, click Allow the connection, and then click Next.

43. On the Profile page, click Next.

44. On the Name page, for Name, type Outbound ICMPv6 Echo Requests, and then click Finish.

45. Confirm that the rules you created appear in the Inbound Rules and Outbound Rules nodes. Close the Group Policy Management Editor.
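The same four rules can be written into the Default Domain Policy from the command line. The script below is an added example and is not part of the lab guide; it drives netsh advfirewall, which can target a GPO's firewall store with set store gpo=<domain>\<GPO name>. Because that store selection only lasts for one netsh session, the commands are written to a script file and run with netsh -f. Rule names, directions and the Echo Request types (ICMPv4 type 8, ICMPv6 type 128) follow the guide; the temporary file name is this example's own choice.

```powershell
# Added example (not from the lab guide): create the four ICMP Echo Request
# rules in the PILOT "Default Domain Policy" with netsh instead of the Group
# Policy Management Editor. Run on DC1 in an elevated PowerShell session as a
# PILOT domain administrator.

$Domain  = 'pilot.contoso.com'           # lab forest used throughout the guide
$GpoName = 'Default Domain Policy'       # GPO the guide edits in step 3
$Script  = Join-Path $env:TEMP 'da-icmp-rules.txt'   # temp file name (assumed)

# Rule definitions. "icmpv4:8,any" = ICMPv4 Echo Request, any code;
# "icmpv6:128,any" = ICMPv6 Echo Request, any code.
$Rules = @(
    @{ Name = 'Inbound ICMPv4 Echo Requests';  Dir = 'in';  Proto = 'icmpv4:8,any'   },
    @{ Name = 'Inbound ICMPv6 Echo Requests';  Dir = 'in';  Proto = 'icmpv6:128,any' },
    @{ Name = 'Outbound ICMPv4 Echo Requests'; Dir = 'out'; Proto = 'icmpv4:8,any'   },
    @{ Name = 'Outbound ICMPv6 Echo Requests'; Dir = 'out'; Proto = 'icmpv6:128,any' }
)

# Build the netsh script: enter the advfirewall context, point it at the GPO
# store, then add each rule. profile=any mirrors accepting the default on the
# guide's Profile page; no scope restriction mirrors its Scope page.
$Lines = @(
    'advfirewall',
    ('set store gpo="{0}\{1}"' -f $Domain, $GpoName)
)
foreach ($r in $Rules) {
    $Lines += ('firewall add rule name="{0}" dir={1} action=allow protocol={2} profile=any' -f
               $r.Name, $r.Dir, $r.Proto)
}
# Echo the GPO's rule set back so the result can be checked on screen.
$Lines += 'firewall show rule name=all dir=in'
$Lines += 'firewall show rule name=all dir=out'

Set-Content -Path $Script -Value $Lines -Encoding ASCII
netsh -f $Script
Remove-Item $Script

# On any PILOT member, pull the policy and confirm a rule is in effect:
#   gpupdate /target:computer /force
#   netsh advfirewall firewall show rule name="Inbound ICMPv6 Echo Requests"
```

Writing to the GPO store changes the domain-wide policy just as the editor does, so the same caution applies: every PILOT computer will accept Echo Requests from any source once policy refreshes, which is acceptable for this lab but would normally be scoped to the corporate address ranges.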


O. Enable Computer Certificate Autoenrollment in Group Policy for the PILOT Domain on DC1

In the DirectAccess solution, computer certificates can be used for computer authentication and IPsec connection establishment. One efficient method for distributing computer certificates is to take advantage of Group Policy based autoenrollment for computer certificates.

Perform the following steps to enable computer certificate autoenrollment:

1. On the DC1 computer or virtual machine, from the Administrative Tools menu, open Group Policy Management.

2. In the Group Policy Management console, expand Forest: pilot.contoso.com and then expand Domains. Expand pilot.contoso.com and then right click Default Domain Policy and click Edit.

3. In the console tree of the Group Policy Management Editor, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.

4. In the details pane, right-click Automatic Certificate Request Settings, point to New, and then click Automatic Certificate Request.

5. In the Automatic Certificate Request Wizard, click Next.

6. On the Certificate Template page, click Computer, click Next, and then click Finish.

7. Leave the Group Policy Management Editor open for the next procedure.

P. Configure DNS Suffix Search List in Group Policy on DC1

DirectAccess clients will need to be able to resolve single-label names for servers located in either the PILOT or CORP domain. One method that you can use to fully qualify single-label names is to configure a DNS suffix search list. This can be manually configured on each DirectAccess client, or you can reduce administrative overhead by using Active Directory Group Policy to deliver a DNS suffix search list. We will configure the DNS suffix search list using the Group Policy option in this scenario.

Perform the following steps to configure the DNS suffix search list:

1. On the DC1 computer or virtual machine, in the console tree of the Group Policy Management Editor, navigate to Computer Configuration\Policies\Administrative Templates\Network\DNS Client.

2. Double click on the DNS Suffix Search List entry in the right pane.

3. In the DNS Suffix Search List dialog box, select the Enabled option. In the DNS Suffixes text box, enter pilot.contoso.com,corp.contoso.com (do not put a space between the two FQDN entries). Click OK.


4. Close the Group Policy Management Editor console and close the Group Policy Management console.
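Sections N, O and P all rely on Group Policy reaching the PILOT members. The following check script is an added example, not part of the lab guide; run it on any PILOT member (APP1, or a DirectAccess client once it is joined) to confirm that each of the three settings actually arrived. It reads the registry value that the DNS Suffix Search List policy writes, looks for a certificate issued from the Computer template (whose internal template name is Machine) in the computer store, and asks netsh whether the four ICMP rules exist. The rule names and suffixes are the guide's; the function name is this example's own.

```powershell
# Added example (not from the lab guide): verify on a PILOT domain member that
# the ICMP firewall rules, the autoenrolled computer certificate and the DNS
# suffix search list from sections N, O and P are in effect.

function Test-LabGroupPolicy {
    param(
        # Internal name of the V1 "Computer" certificate template
        [string]$TemplateName = 'Machine',
        # Search list configured in section P
        [string[]]$ExpectedSearchList = @('pilot.contoso.com', 'corp.contoso.com')
    )
    $result = @{}

    # 1. Computer certificate. V1 templates record their name in the
    #    Certificate Template Name extension (OID 1.3.6.1.4.1.311.20.2).
    $certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        ($_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' } |
            ForEach-Object { $_.Format($false) }) -contains $TemplateName
    }
    $result.ComputerCert = (@($certs).Count -gt 0)

    # 2. DNS suffix search list. The policy writes a comma-separated REG_SZ
    #    named SearchList under the DNSClient policy key.
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $list = (Get-ItemProperty -Path $key -Name SearchList -ErrorAction SilentlyContinue).SearchList
    $result.SearchList = ($list -eq ($ExpectedSearchList -join ','))

    # 3. Firewall rules. netsh prints "No rules match" for a missing rule.
    $result.IcmpRules = $true
    foreach ($name in 'Inbound ICMPv4 Echo Requests', 'Inbound ICMPv6 Echo Requests',
                      'Outbound ICMPv4 Echo Requests', 'Outbound ICMPv6 Echo Requests') {
        $out = netsh advfirewall firewall show rule name="$name" | Out-String
        if ($out -match 'No rules match') { $result.IcmpRules = $false }
    }

    New-Object PSObject -Property $result
}

# Refresh computer policy and trigger autoenrollment before testing, then
# expect ComputerCert, SearchList and IcmpRules all to be True.
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null
Test-LabGroupPolicy
```

If ComputerCert stays False after a policy refresh, check first that the CA's Computer template is still published (section M of the DC1 steps) and that the member can reach the CA; autoenrollment fails silently from the client's point of view and only logs to the CertificateServicesClient event channel.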

Q. Create a Shared Folder on the C:\ Drive on DC1

When the DirectAccess client is connected to the simulated Internet, or connecting from behind a NAT device over the Internet, we want to determine whether the DirectAccess user can connect to a Server Message Block (SMB) resource in the PILOT domain. We will create a network share on DC1 to support this test.

Perform the following steps to create a shared folder on DC1:

1. Click Start, and then click Computer.

2. Double-click the drive on which Windows Server 2008 R2 is installed.

3. Click New Folder, type Files, and then press ENTER. Leave the Local Disk window open.

4. Click Start, click All Programs, click Accessories, right-click Notepad, and then click Run as administrator.

5. In the Untitled – Notepad window, type This is a shared file on DC1.

6. Click File, click Save, double-click Computer, double-click the drive on which Windows Server 2008 R2 is installed, and then double-click the Files folder.

7. In File name, type Example.txt, and then click Save. Close the Notepad window.

8. In the Local Disk window, right-click the Files folder, point to Share with, and then click Specific people.

9. Click Share, and then click Done. (Note: this provides Full Control Share Permissions to Everyone, and NTFS Full Control permissions to SYSTEM, Administrator, and PILOT\Administrators).

10. Close the Local Disk window.

2. Configure DC2 (CORP DOMAIN)

In the POC lab, DC2 acts as a domain controller, DNS server, Web server and file server in the CORP domain. The CORP domain represents the domain containing the user accounts and resources that are currently in production on the corporate network. While the DirectAccess computer accounts will be members of the PILOT domain for the POC deployment, users in the current production domain (CORP) will continue to use the same user accounts that they used before their computers were joined to the PILOT domain. You will perform the following steps when configuring DC2:


A. Install the OS on DC2

The first step is to install the Windows Server 2008 R2 operating system on the CORP domain's domain controller, DC2. Note that we used Windows Server 2008 R2 in this example out of choice, not out of requirements. You can use Windows Server 2003 as a domain controller if you like, and it will be supported by the DirectAccess configuration.

B. Configure TCP/IP Properties on DC2

After installing the operating system on DC2, configure the TCP/IP properties to provide the server an IP address, subnet mask, DNS server and connection-specific suffix.

C. Rename the Computer to DC2

Change the default name of the computer assigned during setup to DC2.

D. Configure DC2 as a Domain Controller and DNS Server

DC2 will be the domain controller and the authoritative DNS server for the CORP domain. The CORP domain is the user account and resource domain in this POC lab scenario. The CORP domain controller and DNS server are required to authenticate production users connecting over DirectAccess and are part of the infrastructure the DirectAccess solution depends on.

E. Enable ISATAP Name Resolution on the DC2 DNS Server

By default, the Windows Server 2008 R2 DNS server will not answer queries for the ISATAP and WPAD host names. You will configure the DNS server so that it will answer queries for ISATAP.

F. Create a Reverse Lookup Zone on the DC2 DNS Server

A reverse lookup zone for network ID 10.0.0.0/24 is required to create a pointer record for DC2. The pointer record will allow reverse name resolution for DC2, which will prevent name resolution errors during several of the DNS-related configuration steps covered in this document. The reverse lookup zone is not required for a functional DirectAccess solution.

G. Enter a Pointer (PTR) Record on the DC2 DNS Server

A pointer record for DC2 will allow services to perform reverse name resolution for the DC2 computer. This will be useful when we perform several DNS-related operations later in this document. It is not required for a functional DirectAccess solution.

H. Create a Host (A) Record for ISATAP on the DC2 DNS Server

A DNS record for ISATAP is required so that ISATAP-capable computers on the network can obtain the IPv6 addressing and routing information used by their ISATAP adapters.

I. Configure Conditional Forwarding to the PILOT Domain on the DC2 DNS Server

In the POC lab scenario, computers in the CORP domain will need to resolve names of computers in the PILOT domain. We will configure conditional forwarding to the pilot.contoso.com domain on the DC2 DNS server so that computers using DC2 as a DNS server can resolve names in the PILOT domain.

J. Create a New Administrator Account in the Active Directory on DC2

As a network management best practice, you should not use the default domain Administrator account for regular network operations. For this reason we will create a new domain administrator account and use it when making configuration changes. Using an alternate domain admin account is not required for a functional DirectAccess solution.

K. Configure a Two-Way Trust between the CORP and PILOT Forests on DC2

We will create a two-way trust between the CORP and PILOT forests so that DirectAccess client users will be able to log on to and access resources in the CORP domain.

L. Install the Web Server Role on DC2

We will install the Web Server role on DC2 to demonstrate how DirectAccess client users are able to access Web services located on an IPv6-capable host on the production network (CORP).

M. Create a Shared Folder on the C:\ Drive of DC2

We will configure a shared folder on DC2 to demonstrate how DirectAccess client users are able to connect to Server Message Block (SMB) resources on the production network (CORP).

A. Install the OS on DC2

The first step is to install the Windows Server 2008 R2 operating system on the CORP domain's domain controller, DC2. Note that we used Windows Server 2008 R2 in this example out of choice, not out of requirements. You can use Windows Server 2003 as a domain controller if you like, because UAG DirectAccess supports an IPv4-only network infrastructure through IPv6/IPv4 transition technologies, including NAT64/DNS64. In this POC lab we will demonstrate connectivity to IPv4-only resources by configuring the APP3 computer with Windows Server 2003 later in this document.

Perform the following steps to install the operating system on DC2:

1. *On the DC2 computer or virtual machine, start the installation of Windows Server 2008 R2.

2. Follow the instructions to complete the installation, specifying Windows Server 2008 R2 Enterprise Edition and a strong password for the local Administrator account. Log on using the local Administrator account.

3. Connect the network adapter to the Corpnet subnet or corpnet virtual switch.

B. Configure TCP/IP Properties on DC2

After installing the operating system on DC2, configure the TCP/IP properties to provide the server an IP address, subnet mask, DNS server and connection-specific suffix.

Perform the following steps to configure TCP/IP properties on DC2:

1. In Initial Configuration Tasks, click Configure networking.

2. In Network Connections, right-click Local Area Connection, and then click Properties.

3. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

4. Select Use the following IP address, type 10.0.0.10 next to IP address, and type 255.255.255.0 next to Subnet mask.

5. Select the Use the following DNS server addresses option. Enter 10.0.0.10 in the Preferred DNS server text box.


6. Click Advanced, and then click the DNS tab.

7. In DNS suffix for this connection, type corp.contoso.com, click OK twice, and then click Close. (Note: configuring a DNS suffix is not required for DirectAccess to work correctly, but is used to simplify name resolution before a search suffix is assigned via domain membership , which we will configure later).

8. Close the Network Connections window.

C. Rename the Computer to DC2

Change the default name that setup assigned to the DC2 computer or virtual machine to DC2.

Perform the following steps to rename DC2:

1. In Initial Configuration Tasks, click Provide computer name and domain.

2. In System Properties, click Change. In Computer name, type DC2, and click OK twice, and then click Close. When prompted to restart the computer, click Restart Now.

3. After the restart, log on using the local Administrator account.

D. Configure DC2 as a Domain Controller and DNS Server

DC2 will be the domain controller and the authoritative DNS server for the CORP domain. The CORP domain is the user account and resource domain in this POC lab scenario. The CORP domain controller and DNS server are required to authenticate production network users connecting over the DirectAccess client connection from the Internet.

Perform the following steps to configure DC2 as a domain controller and DNS server:

1. On the DC2 computer or virtual machine, on the Initial Configuration Tasks page, click the Add Roles link.

2. Click Next on the Before You Begin page.

3. On the Select Server Roles page, click Active Directory Domain Services, click Add Required Features, click Next on the Introduction to the Active Directory Domain Services page, and click Install on the Confirm Installation Selections page. Click Close on the Installation Results page.

4. To start the Active Directory Installation Wizard, click Start, type dcpromo, and then press ENTER.

5. On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next.

6. On the Operating System Compatibility page, click Next.


7. On the Choose a Deployment Configuration page, click Create a new domain in a new forest, and then click Next.

8. On the Name the Forest Root Domain page, type corp.contoso.com, and then click Next.

9. On the Set Forest Functional Level page, in Forest Functional Level, click Windows Server 2008 R2, and then click Next. (Note that Windows Server 2008 R2 Forest Functional Level is not required for the DirectAccess solution to work correctly. You can use any of the available Forest Functional Levels.)

10. On the Additional Domain Controller Options page, ensure that the DNS Server option is selected and click Next, click Yes in the Active Directory Domain Services Installation Wizard dialog box, and then on the Location for Database, Log Files, and SYSVOL page, click Next.

11. On the Directory Services Restore Mode Administrator Password page, type a strong password twice, and then click Next.

12. On the Summary page, click Next.

13. In the Active Directory Domain Services Installation Wizard dialog box, put a checkmark in the Reboot on completion checkbox.

14. Log on to DC2 as CORP\Administrator.
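Steps B through D can also be scripted, which is useful when the lab is rebuilt more than once. The script below is an added example and is not part of the lab guide. It sets the static address and DNS server with netsh, writes the connection-specific suffix to the adapter's registry key (netsh has no switch for that value), renames the computer with netdom, and then promotes it with a dcpromo answer file whose keys mirror the wizard pages in step D (ForestLevel and DomainLevel 4 correspond to Windows Server 2008 R2). All addresses and names are the guide's; the adapter name, function names and temporary file are this example's assumptions. The rename forces a reboot, so run the two functions in two sessions.

```powershell
# Added example (not from the lab guide): DC2 steps B-D from the command line.
# Run elevated on the freshly installed server as the local Administrator.
#   1. Set-Dc2Network        (reboots for the rename)
#   2. Install-CorpForest    (after the reboot; reboots again when done)

function Set-Dc2Network {
    param([string]$Nic = 'Local Area Connection')   # default adapter name (assumed)

    # Step B: static IPv4 address and DNS server, both 10.0.0.10 per the guide.
    netsh interface ipv4 set address name="$Nic" source=static address=10.0.0.10 mask=255.255.255.0
    netsh interface ipv4 set dnsservers name="$Nic" source=static address=10.0.0.10 validate=no

    # Connection-specific suffix: the "Domain" value under the adapter's
    # Tcpip interface key is what the Advanced TCP/IP DNS tab edits.
    $guid = (Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$Nic'").GUID
    $ifKey = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\$guid"
    Set-ItemProperty -Path $ifKey -Name Domain -Value 'corp.contoso.com'

    # Step C: rename and reboot in 5 seconds.
    netdom renamecomputer $env:COMPUTERNAME /newname:DC2 /force /reboot:5
}

function Install-CorpForest {
    param([Parameter(Mandatory=$true)][string]$DsrmPassword)  # strong DSRM password, chosen by you

    # Step D, wizard pages as [DCINSTALL] keys. Level 4 = Windows Server 2008 R2.
    $answer = @"
[DCINSTALL]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=corp.contoso.com
DomainNetBiosName=CORP
ForestLevel=4
DomainLevel=4
InstallDNS=Yes
SafeModeAdminPassword=$DsrmPassword
RebootOnCompletion=No
"@
    $file = Join-Path $env:TEMP 'dcpromo-corp.txt'   # temp file name (assumed)
    Set-Content -Path $file -Value $answer -Encoding ASCII

    Import-Module ServerManager
    Add-WindowsFeature AD-Domain-Services | Out-Null   # step 3 of the guide
    dcpromo "/unattend:$file"

    # The answer file holds the DSRM password in clear text: delete it before
    # rebooting rather than relying on RebootOnCompletion.
    Remove-Item $file -Force
    Restart-Computer -Force
}
```

After the second reboot, log on as CORP\Administrator exactly as in step 14. Handing the DSRM password to the script on the command line still leaves it in the PowerShell history of that session; clearing the answer file is the minimum, not the whole of, the clean-up you would do on a production build.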

E. Enable ISATAP Name Resolution on the DNS Server on DC2

By default, the Windows Server 2008 R2 DNS server will not answer queries for the ISATAP and WPAD host names. You will configure the DNS server so that it will answer queries for ISATAP.

Perform the following steps to enable ISATAP name resolution on the DNS server on DC2:

1. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

2. In the command window, type dnscmd /config /globalqueryblocklist wpad, and then press ENTER.

3. In the command prompt window, type dnscmd /info /globalqueryblocklist to confirm that ISATAP is not included in the list. The output of the command should include Query result: String: wpad

4. Close the command window.

For more information on configuring the global query block list, please see http://download.microsoft.com/download/5/3/c/53cdc0bf-6609-4841-a7b9-cae98cc2e4a3/DNS_Server_Global_%20Query_Block%20List.doc


F. Create a Reverse Lookup Zone on the DC2 DNS Server

A reverse lookup zone for network ID 10.0.0.0/24 is required to create a pointer record for DC2. The pointer record will allow reverse name resolution for DC2, which will prevent name resolution errors during several of the DNS and forest related configuration steps covered in this document. The reverse lookup zone is not required for a functional DirectAccess solution.

Perform the following steps to create the reverse lookup zone:

1. Click Start, and point to Administrative Tools. Click DNS.

2. In the DNS Manager console, in the left pane of the console, expand the server name, and click Reverse Lookup Zones. Then right-click Reverse Lookup Zones and click New Zone.

3. On the Welcome to the New Zone Wizard page, click Next.

4. On the Zone Type page, click Next.

5. On the Active Directory Zone Replication Scope page, click Next.

6. On the first Reverse Lookup Zone Name page, leave IPv4 Reverse Lookup Zone selected and click Next.

7. On the second Reverse Lookup Zone Name page, select the Network ID option, and then enter 10.0.0 in the text box. Click Next.

8. On the Dynamic Update page, click Next.

9. On the Completing the New Zone Wizard page, click Finish.

10. Leave the DNS console open to complete the next procedure.

G. Enter a Pointer (PTR) Record for DC2 on the DC2 DNS Server

A pointer record for DC2 will allow for reverse name resolution for the DC2 computer. This will be useful when we perform several DNS and forest related operations later in this document. It is not required for a functional DirectAccess solution.

Perform the following steps to create the pointer record:

1. In the DNS Manager console, expand the Forward Lookup Zones node in the left pane of the console. Click on corp.contoso.com.

2. Double click on DC2 in the right pane of the console.

3. In the DC2 Properties dialog box, put a checkmark in the Update associated pointer (PTR) record checkbox and click OK.

4. Expand the Reverse Lookup Zones node in the left pane of the console and click 0.0.10.in-addr.arpa. Confirm that there is an entry for 10.0.0.10 in the middle pane of the console.


H. Create a Host (A) Record for ISATAP on the DC2 DNS Server

A DNS record for ISATAP is required so that ISATAP-capable computers on the network can obtain the IPv6 addressing and routing information used by their ISATAP adapters. The ISATAP DNS record will resolve to the IP address of the internal interface of the UAG DirectAccess computer in the PILOT domain.

Perform the following steps to add the ISATAP DNS record:

1. Click the corp.contoso.com forward lookup zone in the left pane of the console. Right click corp.contoso.com and click New Host (A or AAAA).

2. In the New Host dialog box, enter isatap in the Name (uses parent domain name if blank) text box. Then enter 10.0.0.2 in the IP address text box. (IP address 10.0.0.2 will be the IP address of the internal interface of the UAG server, which will act as the ISATAP router in this scenario).

3. Click Add Host. Then click OK in the DNS dialog box.

4. Click Done.

5. Confirm that there are entries for DC2 and ISATAP in the middle pane of the console.

6. Open a command prompt window and enter nslookup isatap and press ENTER. Confirm that DC2 is able to resolve ISATAP to 10.0.0.2. Close the command prompt window.

I. Configure Conditional Forwarding to the PILOT Domain on the DC2 DNS Server

In the POC lab scenario, computers in the CORP domain will need to resolve names of computers in the PILOT domain. We will configure conditional forwarding to the pilot.contoso.com domain on the DC2 DNS server so that computers using DC2 as a DNS server can resolve names in the PILOT domain.

Perform the following steps to enable conditional forwarding:

1. In the left pane of the DNS Manager console, click on Conditional Forwarders. Right click on Conditional Forwarders and click New Conditional Forwarder.

2. In the New Conditional Forwarder dialog box, in the DNS Domain text box, enter pilot.contoso.com.

3. In the IP addresses of the master servers list, enter 10.0.0.1 and press ENTER. (Note: the dialog box will show a red circle with an "X" in it and report that the server with this IP address is not authoritative for the required zone. This validation result is spurious; you will confirm in step 7 that the address validates once the forwarder has been saved.)

4. Click OK.

5. Expand Conditional Forwarders and click pilot.contoso.com, then right-click pilot.contoso.com and click Properties.


6. In the pilot.contoso.com Properties dialog box, click the Edit button.

7. In the Edit Conditional Forwarder dialog box, you will see in the IP addresses of the master servers section that the IP address is validated. Click OK.

8. Click OK in the pilot.contoso.com Properties dialog box.

9. Close the DNS Manager console.

10. *Move to the DC1 computer and open the DNS Manager.

11. Expand the computer name, then expand the Conditional Forwarders node. Click the corp.contoso.com node and then right click it. Click Properties.

12. In the corp.contoso.com Properties dialog box, click the Edit button.

13. Confirm that the address of the corp.contoso.com master server is validated. Click OK.

14. Click OK in the corp.contoso.com Properties dialog box.

15. Close the DNS Manager console.

16. *Return to the DC2 computer.
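Steps E through I are all DNS server changes, and dnscmd, which the guide already uses in step E, can do every one of them. The script below is an added example and not the guide's own procedure; it creates the same objects as the DNS Manager steps (query block list, AD-integrated reverse zone with secure dynamic updates, PTR record, ISATAP host record, conditional forwarder) and then checks the results with nslookup against the local server. Zone names and addresses are the guide's; the assumption that DC1 is registered as dc1.pilot.contoso.com in the PILOT zone, and the function name, are this example's own.

```powershell
# Added example (not from the lab guide): DC2 DNS steps E-I with dnscmd.
# Run elevated on DC2 as CORP\Administrator after the domain controller
# promotion has completed.

$Zone    = 'corp.contoso.com'
$RevZone = '0.0.10.in-addr.arpa'   # reverse zone for 10.0.0.0/24
$Dc1     = '10.0.0.1'              # PILOT DNS server (DC1)
$UagInt  = '10.0.0.2'              # UAG internal interface = ISATAP router

# E. The block list is replaced as a whole, not edited: listing only "wpad"
#    removes "isatap" so the server starts answering for it.
dnscmd /config /globalqueryblocklist wpad

# F. AD-integrated reverse zone. /allowupdate 2 = secure dynamic updates only,
#    which is what the wizard's default Dynamic Update page selects.
dnscmd /zoneadd $RevZone /dsprimary
dnscmd /config $RevZone /allowupdate 2

# G. PTR for DC2: node "10" in the reverse zone -> dc2.corp.contoso.com.
dnscmd /recordadd $RevZone 10 PTR "dc2.$Zone."

# H. Host record the ISATAP adapters will query.
dnscmd /recordadd $Zone isatap A $UagInt

# I. AD-stored conditional forwarder for the PILOT domain.
dnscmd /zoneadd pilot.contoso.com /dsforwarder $Dc1

function Test-Dc2Dns {
    # Query the local server directly so the test does not depend on the
    # adapter's DNS settings. Returns $true only if every check passes.
    $ok = $true
    $expected = @{
        "isatap.$Zone"          = $UagInt   # step H
        'dc1.pilot.contoso.com' = $Dc1      # step I, via the forwarder (assumed name)
    }
    foreach ($name in $expected.Keys) {
        $out = nslookup $name 127.0.0.1 2>&1 | Out-String
        if ($out -notmatch [regex]::Escape($expected[$name])) {
            Write-Warning "$name did not resolve to $($expected[$name])"
            $ok = $false
        }
    }
    $ptr = nslookup 10.0.0.10 127.0.0.1 2>&1 | Out-String   # step G
    if ($ptr -notmatch 'dc2') {
        Write-Warning 'reverse lookup for 10.0.0.10 failed'
        $ok = $false
    }
    $ok
}

Test-Dc2Dns
```

Because /globalqueryblocklist overwrites the whole list, run dnscmd /info /globalqueryblocklist afterwards, as in step E, if you have added other names to it; anything not re-listed is gone.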

J. Create a New Administrator User Account in Active Directory on DC2

As a network management best practice, you should not use the default domain Administrator account for regular network operations. For this reason we will create a new domain administrator account and use it when making configuration changes. Using an alternate domain admin account is not required for a functional DirectAccess solution.

Perform the following steps to create a new administrator account:

1. At the DC2 computer, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

2. In the console tree, open corp.contoso.com, right-click Users, point to New, and then click User.

3. In the New Object - User dialog box, next to Full name, type User2 and in User logon name, type User2.

4. Click Next.

5. In Password, type the password that you want to use for this account, and in Confirm password, type the password again.

6. Clear the User must change password at next logon check box, and select the Password never expires check box.


7. Click Next, and then click Finish.

8. In the console tree, click Users.

9. In the details pane, double-click Domain Admins.

10. In the Domain Admins Properties dialog box, click the Members tab, and then click Add.

11. Under Enter the object names to select (examples), type User2, and then click OK twice.

12. Close the Active Directory Users and Computers console.

K. On DC2, Configure a Two-Way Trust between the CORP and PILOT Forests

We will create a two-way trust between the CORP and PILOT forests so that DirectAccess client users will be able to log on to and access resources in the CORP domain.

Perform the following steps to create the two-way trust between the CORP and PILOT Forests:

1. At the DC2 computer, click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.

2. In the Active Directory Domains and Trusts console, click the corp.contoso.com entry in the left pane and then right click it. Click Properties.

3. In the corp.contoso.com Properties dialog box, click the Trusts tab.

4. On the Trusts tab, click the New Trust button.

5. On the Welcome to the New Trust Wizard page, click Next.

6. On the Trust Name page, in the Name text box, enter pilot.contoso.com. Click Next.

7. On the Trust Type page, select the Forest Trust option. Click Next.

8. On the Direction of Trust page, select the Two-way option. Click Next.

9. On the Sides of Trust page, select the Both this domain and the specified domain option and click Next.

10. On the User Name and Password page, enter in the User name text box PILOT\Administrator and the administrator’s password in the PILOT domain. Click Next.

11. On the Outgoing Trust Authentication Level-Local Forest page, select the Forest-wide authentication option and click Next.

12. On the Outgoing Trust Authentication Level—Specified Forest page, select the Forest-wide authentication option and click Next.


13. On the Trust Selections Complete page, click Next.

14. On the Trust Creation Complete page, click Next.

15. On the Confirm Outgoing Trust page, select Yes, confirm the outgoing trust option and click Next.

16. On the Confirm Incoming Trust page, select Yes, confirm the incoming trust option and click Next.

17. On the Completing the New Trust Wizard page, click Finish.

18. In the corp.contoso.com Properties dialog box, click OK.

19. Close the Active Directory Domains and Trusts console.
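The wizard reports success, but the checks below, an added example and not part of the lab guide, show what was actually created: netdom verifies the trust secure channel in both directions, nltest lists the trust as the DC sees it, and the trustedDomain object's trustAttributes value shows whether it is a forest (transitive) trust and whether selective authentication is on. The guide chooses forest-wide authentication, which lets any PILOT user authenticate to any CORP computer (subject to the resource ACLs); selective authentication is the tighter setting outside a lab, and the last field tells you which one you have. Domain names and the PILOT account are the guide's; the function name is this example's own.

```powershell
# Added example (not from the lab guide): verify the CORP <-> PILOT forest
# trust from DC2. Run as a CORP domain administrator; netdom prompts for the
# PILOT\Administrator password because /passwordd:* is used.

function Test-LabForestTrust {
    param(
        [string]$Local      = 'corp.contoso.com',
        [string]$Remote     = 'pilot.contoso.com',
        [string]$RemoteUser = 'PILOT\Administrator'
    )

    # Secure-channel and trust-password check in both directions (/twoway).
    netdom trust $Local /domain:$Remote /verify /twoway /userd:$RemoteUser /passwordd:*

    # Every trust the DC knows about; the remote forest must appear here.
    $trusts    = nltest /domain_trusts /all_trusts | Out-String
    $hasRemote = ($trusts -match [regex]::Escape($Remote))

    # The trustedDomain object under CN=System carries the trust flags:
    #   0x08 TRUST_ATTRIBUTE_FOREST_TRANSITIVE  -> forest trust
    #   0x10 TRUST_ATTRIBUTE_CROSS_ORGANIZATION -> selective authentication
    $searcher = New-Object DirectoryServices.DirectorySearcher(
        "(&(objectClass=trustedDomain)(trustPartner=$Remote))")
    $tdo   = $searcher.FindOne()
    $attrs = 0
    if ($tdo) { $attrs = [int]$tdo.Properties['trustattributes'][0] }

    New-Object PSObject -Property @{
        TrustListed   = $hasRemote
        ObjectFound   = ($tdo -ne $null)
        ForestTrust   = (($attrs -band 0x08) -ne 0)
        SelectiveAuth = (($attrs -band 0x10) -ne 0)   # False = forest-wide, as in step 11/12
    }
}

Test-LabForestTrust
```

Expect TrustListed, ObjectFound and ForestTrust to be True and SelectiveAuth to be False for the configuration the guide builds. If netdom reports that the trust password is out of sync, rerun it with /reset instead of /verify rather than deleting and recreating the trust.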

L. Install the Web Server Role on DC2

We will install the Web Server role on DC2 to demonstrate how DirectAccess client users are able to access Web services located on an IPv6-capable host on the production network (CORP).

Perform the following steps to install the web services role on DC2:

1. On the DC2 computer or virtual machine, in the Initial Configuration Tasks window, click the Add Roles link.

2. On the Before You Begin page, click Next.

3. On the Select Server Roles page, select the Web Server (IIS) check box, and then click Next.

4. On the Introduction to Web Server (IIS) page, click Next.

5. On the Select Role Services page, click Next.

6. On the Confirm Installation Selections page, click Install.

7. Verify that all installations were successful, and then click Close.

M. Create a Shared Folder on the C:\ Drive of DC2

We will configure a shared folder on DC2 to demonstrate how DirectAccess client users are able to connect to Server Message Block (SMB) resources on the production network (CORP).

Perform the following steps to create the shared folder on DC2:

1. At the DC2 computer or virtual machine, click Start, and then click Computer.

2. Double-click the drive on which Windows Server 2008 R2 is installed.

3. Click New Folder, type Files, and then press ENTER. Leave the Local Disk window open.


4. Click Start, click All Programs, click Accessories, right-click Notepad, and then click Run as administrator.

5. In the Untitled – Notepad window, type This is a shared file on DC2.

6. Click File, click Save, double-click Computer, double-click the drive on which Windows Server 2008 R2 is installed, and then double-click the Files folder.

7. In File name, type Example.txt, and then click Save. Close the Notepad window.

8. In the Local Disk window, right-click the Files folder, point to Share with, and then click Specific people.

9. Click Share, and then click Done. (Note: this provides Full Control share permissions to Everyone, and NTFS Full Control permissions to SYSTEM, Administrator, and CORP\Administrators.)

10. Close the Local Disk window.
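The Share with Specific people dialog used in DC1 step Q and DC2 step M grants Everyone Full Control at the share level and leaves all access control to NTFS. The script below is an added example, not the guide's own procedure, and creates the same Files share and Example.txt on either server from the command line, but grants the share and the NTFS read permission to one named group instead of Everyone. The group name is an assumption: CORP\Domain Users suits DC2, and also DC1 once the forest trust from DC2 step K exists; before that, use a PILOT group on DC1. Folder and file names and the file contents follow the guide.

```powershell
# Added example (not from the lab guide): create the Files share on DC1 or DC2
# with least-privilege permissions instead of Everyone / Full Control.
# Run elevated on the server that will host the share.

function New-LabFilesShare {
    param(
        [string]$Server     = $env:COMPUTERNAME,               # DC1 or DC2
        [string]$ShareGroup = 'CORP\Domain Users',             # readers (assumed)
        [string]$Path       = (Join-Path $env:SystemDrive 'Files')
    )
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    Set-Content -Path (Join-Path $Path 'Example.txt') -Value "This is a shared file on $Server."

    # NTFS: read and execute for the group, inherited by files and subfolders.
    # SYSTEM and Administrators already have Full Control inherited from the
    # system drive root, which is the set the guide's note lists.
    icacls $Path /grant "${ShareGroup}:(OI)(CI)RX" | Out-Null

    # Share-level ACL: READ for the group only; no Everyone entry is created.
    net share "Files=$Path" "/GRANT:$ShareGroup,READ"
}

function Test-LabFilesShare {
    param([string]$Server)
    # From a DirectAccess client on the simulated Internet this request goes
    # through the IPsec tunnels; a True result is the SMB test the guide wants.
    Test-Path "\\$Server\Files\Example.txt"
}

New-LabFilesShare
```

Share permissions and NTFS permissions combine by taking the more restrictive result, so the Everyone / Full Control share the dialog creates is harmless only as long as NTFS stays tight; granting READ at the share level means a later NTFS mistake cannot turn the test folder into a world-writable drop.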

3. Configure APP1 (PILOT Domain)

APP1 is a Windows Server 2008 R2 computer that acts as the Network Location Server (NLS). We chose not to install the NLS on the domain controller, even though that would have reduced the number of machines required for the lab network, because an NLS on the DC can be problematic if the DC is IPv6 based.

You will perform the following operations to configure APP1:

A. Install the operating system on APP1

The first step is to install Windows Server 2008 R2 Enterprise Edition on APP1.

B. Configure TCP/IP properties on APP1

Give APP1 an IP address, subnet mask, DNS server address and connection-specific suffix.

C. Rename APP1 and join it to the PILOT domain

Change the setup-generated computer name to APP1 and join the computer to the pilot.contoso.com domain.

D. Obtain a Web site certificate for APP1

APP1 will act as the Network Location Server. To enable this role, APP1 will need a Web site certificate so that the DirectAccess clients will be able to establish an SSL connection to a Web site on APP1. DirectAccess clients reach this site by connecting to the Network Location Server name, which is nls.pilot.contoso.com in this scenario.

E. Install Web services on APP1

You will install IIS Web services on APP1 so that it can host the Network Location Server Web site.

F. Configure the HTTPS security binding on the APP1 Web site

You need to bind the Web site certificate to a Web site on APP1 so that it can respond to SSL connection requests from the DirectAccess clients on the corporate network.

A. Install the OS on APP1

The first step is to install Windows Server 2008 R2 Enterprise Edition on APP1. This is not a requirement: another operating system, including an IPv4-only one, could host the NLS Web site. The goal is to provide an SSL Web site that the DirectAccess clients can connect to so that they can determine whether they are on the corporate network.

Perform the following steps to install the operating system on APP1:

1. On the APP1 computer or virtual machine, start the installation of Windows Server 2008 R2 Enterprise Edition.

2. Follow the instructions to complete the installation, specifying Windows Server 2008 R2 Enterprise Edition and a strong password for the local Administrator account. Log on using the local Administrator account.

3. Connect the network adapter to the Corpnet subnet or the virtual switch representing the corpnet subnet.

B. Configure TCP/IP Properties on APP1

After installing the operating system on APP1, configure its TCP/IP properties to provide the server an IP address, subnet mask, DNS server address and connection-specific suffix. Note that the connection-specific suffix is not required for a working DirectAccess solution, but it simplifies name resolution before the DNS infrastructure in the POC lab environment is complete.

Perform the following steps to configure the TCP/IP properties on APP1:

1. On the APP1 computer or virtual machine, in Initial Configuration Tasks, click Configure networking.

2. In Network Connections, right-click Local Area Connection, and then click Properties.

3. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

4. Select Use the following IP address, type 10.0.0.3 next to IP address, and type 255.255.255.0 next to Subnet mask.

5. Select the Use the following DNS server addresses option. Enter 10.0.0.1 in the Preferred DNS server text box.

6. Click Advanced, and then click the DNS tab.

7. In DNS suffix for this connection, type pilot.contoso.com, click OK twice, and then click Close. (Note: configuring a DNS suffix is not required for DirectAccess to work correctly, but is used to simplify name resolution before a search suffix list is assigned via Group Policy, which we will configure later).

8. Close the Network Connections window.


C. Rename the APP1 Computer or Virtual Machine and Join the PILOT Domain

The installation routine created a default computer name. Now you will change the computer name from its default to APP1.

Perform the following steps to rename APP1 and join it to the PILOT domain:

1. On the APP1 computer or virtual machine, in Initial Configuration Tasks, click Provide computer name and domain.

2. In the System Properties dialog box, click Change. In the Computer Name/Domain Changes dialog box, in the Computer name text box, enter APP1. In the Member of frame, select the Domain option, and enter pilot.contoso.com in the text box. Click OK.

3. In the Computer Name/Domain Changes dialog box, enter PILOT\User1 in the User name text box and the password in the Password text box. Click OK.

4. After restarting, log on as PILOT\User1.

D. Obtain NLS Certificate for SSL Connections to Network Location Server on APP1

The Network Location Server is used by computers configured to be DirectAccess clients to determine if the computer is on-network or off-network. If the computer can connect to the Network Location Server using HTTPS, then the computer determines that it is on the intranet and will turn off the Name Resolution Policy Table (NRPT). If the computer is not able to connect to the Network Location Server using HTTPS, then it determines that it is not on the intranet and will use the DNS servers listed in the NRPT instead of the DNS server configured on its local interface. The Network Location Server requires a Web site certificate to enable SSL session establishment with the computer configured as a DirectAccess client. The subject name on this certificate must match the name that the computer will use to connect to the Network Location Server. On our POC lab network, the computer will try to connect to nls.pilot.contoso.com. You will use this name later in the DirectAccess configuration wizard on the UAG server.

Perform the following steps to obtain the NLS certificate:

1. On the APP1 computer or virtual machine, click Start, type mmc, and then press ENTER.

2. Click File, and then click Add/Remove Snap-in.

3. Click Certificates, click Add, select Computer account, click Next, select Local computer, click Finish, and then click OK.

4. In the left pane of the console, expand Certificates (Local Computer)\Personal\Certificates.

5. Right-click Certificates, point to All Tasks, and then click Request New Certificate.

6. On the Before You Begin page, click Next.


7. On the Select Certificate Enrollment Policy page, select the Active Directory Enrollment Policy entry and click Next.

8. On the Request Certificates page, put a checkmark in the Web Server 2008 checkbox, and then click More information is required to enroll for this certificate.

9. On the Subject tab of the Certificate Properties dialog box, in the Subject name section, for Type, select Common Name.

10. In Value, type nls.pilot.contoso.com, and then click Add.

11. In the Alternative name section, for Type, select DNS.

12. In Value, type nls.pilot.contoso.com, and then click Add.

13. Click OK, click Enroll, and then click Finish.

14. In the details pane of the Certificates snap-in, verify that a new certificate with the name nls.pilot.contoso.com was enrolled with Intended Purposes of Server Authentication.

15. Right-click the nls.pilot.contoso.com certificate and click Properties.

16. In the nls.pilot.contoso.com Properties dialog box, in the Friendly name text box, enter NLS Certificate. Click OK. (Note: this is not required for the DirectAccess solution to work, but this makes the certificate easy to identify when binding it to the NLS Web site’s SSL listener).

17. Close the console window. If you are prompted to save settings, click No.

E. Install the Web Server Role on APP1

APP1 will host the Network Location Server. Since the Network Location Server is a web server that can accept SSL connections from computers configured to be DirectAccess clients, we must install the web server role on the Network Location Server.

Perform the following steps to install the web server role on APP1:

1. On the APP1 computer or virtual machine, in the Initial Configuration Tasks window, click the Add Roles link.

2. On the Before You Begin page, click Next.

3. On the Select Server Roles page, select the Web Server (IIS) check box, and then click Next.

4. On the Introduction to Web Server (IIS) page, click Next.

5. On the Select Role Services page, click Next.

6. On the Confirm Installation Selections page, click Install.


7. Verify that all installations were successful, and then click Close.

F. Configure the HTTPS Security Binding on the NLS Web Site on APP1

After the web server role is installed, you need to bind the Network Location Server web site certificate to an SSL listener on the web site. This is required for the web server to establish an SSL connection with the computer configured as a DirectAccess client, and is a required component of a DirectAccess solution.

Perform the following steps to configure the HTTPS security binding on APP1:

1. On the APP1 computer or virtual machine, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

2. In the left pane of the console, open APP1/Sites, and then click Default Web Site.

3. In the Actions pane, click Bindings.

4. In the Site Bindings dialog box, click Add.

5. In the Add Site Binding dialog box, in Type, click https. In SSL Certificate, click nls.pilot.contoso.com.

6. Click the View button.

7. In the Certificate dialog box, confirm that the certificate was Issued to: nls.pilot.contoso.com. (This is the name the DirectAccess client computer must use to connect to the Network Location Server.)

8. In the Add Site Binding dialog box, click OK.

9. In the Site Bindings dialog box, click Close.

10. Close the Internet Information Services (IIS) Manager console.
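As an added example (not part of the lab guide), the following PowerShell script performs the same probe a DirectAccess client makes against the Network Location Server described in section D: it resolves nls.pilot.contoso.com, completes a fully validated TLS handshake against the binding configured above, inspects the certificate's subject, SAN and EKU, and reads an HTTP status line. Assumptions: PowerShell 2.0 on a domain-joined corpnet machine that trusts pilot-DC1-CA; the NLS name and port are the lab's.

```powershell
# Added example, not part of the lab guide: reproduce the inside/outside probe a
# DirectAccess client makes against the Network Location Server.
# Assumptions: PowerShell 2.0 on a domain-joined Windows 7 / 2008 R2 machine on the
# corpnet; NLS name and port are the lab's (nls.pilot.contoso.com, 443).

function Test-NetworkLocationServer {
    param(
        [string]$HostName = "nls.pilot.contoso.com",
        [int]$Port = 443
    )
    $serverAuthOid = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
    $r = New-Object PSObject -Property @{
        HostName = $HostName; ResolvedTo = $null; TlsOk = $false; Subject = $null
        SanDnsNames = @(); HasServerAuthEku = $false; HttpStatusLine = $null; Error = $null
    }
    $tcp = $null; $ssl = $null
    try {
        # 1. Name resolution through the interface DNS server: on the intranet the NRPT
        #    is off, so the NLS name must be answered by the corpnet DNS (DC1 here).
        $r.ResolvedTo = @([System.Net.Dns]::GetHostAddresses($HostName) |
                          ForEach-Object { $_.IPAddressToString })

        $tcp = New-Object System.Net.Sockets.TcpClient
        $tcp.Connect($HostName, $Port)

        # 2. TLS handshake with full validation: the certificate must chain to a root the
        #    machine trusts (pilot-DC1-CA) and its name must match the URL's host name.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $r.TlsOk = $true

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
                    $ssl.RemoteCertificate)
        $r.Subject = $cert.Subject
        foreach ($ext in $cert.Extensions) {
            if ($ext.Oid.Value -eq "2.5.29.17") {          # subjectAltName
                $r.SanDnsNames = @($ext.Format($false) -split "," |
                    ForEach-Object { $_.Trim() } |
                    Where-Object { $_ -like "DNS Name=*" } |
                    ForEach-Object { $_.Substring(9) })
            }
            if ($ext.Oid.Value -eq "2.5.29.37") {          # extendedKeyUsage
                $r.HasServerAuthEku = [bool]($ext.EnhancedKeyUsages |
                    Where-Object { $_.Value -eq $serverAuthOid })
            }
        }

        # 3. The client expects an HTTP response from the NLS, not only a handshake.
        $writer = New-Object System.IO.StreamWriter($ssl)
        $writer.Write("GET / HTTP/1.1`r`nHost: $HostName`r`nConnection: close`r`n`r`n")
        $writer.Flush()
        $reader = New-Object System.IO.StreamReader($ssl)
        $r.HttpStatusLine = $reader.ReadLine()
    }
    catch {
        # A failure in AuthenticateAsClient means chain or name validation failed: the
        # client would consider itself off-network and keep the NRPT active.
        $r.Error = $_.Exception.Message
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Close() }
    }
    $r
}

Test-NetworkLocationServer | Format-List
```

A result with TlsOk true, the lab name in SanDnsNames, HasServerAuthEku true and an HTTP status line is what the client needs to decide it is on the intranet; any Error text identifies which of the binding, certificate or DNS steps is wrong.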

4. Configure UAG1 (PILOT DOMAIN)

The UAG1 computer or virtual machine will act as the UAG DirectAccess server for the network, and will belong to the PILOT domain. UAG1 will be connected to both the simulated Internet and the intranet and will need one network interface connected to each of these networks. The UAG DirectAccess server provides the following network services:

ISATAP router
An ISATAP router is an IPv6 router that advertises subnet prefixes to ISATAP hosts and forwards IPv6 traffic between ISATAP hosts and hosts on other IPv6 subnets. The ISATAP router provides ISATAP clients the information they need to properly configure their ISATAP adapters. For more information about ISATAP, please see http://technet.microsoft.com/en-us/magazine/2008.03.cableguy.aspx

Teredo server
A Teredo server is an IPv6/IPv4 node that is connected to both the IPv4 Internet and the IPv6 intranet and supports a Teredo tunneling interface over which packets are received. The general role of the Teredo server is to assist in the address configuration of Teredo clients and to facilitate the initial communication between Teredo clients and other Teredo clients or between Teredo clients and IPv6-only hosts. The Teredo server listens on UDP port 3544 for Teredo traffic. DirectAccess clients located behind NAT devices and firewalls use Teredo to connect to the UAG DirectAccess server. For more information on Teredo, please see http://technet.microsoft.com/en-us/library/bb457011.aspx

IPsec gateway
The Full Intranet Access model (which is used in this POC lab document) allows DirectAccess clients to connect to all resources inside the intranet. It does this by using IPsec-based tunnel policies that require authentication and encryption; the IPsec sessions terminate at the IPsec Gateway. The IPsec Gateway is a function that is hosted on the UAG DirectAccess server.

IP-HTTPS server
IP-HTTPS is a new protocol for Windows 7 and Windows Server 2008 R2 that allows hosts behind a Web proxy server or firewall to establish connectivity by tunneling IPv6 packets inside an IPv4-based HTTPS session. HTTPS is used instead of HTTP so that Web proxy servers will not attempt to examine the data stream and terminate the connection. The UAG DirectAccess server uses an IP-HTTPS listener to accept incoming IP-HTTPS connections.

NAT64/DNS64 IPv6/IPv4 protocol translator
The UAG DirectAccess server includes NAT64 and DNS64, which enable DirectAccess clients on the Internet to connect to IPv4 resources on the intranet. DirectAccess clients always use IPv6 to communicate with intranet servers. When a DirectAccess client needs to connect to an IPv4 resource on the intranet, it issues a DNS query for the FQDN of the resource. DNS64 intercepts the request, sends the query to the intranet DNS server, and obtains the IPv4 address of the resource. DNS64 then dynamically generates an IPv6 address that represents the IPv4 resource and returns it to the client; in addition, DNS64 informs NAT64 of the IPv4/IPv6 mapping. The client sends its request to the dynamically generated IPv6 address, which is intercepted by NAT64, and NAT64 forwards the request to the IPv4 address of the intranet resource. NAT64 also returns the response based on entries in its state table. For more information about DNS64 and NAT64, please see http://blogs.technet.com/edgeaccessblog/archive/2009/09/08/deep-dive-into-directaccess-nat64-and-dns64-in-action.aspx

6to4 relay router
A 6to4 relay router can accept traffic from DirectAccess clients using the 6to4 IPv6 transition technology and forward the traffic over an IPv4 intranet. The UAG DirectAccess server acts as the 6to4 relay router and provides addressing information to the DirectAccess clients. DirectAccess clients use this information to configure their 6to4 tunnel adapter to forward IPv6 messages over the IPv4 Internet to the UAG DirectAccess server. For more information on 6to4 please see http://technet.microsoft.com/en-us/library/cc756770(WS.10).aspx

We will perform the following procedures on the UAG1 computer or virtual machine:

A. Install the operating system on UAG1.
The first step is to install the Windows Server 2008 R2 operating system on the UAG1 computer or virtual machine. Forefront Unified Access Gateway 2010 requires Windows Server 2008 R2.

B. Configure TCP/IP Properties on UAG1.
After installing the operating system on UAG1, configure the TCP/IP Properties to provide the server an IP address, subnet mask, DNS server and connection specific suffix on both the internal and external interfaces. Settings are configured on both the Internet and the corpnet interfaces.

C. Rename the UAG1 Computer and Join it to the PILOT Domain.
Change the default computer name assigned during setup to UAG1.

D. Obtain a Certificate for the IP-HTTPS Listener on UAG1.
The UAG DirectAccess server uses an IP-HTTPS listener to accept incoming IP-HTTPS connections from DirectAccess clients on the Internet. The IP-HTTPS Listener requires a web site certificate to support the SSL connection between itself and the DirectAccess client.

E. Install Forefront UAG on UAG1.
You will install the Forefront Unified Access Gateway software on the UAG1 computer or virtual machine.

F. Run the UAG Getting Started Wizard on UAG1.
The UAG Getting Started Wizard walks you through the process of initial configuration of the UAG server.

G. Run the UAG DirectAccess Configuration Wizard on UAG1.
DirectAccess is not enabled by default. To enable DirectAccess features and capabilities on UAG1, you will need to run the DirectAccess Configuration Wizard.

H. Confirm Group Policy Settings on UAG1.
The UAG DirectAccess wizard configures GPO objects and settings that are automatically deployed to the Active Directory. One GPO is assigned to the UAG DirectAccess server, and one is deployed to machines that belong to the DirectAccess Clients security group. You will confirm that the Group Policy settings were deployed to the UAG DirectAccess server.

I. Confirm IPv6 Settings on UAG1.
For the DirectAccess solution to function, the IPv6 settings on UAG1 must be correct. You will confirm these settings on UAG1.

J. Update IPv6 Settings on DC1.
DC1 is capable of being an ISATAP host. However, this functionality might not be immediately available. You can expedite DC1 setting itself up as an ISATAP host by updating its IPv6 configuration.

K. Update IPv6 Settings on DC2.
DC2 is capable of being an ISATAP host. However, this functionality might not be immediately available. You can expedite DC2 setting itself up as an ISATAP host by updating its IPv6 configuration.

L. Confirm IPv6 Address Registration in DNS.
IPv6 capable hosts can communicate with one another over IPv6 using their ISATAP adapters. However, they must be able to resolve the destination host to an IPv6 address to use this capability. You will confirm that the IPv6 ISATAP addresses are registered in DNS.

M. Confirm IPv6 Connectivity between DC1/DC2/UAG1.
After activating the IPv6 settings on DC1, DC2 and UAG1, test IPv6 connectivity by using the ping utility.

A. Install the OS on UAG1

The first step is to install the Windows Server 2008 R2 operating system on the UAG1 computer or virtual machine. Forefront Unified Access Gateway 2010 requires Windows Server 2008 R2.

1. At the UAG1 computer or virtual machine, start the installation of Windows Server 2008 R2.

2. Follow the instructions to complete the installation, specifying Windows Server 2008 R2 Enterprise Edition and a strong password for the local Administrator account. Log on using the local Administrator account.

3. Connect one network interface to the simulated Internet or virtual switch representing the simulated Internet and one to the corpnet or virtual switch representing the corpnet.

B. Configure TCP/IP Properties on UAG1

After installing the operating system on UAG1, configure the TCP/IP Properties to provide the server an IP address, subnet mask, DNS server and connection specific suffix on both the internal and external interfaces. Settings are configured on both the Internet and the corpnet interfaces. Note that you will assign two consecutive public IP addresses to the external interface of UAG1. This is required to support DirectAccess clients that use Teredo. Public IP addresses are required: if you use private IP addresses, the UAG DirectAccess Configuration Wizard will warn you about the configuration and will not enable DirectAccess.

Perform the following steps to configure TCP/IP properties on UAG1:

1. At the UAG1 computer or virtual machine, in Initial Configuration Tasks, click Configure networking.

2. In Network Connections, right-click the network connection that is connected to the Corpnet subnet or virtual switch, and then click Rename.

3. Type Corpnet, and then press ENTER.

4. Right-click Corpnet, and then click Properties.

5. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.


6. Select Use the following IP address. In IP address, type 10.0.0.2. In Subnet mask, type 255.255.255.0.

7. Select Use the following DNS server addresses. In Preferred DNS server, type 10.0.0.1.

8. Click Advanced, and then click the DNS tab.

9. In DNS suffix for this connection, type pilot.contoso.com, click OK twice, and then click Close. (A connection specific DNS suffix is not required for DirectAccess to work correctly).

10. In the Network Connections window, right-click the network connection that is connected to the Internet subnet, and then click Rename.

11. Type Internet, and then press ENTER.

12. Right-click Internet, and then click Properties.

13. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

14. Select Use the following IP address. In IP address, type 131.107.0.2. In Subnet mask, type 255.255.255.0.

15. Click Advanced. On the IP Settings tab, click Add for IP Addresses.

16. In IP address, type 131.107.0.3. In Subnet mask, type 255.255.255.0, and then click Add.

17. Click the DNS tab.

18. In DNS suffix for this connection, type isp.example.com, and then click OK twice and then click Close. (A connection specific DNS suffix is not required for DirectAccess to work correctly).

19. Close the Network Connections window.

20. To check network communication between UAG1 and DC1/DC2, click Start, click All Programs, click Accessories, and then click Command Prompt.

21. In the command window, type ping dc1.pilot.contoso.com and press ENTER. Then type ping dc2.corp.contoso.com and press ENTER.

22. Verify that there are four responses from 10.0.0.1 and four responses from 10.0.0.10.

23. Close the command window.
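As an added example (not part of the lab guide), the following PowerShell script checks the external-interface rule the UAG DirectAccess Configuration Wizard enforces (two consecutive public IPv4 addresses) and then applies the addressing from steps 1 through 22 with netsh and WMI, the tools available on Windows Server 2008 R2. Assumptions: the adapters have already been renamed Corpnet and Internet as in steps 2-3 and 10-11, the session is an elevated PowerShell 2.0 session on UAG1, and the private-range list used for the public-address check is my own, not the wizard's.

```powershell
# Added example, not part of the lab guide. Assumes adapters already renamed Corpnet and
# Internet, elevated PowerShell 2.0 on UAG1, and the lab's addresses as defaults.

function Test-DirectAccessExternalAddresses {
    param([string]$First, [string]$Second, [string]$Mask = "255.255.255.0")

    # Dotted quad to a 64-bit integer; -shl is PowerShell 3.0+, so multiply instead.
    function ToInt64([string]$ip) {
        $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
        return ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
    }
    # Blocks that are not public Internet addresses (assumed list: RFC 1918, link-local,
    # loopback); the wizard refuses private addresses on the Internet-facing interface.
    $nonPublic = @(
        @{ Net = "10.0.0.0";    Bits = 8 }, @{ Net = "172.16.0.0";  Bits = 12 },
        @{ Net = "192.168.0.0"; Bits = 16 }, @{ Net = "169.254.0.0"; Bits = 16 },
        @{ Net = "127.0.0.0";   Bits = 8 }
    )
    $problems = @()
    $f = ToInt64 $First; $s = ToInt64 $Second; $m = ToInt64 $Mask
    foreach ($ip in @($First, $Second)) {
        $n = ToInt64 $ip
        foreach ($range in $nonPublic) {
            $prefixMask = [long](4294967295 - [math]::Pow(2, 32 - $range.Bits) + 1)
            if (($n -band $prefixMask) -eq (ToInt64 $range.Net)) {
                $problems += "$ip is not a public address ($($range.Net)/$($range.Bits))"
            }
        }
    }
    # Teredo needs the two addresses to be consecutive and on the same subnet.
    if (($s - $f) -ne 1) { $problems += "$First and $Second are not consecutive" }
    if (($f -band $m) -ne ($s -band $m)) { $problems += "addresses are not in the same subnet" }
    New-Object PSObject -Property @{ IsValid = ($problems.Count -eq 0); Problems = $problems }
}

function Set-Uag1LabAddressing {
    param(
        [string]$InternalIp = "10.0.0.2", [string]$InternalDns = "10.0.0.1",
        [string]$ExternalFirst = "131.107.0.2", [string]$ExternalSecond = "131.107.0.3",
        [string]$Mask = "255.255.255.0"
    )
    $check = Test-DirectAccessExternalAddresses -First $ExternalFirst -Second $ExternalSecond -Mask $Mask
    if (-not $check.IsValid) { throw ("External addressing rejected: " + ($check.Problems -join "; ")) }

    # Corpnet interface (lab steps 6-7). The lab sets no default gateway on either interface.
    netsh interface ipv4 set address name=Corpnet source=static address=$InternalIp mask=$Mask
    netsh interface ipv4 set dnsservers name=Corpnet source=static address=$InternalDns validate=no
    # Internet interface (lab steps 14-16): primary address plus the second, consecutive one.
    netsh interface ipv4 set address name=Internet source=static address=$ExternalFirst mask=$Mask
    netsh interface ipv4 add address name=Internet address=$ExternalSecond mask=$Mask

    # Connection-specific DNS suffixes (steps 9 and 18) are not exposed by netsh; use WMI.
    $suffixes = @{ $InternalIp = "pilot.contoso.com"; $ExternalFirst = "isp.example.com" }
    foreach ($entry in $suffixes.GetEnumerator()) {
        $nic = Get-WmiObject Win32_NetworkAdapterConfiguration |
               Where-Object { $_.IPEnabled -and ($_.IPAddress -contains $entry.Key) }
        if ($nic) { $nic.SetDNSDomain($entry.Value) | Out-Null }
    }

    # Steps 20-22: expect four replies from each domain controller.
    foreach ($dc in @("dc1.pilot.contoso.com", "dc2.corp.contoso.com")) {
        $replies = @(Test-Connection -ComputerName $dc -Count 4 -ErrorAction SilentlyContinue)
        "{0}: {1}/4 replies" -f $dc, $replies.Count
    }
}

Set-Uag1LabAddressing
```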

C. Rename the Computer and Join UAG1 to the PILOT Domain

Change the default computer name assigned during setup to UAG1 and join the UAG1 computer or virtual machine to the pilot.contoso.com domain.

Perform the following steps to rename UAG1 and join it to the domain:


1. At the UAG1 computer or virtual machine, in the Initial Configuration Tasks window, click the Provide computer name and domain link.

2. On the Computer Name tab, click the Change button.

3. In the Computer Name/Domain Changes dialog box, in the Computer name text box, enter UAG1. In the Member of frame, select the Domain option. Enter pilot.contoso.com in the text box. Click OK.

4. In the Windows Security dialog box, in the User name text box enter Administrator and enter the PILOT domain’s Administrator password. Click OK.

5. Click OK in the Welcome to the domain dialog box.

6. Click OK in the Computer Name/Domain Changes dialog box informing you that you must restart the computer.

7. Click Close in the System Properties dialog box.

8. Click Restart Now in the dialog box informing you that you must restart to apply the changes.

9. Log on as PILOT\User1.

D. Obtain the IP-HTTPS Listener Certificate on UAG1

The UAG DirectAccess server uses an IP-HTTPS listener to accept incoming IP-HTTPS connections from DirectAccess clients on the Internet. The IP-HTTPS Listener requires a web site certificate to support the SSL connection between itself and the DirectAccess client. The common name on this certificate will be the name the external DirectAccess client uses to connect to the IP-HTTPS Listener, and must be resolvable by an Internet-based DNS server to the first of the two consecutive IP addresses bound to the external interface of the UAG DirectAccess server.

Perform the following steps to obtain the IP-HTTPS certificate:

1. At the UAG1 computer or virtual machine, click Start, type mmc, and then press ENTER. Click Yes at the User Account Control prompt.

2. Click File, and then click Add/Remove Snap-in.

3. Click Certificates, click Add, click Computer account, click Next, select Local computer, click Finish, and then click OK.

4. In the console tree of the Certificates snap-in, open Certificates (Local Computer)\Personal\Certificates.

5. Right-click Certificates, point to All Tasks, and then click Request New Certificate.

6. Click Next twice.


7. On the Request Certificates page, click Web Server 2008, and then click More information is required to enroll for this certificate.

8. On the Subject tab of the Certificate Properties dialog box, in Subject name, for Type, select Common Name.

9. In Value, type uag1.contoso.com, and then click Add.

10. In Alternative name, for Type, select DNS.

11. In Value, type uag1.contoso.com, and then click Add.

12. Click OK, click Enroll, and then click Finish.

13. In the details pane of the Certificates snap-in, verify that a new certificate with the name uag1.contoso.com was enrolled with Intended Purposes of Server Authentication.

14. Right-click the certificate and then click Properties.

15. In the Friendly Name text box, enter IP-HTTPS Certificate, and then click OK.

16. Close the console window. If you are prompted to save settings, click No.
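As an added example (not the lab guide's own steps), the following PowerShell script is the command-line equivalent of the MMC enrollment used in section D for APP1 (nls.pilot.contoso.com, friendly name NLS Certificate) and in section D for UAG1 (uag1.contoso.com, friendly name IP-HTTPS Certificate), driving certreq.exe with an INF file and then performing the same verification as the wizard steps. Assumptions: an elevated PowerShell 2.0 session on the target server, the lab's enterprise CA pilot-DC1-CA on DC1, and a template internal name of WebServer, which is assumed; pass the internal name of the lab's Web Server 2008 template if it differs.

```powershell
# Added example, not part of the lab guide. Assumptions: elevated PowerShell 2.0 on the
# target server; CA is the lab's pilot-DC1-CA on DC1; the template internal name
# "WebServer" is assumed (substitute the internal name of the "Web Server 2008" template).

function Request-ServerAuthCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$DnsName,
        [string]$FriendlyName = $null,
        [string]$Template = "WebServer",
        [string]$CaConfig = "DC1.pilot.contoso.com\pilot-DC1-CA",
        [string]$WorkDir = $env:TEMP
    )
    # The INF mirrors what the enrollment wizard built: CN = the name clients connect
    # with, the same name as a DNS SAN, Server Authentication EKU, non-exportable machine key.
    $inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$DnsName"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$DnsName&"

[RequestAttributes]
CertificateTemplate = $Template
"@
    $base = Join-Path $WorkDir ($DnsName -replace "[^A-Za-z0-9.]", "_")
    $infPath = "$base.inf"; $reqPath = "$base.req"; $cerPath = "$base.cer"
    Set-Content -Path $infPath -Value $inf -Encoding ASCII
    foreach ($p in @($reqPath, $cerPath)) { if (Test-Path $p) { Remove-Item $p } }

    # 1. Generate the key pair in the machine store and a PKCS#10 request.
    & certreq.exe -new -q $infPath $reqPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

    # 2. Submit to the enterprise CA. The lab's template issues immediately; a template
    #    that requires CA manager approval leaves no .cer behind, so stop and say so.
    & certreq.exe -submit -q -config $CaConfig $reqPath $cerPath | Out-Null
    if (-not (Test-Path $cerPath)) {
        throw "Request was not issued immediately (pending or denied); check the CA for $reqPath"
    }

    # 3. Install the issued certificate against the pending request's private key.
    & certreq.exe -accept -q $cerPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

    # 4. Same check as the wizard's verification step: present in Local Computer\Personal
    #    with the Server Authentication purpose; then set the friendly name used in IIS/UAG.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$DnsName" -and $_.HasPrivateKey } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $cert) { throw "Issued certificate for $DnsName not found in LocalMachine\My" }
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
    if (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.1" })) {
        throw "Certificate for $DnsName lacks the Server Authentication EKU"
    }
    if ($FriendlyName) { $cert.FriendlyName = $FriendlyName }
    return $cert
}

# On APP1 (section D for the NLS):
Request-ServerAuthCertificate -DnsName "nls.pilot.contoso.com" -FriendlyName "NLS Certificate"
# On UAG1 (section D for the IP-HTTPS listener):
# Request-ServerAuthCertificate -DnsName "uag1.contoso.com" -FriendlyName "IP-HTTPS Certificate"
```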

E. Install Forefront UAG on UAG1

You will install the Forefront Unified Access Gateway software on the UAG1 computer or virtual machine.

Perform the following steps to install UAG on UAG1:

1. At the UAG1 computer or virtual machine, insert the Forefront UAG DVD into the CD drive. (Note: Ensure you install Forefront UAG from the DVD. Network installations are not supported.)

2. Click Start, click Computer, double-click the DVD drive Forefront UAG 2010, and then double-click Setup.

3. In the Setup window, under Prepare and Install, click Install Forefront UAG. Click Yes in the User Account Control dialog box.

4. On the Welcome to the Forefront UAG Setup Wizard page, click Next.

5. Read the License Terms, and if you choose to proceed, select I accept the License Terms for Microsoft Software, and then click Next.

6. On the Select Installation Location page, click Next, and wait for the installation to complete successfully.

7. On the You have successfully completed the Forefront UAG Setup page, click Restart now, and then click Next. Wait for the server to restart.


8. Log on to UAG1 as PILOT\User1.

F. Run the UAG Getting Started Wizard

The UAG Getting Started Wizard walks you through the initial configuration of the UAG server. It sets up the basic information required to configure the networking settings on the server, define the server topology (standalone or array), and choose whether or not to join Microsoft Update for updating the server.

Perform the following steps to run the Getting Started Wizard:

1. At the UAG1 computer, click Start, point to All Programs, click Microsoft Forefront UAG, and then click Forefront UAG Management. Click Yes in the User Account Control dialog box. UAG will start to configure itself for the first time. The Getting Started Wizard splash screen appears.

2. In the Getting Started Wizard, click Configure Network Settings to start the Network Configuration Wizard.

3. On the Welcome to the Network Configuration Wizard page, click Next.

4. On the Define Network Adapters page, select Corpnet in the Internal column, and Internet in the External column. Leave SSL Network tunneling as unassigned, and then click Next.

5. On the Define Internal Network IP Address Range page, verify that the range that appears is 10.0.0.0 to 10.0.0.255, and then click Next.

6. On the Completing the Network Configuration Wizard page, click Finish.

7. On the Getting Started Wizard, click Define Server Topology.

8. On the Welcome to the Server Management Wizard page, click Next.

9. On the Select Configuration page, select Single server, and then click Next.

10. On the Completing the Server Management Wizard page, click Finish.

11. In the Getting Started Wizard, click Join Microsoft Update.

12. On the Use Microsoft Update for Forefront UAG page, select I don’t want to use Microsoft Update, and then click OK. (NOTE: in a production environment it is highly recommended that you select the use Microsoft Update option).

13. On the Getting Started Wizard page, click Close.

14. In the Getting Started Wizard dialog box, when prompted Do you want to activate the configuration now, click Yes.


15. On the Activate Configuration page, enter a password and confirm the password for the backup file that will save the current UAG configuration. Click Next.

16. On the Activate Configuration page, confirm that there is a checkmark in the Back up configuration before performing this activation checkbox, then click Activate.

17. Wait for the Activation completed successfully message, and then click Finish.

18. To exit the Microsoft Forefront UAG Management console, click the File menu, click Exit, and then click Yes when prompted Do you want to close the Forefront UAG Management console.

G. Run the UAG DirectAccess Configuration Wizard

DirectAccess is not enabled by default. To enable DirectAccess features and capabilities on UAG1, you will need to run the DirectAccess Configuration Wizard. After running the DirectAccess Configuration Wizard, two new Group Policy objects are created: one is linked to the computer account for the UAG DirectAccess server, and the second is linked to the DirectAccess clients security group you configured earlier. In addition, the IPv6 components, including support for IPv6 transition technologies and IPv6/IPv4 protocol translation technologies, are enabled.

Perform the following steps to run the UAG DirectAccess Configuration Wizard:

1. Click Start, point to All Programs, click Microsoft Forefront UAG, and then click Forefront UAG Management. Click Yes in the User Account Control dialog box.

2. In the left pane of the Forefront Unified Access Gateway console, click DirectAccess. In the Forefront UAG DirectAccess Configuration pane, in the Clients box, click Configure.

3. On the UAG DirectAccess Client Configuration dialog box, click Add.

4. In the Select Group dialog box, type DA_Clients, click OK, and then click Finish. (Note that you must use a custom security group that you create for the DirectAccess clients. Never use a built-in security group).

5. In the DirectAccess Server box, click Configure.

6. On the Connectivity page, in First Internet-facing IPv4 address, select 131.107.0.2. In Internal IPv4 address, select 10.0.0.2, and then click Next. (Note the information that appears regarding ISATAP being enabled on the UAG server, and that an ISATAP entry must be entered into DNS and that ISATAP must be removed from the Global Query Block List. We have done this on both the DC1 and DC2 DNS servers, so this step is already configured).

7. On the Managing DirectAccess Services page, click Next. (Note: the default settings on this page enable both NAT64 and DNS64, which allow DirectAccess clients to communicate with IPv4 resources on the corpnet).


8. On the Authentication Options page, for Browse and select a root or intermediate certificate that verifies certificates sent by DirectAccess clients, select Use root certificate, and then click Browse. In the list of certificates, click the pilot-DC1-CA root certificate, and then click OK.

9. For Select the certificate that authenticates the UAG DirectAccess server to a client connecting using IP-HTTPS, click Browse. In the list of certificates, click the IP-HTTPS certificate, click OK, and then click Finish.

10. In the Infrastructure Servers box, click Configure.

11. On the Network Location Server page, type nls.pilot.contoso.com, click Validate and wait for the notice Validation successful. The URL https://nls.pilot.contoso.com is reachable, and then click Next.

12. On the DNS Suffixes page, double-click the entry that says Double-click here to add.

13. In the Name Resolution Servers used by DirectAccess dialog box, select the DNS Suffix option. In the text box, enter corp.contoso.com. From the Choose the DNS server to resolve DNS suffix queries options, select the UAG DNS64 server option. Click OK.

14. On the DNS Suffixes page, confirm that you see the *.corp.contoso.com entry in the Name Suffix list and then click Next.

15. On the Management Servers and DCs page, click the Domains\pilot.contoso.com entry. Note in the Servers List that DC1.pilot.contoso.com was automatically discovered. Click the Add Domain button. In the New Item dialog box, in the Enter a new domain name text box, enter corp.contoso.com and click OK. Notice that the domain controller for corp.contoso.com is automatically discovered. Click Finish. (Note: infrastructure servers are those servers that are accessed through the infrastructure tunnel, which is established before the user logs on and enables DirectAccess client computer management.)

16. In the Application Servers box, click Configure. Confirm that the Require end-to-edge authentication and encryption option is selected. Click Finish.

17. In the Forefront UAG DirectAccess pane, click Generate Policies.

18. In the Forefront UAG DirectAccess Configuration Review dialog box, click Apply Now. After the script has finished executing, in the DirectAccess Policy Configuration message box, click OK, and then click Close.

19. Open an elevated command prompt. In the command prompt window, enter gpupdate /force and wait for the command to complete. Close the command prompt window.

20. In the Microsoft Forefront UAG Management console, click the File menu, and then click Activate. In the Activate Configuration dialog box, click Activate. Wait for the Activation completed successfully message, and then click Finish.


21. To exit the Microsoft Forefront UAG Management console, click the File menu, click Exit, and then click Yes when prompted Do you want to close the Forefront UAG Management console.

H. Confirm Group Policy Settings on UAG1

The UAG DirectAccess wizard configures GPO objects and settings that are automatically deployed to the Active Directory. One GPO is assigned to the UAG DirectAccess server, and one is deployed to machines that belong to the DirectAccess Clients security group. You will confirm that the Group Policy settings were deployed to the UAG DirectAccess server.

Perform the following steps to confirm Group Policy settings on UAG1:

1. *Go to the DC1 computer. At DC1, click Start, point to Administrative Tools and click Group Policy Management.

2. Expand Forest: pilot.contoso.com and then expand Domains and then expand pilot.contoso.com.

3. You will find two new GPOs linked to the pilot.contoso.com domain. UAG DirectAccess: Client{3491980e-ef3c-4ed3-b176-a4420a810f12} is applied to members of the DA_Clients security group. UAG DirectAccess: DaServer{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300} is applied to the UAG server. Confirm that the security filtering for each GPO is correct by clicking the GPO and viewing the entries in the Security Filtering section on the Scope tab in the right pane of the console.

4. *Go to the UAG1 computer. Open an elevated command prompt and change the current directory to c:\Users\User1\Desktop.

5. At the command prompt, enter gpupdate /force

6. At the command prompt, enter gpresult /scope computer /f /h report.html and press ENTER.

7. On the desktop, double-click the report file. In the Group Policy Objects\Applied GPOs section, notice that UAG DirectAccess: DaServer{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300} appears, which shows that the DirectAccess server GPO has been applied to UAG1. Close the Internet Explorer window.

8. Click Start and enter wf.msc in the Search box and press ENTER.

9. In the Windows Firewall with Advanced Security console, notice in the middle pane that the Domain Profile is Active and the Public Profile is Active. It is important that Windows Firewall is enabled and that both the Domain and Public profiles are active. If Windows Firewall with Advanced Security is disabled, or if the Domain or Public profile is disabled, DirectAccess will not work correctly, because the IPsec connection security rules that build the DirectAccess tunnels are enforced by Windows Firewall.

10. In the left pane of the Windows Firewall with Advanced Security console, click the Connection Security Rules node. Notice in the middle pane that there are two connection security rules: UAG DirectAccess Gateway – Clients Access Enabling Tunnel – All and UAG DirectAccess Gateway – Clients Corp Tunnel. The first rule is used for the infrastructure tunnel and the second rule is used to establish the intranet tunnel. Both rules are delivered to UAG1 through Group Policy.

11. Close the Windows Firewall with Advanced Security console.

I. Confirm IPv6 Settings on UAG1

For the DirectAccess solution to function, the IPv6 settings on UAG1 must be correct. You will confirm these settings on UAG1.

Perform the following steps to confirm IPv6 settings on UAG1:

1. At the UAG1 computer or virtual machine, click Start and right click on the command prompt and click Run as administrator. Click Yes in the User Account Control dialog box.

2. In the command prompt window, enter ipconfig /all and press ENTER.

3. The ipconfig /all output shows the UAG1 computer's networking configuration. Several sections are of interest. The Tunnel adapter 6TO4 Adapter section includes the global IPv6 address that UAG1 uses on its external interface. The Tunnel adapter isatap.pilot.contoso.com section shows UAG1's ISATAP interface; here you will find the ISATAP address for UAG1. The Tunnel adapter IPHTTPSInterface section shows the IP-HTTPS interface. If you are using the IP addressing scheme suggested in this lab guide, you should see the following addresses in use:

6TO4 Adapter: 2002:836b:2::836b:2 and 2002:836b:2::836b:3
ISATAP: 2002:836b:2:8000:0:5efe:10.0.0.2
IPHTTPS: 2002:836b:2:8100:c887:6a74:6ef0:bf (the last four groups of the IP-HTTPS address, c887:6a74:6ef0:bf, will differ on your system because that interface identifier is generated by the IP-HTTPS interface rather than derived from an IPv4 address)

4. To see information about the Teredo interface on UAG1, enter netsh interface teredo show state and press ENTER. The output should include the line State: online.

J. Update IPv6 Settings on DC1

DC1 is capable of being an ISATAP host. However, this functionality might not be immediately available. You can expedite DC1 setting itself up as an ISATAP host by telling the IP Helper service to re-read its configuration.

Perform the following steps to update IPv6 settings on DC1:

1. *At the DC1 computer or virtual machine, click Start and then right click the command prompt icon. Click Run as administrator.

2. In the command prompt window, enter sc control iphlpsvc paramchange and press ENTER.

3. Close the command prompt window after the command completes.


K. Update IPv6 Settings on DC2

DC2 is capable of being an ISATAP host. However, this functionality might not be immediately available. You can expedite DC2 setting itself up as an ISATAP host by telling the IP Helper service to re-read its configuration.

Perform the following steps to update IPv6 settings on DC2:

1. *At the DC2 computer or virtual machine, click Start and then right click the command prompt icon. Click Run as administrator.

2. In the command prompt window, enter sc control iphlpsvc paramchange and press ENTER.

3. Close the command prompt window after the command completes.

L. Confirm IPv6 Address Registration in DNS

IPv6-capable hosts can communicate with one another over IPv6 using their ISATAP adapters. However, they must be able to resolve the destination host name to an IPv6 address to use this capability. You will confirm that the IPv6 ISATAP addresses are registered in DNS.

Perform the following steps to confirm IPv6 address registration:

1. *At the DC1 computer or virtual machine, click Start, point to Administrative Tools and click DNS.

2. In the DNS Manager, expand the server name, then expand the Forward Lookup Zones node in the left pane of the console. Click pilot.contoso.com.

3. Click the Name column in the right pane of the console so that computer names are listed alphabetically. For APP1, DC1 and UAG1 there should be both an IPv4 (A) record and an IPv6 (AAAA) record. If a host has no IPv6 record, return to that machine, open an elevated command prompt and enter ipconfig /registerdns. Then return to the DNS console on DC1, refresh, and confirm that the IPv6 address is registered in DNS.

4. *Move to the DC2 computer or virtual machine and click Start, point to Administrative Tools folder and click DNS.

5. In DNS Manager, expand the server name, then expand Forward Lookup Zones. Click corp.contoso.com. Confirm that DC2 has both an IPv4 and an IPv6 address registered in DNS. If no IPv6 address appears, open an elevated command prompt on DC2 and enter ipconfig /registerdns to register that computer's addresses in DNS. Return to the DNS console on DC2 and refresh to view the newly registered IPv6 address.

Note that the ISATAP addresses listed in the DNS resource records do not use the dotted decimal format for the last 32 bits of the IPv6 address that you see when using ipconfig to view IP addressing information on the hosts. However, these addresses represent the same information; the only difference is that the last 32 bits are represented in HEX instead of dotted decimal format.


M. Confirm IPv6 Connectivity between DC1/DC2/UAG1

After activating the IPv6 settings on DC1, DC2 and UAG1, test IPv6 connectivity by using the ping utility.

Perform the following steps to confirm IPv6 connectivity:

1. *At the DC1 computer or virtual machine, click Start and right click the command prompt icon and click Run as administrator.

2. In the command prompt window, enter ipconfig /flushdns to remove any cached entries (which might contain only IPv4 addresses) from the DNS client resolver cache.

3. In the command prompt window, enter ping UAG1 and press ENTER. You should see the ISATAP address of UAG1 in the reply, which is 2002:836b:2:8000:0:5efe:10.0.0.2.

4. In the command prompt window, enter ping dc2 and press ENTER. You should see the ISATAP address of DC2 in the reply, which is 2002:836b:2:8000:0:5efe:10.0.0.10. Close the command prompt window.

5. *At DC2, use an elevated command prompt to ping DC1 and UAG1 and confirm that the responses come from the ISATAP addresses of those servers. Then close the command prompt window. Note: if you receive a response from the link-local address of DC1 or UAG1, reissue the request using the FQDN, for example ping dc1.pilot.contoso.com and ping uag1.pilot.contoso.com. You can recognize a link-local address because it starts with fe80. An ISATAP address begins with 2002 and ends with 5efe:w.x.y.z, where w.x.y.z is the host's IPv4 address. The FQDN is needed because CORP domain members do not have pilot.contoso.com in their DNS suffix search list, so a single-label name is resolved by local (non-DNS) name resolution, which returns the link-local address.

6. *At UAG1, use an elevated command prompt to ping DC1 and DC2 and confirm that the responses come from the ISATAP addresses of those servers. Then close the command prompt window.
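The DNS note in section L and the ping note in step 5 of this section both depend on how 6to4 and ISATAP addresses are built from IPv4 addresses. The following Python script is an added example, not part of the original lab guide or of Forefront UAG: it derives the 6to4 prefix, the 6TO4 Adapter address and the ISATAP addresses the guide expects you to see, renders an ISATAP address both as ipconfig prints it (dotted-decimal tail) and as DNS stores it (hex tail), and classifies a ping reply as link-local, ISATAP or 6to4. It assumes the guide's addresses (UAG1 public address 131.107.0.2; DC1 10.0.0.1, UAG1 10.0.0.2, APP1 10.0.0.3, DC2 10.0.0.10) and treats the 0x8000 subnet ID visible in the guide's sample output as this lab's ISATAP subnet, not as a general rule.

```python
"""6to4 and ISATAP address arithmetic for the lab addressing scheme.

Added example: not part of the original lab guide. It reproduces the
addresses the guide tells you to expect from ipconfig, ping and DNS, so a
host's output can be checked against the scheme rather than eyeballed.
"""
import ipaddress

# Values taken from the guide: UAG1's first public IPv4 address (the one the
# 6to4 prefix is derived from) and the intranet hosts' private IPv4 addresses.
UAG1_PUBLIC_IPV4 = "131.107.0.2"
INTRANET_HOSTS = {"DC1": "10.0.0.1", "UAG1": "10.0.0.2",
                  "APP1": "10.0.0.3", "DC2": "10.0.0.10"}

# Assumption: the guide's sample output places ISATAP hosts in subnet 0x8000
# of the 6to4 /48 (2002:836b:2:8000::/64). That subnet ID is what UAG chose
# for this lab, not a rule of 6to4 or ISATAP.
ISATAP_SUBNET_ID = 0x8000

_V4_MASK = 0xFFFF_FFFF


def sixto4_prefix(public_ipv4):
    """RFC 3056: a public IPv4 address WW.XX.YY.ZZ owns 2002:WWXX:YYZZ::/48."""
    v4 = int(ipaddress.IPv4Address(public_ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def sixto4_host_address(public_ipv4):
    """Address Windows puts on its 6TO4 Adapter: 2002:WWXX:YYZZ::WWXX:YYZZ."""
    v4 = int(ipaddress.IPv4Address(public_ipv4))
    return str(ipaddress.IPv6Address((0x2002 << 112) | (v4 << 80) | v4))


def isatap_subnet(public_ipv4, subnet_id=ISATAP_SUBNET_ID):
    """The /64 carved out of the 6to4 /48 for ISATAP hosts (bits 48..63 = subnet ID)."""
    base = int(sixto4_prefix(public_ipv4).network_address)
    return ipaddress.IPv6Network((base | (subnet_id << 64), 64))


def isatap_address(subnet, private_ipv4):
    """RFC 5214 interface ID 0000:5efe:<IPv4>: the host's own IPv4 is the last 32 bits."""
    v4 = int(ipaddress.IPv4Address(private_ipv4))
    return ipaddress.IPv6Address(int(subnet.network_address) | (0x5EFE << 32) | v4)


def as_ipconfig_prints(addr):
    """Render an ISATAP address the way ipconfig does: last 32 bits as dotted decimal.

    Assumes the upper 96 bits contain no run of zero groups that ipconfig would
    collapse to '::', which holds for the lab prefix 2002:836b:2:8000::/64.
    """
    groups = addr.exploded.split(":")[:6]
    head = ":".join(format(int(g, 16), "x") for g in groups)
    return f"{head}:{ipaddress.IPv4Address(int(addr) & _V4_MASK)}"


def as_dns_prints(addr_str):
    """Render the same address the way DNS Manager shows the AAAA record: hex tail."""
    return str(ipaddress.IPv6Address(addr_str))


def classify(addr_str):
    """Tell which kind of address a ping reply came from."""
    a = ipaddress.IPv6Address(addr_str)
    n = int(a)
    if a.is_link_local:          # fe80::/10: name was resolved locally, retry with the FQDN
        return "link-local"
    # ISATAP interface ID is 0000:5efe or 0200:5efe (u bit set); mask the u bit
    if ((n >> 32) & 0xFDFF_FFFF) == 0x5EFE:
        return "isatap"
    if a.sixtofour is not None:  # 2002::/16 with no ISATAP interface ID
        return "6to4"
    return "other"


def embedded_ipv4(addr_str):
    """IPv4 address carried in the last 32 bits of an ISATAP address."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv6Address(addr_str)) & _V4_MASK))


def expected_lab_addresses(public_ipv4=UAG1_PUBLIC_IPV4):
    """Map each intranet host to the ISATAP address the guide says ping should show."""
    subnet = isatap_subnet(public_ipv4)
    return {host: as_ipconfig_prints(isatap_address(subnet, v4))
            for host, v4 in INTRANET_HOSTS.items()}


if __name__ == "__main__":
    print("6to4 prefix:  ", sixto4_prefix(UAG1_PUBLIC_IPV4))
    print("6TO4 Adapter: ", sixto4_host_address(UAG1_PUBLIC_IPV4))
    print("ISATAP subnet:", isatap_subnet(UAG1_PUBLIC_IPV4))
    for host, addr in expected_lab_addresses().items():
        print(f"{host:5} ipconfig={addr}  dns={as_dns_prints(addr)}  {classify(addr)}")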

5. Configure CLIENT1 (PILOT DOMAIN)

CLIENT1 is a computer or virtual machine running Windows 7 that you will use to demonstrate how DirectAccess works in a number of scenarios. You will connect CLIENT1 to the corpnet to join the machine to the domain and receive the DirectAccess Group Policy settings. Then you will move CLIENT1 to the simulated Internet to test DirectAccess connectivity over 6to4, and finally move CLIENT1 behind a NAT device to test both Teredo and IP-HTTPS DirectAccess connectivity.

NOTE: CLIENT1 is a Windows 7 computer and after installation the default power plan is applied. The CLIENT1 computer may go to sleep before you reach the end of the lab configuration. You can prevent this by selecting the High Performance power plan in Control Panel. The steps for selecting the power plan are not described in this lab document.

You will perform the following operations to configure CLIENT1:

A. Install the Windows 7 operating system on the CLIENT1 computer or virtual machine

Windows 7 is required for DirectAccess client connectivity. The first step is to install Windows 7 on the DirectAccess client computer or virtual machine.

B. Join CLIENT1 to the PILOT domain

DirectAccess supports only domain-member client computers, because authentication uses the computer account and certificate and the client settings are delivered through Group Policy. To meet this requirement, we will join CLIENT1 to the PILOT domain.

C. Add CLIENT1 to the DA_Clients Active Directory Security Group

The DirectAccess client settings are assigned only to members of the DA_Clients Active Directory security group. You will place CLIENT1 in the DA_Clients security group so that the Group Policy settings are assigned to CLIENT1.

D. Add CORP\User2 to the Local Administrators Group on CLIENT1

To improve the user experience on CLIENT1 and reduce the number of UAC prompts seen when performing configuration steps on CLIENT1, we will place CORP\User2 in the local Administrators group on CLIENT1. We want User2 from the CORP domain to log on to the DirectAccess client computer or virtual machine to demonstrate that a user from the resource (CORP) domain can transparently connect to resources in the domain that the user normally works in.

E. Test IPv6 Configuration, Confirm Group Policy Settings and Machine Certificate on CLIENT1

Before you move CLIENT1 out of the corpnet and onto the simulated Internet and behind a NAT device on the Internet, you will check the IPv6 configuration on CLIENT1, confirm that the DirectAccess client Group Policy settings are enabled on CLIENT1, and confirm that CLIENT1 has the computer certificate required to establish the IPsec connections to the UAG DirectAccess server.

F. Test Connectivity to a Network Share and Network Location Server

The final check on CLIENT1 before moving it outside the corpnet is to confirm connectivity to a network share on the corpnet and to the Network Location Server. Connectivity to the Network Location Server is required so that the DirectAccess client can determine whether it is on-network or off-network.

A. Install the Operating System on CLIENT1

Windows 7 is required for DirectAccess client connectivity. The first step is to install Windows 7 on the DirectAccess client computer or virtual machine.

Perform the following steps to install the operating system on CLIENT1:

1. Connect CLIENT1 to the Corpnet subnet.

2. Start the installation of Windows 7 Enterprise or Windows 7 Ultimate.


3. When prompted for a user name, type User1. When prompted for a computer name, type CLIENT1.

4. When prompted for a password, type a strong password twice.

5. When prompted for protection settings, click Use recommended settings.

6. When prompted for your computer's current location, click Work network.

B. Join CLIENT1 to the PILOT Domain

DirectAccess supports only domain-member client computers for authentication and Group Policy settings assignment. To meet this requirement, we will join CLIENT1 to the PILOT domain.

Perform the following steps to join CLIENT1 to the PILOT domain:

1. At the CLIENT1 computer or virtual machine, click Start, right-click Computer, and then click Properties.

2. Under Computer name, domain, and workgroup settings, click Change settings.

3. In the System Properties dialog box, click Change.

4. In the Computer Name/Domain Changes dialog box, click Domain, type pilot.contoso.com, and then click OK.

5. When prompted for a user name and password, type the user name and password for the User1 domain account, and then click OK.

6. When you see a dialog box that welcomes you to the pilot.contoso.com domain, click OK.

7. When you see a dialog box that prompts you to restart the computer, click OK.

8. In the System Properties dialog box, click Close.

9. In the dialog box that prompts you to restart the computer, do not click anything and proceed to the following procedure.

C. Add CLIENT1 to the DA_Clients Security Group

The DirectAccess client settings are assigned only to members of the DA_Clients Active Directory security group. You will place CLIENT1 in the DA_Clients security group so that the Group Policy settings are assigned to CLIENT1.

Perform the following steps to add CLIENT1 to the DA_Clients security group:

1. *On the DC1 computer or virtual machine, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

2. In the console tree, expand pilot.contoso.com, and then click Users.


3. In the details pane, double-click DA_Clients.

4. In the DA_Clients Properties dialog box, click the Members tab, and then click Add.

5. In the Select Users, Contacts, Computers, or Groups dialog box, click Object Types, click Computers, and then click OK.

6. Under Enter the object names to select (examples), type CLIENT1, and then click OK.

7. Verify that CLIENT1 is displayed below Members, and then click OK.

8. Close the Active Directory Users and Computers console.

9. *On CLIENT1, in the dialog box that prompts you to restart the computer, click Restart Now.

10. After CLIENT1 has been restarted, click Switch User, then click Other User and log on to the CORP domain with the User1 account.

D. Add CORP\User2 to Local Administrators Group on CLIENT1

To improve the user experience on CLIENT1 and reduce the number of UAC prompts seen when performing configuration steps on CLIENT1, we will place CORP\User2 in the local Administrators group on CLIENT1. We want User2 from the CORP domain to log on to the DirectAccess client computer or virtual machine to demonstrate that a user from the resource (CORP) domain can transparently connect to resources in the domain that the user normally works in.

Perform the following steps to add CORP\User2 to the local administrators group on CLIENT1:

1. On the CLIENT1 computer or virtual machine, click Start and then click Control Panel.

2. In the Control Panel window, click User Accounts.

3. In the User Accounts window, click Give other users access to this computer.

4. In User Accounts dialog box, on the Users tab, click the Add button.

5. On the Add New User page, enter User2 in the User Name text box, and in the Domain text box, enter CORP. Click Next.

6. On the Add New User page, select the Administrator option. Click Finish.

7. In the User Accounts dialog box, click OK.

8. Close the User Accounts window.

E. Test IPv6 Configuration, Confirm Group Policy Settings and Machine Certificate on CLIENT1

Before you move CLIENT1 out of the corpnet and onto the simulated Internet and behind a NAT device on the Internet, you will check the IPv6 configuration on CLIENT1, confirm that the DirectAccess client Group Policy settings are enabled on CLIENT1, and confirm that CLIENT1 has the computer certificate required to establish the IPsec connections to the UAG DirectAccess server.

Perform the following steps to confirm Group Policy settings and machine certificate:

1. On the CLIENT1 computer or virtual machine, click Start and then click All Programs. Click Accessories and then right click command prompt. Click Run as administrator. Click Yes in the UAC dialog box.

2. In the command prompt window, enter ping dc1 and press ENTER. Confirm that the reply comes from an IPv6 ISATAP address, 2002:836b:2:8000:0:5efe:10.0.0.1.

3. Ping DC2 and UAG1 to confirm that both these machines reply with IPv6 ISATAP addresses, 2002:836b:2:8000:0:5efe:10.0.0.10 and 2002:836b:2:8000:0:5efe:10.0.0.2.

4. Ping APP1. You should see replies from the address 2002:836b:2:8000:0:5efe:10.0.0.3.

5. In the command prompt window, enter netsh namespace show policy and press ENTER. This command shows the DNS name resolution policy table (NRPT) settings, which were provided to CLIENT1 via Group Policy. For more information about DirectAccess and the NRPT, please see http://technet.microsoft.com/en-us/library/dd637795(WS.10).aspx

6. In the command prompt window, enter netsh namespace show effectivepolicy and press ENTER. This command shows the current DNS name resolution policy table settings and indicates that the client is in the corporate network and DirectAccess settings are turned off.

7. In the command prompt window, enter certutil -store my and press ENTER. The output displays information about the certificate installed on CLIENT1. The subject name on the certificate should be CN=CLIENT1.pilot.contoso.com and the certificate template name (certificate type) should be Machine, Computer. This machine certificate was issued through Group Policy autoenrollment and will be used to authenticate the IPsec tunnels between CLIENT1 and UAG1 when CLIENT1 leaves the corporate network.

F. Test Connectivity to a Network Share and the Network Location Server

The final check on CLIENT1 before moving it outside the corpnet is to confirm connectivity to a network share on the corpnet and to the Network Location Server. Connectivity to the Network Location Server is required so that the DirectAccess client can determine whether it is on-network or off-network.

Perform the following steps to test connectivity to a network share and the Network Location Server:

1. On the CLIENT1 computer or virtual machine, from the taskbar, click the Internet Explorer icon.

2. In the Welcome to Internet Explorer 8 window, click Next. In the Turn on Suggested Sites window, click No, don’t turn on, and then click Next. In the Choose your settings dialog box, click Use express settings, and then click Finish.


3. In the Toolbar, click Tools, and then click Internet Options. For Home page, click Use blank, and then click OK.

4. In the Address bar, type https://nls.pilot.contoso.com/, and then press ENTER. You should see the default IIS 7 Web page on DC1.

5. Close the Internet Explorer window.

6. Click Start, type \\DC1\Files, and then press ENTER.

7. You should see a folder window with the contents of the Files file share.

8. In the Files folder window, double-click the Example.txt file. You should see the contents of the Example.txt file.

9. Close the example.txt - Notepad and the Files folder windows.

6. Configure INET1

In the POC lab environment the INET1 computer provides simulated Internet DNS and DHCP services to the CLIENT1 computer when CLIENT1 is connected to the simulated Internet. When connected to the simulated Internet, CLIENT1 must be able to resolve the public name of the UAG DirectAccess server in order to connect using the 6to4 IPv6 transition technology. INET1 also hosts a DHCP server that assigns CLIENT1 a public IP address.

You will perform the following operation to configure INET1 to perform these duties:

A. Install the Windows Server 2008 R2 operating system on INET1

The first step is to install the operating system on the INET1 computer or virtual machine. In the POC lab environment, you will use Windows Server 2008 R2. This is not a requirement of the DirectAccess solution; in a production environment any operating system can provide DNS and DHCP services to the Internet-based DirectAccess client.

B. Configure the TCP/IP Properties on INET1

You will assign a public IP address to the interface of the INET1 computer or virtual machine.

C. Rename the computer on INET1

You will rename the computer from the default name provided by the OS installer to INET1.

D. Install and Configure the DNS Server Role on INET1

The DNS server role is installed on the INET1 computer or virtual machine so that the Internet-connected DirectAccess client can resolve the name of the UAG DirectAccess server to create the 6to4 connection.

E. Install the DHCP server role on INET1

The DHCP server role is installed on INET1 so that the DirectAccess client can obtain a public IP address automatically after being connected to the Internet subnet or virtual switch.


A. Install the Operating System

The first step is to install the operating system on the INET1 computer or virtual machine. In the POC lab environment, you will use Windows Server 2008 R2. This is not a requirement of the DirectAccess solution; in a production environment any operating system can provide DNS and DHCP services to the Internet-based DirectAccess client.

Perform the following steps to install the operating system on INET1:

1. At the INET1 computer or virtual machine, start the installation of Windows Server 2008 R2.

2. Follow the instructions to complete the installation, specifying a strong password for the local Administrator account. Log on using the local Administrator account.

3. Connect the network adapter to the Internet subnet or virtual switch.

B. Configure TCP/IP Properties on INET1

You will assign a public IP address to the interface of the INET1 computer or virtual machine.

Perform the following steps to configure the TCP/IP properties on INET1:

1. At the INET1 computer or virtual machine, in Initial Configuration Tasks, click Configure networking.

2. In the Network Connections window, right-click Local Area Connection, and then click Properties.

3. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

4. Select Use the following IP address. In IP address, type 131.107.0.1. In Subnet mask, type 255.255.255.0. For Preferred DNS server enter 131.107.0.1.

5. Click Advanced, and then click the DNS tab.

6. In DNS suffix for this connection, type isp.example.com, and then click OK.

7. Click OK, and then click Close to close the Local Area Connection Properties dialog box.

8. Close the Network Connections window.

9. Click Start, right-click Network, and then click Properties.

10. In the Network and Sharing Center window, click Change advanced sharing settings.

11. In the Advanced sharing settings window, click Turn on file and printer sharing, and then click Save changes. (Note: this is done so that inbound ICMP ping requests are allowed for INET1 to test connectivity. It is not required by the DirectAccess solution itself).

12. Close the Network and Sharing Center window.


C. Rename the Computer on INET1

You will rename the computer from the default name provided by the OS installer to INET1.

Perform the following steps to rename INET1:

1. At the INET1 computer or virtual machine, in Initial Configuration Tasks, click Provide Computer Name and Domain.

2. In the System Properties dialog box, on the Computer Name tab, click Change.

3. In Computer Name, type INET1.

4. Click OK.

5. When you are prompted that you must restart the computer, click OK.

6. On the System Properties dialog box, click Close.

7. When you are prompted to restart the computer, click Restart Now.

8. After the computer has restarted, log on with the local Administrator account.

D. Install and Configure the DNS Server Role on INET1

The DNS server role is installed on the INET1 computer or virtual machine so that the Internet-connected DirectAccess client can resolve the name of the UAG DirectAccess server to create the 6to4 connection.

Perform the following steps to install and configure the DNS server role on INET1:

1. At the INET1 computer or virtual machine, in the Initial Configuration Tasks window, click the Add Roles link. Click Next on the Before You Begin page.

2. On the Select Server Roles page, select the DNS Server checkbox, and then click Next.

3. Click Next twice and then click Install.

4. Verify that the installation was successful, and then click Close.

5. Click Start, point to Administrative Tools, and then click DNS.

6. In the console tree of DNS Manager, expand INET1.

7. Click Forward Lookup Zones, right-click Forward Lookup Zones, click New Zone, and then click Next.

8. On the Zone Type page, click Next.

9. On the Zone Name page, type isp.example.com, and then click Next.

10. On the Zone File page, click Next.


11. On the Dynamic Update page, click Next, and then click Finish.

12. In the console tree, expand Forward Lookup zones, right click isp.example.com, and then click New Host (A or AAAA).

13. In Name, type INET1. In IP address, type 131.107.0.1. Click Add Host.

14. Click OK, and then click Done.

15. In the console tree, right-click Forward Lookup Zones, click New Zone, and then click Next.

16. On the Zone Type page, click Next.

17. On the Zone Name page, type contoso.com, and then click Next.

18. On the Zone File page, click Next.

19. On the Dynamic Update page, click Next, and then click Finish.

20. In the console tree, right click contoso.com, and then click New Host (A or AAAA).

21. In Name, type uag1. In IP address, type 131.107.0.2.

22. Click Add Host. Click OK, and then click Done.

23. Close the DNS console.

E. Install the DHCP Server Role on INET1

The DHCP server role is installed on INET1 so that the DirectAccess client can obtain a public IP address automatically after being connected to the Internet subnet or virtual switch.

Perform the following steps to install and configure the DHCP server on INET1:

1. On the INET1 computer or virtual machine, in the Initial Configuration Tasks window, click the Add roles link.

2. On the Before You Begin page, click Next.

3. On the Select Server Roles page, select the DHCP Server check box, and then click Next twice.

4. On the Select Network Connection Bindings page, verify that 131.107.0.1 is selected, and then click Next.

5. On the Specify IPv4 DNS Server Settings page, verify that isp.example.com is listed under Parent domain.

6. Type 131.107.0.1 under Preferred DNS server IP address, and click Validate. Verify that the result returned is Valid, and then click Next.


7. On the Specify IPv4 WINS Server Settings page, accept the default setting of WINS is not required on this network, and then click Next.

8. On the Add or Edit DHCP Scopes page, click Add.

9. In the Add Scope dialog box, type Internet next to Scope Name. Next to Starting IP Address, type 131.107.0.100, next to Ending IP Address, type 131.107.0.150, and next to Subnet Mask, type 255.255.255.0.

10. Select the Activate this scope check box, click OK, and then click Next.

11. On the Configure DHCPv6 Stateless Mode page, select Disable DHCPv6 stateless mode for this server, and then click Next.

12. On the Confirm Installation Selections page, click Install.

13. Verify that the installation was successful, and then click Close.

7. Configure NAT1

NAT1 is a Windows 7 computer that will be configured as a NAT device separating a private network from the Internet. The built-in Internet Connection Sharing (ICS) feature will be used as the NAT. ICS includes DHCP server-like functionality (the DHCP allocator) and automatically assigns IP addressing information to clients located behind the NAT1 ICS device. NAT1 has two network interfaces: one connected to the simulated Internet and one connected to a "home" network.

NOTE: NAT1 is a Windows 7 computer and after installation the default power plan is applied. The NAT1 computer may go to sleep before you reach the end of the lab configuration. You can prevent this by selecting the High Performance power plan in Control Panel. The steps for selecting the power plan are not described in this lab document.

You will perform the following operations to configure NAT1 as a NAT device:

A. Install the operating system on NAT1

The first step is to install the Windows 7 operating system. Note that this is not a requirement; you can use any NAT device to simulate NAT device functionality.

B. Rename the interfaces on NAT1

In this step you will rename the network interfaces in the Network Connections window to make them easier to identify. This is not required, but it makes applying the correct settings to the appropriate interface easier.

C. Disable 6to4 functionality on NAT1

You must disable 6to4 on NAT1. If you do not, NAT1 (which holds a public IPv4 address on its Internet interface) will act as a 6to4 router and advertise a 6to4-derived global IPv6 prefix to CLIENT1 when CLIENT1 is connected to the Homenet subnet. CLIENT1 would then believe it has global IPv6 connectivity and would not act as a Teredo or IP-HTTPS DirectAccess client.

D. Configure ICS on the External Interface of NAT1

Internet Connection Sharing enables NAT1 to act as a NAT device and DHCP server for clients located behind NAT1. This enables CLIENT1 to automatically obtain IP addressing information and connect to the simulated Internet when connected to the "Homenet" subnet behind NAT1.

A. Install the OS on NAT1

The first step is to install the Windows 7 operating system. Note that this is not a requirement; you can use any NAT device to simulate NAT device functionality.

Perform the following steps to install the operating system on NAT1:

1. At the NAT1 computer or virtual machine, connect one network adapter to the Internet subnet or virtual switch, and the other to the Homenet subnet or virtual switch.

2. Start the installation of Windows 7 Enterprise Edition, or Windows 7 Ultimate Edition.

3. When prompted for a user name, type User1. When prompted for a computer name, type NAT1.

4. When prompted for a password, type a strong password twice.

5. If prompted for a Password Hint, type a password hint.

6. When prompted for protection settings, click Use recommended settings.

7. When prompted for your computer's current location, click Public network.

B. Rename the Network Interfaces on NAT1

In this step you will rename the network interfaces in the Network Connections window to make them easier to identify. Note that this is not required, but it makes applying the correct settings on the appropriate interface easier.

Perform the following steps to rename the interfaces on NAT1:

1. Click Start, and then click Control Panel.

2. Under Network and Internet, click View status and tasks, and then click Change adapter settings.

3. In the Network Connections window, right-click the network connection that is connected to the Homenet subnet, and then click Rename.

4. Type Homenet, and then press ENTER.


5. In the Network Connections window, right-click the network connection that is connected to the Internet subnet, and then click Rename.

6. Type Internet, and then press ENTER.

7. Leave the Network Connections window open for the next procedure.

8. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

9. To check network communication between NAT1 and INET1, in the command window, type ping inet1.isp.example.com, and then press ENTER.

10. Verify that there are four responses from 131.107.0.1.

C. Disable 6to4 on NAT1

In the POC lab environment we use a Windows 7 computer to simulate a NAT device located in a remote location. One issue with Windows 7 when it is configured as an Internet Connection Sharing server is that it can act as a 6to4 router. When this happens, it assigns the CLIENT1 computer behind the NAT1 ICS computer a 6to4 address and prevents it from acting as a Teredo or IP-HTTPS client. We want to be able to demonstrate both Teredo and IP-HTTPS functionality, so we will disable 6to4 on the NAT1 Windows 7 computer.

Perform the following steps to disable 6to4 on NAT1:

1. Open an elevated command prompt window. In the command window, type netsh interface 6to4 set state state=disabled, and then press ENTER. You should get an Ok response after the command completes.

2. Close the command window.

D. Configure ICS on the External Interface of NAT1

Internet Connection Sharing enables NAT1 to act as a NAT device and DHCP server for clients located behind NAT1. This enables CLIENT1 to automatically obtain IP addressing information and connect to the simulated Internet when connected to the "Homenet" subnet behind NAT1.

Perform the following steps to configure ICS on the external interface of NAT1:

1. At the NAT1 computer or virtual machine, in the Network Connections window, right-click Internet, and then click Properties.

2. Click the Sharing tab, select Allow other network users to connect through this computer’s Internet connection, and then click OK.

3. Right-click the Homenet interface on NAT1, and then click Status.

4. In the Local Area Connection Status dialog box, on the General tab, click the Details button.


5. In the Network Connection Details dialog box, notice that the internal interface has been assigned an IP address and subnet mask by Internet Connection Sharing, using a network ID of 192.168.137.0/24. DHCP clients placed behind NAT1 will obtain an IP address on this network ID, and their DNS server settings, from Internet Connection Sharing.

6. Click Close in the Network Connection Details dialog box, and click Close in the Local Area Connection Status dialog box.

7. Close the Network Connections window.

8. Configure APP3

APP3 is a Windows Server 2003 Enterprise Edition computer that acts as an IPv4-only host and is used to demonstrate DirectAccess connectivity to IPv4-only resources using the UAG DNS64 and NAT64 features. APP3 hosts both HTTP and SMB resources that the DirectAccess client computer will be able to access from the simulated Internet. APP3 belongs to the resource domain (CORP), and the user account logged on to the DirectAccess client also belongs to the CORP domain (CORP\User2).

You will perform the following operations to configure APP3:

A. Install the operating system on APP3

The first step is to install Windows Server 2003 Enterprise Edition on APP3. This is not a requirement; you could use another IPv4-only operating system, such as Windows 2000 Server or even Windows XP. The goal is to provide an IPv4-only resource for the DirectAccess clients to connect to from over the Internet.

B. Install Web services on APP3

You will install IIS Web services on APP3 so that you can demonstrate HTTP connectivity over the DirectAccess connection.

C. Create a shared folder on APP3

You will create a shared folder on APP3 so that you can demonstrate SMB connectivity over the DirectAccess connection.

A. Install the OS on APP3

The first step is to install Windows Server 2003 Enterprise Edition on APP3. This is not a requirement; you could use another IPv4-only operating system, such as Windows 2000 Server or even Windows XP. The goal is to provide an IPv4-only resource for the DirectAccess clients to connect to from over the Internet.

Perform the following steps to install the operating system on APP3:

1. Connect the APP3 computer or virtual machine to the Corpnet subnet.

2. Start the installation of Windows Server 2003.

3. On the Welcome to the Windows Setup Wizard page, click Next.


4. On the Regional and Language Options page, click Next.

5. On the Personalize Your Software page, enter your Name and Organization information, and then click Next.

6. On the Licensing Modes page, select the Per server. Number of concurrent connections option, enter 100, and then click Next.

7. On the Computer Name and Administrator Password page, in the Computer name text box, enter APP3. Enter a complex Administrator password and Confirm password. Click Next.

8. On the Date and Time Settings page, set the correct date and time and click Next.

9. On the Networking Settings page, select Custom Settings and click Next.

10. On the Networking Components page, select Internet Protocol (TCP/IP) and click Properties.

11. On the Internet Protocol (TCP/IP) Properties page, select the Use the following IP address option. In the IP address text box, enter 10.0.0.4. In the Subnet mask text box, enter 255.255.255.0. Select the Use the following DNS server addresses option. In the Preferred DNS server text box, enter 10.0.0.10.

12. In the Internet Protocol (TCP/IP) Properties dialog box, click the Advanced button.

13. In the Advanced TCP/IP Settings dialog box, click the DNS tab.

14. On the DNS tab, in the DNS Suffix for this connection text box, enter corp.contoso.com. Click OK. In the Internet Protocol (TCP/IP) Properties dialog box, click OK. On the Networking Components page, click Next.

15. On the Workgroup or Computer Domain page, select the Yes, make this computer a member of the following domain option. In the text box under that option, enter CORP.

16. In the Join Computer to CORP Domain dialog box, in the User name text box, enter CORP\User2, and in the Password text box, enter User2's password. Click OK.

17. Log on as CORP\Administrator.

B. Install Web Services

You will install IIS Web services on APP3 so that you can demonstrate HTTP connectivity over the DirectAccess connection.

Perform the following steps to install IIS web services on APP3:

1. At APP3, click Start and point to Control Panel. Click Add or Remove Programs.

2. In the Add or Remove Programs window, click the Add/Remove Windows Components button.


3. On the Windows Components page, click Application Server, and then click Details.

4. In the Application Server dialog box, put a checkmark in the Internet Information Services (IIS) checkbox. Click OK.

5. On the Windows Components page, click Next.

6. On the Completing the Windows Components Wizard page, click Finish.

7. Close the Add or Remove Programs window.

8. Click the Internet Explorer icon in the Quick Launch bar.

9. In the dialog box that informs you Internet Explorer Enhanced Security Configuration is enabled, put a checkmark in the In the future, do not show this message checkbox and then click OK.

10. In the Internet Explorer address bar, enter http://localhost and press ENTER.

11. You should see the IIS Under Construction page, indicating that the default IIS Web site is available and running.

C. Create a Shared Folder on C:\

You will create a shared folder on the C: drive of APP3, containing one text file, so that you can demonstrate SMB connectivity to an IPv4-only server over the DirectAccess connection.

Perform the following steps to create the shared folder on APP3:

1. At APP3, click Start and click Windows Explorer.

2. In the left pane of the Windows Explorer window, expand My Computer and click Local Disk (C:)

3. Click the File menu, point to New and click Folder.

4. Rename New Folder to Files.

5. Right-click the Files folder, and then click Sharing and Security.

6. In the Files Properties dialog box, on the Sharing tab, select the Share this folder option. Accept the default share name, which is Files. Click OK.

7. Double click the Files folder.

8. Click the File menu, point to New, and then click Text Document.

9. Double-click the New Text Document.txt file.

10. In the New Text Document.txt – Notepad window, enter This is a new text document.

11. Close the Notepad window. In the Notepad dialog box, click Yes to save the changes.


9. Test DirectAccess Connectivity from the Internet

Now you can test DirectAccess connectivity on CLIENT1. For your first set of tests, you will connect CLIENT1 to the simulated Internet, where CLIENT1 will be assigned a public IP address. When a DirectAccess client is assigned a public IP address, it will try to establish a connection to the DirectAccess server using 6to4 over its 6to4 tunnel adapter. After connecting to the simulated Internet and establishing the DirectAccess connection, you will carry out a number of tests to confirm IPv6 connectivity and connectivity to resource domain assets from over the simulated Internet.

1. On the CLIENT1 computer or virtual machine, log off, and then log on as CORP\User2.

2. Unplug CLIENT1 from the corpnet switch and connect it to the Internet switch.

3. Open an elevated command prompt. In the command prompt window, enter ipconfig /all and press ENTER.

4. Examine the output from the ipconfig command. This computer is now connected to the Internet and has a public IP address. When the DirectAccess client has a public IP address, it uses the 6to4 IPv6 transition technology to tunnel IPv6 messages over the IPv4 Internet between the DirectAccess client and the UAG DirectAccess server. Look at the Tunnel adapter 6TO4 Adapter section. You will see a tunnel adapter address that begins with 2002:836b; 2002: is the 6to4 prefix and 836b is the hexadecimal form of 131.107, the first two octets of the client's public IPv4 address, so this is a globally routable address.

5. In the command prompt window, enter ipconfig /flushdns and press ENTER. This will flush name resolution entries that may still exist in the client DNS cache from when CLIENT1 was connected to the corpnet.

6. In the command prompt window, enter ping dc1 and press ENTER. You should see replies from the ISATAP address assigned to DC1, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.1

7. In the command prompt window, enter ping dc2 and press ENTER. You should see replies from the ISATAP address assigned to DC2, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.10

8. In the command prompt window, enter ping uag1 and press ENTER. You should see replies from the ISATAP address assigned to UAG1, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.2

9. In the command prompt window, enter ping app3 and press ENTER. You should see replies from the NAT64 address assigned by UAG1 to APP3, which in this case is 2002:836b:2:8001::a00:4. The ability to ping APP3 is important, as it indicates that NAT64/DNS64 is working correctly.

10. In the command prompt window, enter netsh namespace show effectivepolicy and press ENTER. The output shows the current settings for the Name Resolution Policy Table (NRPT). These settings indicate that all names ending in .corp.contoso.com and .pilot.contoso.com should be resolved by the DirectAccess DNS64 DNS proxy, which is the UAG DirectAccess server, with the IPv6 address 2002:836b:3::836b:3. Also note the NRPT entry indicating that there is an exemption for the name nls.pilot.contoso.com; names on the exemption list are not sent to the DirectAccess DNS server. You can ping the DirectAccess DNS server IP address to confirm connectivity to the DirectAccess server; in this example, ping 2002:836b:3::836b:3.

11. Click the Internet Explorer icon, click the Tools menu, and then click Internet Options. In the Internet Options dialog box, on the General tab, click the Use blank button to set the default Web page to blank, click OK, and then close Internet Explorer.

12. Open Internet Explorer. In the address bar, enter http://dc2.corp.contoso.com and press ENTER. You will see the default IIS site on DC2.

13. In the Internet Explorer address bar, enter http://app3.corp.contoso.com and press ENTER. You will see the default Web site on APP3. The connection to APP3 differs from the connection to DC2: DC2 is accessible over the infrastructure tunnel (because this server is listed as a management server in the DirectAccess configuration), which uses computer certificate and NTLMv2 authentication. In contrast, APP3 is not on the management servers list, so the connection must be made over the intranet tunnel, which requires Kerberos authentication.

14. Click Start, in the Search box, enter \\App3\Files, and then press ENTER. Double-click the New Text Document file. This demonstrates that you were able to connect to an IPv4-only server using SMB to obtain a resource in the resource domain.

15. Click Start and in the Search box, enter wf.msc and press ENTER.

16. In the Windows Firewall with Advanced Security console, notice that only the Public profile is active. The Windows Firewall must be enabled for DirectAccess to work correctly; the DirectAccess IPsec tunnels are implemented as connection security rules in this console, so if the Windows Firewall were disabled, DirectAccess connectivity would fail.

17. Expand the Monitoring node in the left pane of the console and click the Connection Security Rules node. You should see the active connection security rules: UAG DirectAccess Client – Client Access Enabling Tunnel – All, UAG DirectAccess Client – Clients Corp Tunnel and UAG DirectAccess Client – Exempt NLA. Scroll the middle pane to the right to expose the 1st Authentication Methods and 2nd Authentication Methods columns. Notice that the first rule uses NTLMv2 to establish the infrastructure tunnel and the second rule uses Kerberos V5 to establish the intranet tunnel.

18. In the left pane of the console, expand the Security Associations node and click the Main Mode node. Notice the infrastructure tunnel security association using NTLMv2 and the intranet tunnel security association using Kerberos V5. Right-click the entry that shows User (Kerberos V5) as the 2nd Authentication Method, and then click Properties. On the General tab, notice that the Second authentication Local ID is CORP\User2, indicating that User2 was able to successfully authenticate to the CORP domain over the forest trust.


19. Close all open windows before moving to the next step.
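The NRPT check in step 10 above is easy to eyeball in a lab and easy to get wrong in production: a suffix rule that points at an intranet DNS address instead of the UAG DNS64 address, or a missing NLS exemption, silently breaks name resolution for remote clients. The following Python script is an added example, not part of the lab guide or of any Microsoft tooling. It parses the text that netsh namespace show effectivepolicy prints (the sample below is constructed to mirror the "Settings for <name>" header followed by "field : value" lines; the field names are assumed to match the English Windows 7 output) and checks that every suffix rule resolves through 2002:836b:3::836b:3 and that nls.pilot.contoso.com is an exemption with no DNS server. A second, deliberately broken sample shows the failure case the check is meant to catch.

```python
"""Check a DirectAccess client's effective NRPT against the lab design.
Added example; not part of the lab guide. The samples are constructed."""
import re

UAG_DNS64 = "2002:836b:3::836b:3"
EXPECTED_SUFFIXES = {".corp.contoso.com", ".pilot.contoso.com"}
EXPECTED_EXEMPTIONS = {"nls.pilot.contoso.com"}

# Constructed to resemble `netsh namespace show effectivepolicy` on Windows 7:
# two suffix rules and the NLS exemption described in step 10 of section 9.
SAMPLE_GOOD = """\
DNS Effective Name Resolution Policy Table Settings

Settings for .corp.contoso.com
----------------------------------------------------------------------
Certification authority                 :
DNSSEC (Validation)                     : disabled
DirectAccess (DNS Servers)              : 2002:836b:3::836b:3
DirectAccess (Proxy Settings)           : Bypass proxy

Settings for .pilot.contoso.com
----------------------------------------------------------------------
Certification authority                 :
DNSSEC (Validation)                     : disabled
DirectAccess (DNS Servers)              : 2002:836b:3::836b:3
DirectAccess (Proxy Settings)           : Bypass proxy

Settings for nls.pilot.contoso.com
----------------------------------------------------------------------
Certification authority                 :
DNSSEC (Validation)                     : disabled
DirectAccess (DNS Servers)              :
DirectAccess (Proxy Settings)           : Use default browser settings
"""

# Constructed failure case: the .corp.contoso.com rule points at the intranet
# DNS server's IPv4 address (DC2), which an Internet-connected client cannot reach.
SAMPLE_BAD = SAMPLE_GOOD.replace(": 2002:836b:3::836b:3", ": 10.0.0.10", 1)


def parse_nrpt(text):
    """Return {rule name: {field: value}} from the netsh output.
    Splitting on the first ':' keeps IPv6 values (which contain ':') intact."""
    rules, current = {}, None
    for line in text.splitlines():
        header = re.match(r"\s*Settings for (\S+)", line)
        if header:
            current = header.group(1)
            rules[current] = {}
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            rules[current][key.strip()] = value.strip()
    return rules


def check_nrpt(text, dns64=UAG_DNS64, suffixes=EXPECTED_SUFFIXES,
               exemptions=EXPECTED_EXEMPTIONS):
    """Return a list of problems; an empty list means the NRPT matches the lab."""
    rules = parse_nrpt(text)
    problems = []
    for name in sorted(suffixes):
        if name not in rules:
            problems.append(f"missing rule for {name}")
            continue
        servers = rules[name].get("DirectAccess (DNS Servers)", "")
        if dns64 not in servers.split():
            problems.append(f"{name} resolves via '{servers}', expected {dns64}")
    for name in sorted(exemptions):
        if name not in rules:
            problems.append(f"missing exemption for {name}")
            continue
        servers = rules[name].get("DirectAccess (DNS Servers)", "")
        if servers:
            problems.append(f"exemption {name} must not name a DNS server ('{servers}')")
    for name in sorted(rules):
        if name not in suffixes and name not in exemptions:
            problems.append(f"unexpected rule {name}")
    return problems


if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, check_nrpt(sample) or "OK")
```

On a real client, feed the script the captured output instead of the constructed sample (for example, redirect netsh namespace show effectivepolicy to a file and read it). The check is strict about unexpected rules on purpose: a stale rule left behind by a previous DirectAccess Group Policy is a common cause of remote name resolution failures.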

10. Test DirectAccess Connectivity from Behind a NAT Device

When a DirectAccess client is connected to the Internet from behind a NAT device or a Web proxy server, the client will use either Teredo or IP-HTTPS to connect to the DirectAccess server. If the NAT device allows outbound UDP port 3544 to the DirectAccess server's public IP addresses, Teredo will be used. If Teredo is not available, the DirectAccess client falls back to IP-HTTPS over outbound TCP port 443, which enables access through firewalls or Web proxy servers over the standard SSL port. Teredo is the preferred access method because of its superior performance: IP-HTTPS encrypts the already IPsec-protected traffic a second time inside SSL.

In this section you will perform the same tests that you performed when connecting using a 6to4 connection in the previous section.

A. Testing Teredo Connectivity

The DirectAccess client can use either Teredo or IP-HTTPS when connecting to the DirectAccess server from behind a NAT device. You will first examine the settings and test connectivity using Teredo.

Perform the following steps to test Teredo connectivity:

1. Unplug CLIENT1 from the Internet switch and connect it to the Homenet switch. If asked what type of network you want to define the current network, select Home Network.

2. Open an elevated command prompt. In the command prompt window, enter ipconfig /all and press ENTER.

3. Examine the output of the ipconfig command. This computer is now connected to the Internet from behind a NAT device and is assigned a private IPv4 address. When the DirectAccess client is behind a NAT device and assigned a private IPv4 address, the preferred IPv6 transition technology is Teredo. In the output of the ipconfig command, you should see a section for Tunnel adapter Local Area Connection with the description Teredo Tunneling Pseudo-Interface, with an IP address that starts with 2001:0:, the Teredo prefix. You will not see a default gateway listed for the Teredo tunnel adapter.

4. In the command prompt window, enter ipconfig /flushdns and press ENTER. This will flush name resolution entries that may still exist in the client DNS cache from when CLIENT1 was connected to the corpnet.

5. In the command prompt window, enter ping dc1 and press ENTER. You should see replies from the ISATAP address assigned to DC1, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.1

6. In the command prompt window, enter ping dc2 and press ENTER. You should see replies from the ISATAP address assigned to DC2, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.10


7. In the command prompt window, enter ping uag1 and press ENTER. You should see replies from the ISATAP address assigned to UAG1, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.2

8. In the command prompt window, enter ping app3 and press ENTER. You should see replies from the NAT64 address assigned by UAG1 to APP3, which in this case is 2002:836b:2:8001::a00:4

9. In the command prompt window, enter netsh namespace show effectivepolicy and press ENTER. The output shows the current settings for the Name Resolution Policy Table (NRPT). These settings indicate that all names ending in .corp.contoso.com and .pilot.contoso.com should be resolved by the DirectAccess DNS64 DNS proxy, which is the UAG DirectAccess server, with the IPv6 address 2002:836b:3::836b:3. Also note the NRPT entry indicating that there is an exemption for the name nls.pilot.contoso.com; names on the exemption list are not sent to the DirectAccess DNS server. You can ping the DirectAccess DNS server IP address to confirm connectivity to the DirectAccess server; in this example, ping 2002:836b:3::836b:3.

10. Open Internet Explorer. In the address bar, enter http://dc2.corp.contoso.com and press ENTER. You will see the default IIS site on DC2.

11. In the Internet Explorer address bar, enter http://app3.corp.contoso.com and press ENTER. You will see the default Web site on APP3. The connection to APP3 differs from the connection to DC2: DC2 is accessible over the infrastructure tunnel (because this server is listed as a management server in the DirectAccess configuration), which uses computer certificate and NTLMv2 authentication. In contrast, APP3 is not on the management servers list, so the connection must be made over the intranet tunnel, which requires Kerberos authentication.

12. Click Start, in the Search box, enter \\App3\Files, and then press ENTER. Double-click the New Text Document file. This demonstrates that you were able to connect to an IPv4-only server using SMB to obtain a resource in the resource domain.

13. Click Start and in the Search box, enter wf.msc and press ENTER.

14. In the Windows Firewall with Advanced Security console, notice that only the Private profile is active. The Windows Firewall must be enabled for DirectAccess to work correctly; if the Windows Firewall were disabled, DirectAccess connectivity would fail.

15. Expand the Monitoring node in the left pane of the console and click the Connection Security Rules node. You should see the active connection security rules: UAG DirectAccess Client – Client Access Enabling Tunnel – All, UAG DirectAccess Client – Clients Corp Tunnel and UAG DirectAccess Client – Exempt NLA. Scroll the middle pane to the right to expose the 1st Authentication Methods and 2nd Authentication Methods columns. Notice that the first rule uses NTLMv2 to establish the infrastructure tunnel and the second rule uses Kerberos V5 to establish the intranet tunnel.


16. In the left pane of the console, expand the Security Associations node and click the Main Mode node. Notice the infrastructure tunnel security association using NTLMv2 and the intranet tunnel security association using Kerberos V5. Right-click the entry that shows User (Kerberos V5) as the 2nd Authentication Method, and then click Properties. On the General tab, notice that the Second authentication Local ID is CORP\User2, indicating that User2 was able to successfully authenticate to the CORP domain over the forest trust.

17. Close the Windows Firewall with Advanced Security console and all other open windows before moving to the next step.

B. Testing IP-HTTPS Connectivity

When the DirectAccess client is unable to establish a Teredo connection with the DirectAccess server (typically because a firewall or router has blocked outbound UDP port 3544), the DirectAccess client configures itself to use IP-HTTPS to tunnel IPv6 messages over the IPv4 Internet. In the following exercises you will force this fallback by disabling Teredo on the client, confirm that the host is configured as an IP-HTTPS host, and check its connectivity characteristics.

Perform the following steps to test IP-HTTPS connectivity:

1. Open an elevated command prompt. In the command prompt window, enter netsh interface teredo set state disabled and press ENTER. You should see an Ok response when the command completes.

2. In the same command prompt window, enter ipconfig /all and press ENTER.

3. Examine the output of the ipconfig command. This computer is still connected to the Internet from behind a NAT device and is assigned a private IPv4 address. Because Teredo has been disabled, the DirectAccess client falls back to IP-HTTPS. In the output of the ipconfig command, you should see a section for Tunnel adapter iphttpsinterface with an IP address that starts with 2002:836b:2:8100, indicating that this is an IP-HTTPS address. You will not see a default gateway listed for the IP-HTTPS tunnel adapter.

4. In the command prompt window, enter ipconfig /flushdns and press ENTER. This will flush name resolution entries that may still exist in the client DNS cache from when CLIENT1 was connected to the corpnet.

5. In the command prompt window, enter ping dc1 and press ENTER. You should see replies from the ISATAP address assigned to DC1, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.1

6. In the command prompt window, enter ping dc2 and press ENTER. You should see replies from the ISATAP address assigned to DC2, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.10

7. In the command prompt window, enter ping uag1 and press ENTER. You should see replies from the ISATAP address assigned to UAG1, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.2


8. In the command prompt window, enter ping app3 and press ENTER. You should see replies from the NAT64 address assigned by UAG1 to APP3, which in this case is 2002:836b:2:8001::a00:4

9. In the command prompt window, enter netsh namespace show effectivepolicy and press ENTER. The output shows the current settings for the Name Resolution Policy Table (NRPT). These settings indicate that all names ending in .corp.contoso.com and .pilot.contoso.com should be resolved by the DirectAccess DNS64 DNS proxy, which is the UAG DirectAccess server, with the IPv6 address 2002:836b:3::836b:3. Also note the NRPT entry indicating that there is an exemption for the name nls.pilot.contoso.com; names on the exemption list are not sent to the DirectAccess DNS server. You can ping the DirectAccess DNS server IP address to confirm connectivity to the DirectAccess server; in this example, ping 2002:836b:3::836b:3.

10. Open Internet Explorer. In the address bar, enter http://dc2.corp.contoso.com and press ENTER. You will see the default IIS site on DC2.

11. In the Internet Explorer address bar, enter http://app3.corp.contoso.com and press ENTER. You will see the default Web site on APP3. The connection to APP3 differs from the connections to DC1 and DC2: both DC1 and DC2 are accessible over the infrastructure tunnel (because these two servers are listed as management servers in the DirectAccess configuration), which uses computer certificate and NTLMv2 authentication. In contrast, APP3 is not on the management servers list, so the connection must be made over the intranet tunnel, which requires Kerberos authentication.

12. Click Start, in the Search box, enter \\App3\Files, and then press ENTER. Double-click the New Text Document file. This demonstrates that you were able to connect to an IPv4-only server using SMB to obtain a resource in the resource domain.

13. Click Start and in the Search box, enter wf.msc and press ENTER.

14. In the Windows Firewall with Advanced Security console, notice that only the Private profile is active. The Windows Firewall must be enabled for DirectAccess to work correctly; if the Windows Firewall were disabled, DirectAccess connectivity would fail.

15. Expand the Monitoring node in the left pane of the console and click the Connection Security Rules node. You should see the active connection security rules: UAG DirectAccess Client – Client Access Enabling Tunnel – All, UAG DirectAccess Client – Clients Corp Tunnel and UAG DirectAccess Client – Exempt NLA. Scroll the middle pane to the right to expose the 1st Authentication Methods and 2nd Authentication Methods columns. Notice that the first rule uses NTLMv2 to establish the infrastructure tunnel and the second rule uses Kerberos V5 to establish the intranet tunnel.

16. In the left pane of the console, expand the Security Associations node and click the Main Mode node. Notice the infrastructure tunnel security association using NTLMv2 and the intranet tunnel security association using Kerberos V5. When you right-click the Kerberos V5 security association and click Properties, you will see that the second authentication was performed for CORP\User2.

17. Close the Windows Firewall with Advanced Security console and all other open windows before moving to the next step.
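Each of the three test passes above (6to4 in section 9, Teredo and IP-HTTPS in this section) identifies the transition technology by the shape of the address that ipconfig shows, and each of those addresses embeds IPv4 information you can decode by hand: a 6to4 address carries the 6to4 router's public IPv4 address right after 2002:, an ISATAP interface ID carries the host's intranet IPv4 address after 5efe, the UAG NAT64 address carries APP3's IPv4 address in its low 32 bits, and a Teredo address carries the Teredo server, the client's public IPv4 address and its NAT-mapped UDP port (the last two XORed with all ones). The following Python script is an added example, not part of the lab guide: it classifies and decodes the addresses the guide lists for DC1, DC2, UAG1, APP3 and the DNS64 server, plus one constructed Teredo address (Teredo server 131.107.0.2, client public address 131.107.0.100, mapped port 40000, flags 0; all of these are assumptions). The /96 length of the NAT64 prefix and the /64 length of the IP-HTTPS prefix are assumed from the single addresses the guide shows.

```python
"""Classify and decode the IPv6 transition addresses seen in the lab's
ipconfig and ping output. Added example; not part of the lab guide."""
from ipaddress import IPv4Address, IPv6Address, IPv6Network

# 131.107.0.0 is 0x836b0000, so the lab's 6to4 space is 2002:836b::/32
# (RFC 3056 embeds the IPv4 address right after 2002:). The NAT64 and
# IP-HTTPS prefix lengths are assumptions read off the guide's addresses.
SIXTOFOUR_PREFIX = IPv6Network("2002::/16")
TEREDO_PREFIX = IPv6Network("2001::/32")               # RFC 4380
NAT64_PREFIX = IPv6Network("2002:836b:2:8001::/96")    # assumed /96
IPHTTPS_PREFIX = IPv6Network("2002:836b:2:8100::/64")  # assumed /64


def decode_6to4(addr):
    """IPv4 address embedded in bits 16-47 of a 6to4 address (the 6to4 router)."""
    a = IPv6Address(addr)
    if a not in SIXTOFOUR_PREFIX:
        raise ValueError(f"{addr} is not a 6to4 address")
    return str(IPv4Address(a.packed[2:6]))


def is_isatap(addr):
    """ISATAP interface IDs are 0000:5EFE:<IPv4> (0200:5EFE for a public IPv4)."""
    iid = IPv6Address(addr).packed[8:16]
    return iid[0] in (0x00, 0x02) and iid[1] == 0 and iid[2:4] == b"\x5e\xfe"


def decode_isatap(addr):
    """Intranet IPv4 address carried in the low 32 bits of an ISATAP interface ID."""
    if not is_isatap(addr):
        raise ValueError(f"{addr} has no ISATAP interface ID")
    return str(IPv4Address(IPv6Address(addr).packed[12:16]))


def decode_nat64(addr, prefix=NAT64_PREFIX):
    """With a /96 NAT64 prefix, the IPv4-only host's address is the low 32 bits."""
    a = IPv6Address(addr)
    if a not in prefix:
        raise ValueError(f"{addr} is not in NAT64 prefix {prefix}")
    return str(IPv4Address(a.packed[12:16]))


def decode_teredo(addr):
    """RFC 4380 layout: 2001:0000:<server IPv4>:<flags>:<~port>:<~client IPv4>.
    The port and client address are stored XORed with all ones."""
    a = IPv6Address(addr)
    if a not in TEREDO_PREFIX:
        raise ValueError(f"{addr} is not a Teredo address")
    p = a.packed
    server = str(IPv4Address(p[4:8]))
    flags = int.from_bytes(p[8:10], "big")
    port = int.from_bytes(p[10:12], "big") ^ 0xFFFF
    client = str(IPv4Address(int.from_bytes(p[12:16], "big") ^ 0xFFFFFFFF))
    return server, flags, client, port


def classify(addr):
    """Name the transition technology using the lab's prefixes. ISATAP is tested
    before 6to4 because the intranet ISATAP hosts live inside 2002:836b:2::/48."""
    a = IPv6Address(addr)
    if a in TEREDO_PREFIX:
        return "Teredo"
    if a in NAT64_PREFIX:
        return "NAT64"
    if a in IPHTTPS_PREFIX:
        return "IP-HTTPS"
    if is_isatap(addr):
        return "ISATAP"
    if a in SIXTOFOUR_PREFIX:
        return "6to4"
    return "other"


def embedded_ipv4(addr):
    """The IPv4 address a troubleshooter most wants from each kind of address."""
    kind = classify(addr)
    if kind == "ISATAP":
        return decode_isatap(addr)
    if kind == "NAT64":
        return decode_nat64(addr)
    if kind == "Teredo":
        return decode_teredo(addr)[2]   # the client's public IPv4 address
    if kind in ("6to4", "IP-HTTPS"):
        return decode_6to4(addr)        # the 6to4 router's public IPv4 address
    raise ValueError(f"no embedded IPv4 address in {addr}")


# Addresses the guide says the ping tests return, plus one constructed Teredo
# address: server 131.107.0.2, flags 0, client public 131.107.0.100, port 40000.
LAB_ADDRESSES = {
    "dc1": "2002:836b:2:8000:0:5efe:10.0.0.1",
    "dc2": "2002:836b:2:8000:0:5efe:10.0.0.10",
    "uag1": "2002:836b:2:8000:0:5efe:10.0.0.2",
    "app3": "2002:836b:2:8001::a00:4",
    "dns64": "2002:836b:3::836b:3",
    "client1-teredo": "2001:0:836b:2:0:63bf:7c94:ff9b",
}


def decode_lab_addresses(addresses=LAB_ADDRESSES):
    """Map each name to (technology, embedded IPv4 address)."""
    return {name: (classify(a), embedded_ipv4(a)) for name, a in addresses.items()}


if __name__ == "__main__":
    for name, (kind, v4) in decode_lab_addresses().items():
        print(f"{name:15s} {kind:9s} {v4}")
```

Running decode_6to4 on the ISATAP and IP-HTTPS addresses is also informative: they all sit under 2002:836b:2::/48, which decodes to 131.107.0.2, the public IPv4 address from which the UAG server's 6to4 relay derives the intranet prefix, while the DNS64 address 2002:836b:3::836b:3 decodes to 131.107.0.3. Those two addresses are derived from the guide's addresses rather than stated in it.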

11. Test Connectivity When Returning to the Corpnet

Many of your users will move between remote locations and the corpnet, so it is important that when they reconnect to the corpnet they can access resources without making any configuration changes to their computers. UAG DirectAccess makes this possible because when the DirectAccess client returns to the corpnet, it is able to make an HTTPS connection to the Network Location Server. Once that HTTPS connection is successfully established, the DirectAccess client disables its DirectAccess client settings and uses a direct connection to the corpnet.

Perform the following steps to test connectivity after returning CLIENT1 to the Corpnet subnet:

1. Shut down CLIENT1. Unplug CLIENT1 from the Homenet subnet or virtual switch, connect it to the Corpnet subnet or virtual switch, and then start CLIENT1 again. If asked what type of network you want to define the current network as, select Work Network.

2. Log on as CORP\User2.

3. Open an elevated command prompt. In the command prompt window, enter ipconfig /all and press ENTER. The output will indicate that CLIENT1 has a local IP address and that there is no active 6to4, Teredo, or IP-HTTPS tunnel.

4. Test connectivity to the network share on APP3. Click Start, in the Search box, enter \\APP3\Files, and then press ENTER. You will be able to open the file in that folder.
