Microsoft DirectAccess Best Practices and Troubleshooting


Microsoft DirectAccess Best Practices and Troubleshooting
Secure and efficient functioning of your DirectAccess environment

Jordan Krause

BIRMINGHAM - MUMBAI

Copyright © 2013 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: October 2013
Production Reference: 1071013

Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.

ISBN 978-1-78217-106-5

www.packtpub.com

Cover Image by Fereze Babu (mail@feroze.me)

Credits

Author: Jordan Krause
Reviewers: Shannon Fritz, Richard Hicks
Acquisition Editor: Vinay Argekar
Commissioning Editor: Neha Nagwekar
Technical Editors: Novina Kewalramani, Rohit Kumar Singh
Project Coordinator: Sherin Padayatty
Proofreader: Clyde Jenkins
Indexer: Mariammal Chettiyar
Graphics: Yuvraj Mannari
Production Coordinator: Aparna Bhagat
Cover Work: Aparna Bhagat

Foreword

Microsoft DirectAccess is a revolutionary remote access solution for managed (domain-joined) Windows clients.
DirectAccess provides always-on corporate network connectivity, enabling remote users to securely access on-premises data and applications anywhere they have a connection to the public Internet. Many mistakenly believe that DirectAccess is itself a protocol. It is not. DirectAccess leverages multiple Microsoft technologies to deliver this service, such as Active Directory, IPsec, IPv6, digital certificates, and more. Harnessing the power of Windows Server 2012 and Windows 8 Enterprise edition, DirectAccess represents a paradigm shift in the way we think about providing remote access.

Traditional Virtual Private Networking (VPN) solutions require the user to proactively initiate a connection back to the corporate network when they need to access corporate resources. By contrast, DirectAccess is seamless and transparent, and does not require any input from the user to establish remote network connectivity. Through the use of Connection Security Rules in the Windows Firewall with Advanced Security (WFAS), IPsec tunnels are established automatically in the background any time the user has an active Internet connection.

A distinct advantage that DirectAccess has over VPN is that DirectAccess is bidirectional, allowing hosts on the corporate intranet to initiate connections outbound to connected DirectAccess clients. This allows system administrators to "manage out" and enables help desk administrators to initiate remote desktop sessions or security administrators to conduct vulnerability scans, among other things. DirectAccess fundamentally extends the corporate network to the remote user, wherever they may be located.

DirectAccess has been around for a few years, originally appearing as a feature of the Windows Server 2008 R2 operating system. Windows Server 2008 R2 DirectAccess wasn't widely deployed, as it carried with it very steep infrastructure requirements in order to support DirectAccess, including the requirement for a Public Key Infrastructure (PKI) for management of digital certificates and IPv6 for network layer transport. My first experience with DirectAccess came when Forefront Unified Access Gateway (UAG) 2010 was released. UAG included support for the DirectAccess role, and also included new features that eliminated the need to deploy IPv6 internally to take advantage of the solution.

As a Microsoft Most Valuable Professional (MVP) in the Forefront discipline, I began to deploy Forefront UAG for DirectAccess on a regular basis. With the release of Windows Server 2012, DirectAccess is now fully integrated into the operating system, and the adoption rate is accelerating faster. Today, I spend most of my time deploying Windows Server 2012 DirectAccess solutions for some of the largest organizations in the world.

I met Jordan Krause a few years ago when he was first awarded the MVP from Microsoft. Our MVP group is small and tight-knit, and from the beginning Jordan fit right in. He had a wealth of knowledge and experience with DirectAccess and freely shared this with the rest of us in the group. All of us in the DirectAccess community have gained important knowledge from Jordan. With this book, Jordan is now able to share his valuable experience with the rest of the world.

This book is focused on sharing real-world, practical advice for deploying DirectAccess in the best possible way for your given deployment model. Jordan pulls no punches, and isn't afraid to tell you when you shouldn't do something, even if it is possible! He provides valuable context to help you with your implementation, and makes sure that you avoid the common pitfalls and mistakes that many engineers who are new to DirectAccess invariably make. If you're going to deploy Windows Server 2012 DirectAccess now or in the future, you'll definitely want to read this book first. Enjoy!

Richard Hicks
Director of Sales Engineering at Iron Networks, Inc.

About the Author

Jordan Krause is a Microsoft MVP in Enterprise Security, and specializes in DirectAccess, which is a part of Forefront Unified Access Gateway (UAG) 2010 and Unified Remote Access (URA) in Windows Server 2012. As a Senior Engineer and Security Specialist for IVO Networks, he spends the majority of each workday planning, designing, and implementing DirectAccess for companies all over the world. Committed to continuous learning, Jordan holds Microsoft certifications as an MCP, MCTS, MCSA, and MCITP Enterprise Administrator. He regularly writes tech notes and articles about some of the fun and exciting ways that DirectAccess can be used, which can be found at http://www.ivonetworks.com/news/. He also strives to spend time helping the DirectAccess community, mostly by way of the Microsoft TechNet forums. Jordan is always open to direct contact for answering questions or helping out in any way that he can, so don't hesitate to head over to the forums and find him personally.

Huge thanks to my family for taking more on their plates while I worked on this. Laura, Grace, and Jackson—you are my motivation for doing what I do! Another big thank you to my family at IVO; without the opportunities you have provided, I may never have heard the word DirectAccess.

About the Reviewers

Shannon Fritz is an Infrastructure Architect and regional leader in Remote Connectivity solutions, including DirectAccess, Remote Desktop Services, and supporting technologies such as Hyper-V and Active Directory. Shannon is the Datacenter and Azure Team Lead for Concurrency's Infrastructure Practice, a systems integrator who is solely focused on Microsoft solutions.
Richard Hicks (MCP, MCSE, MCTS, and MCITP Enterprise Administrator) is a network and information security expert specializing in Microsoft technologies. As a four-time Microsoft Most Valuable Professional (MVP), he has traveled around the world speaking to network engineers, security administrators, and IT professionals about Microsoft edge security and remote access solutions. Richard has nearly two decades of experience working in large scale corporate computing environments, and has designed and deployed perimeter defense and secure remote access solutions for some of the largest companies in the world. He blogs extensively about Microsoft edge security and remote access solutions, and is a contributing author at popular sites such as WindowSecurity.com, ISAserver.org, and the Petri IT Knowledgebase. In addition, he is a Pluralsight author and has served as the technical reviewer on several Windows server and network security books. Richard is the Director of Sales Engineering for Iron Networks, a Microsoft OEM partner developing secure remote access, network virtualization, and converged cloud infrastructure solutions. He's an avid fan of Major League Baseball and in particular the Los Angeles Angels (of Anaheim!), and also enjoys craft beer and single malt Scotch whisky. Born and raised in beautiful, sunny Southern California, he still resides there with Anne, the love of his life and wife of 27 years, along with their four children. You can keep up with Richard by visiting http://www.richardhicks.com/.

www.PacktPub.com

Support files, eBooks, discount offers and more

You might want to visit www.PacktPub.com for support files and downloads related to your book.

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at service@packtpub.com for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.

PacktLib (http://PacktLib.PacktPub.com)

Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can access, read and search across Packt's entire library of books.

Why Subscribe?
• Fully searchable across every book published by Packt
• Copy and paste, print and bookmark content
• On demand and accessible via web browser

Free Access for Packt account holders
If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view nine entirely free books. Simply use your login credentials for immediate access.

Instant Updates on New Packt Books
Get notified! Find out when new books are published by following @PacktEnterprise on Twitter, or the Packt Enterprise Facebook page.

[...]

... users and executive team. Trust me, it's that cool.

What this book covers

Chapter 1, DirectAccess Server Best Practices, describes the step-by-step procedure you should take to prepare your DirectAccess server. Following the procedures listed here will ensure that your server adheres to critical security practices.

Chapter 2, DirectAccess Environmental Best Practices, brings detail to the infrastructure and environmental considerations that need to be taken when implementing DirectAccess.

...

... very regularly, are UAG DirectAccess and Server 2012 DirectAccess. As you can infer from the name, the latter runs on Server 2012 and is simply a role that you can add into Windows (don't do this until you read Chapter 1, DirectAccess Server Best Practices). UAG, on the other hand, is a software platform that needs to be installed on top of Server 2008 R2. If one is Server 2008 R2 and the other is Server...

... which DirectAccess can be implemented, how is one supposed to sift through and figure out what is best for them?
This is a large part of the intention of this book, to clear the air on the options that are out there, and particularly address them from a set of "Best Practices" glasses. We are going to talk about specific settings and some general ideology about how to make DA work its hardest for you and...

... actual server itself, and not necessarily DirectAccess environmental practices, as we will discuss those topics in Chapter 2, DirectAccess Environmental Best Practices. Here's the layout of what we are going to look at:

• Preparing your Remote Access servers for DirectAccess
• NIC configuration
• NIC binding
• MAC address spoofing for virtual machines
• Adding static routes
• Hostname and domain membership
...

... and click on the Add… button to input your second IP address and Subnet mask. You are not required to input another default gateway, only the IP and mask.

7. Now head over to the DNS tab and uncheck the Register this connection's addresses in DNS checkbox.

8. Finally, move one more tab over to the WINS tab and...

... cause major confusion on the server and will almost certainly stop DirectAccess from working.

You should now have all the information you need to finalize your IP addressing and routing on your DirectAccess servers. These steps are necessary on each server. Just one more side note to add here; implementing DirectAccess in the single NIC configuration...

... aspect of the book, and we will do our best to address it.

In this chapter we are going to take a step-by-step approach in the preparation of your Windows Server 2012 Remote Access servers for use with DirectAccess. By walking through the process of preparing your servers, we will have ample opportunity to discuss what the changes and options that...
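The NIC steps quoted in this excerpt (adding a second IP address with only an address and mask, then clearing the "Register this connection's addresses in DNS" checkbox) can also be applied from PowerShell on Windows Server 2012, which is the practical way to get identical settings on every Remote Access server you prepare. The block below is an added example, not code from the book: the adapter alias and the 192.0.2.0/24 addresses are assumptions to be replaced with your own, and the WINS-tab step is left out because the excerpt does not show what it sets.

```powershell
# Added example (not from the book). Run in an elevated PowerShell session on
# the Windows Server 2012 Remote Access server being prepared.
# Assumptions: the adapter alias and the addresses below are placeholders.
$Adapter   = 'Ethernet 2'   # assumption: alias of the NIC being configured
$SecondIP  = '192.0.2.11'   # assumption: the additional address (documentation range)
$PrefixLen = 24             # prefix-length form of a 255.255.255.0 subnet mask

# Fail early if the alias is wrong rather than half-applying the settings.
Get-NetAdapter -Name $Adapter -ErrorAction Stop | Out-Null

# Step 6: add the second address. No -DefaultGateway is passed, matching the
# note that only the IP and mask are required for the additional address.
# The check keeps the script safe to re-run on a server already configured.
$already = Get-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 -ErrorAction SilentlyContinue |
           Where-Object IPAddress -eq $SecondIP
if (-not $already) {
    New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $SecondIP -PrefixLength $PrefixLen | Out-Null
}

# Step 7: the "Register this connection's addresses in DNS" checkbox.
Set-DnsClient -InterfaceAlias $Adapter -RegisterThisConnectionsAddress $false

# Verification: the adapter's IPv4 addresses, its default routes (this step
# should not have added one) and the DNS registration flag, so the result can
# be compared server by server.
Get-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 |
    Select-Object IPAddress, PrefixLength, PrefixOrigin
Get-NetRoute -InterfaceAlias $Adapter -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Select-Object DestinationPrefix, NextHop, RouteMetric
Get-DnsClient -InterfaceAlias $Adapter |
    Select-Object InterfaceAlias, RegisterThisConnectionsAddress
```

The three Get-* calls at the end are the part worth keeping in any build script: they print the state the GUI steps would have produced, and running them on each server before and after the change makes it obvious if a second default gateway or a stray DNS registration has crept in.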
... you want to rid yourself of all these issues and give users a completely seamless connection that they don't even have to know exists, you might get a big bonus check. Oh, and you might be a DirectAccess Administrator!

DirectAccess rocks

I always said if I had an opportunity to write something about DirectAccess, I would at some point say "DirectAccess rocks", and so there it is. I spend at least part of...

... hardening the server.

Preparing your Remote Access servers for DirectAccess

We are first going to walk through some standard operating procedures that you will want to take on every one of your Windows Server 2012 servers that you are planning to turn into Remote Access / DirectAccess servers. Whether working on the first DirectAccess server in your entire...

... also apply to UAG DirectAccess. I used Server 2012 to create my command output, screenshots, and for all of the verbiage within the book. But all of the security concepts and guides to troubleshooting client-side scenarios really apply to either solution. Let's get rolling. I had a lot of fun putting this together, and I hope you get some enjoyment out of reading it. I genuinely believe that DirectAccess is...

Posted: 01/08/2014, 16:49


Table of Contents

• Cover
• Copyright
• Credits
• Foreword
• About the Author
• About the Reviewers
• www.PacktPub.com
• Table of Contents
• Preface
• Chapter 1: DirectAccess Server Best Practices
  • Preparing your Remote Access servers for DirectAccess
  • NIC configuration
    • Configuring internal NIC
    • Configuring external NIC
  • NIC binding
  • MAC address spoofing for virtual machines
  • Adding static routes
  • Hostname and domain membership
    • Prestage the computer account
  • Time for certificates
    • Installing the IP-HTTPS SSL certificate
    • Installing the IPsec machine certificate
  • Adding the roles
  • Don't use the Getting Started Wizard!
    • Running the full Remote Access Setup Wizard
