Test Lab Guide: Demonstrate DirectAccess
Microsoft Corporation
Published: May 2009
Updated: July 2010
Abstract
DirectAccess is a new feature in the Windows® 7 and Windows Server® 2008 R2 operating systems that enables remote users to securely access intranet shared folders, Web sites, and applications without connecting to a virtual private network (VPN). This document contains an introduction to DirectAccess and step-by-step instructions for extending the Base Configuration test lab to demonstrate DirectAccess in Windows Server 2008 R2 with a simulated Internet, intranet, and home network.
Copyright Information
This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2010 Microsoft Corporation. All rights reserved.
Date of last update: August 25, 2010
Microsoft, Windows, Active Directory, Internet Explorer, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.
Contents
Introduction
In this guide
Test lab overview
Hardware and software requirements
Steps for Configuring the DirectAccess Test Lab
    Step 1: Set up the Base Configuration Test Lab
    Step 2: Configure DC1
        Create a DNS record
        Create a security group for DirectAccess client computers
        Configure permissions of the Web Server certificate template
        Create and enable firewall rules for ICMPv6 traffic
        Remove ISATAP from the DNS global block list
        Configure CRL distribution settings
    Step 3: Configure EDGE1
        Install the Web Server (IIS) role
        Create a Web-based CRL distribution point
        Configure permissions on the CRL distribution point file share
        Publish the CRL on EDGE1
        Obtain an additional certificate on EDGE1
    Step 4: Configure APP1
        Obtain an additional certificate on APP1
        Configure the HTTPS security binding
    Step 5: Configure INET1
        Create a DNS record
    Step 6: Add and Configure NAT1
        Install the operating system on NAT1
        Configure Network Connections properties
        Configure Internet Connection Sharing
    Step 7: Configure CLIENT1
        Test access to the network location server
    Step 8: Configure DirectAccess
        Install the DirectAccess feature on EDGE1
        Run the DirectAccess Setup wizard on EDGE1
        Update IPv6 settings on APP1
        Update IPv6 settings on DC1
        Update Group Policy and IPv6 settings on CLIENT1
        Verify ISATAP-based connectivity
    Step 9: Verify DirectAccess Functionality for CLIENT1 when Connected to the Internet Subnet
        Connect CLIENT1 to the Internet subnet
        Verify connectivity to Internet resources
        Verify intranet access to Web and shared folder resources on APP1
        Examine the CLIENT1 IPv6 configuration
    Step 10: Verify DirectAccess Functionality for CLIENT1 when Connected to the Homenet Subnet
        Connect CLIENT1 to the Homenet subnet
        Verify connectivity to Internet resources
        Verify intranet access to Web and shared folder resources on APP1
        Examine the CLIENT1 IPv6 configuration
        Disable Teredo connectivity on CLIENT1
        Verify intranet access to Web and file share resources on APP1
        Enable Teredo connectivity on CLIENT1
        Connect CLIENT1 to the Corpnet subnet
Snapshot the Configuration
Additional Resources
Introduction
DirectAccess is a new feature in the Windows® 7 and Windows Server® 2008 R2 operating systems that gives users the experience of being seamlessly connected to their intranet any time they have Internet access. With DirectAccess enabled, requests for intranet resources (such as e-mail servers, shared folders, or intranet Web sites) are securely directed to the intranet, without requiring users to connect to a VPN. DirectAccess provides increased productivity for a mobile workforce by offering the same connectivity experience both inside and outside the office.
IT professionals can benefit from DirectAccess in many ways:
· Improved Manageability of Remote Users. Without DirectAccess, IT professionals can only manage mobile computers when users connect to a VPN or physically enter the office. With DirectAccess, IT professionals can manage mobile computers by updating Group Policy settings and distributing software updates any time the mobile computer has Internet connectivity, even if the user is not logged on. This flexibility allows IT professionals to manage remote computers on a regular basis and ensures that mobile users stay up-to-date with security and system health policies.
· Secure and Flexible Network Infrastructure. Taking advantage of technologies such as Internet Protocol version 6 (IPv6) and Internet Protocol security (IPsec), DirectAccess provides secure and flexible network infrastructure for enterprises. Below is a list of DirectAccess security and performance capabilities:
    · Authentication. DirectAccess authenticates the computer, enabling the computer to connect to the intranet before the user logs on. DirectAccess can also authenticate the user and supports two-factor authentication using smart cards.
    · Encryption. DirectAccess uses IPsec to provide encryption for communications across the Internet.
    · Access Control. IT professionals can configure which intranet resources different users can access using DirectAccess, granting DirectAccess users unlimited access to the intranet or only allowing them to use specific applications and access specific servers or subnets.
· IT Simplification and Cost Reduction. By default, DirectAccess separates intranet from Internet traffic, which reduces unnecessary traffic on the intranet by sending only traffic destined for the intranet through the DirectAccess server. Optionally, IT can configure DirectAccess clients to send all traffic through the DirectAccess server.
The following figure shows a DirectAccess client on the Internet.
In this guide
This document contains instructions for configuring and demonstrating DirectAccess using four server computers and two client computers. The starting point for this document is a test lab based on the “Steps for Configuring the Corpnet Subnet” and “Steps for Configuring the Internet Subnet” sections of the Test Lab Guide: Base Configuration. The resulting DirectAccess test lab simulates an intranet, the Internet, and a home network and demonstrates DirectAccess functionality in different Internet connection scenarios.
Important
The following instructions are for configuring a DirectAccess test lab using the minimum number of computers. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. This configuration is neither designed to reflect best practices nor does it reflect a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed only to work on a separate test lab network.
Attempting to adapt this DirectAccess test lab configuration to a pilot or production deployment can result in configuration or functionality issues. For example, in this test lab configuration, you configure the DirectAccess server with static IPv4 addresses but no default gateways. In a pilot or production deployment on your intranet, you must configure a default gateway only on the Internet interface and static routes on the intranet interface. To ensure proper configuration and operation for your pilot or production DirectAccess deployment, use the information in the DirectAccess Design Guide for planning and design decisions and the DirectAccess Deployment Guide for the steps to configure the DirectAccess server and supporting infrastructure servers.
Test lab overview
In this test lab, DirectAccess is deployed with:
· One computer running Windows Server 2008 R2 Enterprise Edition named DC1 that is configured as an intranet domain controller, Domain Name System (DNS) server, Dynamic Host Configuration Protocol (DHCP) server, and an enterprise root certification authority (CA).
· One intranet member server running Windows Server 2008 R2 Enterprise Edition named APP1 that is configured as a general application server and network location server.
· One intranet member server running Windows Server 2008 R2 Enterprise Edition named EDGE1 that is configured as the DirectAccess server.
· One standalone server running Windows Server 2008 R2 Enterprise Edition named INET1 that is configured as an Internet DNS server, DHCP server, and web server.
· One standalone client computer running Windows 7 Ultimate Edition named NAT1 that is configured as a network address translator (NAT) device using Internet Connection Sharing.
· One roaming member client computer running Windows 7 Ultimate Edition named CLIENT1 that is configured as a DirectAccess client.
The DirectAccess test lab consists of three subnets that simulate the following:
· The Internet (131.107.0.0/24).
· A home network named Homenet (192.168.137.0/24) connected to the Internet by a NAT.
· An intranet named Corpnet (10.0.0.0/24) separated from the Internet by the DirectAccess server.
Computers on each subnet connect using a hub, switch, or virtual switch. See the following figure.
CLIENT1 initially connects to the Corpnet subnet. After EDGE1 is configured as a DirectAccess server and CLIENT1 is updated with the associated Group Policy settings, CLIENT1 connects to the Internet subnet and the Homenet subnet and tests DirectAccess connectivity to intranet resources on the Corpnet subnet.
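As CLIENT1 moves between the three subnets, the IPv6 address it holds reveals which IPv6 transition technology is in use and where it is attached: ISATAP addresses embed an intranet IPv4 address, 6to4 addresses embed a public IPv4 address, and Teredo addresses embed the public side of the NAT the client sits behind. The following Python is an added example, not part of the Microsoft guide; it assumes only the three subnet prefixes listed above, and the inference that a Teredo client is on Homenet relies on NAT1 being the lab's only NAT. All sample addresses in the test are constructed.

```python
"""Decode the IPv6 transition addresses a DirectAccess client may hold.

Added example; not part of the Microsoft guide. The three lab subnets are the
ones the guide lists. All sample addresses are constructed from them.
"""
import ipaddress

LAB_SUBNETS = {
    "Internet": ipaddress.ip_network("131.107.0.0/24"),
    "Homenet": ipaddress.ip_network("192.168.137.0/24"),
    "Corpnet": ipaddress.ip_network("10.0.0.0/24"),
}
TEREDO = ipaddress.ip_network("2001::/32")
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")
# ISATAP interface IDs: 0000:5EFE (private IPv4) or 0200:5EFE (public IPv4)
ISATAP_IIDS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")


def lab_subnet(v4):
    """Name the lab subnet that holds an IPv4 address, or None."""
    return next((n for n, net in LAB_SUBNETS.items() if v4 in net), None)


def classify(text):
    """Return the transition technology, the embedded IPv4 address (and the
    mapped UDP port for Teredo), and the lab subnet the client is on."""
    addr = ipaddress.IPv6Address(text)
    p = addr.packed
    if addr in TEREDO:
        # Bytes 12-15 hold the NAT's public IPv4 and bytes 10-11 the mapped
        # UDP port, both with every bit inverted (RFC 4380 obfuscation).
        nat_ip = ipaddress.IPv4Address(bytes(b ^ 0xFF for b in p[12:16]))
        port = int.from_bytes(p[10:12], "big") ^ 0xFFFF
        # Teredo implies a NAT in the path; in this lab that is NAT1, whose
        # public side is on the Internet subnet and whose clients are on Homenet.
        where = "Homenet" if lab_subnet(nat_ip) == "Internet" else None
        return {"tech": "Teredo", "ipv4": nat_ip, "port": port, "subnet": where}
    if p[8:12] in ISATAP_IIDS:
        # ISATAP carries the intranet IPv4 in the low 32 bits, under either
        # the link-local prefix or the DirectAccess server's ISATAP /64.
        v4 = ipaddress.IPv4Address(p[12:16])
        return {"tech": "ISATAP", "ipv4": v4, "subnet": lab_subnet(v4)}
    if addr in SIX_TO_FOUR:
        # 6to4: 2002:WWXX:YYZZ::/48 embeds the public IPv4 W.X.Y.Z.
        v4 = ipaddress.IPv4Address(p[2:6])
        return {"tech": "6to4", "ipv4": v4, "subnet": lab_subnet(v4)}
    # No embedded IPv4: native IPv6, or an IP-HTTPS address from the server.
    return {"tech": "native/IP-HTTPS", "ipv4": None, "subnet": None}
```

The ISATAP check runs before the 6to4 check on purpose: an intranet ISATAP address may sit under a 6to4-derived organization prefix, and the embedded intranet IPv4 is the more useful fact in that case.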
Hardware and software requirements
The following are required components of this test lab:
· The product disc or files for Windows Server 2008 R2 Enterprise Edition.
· The product disc or files for Windows 7 Ultimate Edition...