20411B-ENU-TrainerHandbook
.pdf
Administering Windows Server® 2012 7-39
DNS settings are configured depending on the client location: |
MCT |
|
|
• For a remote client computer, the DNS servers are typically the Internet DNS servers that are |
USE |
configured through the ISP. |
|
• For a DirectAccess client on the intranet, the DNS servers are typically the intranet DNS servers that |
|
are configured through DHCP. |
Single-label names, for example, http://internal, typically have configured DNS search suffixes appended to the name before they are checked against the NRPT.
If no DNS search suffixes are configured, and if the single-label name does not match any other singlelabel name entry in the NRPT, the request is sent to the DNS servers that are specified in the client’s TCP/IP settings.
Namespaces—for example, internal.adatum.com—are entered into the NRPT, followed by the DNS servers
to which requests matching that namespace should be directed. If an IP address is entered for the DNS |
ONLY. |
||||
server, all DNS requests are sent directly to the DNS server over the DirectAccess connection; you need |
|||||
not specify any additional security for such configurations. However, if a name is specified for the DNS |
|||||
server (such as dns.adatum.com) in the NRPT, the name must be publicly resolvable when the client |
|||||
STUDENT |
|||||
queries the DNS servers specified in its TCP/IP settings. |
|||||
|
|
|
|||
The NRPT allows DirectAccess clients to use intranet DNS servers for name resolution of internal resources, |
|||||
and Internet DNS for name resolution of other resources. Dedicated DNS servers are not required for |
|
|
|||
name resolution. DirectAccess is designed to prevent the exposure of your intranet namespace to the |
|
|
|||
Internet. |
|
|
|||
Some names need to be treated differently with regards to name resolution; these names should not be |
|||||
resolved by using intranet DNS servers. To ensure that these names are resolved with the DNS servers |
|
|
|||
specified in the client’s TCP/IP settings, you must add them as NRPT exemptions. |
|
|
|||
NRPT is controlled through Group Policy. When the computer is configured to use NRPT, the name |
|
|
|||
resolution mechanism uses the following in order: |
|
|
|||
• The local name cache |
|
|
|||
• |
The hosts file |
|
|
||
• |
NRPT |
|
|
||
Then the name resolution mechanism finally sends the query to the DNS servers that are specified in the |
|||||
TCP/IP settings. |
USE |
||||
How DirectAccess Works for Internal Clients |
|
|
|||
An NLS is an internal network server that hosts |
|
|
|
||
|
|
PROHIBITED |
|||
an HTTPS-based URL. DirectAccess clients try to |
|
|
|||
access a NLS URL to determine if they are located |
|
|
|||
on the intranet or on a public network. The |
|
|
|||
DirectAccess server can also be the NLS. In some |
|
|
|||
organizations where DirectAccess is a business- |
|
|
|||
critical service, the NLS should be highly available. |
|
|
|||
Generally, the web server on the NLS does not |
|
|
|||
have to be dedicated to just supporting |
|
|
|||
DirectAccess clients. |
|
|
|||
|
|
|
|
||
|
|
|
|
|
|
7-40 MCT
2. The DirectAccess client accesses the HTTPS-based URL of the NLS, during which process it obtains theUSEONLY certificate of the NLS.
3. Based on the CRL distribution points field of the NLS certificate, the DirectAccess client checks the
.
CRL revocation files in the CRL distribution point to determine if the NLS certificate has been revoked.
By design, the DirectAccess Connection Security tunnel rules are scoped for the public and private firewallSTUDENTUSE profiles, and they are disabled from the list of active connection security rules.
PROHIBITED
|
|
Administering Windows Server® 2012 |
|
MCT |
||
|
|
7-41 |
|
|||
How DirectAccess Works for External Clients |
|
|
|
|
||
When a DirectAccess client starts, the DirectAccess |
|
|
|
USE |
||
|
|
|
||||
client tries to reach the URL address specified for |
|
|
|
|||
NLS, and assumes that it is not connected to the |
|
|
|
|||
|
|
|
|
|
||
intranet because it cannot communicate with NLS. |
|
|
|
|
|
|
Instead, the DirectAccess client starts to use NRPT |
|
|
|
|
|
|
and connection security rules. The NRPT has |
|
|
|
|
|
|
DirectAccess–based rules for name resolution, and |
|
|
|
.ONLY |
||
connection security rules define DirectAccess |
|
|
|
|||
|
|
|
|
|
||
IPsec tunnels for communication with intranet |
|
|
|
|
|
|
resources. Internet-connected DirectAccess clients |
|
|
|
|
|
|
use the following high-level steps to connect to |
|
|
|
|
|
|
intranet resources: |
|
|
|
|
|
|
|
|
|
|
|
||
• |
The DirectAccess client first attempts to access the NLS. |
|
|
|
|
|
• |
Then, the client attempts to locate a domain controller. |
|
STUDENT |
|||
3. |
Because the NLS is not found on the same network on which the DirectAccess client is currently |
|
||||
• |
Finally, the client attempts to access intranet resources, and then Internet resources. |
|
|
|
|
|
1. |
The client tries to resolve the FQDN of the NLS URL. Because the FQDN of the NLS URL corresponds |
|||||
|
to an exemption rule in the NRPT, the DirectAccess client does not send the DNS query to a locally |
|
|
|
||
|
configured (Internet-based) DNS server. An external Internet-based DNS server would not be able to |
|||||
|
resolve the name. |
|
|
|
|
|
2. |
The DirectAccess client processes the name resolution request as defined in the DirectAccess |
|
|
|
|
|
|
exemption rules in the NRPT. |
|
|
|
|
|
|
located, the DirectAccess client applies a public or private firewall network profile to the attached |
|
USE |
|||
|
network. |
|
||||
4. |
The Connection Security tunnel rules for DirectAccess, scoped for the public and private profiles, |
|
||||
|
provide the public or private firewall network profile. |
|
||||
The DirectAccess client uses a combination of NRPT rules and connection security rules to locate and |
|
|||||
access intranet resources across the Internet through the DirectAccess server.
1.The DNS name for the domain controller matches the intranet namespace rule in the NRPT, which PROHIBITED specifies the IPv6 address of the intranet DNS server. The DNS client service constructs the DNS name
query that is addressed to the IPv6 address of the intranet DNS server, and then forwards it to the DirectAccess client’s TCP/IP stack for sending.
2.Before sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall outgoing rules or connection security rules for the packet.
7-42 Configuring and Troubleshooting Remote Access |
MCT |
|||
|
|
|||
|
|
|
|
|
3. Because the destination IPv6 address in the DNS name query matches a connection security rule |
|
|
||
|
|
that corresponds with the infrastructure tunnel, the DirectAccess client uses Authenticated IP (AuthIP) |
|
|
|
|
and IPsec to negotiate and authenticate an encrypted IPsec tunnel to the DirectAccess server. The |
USE |
|
|
|
DirectAccess client (both the computer and the user) authenticates itself with its installed computer |
||
|
|
certificate and its Microsoft Windows NT® LAN Manager (NTLM) credentials, respectively. |
||
|
|
|
|
|
|
|
Note: AuthIP enhances authentication in IPsec by adding support for user-based |
|
|
|
|
|
|
|
authentication with Kerberos v5 or SSL certificates. AuthIP also supports efficient protocol |
|
|
||
4.The DirectAccess client sends the DNS name query through the IPsec infrastructure tunnel to the ONLY DirectAccess server.
5.The DirectAccess server forwards the DNS name query to the intranet DNS server. The DNS name
query response is sent back to the DirectAccess server, and then back through the IPsec infrastructure tunnel to the DirectAccess client. .negotiation and usage of multiple sets of credentials for authentication.
Subsequent domain logon traffic goes through the IPsec infrastructure tunnel. When the user on the |
STUDENT |
||
DirectAccess client logs on, the domain logon traffic goes through the IPsec infrastructure tunnel. |
|||
|
|||
DirectAccess Client Attempts to Access Intranet Resources |
|
||
The first time that the DirectAccess client sends traffic to an intranet location that is not on the list of |
|
||
destinations for the infrastructure tunnel (such as an internal website), the following process occurs: |
|
||
1. |
The application or process that attempts to communicate constructs a message or payload, and then |
|
|
|
hands it off to the TCP/IP stack for sending. |
|
|
2. |
Before sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall |
|
|
|
outgoing rules or connection security rules for the packet. |
|
|
3. |
Because the destination IPv6 address matches the connection security rule that corresponds with the |
|
|
|
intranet tunnel (which specifies the IPv6 address space of the entire intranet), the DirectAccess client |
USE |
|
|
uses AuthIP and IPsec to negotiate and authenticate an additional IPsec tunnel to the DirectAccess |
||
|
server. The DirectAccess client authenticates itself with its installed computer certificate and the user |
||
|
|
||
|
account’s Kerberos credentials. |
|
|
4. |
The DirectAccess client sends the packet through the intranet tunnel to the DirectAccess server. |
|
|
5. |
The DirectAccess server forwards the packet to the intranet resources. The response is sent back to |
PROHIBITED |
|
|
the DirectAccess server and back through the intranet tunnel to the DirectAccess client. |
||
|
|
||
Any subsequent intranet access traffic that does not match an intranet destination in the infrastructure |
|
||
tunnel connection security rule goes through the intranet tunnel. |
|
||
DirectAccess Client Attempts To Access Internet Resources |
|
||
When the user or a process on the DirectAccess client attempts to access an Internet resource (such as an |
|
||
Internet web server), the following process occurs: |
|
||
1. |
The DNS client service passes the DNS name for the Internet resource through the NRPT. There are |
|
|
|
no matches. The DNS client service constructs the DNS name query that is addressed to the IP |
|
|
|
address of an interface-configured Internet DNS server, and hands it off to the TCP/IP stack for |
|
|
|
sending. |
|
|
2. |
Before sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall |
|
|
|
outgoing rules or connection security rules for the packet. |
|
|
|
|
Administering Windows Server® 2012 7-43 |
|||
3. |
Because the destination IP address in the DNS name query does not match the connection security |
MCT |
|||
|
|
|
|||
|
rules for the tunnels to the DirectAccess server, the DirectAccess client sends the DNS name query |
|
|
|
|
|
normally. |
USE |
|||
4. |
The Internet DNS server responds with the IP address of the Internet resource. |
||||
5. |
The user application or process constructs the first packet to send to the Internet resource. Before |
||||
|
sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall outgoing |
||||
|
rules or connection security rules for the packet. |
||||
|
|
|
|||
6. |
Because the destination IP address in the DNS name query does not match the connection security |
|
|
|
|
|
rules for the tunnels to the DirectAccess server, the DirectAccess client sends the packet normally. |
|
|
|
|
Any subsequent Internet resource traffic that does not match a destination in either the infrastructure |
|
|
|
||
Internet tunnel or connection security rules is sent and received normally. |
|
|
|
||
Like the connection process, accessing the domain controller and intranet resources is also a very similar |
|||||
process, because both of these processes are using NRPT tables to locate appropriate DNS server to |
.ONLY |
||||
resolve the name queries. The difference is the IPsec tunnel that is established between the client and |
|||||
|
|
|
|||
DirectAccess server. When accessing the domain controller, all the DNS queries are sent through the IPsec |
|||||
infrastructure tunnel, and when accessing intranet resources, a second IPsec (intranet) tunnel is |
|
|
|
||
established. |
|
|
|
||
Prerequisites for Implementing DirectAccess |
|
|
|
||
|
|
|
|
|
|
Requirements for DirectAccess Server |
|
|
STUDENT |
||
To deploy DirectAccess, you need to ensure that |
|
|
|||
your server meets the following hardware and |
|
|
|||
network requirements: |
|
|
|||
• |
The server must be joined to an AD DS |
|
|
||
|
|
USE |
|||
|
domain. |
|
|
||
• |
The server must have Windows Server 2012 or |
|
|
||
|
Windows Server 2008 R2 operating system |
|
|
||
|
installed. |
|
|
||
• |
|
|
|
||
The Windows Server 2012 that will be |
|
|
|
|
|
|
installed as the DirectAccess server can have a single network adapter installed, which is connected to |
||||
|
the intranet and published over Microsoft Forefront Threat Management Gateway (TMG) 2010 or |
PROHIBITED |
|||
|
|
|
|||
|
Microsoft Forefront Unified Access Gateway (UAG) 2010 for Internet connection. In the deployment |
||||
|
scenario where DirectAccess is installed on an Edge server, it needs to have two network adapters: |
|
|
|
|
|
one that is connected to the internal network, and one that is connected to the external network. An |
||||
|
edge server is any server that resides on the edge between two or more networks, typically a private |
||||
|
network and Internet. |
|
|
|
|
• |
Implementation of DirectAccess in Windows Server 2012 does not require two consecutive static, |
|
|
|
|
|
public IPv4 addresses be assigned to the network adapter. |
|
|
|
|
• |
You can circumnavigate the need for an additional public address by deploying Windows Server 2012 |
||||
|
DirectAccess behind a NAT device, with support for a single or multiple interfaces. In this |
|
|
|
|
configuration, only IP over HTTPS (IP-HTTPS) is deployed, which allows a secure IP tunnel to be established using a secure HTTP connection.
Administering Windows Server® 2012 7-45
Configuring DirectAccess |
MCT |
|||
To configure DirectAccess, perform the |
|
|||
|
|
USE |
||
following steps: |
|
|
||
1. Configure AD DS and DNS requirements: |
|
|
||
o Create a security group in AD DS, and |
|
|
||
add all client computer accounts that will |
|
|
||
be accessing the intranet through |
|
|
||
|
|
|
||
DirectAccess. |
|
|
|
|
o Configure both internal and external DNS |
|
|
|
|
servers with appropriate host names and |
|
|
|
|
IP addresses. |
|
|
|
|
|
|
|
|
|
2. Configure the PKI environment: |
|
|
||
o Add and configure the Certificate Authority server role, create the certificate template and CRL.ONLY |
||||
distribution point, publish the CRL list, and distribute the computer certificates. This is not needed |
||||
if you launch the setup from the Getting Started Wizard. |
STUDENT |
|||
3. Configure the DirectAccess server: |
||||
o Install Windows Server 2012 on a server computer with one or two physical network adapters |
||||
(depending on the DirectAccess design scenario). |
||||
o Join the DirectAccess server to an Active Directory domain. |
||||
o Install the Remote Access role, and configure the DirectAccess server so that it is one of the |
||||
following: |
||||
The DirectAccess server is on the perimeter network with one network adapter that is |
||||
connected to the perimeter network, and at least one other network adapter that is |
||||
connected to the intranet. In this deployment scenario, the DirectAccess server is placed |
||||
between a front-end firewall and back-end firewall. |
||||
USE |
||||
|
|
|||
The DirectAccess server is published by using TMG, UAG, or other third-party firewalls. In this deployment scenario, DirectAccess is placed behind a front-end firewall and it has one network adapter connected to internal network.
The DirectAccess server is installed on an edge server (typically front end firewall) with one network adapter that is connected to the Internet, and at least one other network adapter that is connected to the intranet.
An alternative design is that the DirectAccess server has only one network interface, not two. For this design, perform the following steps:
oVerify that the ports and protocols that are needed for DirectAccess and ICMP Echo Request are enabled in the firewall exceptions and opened on the perimeter and Internet-facing firewalls.
o |
externally-facing DNS server. |
PROHIBITED |
The DirectAccess server in simplified implementation can use a single public IP address in |
|
|
|
combination with Kerberos Proxy services for client authentication against domain controllers. |
|
|
For two-factor authentication and integration with NAP, you need to configure at least two |
|
|
consecutive public, static IPv4 addresses that are externally resolvable through DNS. Ensure that |
|
|
you have an IPv4 address available, and that you have the ability to publish that address in your |
|
oIf you have disabled IPv6 on clients and servers, you must re-enable IPv6, because it is required for DirectAccess.
Administering Windows Server® 2012 7-47
Lab B: Configuring DirectAccess |
MCT |
|
Scenario |
||
USE |
||
Because A. Datum Corporation has expanded, many of the employees are now frequently out of the |
||
office, either working from home or traveling. A. Datum wants to implement a remote access solution |
||
|
for its employees so they can connect to the corporate network while they are away from the office. Although the VPN solution that you implemented provides a high level of security, business management is concerned about the complexity of the environment for end users. In addition, IT management is concerned that they are not able to manage the remote clients effectively. To address these issues, A.
As a senior network administrator, you are required to deploy and validate the DirectAccess deployment. You will configure the DirectAccess environment, and validate that the client computers can connect to the internal network when operating remotely.
Datum has decided to implement DirectAccess on client computers that are running Windows 8. ONLY
.
• |
|
USESTUDENT |
|
Configure the server infrastructure to deploy DirectAccess. |
|||
• Configure the DirectAccess clients. |
|||
• |
Validate the DirectAccess implementation. |
||
|
|
|
|
|
|
|
|
|
|
|
|
1.On the host computer, click Start, point to Administrative Tools, and then click Hyper-V ManagerPROHIBITED.
2.In Hyper-V® Manager, click 20411B-LON-DC1, and in the Actions pane, click Start.
3.In the Actions pane, click Connect. Wait until the virtual machine starts.
4.Sign in using the following credentials: o User name: Adatum\Administrator o Password: Pa$$w0rd
5.Perform steps 2 through 4 for 20411B-LON-SVR1 and 20411B-LON-RTR.
6.Do not start 20411B-LON-CL1 until directed to do so.
