Configure DirectAccess Connection Security Rules for NAP

Updated: May 20, 2010

Applies To: Windows Server 2008 R2

Important

This topic describes deployment of DirectAccess in Windows Server 2008 R2. For deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Deployment Guide (https://go.microsoft.com/fwlink/?LinkId=179989).

Configuring DirectAccess with Network Access Protection (NAP) consists of the following:

  • Adding the Health Registration Authorities (HRAs) and remediation servers on your intranet to the list of management servers.

  • If you are using NAP full enforcement, configuring the intranet tunnel connection security rule on the DirectAccess server to require health certificates for authentication.

To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to change Group Policy settings. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

The following procedure uses the DirectAccess Setup Wizard to add your HRAs and remediation servers to the list of management servers.

To add HRAs and remediation servers as management servers using the DirectAccess Setup Wizard

  1. Click Start, click Run, type damgmt.msc, and then press ENTER.

  2. In the console tree, click Setup.

  3. In the details pane, click Configure for step 3.

  4. On the Location page, click Next.

  5. On the DNS and Domain Controller page, click Next.

  6. On the Management page, right-click the empty row, and then click New.

  7. In the IPv4 Address dialog box, specify either the host name or Internet Protocol version 4 (IPv4) address of the HRA or remediation server, and then click OK. In the IPv6 Address/Prefix dialog box, specify either the host name or Internet Protocol version 6 (IPv6) address or prefix of the HRA or remediation server, and then click OK.

  8. Repeat steps 6 and 7 for additional servers.

  9. Click Finish.

  10. Click Save, and then click Finish.

  11. In the DirectAccess Review dialog box, click Apply. In the DirectAccess Policy Configuration message box, click OK.

The following procedure uses Netsh.exe commands to modify the connection security rules for the management tunnel to allow DirectAccess clients to access the HRAs and remediation servers on the intranet.

Note

Before performing this procedure, you must determine the list of IPv6 addresses for the HRAs and remediation servers on your intranet.

To add HRAs and remediation servers as management servers using the Netsh.exe tool

  1. On a domain controller, start a command prompt as an administrator.

  2. From the Command Prompt window, run the netsh -c advfirewall command.

  3. From the netsh advfirewall prompt, run the set store gpo="DomainName\DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}" command, where DomainName is the name of your Active Directory domain.

    This is the Group Policy object (GPO) for DirectAccess clients. Every consec command that follows in this netsh session operates on that GPO rather than on the local firewall policy of the domain controller.

  4. From the netsh advfirewall prompt, run the consec show rule name="DirectAccess Policy-ClientToMgmt" command.

  5. From the display of the consec show rule command, note the IPv6 addresses for Endpoint2.

  6. From the netsh advfirewall prompt, run the consec set rule name="DirectAccess Policy-ClientToMgmt" new endpoint2=ExistingIPv6Addresses,ListOfAdditionalServerIPv6Addresses command, where ExistingIPv6Addresses is the comma-separated list of IPv6 addresses from step 5 and ListOfAdditionalServerIPv6Addresses is the comma-separated list of IPv6 addresses for your HRAs and remediation servers on the intranet. The new endpoint2 value replaces the existing list rather than appending to it, so any existing address that you leave out is no longer reachable through the management tunnel.

  7. From the netsh advfirewall prompt, run the set store gpo="DomainName\DirectAccess Policy-{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300}" command.

    This is the GPO for the DirectAccess server.

  8. From the netsh advfirewall prompt, run the consec set rule name="DirectAccess Policy-DaServerToMgmt" new endpoint1=ExistingIPv6Addresses,ListOfAdditionalServerIPv6Addresses command. In this rule the management servers are Endpoint1, not Endpoint2; run consec show rule name="DirectAccess Policy-DaServerToMgmt" first and confirm that its Endpoint1 list matches the addresses you noted in step 5 before you overwrite it.

The following procedure modifies the intranet tunnel connection security rule on the DirectAccess server to require the use of health certificates by DirectAccess clients. Perform this procedure only when you are using NAP full enforcement for DirectAccess connections.

To modify the connection security rule for the intranet tunnel

  1. On a domain controller, start a command prompt as an administrator.

  2. From the Command Prompt window, run the netsh -c advfirewall command.

  3. From the netsh advfirewall prompt, run the set store gpo="DomainName\DirectAccess Policy-{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300}" command.

    This is the GPO for the DirectAccess server.

  4. From the netsh advfirewall prompt, run the consec show rule name="DirectAccess Policy-DaServerToCorp" command.

  5. From the display of the consec show rule command, note the certification authority (CA) name string for Auth1CAName.

  6. From the netsh advfirewall prompt, run the consec set rule name="DirectAccess Policy-DaServerToCorp" new auth1=computercert auth1ca="CANameString" auth1healthcert=yes applyauthz=yes command, where CANameString is the CA name string that you noted in step 5. Enclose it in quotation marks if it contains spaces. Reusing the existing CA name keeps the rule chained to the same issuing CA; only the health certificate requirement is new.

Important

When you use Netsh.exe to customize connection security rules for DirectAccess, those changes are overwritten the next time you apply the settings of the DirectAccess Setup Wizard. To ensure that the custom settings are maintained, you should either no longer use the DirectAccess Setup Wizard for configuration changes or compile a list of custom changes in a script and run the script each time you apply the DirectAccess Setup Wizard settings.
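The following script is an added example for this topic, not Microsoft's own code. It replays the three Netsh.exe procedures above in one run so that they can be reapplied after each DirectAccess Setup Wizard apply, and it re-reads each rule afterward to confirm that the change took. The domain name and the HRA and remediation server IPv6 addresses are placeholders that you must replace; the GPO GUIDs, rule names and the Endpoint1, Endpoint2 and Auth1CAName field labels are the ones this topic tells you to use. The script assumes netsh -f honors set store for the rest of the same session, which is how the interactive procedures above work.

```powershell
# Added example (not from this topic or from Microsoft): re-apply the
# DirectAccess NAP customizations after a Setup Wizard apply.
# Run on a domain controller from an elevated PowerShell prompt
# (PowerShell 2.0 on Windows Server 2008 R2 is sufficient).
param(
    [string]   $DomainName    = "corp.contoso.com",                       # ASSUMPTION: placeholder domain
    [string[]] $NapServerIPv6 = @("2002:836b:2::10", "2002:836b:2::11"),  # ASSUMPTION: placeholder HRA/remediation addresses
    [switch]   $FullEnforcement                                             # also require health certificates on the intranet tunnel
)

# GPO names from this topic; the GUIDs are fixed by DirectAccess.
$ClientGpo = "$DomainName\DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}"
$ServerGpo = "$DomainName\DirectAccess Policy-{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300}"

function Invoke-NetshAdvfirewall {
    # Runs the commands in one netsh session (netsh -f), because 'set store'
    # only affects commands issued in the same session.
    param([string[]] $Commands)
    $scriptFile = [System.IO.Path]::GetTempFileName()
    try {
        @("pushd advfirewall") + $Commands + @("popd") | Set-Content -Path $scriptFile -Encoding ASCII
        $output = & netsh.exe -f $scriptFile 2>&1 | ForEach-Object { "$_" }
        if ($LASTEXITCODE -ne 0) { throw "netsh -f failed (exit $LASTEXITCODE):`n$($output -join "`n")" }
        return $output
    } finally {
        Remove-Item -Path $scriptFile -ErrorAction SilentlyContinue
    }
}

function Get-ConsecRuleField {
    # Reads one field (for example Endpoint2) of a connection security rule
    # stored in the given GPO, as shown by 'consec show rule'.
    param([string] $Gpo, [string] $RuleName, [string] $Field)
    $output = Invoke-NetshAdvfirewall @(
        "set store gpo=`"$Gpo`"",
        "consec show rule name=`"$RuleName`""
    )
    $line = $output | Where-Object { $_ -match "^$Field\s*:" } | Select-Object -First 1
    if (-not $line) { throw "Field '$Field' of rule '$RuleName' not found in '$Gpo'" }
    return ($line -replace "^$Field\s*:\s*", "").Trim()
}

function Merge-AddressList {
    # Appends the new addresses to the existing comma-separated list without
    # duplicates. Refuses an endpoint of 'Any': replacing 'Any' with a list
    # would narrow the tunnel instead of extending it.
    param([string] $Existing, [string[]] $Additional)
    if ($Existing -eq "Any") { throw "Endpoint is 'Any'; review the rule by hand before narrowing it" }
    $seen = @{}; $merged = @()
    foreach ($addr in (@($Existing -split ",") + $Additional)) {
        $a = $addr.Trim()
        if ($a -eq "" -or $seen.ContainsKey($a.ToLower())) { continue }
        $seen[$a.ToLower()] = $true
        $merged += $a
    }
    return ($merged -join ",")
}

function Set-ManagementEndpoints {
    # Extends the management tunnel rule, then re-reads it to confirm that
    # every HRA/remediation address is present after the change.
    param([string] $Gpo, [string] $RuleName, [string] $EndpointField)
    $existing = Get-ConsecRuleField $Gpo $RuleName $EndpointField
    $merged   = Merge-AddressList $existing $NapServerIPv6
    Invoke-NetshAdvfirewall @(
        "set store gpo=`"$Gpo`"",
        "consec set rule name=`"$RuleName`" new $($EndpointField.ToLower())=$merged"
    ) | Out-Null
    $after = (Get-ConsecRuleField $Gpo $RuleName $EndpointField) -split "," | ForEach-Object { $_.Trim() }
    foreach ($addr in $NapServerIPv6) {
        if ($after -notcontains $addr) { throw "$RuleName in '$Gpo': $addr missing after update" }
    }
    Write-Host "$RuleName ($EndpointField): $($after -join ',')"
}

# Management tunnel: the client GPO rule lists the servers in Endpoint2,
# the DirectAccess server GPO rule lists them in Endpoint1.
Set-ManagementEndpoints $ClientGpo "DirectAccess Policy-ClientToMgmt"   "Endpoint2"
Set-ManagementEndpoints $ServerGpo "DirectAccess Policy-DaServerToMgmt" "Endpoint1"

# Intranet tunnel (NAP full enforcement only): keep the existing CA name
# and additionally require a health certificate for auth1.
if ($FullEnforcement) {
    $rule   = "DirectAccess Policy-DaServerToCorp"
    $caName = Get-ConsecRuleField $ServerGpo $rule "Auth1CAName"
    Invoke-NetshAdvfirewall @(
        "set store gpo=`"$ServerGpo`"",
        "consec set rule name=`"$rule`" new auth1=computercert auth1ca=`"$caName`" auth1healthcert=yes applyauthz=yes"
    ) | Out-Null
    Write-Host "${rule}: auth1ca=$caName auth1healthcert=yes applyauthz=yes"
}
```

Save it as, for example, Apply-DaNapRules.ps1 and run it after each Setup Wizard apply: .\Apply-DaNapRules.ps1 -DomainName corp.example.com -NapServerIPv6 2001:db8::10,2001:db8::11 -FullEnforcement. Enter the addresses in the same compressed form that consec show rule displays, because the post-change check compares them as strings. The script throws, rather than silently narrowing the tunnel, if a management rule endpoint is still Any, and it never drops an address that was already in the rule.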
