
Add DirectAccess to an Existing Remote Access (VPN) Deployment

Published: August 2012

Last updated: August 2012

Applies to: Windows Server 2012

Windows Server 2012 combines DirectAccess and Routing and Remote Access Service (RRAS) VPN into a single Remote Access role. This topic provides an introduction to the Remote Access Enable DirectAccess Wizard, which is used to set up a single Remote Access server with recommended settings after you have already set up VPN.

In this scenario a single computer running Windows Server 2012 is configured as a Remote Access server with recommended settings after you have already installed and configured VPN. If you want to configure Remote Access with enterprise features such as a load-balanced cluster, multisite deployment, or two-factor client authentication, complete the scenario described in this topic to set up a single server, and then set up the required enterprise scenario using Deploy Remote Access in an Enterprise.

To set up a Remote Access single server, a number of planning and deployment steps are required.

Planning is divided into two phases:

  1. Planning for the Remote Access infrastructure—This phase describes the planning required to set up the network infrastructure before beginning the Remote Access deployment. It includes planning the network and server topology, certificate planning, DNS, Active Directory and Group Policy object (GPO) configuration, and the DirectAccess network location server.

  2. Planning for the Remote Access deployment—This phase describes the planning steps required to prepare for the Remote Access deployment. It includes planning for Remote Access client computers, server and client authentication requirements, and infrastructure servers.

Deployment is divided into three phases:

  1. Configuring the Remote Access infrastructure—This phase includes configuring network and routing, configuring firewall settings if required, configuring certificates, DNS servers, Active Directory and GPO settings, and the DirectAccess network location server.

  2. Configuring Remote Access server settings—This phase includes steps for configuring Remote Access client computers, the Remote Access server and infrastructure servers.

  3. Verifying the deployment—This phase includes steps to verify that the deployment is working as required.
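As an added example for the verification phase (not part of the original TechNet topic), the following Windows PowerShell snippet uses the RemoteAccess module that is installed with the Remote Access role to report the DirectAccess and VPN status, the component health shown on the console dashboard, and the currently connected clients:

```powershell
# Added example, not part of the TechNet topic: post-deployment check using the
# RemoteAccess module cmdlets installed with the Remote Access role.
Import-Module RemoteAccess

# Overall state of DirectAccess and VPN on this server, and which adapter is which.
Get-RemoteAccess |
    Select-Object ComputerName, DAStatus, VpnStatus, InternetInterface, InternalInterface

# Component health as shown on the Remote Access Management console dashboard.
$health = Get-RemoteAccessHealth
$health | Select-Object Component, HealthState | Format-Table -AutoSize

# Surface anything that is not healthy so it can be investigated before go-live.
$problems = $health | Where-Object { $_.HealthState -ne 'OK' }
if ($problems) {
    Write-Warning ('Components needing attention: ' + ($problems.Component -join ', '))
}

# Connected remote clients, to confirm DirectAccess and VPN sessions are accepted.
Get-RemoteAccessConnectionStatistics | Format-Table -AutoSize
```

Run it in an elevated session on the Remote Access server after the Enable DirectAccess Wizard has completed; an empty connection list is expected until the first client GPO has been applied and a client connects from the Internet.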

Deploying a single Remote Access server provides the following:

  • Ease-of-access—Managed client computers running Windows® 8 and Windows 7 can be configured as DirectAccess client computers. These clients can access internal network resources via DirectAccess any time they are located on the Internet without needing to log in to a VPN connection. Client computers not running one of these operating systems can connect to the internal network via VPN. Both DirectAccess and VPN are managed in the same console and with the same set of wizards.

  • Ease-of-management—DirectAccess client computers located on the Internet can be remotely managed by remote access administrators over DirectAccess, even when the client computers are not located in the internal corporate network. Client computers that do not meet corporate requirements can be remediated automatically by management servers.

The following table lists the roles and features required for the scenario:

Role/feature: Remote Access role

How it supports this scenario:

The role is installed and uninstalled using the Server Manager console or Windows PowerShell. This role encompasses both DirectAccess, which was previously a feature in Windows Server 2008 R2, and Routing and Remote Access Services which was previously a role service under the Network Policy and Access Services (NPAS) server role. The Remote Access role consists of two components:

  1. DirectAccess and Routing and Remote Access Services (RRAS) VPN—DirectAccess and VPN are managed together in the Remote Access Management console.

  2. RRAS Routing—RRAS routing features are managed in the legacy Routing and Remote Access console.

The Remote Access Server Role is dependent on the following server roles/features:

  • Internet Information Services (IIS) Web Server—This feature is required to configure the network location server on the Remote Access server, and the default web probe.

  • Windows Internal Database—Used for local accounting on the Remote Access server.
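The role and its dependencies can be checked and installed from Windows PowerShell as well as from Server Manager. The following is an added example (not from the original TechNet topic) that uses the feature names Server Manager exposes on Windows Server 2012 and assumes the RRAS VPN configuration is already in place:

```powershell
# Added example, not part of the TechNet topic. Run in an elevated PowerShell
# session on the Windows Server 2012 computer that already hosts RRAS VPN.
Import-Module ServerManager

# Feature names as reported by Get-WindowsFeature: the Remote Access role, its
# DirectAccess/VPN role service, and the two dependencies listed above.
$required = 'RemoteAccess', 'DirectAccess-VPN', 'Web-Server', 'Windows-Internal-Database'

# Report what is already present before changing anything.
Get-WindowsFeature -Name $required |
    Select-Object Name, DisplayName, InstallState |
    Format-Table -AutoSize

# Install only what is missing. -IncludeManagementTools adds the Remote Access
# Management Tools feature (console plus the RemoteAccess PowerShell module).
$missing = Get-WindowsFeature -Name $required | Where-Object { -not $_.Installed }
if ($missing) {
    $result = Install-WindowsFeature -Name $missing.Name -IncludeManagementTools
    if ($result.RestartNeeded -ne 'No') {
        Write-Warning 'A restart may be required before continuing.'
    }
}
```

The same feature names work with `Uninstall-WindowsFeature`, which is how the role is removed from a server that no longer needs it.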

Role/feature: Remote Access Management Tools feature

How it supports this scenario:

This feature is installed as follows:

  • It is installed by default on a Remote Access server when the Remote Access role is installed, and supports the Remote Management console user interface and the Windows PowerShell cmdlets.

  • It can be optionally installed on a server not running the Remote Access server role. In this case it is used for remote management of a Remote Access computer running DirectAccess and VPN.

The Remote Access Management Tools feature consists of the following:

  • Remote Access GUI

  • Remote Access module for Windows PowerShell

Dependencies include:

  • Group Policy Management Console

  • RAS Connection Manager Administration Kit (CMAK)

  • Windows PowerShell 3.0

  • Graphical Management Tools and Infrastructure

Hardware requirements for this scenario include the following:

  • Server requirements:

    • A computer that meets the hardware requirements for Windows Server 2012.

    • The server must have at least one network adapter installed and enabled and joined to the internal network. When two adapters are used, there should be one adapter connected to the internal corporate network, and one connected to the external network (Internet).

    • If Teredo is required as an IPv4 to IPv6 transition protocol, the external adapter of the server requires two consecutive public IPv4 addresses. Note that the Enable DirectAccess Wizard does not enable Teredo, even if two consecutive IP addresses are present. To enable Teredo, see Bereitstellen erweiterten Fernzugriffs. If a single IP address is available, then only IP-HTTPS can be used as the transition protocol.

    • At least one domain controller. The Remote Access server and DirectAccess clients must be domain members.

    • The Enable DirectAccess Wizard requires certificates for IP-HTTPS and network location server. If SSTP VPN is already using a certificate, it is re-used for IP-HTTPS. If SSTP VPN is not configured, you can configure a certificate for IP-HTTPS or use an automatically created self-signed certificate. For the network location server, you can configure a certificate or use an automatically created self-signed certificate.

  • Client requirements:

    • A client computer must be running Windows® 8 or Windows 7. Note that only the following can be used as a DirectAccess client: Windows 7 Enterprise, Windows 7 Ultimate, Windows 8 Enterprise, Windows Server 2008 R2, or Windows Server 2012.

  • Infrastructure and management server requirements:

    • During remote management of DirectAccess client computers, clients initiate communications with management servers such as domain controllers, System Center Configuration Servers, and Health Registration Authority (HRA) servers for services that include Windows and antivirus updates and Network Access Protection (NAP) client compliance. The required servers should be deployed before beginning the Remote Access deployment.

    • If remote access requires client NAP compliance, NPS and HRA servers should be deployed before beginning the remote access deployment.

    • A DNS server running Windows Server 2008 SP2, Windows Server 2008 R2, or Windows Server 2012 is required.
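The server-side requirements above (domain membership, adapters, consecutive public IPv4 addresses for Teredo, and a usable certificate for IP-HTTPS and the network location server) can be checked before the wizard is run. The following pre-flight script is an added example, not from the original TechNet topic; the external adapter name is an assumption and must be adjusted to match the server:

```powershell
# Added example, not part of the TechNet topic: pre-flight checks for the server
# requirements of the single-server scenario.
$externalAdapter = 'External'   # assumption: name of the Internet-facing adapter

# 1. Domain membership: the Remote Access server must be a domain member.
$cs = Get-WmiObject -Class Win32_ComputerSystem
"Domain member: $($cs.PartOfDomain) ($($cs.Domain))"

# 2. Adapters: at least one enabled adapter; two when the server sits at the edge.
Get-NetAdapter | Where-Object Status -eq 'Up' |
    Select-Object Name, InterfaceDescription, MacAddress | Format-Table -AutoSize

# 3. Teredo needs two consecutive IPv4 addresses on the external adapter;
#    with a single address only IP-HTTPS can be used as the transition protocol.
$ext = Get-NetIPAddress -InterfaceAlias $externalAdapter -AddressFamily IPv4 -ErrorAction SilentlyContinue
$ints = @($ext | ForEach-Object {
    $b = [System.Net.IPAddress]::Parse($_.IPAddress).GetAddressBytes()
    [Array]::Reverse($b)                 # network byte order -> little-endian
    [BitConverter]::ToUInt32($b, 0)
} | Sort-Object)
$consecutive = $false
for ($i = 1; $i -lt $ints.Count; $i++) {
    if ($ints[$i] - $ints[$i - 1] -eq 1) { $consecutive = $true }
}
"Two consecutive IPv4 addresses on ${externalAdapter}: $consecutive"

# 4. Certificates usable for IP-HTTPS or the network location server: machine
#    store, Server Authentication EKU, private key present, not expired.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $serverAuthOid)
} | Select-Object Subject, NotAfter, Thumbprint,
    @{ Name = 'SelfSigned'; Expression = { $_.Subject -eq $_.Issuer } } |
    Format-Table -AutoSize
```

A self-signed certificate in the last list is acceptable for the wizard's defaults, but the Teredo check only confirms that the addresses are adjacent; whether they are public addresses still has to be confirmed against the address plan, and the wizard itself does not enable Teredo.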

There are a number of requirements for this scenario:

  • Server requirements:

    • The Remote Access server must be a domain member. The server can be deployed at the edge of the internal network, or behind an edge firewall or other device.

    • If the Remote Access server is located behind an edge firewall or NAT device, the device must be configured to allow traffic to and from the Remote Access server.

    • The person deploying remote access on the server requires local administrator permissions on the server, and domain user permissions. In addition, the administrator requires permissions for the GPOs used in DirectAccess deployment. To take advantage of the feature that restricts DirectAccess deployment to mobile computers only, permissions to create a WMI filter on the domain controller are required.

  • Remote access client requirements:

    • DirectAccess clients must be domain members. Domains containing clients can belong to the same forest as the Remote Access server, or have a two-way trust with the Remote Access server forest or domain.

    • An Active Directory security group is required to contain the computers that will be configured as DirectAccess clients. If a security group is not specified when configuring DirectAccess client settings, by default, the client GPO is applied on all laptop computers (that are DirectAccess capable) in the Domain Computers security group. The DirectAccess capable versions of Windows are: Windows 7 Enterprise, Windows 7 Ultimate, Windows 8 Enterprise, Windows Server 2008 R2 and Windows Server 2012.

      Note: It is recommended that you create a security group for each domain containing computers that will be configured as DirectAccess clients.
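The following Windows PowerShell snippet is an added example (not from the original TechNet topic) of creating the recommended per-domain security group, populating it, and then pointing the DirectAccess client settings at that group rather than at Domain Computers. The group and computer names are assumptions for illustration, and the Set-DAClient call is meant to be run only after the Enable DirectAccess Wizard has completed:

```powershell
# Added example, not part of the TechNet topic. Requires the Active Directory
# module (RSAT-AD-PowerShell) and the RemoteAccess module installed with the role.
Import-Module ActiveDirectory
Import-Module RemoteAccess

# Group and computer names are assumptions for illustration.
$groupName = 'DirectAccess Clients'
$clients   = 'LAPTOP01', 'LAPTOP02'

# One security group per domain containing DirectAccess clients, as the note recommends.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Description 'Computers that receive the DirectAccess client GPO'
}
Add-ADGroupMember -Identity $groupName -Members ($clients | ForEach-Object { Get-ADComputer $_ })

# After the wizard has run: target the client GPO at the group instead of Domain
# Computers, and keep the "mobile computers only" WMI filter (this needs the
# WMI-filter permissions described in the server requirements).
Set-DAClient -SecurityGroupNameList "$env:USERDOMAIN\$groupName" -OnlyRemoteComputers Enabled

# Confirm which group and GPO the client configuration now uses.
Get-DAClient | Select-Object SecurityGroupNameList, OnlyRemoteComputers, GpoName
```

Scoping the client GPO to an explicit group keeps the DirectAccess settings off servers and desktops that happen to run a DirectAccess-capable edition but were never intended to be remote clients.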

The following table provides links to additional resources.

Content type: References

  • Remote Access on TechNet: Remote Access TechCenter

  • Product evaluation: Demonstrate DirectAccess in a cluster with NLB; Demonstrate a DirectAccess multisite deployment

  • Deployment: Remote Access

  • Troubleshooting: Troubleshooting Remote Access documentation, when available.

  • Tools and settings: Remote Access PowerShell cmdlets

  • Community resources: RRAS Product Team blog | DirectAccess Wiki entries

  • Related technologies: How IPv6 works
