Export (0) Print
Expand All

Step 1: Configure DC1

Published: January 11, 2010

Updated: April 8, 2010

Applies To: Unified Access Gateway

DC1 acts as the domain controller, network location server (NLS), Certificate server, DNS server, File Server and DHCP server for the corp.contoso.com domain. The following steps prepare DC1 to carry out these roles to support a working DirectAccess solution:

DC1 configuration consists of the following steps:

  1. A. Install the operating system on DC1—The first step is to install the Windows Server 2008 R2 operating system on the corp.contoso.com domain’s domain controller, DC1.

  2. B. Configure TCP/IP Properties on DC1—After installing the operating system on DC1, configure the TCP/IP Properties to provide the server an IP address, subnet mask, DNS server address and connection specific DNS suffix.

  3. C. Rename DC1—Change the default name of the computer assigned during setup to DC1.

  4. D. Configure DC1 as a domain controller and DNS server—DC1 is the domain controller and the authoritative DNS server for the corp.contoso.com domain. The domain controller and DNS server is required as part of the DirectAccess solution.

  5. E. Create a Reverse Lookup Zone on the DC1 DNS Server—A reverse lookup zone for network ID 10.0.0.0/24 is required to create a pointer record for DC1. The pointer record allows reverse name resolution for DC1, and prevents name resolution errors during DNS related configuration steps. The reverse lookup zone is not required for a functional DirectAccess solution.

  6. F. Enter a Pointer Record for DC1—A pointer record for DC1 will allow services to perform reverse name resolution for DC1. This is when performing DNS related operations. It is not required for a functional DirectAccess solution.

  7. G. Enable ISATAP Name Resolution on the DC1 DNS Server—By default, the Windows Server 2008 R2 DNS server will not answer queries for the ISATAP and WPAD host names. The DNS server is configured so that it will answer queries for ISATAP.

  8. H. Create DNS Records for NLS and ISATAP on DC1—The DirectAccess client uses a network location server to determine if the computer is on or off the corporate network. If it is on the corporate network, the DirectAccess can connect to the network location server using an HTTPS connection. A DNS record is required to resolve the name of the network location server. In addition, a DNS record for ISATAP is required so that ISATAP capable hosts on the network can obtain IPv6 addressing and routing information.

  9. I. Configure DC1 as a DHCP and Certificate Server—DC1 is configured as a DHCP server so that CLIENT1 can automatically obtain IP addressing information when connected to the corpnet. Certificate Services are installed on DC1 so that computer certificates can be automatically assigned to all members of the CORP domain. Certificates are used for IPsec communications, as well as Web site certificates, which are used by the network location server and the Forefront UAG DirectAccess server’s IP-HTTPS listener. Certificates are required by the DirectAccess solution; however, you can use either or both commercial or private certificates as part of the DirectAccess solution. DHCP is not required to support a DirectAccess solution.

  10. J. Create a New Administrator Account in Active Directory on DC1—As a network management best practice, the default domain administrator account should not be used for routine network operations. For this reason, a new domain administrator account is created and used when making configuration changes. Using an alternate domain admin account is not required for a functional DirectAccess solution.

  11. K. Create a Security Group for DirectAccess Clients on DC1—When DirectAccess is configured on the UAG DirectAccess server, it automatically creates Group Policy objects and GPO settings that are applied to DirectAccess clients and servers. The DirectAccess client GPO uses security group filtering to assign the GPO settings to a designated DirectAccess security group. The is populated with the computer accounts of DirectAccess client computers. This is a required component of a DirectAccess solution.

  12. L. Create and Deploy a Security Template for the IP-HTTPS Listener Certificate and Network Location Server Certificate—A Web site certificate is required for the network location server so that computers can use HTTPS to connect to it when they are on the corporate network. The UAG DirectAccess server uses a Web site certificate on its IP-HTTPS listener, so that it can accept incoming connections from DirectAccess clients that are behind network devices that limit outbound connections to only HTTP/HTTPS. A Web site certificate template is created and used for certificate requests to the Microsoft Certificate Server installed on DC1. A Web site certificate bound to the UAG DirectAccess server’s IP-HTTPS is a required component of a working DirectAccess solution.

  13. M. Create ICMPv4 and ICMPv6 Echo Request firewall rules in Domain Group Policy on DC1—ICMP v4 and v6 echo requests inbound and outbound are required for Teredo support. Firewall Rules are configured using the Windows Firewall with Advanced Security GPO snap-in to distribute the configuration.

  14. N. Enable computer certificate autoenrollment in Group Policy for the CORP Domain on DC1—DirectAccess clients use computer certificates to establish IPsec connections to the UAG DirectAccess server. In addition, in an end to end scenario, IPsec is also used to connect the DirectAccess client to the destination resource server. Computer certificates are required for a working DirectAccess solution.

  15. O. Remove CRL Distribution Settings on the Certificate Authority on DC1—When IP-HTTPS clients connect to the UAG DirectAccess server, a certificate revocation check is performed by the client. If the CRL check fails or if the CRL is unavailable, the IP-HTTPS connection will fail. The Certificate Server is configured to remove CRL distribution settings so that the CRL check will not fail. In a production environment, DirectAccess requires access to the CRL from clients situated on the Internet.

  16. P. Create a Shared Folder on the C:\ Drive on DC1—A shared folder is created on the C:\drive of DC1 to test SMB connectivity for DirectAccess clients to a resource on the CORP domain.

The following sections explain these steps in detail.

The first step is to install the Windows Server 2008 R2 Enterprise Edition software on DC1. Windows Server 2008 R2 is required by UAG 2010. UAG 2010 can be installed on either Windows Server 2008 R2 Standard or Enterprise Edition. Enterprise Edition supports the installation of an Enterprise Certification Authority, which enables autoenrollment of the CA certificate to all domain members thereby reducing administrative overhead.

To install the operating system on DC1

  1. On DC1, start the installation of Windows Server 2008 R2 Enterprise Edition.

  2. Follow the instructions to complete the installation, specifying Windows Server 2008 R2 Enterprise Edition and a strong password for the local Administrator account. Log on using the local Administrator account.

  3. Connect the network adapter to the corpnet subnet or the virtual switch representing the corpnet subnet.

After installing the operating system on DC1, configure its TCP/IP Properties to provide the server an IP address, subnet mask, DNS server address and connection specific suffix.

noteNote:
The connection specific suffix is not required for a working DirectAccess solution, but simplifies name resolution prior to completing the DNS infrastructure in the POC lab environment.

To configure TCP/IP on DC1

  1. On DC1, in Initial Configuration Tasks, click Configure networking.

  2. In Network Connections, right-click Local Area Connection, and then click Properties.

  3. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

  4. Select Use the following IP address, enter 10.0.0.1 next to IP address, and enter 255.255.255.0 next to Subnet mask.

  5. Select the Use the following DNS server addresses option. Enter 10.0.0.1in the Preferred DNS server box.

  6. Click Advanced, and then click the DNS tab.

  7. In DNS suffix for this connection, enter corp.contoso.com, click OK two times, and then click Close.

    noteNote:
    Configuring a DNS suffix is not required for DirectAccess to work correctly, but it is used to simplify name resolution.

  8. Close the Network Connections window.

The installation routine created a default computer name. Now you need to rename the computer or virtual machine to DC1.

To rename DC1

  1. On DC1, in Initial Configuration Tasks, click Provide computer name and domain.

  2. In the System Properties dialog box, click Change. In the Computer Name/Domain Change dialog box, in the Computer name text box, enter DC1, and click OK two times, and then click Close. When prompted to restart the computer, click Restart Now.

  3. After restarting, log in using the local administrator account.

DC1 is the domain controller and authoritative DNS server for the CORP (corp.contoso.com) domain. The domain controller and DNS server roles are required for the DirectAccess solution.

To configure DC1 as a domain controller and DNS server

  1. On DC1, on the Initial Configuration Tasks page, click the Add Roles link.

  2. Click Next on the Before You Begin page.

  3. On the Select Server Roles page, click Active Directory Domain Services, click Add Required Features, click Next on the Introduction to the Active Directory Domain Services page, and then click Install on the Confirm Installation Selections page. Click Close on the Installation Results page.

  4. To start the Active Directory Installation Wizard, click Start, enter dcpromo in the Search box, and then press ENTER.

  5. On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next.

  6. On the Operating System Compatibility page, click Next.

  7. On the Choose a Deployment Configuration page, click Create a new domain in a new forest, and then click Next.

  8. On the Name the Forest Root Domain page, enter corp.contoso.com, and then click Next.

  9. On the Set Forest Functional Level page, in Forest Functional Level, click Windows Server 2008 R2, and then click Next.

    noteNote:
    Windows Server 2008 R2 Forest Functional Level is not required for the DirectAccess solution. You can use any of the available Forest Functional Levels.

  10. On the Additional Domain Controller Options page, ensure that the DNS Server option is selected and click Next, click Yes in the Active Directory Domain Service Installation Wizard dialog box, and then on the Location for Database, Log Files, and SYSVOL page, click Next.

  11. On the Directory Services Restore Mode Administrator Password page, enter a strong password two times, and then click Next.

  12. On the Summary page, click Next.

  13. In the Active Directory Domain Services Installation Wizard dialog box, select the Reboot on completion check box.

  14. Log on to DC1 as Administrator after the server automatically restarts.

A reverse lookup zone on DC1 for network ID 10.0.0.0/24 is required to create a pointer record for DC1. The pointer record will allow reverse name resolution for DC1, which will prevent name resolution errors during several DNS related configuration steps. The reverse lookup zone is not required for a functional DirectAccess solution and is used as a convenience in this lab.

To Create a Reverse Lookup Zone on the DC1 DNS server

  1. On DC1, click Start, and point to Administrative Tools. Click DNS.

  2. In the DNS Manager console, in the left pane of the console, expand the server name, and click Reverse Lookup Zones. Right click Reverse Lookup Zones, and click New Zone.

  3. On the Welcome to the New Zone Wizard page, click Next.

  4. On the Zone Type page, click Next.

  5. On the Active Directory Zone Replication Scope page, click Next.

  6. On the Reverse Lookup Zone Name page, click Next.

  7. On the Reverse Lookup Zone Name page, select the Network ID option, and then enter 10.0.0 in the box. Click Next.

  8. On the Dynamic Update page, click Next.

  9. On the Completing the New Zone Wizard page, click Finish.

  10. Leave the DHCP console open for the next operation.

A pointer record for DC1 will allow services to perform reverse name resolution for the DC1 computer. This is useful when performing several DNS related operations. It is not required for a functional DirectAccess solution and it is configured as a convenience for this lab.

To enter a point record for DC1

  1. On DC1, in the DNS Manager console, expand the Forward Lookup Zones node in the left pane of the console. Click corp.contoso.com.

  2. Double click dc1 in the right pane of the console.

  3. In the DC1 Properties dialog box, select the Update associated pointer (PTR) record check box, and click OK.

  4. Expand the Reverse Lookup Zones node in the left pane of the console, and click 0.0.10.in-addr.arpa. Confirm that there is an entry for 10.0.0.1 in the middle pane of the console.

  5. Leave the DNS console open.

By default, the Windows Server 2008 R2 DNS server will not answer queries for ISATAP and WPAD host names. These names are included in the DNS server’s Global Query Block list. The following procedures configure the DNS server so that it will answer queries for ISATAP by removing ISATAP from the Global Query Block list.

To enable ISATAP name resolution on the DC1 DNS server

  1. On DC1, click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. In the command window, type dnscmd /config /globalqueryblocklist wpad, and then press ENTER.

  3. In the command prompt window, type dnscmd /info /globalqueryblocklist to confirm that ISATAP is not included in the list, and that Query result: String: wpad is displayed.

  4. Close the command window.

For more information on configuring the global query block list, see http://download.microsoft.com/download/5/3/c/53cdc0bf-6609-4841-a7b9-cae98cc2e4a3/DNS_Server_Global_%20Query_Block%20List.doc

DirectAccess clients use a network location server to determine if the computer is on or off the corporate network. If the DirectAccess client can connect to the network location server using HTTPS, it determines that it is on the corporate network and the DirectAccess client configuration is disabled. If the DirectAccess client cannot connect to the network location server, the DirectAccess client configuration is enabled, and the computer configures itself to use the appropriate IPv6 adapter and IPv6 transition technology to connect to the DirectAccess server (the adapter used can be 6to4, Teredo, or IP-HTTPS).

A DNS record is required for the DirectAccess client to resolve the name of the network location server. In addition, all IPv6 capable hosts on the corpnet must resolve the name ISATAP to the internal interface of the UAG DirectAccess server, so a DNS record is required for ISATAP. The UAG DirectAccess server will act as an ISATAP router for the organization, and provide prefix and routing information for ISATAP hosts on the corporate network.

To create DNS records for NLS and ISATAP on DC1

  1. On DC1, click the corp.contoso.com forward lookup zone in the left pane of the console. Right click corp.contoso.com and click New Host (A or AAAA).

  2. In the New Host dialog box, enter ISATAP in the Name (uses parent domain name if blank) box. Then enter 10.0.0.2 in the IP address box. (IP address 10.0.0.2 will be the IP address of the internal interface of the UAG server, which will act as the ISATAP router in this lab).

  3. Click Add Host. Then click OK in the DNS dialog box.

  4. In the New Host dialog box, enter NLS in the Name (uses parent domain name if blank) box (this is the name the DirectAccess clients use to connect to the network location server). Enter 10.0.0.3 in the IP address box, and then click Add Host. Click OK in the DNS box.

    noteNote:
    IP address 10.0.0.3 is the IP address of APP1, which acts as a network location server in this lab.

  5. Click Done.

  6. Confirm that there are entries for DC1, ISATAP, and NLS in the middle pane of the console.

  7. Open a command prompt window, enter nslookup isatap and then press ENTER. Confirm that DC1 resolves ISATAP to 10.0.0.2. Close the command prompt window.

A DHCP server is used on the simulated corpnet to provide IP addressing information for the DirectAccess client when it is connected to the corpnet. DHCP is not required for a working DirectAccess solution, but facilitates automatic addressing when the DirectAccess client moves between the corpnet and external networks. The Microsoft Certificate Server is used to provide computer certificates to domain member computers, which can be used for computer authentication and IPsec connectivity. In addition, the Certificate Server is used to obtain Web site certificates for the network location server and the UAG DirectAccess server’s IP-HTTPS listener.

noteNote:
A Microsoft Certificate Server is not required for either computer or Web site certificates. However, it is the preferred method for computer certificate assignment, as it can significantly lower administrative overhead compared to other approaches. In a production environment, the IP-HTTPS Listener typically uses a commercial certificate, though this is not a requirement; a commercial certificate simplifies DirectAccess client access to the Certificate Revocation List listed in the certificate used by the IP-HTTPS listener, which is required. Both computer and Web site certificates are required for a working DirectAccess solution.

To configure DC1 as a DHCP and certificate server

  1. On DC1, in the Initial Configuration Tasks window, click the Add Roles link.

  2. On the Before You Begin page, click Next.

  3. On the Select Server Roles page, select the Active Directory Certificate Services and DHCP Server check boxes. Click Next.

  4. On the Introduction to DHCP Server page, click Next.

  5. On the Select Network Connection Bindings page, confirm that 10.0.0.1 is selected in the Network Connections section. Click Next.

  6. On the Specify IPv4 DNS Server Settings page, confirm that the Parent domain box contains corp.contoso.com. In the Preferred DNS server IPv4 address box, enter 10.0.0.1. Click Validate. A green circle with a check mark should display, and it should state Valid to the right of that circle. Click Next.

  7. On the Specify IPv4 WINS Server Settings page, click Next.

  8. On the Add or Edit DHCP Scopes page, click the Add button.

  9. In the Add Scope dialog box, in the Scope name box, enter Corpnet. In the Starting IP address box, enter 10.0.0.100. In the Ending IP address box, enter 10.0.0.150. In the subnet mask box, enter 255.255.255.0. Click OK.

  10. On the Add or Edit DHCP Scopes page, click Next.

  11. On the Configure DHCPv6 Stateless Mode page, select the Disable DHCPv6 stateless mode for this server option, and click Next.

    noteNote:
    Disabling stateless mode is not a requirement for the DirectAccess solution; this option is selected because we are not using a native IPv6 infrastructure in this lab.

  12. On the Authorize DHCP Server page, click Next.

  13. On the Introduction to Active Directory Certificate Services page, click Next.

  14. On the Select Role Services page, confirm that the Certification Authority check box is selected, and then click Next.

  15. On the Specify Setup Type page, confirm that Enterprise is selected, and click Next.

    noteNote:
    An Enterprise CA is used so that autoenrollment automatically distributes the CA and computer certificates.

  16. On the Specify CA Type page, confirm that Root CA is selected, and then click Next.

  17. On the Set Up Private key page, confirm that Create a new private key is selected, and click Next.

  18. On the Configure Cryptography for CA page, click Next.

  19. On the Configure CA Name page, click Next.

  20. On the Set Validity Period page, click Next.

  21. On the Configure Certificate Database page, click Next.

  22. On the Confirm Installation Selections page, click Install.

  23. On the Installation Results page, click Close.

As a network management best practice, the default domain administrator account should not be used for regular network operations. For this reason, a new domain administrator account is created and used when making configuration changes. Using an alternate domain admin account is not required for a functional DirectAccess solution, and is done as a best practice example for this lab.

To create a new administrator account in Active Directory on DC1

  1. On DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. In the console tree, expand corp.contoso.com, right-click Users, point to New, and then click User.

  3. In the New Object - User dialog box, next to Full name, enter User1, and then, in User logon name enter User1.

  4. Click Next.

  5. In Password, type the password that you want to use for this account, and in Confirm password, type the password again.

  6. Clear the User must change password at next logon check box, and select the Password never expires check box.

  7. Click Next, and then click Finish.

  8. In the console tree, click Users.

  9. In the details pane, double-click Domain Admins.

  10. In the Domain Admins Properties dialog box, click the Members tab, and then click Add.

  11. Under Enter the object names to select (examples), enter User1, and then click OK two times.

  12. Leave the Active Directory Users and Computers console open for the following procedure.

When you run the UAG DirectAccess Wizard on the UAG1 computer, the wizard creates Group Policy objects and deploys them in Active Directory. One GPO is created for the UAG DirectAccess server, and another is created for DirectAccess clients. Security group filtering is used to apply the DirectAccess GPO settings to the DirectAccess Clients security group. To obtain the settings required to be a DirectAccess client, the computer must be a member of this security group. Do not use any of the built-in security groups as your DirectAccess security group. Use the following procedure to create the DirectAccess security group. This group is required for a working DirectAccess solution.

To create a security group for DirectAccess clients on DC1

  1. On DC1, in the Active Directory Users and Computers console tree, right-click Users, point to New, and then click Group.

  2. In the New Object - Group dialog box, under Group name, enter DA_Clients.

    noteNote:
    The group name “DA_Clients” is not a mandatory name; you can use any name you want for the DirectAccess clients security group.

  3. Under Group scope, select Global, under Group type, select Security, and then click OK.

  4. Close the Active Directory Users and Computers console.

A Web site certificate is required for the network location server so that computers can use HTTPS to connect to it located on the corporate network. In addition, the UAG DirectAccess server uses a Web site certificate on its IP-HTTPS listener so that it can accept incoming connections from DirectAccess clients that are behind network devices that limit outbound connections to only HTTP/HTTPS. The following procedures describes how to create a Web site certificate template to use for requests to the Microsoft Certificate Server installed on DC1. A Web site certificate bound to the UAG DirectAccess server’s IP-HTTPS listener and a Web site certificate bound to the network location server Web site are both required for a working DirectAccess solution.

To create and deploy a security template for the IP-HTTPS listener certificate and network location server certificate

  1. On DC1, click Start, enter mmc in the Search box, and then press ENTER.

  2. Click the File menu, and then click Add/Remove Snap-in.

  3. In the list of snap-ins, click Certificate Templates, click Add, and then click OK.

  4. In the console tree, expand Certificates Templates.

  5. In the contents pane, right-click the Web Server template, and then click Duplicate Template.

  6. Click Windows Server 2003 Enterprise, and then click OK. (You can use either the Windows Server 2003 or Windows Server 2008 templates). In Template display name, type Web Server 2003.

  7. Click the Security tab.

  8. Click Authenticated Users, and then select Enroll in the Allow column.

  9. Click Add, enter Domain Computers in the Enter the object names to select box, and then click OK.

  10. Click Domain Computers, and then select Enroll in the Allow column.

  11. Click the Request Handling tab.

  12. Select Allow private key to be exported.

    noteNote:
    We do this as a convenience for this lab. Making the private key exportable is not required by DirectAccess; however, in order to create a UAG DirectAccess array, the same certificate must be installed on all array members. Enabling export of the private key greatly simplifies this requirement.

  13. Click OK.

  14. Close the MMC window without saving changes.

  15. Click Start, point to Administrative Tools, and then click Certification Authority.

  16. In the console tree, expand corp-DC1-CA, right-click Certificate Templates, point to New, and then click Certificate Template to Issue.

  17. In the list of certificate templates, click Web Server 2003, and then click OK.

  18. In the right pane of the console, you should see the Web Server 2003 certificate template with an Intended Purpose of Server Authentication.

  19. Close the Certification Authority console.

Support for incoming and outgoing ICMPv4 and v6 is required for Teredo clients. DirectAccess clients will use Teredo as their IPv6 transition technology to connect to the UAG DirectAccess server over the IPv4 Internet, when they are assigned a private (RFC 1918) IP address and are located behind a NAT device or firewall. In addition, enabling ping facilitates connectivity testing between participants in the DirectAccess solution.

To Create ICMPv4 and ICMPv6 Echo Request firewall rules in Domain Group policy on DC1

  1. On DC1, click Start, click Administrative Tools, and then click Group Policy Management.

  2. In the console tree, expand Forest: corp.contoso.com. Then expand Domains and corp.contoso.com.

  3. In the console tree, right-click Default Domain Policy, and then click Edit.

  4. In the console tree of the Group Policy Management Editor, expand Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security-LDAP://.

  5. In the console tree, click Inbound Rules, right-click Inbound Rules, and then click New Rule.

  6. On the Rule Type page, click Custom, and then click Next.

  7. On the Program page, click Next.

  8. On the Protocols and Ports page, for Protocol type, click ICMPv4, and then click Customize.

  9. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and then click OK.

  10. Click Next.

  11. On the Scope page, click Next.

  12. On the Action page, click Next.

  13. On the Profile page, click Next.

  14. On the Name page, for Name, type Inbound ICMPv4 Echo Requests, and then click Finish.

  15. In the console tree, right-click Inbound Rules, and then click New Rule.

  16. On the Rule Type page, click Custom, and then click Next.

  17. On the Program page, click Next.

  18. On the Protocols and Ports page, for Protocol type, click ICMPv6, and then click Customize.

  19. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and then click OK.

  20. Click Next.

  21. On the Scope page, click Next.

  22. On the Action page, click Next.

  23. On the Profile page, click Next.

  24. On the Name page, for Name, type Inbound ICMPv6 Echo Requests, and then click Finish.

  25. In the console tree, right-click Outbound Rules, and then click New Rule.

  26. On the Rule Type page, click Custom, and then click Next.

  27. On the Program page, click Next.

  28. On the Protocols and Ports page, for Protocol type, click ICMPv4, and then click Customize.

  29. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and then click OK.

  30. Click Next.

  31. On the Scope page, click Next.

  32. On the Action page, click Allow the connection, and then click Next.

  33. On the Profile page, click Next.

  34. On the Name page, for Name, type Outbound ICMPv4 Echo Requests, and then click Finish.

  35. In the console tree, right-click Outbound Rules, and then click New Rule.

  36. On the Rule Type page, click Custom, and then click Next.

  37. On the Program page, click Next.

  38. On the Protocols and Ports page, for Protocol type, click ICMPv6, and then click Customize.

  39. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and then click OK.

  40. Click Next.

  41. On the Scope page, click Next.

  42. On the Action page, click Allow the connection, and then click Next.

  43. On the Profile page, click Next.

  44. On the Name page, for Name, type Outbound ICMPv6 Echo Requests, and then click Finish.

  45. Confirm that the rules you created appear in the Inbound Rules and Outbound Rules nodes. Close the Group Policy Management Editor.

In the DirectAccess solution, computer certificates can be used for computer authentication and IPsec connection establishment. One efficient method for distributing computer certificates is to take advantage of Group Policy based autoenrollment for computer certificates. The following procedure enables autoenrollment for computer certificates for domain member computers.

To enable autoenrollment for computer certificates for domain member computers

  1. On DC1, from the Administrative Tools menu, open Group Policy Management.

  2. In the Group Policy Management console, expand Forest: corp.contoso.com and then expand Domains. Expand corp.contoso.com, then right click Default Domain Policy and click Edit.

  3. In the console tree of the Group Policy Management Editor, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.

  4. In the details pane, right-click Automatic Certificate Request Settings, point to New, and then click Automatic Certificate Request.

  5. In the Automatic Certificate Request Wizard, click Next.

  6. On the Certificate Template page, click Computer, click Next, and then click Finish.

  7. Leave the Group Policy Management Editor open for the next procedure.

When a DirectAccess client uses the IP-HTTP IPv6 transition protocol to connect to the DirectAccess server over the IPv4 Internet, it must be able to find and check the Certificate Revocation List noted in the web site certificate that is presented by the DirectAccess server’s IP-HTTPS listener. In a production environment, a commercial or private certificate can be used for the IP-HTTPS listener certificate. If a commercial certificate is chosen, no action is required to make the CRL available to the DirectAccess client located on the Internet. If a private certificate from your own organization’s PKI is used, the CRL must be published or made available in some other way to Internet based hosts. In this lab, the CRL check issue is eliminated by configuring the CA to not assign CRL publishing points; this prevents the CRL check from failing when the DirectAccess client connects to the IP-HTTPS listener.

noteNote:
This is done as a convenience for this lab, and must not be done in a production environment, as it removes the ability to revoke certificates. The CRL must be available to DirectAccess clients that need to use IP-HTTPS in order to create a working production DirectAccess solution that supports IP-HTTPS.

To remove CRL distribution settings on the certificate authority on DC1

  1. On DC1, click Start, point to Administrative Tools, and then click Certification Authority.

  2. In the console tree, right-click corp-DC1-CA, and then click Properties.

  3. Click the Extensions tab. In Specify locations for which users can obtain a certificate revocation list, check all locations of the CRL Distribution Point (CDP) Authority Information Access (AIA), and verify that Publish CRLs to this location or Publish Delta CRLs to this location is not selected.

    noteNote:
    This step is done as a convenience for this lab, and should not be done in a production environment.

  4. Click OK, click Yes to restart Active Directory Certificate Services, and then close the Certification Authority console.

DirectAccess clients should be able to connect to SMB resources, when the DirectAccess client is connected to the simulated Internet or connecting from behind a NAT device over the Internet. A network share is created on DC1 to test this.

To create a shared folder on the C:\ drive on DC1

  1. Click Start, and then click Computer.

  2. Double-click the drive on which Windows Server 2008 R2 is installed.

  3. Click New Folder, type Files, and then press ENTER. Leave the Local Disk window open.

  4. Click Start, click All Programs, click Accessories, right-click Notepad, and then click Run as administrator.

  5. In the Untitled – Notepad window, type This is a shared file on DC1.

  6. Click File, click Save, double-click Computer, double-click the drive on which Windows Server 2008 R2 is installed, and then double-click the Files folder.

  7. In File name, type Example.txt, and then click Save. Close the Notepad window.

  8. In the Local Disk window, right-click the Files folder, point to Share with, and then click Specific people.

  9. Click Share, and then click Done.

    WarningWarning:
    This provides Full Control Share Permissions to Everyone, and NTFS Full Control permissions to SYSTEM, Administrator, and CORP\Administrators.

 
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft