Step 2: Configure APP1

Applies To: Unified Access Gateway

APP1 is a Windows Server 2008 R2 computer that acts in the role of the network location server on the network. For this lab, we have chosen not to install the network location server on the domain controller, even though doing so would have reduced the number of machines required for the lab network. The reason is that if the domain controller is IPv6-based (which is not the case in this lab, nor currently in the vast majority of networks), it is not recommended to use IPsec to connect to the network location server before the client is aware that it is inside the corporate network; at that point the DirectAccess client is still applying the public IPv6 policy. The DirectAccess solution does create a client-side policy to make sure Network Location Awareness detection is skipped, which means that if the NLS were placed on the same IP address as the domain controller, the domain controller would also be exempt from IPsec. To work around this, you could add another IP address to the domain controller and host the NLS on that address, or simply place the NLS on another computer. Because a separate computer is easier, and because a production environment will use a high-availability array for network location servers, we decided to use a separate computer for the network location server.

APP1 configuration consists of the following steps:

  A. Install the operating system on APP1—Windows Server 2008 R2 is installed on APP1. Note that this specific operating system is not required, as any machine that can host the SSL Web site for the NLS server will work.

  B. Configure TCP/IP properties on APP1—After installing the operating system on APP1, configure static IP addressing information on its network adapter.

  C. Rename APP1 and join it to the CORP domain—To simplify deployment of the Web site certificate, APP1 is joined to the corp.contoso.com domain.

  D. Obtain an NLS certificate for SSL connections to the network location server on APP1—APP1 acts as the network location server. To enable this role, APP1 needs a Web site certificate so that the DirectAccess clients can establish an SSL connection to a Web site on APP1. DirectAccess clients access this site by connecting to the network location server name, nls.corp.contoso.com (in this scenario).

  E. Install the Web server role on APP1—Install IIS Web services on APP1 so that it can host the network location server Web site.

  F. Configure the HTTPS security binding on the NLS Web site on APP1—The Web site certificate must be bound to a Web site on APP1 so that it can respond to SSL connection requests from the DirectAccess clients on the corporate network.

Note

DA1 must have two network adapters installed.

A. Install the operating system on APP1

The first step is to install Windows Server 2008 R2 Enterprise Edition on APP1. This is not a requirement. The goal is to provide an SSL Web site that the DirectAccess clients can connect to, so that they can determine if they are on the corporate network.

To install the operating system on APP1

  1. On APP1, start the installation of Windows Server 2008 R2 Enterprise Edition.

  2. Follow the instructions to complete the installation, specifying Windows Server 2008 R2 Enterprise Edition, and a strong password for the local Administrator account. Log on using the local administrator account.

  3. Connect the network adapter to the corpnet subnet or the virtual switch representing the corpnet subnet.

B. Configure TCP/IP properties on APP1

After installing the operating system on APP1, configure the TCP/IP properties to provide the server with an IP address, subnet mask, DNS server address, and connection specific suffix.

Note

The connection specific suffix is not required for a working DirectAccess solution, but it simplifies name resolution prior to completing the DNS infrastructure in the lab environment.

To configure TCP/IP properties on APP1

  1. On APP1, in Initial Configuration Tasks, click Configure networking.

  2. In Network Connections, right-click Local Area Connection, and then click Properties.

  3. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

  4. Select Use the following IP address, enter 10.0.0.3 next to IP address, and enter 255.255.255.0 next to Subnet mask.

  5. Select the Use the following DNS server addresses option. Enter 10.0.0.1 in the Preferred DNS server box.

  6. Click Advanced, and then click the DNS tab.

  7. In DNS suffix for this connection, enter corp.contoso.com, click OK two times, and then click Close.

    Note

    Configuring a DNS suffix is not required for DirectAccess to work correctly.

  8. Close the Network Connections window.

C. Rename APP1 and join it to the corp.contoso.com domain

The installation routine created a default computer name. The following procedure changes the computer name from its default to APP1, and joins APP1 to the CORP domain.

To rename APP1 and join it to the corp.contoso.com domain

  1. On APP1, in Initial Configuration Tasks, click Provide computer name and domain.

  2. In the System Properties dialog box, click Change. In the Computer Name/Domain Changes dialog box, in the Computer name box, enter APP1. In the Member of frame, select the Domain option, and enter corp.contoso.com in the text box. Click OK.

  3. In the Computer Name/Domain Changes dialog box, enter CORP\User1 in the User name box and the password in the Password box. Click OK.

  4. After restarting, log on using CORP\User1.

D. Obtain an NLS certificate for SSL connections to the network location server on APP1

The network location server is used by computers configured as DirectAccess clients to determine whether they are on the corporate network. If the DirectAccess client can connect to the network location server using HTTPS, it determines that it is on the corporate network and does not turn on its DirectAccess client configuration. If the computer is not able to connect to the network location server using HTTPS, it determines that it is off the corporate network, turns on its DirectAccess client configuration, and attempts to use one of several IPv6 transition technologies to connect to the Forefront UAG DirectAccess server over the IPv4 Internet. The network location server requires a Web site certificate to enable SSL session establishment with the DirectAccess client, and the subject name on this certificate must match the name that the DirectAccess client uses to connect to the network location server. On this lab network, the DirectAccess client tries to connect to nls.corp.contoso.com. This name is used later in the DirectAccess Configuration Wizard on the UAG server.

To obtain an NLS certificate for SSL connections to the network location server on APP1

  1. On APP1, click Start, enter mmc, and then press ENTER.

  2. Click the File menu, and then click Add/Remove Snap-in.

  3. Click Certificates, click Add, select Computer account, click Next, select Local computer, click Finish, and then click OK.

  4. In the left pane of the console, expand Certificates (Local Computer)\Personal\Certificates.

  5. Right-click Certificates, point to All Tasks, and then click Request New Certificate.

  6. On the Before You Begin page, click Next.

  7. On the Select Certificate Enrollment Policy page, select the Active Directory Enrollment Policy entry and click Next.

  8. On the Request Certificates page, select the Web Server 2003 check box, and then click More information is required to enroll for this certificate.

  9. On the Subject tab of the Certificate Properties dialog box, in Subject name section, for Type, select Common Name.

  10. In the Value section, enter nls.corp.contoso.com, and then click Add.

  11. In the Alternative name section, for Type, select DNS.

  12. In Value, type nls.corp.contoso.com, and then click Add.

  13. Click OK, click Enroll, and then click Finish.

  14. In the details pane of the Certificates snap-in, verify that a new certificate with the name nls.corp.contoso.com was enrolled with Intended Purposes of Server Authentication.

  15. Right-click the nls.corp.contoso.com certificate, and then click Properties.

  16. In the nls.corp.contoso.com Properties dialog box, in the Friendly name box, enter NLS Certificate. Click OK.

    Note

    This is not required for the DirectAccess solution to work, but it makes it easy to identify the certificate when binding it to the NLS Web site’s SSL listener.

  17. Close the console window. If you are prompted to save settings, click No.

E. Install the Web server role on APP1

APP1 hosts the network location server. Since the network location server is a Web server that can accept SSL connections from computers configured to be DirectAccess clients, the Web server role is required on the network location server.

To install the Web server role on APP1

  1. On APP1, in the Initial Configuration Tasks window, click the Add Roles link.

  2. On the Before You Begin page, click Next.

  3. On the Select Server Roles page, select the Web Server (IIS) check box, and then click Next.

  4. On the Introduction to Web Server (IIS) page, click Next.

  5. On the Select Role Services page, click Next.

  6. On the Confirm Installation Selections page, click Install.

  7. Verify that all installations were successful, and then click Close.

F. Configure the HTTPS security binding on the NLS Web site on APP1

After the Web server role is installed, the Web site certificate must be bound to the network location server Web site. This is required for the Web server to establish an SSL connection with the computer configured as a DirectAccess client, and is a required component of a DirectAccess solution.

To configure the HTTPS security binding on the NLS Web site on APP1

  1. On APP1, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. In the left pane of the console, expand APP1\Sites, and then click Default Web Site.

  3. In the Actions pane, click Bindings.

  4. In the Site Bindings dialog box, click Add.

  5. In the Add Site Binding dialog box, in the Type list, select https. In the SSL certificate list, select NLS Certificate.

  6. Click the View button.

  7. In the Certificate dialog box, confirm that the certificate was Issued to: nls.corp.contoso.com. This is the name the DirectAccess client computer must use to connect to the network location server.

  8. In the Add Site Binding dialog box, click OK.

  9. In the Site Bindings dialog box, click Close.

  10. Close the Internet Information Services (IIS) Manager console.
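The following verification script is an addition to this guide, not part of the original lab procedure. Run it in an elevated PowerShell session on APP1 after completing steps D and F: it confirms that the enrolled certificate, the IIS HTTPS binding and the SSL listener match what a DirectAccess client expects when it probes the network location server. It assumes the site is named Default Web Site, that the NLS name is nls.corp.contoso.com, and that this name already resolves to APP1 (the DNS record is created later in the lab, so the final probe will fail until then).

```powershell
# Added verification script (not from the lab guide). Assumes: site "Default Web Site",
# NLS name nls.corp.contoso.com, and that the NLS name resolves to APP1.
$NlsName  = "nls.corp.contoso.com"
$SiteName = "Default Web Site"
$ServerAuthOid = "1.3.6.1.5.5.7.3.1"   # Server Authentication EKU

# 1. The certificate must be in the computer's Personal store, carry the NLS name
#    as its subject, have its private key, and be valid for Server Authentication.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$NlsName" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject CN=$NlsName in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key; IIS cannot use it" }
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })
if (-not $hasServerAuth) { throw "Certificate $($cert.Thumbprint) lacks the Server Authentication EKU" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "NLS certificate expires on $($cert.NotAfter); clients will fall off the corpnet when it does"
}

# 2. IIS must expose an https binding on the site, and the port 443 SSL listener
#    must be tied to the thumbprint of the certificate found above.
Import-Module WebAdministration
$binding = Get-WebBinding -Name $SiteName -Protocol https
if (-not $binding) { throw "No https binding exists on '$SiteName'" }
$sslMatch = Get-ChildItem IIS:\SslBindings |
    Where-Object { $_.Port -eq 443 -and $_.Thumbprint -eq $cert.Thumbprint }
if (-not $sslMatch) { throw "Port 443 is not bound to certificate $($cert.Thumbprint)" }

# 3. Behave like a DirectAccess client on the corpnet: open an HTTPS connection to the
#    NLS name. A name mismatch or untrusted chain surfaces here as a WebException,
#    which is exactly the condition that makes a client decide it is off the corpnet.
$req = [System.Net.HttpWebRequest]::Create("https://$NlsName/")
$req.Method = "HEAD"
try {
    $resp = $req.GetResponse()
    Write-Output "NLS reachable over HTTPS as $NlsName (HTTP $([int]$resp.StatusCode))"
    $resp.Close()
}
catch [System.Net.WebException] {
    throw "HTTPS probe to $NlsName failed: $($_.Exception.Message)"
}
```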

Next Steps

Step 3: Configure APP3