Managing Remote Access
Published: August 10, 2012
Updated: August 10, 2012
Applies To: Windows Server 2012
An overview of the DirectAccess Remote Client Management deployment scenario for using DirectAccess to maintain clients over the internet, its phases, roles and features included, and links to additional resources.
Because DirectAccess client computers are connected to the intranet whenever the DirectAccess client is connected to the Internet, regardless of whether the user has logged on to the computer, they can be more easily managed as intranet resources and kept current with Group Policy changes, operating system updates, anti-malware software updates, and other changes.
In some cases, intranet servers or computers must initiate connections to DirectAccess clients. For example, helpdesk department computers can use remote desktop connections to connect to and troubleshoot remote DirectAccess clients. This scenario lets you keep your existing remote access solution in place for user connectivity, while using DirectAccess just for remote management.
Windows Server 2012 DirectAccess provides support for a manage-out only configuration through a deployment wizard option that limits the creation of policies to only those needed for remote management of client computers. In this deployment, user level configuration options such as force tunneling, NAP integration, and two-factor authentication are not available.
The DirectAccess Remote Client Management deployment scenario includes the following steps:
- Plan the deployment—There are only a few requirements for planning this scenario:
  - Network and server topology—With DirectAccess, you can place your Remote Access server at the edge of your intranet, or behind a Network Address Translation (NAT) device or firewall.
  - DirectAccess network location server—The network location server is used by DirectAccess clients to determine whether they are located on the internal network. The network location server can be installed on the DirectAccess server or on another server.
  - DirectAccess clients—Decide which managed computers will be configured as DirectAccess clients.
  - DirectAccess management servers—Administrators can remotely manage DirectAccess client computers located outside the corporate network on the Internet. Plan for management servers (such as update servers) that are used during remote client management.
- Configure the deployment—This consists of a number of configuration steps:
  - Configuring the infrastructure—Configure DNS settings, join the server and client computers to a domain if required, and configure Active Directory security groups. In this deployment scenario, GPOs will be created automatically by Remote Access. For advanced certificate GPO options, see Deploy a Single Remote Access Server with Advanced Settings.
  - Configuring Remote Access server and network settings—Configure network adapters, IP addresses and routing.
  - Configuring certificate settings—In this deployment scenario, the Getting Started Wizard creates self-signed certificates, so there is no need to configure the more advanced certificate infrastructure used in Deploy a Single Remote Access Server with Advanced Settings.
  - Configuring the network location server—In this scenario, the network location server will be installed on the Remote Access server.
  - Configuring the Remote Access server—Install the Remote Access role and run the DirectAccess Getting Started Wizard to configure DirectAccess.
- Verify the deployment—Test a DirectAccess client to make sure it is able to connect to the internal network and the Internet with DirectAccess.
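The configuration and verification steps above can also be driven from Windows PowerShell instead of the Getting Started Wizard. The following is an added example written for this page, not code from the TechNet article or from Microsoft; it uses the RemoteAccess module cmdlets that ship with the Remote Access role. The interface aliases `Internal` and `External`, the public name `da.example.com` and the management server `wsus01.corp.example.com` are placeholders you would replace with your own values.

```powershell
# Added example (not from the TechNet page): manage-out only DirectAccess deployment
# and verification from PowerShell, the cmdlet equivalent of installing the Remote
# Access role and running the Getting Started Wizard in remote-management mode.
# Placeholders: interface aliases 'Internal'/'External', da.example.com,
# wsus01.corp.example.com.

#Requires -RunAsAdministrator

# 1. Install the Remote Access role together with its management tools
#    (the same thing Server Manager does when you add the role).
Install-WindowsFeature -Name RemoteAccess -IncludeManagementTools

# 2. Configure DirectAccess in manage-out only mode. ManageOut limits the
#    generated GPOs to those needed for remote client management; user-level
#    options (force tunneling, NAP integration, two-factor authentication)
#    are not part of this install type.
Install-RemoteAccess -DAInstallType ManageOut `
    -ConnectToAddress 'da.example.com' `
    -InternalInterface 'Internal' `
    -InternetInterface 'External' `
    -Force

# 3. Register the servers that clients must reach while being managed
#    (update servers, Configuration Manager, HRA). Placeholder host name.
Add-DAMgmtServer -Name 'wsus01.corp.example.com'

# 4. Server-side verification: show the resulting configuration and the
#    per-component health reported by the Remote Access server.
Get-RemoteAccess
Get-RemoteAccessHealth

# 5. Client-side verification, run on a Windows 8 DirectAccess client while it
#    is on the Internet (DirectAccessClientComponents module). Status reads
#    ConnectedRemotely when the client is reaching the intranet over DirectAccess.
Get-DAConnectionStatus
Get-DAClientExperienceConfiguration
```

Run steps 1 to 4 on the Remote Access server and step 5 on a client that has received the new Group Policy; if the client still reports a local connection, check that the network location server is not reachable from the Internet, since reachability of that server is what tells a client it is inside the corporate network.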
Deploying a single Remote Access server for managing DirectAccess clients provides the following:
- Ease-of-access—Managed client computers running Windows® 8 and Windows 7 can be configured as DirectAccess client computers. These clients can access internal network resources via DirectAccess any time they are located on the Internet without needing to log in to a VPN connection. Client computers not running one of these operating systems can connect to the internal network via VPN. Both DirectAccess and VPN are managed in the same console and with the same set of wizards.
- Ease-of-management—DirectAccess client computers located on the Internet can be remotely managed by remote access administrators over DirectAccess, even when the client computers are not located in the internal corporate network. Client computers that do not meet corporate requirements can be remediated automatically by management servers. One or more Remote Access servers can be managed from a single Remote Access Management console.
The following table lists the roles and features required for the scenario:
| Role/feature | How it supports this scenario |
|---|---|
| Remote Access role | The role is installed and uninstalled using the Server Manager console or Windows PowerShell. This role encompasses both DirectAccess, which was previously a feature in Windows Server 2008 R2, and Routing and Remote Access Services, which was previously a role service under the Network Policy and Access Services (NPAS) server role. The Remote Access role consists of two components. The Remote Access server role is dependent on additional server features. |
| Remote Access Management Tools feature | This feature is installed as follows. The Remote Access Management Tools feature consists of the following. Dependencies include: |
Hardware requirements for this scenario include the following:
- Server requirements:
  - A computer that meets the hardware requirements for Windows Server 2012.
  - The server must have at least one network adapter installed and enabled. There should be only one adapter connected to the internal corporate network, and only one connected to the external network (Internet).
  - If Teredo is required as an IPv6 to IPv4 transition protocol, the external adapter of the server requires two consecutive public IPv4 addresses. If a single network adapter is available, then only IP-HTTPS can be used as the transition protocol.
  - At least one domain controller. Both the Remote Access servers and DirectAccess clients must be domain members.
  - A CA server is required if you do not want to use self-signed certificates for IP-HTTPS or the network location server, or if you want to use client certificates for client IPsec authentication.
- Client requirements:
  - A client computer must be running Windows® 8 or Windows 7.
- Infrastructure and management server requirements:
  - During remote management of DirectAccess client computers, clients initiate communications with management servers such as domain controllers, System Center Configuration Servers, and Health Registration Authority (HRA) servers for services that include Windows and antivirus updates and Network Access Protection (NAP) client compliance. The required servers should be deployed before beginning the Remote Access deployment.
  - A DNS server running Windows Server 2008 SP2, Windows Server 2008 R2, or Windows Server 2012 is required.
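The adapter and address rules above decide which transition protocol a server can offer, so it is worth checking them before installing the role. The script below is an added example for this page, not code from the TechNet article; it runs on the prospective Remote Access server with the built-in NetAdapter and NetTCPIP cmdlets. The alias `External` for the Internet-facing adapter is an assumption.

```powershell
# Added example (not from the TechNet page): pre-flight check of the adapter and
# IPv4 requirements for a Windows Server 2012 Remote Access server.
# Assumption: 'External' is the alias of the Internet-facing adapter.

function Test-PrivateIPv4 {
    # RFC 1918 and link-local ranges do not count as public addresses.
    param([ipaddress]$Address)
    $b = $Address.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 169 -and $b[1] -eq 254)
}

function ConvertTo-UInt32 {
    # Turn a dotted-quad address into an integer so adjacency can be tested.
    param([ipaddress]$Address)
    $b = $Address.GetAddressBytes()
    [array]::Reverse($b)               # network byte order -> little-endian host order
    return [BitConverter]::ToUInt32($b, 0)
}

$up = @(Get-NetAdapter | Where-Object Status -eq 'Up')
"Enabled adapters: $($up.Count)"
if ($up.Count -lt 1) { throw 'At least one enabled network adapter is required.' }

$external = 'External'   # placeholder alias
$public = @(Get-NetIPAddress -InterfaceAlias $external -AddressFamily IPv4 -ErrorAction Stop |
            Where-Object { -not (Test-PrivateIPv4 $_.IPAddress) })

if ($up.Count -eq 1) {
    'Single adapter: only IP-HTTPS can be used as the transition protocol.'
}
elseif ($public.Count -ge 2) {
    # Teredo needs two consecutive public IPv4 addresses on the external adapter.
    $sorted = @($public.IPAddress | ForEach-Object { ConvertTo-UInt32 $_ } | Sort-Object)
    $consecutive = $false
    for ($i = 1; $i -lt $sorted.Count; $i++) {
        if ($sorted[$i] - $sorted[$i - 1] -eq 1) { $consecutive = $true }
    }
    if ($consecutive) { 'Teredo-capable: two consecutive public IPv4 addresses found.' }
    else { 'Public IPv4 addresses are not consecutive: Teredo unavailable, IP-HTTPS only.' }
}
else {
    'Fewer than two public IPv4 addresses on the external adapter: IP-HTTPS only.'
}
```

A server behind a NAT device will normally show private addresses on its external adapter and land in the last branch; that matches the page's rule that such a deployment relies on IP-HTTPS.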
There are a number of requirements for this scenario:
- Server requirements:
  - The Remote Access server must be a domain member. The server can be deployed at the edge of the internal network, or behind an edge firewall or other device.
  - If the Remote Access server is located behind an edge firewall or NAT device, the device must be configured to allow traffic to and from the Remote Access server.
  - The person deploying remote access on the server requires local administrator permissions on the server, and domain user permissions. In addition, the administrator requires permissions for the GPOs used in DirectAccess deployment. To take advantage of the feature that restricts DirectAccess deployment to mobile computers only, permissions to create a WMI filter (Domain Admins) on the domain controller are required.
  - If the network location server is not located on the Remote Access server, a separate server to run it is required.
- Remote access client requirements:
  - DirectAccess clients must be domain members. Domains containing clients can belong to the same forest as the Remote Access server, or have a two-way trust with the Remote Access server forest or domain.
  - An Active Directory security group is required to contain the computers that will be configured as DirectAccess clients. Note that computers should not be included in more than one security group that includes DirectAccess clients. If clients are included in multiple groups, name resolution for client requests will not work as expected.
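The overlapping-membership rule is easy to violate once nested groups are involved, so it pays to check it before handing the groups to the Remote Access server. The script below is an added example for this page, not code from the TechNet article; it uses the ActiveDirectory module (RSAT) for the membership check and the RemoteAccess module for registration. The group names are placeholders, and the script assumes the DirectAccess cmdlet takes domain-qualified group names.

```powershell
# Added example (not from the TechNet page): find computers that belong to more
# than one DirectAccess client security group, then register the groups.
# Placeholders: the two group names below.

Import-Module ActiveDirectory

$daGroups = @('DA-Clients-Laptops', 'DA-Clients-Helpdesk')   # placeholder group names

# Collect the computer members of every DA client group. -Recursive follows
# nested groups, which is where accidental double membership usually comes from.
$membership = foreach ($g in $daGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq 'computer' |
        ForEach-Object { [pscustomobject]@{ Computer = $_.name; Group = $g } }
}

# A computer listed under two or more groups breaks name resolution for its requests.
$overlap = @($membership | Group-Object Computer | Where-Object Count -gt 1)
if ($overlap.Count -gt 0) {
    foreach ($o in $overlap) {
        $groups = ($o.Group.Group | Sort-Object -Unique) -join ', '
        "{0} is in multiple DirectAccess client groups: {1}" -f $o.Name, $groups
    }
    throw 'Fix overlapping group membership before configuring DirectAccess clients.'
}

# Membership is clean: register the groups with the Remote Access server.
# Assumption: Add-DAClient expects names in domain\group form.
$domain = (Get-ADDomain).DNSRoot
Add-DAClient -SecurityGroupNameList ($daGroups | ForEach-Object { "$domain\$_" })
Get-DAClient
```

Because the check is recursive, a computer that is a member of one DA client group directly and of another through a nested group is reported as well, which is exactly the case the console view of direct members would hide.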
The following table provides links to additional resources.
| Content type | References |
|---|---|
| Remote Access on TechNet | |
| Product evaluation | Test Lab Guide: Demonstrate DirectAccess in a Cluster with Windows NLB; Test Lab Guide: Demonstrate a DirectAccess Multisite Deployment; Test Lab Guide: Demonstrate DirectAccess with OTP Authentication and RSA SecurID |
| Deployment | Remote Access (DirectAccess, Routing and Remote Access) Overview |
| Tools and settings | |
| Community resources | |
| Related technologies | |