
Configure DirectAccess in Windows Server 2012 Essentials

Published: July 9, 2012

Updated: October 4, 2012

Applies To: Windows Server 2012 Essentials

DirectAccess is a feature in Windows Server 2012 Essentials that enables you to seamlessly connect to your organization’s network from any Internet-equipped remote location without having to establish a virtual private network (VPN) connection. DirectAccess provides increased productivity for your organization’s mobile workforce by offering the same connectivity experience inside and outside of the office. This topic provides step-by-step instructions to configure DirectAccess in Windows Server 2012 Essentials.

Note
This document applies to configuring DirectAccess in Windows Server 2012 Essentials for Windows 8 client computers only. Step-by-step instructions for configuring DirectAccess in Windows Server 2012 Essentials for Windows 7 client computers will be added later to this document.

To configure DirectAccess in Windows Server 2012 Essentials, you must complete the following steps after you have enabled the virtual private network (VPN) by using the Set up Anywhere Access Wizard:

  1. On the server, in the bottom left corner of the screen, click the Server Manager icon.

  2. If a User Account Control warning message displays, click Yes.

  3. In the Server Manager dashboard, click Manage, and then click Add Roles and Features.

  4. In the Add Roles and Features Wizard, do the following:

    1. On the Installation Type page, click Role-based or feature-based installation.

    2. On the Select destination server page, click Select a server from the server pool.

    3. On the Features page, expand Remote Server Administration Tools (Installed), expand Remote Access Management Tools (Installed), and then select Remote Access GUI and Command-Line Tools.

    4. Follow instructions to complete the wizard.

Note
If you have not enabled the virtual private network by using the Set up Anywhere Access Wizard, you must also select Remote Access in the Add Roles and Features Wizard to add that role.

DirectAccess requires an adapter with a static IP address. You need to change the IP address for the local network adapter on your server.

  1. On the server, click Start, and in the Start window, click Control Panel.

  2. Click Network and Internet, and then click View network status and tasks.

  3. In the task pane of the Network and Sharing Center, click Change adapter settings.

  4. Right-click the local network adapter, and then click Properties.

  5. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

  6. On the General tab, click Use the following IP address, and then type the IP address that you want to use.

    A default value for subnet mask appears automatically in the Subnet mask box. Accept the default value, or type the subnet mask value that you want to use.

  7. In the Default gateway box, type the IP address of your default gateway.

  8. In the Preferred DNS server box, type the IP address of your DNS server.

    Note
    Use the IP address that DHCP assigned to your adapter (for example, 192.168.X.X) instead of a loopback address (for example, 127.0.0.1).

  9. In the Alternate DNS Server box, type the IP address of your alternate DNS server, if any.

  10. Click OK, and then click Close.

Important
Ensure that you configure the router to forward ports 80 and 443 to the new static IP address of the server.

This section includes step-by-step instructions for the following tasks:

  • Grant full permissions to authenticate users for the web server’s certificate template in the certification authority.

  • Enroll a certificate for the network location server with a common name that is unresolvable from the external network.

  • Add a new host on the DNS server and map it to the Windows Server 2012 Essentials server address.

  1. On the server, click Search. In the Search box, type Certification Authority, and in the results pane, click Certification Authority.

  2. In the Certification Authority (Local) console, expand <servername>-CA, right-click Certificate Templates, and then click Manage.

  3. In the Certification Authority (Local) console, right-click Web Server, and then click Properties.

  4. In the <servername>-CA Properties box, on the Security tab, click Authenticated Users, select Full Control, and then click OK.

  1. On the server, click Search, and then in the Search box, type mmc.

  2. If a User Account Control warning message appears, click Yes.

  3. The Microsoft Management Console (MMC) appears.

  4. On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.

  5. On the Certificates snap-in page, click Computer account, and then click Next.

  6. On the Select Computer page, click Local computer, click Finish, and then click OK.

  7. In the Certificates console, in the details pane, click Personal, right-click Certificates, and then in All Tasks, click Request New Certificate. The Certificate Enrollment Wizard appears. Click Next.

  8. On the Select Enrollment Policy page, click Next.

  9. On the Request Certificate page, click Web Server, and then click More information is required to enroll this certificate.

  10. In the Certificate Properties box, for Subject name:, click Common Name from the drop-down menu. For Value, type the name of the network location server (for example, DirectAccess-NLS.contoso.local), and then click Add.

  11. Click Next, and then click Finish.

  1. Open DNS Manager, expand Forward Lookup Zones, right-click the zone for your domain suffix, and then click New Host (A or AAAA)…

  2. Type the name of the network location server (for example, DirectAccess-NLS.contoso.local) and the IP address of the server (for example, 192.168.x.x).

  3. Click Add host, and then click Done.
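The certificate enrollment and DNS record steps above can also be done from Windows PowerShell. The following is an added example and not part of the original article; it assumes the Web Server template permission change has already been made, that the server hosting the zone is the Essentials server itself, and that the cmdlets from the PKI and DnsServer modules that ship with Windows Server 2012 are available. The NLS name, zone name and IPv4 address are constructed sample values.

```powershell
# Added example (not from the original article): enroll the NLS certificate and
# create its host record from PowerShell instead of the MMC and DNS Manager steps.
# Sample values below are constructed; replace them with your own.
$NlsName  = "DirectAccess-NLS.contoso.local"
$ZoneName = "contoso.local"
$ServerIP = "192.168.1.100"

# Enroll from the enterprise CA into the computer's Personal store using the
# Web Server template (template name "WebServer"), with the NLS name as the CN.
$request = Get-Certificate -Template WebServer `
                           -SubjectName "CN=$NlsName" `
                           -CertStoreLocation Cert:\LocalMachine\My
if ($request.Status -ne 'Issued') {
    throw "Certificate request was not issued (status: $($request.Status))"
}
"Enrolled NLS certificate with thumbprint $($request.Certificate.Thumbprint)"

# Add the host (A) record so that internal clients can resolve the NLS name.
# The host label is the NLS name with the zone suffix (and its dot) removed.
$HostLabel = $NlsName.Substring(0, $NlsName.Length - $ZoneName.Length - 1)
Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $HostLabel -IPv4Address $ServerIP

# Confirm that the name now resolves to the server address before moving on.
$answer = Resolve-DnsName -Name $NlsName -Type A -ErrorAction Stop
if ($answer.IPAddress -notcontains $ServerIP) {
    throw "$NlsName did not resolve to $ServerIP"
}
"$NlsName resolves to $($answer.IPAddress)"
```

Run it in an elevated Windows PowerShell session on the server. Because the NLS name is intentionally unresolvable from the Internet, the final Resolve-DnsName check is only meaningful when run from inside the network.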

To enable and configure DirectAccess in Windows Server 2012 Essentials, you must do the following:

This section provides step-by-step instructions to enable DirectAccess in Windows Server 2012 Essentials.

  1. On the server, click Search. In the Search box, type Remote Access Management, and in the Results section, click Remote Access Management.

  2. In the Remote Access Management console, click Configuration, and then in the Remote Access Setup pane, click Enable DirectAccess. The Enable DirectAccess Wizard appears.

    Note
    If you have not enabled the VPN from the server dashboard, enable DirectAccess as follows: in the Remote Access Management console, click Configuration, and then in the Remote Access Setup middle pane, in Step 1, click Edit.

  3. In the Enable DirectAccess Wizard, do the following:

    1. In DirectAccess Prerequisites, click Next.

    2. On the Select Groups tab, add a security group for DirectAccess clients.

      Note
      You can add all domain computers to the security group by selecting Domain Computers, or you can use a security group that you created for remote computers in your organization.

    3. On the Select Groups tab, click Enable DirectAccess for mobile computers only if you want to enable mobile computers to use DirectAccess to remotely access the server, and then click Next.

    4. In Network Topology, select the topology of the server, and then click Next.

    5. In DNS Suffix Search List, add the additional DNS suffix for the client computers, if needed, and then click Next.

      Note
      By default, the DirectAccess Wizard already adds the DNS suffix for the current domain. You can add more if needed.

    6. Review the Group Policy Objects (GPOs) that will be applied, and modify them if needed.

    7. Click Next, and then click Finish.

Open Windows PowerShell as an Administrator and run the following commands:

Restart-Service RaMgmtSvc
$key = Get-ChildItem -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemoteAccess\config\MachineSIDs | Where-Object{$_.GetValue("IPv6RrasPrefix") -ne $null}
Remove-GPRegistryValue -Name "DirectAccess Server Settings" -Key $key.Name -ValueName IPv6RrasPrefix
gpupdate

This section provides step-by-step instructions to configure the network location server settings.

Note
Before you begin, copy all the content of the $env:SystemDrive\inetpub\wwwroot folder to the $env:SystemDrive\Program Files\Windows Server\Bin\WebApps\Site\insideoutside folder. Also copy the file $env:SystemDrive\Program Files\Windows Server\Bin\WebApps\Site\default.aspx to that same insideoutside folder.

  1. In the Remote Access Management console, click Configuration, and in the Remote Access Setup details pane, in Step 3, click Edit.

  2. In the Remote Access Server Setup Wizard, on the Network Location Server tab, select The network location server is deployed on the Remote Access server, and then select the certificate that you enrolled earlier in Step 3: Prepare a certificate and DNS record for the network location server.

  3. Follow the instructions to complete the wizard, and then click Finish.

  1. On the server, click Search. In the Search box, type regedit, and in Results section, click regedit.

  2. In the navigation pane, expand Computer, and then expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IKEEXT\Parameters. Right-click Parameters, click New, and then select DWORD (32 bit) Value.

  3. Rename the newly added value to ikeflags. Double-click ikeflags, select Hexadecimal as the base, set its value data to 8000, and then click OK.

This section provides instructions for editing the Name Resolution Policy Table (NRPT) entries for internal addresses (for example, those with an sbs.local suffix) in the DirectAccess client GPO, and for setting the IP-HTTPS interface address as the DNS server for those entries.

  1. On the server, click Search. In the Search box, type Group Policy Management, and then in Results section, click Group Policy Management.

  2. In the Group Policy Management console, click the default forest and domain, right-click DirectAccess Client Settings, and then click Edit.

  3. Click Computer Configuration, click Policies, click Windows Settings, and then click Name Resolution Policy. Choose the entry whose namespace is identical to your DNS suffix, and then click Edit Rule.

  4. Click the DNS Settings for DirectAccess tab, then select Enable DNS settings for DirectAccess in this rule. Add the IPv6 address for the IP-HTTPS interface in the DNS server list.

    Note
    You can use the following Windows PowerShell command to get the IPv6 address: (Get-NetIPAddress -InterfaceAlias IPHTTPSInterface -PrefixLength 128)[1].IPAddress

This section includes step-by-step instructions to configure TCP and UDP firewall rules for the DirectAccess server GPOs.

  1. On the server, click Search. In the Search box, type Group Policy Management, and in Results section, click Group Policy Management.

  2. In the Group Policy Management console, click the default forest and domain, right-click DirectAccess Server Settings, and then click Edit.

  3. Click Computer Configuration, click Policies, click Windows Settings, click Security Settings, click Windows Firewall with Advanced Security, and then click Inbound Rules. Right-click Domain Name Server (TCP-In), and then click Properties.

  4. Click the Scope tab, and in the Local IP address list, add the IPv6 address of the IP-HTTPS interface.

  5. Repeat the same procedure for Domain Name Server (UDP-In).

You must change the DNS64 configuration to listen to the IP-HTTPS interface by using the following Windows PowerShell command.

Set-NetDnsTransitionConfiguration -AcceptInterface IPHTTPSInterface

Use the following PowerShell command and replace "192.168.1.100" with the actual IPv4 address of your Windows Server 2012 Essentials server.

Set-NetNatTransitionConfiguration -IPv4AddressPortPool @("192.168.1.100, 10000-47000")

You can exempt additional ports if the reserved port range conflicts with another application. For example, the following command exempts port 46500 from the reserved port range by splitting the range around it:

Set-NetNatTransitionConfiguration -IPv4AddressPortPool @("192.168.1.100, 10000-46499","192.168.1.100, 46501-47000")
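The command above shows one exemption written by hand. The following added example (not from the original article) generalizes it: a small function that builds the IPv4AddressPortPool value from a start port, an end port and any number of ports to exempt, so that each exempted port falls strictly between two reserved ranges and adjacent exemptions do not produce empty or overlapping ranges. The function name, the server address and the exempted ports are constructed for illustration.

```powershell
# Added example (not from the original article): build the IPv4AddressPortPool
# value for Set-NetNatTransitionConfiguration from a port range and a list of
# ports to leave out of it. New-NatPortPool is a helper name chosen here; the
# address and exempt ports passed at the bottom are constructed sample values.
function New-NatPortPool {
    param(
        [Parameter(Mandatory)] [string] $IPv4Address,
        [int]   $Start = 10000,
        [int]   $End   = 47000,
        [int[]] $ExemptPorts = @()
    )
    $ranges = @()
    $cursor = $Start
    foreach ($p in ($ExemptPorts | Sort-Object -Unique)) {
        # Ports outside the pool do not split anything.
        if ($p -lt $Start -or $p -gt $End) { continue }
        # Emit the reserved range that ends just before this exempt port,
        # unless consecutive exemptions leave nothing to reserve in between.
        if ($p -gt $cursor) {
            $ranges += ("{0}, {1}-{2}" -f $IPv4Address, $cursor, ($p - 1))
        }
        $cursor = $p + 1
    }
    # Whatever remains after the last exemption is reserved as the final range.
    if ($cursor -le $End) {
        $ranges += ("{0}, {1}-{2}" -f $IPv4Address, $cursor, $End)
    }
    # The leading comma keeps a single range from being unrolled into a string.
    return ,$ranges
}

# Exempt two adjacent ports; this yields one range ending at 46499 and one
# starting at 46502, with no overlap and no empty range between them.
$pool = New-NatPortPool -IPv4Address "192.168.1.100" -ExemptPorts 46500, 46501
Set-NetNatTransitionConfiguration -IPv4AddressPortPool $pool
```

Read the result back with Get-NetNatTransitionConfiguration before restarting winnat, and keep the exempted ports documented with the application that needs them, since a future re-run of the wizard or the script resets the pool to the full range.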

You must start the Windows NAT Driver (winnat) service by using the following Windows PowerShell command.

Restart-Service winnat

This section describes how to set up and configure DirectAccess by using Windows PowerShell.

Before you begin configuring your server for DirectAccess, you must complete the following:

  1. Follow the procedure in Step 3: Prepare a certificate and DNS record for the network location server to enroll a certificate named DirectAccess-NLS.contoso.com (where contoso.com is replaced by your actual internal domain name), and to add a DNS record for the network location server (NLS).

  2. Add a security group named DirectAccessClients in Active Directory, and then add client computers for which you want to provide the DirectAccess functionality.

#Add Remote Access role if not installed yet
$ra = Get-WindowsFeature RemoteAccess
If ($ra.Installed -eq $FALSE) { Add-WindowsFeature RemoteAccess }

#Server may need to restart if you installed RemoteAccess role in the above step
#Set the internet domain name to access server, replace contoso.com below with your own domain name
$InternetDomain = "www.contoso.com"
#Set the SG name which you create for DA clients
$DaSecurityGroup = "DirectAccessClients"
#Set the internal domain name
$InternalDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name

#Set static IP and DNS settings
$NetConfig = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=$true"
$CurrentIP = $NetConfig.IPAddress[0]
$SubnetMask = $NetConfig.IPSubnet | Where-Object{$_ -like "*.*.*.*"}
$NetConfig.EnableStatic($CurrentIP, $SubnetMask)
$NetConfig.SetGateways($NetConfig.DefaultIPGateway)
$NetConfig.SetDNSServerSearchOrder($CurrentIP)

#Get physical adapter name and the certificate for NLS server
$Adapter = (Get-WmiObject -Class Win32_NetworkAdapter -Filter "NetEnabled=$true").NetConnectionId
$Certs = dir cert:\LocalMachine\My
$nlscert = $certs | Where-Object{$_.Subject -like "*CN=DirectAccess-NLS*"}

#Add regkey to bypass CA cert for IPsec authentication
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\IKEEXT\Parameters -Name ikeflags -Type DWORD -Value 0x8000

#Install DirectAccess. 
Install-RemoteAccess -NoPrerequisite  -DAInstallType FullInstall  -InternetInterface $Adapter  -InternalInterface $Adapter -ConnectToAddress $InternetDomain -nlscertificate $nlscert -force

#Restart Remote Access Management service
Restart-Service RaMgmtSvc

#Remove the unnecessary IPv6 prefix GPO
$key = Get-ChildItem -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemoteAccess\config\MachineSIDs | Where-Object{$_.GetValue("IPv6RrasPrefix") -ne $null}
Remove-GPRegistryValue -Name "DirectAccess Server Settings" -Key $key.Name -ValueName IPv6RrasPrefix
gpupdate

#Set the appropriate security group used for DA client computers. Replace the group name below with the one you created for DA clients
Add-DAClient -SecurityGroupNameList $DaSecurityGroup 
Remove-DAClient -SecurityGroupNameList "Domain Computers"
Set-DAClient -OnlyRemoteComputers Disabled

#Gather DNS64 IP address information
$Remoteaccess = get-remoteaccess
$IPinterface = get-netipinterface -InterfaceAlias IPHTTPSInterface | get-netipaddress -PrefixLength 128
$DNS64IP=$IPInterface[1].IPaddress
$Natconfig = Get-NetNatTransitionConfiguration

# Configure TCP and UDP firewall rules for the DirectAccess server GPO
$GpoName = 'GPO:'+$InternalDomain+'\DirectAccess Server Settings'
Get-NetFirewallRule -PolicyStore $GpoName -Displayname "Domain Name Server (TCP-IN)"|Get-NetFirewallAddressFilter | Set-NetFirewallAddressFilter -LocalAddress $DNS64IP
Get-NetFirewallrule -PolicyStore $GpoName -Displayname "Domain Name Server (UDP-IN)"|Get-NetFirewallAddressFilter | Set-NetFirewallAddressFilter -LocalAddress $DNS64IP

# Configure the name resolution policy settings for the DirectAccess server, replace the DNS suffix below with the one in your domain
$Suffix = '.' + $InternalDomain
set-daclientdnsconfiguration -DNSsuffix $Suffix -DNSIPAddress $DNS64IP

# Change the DNS64 configuration to listen to IP-HTTPS interface
Set-NetDnsTransitionConfiguration -AcceptInterface IPHTTPSInterface

# Copy the necessary files to NLS site folder
XCOPY 'C:\inetpub\wwwroot' 'C:\Program Files\Windows Server\Bin\WebApps\Site\insideoutside' /E
XCOPY 'C:\Program Files\Windows Server\Bin\WebApps\Site\Default.aspx' 'C:\Program Files\Windows Server\Bin\WebApps\Site\insideoutside'

# Reserve the port range used by NAT64
Set-NetNatTransitionConfiguration -IPv4AddressPortPool @("$CurrentIP, 10000-47000")

Restart-Service winnat
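After the script above has run and Group Policy has refreshed, it is worth reading the settings back rather than trusting that every command succeeded. The following added example is not part of the original article; it checks the items the procedure changes that can be read with standard cmdlets (the NLS certificate and DNS record, the ikeflags value, the removed IPv6RrasPrefix value, the DNS64 accept interface, the NAT64 port pool, the winnat service, and the DirectAccess client group) and collects any mismatch into a list of findings. The NLS name is a constructed sample; the group name DirectAccessClients is the one used in the procedure.

```powershell
# Added example (not from the original article): read back the DirectAccess
# settings the procedure changes and list anything that does not match.
# $NlsName is a constructed sample value; replace it with the name you enrolled.
$NlsName  = "DirectAccess-NLS.contoso.com"
$DaGroup  = "DirectAccessClients"
$findings = @()

# 1. DirectAccess is installed according to Remote Access itself.
$ra = Get-RemoteAccess
if ($ra.DAStatus -ne 'Installed') { $findings += "Get-RemoteAccess reports DAStatus '$($ra.DAStatus)'" }

# 2. The NLS certificate exists in the computer store and is not about to expire.
$nls = Get-ChildItem Cert:\LocalMachine\My |
       Where-Object { $_.Subject -like "*CN=DirectAccess-NLS*" } |
       Select-Object -First 1
if (-not $nls) {
    $findings += "No certificate with CN=DirectAccess-NLS in Cert:\LocalMachine\My"
} elseif ($nls.NotAfter -lt (Get-Date).AddDays(30)) {
    $findings += "NLS certificate expires on $($nls.NotAfter)"
}

# 3. The NLS name resolves from inside the network (the record added in DNS).
try   { $null = Resolve-DnsName -Name $NlsName -ErrorAction Stop }
catch { $findings += "NLS name $NlsName does not resolve from the server" }

# 4. ikeflags was set to 0x8000 under IKEEXT\Parameters.
$ike = Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\IKEEXT\Parameters `
                        -Name ikeflags -ErrorAction SilentlyContinue
if (-not $ike -or $ike.ikeflags -ne 0x8000) { $findings += "IKEEXT ikeflags is not 0x8000" }

# 5. The IPv6RrasPrefix value is no longer delivered by the server GPO.
$leftover = Get-ChildItem -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemoteAccess\config\MachineSIDs `
                          -ErrorAction SilentlyContinue |
            Where-Object { $_.GetValue("IPv6RrasPrefix") -ne $null }
if ($leftover) { $findings += "IPv6RrasPrefix is still present under MachineSIDs" }

# 6. DNS64 accepts queries on the IP-HTTPS interface.
$dns64 = Get-NetDnsTransitionConfiguration
if ($dns64.AcceptInterface -notcontains 'IPHTTPSInterface') {
    $findings += "DNS64 AcceptInterface does not include IPHTTPSInterface"
}

# 7. NAT64 has a port pool and the winnat service is running.
$nat = Get-NetNatTransitionConfiguration
if (-not $nat.IPv4AddressPortPool) { $findings += "NAT64 IPv4AddressPortPool is empty" }
if ((Get-Service winnat).Status -ne 'Running') { $findings += "winnat service is not running" }

# 8. The client security group is the one created for DirectAccess clients.
$client = Get-DAClient
if ($client.SecurityGroupNameList -notcontains $DaGroup) {
    $findings += "DirectAccess client group list does not contain $DaGroup"
}
if ($client.SecurityGroupNameList -contains 'Domain Computers') {
    $findings += "Domain Computers is still a DirectAccess client group"
}

if ($findings.Count -eq 0) { "All DirectAccess checks passed" } else { $findings }
```

Run it from an elevated Windows PowerShell session on the server after gpupdate has completed. A finding does not identify the cause on its own, but it points at which step of the procedure to repeat; the registry and GPO checks in particular only reflect the current state after Group Policy has refreshed.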

© 2013 Microsoft. All rights reserved.