TechNet
United States (English) Sign in
Home Library Learn Downloads Support
This topic has not yet been rated - Rate this topic

Step 1: Plan the Remote Access Infrastructure

Published: August 10, 2012

Updated: August 10, 2012

Applies To: Windows Server 2012

The first step of planning for an advanced Remote Access manage out to clients only deployment on a single server is to perform planning for the infrastructure required for the deployment. This topic describes the infrastructure planning steps:

 

Task Description

Plan network topology and server settings

Decide where to place the Remote Access server (at the edge, or behind a Network Address Translation (NAT) device or firewall), and plan IP addressing and routing.

Plan firewall requirements

Plan for allowing Remote Access through edge firewalls.

Plan certificate requirements

Decide if you will use a Kerberos or certificates for client authentication, and plan your website certificates. IP-HTTPS is a transition protocol used by DirectAccess clients to tunnel IPv6 traffic over IPv4 networks. Decide whether to authenticate IP-HTTPS using server using a certificate issued by a CA, or using a self-signed certificate issued automatically by the Remote Access server.

Plan DNS requirements

Plan DNS settings for the Remote Access server, infrastructure servers, local name resolution options, and client connectivity.

Plan the network location server

The network location server is used by DirectAccess clients to determine whether they are located on the internal network. Decide where to place the network location server website in your organization (on the Remote Access server or an alternative server) and plan the certificate requirements if the network location server will be located on the Remote Access server.

Plan management servers

Administrators can remotely manage DirectAccess client computers located outside the corporate network on the Internet. Plan for management servers (such as update servers) that are used during remote client management.

Plan Active Directory

Plan your domain controllers, your Active Directory requirements, client authentication, and multiple domains.

Plan Group Policy Objects

Decide what GPOs are required in your organization and how to create or edit the GPOs.

The planning tasks do not need to be done in a specific order.

  1. Identify the network adapter topology you want to use. Remote Access can be set up with either of the following:

    • With two network adapters—Either at the edge with one network adapter connected to the Internet and the other to the internal network, or behind a NAT, firewall, or router device, with one network adapter connected to a perimeter network and the other to the internal network.

    • Behind a NAT device with one network adapter—The Remote Access server is installed behind a NAT device, and the single network adapter is connected to the internal network.

  2. Identity your IP addressing requirements:

    DirectAccess uses IPv6 with IPsec to create a secure connection between DirectAccess client computers and the internal corporate network. However, DirectAccess does not necessarily require connectivity to the IPv6 Internet or native IPv6 support on internal networks. Instead, it automatically configures and uses IPv6 transition technologies to tunnel IPv6 traffic across the IPv4 Internet (6to4, Teredo, IP-HTTPS) and across your IPv4-only intranet (NAT64 or ISATAP). For an overview of these transition technologies, see the following resources:

  3. Configured required adapters and addressing according to the following table. For deployments behind a NAT device using a single network adapter, configure your IP addresses using only the ‘Internal network adapter’ column.

     

      External network adapter Internal network adapter1, above Routing requirements

    IPv4 Internet and IPv4 intranet

    Configure the following:

    • Two static consecutive public IPv4 addresses with the appropriate subnet masks (required for Teredo only).

    • A default gateway IPv4 address of your Internet firewall or local Internet service provider (ISP) router.

    Note the following:

    • The Remote Access server requires two consecutive public IPv4 addresses so that it can act as a Teredo server and Windows-based Teredo clients can use the Remote Access server to perform detection of the type of NAT device that they are behind.

    Configure the following:

    • An IPv4 intranet address with the appropriate subnet mask.

    • A connection-specific DNS suffix of your intranet namespace. A DNS server should also be configured on the internal interface.

    • Do not configure a default gateway on any intranet interfaces.

    To configure the Remote Access server to reach all subnets on the internal IPv4 network do the following:

    1. List the IPv4 address spaces for all the locations on your intranet.

    2. Use the route add -p or netsh interface ipv4 add route commands to add the IPv4 address spaces as static routes in the IPv4 routing table of the Remote Access server.

    IPv6 Internet and IPv6 intranet

    Configure the following:

    • Use the autoconfigured address configuration provided by your ISP.

    • Use the route print command to ensure that a default IPv6 route pointing to the ISP router exists in the IPv6 routing table.

    • Determine whether the ISP and intranet routers are using default router preferences described in RFC 4191, and using a higher default preference than your local intranet routers. If both of these are true, no other configuration for the default route is required. The higher preference for the ISP router ensures that the active default IPv6 route of the Remote Access server points to the IPv6 Internet.

    Because the Remote Access server is an IPv6 router, if you have a native IPv6 infrastructure, the Internet interface can also reach the domain controllers on the intranet. In this case, add packet filters to the domain controller in the perimeter network that prevent connectivity to the IPv6 address of the Internet-facing interface of the Remote Access server.

    Configure the following:

    • If you are not using default preference levels, configure your intranet interfaces with the netsh interface ipv6 set InterfaceIndex ignoredefaultroutes=enabled command. This command ensures that additional default routes pointing to intranet routers will not be added to the IPv6 routing table. You can obtain the InterfaceIndex of your intranet interfaces from the display of the netsh interface show interface command.

    If you have an IPv6 intranet, to configure the Remote Access server to reach all of the IPv6 locations, do the following:

    1. List the IPv6 address spaces for all the locations on your intranet.

    2. Use the netsh interface ipv6 add route command to add the IPv6 address spaces as static routes in the IPv6 routing table of the Remote Access server.

    IPv4 Internet and IPv6 intranet

    The Remote Access server forwards default IPv6 route traffic using the Microsoft 6to4 Adapter interface to a 6to4 relay on the IPv4 Internet. You can configure a Remote Access server for the IPv4 address of the Microsoft 6to4 relay on the IPv4 Internet (used when native IPv6 is not deployed in the corporate network) with the following command : netsh interface ipv6 6to4 set relay name=<ipaddress> state=enabled command.

    noteNote
    1. If the DirectAccess client has been assigned a public IPv4 address, it will use the 6to4 transition technology to connect to the intranet. If assigned a private IPv4 address, it will use Teredo. If the DirectAccess client cannot connect to the DirectAccess server with either 6to4 or Teredo, it will use IP-HTTPS.

    2. To use Teredo, you must configure two consecutive IP addresses on the external facing network adapter.

    3. You cannot use Teredo if the Remote Access server has only one network adapter.

    4. Native IPv6 client computers can connect to the Remote Access server over native IPv6, and no transition technology is required.

ISATAP is required to use “manage out” DirectAccess capabilities, so that DirectAccess management servers can connect to DirectAccess clients located on the Internet for the purpose of remote management. ISATAP is not required to support connections initiated by DirectAccess client computers to IPv4 resources on the corporate network. NAT64/DNS64 is used for this purpose. If your deployment requires ISATAP, use the following table to identify your requirements.

 

ISATAP deployment scenario Requirements

Existing native IPv6 intranet (no ISATAP is required)

With an existing native IPv6 infrastructure, you specify the prefix of the organization during Remote Access deployment, and the Remote Access server does not configure itself as an ISATAP router. Do the following:

  1. To ensure that DirectAccess clients are reachable from the intranet, you must modify your IPv6 routing so that default route traffic is forwarded to the Remote Access server. If your intranet IPv6 address space uses something other than a single 48-bit IPv6 address prefix, you must specify the relevant organization IPv6 prefix during deployment.

  2. If you are currently connected to the IPv6 Internet, you must configure your default route traffic so that it is forwarded to the Remote Access server, and then configure the appropriate connections and routes on the Remote Access server, so that the default route traffic is forwarded to the device that is connected to the IPv6 Internet.

Existing ISATAP deployment

If you have an existing ISATAP infrastructure, during deployment you are prompted for the 48-bit prefix of the organization and the Remote Access server does not configure itself as an ISATAP router. To ensure that DirectAccess clients are reachable from the intranet, you must modify your IPv6 routing infrastructure so that default route traffic is forwarded to the Remote Access server. This change needs to be done on the existing ISATAP router to which the intranet clients must already be forwarding the default traffic.

No existing IPv6 connectivity

When the Remote Access setup wizard detects that the server has no native or ISATAP-based IPv6 connectivity, it automatically derives a 6to4-based 48-bit prefix (6to4 based prefix is used only if the server has public addresses, otherwise the prefix is auto-generated from a ULA range) for the intranet, and configures the Remote Access server as an ISATAP router to provide IPv6 connectivity to ISATAP hosts across your intranet. To use ISATAP do the following:

  1. Register the name ISATAP on a domain DNS server for each domain on which you want to enable ISATAP based connectivity, so that the ISATAP name is resolvable by the internal DNS server to the internal IPv4 address of the Remote Access server.

  2. By default, DNS servers running Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012, block the resolution of the name ISATAP with the global query block list. To enable ISATAP, you must remove the name ISATAP from the block list. For more information, see Remove ISATAP from the DNS Global Query Block List.

Windows-based ISATAP hosts that can resolve the name ISATAP, perform address auto configuration with the Remote Access server, resulting in the automatic configuration of the following:

  1. An ISATAP-based IPv6 address on an ISATAP tunneling interface.

  2. A 64-bit route that provides connectivity to the other ISATAP hosts on the intranet.

  3. A default IPv6 route that points to the Remote Access server. The default route ensures that intranet ISATAP hosts can reach DirectAccess clients.

When your Windows-based ISATAP hosts obtain an ISATAP-based IPv6 address, they begin to use ISATAP-encapsulated traffic to communicate, if the destination is also an ISATAP host. Because ISATAP uses a single 64-bit subnet for the entire intranet, your communication goes from a segmented, multi-subnet IPv4 model of communication, to a flat, single subnet communication model with IPv6. This can affect the way that some Active Directory Domain Services (AD DS), and other applications that rely on your Active Directory Sites and Services configuration, behave. For example, if you used the Active Directory Sites and Services snap-in to configure sites, IPv4-based subnets, and inter-site transports for forwarding of requests to servers within sites, this configuration is not used by ISATAP hosts.

  1. To configure Active Directory sites and services for forwarding within sites for ISATAP hosts, for each IPv4 subnet object, you must configure an equivalent IPv6 subnet object, in which the IPv6 address prefix for the subnet expresses the same range of ISATAP host addresses as the IPv4 subnet. For example, for the IPv4 subnet 192.168.99.0/24 and the 64-bit ISATAP address prefix 2002:836b:1:8000::/64, the equivalent IPv6 address prefix for the IPv6 subnet object is 2002:836b:1:8000:0:5efe:192.168.99.0/120. For an arbitrary IPv4 prefix length (set to 24 in the example), you can determine the corresponding IPv6 prefix length from the formula: 96 + IPv4PrefixLength.

  2. For the IPv6 addresses of DirectAccess clients, add the following:

    1. An IPv6 subnet for the range 2001:0:WWXX:YYZZ::/64, in which WWXX:YYZZ is the colon-hexadecimal version of the selected First Internet-facing IPv4 address of the Remote Access server. This IPv6 prefix is for Teredo-based DirectAccess clients.

    2. An IPv6 subnet for the range 2002:WWXX:YYZZ:8100::/56, in which WWXX:YYZZ is the colon-hexadecimal version of the selected First Internet-facing IPv4 address (w.x.y.z) of the Remote Access server. This IPv6 prefix is for IP-HTTPS-based DirectAccess clients.

    3. A series of 6to4-based IPv6 prefixes that begin with 2002: and represent the regional, public IPv4 address prefixes that are administered by Internet Assigned Numbers Authority (IANA) and regional registries. The 6to4-based prefix for a public IPv4 address prefix w.x.y.z/n is 2002:WWXX:YYZZ::/[16+n], in which WWXX:YYZZ is the colon-hexadecimal version of w.x.y.z.

      For example, the 7.0.0.0/8 range is administered by American Registry for Internet Numbers (ARIN) for North America. The corresponding 6to4-based prefix for this public IPv6 address range is 2002:700::/24. For information about the IPv4 public address space, see IANA IPv4 Address Space Registry. These IPv6 prefixes are for 6to4-based DirectAccess clients.
ImportantImportant
Ensure that you do not have public IP addresses on the internal interface of the DirectAccess server. If you have public IP address on the internal interface, connectivity through ISATAP may fail.

If the Remote Access server is behind an edge firewall, the following exceptions will be required for Remote Access traffic when the Remote Access server is on the IPv4 Internet:

  • Teredo traffic—User Datagram Protocol (UDP) destination port 3544 inbound, and UDP source port 3544 outbound.

  • 6to4 traffic—IP Protocol 41 inbound and outbound.

  • IP-HTTPS—Transmission Control Protocol (TCP) destination port 443, and TCP source port 443 outbound.

  • If you are deploying Remote Access with a single network adapter, and installing the network location server on the Remote Access server, TCP port 62000 should also be exempted.

    noteNote
    This exemption is on the Remote Access server, while the rest of the exemptions are on the edge firewall.

  • For Teredo and 6to4 traffic, these exceptions should be applied for both of the Internet-facing consecutive public IPv4 addresses on the Remote Access server. For IP-HTTPS the exceptions need to be applied on the address that is registered on the public DNS server.

The following exceptions will be required for Remote Access traffic when the Remote Access server is on the IPv6 Internet:

  • IP Protocol 50

  • UDP destination port 500 inbound, and UDP source port 500 outbound.

  • ICMPv6 traffic inbound and outbound (when using Teredo only).

When using additional firewalls, apply the following internal network firewall exceptions for Remote Access traffic:

  • ISATAP—Protocol 41 inbound and outbound

  • TCP/UDP for all IPv4/IPv6 traffic

  • ICMP for all IPv4/IPv6 traffic (when using Teredo only)

There are three scenarios that require certificates when deployed a single Remote Access server.

  • IPsec authentication—Certificate requirement for IPsec include a computer certificate used by DirectAccess client computers when establishing the IPsec connection between the client and the Remote Access server, and a computer certificate used by Remote Access servers to establish IPsec connections with DirectAccess clients. For DirectAccess in Windows Server® 2012 the use of these IPsec certificates is not mandatory. As an alternative the Remote Access server can act as a Kerberos proxy to perform IPsec authentication without requiring certificates. If Kerberos proxy is used, it works over SSL, and the Kerberos proxy uses the certificate configured for IP-HTTPS for this purpose. Note that some enterprise scenarios (including multisite deployment and OTP client authentication) require the use of certificate authentication, and not Kerberos proxy.

  • IP-HTTPS server—When you configure Remote Access, the Remote Access server is automatically configured to act as the IP-HTTPS web listener. The IP-HTTPS site requires a website certificate, and client computers must be able to contact the certificate revocation list (CRL) site for the certificate.

  • Network location server—The network location server is a website used to detect whether client computers are located in the corporate network. The network location server requires a website certificate. DirectAccess clients must be able to contact the CRL site for the certificate.

The certification authority (CA) requirements for each of these is summarized in the following table.

 

IPsec authentication IP-HTTPS server Network location server

An internal CA is required to issue computer certificates to the Remote Access server and clients for IPsec authentication when you don’t use the Kerberos proxy for authentication

Public CA—It is recommended to use a public CA to issue the IP-HTTPS certificate, this ensures that the CRL distribution point is available externally.

Internal CA—You can use an internal CA to issue the network location server website certificate. Make sure that the CRL distribution point is highly available from the internal network.

Internal CA—You can use an internal CA to issue the IP-HTTPS certificate; however, you must make sure that the CRL distribution point is available externally.

Self-signed certificate—You can use a self-signed certificate for the network location server website; however, you cannot use a self-signed certificate in multisite deployments.

Self-signed certificate—You can use a self-signed certificate for the IP-HTTPS server. A self-signed certificate cannot be used in a multisite deployment.

If you are using certificate-based IPsec authentication, the Remote Access server and clients are required to obtain a computer certificate. The simplest way to install the certificates it to configure group-policy based auto enrollment for computer certificates. This ensures that all domain members obtain a certificate from an enterprise CA. If you do not have an enterprise CA set up in your organization, see Active Directory Certificate Services. Note that the following is required for this certificate:

  • The certificate should have client authentication extended key usage (EKU).

  • Both the client and the server certificates should chain to the same root certificate. This root certificate must be selected in the DirectAccess configuration settings.

The Remote Access server acts as an IP-HTTPS listener, and you must manually install an HTTPS website certificate on the server. Note the following when planning:

  • Using a public CA is recommended, so that CRLs are readily available.

  • In the subject field, specify either the IPv4 address of the Internet adapter of Remote Access server, or the FQDN of the IP-HTTPS URL (the ConnectTo address). If the Remote Access server is located behind a NAT device, the public name or address of the NAT device should be specified.

  • The common name of the certificate should match the name of the IP-HTTPS site.

  • For the Enhanced Key Usage field, use the Server Authentication object identifier (OID).

  • For the CRL Distribution Points field, specify a CRL distribution point that is accessible by DirectAccess clients that are connected to the Internet.

    noteNote
    This is only required for Windows 7 clients.

  • The IP-HTTPS certificate must have a private key.

  • The IP-HTTPS certificate must be imported directly into the personal store.

  • IP-HTTPS certificates can have wildcards in the name.

When planning for the network location server website, note the following:

  • In the Subject field, specify either an IP address of the intranet interface of the network location server or the FQDN of the network location URL.

  • For the Enhanced Key Usage field, use the Server Authentication OID.

  • For the CRL Distribution Points field, use a CRL distribution point that is accessible by DirectAccess clients that are connected to the intranet. This CRL distribution point should not be accessible from outside the internal network.

noteNote
Ensure that the certificates for IP-HTTPS and network location server have a Subject Name. If the certificate does not have a Subject Name but has an Alternative Name, then it will not be accepted by the Remote Access wizard.

In a Remote Access deployment, DNS is required for the following:

  • DirectAccess client requests—DNS is used to resolve requests from DirectAccess client computers that are not located on the internal network. DirectAccess clients attempt to connect to the DirectAccess network location server in order to determine whether they are located on the Internet, or on the corporate network: If the connection is successful, then clients are determined to be on the intranet and DirectAccess is not used, and client requests are resolved using the DNS server configured on the network adapter of the client computer. If the connection does not succeed, clients are assumed to be on the Internet. DirectAccess clients will use the name resolution policy table (NRPT) to determine which DNS server to use when resolving name requests. You can specify that clients should use DirectAccess DNS64 to resolve names, or an alternative internal DNS server. When performing name resolution, the NRPT is used by DirectAccess clients to identify how to handle a request. Clients request an FQDN or single-label name such as http://internal. If a single-label name is requests, a DNS suffix is appended to make an FQDN. If the DNS query matches an entry in the NRPT, and DNS4 or an intranet DNS server is specified for the entry, then the query is sent for name resolution using the specified server. If a match exists but no DNS server is specified, then this indicates an exemption rule and normal name resolution is applied.

    Note that when a new suffix is added to the NRPT in the Remote Access Management console, the default DNS servers for the suffix can be automatically discovered by clicking the Detect button. Auto detection works as follows:

    1. If the corporate network is IPv4-based, or IPv4 and IPv6, the default address is the DNS64 address of the internal adapter on the Remote Access server.

    2. If the corporate network is IPv6-based, the default address is the IPv6 address of DNS servers in the corporate network.

  • Infrastructure servers

    1. Network location server—DirectAccess clients attempt to reach the network location server to determine if they are on the internal network. Clients on the internal network must be able to resolve the name of the network location server, but must be prevented from resolving the name when they are located on the Internet. To ensure this occurs, by default, the FQDN of the network location server is added as an exemption rule to the NRPT. In addition, when you configure Remote Access, the following rules are created automatically:

      1. A DNS suffix rule for root domain or the domain name of the Remote Access server, and the IPv6 addresses corresponding to the intranet DNS servers configured on the Remote Access server. For example, if the Remote Access server is a member of the corp.contoso.com domain, a rule is created for the corp.contoso.com DNS suffix.

      2. An exemption rule for the FQDN of the network location server. For example, if the network location server URL is https://nls.corp.contoso.com, an exemption rule is created for the FQDN nls.corp.contoso.com.

      IP-HTTPS server—The Remote Access server acts as an IP-HTTPS listener and uses its server certificate to authenticate to IP-HTTPS clients. The IP-HTTPS name must be resolvable by DirectAccess clients using public DNS servers.

      Connectivity verifiers—Remote Access creates a default web probe that is used by DirectAccess client computers use to verify connectivity to the internal network. To ensure the probe works as expected the following names must be registered manually in DNS:

      1. directaccess-webprobehost—should resolve to the internal IPv4 address of the Remote Access server, or to the IPv6 address in an IPv6-only environment.

      2. directaccess-corpconnectivityhost—should resolve to localhost (loopback) address. A and AAAA record should be created, A record with value 127.0.0.1 and AAAA record with value constructed out of NAT64 prefix with the last 32 bits as 127.0.0.1. The NAT64 prefix can be retrieved by running the cmdlet get-netnattransitionconfiguration.

        noteNote
        This is valid only in IPv4-only environments. In an IPv4+IPv6, or IPv6-only environment, only a AAAA record should be created with the loopback IP address ::1.

      You can create additional connectivity verifiers using other web addresses over HTTP or PING. For each connectivity verifier, a DNS entry must exist.

  • For DirectAccess clients, you must use either a DNS server running Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or any DNS server that supports IPv6.

  • You should use a DNS server that supports dynamic updates. You can use DNS servers that do not support dynamic updates, but entries must be manually updated.

  • The FQDN for your Internet-accessible CRL distribution points must be resolvable using Internet DNS servers. For example, if URL http://crl.contoso.com/crld/corp-DC1-CA.crl is in the CRL Distribution Points field of the IP-HTTPS certificate of the Remote Access server, you must ensure that the FQDN crld.contoso.com is resolvable using Internet DNS servers.

When planning for local name resolution, consider the following issues:

  • NRPT—You may need to create additional NRPT rules in the following cases:

    • You need to add more DNS suffixes for your intranet namespace.

    • If the FQDN of your CRL distribution points are based on your intranet namespace, you must add exemption rules for the FQDNs of the CRL distribution points.

    • If you have a split-brain DNS environment, you must add exemption rules for the names of resources for which you want DirectAccess clients located on the Internet to access the Internet version, rather than the intranet version.

    • If you are redirecting traffic to an external website through your intranet web proxy servers, the external website is available only from the intranet, and uses the addresses of your web proxy servers to permit the inbound requests. In this case, add an exemption rule for the FQDN of the external website, and specify that the rule uses your intranet web proxy server rather than the IPv6 addresses of intranet DNS servers.

      For example, when testing an external website named test.contoso.com. This name is not resolvable via Internet DNS servers, but the Contoso web proxy server knows how to resolve the name and to direct requests for the website to the external web server. To prevent users who are not on the Contoso intranet from accessing the site, the external website allows requests only from the IPv4 Internet address of the Contoso web proxy. Thus, intranet users can access the website because they are using the Contoso web proxy but DirectAccess users cannot because they are not using the Contoso web proxy. By configuring an NRPT exemption rule for test.contoso.com that uses the Contoso web proxy, webpage requests for test.contoso.com are routed to the intranet web proxy server over the IPv4 Internet.

  • Single label names—Single label names, such as http://paycheck, are sometimes used for intranet servers. If a single label name is requested, and a DNS suffix search list is configured, the DNS suffixes in the list will be appended to the single label name. For example, when a user on a computer that is a member of the corp.contoso.com domain types http://paycheck in the web browser, the FQDN constructed as the name is paycheck.corp.contoso.com. By default the appended suffix is based on the primary DNS suffix of the client computer.

    noteNote
    Note that in a disjoint name space scenario (where one or more domain computers has a DNS suffix that does not match the Active Directory domain to which the computers belong), you should ensure that the search list is customized to include all the required suffixes. The Remote Access wizard, by default, will configure the Active Directory DNS name as the primary DNS suffix on the client. Make sure to add the DNS suffix used by clients for name resolution.



    If multiple domains and WINS are deployed in your organization and you are connecting remotely, single-names can be resolved by:

    • Deploying a WINS forward lookup zone in the DNS—When trying to resolve computername.dns.zone1.corp.contoso.com, the request is directed to the WINS server that is only using computername. The client thinks it is issuing a regular DNS A RR request but it is actually a NetBIOS request. For more information see Managing a Forward Lookup Zone.

    • Adding a DNS suffix, for example dns.zone1.corp.contoso.com, to the default domain policy GPO.

  • Split-brain DNS—Split-brain DNS is the use of the same DNS domain for both Internet and intranet name resolution.

    For split-brain DNS deployments, you must list the FQDNs that are duplicated on the Internet and intranet, and decide which resources the DirectAccess client should reach, the intranet or the Internet version. For each name that corresponds to a resource for which you want DirectAccess clients to reach the Internet version, you must add the corresponding FQDN as an exemption rule to the NRPT for your DirectAccess clients. In a split-brain DNS environment, if you want both versions of the resource to be available, configure your intranet resources with alternate names, that are not duplicates of the names used on the Internet, and instruct your users to use the alternate name when on the Intranet. For example, configure the alternate name www.internal.contoso.com for the internal name www.contoso.com. In a non-split-brain DNS environment, the Internet namespace is different from the intranet namespace. For example, the Contoso Corporation uses contoso.com on the Internet and corp.contoso.com on the intranet. Because all intranet resources use the corp.contoso.com DNS suffix, the NRPT rule for corp.contoso.com routes all DNS name queries for intranet resources to intranet DNS servers. DNS name queries for names with the contoso.com suffix do not match the corp.contoso.com intranet namespace rule in the NRPT, and are sent to Internet DNS servers. With a non-split-brain DNS deployment, because there is no duplication of FQDNs for intranet and Internet resources, there is no additional configuration needed for the NRPT. DirectAccess clients can access both Internet and intranet resources for their organization.

  • Local name resolution behavior for DirectAccess clients—If a name cannot be resolved with DNS, the DNS Client service in Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7 can use local name resolution, with the Link-Local Multicast Name Resolution (LLMNR) and NetBIOS over TCP/IP protocols, to resolve the name on the local subnet. Local name resolution is typically needed for peer-to-peer connectivity when the computer is located on private networks, such as single subnet home networks. When the DNS Client service performs local name resolution for intranet server names and the computer is connected to a shared subnet on the Internet, malicious users can capture LLMNR and NetBIOS over TCP/IP messages to determine intranet server names. On the DNS page of the Infrastructure Server Setup wizard, you configure the local name resolution behavior based on the types of responses received from intranet DNS servers. The following options are available:

    • Use local name resolution if the name does not exist in DNS—This option is the most secure because the DirectAccess client performs local name resolution only for server names that cannot be resolved by intranet DNS servers. If the intranet DNS servers can be reached, the names of intranet servers are resolved. If the intranet DNS servers cannot be reached, or if there are other types of DNS errors, the intranet server names are not leaked to the subnet through local name resolution.

    • Use local name resolution if the name does not exist in DNS or DNS servers are unreachable when the client computer is on a private network (recommended)—This option is recommended because it allows the use of local name resolution on a private network only when the intranet DNS servers are unreachable.

    • Use local name resolution for any kind of DNS resolution error (least secure)—This is the least secure option because the names of intranet network servers can be leaked to the local subnet through local name resolution.

The network location server is a website used to detect whether DirectAccess clients are located in the corporate network. Clients in the corporate network do not use DirectAccess to reach internal resources, but instead connect directly.

The network location server website can be hosted on the Remote Access server or on another server in your organization. If you host the network location server on the Remote Access server, the website is created automatically when you deploy Remote Access. If you host the network location server on another server running a Windows operating system in your organization, you must make sure that Internet Information Services (IIS) is installed on that server, and that the website is created. Remote Access does not configure settings on the remote network location server.

Make sure that the network location server website meets the following requirements:

  • It is a website with an HTTPS server certificate.

  • DirectAccess client computers must trust the CA that issued the server certificate to the network location server website.

  • DirectAccess client computers on the internal network must be able to resolve the name of the network location server site.

  • The network location server site must be highly available to computers on the internal network.

  • The network location server must not be accessible to DirectAccess client computers on the Internet.

  • The server certificate must be checked against a Certificate Revocation List (CRL).

When obtaining the website certificate to use for the network location server, note the following:

  1. In the Subject field, specify either an IP address of the intranet interface of the network location server or the FQDN of the network location URL.

  2. For the Enhanced Key Usage field, use the Server Authentication OID.

  3. For the CRL Distribution Points field, use a CRL distribution point that is accessible by DirectAccess clients that are connected to the intranet. This CRL distribution point should not be accessible from outside the internal network.

DirectAccess clients attempt to reach the network location server to determine if they are on the internal network. Clients on the internal network must be able to resolve the name of the network location server, but must be prevented from resolving the name when they are located on the Internet. To ensure this occurs, by default, the FQDN of the network location server is added as an exemption rule to the NRPT.

DirectAccess clients initiate communications with management servers that provide services such as Windows update and antivirus updates. DirectAccess clients also contact domain controllers to authenticate using Kerberos before accessing the internal network. During remote management of DirectAccess clients, management servers communicate with client computers to perform management functions such as software or hardware inventory assessments. Remote Access can automatically discover some management servers, including:

  • Domain controllers—Auto-discovery of domain controllers is performed for the domains containing client computers containing client computers and for all domains in the same forest as the Remote Access server. .

  • System Center Configuration Manager servers

Domain controllers and System Center Configuration Manager servers are automatically detected the first time that DirectAccess is configured. Detected domain controllers are not displayed in the console, but settings can be retrieved using PowerShell cmdlets. If domain controller or System Center Configuration Manager servers are modified, then clicking Update Management Servers in the console refreshes the management server list.

Management server requirements

  • Management servers must be accessible over the first (infrastructure) tunnel. When you configure Remote Access, adding servers to the management servers list automatically makes them accessible over this tunnel.

  • Management servers that initiate connections to DirectAccess clients must fully support IPv6, either by means or a native IPv6 address or using one assigned by ISATAP.

Remote Access uses Active Directory and Active Directory Group Policy Objects as follows:

  • Authentication—Active Directory is used for authentication. The infrastructure tunnel uses NTLMv2 authentication for the computer account connecting to the Remote Access server, and the account must be in an Active Directory domain. The intranet tunnel uses Kerberos authentication for the user to create the second tunnel.

  • Group policy objects—Remote Access gathers configuration settings into group policy objects that are applied to Remote Access servers, clients, and internal application servers.

  • Security groups—Remote Access uses security groups to gather together and identify DirectAccess client computers. The group policies are applied to the required security group.

Active Directory Requirements

When planning Active Directory for a Remote Access deployment, the following is required:

  • At least one domain controller installed on the Windows Server 2012, Windows Server 2008 R2 Windows Server 2008, or Windows Server 2003 operating systems.

    If the domain controller is on a perimeter network (and therefore reachable from the Internet-facing network adapter of Remote Access server) prevent the Remote Access server from reaching it by adding packet filters on the domain controller, to prevent connectivity to the IP address of the Internet adapter.

  • The Remote Access server must be a domain member.

  • DirectAccess clients must be domain members. Clients can belong to:

    • Any domain in the same forest as the Remote Access server.

    • Any domain that has a two-way trust with the Remote Access server domain.

    • Any domain in a forest that has a two-way trust with the forest to which the Remote Access domain belongs.

noteNote
  • The Remote Access server cannot be a domain controller.

  • The Active Directory domain controller used for Remote Access must not be reachable from the external Internet adapter of the Remote Access server (the adapter must not be in the domain profile of Windows Firewall).

Remote Access in Windows Server® 2012 allows you to choose between using certificates for IPsec computer authentication or using a built in Kerberos proxy that authenticates using user names and passwords.

When you choose Active Directory credentials for authentication, DirectAccess uses one security tunnel that uses Computer Kerberos for the first authentication method, and User Kerberos for second authentication method. When using this mode for authentication, DirectAccess uses a single security tunnel that provides access to the DNS server, the domain controller, and to any other server on the internal network

When you choose to use two factor authentication or Network Access Protection, DirectAccess uses two security tunnels. The Remote Access Setup wizard configures Windows Firewall with Advanced Security connection security rules that specify the use of the following types of credentials when negotiating the IPsec security associations for the tunnels to the Remote Access server:

  • The infrastructure tunnel uses Computer certificate credentials for the first authentication and User (NTLMv2) for the second authentication. User (NTLMv2) credentials force the use of Authenticated Internet Protocol (AuthIP) and provide access to a DNS server and domain controller before the DirectAccess client can use Kerberos credentials for the intranet tunnel.

  • The intranet tunnel uses Computer certificate credentials for the first authentication and User (Kerberos V5) for the second authentication.

The management servers list should include domain controllers from all domain containing security groups that include DirectAccess client computers. It should contain all domains that contain user accounts that might use computers configured as DirectAccess clients. This ensures that users who are not located in the same domain as the client computer they are using are authenticated with a domain controller in the user domain. This will be done automatically if domains are in the same forest. Note that if there are computers in the security group used for client computers or application servers that are in different forests, the domain controllers of those forests are not detected automatically. forests are also not detected automatically. You can run the task Update Management Servers in the Remote Access Management UI to detect these domain controllers. You can run the task Update Management Servers in the Remote Access Management to detect these domain controllers.

Where possible, common domain name suffixes should be added to the NRPT during Remote Access deployment. For example, if you have two domains, domain1.corp.contoso.com and domain2.corp.contoso.com, instead of adding two entries into the NRPT, you can add a common DNS suffix entry, where the domain name suffix is corp.contoso.com. Note that this happens automatically for domains in the same root. Domains that are not in the same root must be added manually.

DirectAccess settings configured when you configure Remote Access are collected into Group Policy Objects (GPO). Two different GPOs are populated with DirectAccess settings, and distributed as follows:

  • DirectAccess client GPO—This GPO contains client settings, including IPv6 transition technology settings, NRPT entries, and Windows Firewall with Advanced Security connection security rules. The GPO is applied to the security groups specified for the client computers.

  • DirectAccess server GPO—This GPO contains the DirectAccess configuration settings that are applied to any server configured as a Remote Access server in your deployment. It also contains Windows Firewall with Advanced Security connection security rules.

noteNote
· Application servers GPO—Configuration of application servers is not supported in the DirectAccess manage out only configuration because clients cannot access the internal network of the DirectAccess server where application servers reside. Step four on the Remote Access Setup CONFIGURATION screen is greyed out and not accessible when using the manage out only configuration.

GPOs can be configured in two ways:

  1. Automatically—You can specify that they are created automatically. A default name is specified for each GPO.

  2. Manually—You can use GPOs that have been predefined by the Active Directory administrator.

Note that once DirectAccess is configured to use specific GPOs, it cannot be configured to use different GPOs.

CautionCaution
Use the following procedure to backup all Remote Access Group Policy Objects before executing DirectAccess cmdlets: Back up and Restore Remote Access Configuration

ImportantImportant
Whether you are using automatically or manually configured GPOs, you will need to add a policy for slow link detection if your clients will use 3G. The Group Policy path for Policy: Configure Group Policy slow link detection is: Computer configuration / Polices / Administrative Templates / System / Group Policy.

Note the following when using automatically-created GPOs:

Automatically created GPOS are applied according to the location and link target parameter, as follows:

  • For the DirectAccess server GPO, both the location and link parameters point to the domain containing the Remote Access server.

  • When client and application server GPOs are created, the location is set to a single domain in which the GPO will be created. The GPO name is looked up in each domain, and filled with DirectAccess settings if it exists. The link target is set to the root of the domain in which the GPO was created. A GPO is created for each domain that contains client computers or application servers, and the GPO is linked to the root of its respective domain.

When using automatically created GPOs, to apply DirectAccess settings, the Remote Access server administrator requires the following permissions:

  • GPO create permissions for each domain.

  • Link permissions for all the selected client domain roots.

  • Link permissions for the server GPO domain roots.

  • Create, edit, delete, and modify security permissions are required for the GPOs.

  • It is recommended that the Remote Access administrator has GPO read permissions for each required domain. This enables Remote Access to verify that GPOs with duplicate names do not exist when creating GPOs.

Note that if the correct permissions for linking GPOs do not exist, a warning is issued. The Remote Access operation will continue but linking will not occur. If this warning is issued links will not be created automatically, even after the permissions added later. Instead the administrator will need to create the links manually.

Note the following when using manually-created GPOs:

  • The GPOs should exist before running the Remote Access Setup wizard.

  • When using manually-created GPOs, to apply DirectAccess settings the Remote Access server administrator requires full GPO permissions (Edit, Delete, Modify security) on the manually-created GPOs.

  • When using manually created GPOs a search is made for a link to the GPO in the entire domain. If the GPO is not linked in the domain then a link is automatically created in the domain root. If the required permissions to create the link are not available a warning is issued.

Note that if the correct permissions for linking GPOs do not exist, a warning is issued. The Remote Access operation will continue but linking will not occur. If this warning is issued links will not be created automatically, even after the permissions are added later. Instead the administrator will need to create the links manually.

If a Remote Access server, client, or application server GPO has been deleted by accident and there is no backup available, you must remove the configuration settings and re-configure again. If a backup is available, you can restore the GPO from the backup.

Remote Access Management will display the following error message: GPO <GPO name> cannot be found. To remove the configuration settings, take the following steps:

  1. Run the PowerShell cmdlet Uninstall-remoteaccess.

  2. Re-open Remote Access Management.

  3. You will see an error message that the GPO is not found. Click Remove configuration settings. After completion, the server will be restored to an un-configured state.

Did you find this helpful?
(1500 characters remaining)

Community Additions

ADD
© 2013 Microsoft
|
Site Feedback
© 2013 Microsoft. All rights reserved.