The Cable Guy: DirectAccess with Network Access Protection (NAP)

DirectAccess is good. Team it up with Network Access Protection and the two are even better.

By The Cable Guy

Remote users can now have more secure access to your company networks. DirectAccess is a new feature in Windows 7 and Windows Server 2008 R2 that gives remote users secure access to intranet resources without connecting to a virtual private network (VPN).

Network Access Protection (NAP) is also built into Windows Server 2008 R2 and Windows 7. This monitors and assesses the health of client computers when they attempt to connect or communicate on a network.

The two together are a formidable combination. DirectAccess with NAP lets you specify that only DirectAccess clients that meet system health requirements can reach intranet resources across the Internet.

DirectAccess Tunnels

DirectAccess clients using full intranet access or selected server access models create the following Internet Protocol security (IPsec) tunnels to a DirectAccess server:

  • Infrastructure tunnel: reaches intranet Domain Name System (DNS) servers and Active Directory Domain Services (AD DS) domain controllers. By default, this tunnel requires a computer certificate and computer account NT LAN Manager version 2 (NTLMv2) credentials for authentication. The DirectAccess client creates this tunnel before the user logs on.
  • Management tunnel: reaches additional intranet locations before the user logs on. Intranet management servers can also create this tunnel to remotely manage DirectAccess clients. Like the infrastructure tunnel, by default this tunnel requires a computer certificate and computer account NTLMv2 credentials for authentication.
  • Intranet tunnel: reaches intranet locations not on the list of destination addresses in the infrastructure and management tunnel rules after the user has logged on. By default, this tunnel requires a computer certificate and user account Kerberos credentials for authentication.

NAP and IPsec Enforcement

There are a variety of enforcement methods in which you can deploy NAP to enforce system health requirements for connecting or communicating. The IPsec enforcement method uses health certificates—digital certificates with the System Health Authentication object identifier (OID) in the Enhanced Key Usage (EKU) field, and IPsec connection security rules that require IPsec protection of intranet traffic and IPsec peer authentication with health certificates.

This combination can enforce system health requirements for communication between computers on an intranet. Computers that are not compliant with system health requirements and lack a health certificate can’t initiate communication on the intranet.

An IPsec enforcement deployment requires the following:

  • Health Registration Authority (HRA): a Web server that receives and responds to NAP clients and their requests to validate their system health and obtain a health certificate.
  • NAP Certification Authority (CA): a CA in your public key infrastructure (PKI), typically dedicated, that issues health certificates for compliant NAP clients.
  • NAP health policy server: a Network Policy Server (NPS) that validates system health requests.
  • Remediation servers: servers that contain resources NAP clients need to correct their noncompliant system health.

Health certificates obtained through the HRA have short lifecycles, typically measured in hours. You can also issue exemption health certificates that have a long lifetime to servers that need health certificates for IPsec peer authentication but do not need to perform system health validation.
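The following PowerShell script is an added example, not code from the article or from Microsoft. It enumerates the local computer's Personal certificate store and reports every certificate that carries the System Health Authentication EKU, separating the short-lived health certificates that an HRA issues from long-lived exemption certificates by their validity period. The EKU OID 1.3.6.1.4.1.311.47.1.1 (System Health Authentication) is assumed from Microsoft's published OID, the 24-hour split between "health" and "exemption" is a constructed heuristic, and the 30-minute expiry margin is an arbitrary operator choice. The same script is a quick way to confirm, on a DirectAccess client, that health validation actually produced a certificate the intranet tunnel rules can use.

```powershell
# Added example (not from the article): report certificates in the computer's Personal
# store that carry the System Health Authentication EKU and how much life they have left.
# Assumptions: EKU OID 1.3.6.1.4.1.311.47.1.1 (System Health Authentication); a lifetime
# of 24 hours or less marks an HRA-issued health certificate, anything longer an exemption
# certificate (constructed heuristic); 30 minutes is the expiry margin before a warning.
$SystemHealthAuthOid = '1.3.6.1.4.1.311.47.1.1'
$ShortLivedThreshold = [TimeSpan]::FromHours(24)
$ExpiryMargin        = [TimeSpan]::FromMinutes(30)

function Get-HealthCertificate {
    param([string] $StorePath = 'Cert:\LocalMachine\My')
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        # Pull the Enhanced Key Usage extension, if present, and look for the health OID.
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if (-not $eku) { return }
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($oids -notcontains $SystemHealthAuthOid) { return }

        $now      = Get-Date
        $lifetime = $cert.NotAfter - $cert.NotBefore
        # HRA-issued health certificates live for hours; a multi-month or multi-year
        # lifetime points at an exemption certificate issued to a server.
        $kind = if ($lifetime -le $ShortLivedThreshold) { 'HealthCertificate' } else { 'ExemptionCertificate' }
        [pscustomobject]@{
            Kind          = $kind
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            NotBefore     = $cert.NotBefore
            NotAfter      = $cert.NotAfter
            Lifetime      = $lifetime
            Remaining     = $cert.NotAfter - $now
            Expired       = ($now -gt $cert.NotAfter)
            HasPrivateKey = $cert.HasPrivateKey   # IPsec peer authentication needs the private key
        }
    }
}

$found = @(Get-HealthCertificate)
if ($found.Count -eq 0) {
    Write-Warning "No certificate with the System Health Authentication EKU ($SystemHealthAuthOid) is in the computer store; connection security rules that require a health certificate will not be satisfied."
    exit 1
}
$found | Format-Table Kind, Subject, Issuer, NotAfter, Remaining, Expired, HasPrivateKey -AutoSize

# Exit non-zero when no certificate is usable now or within the expiry margin, so the
# script can be used from a monitoring job.
$usable = $found | Where-Object { -not $_.Expired -and $_.Remaining -gt $ExpiryMargin -and $_.HasPrivateKey }
if (-not $usable) {
    Write-Warning 'No usable health certificate (expired, about to expire, or no private key); expect the NAP client to revalidate with the HRA.'
    exit 2
}
exit 0
```

Run it in an elevated PowerShell session on the DirectAccess client or on a server that holds an exemption certificate. An exit code of 1 means no health certificate exists at all, 2 means one exists but is not usable; both are the conditions under which a tunnel rule with auth1healthcert=yes will refuse the peer.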

DirectAccess with NAP

DirectAccess with NAP integrates system health compliance with the DirectAccess connection process. When you combine DirectAccess with NAP to enforce system health requirements prior to allowing access to intranet resources, you leverage the NAP infrastructure to issue health certificates (HRAs, NAP CAs, NAP health policy servers) and correct system health (remediation servers). You also take advantage of DirectAccess connection security rules for the infrastructure, management, and intranet tunnels.

By default, the connection security rules configured on the DirectAccess client and server for the infrastructure, management and intranet tunnels do not require health certificates for authentication. The set of rules you need to modify to require health certificates depends on the following:

  • NAP deployment mode (reporting or full enforcement)

Reporting mode does not require system health compliance. Noncompliant DirectAccess clients can access the intranet. Therefore, no changes are required for DirectAccess connection security rules.

Full enforcement mode requires system health compliance. In this mode, you must configure connection security rules to require health certificates, rather than normal computer certificates.

  • Location of your HRAs and remediation servers

You can locate HRAs and remediation servers on your intranet or on the Internet.

The following sections describe these two possible locations of HRAs and remediation servers and the resulting changes you’ll need to make so the connection security rules require health certificates.

Intranet-Based HRAs and Remediation Servers

When the HRAs and remediation servers are located on the intranet, they must be accessible to DirectAccess clients with computer certificates, but no health certificates. Health validation occurs after creating the infrastructure and management tunnels. The DirectAccess client needs the infrastructure tunnel to access an intranet DNS server to resolve intranet names and the management tunnel to access the HRAs and remediation servers.

Figure 1  DirectAccess with NAP when the HRAs and remediation servers are on the intranet.

However, for full enforcement mode, the DirectAccess client needs a health certificate before it can reach other intranet resources. Therefore, the health certificate requirement only applies to the connection security rules for the intranet tunnel.

Configuration Steps

To configure DirectAccess with NAP when the HRAs and remediation servers are on the intranet, you need to:

  • Add the IPv6 addresses of the HRAs and remediation servers to the list of management servers. You can do this with step three of the DirectAccess Setup Wizard or with Netsh.exe commands.
  • Configure the intranet tunnel rule in DirectAccess server Group Policy object (GPO) to require health certificates with a Netsh.exe command.

For detailed steps, see Configure DirectAccess Connection Security Rules for NAP.

When you use Netsh.exe to customize DirectAccess connection security rules, the changes are overwritten the next time you apply the settings of the DirectAccess Setup Wizard. To ensure the custom settings are maintained, you should either no longer use the DirectAccess Setup Wizard for configuration changes or compile a list of custom changes in a script and run the script each time you apply the DirectAccess Setup Wizard settings.

How It Works

The following process describes how DirectAccess with NAP works for a DirectAccess client when the HRA and remediation servers are only on the intranet:

  1. When the DirectAccess client starts and attempts to log on to the AD DS domain with its computer account, it creates the infrastructure tunnel using its computer certificate. [infrastructure tunnel]
  2. When the NAP Agent starts, the DirectAccess client resolves the fully qualified domain name (FQDN) of a configured HRA uniform resource locator (URL), creates the management tunnel using its computer certificate, and then sends its current health state information to the HRA. [management tunnel]
  3. The HRA sends the DirectAccess client’s health state information to the NAP health policy server. [intranet traffic]
  4. The NAP health policy server evaluates the health state information of the DirectAccess client, determines whether it’s compliant, and sends the results to the HRA. [intranet traffic]
  5. The HRA sends the DirectAccess client the health evaluation results. [management tunnel]
  6. Assuming a compliant health state, the HRA obtains a health certificate from a NAP CA and sends it to the DirectAccess client. [management tunnel]
  7. When the DirectAccess client attempts to access a resource on the intranet, it first creates the intranet tunnel using the health certificate. [intranet tunnel]

If the DirectAccess client is not compliant:

  1. The HRA sends the DirectAccess client the health evaluation results, which include health remediation instructions, and does not obtain a health certificate. [management tunnel]
  2. Depending on the health evaluation components installed, the DirectAccess client might need to access remediation servers to correct its health state. If so, the DirectAccess client sends update requests to the appropriate remediation servers. [management tunnel]
  3. The remediation servers provision the DirectAccess client with the required settings or updates to comply with system health requirements. [management tunnel]
  4. The DirectAccess client sends its updated health state information to the HRA. [management tunnel]
  5. The HRA sends the updated health state information to the NAP health policy server. Assuming that all the required updates were made, the NAP health policy server determines that the DirectAccess client is compliant and sends that result to the HRA. [intranet traffic]
  6. The HRA obtains a health certificate from the NAP CA. [intranet traffic]
  7. The HRA sends the health certificate to the DirectAccess client. [management tunnel]
  8. When the DirectAccess client attempts to access a resource on the intranet, it creates the intranet tunnel using the health certificate. [intranet tunnel]

HRAs and Remediation Servers on the Internet

When the HRAs and remediation servers are located only on the Internet, they’re always accessible to DirectAccess clients and system health validation occurs independently of DirectAccess tunnels.

Figure 2 shows the configuration when the HRAs and remediation servers are only on the Internet. For more information about this configuration, see the June 2009 Cable Guy article, “NAP on the Internet.”

Figure 2  DirectAccess with NAP when the HRAs and remediation servers are on the Internet.

Figure 2  DirectAccess with NAP when the HRAs and remediation servers are on the Internet.

For full enforcement mode, the DirectAccess client needs a health certificate before it can reach any intranet resource with the exception of management servers, which might be needed to remotely manage or support non-compliant DirectAccess clients from the intranet. Therefore, requiring a health certificate applies to the connection security rules for the infrastructure, intranet, and management (optional) tunnels.

Configuration Steps

To configure DirectAccess with NAP when the HRAs and remediation servers are on the Internet, you need to change the infrastructure, intranet and management tunnel rules in DirectAccess server GPO to require health certificates with Netsh.exe commands.

The following commands use the default names of the GPOs and connection security rules as configured by the DirectAccess Setup Wizard in Windows Server 2008 R2:

  1. At an administrator-level command prompt, run the netsh -c advfirewall command.
  2. At the netsh advfirewall prompt, run the following commands:

set store gpo="DomainName\DirectAccess Policy-{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300}"
consec set rule name="DirectAccess Policy-DaServerToDnsDC" new auth1=computercert auth1ca="CANameString" auth1healthcert=yes applyauthz=yes
consec set rule name="DirectAccess Policy-DaServerToCorp" new auth1=computercert auth1ca="CANameString" auth1healthcert=yes applyauthz=yes
consec set rule name="DirectAccess Policy-DaServerToMgmt" new auth1=computercert auth1ca="CANameString" auth1healthcert=yes applyauthz=yes

Notes: DomainName is the FQDN of your AD DS domain. CANameString is the value of the Auth1CAName field in the display of the consec show rule name="DirectAccess Policy-DaServerToCorp" command.

Run the last command only if you have defined management servers and you want to prevent noncompliant DirectAccess clients from accessing them.
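Because the DirectAccess Setup Wizard overwrites Netsh.exe customizations, the article recommends keeping the custom changes in a script and re-running it after every wizard pass. The PowerShell script below is an added example of such a script, not code from the article or from Microsoft, and it covers both configuration sections: by default it modifies only the intranet tunnel rule (the intranet-located HRA case), and passing all three rule names handles the Internet-located HRA case. It assumes the default GPO and connection security rule names the wizard creates (as listed in the article), takes the GPO GUID, domain name and CA name string from parameters rather than hard-coding them, and assumes English netsh output when it reads Auth1CAName from the DaServerToCorp rule for you. Invoke-NetshScript is a hypothetical helper name.

```powershell
# Added example (not the article's own script): re-apply the health-certificate requirement
# to the DirectAccess server GPO connection security rules after each run of the
# DirectAccess Setup Wizard. Assumptions: default wizard GPO/rule names; English netsh
# output when Auth1CAName is read automatically; GPO GUID and domain name are placeholders
# supplied by the caller.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $DomainName,   # FQDN of the AD DS domain, e.g. corp.example.com
    [Parameter(Mandatory)] [string] $GpoGuid,      # GUID from the "DirectAccess Policy-{...}" GPO name
    [string] $CaNameString,                        # Auth1CAName value; read from DaServerToCorp if omitted
    # Intranet-located HRAs: only the intranet tunnel rule (the default).
    # Internet-located HRAs: pass DaServerToDnsDC, DaServerToCorp and optionally DaServerToMgmt.
    [string[]] $Rules = @('DirectAccess Policy-DaServerToCorp')
)
$ErrorActionPreference = 'Stop'
$gpoName = "$DomainName\DirectAccess Policy-{$GpoGuid}"
$store   = "gpo=`"$gpoName`""

# "set store" lasts only for one netsh session, so all commands go into a script file that
# a single "netsh -f" process executes in the advfirewall context (hypothetical helper).
function Invoke-NetshScript([string[]] $Lines) {
    $file = [System.IO.Path]::GetTempFileName()
    try {
        Set-Content -Path $file -Value (@('advfirewall') + $Lines) -Encoding ASCII
        $output = & netsh.exe -f $file
        if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE:`n$($output -join "`n")" }
        $output
    } finally {
        Remove-Item -Path $file -ErrorAction SilentlyContinue
    }
}

# Read the CA name string from the existing DaServerToCorp rule if the caller did not supply it.
if (-not $CaNameString) {
    $show  = Invoke-NetshScript @("set store $store", 'consec show rule name="DirectAccess Policy-DaServerToCorp"')
    $match = $show | Select-String -Pattern '^\s*Auth1CAName:\s*(.+?)\s*$' | Select-Object -First 1
    if (-not $match) { throw 'Could not read Auth1CAName from the DaServerToCorp rule; pass -CaNameString explicitly.' }
    $CaNameString = $match.Matches[0].Groups[1].Value
}

# Build the rule changes exactly as the article's netsh commands, one per requested rule,
# followed by a "show rule" for each so the result is visible in the same session.
$commands = @("set store $store")
foreach ($rule in $Rules) {
    $commands += "consec set rule name=`"$rule`" new auth1=computercert auth1ca=`"$CaNameString`" auth1healthcert=yes applyauthz=yes"
}
foreach ($rule in $Rules) {
    $commands += "consec show rule name=`"$rule`""
}

if ($PSCmdlet.ShouldProcess("GPO $gpoName", "require health certificates on: $($Rules -join ', ')")) {
    Invoke-NetshScript $commands
} else {
    # -WhatIf: show the netsh script that would run without touching the GPO.
    $commands | ForEach-Object { Write-Host $_ }
}
```

Run it from an elevated PowerShell prompt on a computer with the Group Policy tools installed, for example `.\Set-DaHealthCertRules.ps1 -DomainName corp.example.com -GpoGuid <GUID> -WhatIf` to preview, then without -WhatIf to apply; for the Internet-located HRA case add `-Rules 'DirectAccess Policy-DaServerToDnsDC','DirectAccess Policy-DaServerToCorp','DirectAccess Policy-DaServerToMgmt'` (omit the management rule if you want noncompliant clients to stay reachable from management servers). The script name is hypothetical.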

How It Works

The following process describes how DirectAccess with NAP works for a DirectAccess client when the HRAs and remediation servers are only on the Internet:

  1. When the DirectAccess client starts, it attempts to log on to the AD DS domain with its computer account and create the infrastructure tunnel. Because the DirectAccess client has no health certificate, this attempt fails. [Internet traffic]
  2. When the NAP Agent starts, the DirectAccess client resolves the FQDN of an HRA URL and then sends its current health state information to the HRA on the Internet. [Internet traffic]
  3. The HRA sends the DirectAccess client’s health state information to a NAP health policy server. [intranet traffic]
  4. The NAP health policy server evaluates the health state information of the DirectAccess client, determines whether it is compliant, and sends the results to the HRA. [intranet traffic]
  5. The HRA sends the DirectAccess client the health evaluation results. [Internet traffic]
  6. Assuming a compliant health state, the HRA obtains a health certificate from a NAP CA and sends it to the DirectAccess client. [Internet traffic]
  7. The next time the DirectAccess client computer attempts to log on to the AD DS domain with its computer account or resolve an intranet FQDN, it first creates the infrastructure tunnel using the health certificate. [infrastructure tunnel]
  8. When the DirectAccess client needs to access a resource on the intranet, it first creates the intranet tunnel using the health certificate. [intranet tunnel]

If the DirectAccess client is not compliant:

  1. The HRA sends the DirectAccess client the health evaluation results, which include health remediation instructions, and does not obtain a health certificate. [Internet traffic]
  2. Depending on the health evaluation components installed, the DirectAccess client might need to access remediation servers to correct its health state. If so, the DirectAccess client sends update requests to the appropriate remediation servers. [Internet traffic]
  3. The remediation servers provision the DirectAccess client with the required settings or updates for compliance with system health requirements. [Internet traffic]
  4. The DirectAccess client sends its updated health state information to the HRA. [Internet traffic]
  5. The HRA sends the updated health state information to the NAP health policy server. Assuming all the required updates were made, the NAP health policy server determines that the DirectAccess client is compliant and sends that result to the HRA. [intranet traffic]
  6. The HRA obtains a health certificate from the NAP CA. [intranet traffic]
  7. The HRA sends the health certificate to the DirectAccess client. [Internet traffic]
  8. The next time the DirectAccess client computer attempts to log on to the AD DS domain with its computer account or resolve an intranet FQDN, it first creates the infrastructure tunnel using the health certificate. [infrastructure tunnel]
  9. When the DirectAccess client needs to access a resource on the intranet, it creates the intranet tunnel using the health certificate. [intranet tunnel]

Joseph Davies is a principal technical writer on the Windows networking writing team at Microsoft. He is the author and coauthor of a number of books published by Microsoft Press, including “Windows Server 2008 Networking and Network Access Protection (NAP),” “Understanding IPv6, Second Edition” and “Windows Server 2008 TCP/IP Protocols and Services.”