Appendix C – Scripted DirectAccess Single Server Installation Instructions

Ensure the prerequisite steps from Appendix A have been completed before beginning. All of the following commands are run on the DirectAccess server. To determine your interface index, type the following command at the command prompt:

netsh interface ipv6 show interface

Take note of the index number associated with the physical interface you wish to configure. In all of the setup instructions, <interface index #> refers to this number for the appropriate interface.


Configure Internet access components

Component Purpose From the Windows Command Prompt

Teredo Server

Configure Teredo with the name or IP address of the Teredo server

netsh interface ipv6 set teredo server <ipv4 address of teredo server>

Network Interface

Configure the interfaces on the DirectAccess server

  1. Run the following command for the 6to4 and Teredo interfaces:

    netsh interface ipv6 set interface <interface index #> forwarding=enabled

  2. If a Native IPv6 interface is present, run the following command:

    netsh interface ipv6 set interface <interface index #> forwarding=enabled

  3. For the IP-HTTPS interface, run the following command:

    netsh interface ipv6 set interface IPHTTPSInterface forwarding=enabled advertise=enabled

6to4

Enable the 6to4 protocol

netsh interface 6to4 set state enabled

Certificates

Install certificates

  1. Install certificates

  2. Run netsh http add sslcert <args>

IP-HTTPS Interface

Configure IP-HTTPS Interface

netsh interface httpstunnel add interface server https://[public IPv4 address or FQDN]:443/IPHTTPS enabled {certificates}

IP-HTTPS Routing

Configure IP-HTTPS Routing

netsh interface ipv6 add route <6to4 prefix>:<IP-HTTPS subnet ID>::/64 IPHTTPSInterface publish=yes

Configure intranet access components

Component Purpose From the Windows Command Prompt

ISATAP

Enable ISATAP

netsh interface isatap set state enabled

ISATAP

Configure ISATAP

netsh interface isatap set router <name or ipv4 address of ISATAP Router>

ISATAP

Publish the ISATAP subnet route (subnet ID 1 of the server's 6to4 prefix)

netsh interface ipv6 add route 2002:<public_ipv4_address_hex_converted>:1::/64 <interface index #> publish=yes
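The 6to4-derived prefixes used by the IP-HTTPS route and the ISATAP route above are where hand-converted hex most often goes wrong. The following Python helper, added here and not part of the original instructions, derives the /48 prefix, the server's own 6to4 address (usable as the tunnel endpoint in the IPsec rules) and the per-subnet /64 routes from the public IPv4 address, and refuses a non-public address, which would yield an unroutable prefix. The sample address 131.107.0.1, subnet ID 2 and interface index 12 are constructed.

```python
import ipaddress
from typing import List


def sixtofour_prefix(public_ipv4: str) -> ipaddress.IPv6Network:
    """Return the 2002:WWXX:YYZZ::/48 6to4 prefix (RFC 3056) for a public IPv4 address.

    6to4 embeds the 32-bit IPv4 address as two hex groups after 2002:. A private or
    otherwise non-global address silently produces an unroutable prefix, so refuse it.
    """
    v4 = ipaddress.IPv4Address(public_ipv4)
    if not v4.is_global:
        raise ValueError(f"{public_ipv4} is not a public IPv4 address; 6to4 requires one")
    hi, lo = divmod(int(v4), 1 << 16)  # WWXX and YYZZ as 16-bit groups
    return ipaddress.IPv6Network(f"2002:{hi:x}:{lo:x}::/48")


def sixtofour_address(public_ipv4: str) -> ipaddress.IPv6Address:
    """Server's own 6to4 address, 2002:WWXX:YYZZ::WWXX:YYZZ (the form Windows assigns)."""
    prefix = sixtofour_prefix(public_ipv4)
    return ipaddress.IPv6Address(
        int(prefix.network_address) + int(ipaddress.IPv4Address(public_ipv4))
    )


def subnet_route(public_ipv4: str, subnet_id: int) -> ipaddress.IPv6Network:
    """Carve the /64 with the given 16-bit subnet ID out of the server's 6to4 /48."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("6to4 subnet ID must fit in 16 bits")
    base = sixtofour_prefix(public_ipv4)
    # The subnet ID occupies bits 48-63, i.e. the low 16 bits of the upper 64.
    return ipaddress.IPv6Network((int(base.network_address) + (subnet_id << 64), 64))


def route_commands(public_ipv4: str, iphttps_subnet_id: int, intranet_ifindex: int) -> List[str]:
    """Render the IP-HTTPS and ISATAP route commands; ISATAP uses subnet ID 1 as on this page."""
    iphttps = subnet_route(public_ipv4, iphttps_subnet_id)
    isatap = subnet_route(public_ipv4, 1)
    return [
        f"netsh interface ipv6 add route {iphttps} IPHTTPSInterface publish=yes",
        f"netsh interface ipv6 add route {isatap} {intranet_ifindex} publish=yes",
    ]


if __name__ == "__main__":
    # Constructed sample values: public address 131.107.0.1, IP-HTTPS subnet 2, ifindex 12.
    print("6to4 address:", sixtofour_address("131.107.0.1"))
    for cmd in route_commands("131.107.0.1", 2, 12):
        print(cmd)
```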

Network Interface

Configure interface forwarding and advertising

netsh interface ipv6 set interface <interface index #> forwarding=enabled advertise=enabled

DNS

Publish ISATAP name in DNS

dnscmd /recordadd <primary_dns_search_suffix> isatap A <internal_ipv4_address>

Note

Perform this command on your DNS server.

DNS

Allow DNS responses to ISATAP

For each DNS server in every Active Directory Domain containing users that use DirectAccess, perform the following steps:

  1. From any DNS server that has network connectivity to the authoritative DNS servers, open a command prompt

  2. Type “dnscmd <DNS server name> /info /globalqueryblocklist” to display the current contents of the block list

    • If the block list does not contain the name “isatap”, then end this procedure

    • If the block list does contain the name “isatap”, then identify all_other_names in the block list. For example, if the result of the above command is “wpad isatap xxx”, then all_other_names would be “wpad xxx”.

  3. Type “dnscmd <server name> /config /globalqueryblocklist all_other_names”.

  4. Type “dnscmd <server name> /info /globalqueryblocklist” to display the contents of the block list again and ensure that the name “isatap” is no longer in the block list.

Note

Perform these commands on your DNS server.

Configure Security Services

Component From the Windows Command Prompt

IPsec DOS Prevention (Public)

netsh ipsecdosp add interface <Internet_interface_name> public

IPsec DOS Prevention (Public)

netsh ipsecdosp add interface <TLS-Interface_name> public

IPsec DOS Prevention (Internal)

netsh ipsecdosp add interface <intranet_interface_name> internal

IPsec configuration

IPsec gateway configuration (end-to-edge scenario)

Component From the Command Prompt window

Connection security rule for traffic to DNS/DC

netsh advfirewall consec add rule name="DirectAccess Policy ClientToDNSDC" mode=tunnel profile=public,private Endpoint1=<DNS/DC IPv6 address> Endpoint2=Any LocalTunnelEndpoint=<DA server internet interface IPv6 address or 6to4 address> RemoteTunnelEndpoint=Any Action=RequireInRequireOut Auth1=ComputerCert Auth1CA=<CA name> Auth2=UserNTLM qmsecmethods=ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-AES128+60min+100000kb

Connection security rule for traffic to Management servers

netsh advfirewall consec add rule name="DirectAccess Policy ClientToManagementservers" mode=tunnel profile=public,private Endpoint1=<Management servers IPv6 addresses> Endpoint2=Any LocalTunnelEndpoint=<DA server internet interface IPv6 address or 6to4 address> RemoteTunnelEndpoint=Any Action=RequireInRequireOut Auth1=ComputerCert Auth1CA=<CA name> Auth2=UserNTLM qmsecmethods=ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-AES128+60min+100000kb

Connection security rule for traffic to Rest of Corporate Network

netsh advfirewall consec add rule name="DirectAccess Policy ClientToCorp" mode=tunnel profile=public,private Endpoint1=<Corporate network IPv6 prefix> Endpoint2=Any LocalTunnelEndpoint=<DA server internet interface IPv6 address or 6to4 address> RemoteTunnelEndpoint=Any Action=RequireInRequireOut Auth1=ComputerCert Auth1CA=<CA name> Auth2=UserKerb qmsecmethods=ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-AES128+60min+100000kb

IPsec client configuration (end-to-edge scenario)

Component From the Command Prompt window

Connection security rule for traffic to DNS/DC

netsh advfirewall consec add rule name="DirectAccess Policy ClientToDNSDC" mode=tunnel profile=public,private Endpoint1=Any Endpoint2=<DNS/DC IPv6 address> LocalTunnelEndpoint=Any RemoteTunnelEndpoint=<DA server internet interface IPv6 address or 6to4 address> Action=RequireInRequireOut Auth1=ComputerCert Auth1CA=<CA name> Auth2=UserNTLM qmsecmethods=ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-AES128+60min+100000kb

Connection security rule for traffic to Corpnet

netsh advfirewall consec add rule name="DirectAccess Policy ClientToCorp" mode=tunnel profile=public,private Endpoint1=Any Endpoint2=<Corporate network IPv6 prefix> LocalTunnelEndpoint=Any RemoteTunnelEndpoint=<DA server internet interface IPv6 address or 6to4 address> Action=RequireInRequireOut Auth1=ComputerCert Auth1CA=<CA name> Auth2=UserKerb qmsecmethods=ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-AES128+60min+100000kb

Connection security rule for traffic to Management servers

netsh advfirewall consec add rule name="DirectAccess Policy ClientToManagementservers" mode=tunnel profile=public,private Endpoint1=Any Endpoint2=<Management servers IPv6 addresses> LocalTunnelEndpoint=Any RemoteTunnelEndpoint=<DA server internet interface IPv6 address or 6to4 address> Action=RequireInRequireOut Auth1=ComputerCert Auth1CA=<CA name> Auth2=UserNTLM qmsecmethods=ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-AES128+60min+100000kb

Connection security rule to exempt IPsec to NLA

netsh advfirewall consec add rule name="DirectAccess Policy clientToNlaExempt" mode=tunnel profile=public,private endpoint1=<Corporate network IPv6 prefix> endpoint2=<NLA IPv6 address> action=noauthentication protocol=tcp port2=443