DISCLAIMER: These are the features and functions available in the Windows Server 8 “Beta” Preview. All items are subject to change or removal by Microsoft and are not considered to be final until release of Windows 8.
Traditional VPNs require the user to initiate a remote connection to the intranet. In contrast, DirectAccess automatically establishes a bi-directional connection from client computers to the corporate network. This improves the overall user experience by making a connection to the corporate network from outside the workplace as seamless as if the user were working from the office!
DirectAccess is based on a deperimeterization model that uses encryption, authentication, and authorization technologies to let all points on a network securely exchange information over the Internet. It is built on a foundation of proven industry standards such as Internet Protocol version 6 (IPv6) and Internet Protocol security (IPsec). DirectAccess supports a range of network scenarios, including pure IPv6 and IPsec environments (end-to-end), non-IPsec intranets with IPv6 application servers (end-to-edge), and IPv4-only application servers.
This article provides a walkthrough from the Beta to show just how easy it is to set up. Additional resources are listed at the end of the article. For an overview of the requirements, roles and features for the scenario walkthrough below, see Simplified Remote Access with DirectAccess: scenario overview. For the lab manual walkthrough on which the screen captures below are based, see Test Lab Guide: Demonstrate DirectAccess Single Server Setup with Mixed IPv4 and IPv6 in Windows Server “8” Beta.
Configure Direct Access in a Single Site with the Express Wizard
1. Configure DirectAccess using the Express Wizard from Remote Access Management. NOTE: to quickly access this console, go to the Start menu home screen and just start typing “Remote Access Management” and the search feature will make it appear!
a. Select Configure using Express Wizard
2. Choose to Deploy BOTH Direct Access and VPN, ONLY Direct Access, or ONLY VPN
3. In this example, I am only setting up Direct Access, so Deploy only DirectAccess was selected on the screen above.
After checking the prerequisites and doing some initial configuration, the following screen is presented. The three topology options (Edge, behind an edge device, or a single network adapter) are determined by where your DirectAccess server sits: on the edge of the network exposed directly to the Internet, behind a firewall or other edge device, or only on the internal private network. The first two options require two network adapters: one on the internal network and one public-facing adapter, exposed to the Internet or to the firewall. The last option needs only one adapter, on the internal network. For my lab, I chose the “Edge” topology. The FQDN of the edge machine is the name clients will use to connect, so it must resolve from the Internet. If a certificate for that name exists in the computer certificate store, it will be used; if not, the wizard generates a self-signed certificate. That is fine for a lab, but a production deployment should use a certificate issued by a CA the clients trust, so clients can validate the server they are tunneling to.
4. On the last screen, you are presented with an option to review and modify settings where the screen says “please click here.” Here you will see the configuration settings that were made for GPO Information, Remote Clients, Remote Access Server (DirectAccess configuration), and Infrastructure Server (DNS suffixes used by clients). You can modify any of these settings by clicking Change, and you can use Save to a file at the bottom of the DirectAccess Review screen to save all of your settings. By default, the DOMAIN\Domain Computers group receives all of the configured settings, which means every computer in the domain gets the DirectAccess client GPO and its IPsec connection security rules. If you want a smaller subset of computers to have DirectAccess, remove that group and create a dedicated Global Group containing only the clients that should receive these policies; keeping the scope narrow limits which machines can build tunnels into the corpnet from outside. For example, I made a Global Group called DirectAccessClients and added that to the configuration.
5. If you modified any setting above, simply click OK, and then Finish on the “Configure Remote Access window”. The configuration settings will be applied and you will get a confirmation window as below. Click Close to complete this simple setup!
6. After clicking Close above, you are presented with a nice topology diagram below, which allows you to easily go back in and modify any of the configuration settings that you may want to change now or later.
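The same single-site, DirectAccess-only Edge deployment as wizard steps 1 through 6, scripted with the RemoteAccess module. This is an added example, not code from the original walkthrough or from the Test Lab Guide; it uses the cmdlet names and parameters as they ship in Windows Server 2012 and assumes the Beta's module matches them. The public FQDN, adapter names, GPO names and the CORP\DirectAccessClients group are placeholders for your own lab.

```powershell
# Added example: PowerShell equivalent of the Express Wizard walkthrough.
# Cmdlets are from the RemoteAccess module as shipped in Windows Server 2012;
# assumed to match the Windows Server "8" Beta. All names below are lab placeholders.
Install-WindowsFeature DirectAccess-VPN -IncludeManagementTools
Import-Module RemoteAccess

$PublicFqdn  = 'da1.corp.contoso.com'       # assumed: name clients connect to (must resolve from the Internet)
$ClientGroup = 'CORP\DirectAccessClients'   # assumed: dedicated client group instead of Domain Computers
$InternalNic = 'Corpnet'                    # assumed adapter names for the Edge (two-adapter) topology
$InternetNic = 'Internet'

# Check first: does LocalMachine\My hold a certificate for the public name? If not,
# the wizard (and Install-RemoteAccess) fall back to a self-signed certificate,
# which is acceptable in a lab but should not reach production.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "*CN=$PublicFqdn*" } |
    Select-Object -First 1
if (-not $cert) {
    Write-Warning "No certificate for $PublicFqdn in LocalMachine\My; a self-signed certificate will be used."
} elseif ($cert.Subject -eq $cert.Issuer) {
    Write-Warning "Certificate for $PublicFqdn is self-signed; use a CA-issued certificate before production."
}

# Steps 1-3: deploy DirectAccess only (no VPN) in the Edge topology.
Install-RemoteAccess -DAInstallType FullInstall `
    -ConnectToAddress  $PublicFqdn `
    -InternalInterface $InternalNic `
    -InternetInterface $InternetNic `
    -ClientGpoName 'CORP\DirectAccess Client Settings' `
    -ServerGpoName 'CORP\DirectAccess Server Settings' `
    -Force

# Step 4: narrow the client scope. The default hands the client GPO (and its IPsec
# connection security rules) to every computer in the domain; restrict it to the
# machines that are meant to reach the corpnet from outside. Add the new group
# first so the client list is never empty.
Add-DAClient -SecurityGroupNameList $ClientGroup
$broad = (Get-DAClient).SecurityGroupNameList | Where-Object { $_ -like '*\Domain Computers' }
if ($broad) { Remove-DAClient -SecurityGroupNameList $broad }

# Steps 5-6: the Review screen, as objects instead of a dialog.
Get-RemoteAccess | Format-List
Get-DAClient     | Format-List
Get-DAServer     | Format-List
```

Run this in an elevated PowerShell session on the server that will hold the DirectAccess role, with a domain account that can create the two GPOs. The certificate check is the one piece the wizard does silently; surfacing it as a warning makes it hard to carry a self-signed listener certificate from the lab into production unnoticed.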
The final step for this simple scenario is to update the policy applied to the client, and then monitor the client connections from the Direct Access Server.
7. Run gpupdate from the new Windows PowerShell ISE while the client is still connected to the corporate network. You do not have to use the ISE rather than a command prompt, but you should definitely explore this greatly enhanced tool, with IntelliSense, syntax coloring and visual debugging! If you are running a client in a test lab, you will then want to disable the adapter attached to the corp network and enable the one attached to the simulated Internet, which stands in for a user connecting from home, to test your connectivity. In my test lab, I did two validation tests to confirm DirectAccess was working: I accessed an internal website on the corporate network as well as a file share on the corp server.
8. Finally, returning back to the Remote Access Management console, we can observe the results of the connection and view statistics as shown below. Click REMOTE CLIENT STATUS in the console on the left, and then your client should appear in the center. Double-click on the client machine, and you will see detailed client statistics. In a virtual lab environment, this may take a couple of minutes to refresh, so be patient.
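Steps 7 and 8 as a script: client-side validation after the policy refresh, then the server-side connection view. This is an added example, not code from the original post or the Test Lab Guide. It assumes the Windows 8 client modules (NetworkConnectivityStatus, DnsClient, NetworkTransition, NetSecurity) and the Windows Server 2012 RemoteAccess cmdlets match the Beta, and it uses placeholder names for the intranet web site (app1.corp.contoso.com) and file share.

```powershell
# Added example: verify a DirectAccess client after policy refresh (run on the client),
# then view the connection from the server. Cmdlet names are those of Windows 8 /
# Windows Server 2012 and are assumed to match the Beta. Resource names are placeholders.

# --- On the client, while still on the corpnet: pull the new client GPO ---
gpupdate /force

# The NRPT rules the GPO pushed: the corp DNS suffix should be answered by the
# DirectAccess server's DNS64 address, and the NLS name should be exempted
# (no DirectAccess DNS server listed). A client with no NRPT entries did not get the GPO.
Get-DnsClientNrptPolicy | Format-Table Namespace, NameServers, DirectAccessDnsServers -AutoSize

# --- Move the client to the simulated Internet, then test the tunnel ---
Get-DAConnectionStatus            # expect Status = ConnectedRemotely once the tunnel is up
Get-NetIPHttpsState               # IP-HTTPS interface state; LastErrorCode 0 on success
Get-NetIPsecMainModeSA | Format-Table LocalEndpoint, RemoteEndpoint -AutoSize   # one SA per tunnel

# Application-level checks: the same two the walkthrough performed by hand.
$intranetSite  = 'http://app1.corp.contoso.com'     # assumed lab names
$intranetShare = '\\app1.corp.contoso.com\Files'
$results = [ordered]@{
    'Intranet web site' = $(try { (Invoke-WebRequest -Uri $intranetSite -UseBasicParsing).StatusCode -eq 200 } catch { $false })
    'File share'        = Test-Path -Path $intranetShare
}
$results.GetEnumerator() | ForEach-Object {
    '{0,-18} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAILED' })
}

# --- On the DirectAccess server: the REMOTE CLIENT STATUS view, as objects ---
Get-RemoteAccessConnectionStatistics | Format-List
```

The NRPT and IPsec checks are the useful additions over the manual test: a web page that loads proves the tunnel works, but Get-DnsClientNrptPolicy shows whether corp names are actually being steered through DirectAccess rather than leaking to the local resolver, and Get-NetIPsecMainModeSA confirms that traffic is inside an IPsec tunnel rather than reaching the intranet some other way.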
There you have it! DirectAccess has been greatly simplified to administer and deploy in Windows Server “8” Beta. Later I hope to blog on the Advanced Deployment Scenario, as it currently exists in the Beta form.