Deploying Microsoft DirectAccess 2016 Step by Step

Captions
In this movie we're going to show, step by step, how to deploy DirectAccess. If you'd like to learn how to deploy DirectAccess and make it highly available, please go to ITdvds.com. We go over that process step by step, including how to create a public key infrastructure for DirectAccess, how to deploy the necessary certificates for DirectAccess, how to create network load balancing clusters for our DirectAccess servers as well as our network location servers, how to manage clients remotely, and much more.

Now we're going to do a very simple DirectAccess deployment. Normally this is not something we'd actually want to do in production; we're just going to do it so we can see how simple it can be. It could work for very small companies, but even in that situation it's good to deploy it the more advanced way, so that if we do need to scale it out and it does need to change, it's all set up for that, because changing it after the fact is pretty difficult. The reason this is a simple deployment is that we're not going to use a public key infrastructure, or PKI, so we're not going to deploy certificates to the clients, and we're also going to use a wizard that takes care of a lot of the configuration. But when we do this we lose a lot: we lose support for Windows 7, we lose load balancing, any kind of multi-site deployment, OTP (one-time password) or smart card use, and force tunneling, and it's a bit less secure because we don't have that certificate on the client that's used for an extra layer of authentication. Instead of using that certificate it's going to use Kerberos authentication, which is good and is normal; that's also part of the process in an advanced deployment of DirectAccess, but again, we lose that extra layer with the certificates.

Here's the diagram of our simple DirectAccess deployment. We've got our internal network here, and our internal network has our DirectAccess server and our domain controller. The domain controller is also our internal DNS server. Our DirectAccess server, when we deploy it, is going to be automatically configured as the network location server, and that network location server is pretty important, because if our DirectAccess clients can't find the network location server when they're connected to the internal network, they'll think they're actually outside of the network and they'll try to connect to DirectAccess, and that will cause a lot of problems with our internal clients accessing internal resources. So it's actually very important, and one of the big reasons why we don't want to use this simple deployment: we want to put our network location server on some type of highly available cluster. The network location service is pretty simple; it's just a website. It doesn't have to do anything, it's just a simple website.

Out here on the Internet we've got our external DNS server, and we've got an example of, let's say, somebody's home router and a DirectAccess client that's connected to the Internet via a home router. This could be anything; however this client is connected to the Internet, it's just that they're not connected to the internal network. So when they connect, they're going to connect to what we're going to configure, da.itdvdscorp.com, and that's how they're going to connect to our DirectAccess server to create the DirectAccess connection. On our firewall here, that's on the edge of our network, we're going to create a NAT, network address translation, on port 443 for a public IP address that translates to the internal IP address of our DirectAccess server. So that's how our clients are going to connect to our DirectAccess server. Our DirectAccess server is only going to have one NIC, and that NIC is going to be configured with an internal IP address. Our DirectAccess server is not going to be directly connected to the Internet or anything like that. So again, a very simple deployment.

We're not going to have IP version 6 set up on our internal network. Now, it does need to be enabled, but we don't have to have IP version 6 routing and all of our clients having IP version 6 addresses or anything like that in order to use DirectAccess, and that goes for this simple DirectAccess deployment as well as an advanced DirectAccess deployment. So even though DirectAccess depends on IP version 6, again, we don't have to have it set up and deployed on our internal network, or anywhere for that matter; we just have to have it enabled, and it needs to be enabled on all of our computers, all of our servers and our clients. By enabled, what I mean here is: if we go to the properties of a network adapter, we can see IP version 6 is checked here, so that means it's enabled. It's not configured in any special way, it's just enabled. If we wanted to see if it was enabled on a Server Core installation, I'll just enter a PS session into my DIRECTACCESS01 server, which is a Server Core installation, and we're going to use the Get-NetAdapterBinding command. Let's pipe that to Format-Table because I just want to see the Name, DisplayName and Enabled, and here we can see IP version 6 Enabled is set to True, so that means it is enabled. If this was set to False we'd have a problem; we'd need to go ahead and enable it.

So for this simple deployment we're going to need to add an external DNS record, and this is going to be for the URL that our DirectAccess clients are going to use to connect to our DirectAccess server. It can be anything; we're going to use da.itdvdscorp.com. As far as our internal DNS records go, the simple wizard we're going to use in order to set up DirectAccess is going to set those internal DNS records up for us. Now we're going to set up an external DNS record. We're going to use the URL da.itdvdscorp.com, and "da" stands for DirectAccess. We can make this whatever we want, and it does not have to be the same domain as our internal domain. If I'm using an internal domain like itdvds.local or something like that, I can use an external domain; again, it could be anything I want, I just have to own it, or at least the company has to own it, in order to be able to configure external DNS on it. External DNS, it's important to know, is different from internal DNS: external DNS is accessible out on the Internet, and internal DNS is what we query when we're connected to our internal network.

So it's very simple, we're just going to create an A record and it's going to resolve to the public IP that we want to use for our DirectAccess server; in my case it's 98.191.119.247. Our external DNS server can be a lot of different things: it can be BIND, it could even be a Windows server, Unix/Linux, it can be all sorts of things. It can even be managed by our domain registrar; this one is managed by GoDaddy, so I can just go to their website to configure the external DNS, which makes it very easy. So we're going to scroll down here, and again, it's going to be different depending on what we're using for external DNS. I'm going to click on Add and I'm going to create an A record. The host is going to be da, and it appends the domain I'm working with to the end of it, so it appends itdvdscorp.com, so the fully qualified domain name is going to be da.itdvdscorp.com, and it's going to point to the IP address 98.191.119.247. TTL, time to live, we can make whatever works for us; I'm going to do half an hour. TTL is basically how long this record is cached for on caching name servers, so the longer we set it for, the longer it's cached. So if we set it for something long like a week and then we want to go in and change it, well, the old IP address could be cached for a week, so we might not see changes for a week, so normally setting it that long is not a good idea. I'm going to set it short so if I need to change it, that's fine. I'll go and click Save. Then if I change it, I only have to wait half an hour for all the caching name servers to recontact this DNS server to get the record. So there it is: A, da, 98.191.119.247.

So it may take a little bit, it shouldn't take long though, but we should be able to ping this from the Internet now and get this address back. Now if we test it out and try to ping da.itdvdscorp.com from a computer that's connected to our internal network, well then it's going to query our internal DNS server for that record and it won't be there, so it'll come back unresolved. So we either want to ping it from a computer that's connected to the Internet out there somewhere, or, from our internal network, there are a lot of different websites we can go to that can help us resolve our names. So if we go to, like, dnsstuff.com, we can go to what they call the toolbox, and there are lots of good tools on here for lookups. I can type in da.itdvdscorp.com and I can see the lookup succeeded. I can scroll down, I can see the name server, and I can see what it resolves to. So this should be what we want it to be and what we set up in external DNS; if it's not, well then we've got a problem: either DNS hasn't propagated out yet in your environment, or there's something we need to fix, because this has to resolve to that external IP address that we want to use for our DirectAccess server. If it doesn't, then DirectAccess is not going to work. If you want to learn more about the ins and outs and all the advanced configuration setups with DNS, please see the Windows Server 2016 administration training, the DNS, DHCP and IPAM training, on ITdvds.com; we really go into it in depth.

Next we're going to create a NAT on our firewall, so that when our DirectAccess client tries to contact da.itdvdscorp.com, it hits the external IP address 98.191.119.247; our firewall then translates that to the internal IP address of our DirectAccess server, which is 192.168.1.247, and it's going to be on port 443. So here I am on my firewall router. Now this is going to be a Windows system; normally it would probably be some sort of Cisco device or some sort of firewall device, it could even be a device that's supplied by your ISP. Whatever it is, the concept's the same: we're setting up a NAT, network address translation. If you only have one external IP address, then it could also be called port forwarding; you need to set it up for port 443. But normally we'll have multiple public IP addresses that'll be on our external NIC that's on our firewall device. So let's go to Tools; in our example we're going to Routing and Remote Access. So again, we're on this device which is on the edge of our network that basically connects us to the Internet, and for mine I'm going to right click on my external adapter, go to Properties, and I can see the addresses that are on that particular network adapter. We're going to go to Services and Ports, let's go ahead and click Add. This is where we're going to create a NAT on a Windows device. We'll just give it a description; I'm going to call it DirectAccess. I'm going to use it on this external IP address, and the external IP address is 98.191.119.247, so I'll go ahead and type that in. It's going to be TCP, incoming port 443, the private IP address is going to be the IP address of my DirectAccess server, which is going to be 192.168.1.247, and the outgoing port is port 443 as well. All right, our NAT is all set up.

Now let's create a group in Active Directory for our DirectAccess clients. So I'm going to go to Tools and let's go to Active Directory Users and Computers. I've got an OU here called Groups where I create most of my groups, so I'm just going to right click on it, let's go to New, Group, and I'm going to call this group DirectAccess Clients. I'll leave it at Global and Security, click OK. Now this group is what we're going to use to determine which clients are actually DirectAccess clients. Technically we don't have to use this group; by default, and we'll see this, it uses a WMI filter so that any computers that have a mobile processor will be DirectAccess clients. That's certainly one way to do it; using a group gives us a bit more control over who, or really what, is a DirectAccess client, because DirectAccess clients are done by computer, they're not done per user. So let's go to Members. I'm going to add the computers that I want to be DirectAccess clients; we'll go up here to Object Types and we just want Computers, again because we're doing it by computer, not by user. So let's go to Advanced here, and maybe all the computers I want start with DESKTOP, so I'm going to add DESKTOP122; again, these are the computers that I want to be DirectAccess clients; DESKTOP205 and DESKTOP221. So I'll go and click OK and click OK, and we'll see when we configure it: this group, or any members of this group, will have the group policy object applied to them that makes them DirectAccess clients.

Now let's install the DirectAccess role on our DirectAccess server, which is DIRECTACCESS01, and this is a Server Core installation, so it does not have a GUI on it; GUI meaning graphical user interface. So there are a couple of different ways we can do this remotely: we can do this with Server Manager, or we could do it with PowerShell. If you want to learn more about how to administer a Server Core installation remotely, please see the Windows Server 2016 administration training on ITdvds.com, particularly "Remotely administering Windows Server 2016 with Server Manager, PowerShell, Computer Management" and also "Installing the Remote Server Administration Tools on Windows 10". So I've got the Remote Server Administration Tools installed on this Windows 10 machine, and if I go into Server Manager, All Servers, I can right click, Add a Server, and I'm going to type in DIRECTACCESS01. Let's go ahead and find it, and we'll add it. Now I can right click on it, Add Roles and Features, let's expand that out, let's go and click Next. It's going to be role-based, my server is selected, then I want to configure, and we're looking for Remote Access, so I'd want to check that box, click Next, Next again, Next again. The role service we want is DirectAccess and VPN, and click on Add Features, click Next, Next again, Next again, and Install. So that's one way to do it. Another way to do it remotely is with PowerShell. So I'll just open up the PowerShell prompt as an administrator, and if I want to, I could enter a PS session into DIRECTACCESS01, or from here I can just use the command Install-WindowsFeature. I'm going to run it against DIRECTACCESS01, and then -Name, this is the name of the feature we want to install, DirectAccess-VPN, and we're going to include the management tools, and most likely we'll have to restart, so adding this -Restart option will restart the computer if necessary. So go and hit Enter. So that's quick as opposed to going through Server Manager; either way gets the same thing done. Now the role's been installed and the restart has completed.

Now we need to configure DirectAccess. So I've got my Remote Administration Tools installed in Windows 10 here, Server Manager, All Servers, I've connected to DIRECTACCESS01. Now I'm going to right click on it, go down and let's click on Remote Access Management. So let's go up here and click on DirectAccess and VPN, and we're going to get these Remote Access setup wizard options if we haven't configured DirectAccess yet. Run the Getting Started Wizard, this is the simple deployment that we're going to do; Run the Remote Access Setup Wizard, this is the more advanced deployment. So I'm going to click on Run the Getting Started Wizard, and we want to deploy DirectAccess only. We could deploy DirectAccess and VPN, but normally we want to just deploy DirectAccess on a specific server; if we're going to do VPN also, we want to deploy VPN on another server, and one of the main reasons for that is because if we have VPN on there also, it does not let us use what's called null encryption for IP-HTTPS connections, which is how our DirectAccess clients are going to connect, and that means a lot of traffic will be double encrypted, which will actually slow down the client's user experience and use more resources on our DirectAccess server. So I'm going to click on Deploy DirectAccess only.

We've got a couple of different topologies we could have used. We could have used Edge, which means that our DirectAccess server is on the edge of the network, has one NIC that actually has a public IP address on it and another NIC that has an internal IP address. Behind an edge device with two network adapters: this is going to be if you're behind a transparent firewall, so you're still behind a firewall but one NIC on your DirectAccess server is still able to have a public IP address and the other would have an internal IP address. And then what we're going to do: Behind an edge device, that's using that network address translation, and it's going to have a single network adapter. Down here we're going to type in the public name. We could use an IP address, but we want to use a name for the clients that are going to connect to our Remote Access server, and that's going to be the DNS record we set up, so in my case it's da.itdvdscorp.com. So I'll go ahead and click Next. We could click Finish at this point and that would be it. We can go up here and possibly modify a few settings if we want to, or at least see how things are configured. We've got our GPO settings: use the group policy objects that are going to be created; we can see the name they're going to be created with. We've got one for client settings and another one for server settings; I'll just leave that at the default. We've also got our Remote Clients settings here, and this is something we will change. So this is who the group policy for our clients is going to apply to; by default it's all Domain Computers, and it's then filtered down by that WMI filter that looks for only computers with mobile processors. If we leave this checked, that's what it does: it adds that WMI filter, Enable DirectAccess for mobile computers only. So what we're actually going to do is add the group we created earlier, our DirectAccess Clients, and we're going to remove Domain Computers, and we're also going to uncheck this Enable DirectAccess for mobile computers only. What this will do is now any computer accounts that are added to the DirectAccess Clients group will then have this group policy object applied, which will make them DirectAccess clients. So I'm going to click Next. We could also add other resources that validate connectivity to the internal network; it's actually going to create one for us, so we don't need to add anything else. Helpdesk email address: this is actually important to add, so I'm going to add support@itdvdscorp.com, and without this email it's actually not possible to collect diagnostic logs on the client. Another option here, Allow DirectAccess clients to use local name resolution: this allows them to kind of disable DirectAccess and just use their Internet connection for pretty much everything. They will still be connected via DirectAccess, so if we wanted to manage that client remotely we still could, but from their point of view it'll look as though they're not connected to the internal network. So this is if we want to allow them to do that or not; I'll just leave it unchecked.

Now let's go ahead and scroll down and look at the other options here. Remote Access Server: so this is our topology and our name, so if we want to change that we could. You can see the adapter it's selected for us; it's the only adapter on our DirectAccess server, so that's the correct one. And here, if we had an SSL certificate that we wanted to use we could select it here; otherwise we're going to use a self-signed certificate. Since we don't have a public key infrastructure we're going to use the self-signed one. We could get an SSL certificate from a third-party certificate authority like Verisign or GoDaddy; in that case we could add it here. Let's go ahead and click Finish. And our Infrastructure Servers: this actually has to do with our name resolution policy table, and that decides, if we're trying to resolve a domain name, whether or not we're going to use our internal DNS servers on our network, or the Internet DNS servers that are configured if our client is just connected to the Internet, or whatever DNS servers the client is configured for when it grabs an IP address, normally via DHCP. So if this is blank, then it's going to use whatever the client has configured via DHCP. If there's a DNS server address listed, then it's going to use that DNS server, and it's going to use the DirectAccess tunnel in order to resolve it. So you'll notice this IP address is our DirectAccess server; we might think, well, that's not a DNS server. What actually uses that is DNS64, in order to translate IP version 4 addresses into IP version 6 addresses, because IP version 6 is what DirectAccess uses. So that's what makes it possible even though we're only using IP version 4 on our internal network. And it added da.itdvdscorp.com, because we don't want that to resolve internally, we want it to resolve externally, and it had to add that because otherwise it would try to resolve it internally, because we have this name suffix here, itdvdscorp.com. So anything like DC01.itdvdscorp.com, it's going to try to use our DirectAccess server in order to resolve that name, and again, we don't want that with our external public DNS entry that we added so that our DirectAccess client can contact our DirectAccess server over the Internet. We'll get into name resolution policy tables more in the advanced configuration. And this is the URL that it sets up for our network location server; that's actually going to be on our DirectAccess server. So that's all the settings, everything looks good. I'll go ahead and click OK and Finish. OK, the configuration was applied successfully with warnings. If we want, we can scroll up here, we can see the warning, and the warning we got was: the NRPT entry for the DNS suffix itdvdscorp.com contains the public name da.itdvdscorp.com; the exemption was added automatically to the NRPT table. So we're good to go there. We can also right click on here and do Copy Script if we wanted to, and copy everything that it executed with PowerShell. So to actually view it, I'll just paste it into Notepad and see all the cmdlets that ran in order to install DirectAccess and configure it. So that's actually it, DirectAccess is set up.

Now let's take a look at the group policy objects that were created. Let's go to Tools, Group Policy Management, and we'll just expand this out, expand out our domains, and I'll scroll down here to Group Policy Objects. So up here you can see I've got a lot of group policy objects, but these were the two that were created: DirectAccess Client Settings and DirectAccess Server Settings. So we can see it's linked at the domain but it's filtered: the server settings only apply to the computer DIRECTACCESS01, which is our DirectAccess server. The client settings, it's linked at the domain but it's filtered by our DirectAccess Clients group, so any computer we add to this group will automatically have this particular policy applied to it. So this makes it very easy: if we want to add a client, or make a client a DirectAccess client, then we just add the computer account to this group in Active Directory; if we want to remove it, we just remove the computer account. And we can take a look at what these group policy objects actually do. So for our client settings, if we go over to Settings here, it can generate a report for us that shows exactly what it's doing to our clients. So we can see there are some security settings: Public Key, Trusted Root Certification Authorities, so it's basically adding the certificate for da.itdvdscorp.com. This is because it's a self-signed certificate, so it's not automatically trusted; what this does is it makes it trusted by our DirectAccess clients. Same goes for our network location server. And they created a bunch of firewall rules and settings to make DirectAccess work, so you can see there are quite a few of them, and also it configured our name resolution policy table.

So now DirectAccess isn't going to happen immediately; these group policy objects have to apply in order for it to work. So first we probably want to take a look at our server and make sure this group policy object has applied to our server. To do that we could enter a PS session into DIRECTACCESS01 and we can use the command gpresult /r, and this is a great command when working with group policy. We can see the applied group policy objects, and the DirectAccess Server Settings has been applied to this computer, which is our DirectAccess server, so that one's good to go. Next we probably want to take a look at one of our clients, so go ahead and exit out. This computer just happens to be a client that we added, DESKTOP205, to that security group in Active Directory Users and Computers; if we take a look at it, there it is, DESKTOP205. So we can run the same command and see if the client version of the group policy object has been applied, and I can see, OK, it has not yet. So there are multiple ways we can apply it: one, we can just wait and it'll apply automatically over time, or we can use gpupdate /force, and I can see the computer policy applied successfully, and the user policy. Now if I wanted to, I could use gpresult /r to make sure everything's working the way it's supposed to, and I could see, OK, well, it wasn't applied yet, and the beauty of this particular command: it says the following GPOs were not applied because they were filtered out, and here's my DirectAccess Client Settings. We can see the filtering: it was denied, or it was filtered out, and I can go and see this computer is part of these certain groups, and I don't see my DirectAccess Clients group yet, so it doesn't know it's a member of it yet. So I might have run that gpupdate command and thought, OK, the policy is applied, I'm good to go, but it's good to check and see if it's actually applied. So I'm going to go ahead and reboot this computer.

OK, I've gone ahead and rebooted the computer. Let's go ahead and open up a PowerShell prompt, run our gpresult /r, and we can scroll up to see now it's been applied, DirectAccess Client Settings, because it knows it's part of the DirectAccess Clients group now. Another command we can run to check if the settings did apply (I mean, they did, because we can see the group policy object ran against this particular computer) is Get-DnsClientNrptPolicy. This will show us our name resolution policy table, and then we can see the entries for DirectAccess-NLS.itdvdscorp.com as well as da.itdvdscorp.com and itdvdscorp.com, and you'll notice for the DirectAccess DNS server for itdvdscorp.com it's using this IP version 6 address, which is the IP version 6 address that our DirectAccess server is using for DNS64. So this client is good to go. We can actually remove it from this network, put it somewhere out there on the Internet, and it will connect to our DirectAccess server seamlessly, and it will look as though the computer is still connected to our internal network. And we can verify that we've done it without a PKI, a public key infrastructure. If I just right click here, let's go to Run, let's launch an MMC, click Yes, and let's Add/Remove Snap-in, let's add our Certificates; it's going to be for our computer account and the local computer. Let's go ahead and click OK. We'll just expand this out, expand out Personal, and there's nothing in there, so we don't have any computer certificates. We can also confirm this here by opening up our Windows Firewall with Advanced Security and expanding out Monitoring, expand out Security Associations and click on Main Mode, and we can see our tunnels here. So the first authentication method is for the computer; it's using Kerberos, and the second is using Kerberos also, for the user. So that's really it for a simple DirectAccess deployment. We can see it's fairly easy to deploy without any special network infrastructure design changes needed.

So let's do that, let's take this computer. Right now I'm just going to run the netsh dnsclient show state command, and we can see the machine location right now is inside the corporate network. Let's move it outside of our corporate network. OK, I've gone ahead and done that. Now our computer is over here; it's just connected to a home router here, just connected to the Internet, and if we run that netsh dnsclient show state command again, we can see the location is outside the corporate network, and it determines that by whether or not it can contact the network location server. I can just do an ipconfig; we can see our IP address, 172.16.1.50, and you'll also notice I've got an IPHTTPSInterface now, and that has an IP address, because that's what I'm using to actually connect to my DirectAccess server. So even though I'm outside of the network I should be able to ping, like, DC01.itdvdscorp.com, and I can, and you notice it uses the IP version 6 address, which it doesn't have, but that's being translated by our DNS64, which is what makes it so that even though I don't have IP version 6 set up on my network it's still able to communicate with it. So, pretty cool. Now I can access resources on my network; I could go to DC01's C drive if I want to access it. It's basically just like I'm on my corporate network, so very cool, and it all happens behind the scenes. There's nothing I need to set up or configure or connect, like a VPN; it's just always connected. Whenever I'm connected to the Internet, I'm connected to my internal corporate network, and all the traffic that goes to my internal network is encrypted through IPsec tunnels that travel through the Internet and to our DirectAccess server.
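As an added example that is not part of the video or of ITdvds' own material, the following PowerShell gathers the checks the walkthrough performs by hand (IPv6 binding on the Server Core box, the public A record and the port 443 NAT, group membership, and the client-side NRPT, tunnel and certificate-store checks) into functions you can re-run after each step. The names and addresses are the lab's as spoken in the video (da.itdvdscorp.com, 98.191.119.247, DIRECTACCESS01 at 192.168.1.247, the DirectAccess Clients group); the external resolver address, the use of Invoke-Command instead of an interactive PS session, and the internal suffix itdvdscorp.com are assumptions, so adjust them to your environment.

```powershell
# Added example, not the video's script. Pre-flight and post-deployment checks
# for the single-NIC, NAT-behind-edge, no-PKI DirectAccess deployment.
# Assumed lab values (hypothetical; change to match your environment):
$PublicName  = 'da.itdvdscorp.com'      # public A record clients connect to
$PublicIP    = '98.191.119.247'         # NATed to the DA server on TCP 443
$DaServer    = 'DIRECTACCESS01'         # Server Core DA server, 192.168.1.247
$InternalSuffix = 'itdvdscorp.com'      # NRPT suffix rule created by the wizard
$DaGroup     = 'DirectAccess Clients'   # AD group that filters the client GPO
$ExtResolver = '8.8.8.8'                # any Internet resolver (assumption)

# 1. IPv6 must be bound on every adapter of the DA server and every client,
#    even though nothing routes IPv6 internally (DirectAccess tunnels IPv6).
function Test-IPv6Binding {
    param([string]$ComputerName = $DaServer)
    $bindings = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-NetAdapterBinding -ComponentID ms_tcpip6
    }
    $disabled = @($bindings | Where-Object { -not $_.Enabled })
    foreach ($b in $disabled) {
        Write-Warning "IPv6 is unbound on $ComputerName adapter '$($b.Name)'"
    }
    return ($disabled.Count -eq 0)
}

# 2. The public name must resolve on the Internet to the public IP, and the
#    NAT must pass TCP 443 to the DA server. Asking a public resolver directly
#    avoids the "unresolved" answer the internal DNS gives for this name, and
#    the short TTL set on the record bounds how long a stale answer can live.
function Test-PublicName {
    $answer = Resolve-DnsName -Name $PublicName -Type A -Server $ExtResolver -ErrorAction Stop
    $ips = @($answer | Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress)
    if ($ips -notcontains $PublicIP) {
        throw "$PublicName resolves to '$($ips -join ',')', expected $PublicIP"
    }
    # Run this part from an Internet-connected host: many edge devices do not
    # hairpin NAT, so a failure from inside the LAN is not conclusive.
    $tcp = Test-NetConnection -ComputerName $PublicIP -Port 443 -WarningAction SilentlyContinue
    return $tcp.TcpTestSucceeded
}

# 3. Make a machine a DirectAccess client the way the video does in ADUC:
#    membership in the group that filters the client GPO. Membership rides in
#    the computer's Kerberos ticket, so until the client reboots (or its
#    ticket is renewed) gpresult keeps reporting the GPO as filtered out.
function Add-DaClientComputer {
    param([Parameter(Mandatory)][string]$ComputerName)
    Add-ADGroupMember -Identity $DaGroup -Members (Get-ADComputer -Identity $ComputerName)
    Write-Host "$ComputerName added to '$DaGroup'; reboot it before checking gpresult /r"
}

# 4. On the client, after the GPO has applied: the suffix rule must hand the
#    internal domain to the DA server's DNS64 IPv6 address, and the public
#    name must be exempt (no DirectAccess DNS server), or the client would try
#    to reach its own DA server through the tunnel it has not built yet.
function Test-DaClientState {
    $nrpt   = Get-DnsClientNrptPolicy
    $suffix = $nrpt | Where-Object { $_.Namespace -eq ".$InternalSuffix" }
    $exempt = $nrpt | Where-Object { $_.Namespace -eq $PublicName }
    $suffixOk = ($null -ne $suffix) -and (@($suffix.DirectAccessDnsServers).Count -gt 0)
    $exemptOk = ($null -ne $exempt) -and (@($exempt.DirectAccessDnsServers).Count -eq 0)

    # Inside/outside determination and tunnel state as the client sees them.
    $status = Get-DAConnectionStatus
    Write-Host "DirectAccess status: $($status.Status) / $($status.Substatus)"

    # Main mode SAs: in this deployment both the computer and the user
    # authentication are Kerberos, since no machine certificate was issued.
    Get-NetIPsecMainModeSA | Format-List

    # Confirm the no-PKI state the video shows in the MMC: an empty
    # LocalMachine\My store. A populated store means a cert was auto-enrolled
    # and the deployment is not the one this walkthrough describes.
    $machineCerts = @(Get-ChildItem Cert:\LocalMachine\My)
    if ($machineCerts.Count -gt 0) {
        Write-Warning "$($machineCerts.Count) machine certificate(s) present; expected none"
    }
    return ($suffixOk -and $exemptOk)
}
```

Run Test-IPv6Binding and Add-DaClientComputer from the RSAT workstation, Test-PublicName from a host on the Internet (from inside the LAN the DNS part still works, the TCP 443 part may not), and Test-DaClientState on the client after the reboot that makes its group membership visible. Note what the checks do not cover: the first IPsec tunnel here is authenticated with the machine's Kerberos identity only and the IP-HTTPS certificate is a self-signed one pushed into the clients' trusted roots by the GPO, which is exactly the reduced-assurance, lab-only configuration the video itself says not to run in production.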
Info
Channel: ITdvds
Views: 49,588
Keywords: DirectAccess Training, deploy directaccess, directaccess step by step, install directaccess, direct access
Id: q6HotGGJZyw
Length: 32min 23sec (1943 seconds)
Published: Sun Aug 27 2017