
Deploying DirectAccess


Table of Contents
Deploying DirectAccess ........ 1
Exercise 1 Deploying DirectAccess ........ 2


Deploying DirectAccess
Objectives
After completing this lab, you will be better able to:
- Install Microsoft Forefront Unified Access Gateway (UAG) on a Windows Server 2008 R2 server
- Perform the initial configuration of the Forefront UAG server using the Getting Started Wizard
- Configure Active Directory as the authentication repository
- Create a portal trunk for application and network access
- Use the portal trunk to publish Microsoft Exchange
- Configure Forefront UAG to publish a remote desktop server
- Enable remote access to the internal network using the Secure Socket Tunneling Protocol (SSTP)
- Deploy an ISATAP IPv6 router to the internal network

Scenario

Adatum will deploy Forefront UAG to allow Adatum users to have access to its corporate network using a Virtual Private Network (VPN) service, provide secure access to Microsoft Office Outlook Web Access (OWA) and Outlook Anywhere, allow Adatum IT administrators to connect to internal servers using the Remote Desktop service, and use DirectAccess to provide Windows 7 users seamless connectivity to the internal resources, while enforcing the company security policy on them.

Estimated Time to Complete This Lab
60 Minutes

Computers used in this Lab
VAN-UAG1
VAN-DC1
VAN-CL1
VAN-NAP

The password for the Adatum\Administrator or Adatum\Jason accounts on all computers in this lab is: Pa$$w0rd

Page 1 of 8


Exercise 1 Deploying DirectAccess


Scenario
In this lab you'll use Microsoft Forefront Unified Access Gateway (UAG) to enable seamless access to the internal network for Windows 7 clients using the DirectAccess technology.

Complete the following task on: VAN-DC1

1. Create global groups for DirectAccess servers and clients

Note: In this task, you will create global groups in the Adatum.com domain for DirectAccess clients and DirectAccess servers.

a. Click Start | Administrative Tools | Active Directory Users and Computers.
b. On the left pane, right-click adatum.com, click New, and then click Organizational Unit.
c. In the Name box, type DirectAccess and click OK.
d. On the left pane, right-click DirectAccess, select New, and then Group.
e. In the Group Name box, type DA Clients and click OK.
f. On the left pane, right-click DirectAccess again, click New, and then Group.
g. In the Group Name box, type DA Servers and click OK.
h. On the right pane, double-click DA Clients.
i. Select the Members tab, and click Add.
j. Click Object Types, select Computers, and click OK.
k. In the Enter the object names to select box, type VAN-CL1, and then click OK.
l. Click OK again to close the DA Clients Properties window.
m. On the right pane, double-click DA Servers.
n. Select the Members tab, and click Add.
o. Click Object Types, select Computers, and click OK.
p. In the Enter the object names to select box, type VAN-UAG1, and click OK.
q. Click OK again to close the DA Servers Properties window.
r. Close the Active Directory Users and Computers window.
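The same task done from PowerShell, as an added example that is not part of the lab manual. It assumes the ActiveDirectory module available on a Windows Server 2008 R2 domain controller and the lab's names (adatum.com, the DirectAccess OU, DA Clients, DA Servers, VAN-CL1, VAN-UAG1); run it on VAN-DC1 as a Domain Admin. The last function is the check worth keeping: the DirectAccess GPOs created later are security-filtered to these two groups, so a stray member silently receives the IPsec certificate and DNS-suffix policies.

```powershell
# Added example (not from the lab manual): scripted equivalent of Task 1.
# Assumes the ActiveDirectory module and a reachable domain controller running
# Active Directory Web Services; all names below are the lab's.
Import-Module ActiveDirectory

$DomainDN = 'DC=adatum,DC=com'
$OuName   = 'DirectAccess'
$OuDN     = "OU=$OuName,$DomainDN"

# Group -> computer accounts. Limiting these groups to exactly the DirectAccess
# machines is what makes the later GPO security filtering a least-privilege control.
$Membership = @{
    'DA Clients' = @('VAN-CL1')
    'DA Servers' = @('VAN-UAG1')
}

function New-DirectAccessOu {
    # Creates the DirectAccess OU directly under the domain root if it is missing.
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDN -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $OuName -Path $DomainDN
    }
    Get-ADOrganizationalUnit -Identity $OuDN
}

function New-DirectAccessGroup {
    # Creates a global security group in the OU (idempotent) and adds the computer
    # accounts that are not already members.
    param([string]$Name, [string[]]$Computers)
    $group = Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $OuDN
    if (-not $group) {
        $group = New-ADGroup -Name $Name -GroupScope Global -GroupCategory Security -Path $OuDN -PassThru
    }
    $current = @(Get-ADGroupMember -Identity $group | ForEach-Object { $_.Name })
    foreach ($computer in $Computers) {
        if ($current -notcontains $computer) {
            Add-ADGroupMember -Identity $group -Members (Get-ADComputer -Identity $computer)
        }
    }
    $group
}

function Test-DirectAccessMembership {
    # $true only when each group contains exactly the intended computer accounts.
    $ok = $true
    foreach ($name in $Membership.Keys) {
        $expected = @($Membership[$name])
        $actual   = @(Get-ADGroupMember -Identity $name |
                      Where-Object { $_.objectClass -eq 'computer' } |
                      ForEach-Object { $_.Name })
        $missing  = @($expected | Where-Object { $actual -notcontains $_ })
        $extra    = @($actual   | Where-Object { $expected -notcontains $_ })
        if ($missing.Count -or $extra.Count) {
            $ok = $false
            Write-Warning ("{0}: missing [{1}] unexpected [{2}]" -f $name, ($missing -join ','), ($extra -join ','))
        }
    }
    $ok
}

New-DirectAccessOu | Out-Null
foreach ($name in $Membership.Keys) {
    New-DirectAccessGroup -Name $name -Computers $Membership[$name] | Out-Null
}
Test-DirectAccessMembership
```

Membership changes on computer accounts take effect on the member's next logon (the Kerberos ticket carries the group SIDs), which is why the lab restarts VAN-CL1 before expecting the policies to apply.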

2. Configure AutoEnrollment for IPSec computer certificates

Note: In this task, you will enable the AutoEnrollment feature for automatic certificate enrollment and renewal for the DirectAccess servers and clients.

a. Click Start | Administrative Tools | Certification Authority.
b. This will open the Certification Authority console.
c. In the left pane, expand Adatum-VAN-DC1-CA. Right-click Certificate Templates and select Manage.
d. This will open the Certificate Templates Console window.
e. In the right pane of the Certificate Templates Console, double-click Workstation Authentication.
f. The Workstation Authentication template contains the Client Authentication OID required for IPSec negotiation.
g. Click the Security tab, and then click Add.
h. In the Enter the object names to select box, type DA Clients; DA Servers, and then click OK.
i. Under Permissions for DA Clients select both the Enroll and the Autoenroll check boxes in the Allow column.
j. Under Permissions for DA Servers select both the Enroll and the Autoenroll check boxes in the Allow column.
k. Click OK to close the template properties.
l. Close the Certificate Templates Console window.
m. Return to the Certification Authority console, right-click Certificate Templates, select New, and then click Certificate Template to Issue.
n. Select Workstation Authentication, and then click OK.
o. On the left pane, right-click Adatum-VAN-DC1-CA, select All Tasks, and then Stop Service.
p. Right-click Adatum-VAN-DC1-CA again, select All Tasks, and then Start Service.
q. Close the Certification Authority console.
r. Click Start | Administrative Tools | Group Policy Management.
s. This will open the Group Policy Management console.
t. On the Group Policy Management console, expand Forest: adatum.com, expand Domains, and select adatum.com.
u. Right-click adatum.com, and then click Create a GPO in this domain, and Link it here.
v. In the New GPO window, in the Name box, type DirectAccess IPsec Certificate AutoEnrollment, and then click OK.
w. On the right pane, right-click DirectAccess IPsec Certificate AutoEnrollment, and then click Edit.
x. This will open the Group Policy Management Editor console.
y. On the Group Policy Management Editor console, in the left pane under Computer Configuration, expand Policies | Windows Settings | Security Settings and then select Public Key Policies.
z. In the right pane, double-click Certificate Services Client Auto-Enrollment.
aa. In Configuration Model, select Enabled, and then select both the Renew expired certificates and Update certificates that use certificate templates check boxes.
bb. Click OK and close the Group Policy Management Editor console.
cc. Return to the Group Policy Management window. In the left pane, expand adatum.com, and then select DirectAccess IPsec Certificate AutoEnrollment. Click OK to close the warning dialog box.
dd. In the right pane, under Security Filtering, click Add. In the Enter the object name to select box type DA Clients, and then click OK.
ee. Under Security Filtering click Add again. In the Enter the object name to select box type DA Servers, and click OK.
ff. Select Authenticated Users and click Remove. Click OK to confirm.

3. Configure DNS suffix for the DirectAccess clients

Note: In this task you will configure a group policy object setting the primary DNS suffix of the DirectAccess clients to adatum.com.

a. Still on the Group Policy Management console, expand Forest: adatum.com, expand Domains, and select adatum.com.
b. Right-click adatum.com, and then click Create a GPO in this domain, and Link it here.
c. In the New GPO window, in the Name box, type DirectAccess Client DNS Suffix, and click OK.
d. In the right pane, right-click DirectAccess Client DNS Suffix, and select Edit.
e. This will open the Group Policy Management Editor console.
f. On the Group Policy Management Editor console, in the left pane under Computer Configuration, expand Policies | Administrative Templates | Network, and then select DNS Client.
g. In the right pane, double-click Primary DNS Suffix.
h. This will open the Primary DNS Suffix window.
i. Select Enabled, and then in the Enter a primary DNS suffix box, type adatum.com.
j. Click OK. In the right pane, double-click Connection-Specific DNS Suffix.
k. This will open the Connection-Specific DNS Suffix window.
l. Select Enabled, and then in the Enter a primary DNS suffix box, type adatum.com.
m. Click OK and close the Group Policy Management Editor console.
n. Return to the Group Policy Management window. In the left pane expand adatum.com, and select DirectAccess Client DNS Suffix. Click OK to close the warning pop-up.
o. In the right pane, under Security Filtering, click Add. In the Enter the object name to select box, type DA Clients, and click OK.
p. Select Authenticated Users and click Remove. Click OK to confirm.
q. Close the Group Policy Management console.
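The GPO part of Tasks 2 and 3 (create, link, security-filter, set the policy value) scripted with the GroupPolicy module, as an added example that is not part of the lab manual. It assumes the Windows Server 2008 R2 GPMC cmdlets and the lab's GPO and group names. The two registry locations passed to Set-GPRegistryValue are the author's understanding of what the Auto-Enrollment and Primary DNS Suffix settings write (the AEPolicy value of 7 for "enabled with both renew/update boxes checked" in particular); confirm them with gpresult /h on a member computer after the policy has applied.

```powershell
# Added example (not from the lab manual): scripted equivalent of the GPO steps in
# Tasks 2 and 3. Assumes the GroupPolicy module and the lab's names.
Import-Module GroupPolicy

$DomainDN = 'DC=adatum,DC=com'

function New-FilteredGpo {
    # Creates the GPO if needed, links it at the domain, grants the listed groups
    # Read+Apply, and removes the default Authenticated Users entry from the filter
    # (the GUI equivalent is Security Filtering > Authenticated Users > Remove).
    param([string]$Name, [string[]]$ApplyTo)

    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name }

    $alreadyLinked = (Get-GPInheritance -Target $DomainDN).GpoLinks |
                     Where-Object { $_.DisplayName -eq $Name }
    if (-not $alreadyLinked) { New-GPLink -Name $Name -Target $DomainDN | Out-Null }

    foreach ($group in $ApplyTo) {
        Set-GPPermission -Name $Name -TargetName $group -TargetType Group -PermissionLevel GpoApply | Out-Null
    }
    Set-GPPermission -Name $Name -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel None -Replace | Out-Null
    $gpo
}

function Get-GpoApplyTrustees {
    # Who will actually receive the GPO: the check to run after changing the filter.
    param([string]$Name)
    Get-GPPermission -Name $Name -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }
}

# Task 2: auto-enrollment for both DirectAccess groups.
# ASSUMPTION: AEPolicy = 7 corresponds to Enabled + "Renew expired certificates" +
# "Update certificates that use certificate templates".
$autoEnroll = New-FilteredGpo -Name 'DirectAccess IPsec Certificate AutoEnrollment' -ApplyTo 'DA Clients', 'DA Servers'
Set-GPRegistryValue -Name $autoEnroll.DisplayName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' `
    -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null

# Task 3: primary DNS suffix for clients only.
# ASSUMPTION: value name written by the "Primary DNS Suffix" administrative template.
$dnsSuffix = New-FilteredGpo -Name 'DirectAccess Client DNS Suffix' -ApplyTo 'DA Clients'
Set-GPRegistryValue -Name $dnsSuffix.DisplayName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\System\DNSClient' `
    -ValueName 'PrimaryDnsSuffix' -Type String -Value 'adatum.com' | Out-Null

Get-GpoApplyTrustees -Name $autoEnroll.DisplayName
Get-GpoApplyTrustees -Name $dnsSuffix.DisplayName
```

Removing Authenticated Users entirely, as the lab does, was fine on the Windows 7 / 2008 R2 clients of this lab. Clients patched with MS16-072 (June 2016) retrieve user policy in the computer's security context, so on current systems keep Read for Authenticated Users or Domain Computers and remove only Apply; otherwise the filtered GPO is silently skipped.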

Complete the following tasks on: VAN-UAG1

4. Enroll IPSec certificate for DirectAccess server

Note: In this task you will manually enroll a Workstation Authentication certificate to the VAN-UAG1 server, so there is no need to wait for AutoEnrollment. Enrolling the certificate could also be accomplished by simply restarting the VAN-UAG1 server at this point.

a. Open the Start menu, select Run, type mmc, and then press ENTER to open the Microsoft Management Console.
b. In the File menu, select Add/Remove Snap-in.
c. In the left pane, select Certificates and click Add.
d. In the Certificates snap-in window, select Computer account and click Next.
e. Click Finish to confirm that the snap-in will manage the Local Computer, and click OK.
f. In the left pane, expand Certificates (local computer), expand Personal, right-click Certificates, and click All Tasks | Request New Certificate.
g. This will open the Certificate Enrollment wizard.
h. Click Next to start the wizard, and Next again to confirm the enrollment policy.
i. Select Workstation Authentication, and click Enroll.
j. Click Finish to close the Certificate Enrollment wizard.
k. In the left pane, select Certificates. In the right pane you should see the following computer certificates:
   - *.adatum.com: used by the Forefront UAG portal and by the IP-HTTPS server interface.
   - VAN-UAG1.adatum.com: used by the IPSec tunnels.
   - Default Web Site and WMSvc-VAN-UAG1: self-signed certificates created by the default Windows installation; they are not used by Forefront UAG.
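A scripted version of the check in step k, added here and not part of the lab manual: it inspects Cert:\LocalMachine\My on VAN-UAG1 and reports which certificates carry the Client Authentication EKU the lab mentions in Task 2 (step f), which are self-signed, and whether a non-expired CA-issued certificate for the server's FQDN exists. The subject name is the lab's; the internal template name "Workstation" for the Workstation Authentication template is an assumption of this example.

```powershell
# Added example (not from the lab manual): verify the machine store holds a certificate
# usable for the DirectAccess IPsec tunnels. Assumes the lab's VAN-UAG1.adatum.com subject
# and that the Workstation Authentication template's internal name is "Workstation".
$ClientAuthOid   = '1.3.6.1.5.5.7.3.2'    # id-kp-clientAuth, required for IPsec negotiation
$TemplateNameOid = '1.3.6.1.4.1.311.20.2' # Microsoft "Certificate Template Name" extension (v1 templates)

function Get-MachineCertificateSummary {
    # One summary object per certificate in the local computer's Personal store.
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasClientAuth = $false
        if ($ekuExt) {
            $hasClientAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
        }
        $tmplExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateNameOid }
        $template = ''
        if ($tmplExt) { $template = $tmplExt.Format($false).Trim() }

        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Template   = $template
            ClientAuth = $hasClientAuth
            SelfSigned = ($cert.Subject -eq $cert.Issuer)   # Default Web Site / WMSvc certificates
            Expires    = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
        }
    }
}

function Test-IpsecServerCertificate {
    # $true when a non-expired, CA-issued certificate for the expected subject exists that
    # came from the assumed template and carries the Client Authentication EKU.
    param([string]$SubjectCn = 'VAN-UAG1.adatum.com', [string]$TemplateName = 'Workstation')
    $match = Get-MachineCertificateSummary | Where-Object {
        $_.Subject -like "CN=$SubjectCn*" -and $_.ClientAuth -and (-not $_.SelfSigned) -and
        $_.Template -like "*$TemplateName*" -and $_.Expires -gt (Get-Date)
    }
    [bool]$match
}

if (-not (Test-IpsecServerCertificate)) {
    # Trigger the auto-enrollment task now instead of waiting for a policy refresh or reboot.
    certutil -pulse | Out-Null
    Start-Sleep -Seconds 15
}
Get-MachineCertificateSummary | Format-Table Subject, Template, ClientAuth, SelfSigned, Expires -AutoSize
Test-IpsecServerCertificate
```

The wildcard *.adatum.com certificate will also show ClientAuth depending on how it was issued; the test deliberately keys on the server's own FQDN, because that is the identity the IPsec tunnel rules generated in Task 5 authenticate with.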

5. Verify prerequisites and configure Forefront UAG DirectAccess

Note: After confirming the certificate prerequisites, in this task you will verify the IP networking prerequisites.

a. Open the Start menu, select Run, type cmd, and then press ENTER to open the Command prompt.
b. Type ipconfig, and then press ENTER to display the IP configuration.
c. Confirm that the External interface has two consecutive IPv4 addresses (157.54.1.1 and 157.54.1.2), and the Internal interface has one static IPv4 address (10.0.0.1).
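The check in step c, automated, as an added example that is not part of the lab manual. It assumes the two adapters carry the connection names External and Internal as in the lab VM and uses the lab's addresses as defaults. The "consecutive" test compares the addresses numerically rather than by last octet, so a pair such as x.x.1.255 / x.x.2.0 is correctly accepted and x.x.1.1 / x.x.1.3 correctly rejected.

```powershell
# Added example (not from the lab manual): verify the UAG DirectAccess IPv4 prerequisites.
# Assumes adapter connection names "External" and "Internal" and the lab addresses.
function ConvertTo-IPv4Number {
    # Dotted-quad to an unsigned integer, so ordering and "differ by one" are exact.
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [uint64]$b[0] * 16777216 + [uint64]$b[1] * 65536 + [uint64]$b[2] * 256 + [uint64]$b[3]
}

function Test-ConsecutiveIPv4 {
    # $true when the list holds exactly two IPv4 addresses that differ by one.
    param([string[]]$Addresses)
    $v4 = @($Addresses | Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' })
    if ($v4.Count -ne 2) { return $false }
    $n = @($v4 | ForEach-Object { ConvertTo-IPv4Number $_ } | Sort-Object)
    ($n[1] - $n[0]) -eq 1
}

function Get-AdapterIPv4 {
    # IPv4 addresses and DHCP flag of the adapter with the given connection name.
    param([string]$ConnectionName)
    $nic = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID = '$ConnectionName'"
    if (-not $nic) { throw "No adapter named $ConnectionName" }
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index = $($nic.Index)"
    New-Object PSObject -Property @{
        Name        = $ConnectionName
        IPv4        = @($cfg.IPAddress | Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' })
        DhcpEnabled = [bool]$cfg.DHCPEnabled
    }
}

function Test-UagIpPrerequisites {
    param(
        [string[]]$ExpectedExternal = @('157.54.1.1', '157.54.1.2'),
        [string]$ExpectedInternal = '10.0.0.1'
    )
    $ext = Get-AdapterIPv4 -ConnectionName 'External'
    $int = Get-AdapterIPv4 -ConnectionName 'Internal'
    $extSet = ($ext.IPv4.Count -eq $ExpectedExternal.Count) -and
              -not @($ExpectedExternal | Where-Object { $ext.IPv4 -notcontains $_ }).Count
    New-Object PSObject -Property @{
        ExternalAddresses   = $ext.IPv4
        ExternalConsecutive = Test-ConsecutiveIPv4 -Addresses $ext.IPv4
        ExternalAsExpected  = $extSet
        InternalAddresses   = $int.IPv4
        InternalStatic      = (-not $int.DhcpEnabled) -and ($int.IPv4.Count -eq 1)
        InternalAsExpected  = ($int.IPv4 -contains $ExpectedInternal)
    }
}

# Offline sanity checks of the comparison, then the live check of this server.
Test-ConsecutiveIPv4 '157.54.1.1', '157.54.1.2'      # consecutive
Test-ConsecutiveIPv4 '157.54.1.255', '157.54.2.0'    # consecutive across an octet boundary
Test-ConsecutiveIPv4 '157.54.1.1', '157.54.1.3'      # not consecutive
Test-UagIpPrerequisites
```

Two consecutive public addresses are needed because Teredo (one of the DirectAccess transition technologies) requires the server to answer on two adjacent IPv4 addresses; if the External adapter shows DHCP-assigned or non-adjacent addresses, the server wizard in step m cannot select the second address automatically.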
d. Open the Start menu, and click Forefront UAG Management.
e. This will open the Forefront UAG Management console.
f. In the left pane, select DirectAccess.
g. In the right pane, click Configure in the Clients box.
h. This will open the UAG DirectAccess Client Configuration window.
i. Click Add.
j. Type DA Clients in the Groups box, and then click OK. Click Finish to close the UAG DirectAccess Client Configuration window.
k. In the DirectAccess Server box, click Configure.
l. This will open the UAG DirectAccess Server Configuration window.
m. Under Internet-facing, select 157.54.1.1 as the first Internet-facing IPv4 address. The wizard should automatically select 157.54.1.2 as the second Internet-facing IPv4 address.
n. Under Internal, select 10.0.0.1, and click Next.
o. Confirm that both the Enable UAG DirectAccess NAT64 and Enable UAG DirectAccess DNS64 check boxes are selected, and click Next.
p. Confirm that Use root certificate is selected, and click Browse.
q. Select Adatum-VAN-DC1-CA, and click OK.
r. Click the second Browse button, and select Adatum wildcard as the IP-HTTPS certificate. Click OK.
s. Since the certificate is a wildcard certificate, specify da.adatum.com as the full URL for IP-HTTPS, and click OK.
t. Click Finish to close the UAG DirectAccess Server Configuration window.
u. In the Infrastructure Servers box, click Configure.
v. This will open the Infrastructure Server Configuration window.
w. In the HTTPS URL of the network location server, type inside.adatum.com and click Validate. Confirm that the validation is successful and click Next.
   Note: If the validation is not successful, ensure that the VAN-NAP virtual machine is running.
x. Confirm that the *.adatum.com zone is configured as [DNS64] and both the IP-HTTPS (da.adatum.com) and the network location server (inside.adatum.com) are excluded from the name resolution policy table.
y. Double-click on an empty row in the table.
z. In the Name Resolution servers used by DirectAccess box, type portal.adatum.com, select Do not use an internal DNS server for the specified server or suffix, and click OK.
aa. This is an example of a split-brain DNS, where the external name portal.adatum.com should be resolved by the Internet DNS service.
bb. Confirm that the Fall back to local name resolution if the name does not exist in DNS or the DNS servers are unreachable when the client computer is on a private network (recommended) option is selected, and click Next.
cc. In the left pane, select Adatum.com, and in the right pane confirm that VAN-DC1.adatum.com is selected. Forefront UAG automatically identifies all domain controllers for the selected domains.
dd. Click Finish to close the Infrastructure Server Configuration window.
ee. In the Application Servers box, click Configure.
ff. This will open the Application Server Configuration window.
gg. Confirm that Require end-to-edge authentication and encryption is selected, and click Finish to close the Application Server Configuration window.
hh. In the bottom of the right pane, click Generate Policies. This will generate the PowerShell script responsible for configuring the group policy objects (GPOs) for server and client configuration in Active Directory.
ii. The Forefront UAG DirectAccess Configuration Review window will pop up with all the settings that will be configured by the PowerShell script.
jj. Review the settings in the Forefront UAG DirectAccess Configuration Review window, and click Apply Now.
kk. A DirectAccess Policy Configuration window will appear with the results of the PowerShell script. Note that you are able to execute the script because you're logged on as a Domain Admin.
ll. After the script is executed, click OK to close the DirectAccess Policy Configuration window, and then click Close to close the Forefront UAG DirectAccess Configuration Review window.
mm. Switch to the Command prompt, type gpupdate /force, and then press ENTER. This will force the application of the group policy objects on the Forefront UAG DirectAccess server.
nn. Switch back to the Forefront UAG Management console, and activate the UAG configuration.
oo. Click Start | Administrative Tools | Windows Firewall with Advanced Security.
pp. This will open the Windows Firewall with Advanced Security tool.
qq. In the left pane, click Connection Security Rules.
rr. In the right pane you should see two IPSec tunnel mode rules:
   - UAG DirectAccess Gateway Clients Access Enabling Tunnel All defines the infrastructure IPSec tunnel that enables access to resources like domain controllers, DNS servers, NAP servers, and others. This rule requires only computer credentials (certificates and NTLMv2).
   - UAG DirectAccess Gateway Client Corp Tunnel defines the intranet IPSec tunnel that enables access to the intranet resources. This rule requires computer (certificate) and user (Kerberos) credentials.
ss. Close the Windows Firewall with Advanced Security tool.

Complete the following task on: VAN-CL1

6. Confirm DirectAccess connectivity

Note: In this task you will provision DirectAccess on the VAN-CL1 computer and then use it to connect to internal file shares and Web sites from the Internet.

a. Restart the VAN-CL1 virtual machine. This will force it to receive the DirectAccess client provisioning group policies.
b. Log on to VAN-CL1 using the adatum\jason user account.
c. Click Start, type Windows firewall in the Search programs and files box, and under Programs (1), click Windows Firewall with Advanced Security.
d. This will open the Windows Firewall with Advanced Security tool.
e. In the left pane, click Windows Firewall with Advanced Security on Local Computer.
f. In the right pane, you should see that the Domain Profile is active.
g. In the left pane, click Connection Security Rules.
h. You should see no IPSec rules defined in the right pane. The Domain Profile selected by the client in the corporate network does not have any IPSec tunnel mode rules defined.
i. Click Start, type cmd in Search programs and files, right-click the cmd symbol under Programs (1), and select Run as administrator. Click Yes when prompted by the User Account Control.
j. This will open the Windows Command prompt with administrator privileges.
k. Type netsh namespace show effective, and then press ENTER.
l. You should see that the name resolution policy table (NRPT) is not active. The NRPT is only activated when the client is outside the corporate network.
m. You will move the VAN-CL1 system to the Internet network. This operation will be done in the Hyper-V console.
   Note: If you're running this lab in a hosted environment, follow the instructions provided by your host to change the virtual machine to another network. The rest of this lab is here for informational purposes and cannot be completed in this demonstration.
n. On your host machine, open the Hyper-V Manager.
o. In the Virtual Machines pane, right-click VAN-CL1, and click Settings.
p. This will open the settings for the VAN-CL1 virtual machine.
q. In the left pane, select Network Adapter.
r. In the right pane, under Network, select Internet and click OK.
s. Return to the VAN-CL1 virtual machine, and on the desktop, right-click the External icon, and then click Run as administrator. Click Yes at the User Account Control prompt.
t. This batch file will configure the network settings for the Adatum internal network.
u. Switch to the Windows Firewall with Advanced Security window.
v. In the left pane, click Windows Firewall with Advanced Security on Local Computer.
w. In the right pane, you should see that the Public Profile is now active.
x. In the left pane, click Connection Security Rules.
y. You should see the following IPSec rules now defined:
   - UAG DirectAccess Client Clients Access Enabling Tunnel All defines the infrastructure IPSec tunnel that enables access to resources like domain controllers, DNS servers, NAP servers, and others.
   - UAG DirectAccess Client Client Corp Tunnel defines the intranet IPSec tunnel that enables access to the intranet resources.
   - UAG DirectAccess Client Exempt NLA specifies that IPSec should never be used when trying to communicate with the network location server.
z. Switch to the Windows command prompt window.
aa. Type netsh namespace show effective, and then press ENTER.
bb. You should see that the name resolution policy table (NRPT) is now active.
cc. Type ipconfig | more, and then press ENTER.
dd. Confirm that you have an active 6to4 interface with the 2002:9d36:115::9d36:115 6to4 address.
ee. Type gpupdate /force, and then press ENTER.
ff. Confirm that you are able to successfully refresh your group policies while on the Internet, using DirectAccess.
gg. Click Start, type \\van-dc1 in the Search programs and files box, and then press ENTER.
hh. You should see the file shares in the VAN-DC1 domain controller, available through the DirectAccess infrastructure IPSec tunnel.
ii. Click Start, type \\van-nap\c$ in the Search programs and files box, and then press ENTER.
jj. You should see the C drive in the VAN-NAP server, available through the DirectAccess intranet IPSec tunnel.
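The check in step dd, done by computation rather than by eye, as an added example that is not part of the lab manual. A Windows 6to4 host builds its address from its public IPv4 address as 2002:WWXX:YYZZ::WWXX:YYZZ, so the lab's 2002:9d36:115::9d36:115 is exactly what a client at 157.54.1.21 should have; the script derives the expected address from whatever public IPv4 address the client holds and reports whether it is present. It assumes nothing beyond WMI on the Windows 7 client; the 157.54.1.21 value is only this example's worked input. Private, loopback and link-local IPv4 addresses never get a 6to4 address, and the script says so instead of reporting a false mismatch.

```powershell
# Added example (not from the lab manual): derive and verify the client's 6to4 address.
function Test-PublicIPv4 {
    # False for RFC 1918, loopback and APIPA ranges, none of which 6to4 can use.
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($b[0] -eq 10 -or $b[0] -eq 127) { return $false }
    if ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) { return $false }
    if ($b[0] -eq 192 -and $b[1] -eq 168) { return $false }
    if ($b[0] -eq 169 -and $b[1] -eq 254) { return $false }
    $true
}

function ConvertTo-6to4Address {
    # 2002:WWXX:YYZZ::WWXX:YYZZ, each 16-bit group printed without leading zeros,
    # which is how Windows displays it (157.54.1.21 -> 2002:9d36:115::9d36:115).
    param([string]$PublicIPv4)
    if (-not (Test-PublicIPv4 $PublicIPv4)) {
        throw "$PublicIPv4 is not a public IPv4 address, so no 6to4 address applies"
    }
    $b  = [System.Net.IPAddress]::Parse($PublicIPv4).GetAddressBytes()
    $hi = [int]$b[0] * 256 + [int]$b[1]
    $lo = [int]$b[2] * 256 + [int]$b[3]
    '2002:{0:x}:{1:x}::{0:x}:{1:x}' -f $hi, $lo
}

function Test-IPv6Equal {
    # Compare by value so different zero-compression of the same address still matches.
    param([string]$A, [string]$B)
    ([System.Net.IPAddress]::Parse($A)).Equals([System.Net.IPAddress]::Parse($B))
}

function Test-DirectAccess6to4 {
    # For every public IPv4 address on this client, compute the implied 6to4 address
    # and report whether an interface actually has it.
    $addresses = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
                   ForEach-Object { $_.IPAddress } | Where-Object { $_ })
    $publicV4 = @($addresses | Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' -and (Test-PublicIPv4 $_) })
    $v6       = @($addresses | Where-Object { $_ -match ':' })

    if ($publicV4.Count -eq 0) {
        Write-Warning 'No public IPv4 address: behind NAT the client uses Teredo or IP-HTTPS, not 6to4.'
    }
    foreach ($v4 in $publicV4) {
        $expected = ConvertTo-6to4Address $v4
        $present  = [bool]($v6 | Where-Object { Test-IPv6Equal $_ $expected })
        New-Object PSObject -Property @{ PublicIPv4 = $v4; Expected6to4 = $expected; Present = $present }
    }
}

ConvertTo-6to4Address '157.54.1.21'   # the lab's client address, as a worked input
Test-DirectAccess6to4
```

If the client sits behind a NAT (the usual case outside a lab), no 6to4 interface appears and DirectAccess falls back to Teredo or, when Teredo is blocked, to IP-HTTPS through da.adatum.com; the IPsec tunnel rules and the NRPT state in steps y and bb are unaffected by which transition technology is used.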
