This DirectAccess Test Lab Extension for DirectAccess in Windows Server 2008 R2 describes how to configure Selected Server access for DirectAccess clients of the corp.contoso.com domain. You configure and test end-to-end Internet Protocol security (IPsec) protection for traffic between CLIENT1 and members of a specified Active Directory Domain Services (AD DS) security group, which includes APP1.

Note  These instructions are designed for a working DirectAccess test lab that has been configured based on the instructions in the Test Lab Guide: Demonstrate DirectAccess document.

If you are running the DirectAccess Test Lab in a virtual environment, you can create snapshots of the virtual machines (VMs) for all of the test lab computers before performing the following procedures. 

 

Configuring and Demonstrating Selected Server Access

To demonstrate the lack of end-to-end protection between CLIENT1 and APP1 with the default DirectAccess test lab:

  1. Connect CLIENT1 to the Internet subnet.
  2. Open a command prompt.
  3. Click Start, type wf.msc, and then press Enter.
  4. In the console tree, open Monitoring\Security Associations.
  5. From the Command Prompt window, run the net view \\app1 command.
  6. In the Windows Firewall with Advanced Security console tree, open Main Mode and Quick Mode.

 

You should see a series of security associations (SAs) with the remote addresses of 2002:836b:2::836b:2 and 2002:836b:3::836b:3. These correspond to the SAs for the infrastructure (2002:836b:2::836b:2) and intranet (2002:836b:3::836b:3) tunnels to the DirectAccess server. There are no SAs to the remote address of 2002:836b:2:1:0:5efe:10.0.0.3, the ISATAP address of APP1, because there is no end-to-end protection defined between CLIENT1 and APP1.

 

To configure Selected Server access:

  1. On DC1, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, right-click Users, point to New, and then click Group.
  3. In New Object-Group, type SelectedServers in Group name, and then click OK.
  4. In the details pane, double-click the new SelectedServers group, click the Members tab, and then click Add.
  5. Click Object Types, select Computers, and then click OK.
  6. Type APP1, and then click OK twice.
  7. Restart APP1.
  8. On DA1, click Start, point to Administrative Tools, and then click DirectAccess Management.
  9. In the console tree, click Setup.
  10. In the details pane, click Edit in Step 4.
  11. On the DirectAccess Application Server Setup page, click Require end-to-end authentication and traffic protection for the specified servers, and then click Add.
  12. In Select Group, type SelectedServers, click OK, and then click Finish.
  13. Click Finish, and then click Apply.
  14. When prompted, click OK.

 

To update APP1 and CLIENT1 and demonstrate end-to-end IPsec protection:

  1. On APP1, log on with the User1 user account credentials, open a command prompt, and then run the gpupdate /target:computer command.
  2. On CLIENT1, from the Command Prompt window, run the gpupdate /target:computer command.
  3. From the Command Prompt window, run the net view \\app1 command.
  4. In the Windows Firewall with Advanced Security console tree, refresh the Main Mode and Quick Mode nodes.

 

You should now see a main mode SA and quick mode SA with the remote address of 2002:836b:2:1:0:5efe:10.0.0.3. These are the SAs for the end-to-end protection between CLIENT1 and APP1.

.

If you are running the DirectAccess Test Lab in a virtual environment, you can discard the changes made by these procedures by restoring the previously made snapshots of the VMs for all of the computers in the test lab. Alternately, if you would like return to a working DirectAccess configuration with Selected Server access enabled, you can create a new set of snapshots before restoring the previously made snapshots.

.

To manually restore the configuration of the DirectAccess Test Lab, perform the following procedure.

.

 Restoring the DirectAccess Test Lab

To restore the DirectAccess Test Lab to its original configuration:

  1. On DA1, click Start, point to Administrative Tools, and then click DirectAccess Management.
  2. In the console tree, click Setup.
  3. In the details pane, click Edit in Step 4.
  4. On the DirectAccess Application Server Setup page, click Require no additional end-to-end authentication, and then click Finish.
  5. Click Finish, and then click Apply.
  6. When prompted, click OK.
  7. On APP1, from the Command Prompt window, run the gpupdate /target:computer command.
  8. On CLIENT1, from the Command Prompt window, run the gpupdate /target:computer command.

 

 

For additional DirectAccess Test Lab extensions and other resources for the DirectAccess Test Lab, click here.