Remote Access 2012 how-to

  • Question

  • Hi,

    Where can I find information about setting up DA on a 2012 server with Windows 7 clients?

    I cannot find any documentation that covers the whole thing (certificates, IPv6, ISATAP, ...).

    Thursday, April 18, 2013 12:03 PM

All replies

  • Hello,

    Deploy the DirectAccess Gateway as you would for Windows 8 clients, and in Step 2 don't forget to check this option for Windows 7 compatibility:


    Follow me on Twitter http://www.twitter.com/liontux | My Blog (French/English) : http://security.sakuranohana.fr/

    Thursday, April 18, 2013 12:56 PM
  • Hi Lionel,

    I did that however it is not working yet.

    There are so many dependencies that I am not sure what I am overlooking.

    I ran the wizard and used self-signed certificates for DA and NLS; I also use autoenrollment for Win7 clients.

    After the wizard completes the GPOs are created; if I test from a test laptop running Windows 7, I see the GPO is applied.

    My default network connection is renamed to Network1 and I cannot contact DCs anymore; running a gpupdate throws an error like there is no network connectivity, and I cannot use Outlook as it fails to communicate with the Exchange server.

    Thursday, April 18, 2013 1:04 PM
  • As for Forefront UAG before, did you check the following prerequisites:

    • On the DirectAccess Gateway deploy a private computer certificate with the EKU Server Authentication
    • On the DirectAccess clients deploy a private computer certificate with the EKU Client Authentication

    Follow me on Twitter http://www.twitter.com/liontux | My Blog (French/English) : http://security.sakuranohana.fr/

    Thursday, April 18, 2013 1:06 PM
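As an added example (not part of this thread), a PowerShell check for the two certificate prerequisites above and for the HTTPS binding the NLS needs on the DirectAccess server. The issuing CA name and NLS host name are assumptions taken from the configuration pasted further down; adjust them for your site.

```powershell
# Added check script, not from the thread. Run elevated on the DirectAccess server,
# or with -ClientRole on a Windows 7 DA client. Default values are assumptions
# taken from the configuration the poster pasted; change them for your environment.
param(
    [string]$IssuerMatch = 'corp-REMCORPVDC11-CA',     # issuing CA shown in the thread
    [string]$NlsHost     = 'REMTC4URA01.corp.acme.local', # NLS host shown in the thread
    [switch]$ClientRole                                # set when checking a DA client
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # EKU: Server Authentication (DA gateway)
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # EKU: Client Authentication (DA clients)
$RequiredOid   = if ($ClientRole) { $ClientAuthOid } else { $ServerAuthOid }

function Get-CertEkuOids {
    # Returns the EKU OIDs of a certificate, or an empty array if it has no EKU extension
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

# 1. A computer certificate in the machine store with the required EKU, a private key,
#    issued by the expected CA, whose chain builds and passes revocation checking (Verify()).
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.Issuer -like "*$IssuerMatch*" -and
    ((Get-CertEkuOids $_) -contains $RequiredOid)
}
$valid = $candidates | Where-Object { $_.Verify() }
if ($valid) {
    "OK: computer certificate with EKU $RequiredOid from $IssuerMatch and a valid chain:"
    $valid | Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize
} elseif ($candidates) {
    "FAIL: certificate present but chain/revocation check failed; is the CA chain trusted and the CRL reachable?"
} else {
    "FAIL: no computer certificate with EKU $RequiredOid issued by $IssuerMatch (check autoenrollment, then gpupdate /force)"
}

# 2. On the NLS host, clients probe the NLS URL over HTTPS, so IIS needs an https binding,
#    not only the default http one.
if (-not $ClientRole) {
    Import-Module WebAdministration -ErrorAction Stop
    $https = Get-WebBinding -Protocol https
    if ($https) { "OK: IIS https binding(s): " + (@($https.bindingInformation) -join ', ') }
    else { "FAIL: no https binding in IIS; https://$NlsHost/ will not answer and clients will think they are outside" }
}
```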
  • Here is what i did:

    On my CA:

    Created 2 templates from the default Workstation Authentication template (basically followed http://syscomlab.blog.com/2012/09/how-to-get-windows-7-to-work-with-directaccess-server-2012/):

    • I created a new template called DirectAccess IPSec Server (intended purposes: Server Authentication, Client Authentication); I granted rights in the Security tab for my DA server to enroll and also autoenroll.
    • I created a new template called DirectAccess IPSec Client (intended purposes: Client Authentication); I granted rights in the Security tab to my security group DirectAccessClients for enroll and autoenroll.
    Then
    1. Right click on Certificate Templates, select New and then Certificate Template to Issue.
    2. Select both DirectAccess IPSec Client and DirectAccess IPSec Server. Click OK.

    I then ran the certification snap-in once more on my DA server and clicked Request Certificate, then chose Web Server (put the CN of my server, direct-access.acme.com) and clicked Enroll.

    I then ran the Remote Access Management console:

    -Step1

    Configured clients with default settings (used a probe like http://direct-access.corp.acme.com; validation is successful).

    -Step2

    Select the certificate to authenticate IP-HTTPS: I select the web server certificate I requested earlier (the one with the CN direct-access.acme.com); it says transition technologies are enabled for IPv4 support.

    Authentication: I select Active Directory credentials, I select Use computer certificates, click Use an intermediate CA and browse to my CA certificate; finally I click Enable Windows 7 client computers.

    Here are the settings saved to a file:

    Review the configuration settings.

    GPO Settings

    CORP
    DirectAccess server GPO name: DirectAccess Server Settings
    Client GPO name: DirectAccess Client Settings

    Remote Clients
    • DirectAccess is deployed for client access and remote client management
    • DirectAccess security groups:
      CORP\DirectAccessComputers
    • Force tunneling is disabled
    • Resource used to verify internal network connectivity:
      A default web probe to check corporate connectivity will be created automatically
      HTTP:http://direct-access.corp.acme.local/
    • DirectAccess connection name: Workplace Connection
    • Helpdesk email address: itsupport@acme.com
    • DirectAccess clients can select to use local DNS servers for name resolution

    Remote Access Server
    DirectAccess configuration:
    • Public name or address to which remote clients connect: direct-access.acme.com
    • Network adapter connected to the Internet (via NAT device): Ethernet
    • The intermediate certificate to which remote clients chain is:
      CN=corp-REMCORPVDC11-CA, DC=corp, DC=acme, DC=local
    • IP-HTTPS certificate:
      direct-access.acme.com
    • Two-factor authentication is not enabled
    • Windows 7 client computers can connect via DirectAccess

    Infrastructure Servers
    • Network location server certificate:
      CN=REMTC4URA01.corp.acme.local
    • DNS suffixes used by DirectAccess clients:
      Name Suffix                    DNS Server Address
      acme.local                     10.1.1.11, 10.1.1.9, 10.1.1.10
      corp.acme.local                10.1.1.1, 10.1.1.12, 10.2.1.11
      REMTC4URA01.corp.acme.local
    • Local name resolution option:
      Use local name resolution if DNS servers are unavailable or the name does not exist in DNS

    Application Servers
    • DirectAccess client access and remote management is enabled. End-to-end authentication to specific application servers is disabled


    • Edited by ReMark-IT Thursday, April 18, 2013 1:57 PM
    Thursday, April 18, 2013 1:53 PM
  • Another thing:

    On my server both the ISATAP and Teredo adapters are in state Disconnected.

    In the Remote Access Dashboard, the configuration status is: Unavailable: configuration cannot be retrieved from the DC.

    I also configured the DA server as the NLS server, but if I look at the IIS bindings I only see one binding for http on the default IPv4 address.

    Thursday, April 18, 2013 2:22 PM