Microsoft DirectAccess is a very cool technology when it comes to connecting to your corporate network from anywhere over the Internet in a very secure manner. DirectAccess was available since Server 2008R2 with very limited capabilities and then came the Microsoft Unified Access Gateway (UAG) which was an amazing technology at that time that allowed DirectAccess protected by Microsoft ISA server (Good old days).
The UAG offered core features like the DNS64 and NAT64 (Please note that DirectAccess works over IPV6) and these features was important because up till now we can rarely find any corporate running all its internal network on IPV6. Later on Windows 2012R2 server as well as Windows 2016 server came with the DirectAccess role offering most of the features in UAG and new ones that simplify the deployment especially for Windows 8 and Windows 10 clients.
Why do I love DirectAccess ?
- Seamless and Always on connection. No client is needed like regular VPN deployments. All you need is corporate configured Laptop/Computer/Server (Yes DirectAccess can be implemented on your remote site servers) and Internet connection (Any public Internet) and once you are logged you are connected securely.
- Transparent bi-directional. The DirectAccess client is connected to the corporate network as if its inside the network, it can connect to resources in the corporate and users from the corporate like help desk team can connect to the DirectAccess client for any troubleshooting. Also any management software like SCCM, Active Directory, WSUS……etc can still access and apply all policies on these remote DirectAccess clients.
- Installation and Implementation is done on Server 2016 (Latest version and updates as of July 2018). One server deployment (Single Server Site deployment)
- Recommended deployment is to have one server with two Network cards, the first network (Internal) is connected to the internal corporate network and the second network card (External) is connected to the DMZ which is behind your corporate firewall. This is the recommended deployment which I will go through these blog series however you can have the DirectAccess server with one NIC or on your network edge facing the Internet directly however each of these deployments has its drawbacks and its not fully secured. Again it depends whether production or lab but I highly recommend going with 2 NIC model behind the firewall.
- Since we are behind the Firewall then we need to create a Destination NAT rule to forward DirectAccess traffic (Inbound 443) to the DirectAccess External NIC. As we are behind the Firewall we will be using IP-HTTPS Not Teredo or direct IPv4 (IPV6 transition technologies to IPV4)
- Active Directory should be running DFSR
- Create an OU in your Active Directory and give it a convenient name. All DirectAccess computers will be under this OU.
- Create a Security Group for DirectAccess clients and give it any convenient name.
- DirectAccess can run with self signed certificate if you are running Windows 8 and 10 clients only (which is our case) however for more secure deployment you will need internal PKI to generate client certificates and you need public SSL certificate for your DirectAccess server. You can create one and name it “Directaccess.domain.com”. In your external DNS make sure to assign a public IP to this name, this IP will be used to create the Destination NAT from it to the server External NIC (DMZ) as we mentioned above. Some Key factors for the internal certificates that will be assigned to your clients are shown below.
- Internal PKI DirectAccess Client template, make sure to have the certificate recipient Windows 8.1 or higher to support Windows 8 and 10, If you need to support Windows 7 then the Authority should be Windows 2008 R2 and Recipient Windows 7
- Minimum Key size should be at least 2048
- Make sure Subjectname is built from Active Directory – DNS. The Certificate will have the DNS name of the computer.
- The most important step while creating the DirectAccess client certificate template is to ensure the DirectAccess Security group created in Active directory – step 6 (In my case i named it DirectAccess_Clients) has the enroll and Autoenroll check box. You will need to have an Autoenroll Group policy to allow these clients to pick and renew the certificates automatically.
- Installing DirectAccess can be done either by PowerShell or GUI. PowerShell is very simple single command to install it and the command is as follows “Install-Windowsfeature Directaccess-vpn -includeManagementTools“
- The other way is the GUI and we will go through the installation step by step. Open Server Manager and add new role
- Pick the Remote Access Role
- Choose DirectAccess and VPN role services and add the needed features needed by DirectAccess
- That’s all you need and then Finish and reboot the server.
In the next part of this series we will be discussing the post configuration for the server and share some tips to ensure you have a smooth up and running DirectAccess implementation.