DirectAccess has been around a while, but there seem to be a few misconceptions about it, maybe because it is much better and simpler now. On Server 2012 with Windows 8, it is awesome.
It basically allows your devices to be connected to your corporate network wherever they have internet access, without the hassle and requirement for a VPN.
So the problem of users having laptops, taking them home, and you never seeing them again is no longer a problem.
But you need IPv6 right? Only on the client, the laptop. But you need DA installed on an edge server? Nope, you can put it behind your firewall, in your DMZ. You need PKI? Nope, although obviously you should in a corporate live environment.
So what do you need? The simplest solution is a Windows 2012 server to host the role, a domain, and a Windows 8 Enterprise client. Windows 7 Enterprise is also supported, but it is more of a hassle to setup (and you need proper certificates (not self-signed).
Steps to install:
- Configure your external router/firewall. Basically, you need to forward HTTPS (TCP443) to the internal IP address of your DA server.
On your server which will provide the DirectAccess services (in my case, a VM with a single NIC), open SerOOnver Manager and go to “Add Roles and Features”. Press “next” until you get to the point where you can actually select the roles to add. Click “Remote Access”…..
- Open a Powershell window and run “add-windowsfeature remoteaccess -includeManagementTools -restart”
- Wait for the server to finish the install and then it will restart if required (or you can leave that out and restart it manually).
- Then from the Start Screen, run “Remote Access Management”
- Once this opens, you need to go to “Configuration” if it isn’t on there already.
- Then it is a matter of following the four steps, one after the other. So click “Edit” for step one.
- Choose “Deploy full DirectAccess for client acess and remote management” (unless you don’t want your users to be able to connect back to your network) and press “Next”.
- Choose a pre-created group of computers, that you will give access to this functionality, or be lazy and leave it as domain computers if you wish.
- Here, you want to enter an email address for the helpdesk (otherwise you can’t generate/collect client logs later), and of course you need a connection name.
- Then press finish, and “Edit” step two.
- Here, the wizard will try and detect whether you are an edge server, or behind a DMZ, and how many NIC’s you have. You also need to configure a method for clients to connect back to your site (and send data over HTTPS). So if you have a static IP, you can use that, or you can use a DNS name if you have one (there are several free ones around).
- At the next screen, you can select to use self-signed certificates, or not.
- Then you need to configure the client authentication, computer certificates, and options around Windows 7. If you want you users to connect automatically and seamlessly, active/directory credentials will be the one to choose. Maybe worth checking with your internal security over that though!
- Then click “finish”, and “Edit” step three.
- Here you will specify the location of the Network Locator Server. It doesn’t need to be installed on the same server, and there may be reasons to have it installed on a separate server for high-availability as the note says.
- Next you will be given the DNS configuration. How much (if anything) you need to change here will depend on your setup. For a simple installation with one domain, you probably won’t need to change anything though.
- Next you can add any additional DNS suffixes that will used, and press Next.
- Finally, you can enter the names of any machines that will be used to manage those clients connected via DirectAccess. This could be WSUS or SCCM servers.
- Click “finish”, and then “Edit” on step four.
- Here, if you are just playing with this on a test environment, you won’t be required to change anything, but otherwise you might want to extend the authentication to additional servers for end-to-end authentication/encryption. You will need IPv6 running internally to do this though.
- And once all that is done, press “Finish” at the bottom to do the configuration. You will be given a chance to review and make any changes before pressing the “apply” button.
- Once you have given it a bit of time, and all the components are green, you are ready to configure the Windows 8 client. To do this, just run “gpupdate /force” (or force it remotely from gpmc.msc).
Then on the laptop, if you look at connections, you will see a new connection, with the name you defined back in Step one. At that, point, take your laptop somewhere remote (a friends wifi connection for example), and connect to it. Once you are on the Internet, you should see a connection to your newly configured DirectAccess connection.
You can test it by running a few pings, connecting to some shares, etc.
Note that the IPv4 address of the remote system is encapsulated in the IPv6 address (after the colon).
All done! Connectivity to your network (and back) whenever and wherever you are connected to the Internet!