How to Setup Direct Access on Windows Server 2008 and Windows 7
What’s your main goal this year? Let me guess… is it increasing productivity, while at the same time saving your company some time and money?
Well, you’re not alone. These days, the main goal for many businesses is increasing productivity and having a mobile workforce that can access information instantly, saving valuable resources. Internal employees and external clients need accurate up-to-date information, even when they are on the go.
If your network is running Windows Server 2008 R2 and your clients are using Windows 7 you can take advantage of Direct Access to connect your mobile workforce.
Direct Access has many advantages over Virtual Private Networks (VPNs) and is meant to be a VPN replacement. With Direct Access the connection between the client computer and the company Intranet is as seamless as using the Internet, while at the same time being more secure than a VPN. P
lus your clients won’t have to worry about authentication and the several steps involved with establishing a VPN connection or dealing with the hassles of re-establishing a connection if the VPN is lost. Going through a VPN can also slow down Internet connections, so that is another advantage of using Direct Access instead of a VPN.
In spite of Direct Access creating a seamless connection on the client side, you as the administrator will have some work to do, to get Direct Access installed and configured correctly. But it is well worth the effort because not only is client productivity increased, network security is increased as well.
Direct Access creates a bi-directional connection which allows you to update client computers behind the scenes, whenever they are connected to the Internet. This means that you can install software updates and other security patches without the client actually being connected to the company Intranet.
If you truly want to understand how Direct Access works Microsoft suggests you familiarize yourself and understand:
- TCP/IP architecture,
- IPv6 addressing,
- IPv6 forwarding and routing,
- IPv6 transition technologies,
- how Internet Protocol security (IPsec) protocols work to protect network traffic,
- and how to create a public key infrastructure (PKI) with Active Directory Certificate Service (AD CS).
In this article I will touch on all these subjects but I won’t go in depth; consider this your introduction to Direct Access.
If you would like to use Direct Access on your network you will need a minimum of a direct access server running Windows Server 2008 R2 with two network adapters, one for the Internet and one for the Intranet. This server needs to be a member of an Active Directory Domain Services domain.
The Direct Access server also needs at least two IPv4 addresses assigned to the network adapter. Client computers need to be running Windows 7 Enterprise or Ultimate and be members of the AD DS domain. There needs to be at least one domain controller and one DNS server. You will also need a public key infrastructure (PKI) to issue certificates.
According to Microsoft the steps below can be used to create a Direct Access compatible network.
Steps For Setting Up A Direct Access Network
- Windows Server 2008 R2 needs to be installed on a server with two network adapters.
- Join the server to the AD DS server.
- Install a computer certificate for IPsec authentication.
- Configure the direct access server so one adapter is connected to the Internet and one adapter is connected to the Intranet. If your network does not have IPv6 connectivity enable both adapters and make sure their IPv4 Addresses are configured. This is necessary so that the Direct Access server can use automatic configuration.
- Verify open ports and protocols in firewall exceptions.
- The Direct Access server will need at least two consecutive, public static IPv4 addresses that are externally resolvable through DNS.
- Enable IPv6.
- Create a group security policy in Active Directory and add the client computer accounts.
- If the Direct Access server is also the network location server, install the IIS server role on the Direct Access server.
- Designate one of the server network adapters as the Internet-facing interface. That interface will require two consecutive, public IPv4 addresses. Both IPv4 addresses must be assigned to the same interface.
- On the Direct Access server, ensure the Internet-facing interface is configured to be either a “Public” or a “Private” interface (depending on your network design) and the intranet interfaces are configured to be “Domain” interfaces.
Installing the Direct Access Management Console
Once you have your network setup, you will need to install the Direct Access Management Console Feature.
In order to install the Direct Access Management Console use the Add Feature Wizard in Server Manager. Once the snap-in is installed you can run it by going to Administrative Tools and clicking on Direct Access Management.
The management console simplifies configuration of Direct Access with a four step wizard. In order to configure Direct Access click on setup and run the wizard. When you are finished going through the wizard you can save the settings as a script file or apply it to the Direct Access Server.
The Wizard will guide you through each step in configuring Direct Access. You will not be able to move on to another step until the previous step is configured. In the first step you will identify the client computers by selecting their security groups. Which you should already have created.
During the next step you enter information about which server connects to the Internet and which one connects to the Intranet. There is also information about whether you are using native IPv6 or tunneling with IPv4. You also have the option of using smart cards for added remote client security.
The second part of Step 2 is selecting which certificates you will be using. Direct Access requires PKI so you will need to set up a root certificate which will be used by clients during IPsec authentication and certificate for HTTPS connectivity.
Step 3 is configuring the infrastructure servers. A network location needs to be configured so the clients will know if they are inside or outside the Intranet. A certificate also has to be associated with that server.
Another part of step 3 is configuring name resolution policy tables these are used to tell the client how to access certain infrastructure servers of the network according to the DNS of the servers.
An optional setting in step 3 is setting up remote client management but you will probably want to set it up because managing remote clients is one of the advantages of Direct Access.
Step 4 can add or limit connectivity to certain machines using authentication with IPsec.
Once you are done with your configuration you can save it and work on it later or save the settings in a script file. You will also get a report of your configuration settings that you can double check before you apply them. Once you hit Apply the wizard configures Direct Access and builds group policy objects.
Advantages of Using Direct Access
The advantages of using Direct Access are many. From improved management of remote users to IT simplification and cost reduction. This flexibility in remote user management enables you to keep security and health policies up to date.
Using IPv6 and IPsec makes authentication and encryption easier and faster. Access Control is also simplified because you can configure which Intranet resources users have access to. Also, control of whether Internet traffic goes through the Intranet or not, keeping the two separate can save on resources and increase speed.
If your network has the capability to run Direct Access, the effort of setting it up will save you valuable time in the long run.