2570 directaccesswsg external


8/22/2019 2570 DirectAccessWSG External

More Work Smart Content: http://microsoft.com/itshowcase

This guide is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. © 2012 Microsoft Corporation. All rights reserved.

Work Smart: Setting Up DirectAccess

Get Started

About DirectAccess

DirectAccess is a new feature in Windows 7 and Windows Server 2008 R2 that enables you to seamlessly connect to the corporate network from any Internet-equipped remote location without having to establish a Virtual Private Network (VPN) connection. DirectAccess provides increased productivity for a mobile workforce by offering the same connectivity experience both inside and outside of the office.

DirectAccess deployed at and is the preferred and primary remote access solution.

Topics in this guide include:

• About DirectAccess
• Prerequisites for DirectAccess
• Setting Up DirectAccess
• Troubleshooting DirectAccess
• Disabling DirectAccess

Customization note: This document contains guidance and/or step-by-step installation instructions that can be reused, customized, or deleted entirely if they do not apply to your organization's environment or installation scenarios. The text marked in red indicates either customization guidance or organization-specific variables. All of the red text in this document should either be deleted or replaced prior to distribution.

About DirectAccess

The internal implementation of DirectAccess at, uses your computer's Trusted Platform Module (TPM) chip for strong authentication. This means that you only have to use your smart card once during the setup process. After setting up, you will not need your smart card for remote access using DirectAccess.

Prerequisites for DirectAccess

Before you can configure and use DirectAccess:

• Your computer must be running Windows 7 (Enterprise or Ultimate).
• You must have a smart card and a smart card reader.
• You must have RAS access.
• Your computer must be joined to a corporate domain.
• Your computer must have a Trusted Platform Module (TPM) chip.
• BitLocker Drive Encryption must be enabled on your computer.
• Your computer must be in compliance with Network Access Protection (NAP).

Customization note: The above bullets represent the prerequisites currently referenced in this guide; this list should be updated based on requirements specific to your organization.


Use a Smart Card with DirectAccess

You will need a smart card (identification badge with RAS access) to do the initial certificate enrollment for DirectAccess. After DirectAccess is configured successfully on your computer, you will not need your smart card when you want to log in remotely.

You will also need a smart card reader to use your smart card. If your computer does not have a built-in reader, contact your group's administrative assistant to order one.

Check Your Computer for a TPM Chip

DirectAccess leverages a computer's TPM chip for strong authentication. If your computer does not have a TPM chip, you cannot use DirectAccess.

To check for a TPM chip:

1. Click Start, click Run, type tpm.msc, and then press ENTER.

2. In the Trusted Platform Module (TPM) Management on Local Computer window, check to see if a TPM chip is installed.

If the information in the TPM Management window indicates that your computer does not have a TPM chip, you cannot use DirectAccess.

Enable BitLocker Drive Encryption

To use DirectAccess, you must enable BitLocker Drive Encryption with a personal identification number (PIN) on all of your portable computers (notebooks, laptops, netbooks, and so on). For non-portable computers, such as desktop systems, BitLocker is mandatory, but setting up a PIN is optional.

If you do not have BitLocker enabled on your computer, you must enable it while connected to the corporate network.

The process to enable BitLocker can take from one to five hours, depending on your computer's hard-disk size and the amount of free space. It's a good idea to enable BitLocker ahead of time, independent of the DirectAccess setup. However, if you run the DirectAccess Setup wizard without configuring BitLocker first, the Setup wizard will automatically configure your BitLocker settings.

If your computer has multiple drives, requires that you have BitLocker only on your System drive. It is highly encouraged that you enable BitLocker on all drives as a security best practice, however.

To enable BitLocker:

1. Check to see if your portable computer is BitLocker-capable >.

2. If it is BitLocker-capable, enable BitLocker >.

If you have BitLocker enabled but without a PIN, the DirectAccess Setup wizard will help you configure a PIN during the setup process.


About NAP for DirectAccess

DirectAccess uses NAP for client health validation and enforcement. If your computer is not compliant, you will receive a NAP pop-up message. However, you will only be blocked from corporate network access while physically outside of the corporate network. You will be able to access local and Internet resources even if your computer is non-compliant.

Your computer must meet basic computer health requirements such as:

• You must install the latest security patches on your computer. To confirm that your computer has the most current updates, click Start, click All Programs, and then click Windows Update. In the Windows Update window, click Check for Updates in the left pane. Check also for updates managed by your system administrator (as shown in the following graphic) and install all Important/Critical updates.

• Your computer must have Forefront EndPoint Protection 2010 installed.

• Once your computer has been configured for DirectAccess, BitLocker Drive Encryption must be enabled at all times. If you disable or suspend BitLocker, NAP will identify your computer as non-compliant for DirectAccess.

Setting Up DirectAccess

To set up DirectAccess on your computer, your computer must be connected to the corporate network using a wired or wireless LAN connection or through VPN.

1. Click Start, click All Programs, and then click DirectAccess Setup. If you do not see the Setup wizard under All Programs:

   a. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

   b. In the Command Prompt window, type gpupdate /force, and then press ENTER. (You must be connected to the corporate network over a wired or wireless LAN connection, or over a VPN connection, to run this command.)

   c. Once the command executes successfully, wait approximately 15 minutes for your computer to receive the latest policy settings.

   d. You will receive a pop-up notification to install DirectAccess. If you do not receive this notification, click Start, click All Programs, and then click DirectAccess Setup to manually launch the Setup wizard.

   Alternatively, when the group policy on your PC refreshes, you will see a pop-up notification to enable DirectAccess in case it is not already installed. Click the pop-up notification to launch the DirectAccess Setup wizard.

2. Click Continue. The Privacy Notification is displayed.


Customization note: The following screen capture represents a customizable installation wizard for example purposes; you may choose to replace this image with one specific to your organization.

3. Read the instructions carefully to ensure that your computer meets all listed requirements, and then click Continue to proceed with the installation.

Note: If you accidentally click Disable, re-launch the Setup wizard.

The DirectAccess Setup wizard checks to see if the TPM chip on your computer has the latest firmware. If it does, the wizard will skip the next step. If not, the wizard displays the TPM Firmware dialog box.

Customization note: The following screen capture represents a customizable installation wizard for example purposes; you may choose to replace this image with one specific to your organization.

4. Click Fix to upgrade your firmware. The following dialog box is displayed to inform you that a reboot is required for the TPM firmware upgrade to continue.


5. Click OK to reboot your computer, and then log in after your computer reboots.

A pop-up notification appears and asks you to launch the DirectAccess Setup wizard again. Click this notification to launch the wizard. The Setup wizard checks to see if you have configured BitLocker correctly on your computer. If so, the wizard skips the next step. If BitLocker is not configured correctly, the BitLocker Configuration dialog box is displayed.

Customization note: The following screen capture represents a customizable installation wizard for example purposes; you may choose to replace this image with one specific to your organization.

The BitLocker Configuration dialog box is displayed for any of the following reasons:

• BitLocker is not configured correctly or is not enabled.
• BitLocker is enabled, but it is not using the TPM chip.
• Your portable computer does not have a BitLocker PIN established.
• BitLocker is suspended.
• The BitLocker encryption process is not complete.
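The prerequisites listed earlier (a TPM chip, BitLocker on the System drive, a PIN on portable computers) and the five reasons just given for the BitLocker Configuration dialog can be checked before running the wizard. The PowerShell function below is an added example, not part of this Work Smart guide or of the DirectAccess Setup wizard; the function name, the -Portable switch, and the mapping of each dialog reason to a WMI status code are this example's own assumptions, while the Win32_Tpm and Win32_EncryptableVolume WMI classes it queries are standard on Windows 7.

```powershell
# Added example (not the guide's or the wizard's code): reports which of the
# BitLocker Configuration dialog's reasons apply to this computer, using the
# WMI classes available on Windows 7. Run from an elevated PowerShell prompt.
function Test-DirectAccessBitLockerReady {
    param(
        [string]$Drive = $env:SystemDrive,   # the guide requires BitLocker on the System drive
        [switch]$Portable                    # a PIN is mandatory only on portable computers
    )
    $problems = @()

    # Prerequisite: a TPM chip (no Win32_Tpm instance means no usable TPM)
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
        -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return @('No TPM chip found; DirectAccess cannot be used.') }

    $vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$Drive'" -ErrorAction SilentlyContinue
    if (-not $vol) { return @("$Drive is not a BitLocker-capable volume.") }

    # ConversionStatus: 0 FullyDecrypted, 1 FullyEncrypted, 2 EncryptionInProgress,
    # 3 DecryptionInProgress, 4 EncryptionPaused, 5 DecryptionPaused
    $conv = $vol.GetConversionStatus().ConversionStatus
    # ProtectionStatus: 0 = protection off (never enabled, or suspended), 1 = on
    $prot = $vol.GetProtectionStatus().ProtectionStatus

    switch ($conv) {
        0       { $problems += 'BitLocker is not configured correctly or is not enabled.' }
        1       { if ($prot -eq 0) { $problems += 'BitLocker is suspended.' } }
        default { $problems += 'The BitLocker encryption process is not complete.' }
    }

    if ($conv -ne 0) {
        # KeyProtectorType: 1 TPM, 4 TPM+PIN, 5 TPM+StartupKey, 6 TPM+PIN+StartupKey
        $types = foreach ($id in $vol.GetKeyProtectors(0).VolumeKeyProtectorID) {
            $vol.GetKeyProtectorType($id).KeyProtectorType
        }
        if (-not ($types | Where-Object { @(1, 4, 5, 6) -contains $_ })) {
            $problems += 'BitLocker is enabled, but it is not using the TPM chip.'
        }
        if ($Portable -and -not ($types | Where-Object { @(4, 6) -contains $_ })) {
            $problems += 'This portable computer does not have a BitLocker PIN established.'
        }
    }
    return $problems
}

# Usage: list the conditions the wizard would ask you to Fix on a notebook.
$issues = Test-DirectAccessBitLockerReady -Portable
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else { 'BitLocker is configured as DirectAccess expects.' }
```

An empty result means the Setup wizard would skip the BitLocker Configuration step; each returned line corresponds to one of the reasons listed above.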

6. Click Fix to repair the BitLocker configuration. When the BitLocker configuration is complete, the DirectAccess Setup wizard begins the certificate enrollment process.

7. When prompted by the wizard, insert your smart card into your computer's smart card reader and enter your smart card PIN.

8. Click Finish in the DirectAccess Setup Complete dialog box to complete the installation.

Notes

• The DirectAccess Connectivity Assistant (DCA) can show you the status of your connection and help you troubleshoot problems. For more information, see Troubleshooting DirectAccess later in this guide.

• Once DirectAccess is set up on your computer, the computer will hibernate if it is running on battery power and inactive for over minutes. However, if the computer is connected to a power outlet, it will not hibernate during extended periods of inactivity. Likewise, if your computer is put in sleep mode for more than minutes on battery power, the DirectAccess policy will resume your computer and hibernate it.

• If you run into technical issues with DirectAccess, contact >.


Troubleshooting DirectAccess

The DirectAccess Connectivity Assistant (DCA) gives you the ability to monitor connectivity status to the corporate network over DirectAccess. The DCA is automatically installed when you set up DirectAccess on your computer.

The DCA provides one of the three following status icons at all times (the icon images are not reproduced here).

Icon    Description

[icon]  Your connectivity to the corporate network over DirectAccess is working correctly.

[icon]  DirectAccess has malfunctioned, and your connection to the corporate network is not working correctly. Contact > for resolution. The Helpdesk technician may ask you to generate DCA diagnostics logs and email those logs to the Helpdesk (see procedure below).

[icon]  There is an issue with your DirectAccess connectivity. If you click the DCA icon, it will provide steps to resolve the issue.

Note

If the DCA icon does not appear in your notification area, in the Show hidden icons portion of your notification area, click the up arrow. In the menu that appears, click Customize. In the Notification Area Icons dialog box, in the drop-down list to the right of DirectAccess Connectivity Assistant, select Show icon and notifications, and then click OK.

Generate a DCA Diagnostics Log for a Helpdesk Technician

1. Right-click the DCA icon in the notification area, and then click Advanced Diagnostics.

2. In the Advanced Diagnostics dialog box, under Advanced Log File, click the link to the log file. Windows Explorer opens and lists the logs.

3. Open Microsoft Office Outlook, compose a new email message, and then attach the log file. The Helpdesk technician will provide an address to send the log file to. Enter the Service Request number (SR#) in the subject line so the technician can associate your log file with your issue.

Disabling DirectAccess

By default, all domain-joined Windows 7 clients will process DirectAccess policies. If DirectAccess does not meet your needs, you can disable it (preferred) or you can opt out completely.

To disable DirectAccess:

1. To disable a computer already provisioned with DirectAccess, click Start, click All Programs, and then click DirectAccess Setup to run the DirectAccess Setup wizard.


2. In the first screen of the wizard, click the Disable button.

Customization note: The following screen capture represents a customizable installation wizard for example purposes; you may choose to replace this image with one specific to your organization.

If you want to use DirectAccess in the future, re-run the Setup wizard.

After disabling DirectAccess with this method, your computer will continue to process all DirectAccess group policies and will detect whether it is inside or outside the corporate network. The DirectAccess Connectivity Assistant (DCA) will show while your computer is on the corporate network and when it is not on the corporate network. This is by design.

Opt Out of DirectAccess Completely

There are very few scenarios where a computer may need to completely opt out of DirectAccess. If you have questions or if you require a security group added to opt out, please contact > directly.

For More Information

Microsoft DirectAccess: http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/windows-7/features.aspx#directaccess