DirectAccess, Do's and Don'ts - Kieran Jacobsen, HP Enterprise Services

Posted on 16-Dec-2015

TRANSCRIPT

  • Slide 1
  • DIRECT ACCESS, DO'S AND DON'TS - KIERAN JACOBSEN, HP ENTERPRISE SERVICES
  • Slide 2
  • PLAN FOR THE NIGHT: Pre-deployment design considerations; Deploying your first server; Diagnosing issues
  • Slide 3
  • WINDOWS 7 OR 8/8.1. Windows 7: Requires certificate-based computer authentication; Doesn't support the use of NULL ciphers when IP-HTTPS is used; Will require the Connectivity Assistant to be installed; Has limited support for multi-site deployments
  • Slide 4
  • HIGH AVAILABILITY OPTIONS. Load balancing: NLB or an external load balancer. Multi-site: clients can select entry points automatically or can specify them manually; global load-balanced IP support; limited Windows 7 support. Cannot deploy DirectAccess load balancing or multi-site on 2012 R2 when the Web Proxy Server is installed
  • Slide 5
  • 3RD PARTY LOAD BALANCERS: F5 and Riverbed support various different deployment types; Ensure you enable NULL SSL ciphers; Can provide SSL offload support (if supporting Windows 7)
  • Slide 6
  • DIRECTACCESS AND PKI: CRL and strong CRL validation. IPsec will fail to establish a connection if using certificate-based computer authentication with computer certificates that use the SHA512 hashing algorithm
  • Slide 7
  • LET'S DEPLOY
  • Slide 8
  • DON'T USE THE GETTING STARTED WIZARD
  • Slide 9
  • DIRECTACCESS WITH OR WITHOUT VPN
  • Slide 10
  • JUST 4 SIMPLE STEPS
  • Slide 11
  • STEP 1: FULL ACCESS OR MANAGE OUT?
  • Slide 12
  • STEP 1: GROUPS
  • Slide 13
  • STEP 1: NETWORK CONNECTIVITY
  • Slide 14
  • STEP 2: NETWORK PLACEMENT
  • Slide 15
  • STEP 2: NETWORK ADAPTERS
  • Slide 16
  • STEP 2: AUTHENTICATION
  • Slide 17
  • STEP 3: NETWORK LOCATION SERVICE
  • Slide 18
  • Slide 19
  • STEP 3: DNS AND NRPT
  • Slide 20
  • NRPT RESOLUTION: EXCHANGE.CITADEL.UMBRELLACORP.INFO. Whilst connected to DirectAccess, the user's Outlook client needs to connect to exchange.citadel.umbrellacorp.info.
    1. The FQDN is compared to the NRPT; it matches only the first entry in the table, which directs it to the DNS proxy on the DirectAccess server.
    2. The user's computer sends a DNS request to the DirectAccess server.
    3. The DirectAccess server uses its locally configured network interfaces to resolve the request; if the response from the corporate DNS servers is an IPv4 address, the DirectAccess server substitutes an IPv6 address.
    4. The response is sent to the DirectAccess client.
  • Slide 21
  • NRPT RESOLUTION: INSIDE.CITADEL.UMBRELLACORP.INFO (NLS ADDRESS). Whilst connected to DirectAccess, DirectAccess performs a connectivity test to see if it is connected to the corporate network.
    1. The FQDN is compared to the NRPT; it matches the second entry in the table, which is the NRPT exemption.
    2. The user's computer sends a DNS request directly to the DNS server configured on the client's NIC.
    3. Public DNS is unable to resolve the address, so DirectAccess determines it is still externally connected.
  • Slide 22
  • NRPT RESOLUTION: MICROSOFT.COM. Whilst connected to DirectAccess, the user opens Internet Explorer and attempts to open the Microsoft web page.
    1. The FQDN is compared to the NRPT; no matching entries are found.
    2. If split tunnelling (default): the user's computer sends a DNS request directly to the DNS server configured on the client's NIC; public DNS then resolves the address and responds to the client.
       OR, if force tunnelling: the user's computer sends the DNS request to the DirectAccess server, and the DirectAccess server uses its locally configured network interfaces to resolve the request; if the response from the corporate DNS servers is an IPv4 address, the DirectAccess server substitutes an IPv6 address. The address is then sent to the client.
  • Slide 23
  • NRPT RESOLUTION: INTRANET (SINGLE LABEL). Whilst connected to DirectAccess, the user opens Internet Explorer, types intranet in the address box and hits enter:
    1. A single-label name is in use, so a DNS suffix is appended to the request to form an FQDN.
    2. The FQDN is compared to the NRPT; it matches only the first entry in the table, which directs it to the DNS proxy on the DirectAccess server.
    3. The user's computer sends a DNS request to the DirectAccess server.
    4. The DirectAccess server uses its locally configured network interfaces to resolve the request; if the response from the corporate DNS servers is an IPv4 address, the DirectAccess server substitutes an IPv6 address.
    5. The response is sent to the DirectAccess client: either (1) the resolved address or (2) name not found.
    6. If the name has been resolved, the process is complete. If the name was not found, return to step 2 and try the next entry in the DNS suffix search order. If all suffix search entries have been exhausted, continue to step 7.
    7. Attempt to use LLMNR, NetBIOS or WINS. * Special Warning *
  • Slide 24
  • NRPT RESOLUTION: INTRANET (SINGLE LABEL) LOCAL NAME RESOLUTION
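The NRPT decision path walked through on slides 20 to 24, modelled in Python as an added example (this is not code from the deck or from DirectAccess itself). The NRPT table, suffix search list, DNS answers and the 2001:db8:da64::/96 IPv6 prefix are constructed stand-ins, and NRPT matching is modelled as most-specific entry wins, which is what lets the NLS exemption take precedence over the broader corporate suffix rule.

```python
import ipaddress

# Constructed NRPT table (not from the slides). A leading dot marks a suffix
# rule, no leading dot marks an exact-FQDN rule; a None action is an exemption
# (the client then uses the DNS server configured on its own NIC).
DA_DNS_PROXY = "DirectAccess DNS proxy"
NRPT = {
    ".citadel.umbrellacorp.info": DA_DNS_PROXY,
    "inside.citadel.umbrellacorp.info": None,  # NLS exemption (slide 21)
}
SUFFIX_SEARCH = ["citadel.umbrellacorp.info", "umbrellacorp.info"]
NAT64_PREFIX = "2001:db8:da64::/96"  # placeholder for the DA server's IPv6 prefix

def nrpt_match(fqdn):
    """Most-specific NRPT entry covering fqdn, or None when nothing matches."""
    best = None
    for ns, action in NRPT.items():
        hit = fqdn.endswith(ns) if ns.startswith(".") else fqdn == ns
        if hit and (best is None or len(ns) > len(best[0])):
            best = (ns, action)
    return best

def da_resolve(fqdn, corp_dns):
    """DA server answers from corporate DNS; an IPv4 record is mapped into IPv6."""
    answer = corp_dns.get(fqdn)
    if answer is None:
        return None
    ip = ipaddress.ip_address(answer)
    if ip.version == 6:
        return str(ip)
    base = ipaddress.ip_network(NAT64_PREFIX).network_address
    return str(ipaddress.IPv6Address(int(base) + int(ip)))  # IPv4 in the low 32 bits

def resolve(name, corp_dns, public_dns, force_tunnel=False):
    """Return (resolver_used, fqdn_tried, answer) following the slides' steps."""
    single_label = "." not in name
    # Single-label names get each suffix from the search order appended in turn.
    candidates = [f"{name}.{s}" for s in SUFFIX_SEARCH] if single_label else [name]
    for fqdn in candidates:
        match = nrpt_match(fqdn)
        if match is None:  # no NRPT entry: split tunnel -> NIC DNS, force tunnel -> DA
            via = "da" if force_tunnel else "nic"
        else:              # NRPT entry: proxy action -> DA server, exemption -> NIC DNS
            via = "da" if match[1] == DA_DNS_PROXY else "nic"
        answer = da_resolve(fqdn, corp_dns) if via == "da" else public_dns.get(fqdn)
        if answer is not None or not single_label:
            return (via, fqdn, answer)
    return ("local", name, None)  # suffix list exhausted: LLMNR/NetBIOS/WINS next
```

Running the four slide scenarios through `resolve` shows the NLS name returning no answer from the NIC resolver (the "still external" signal), while a single-label name that no suffix can resolve falls through to local name resolution.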
  • Slide 25
  • STEP 3: DNS AND NRPT (FORCE TUNNEL)
  • Slide 26
  • STEP 3: DNS SUFFIXES
  • Slide 27
  • STEP 3: MANAGEMENT SERVERS
  • Slide 28
  • STEP 4: APPLICATION SERVERS
  • Slide 29
  • FINISHING YOUR DEPLOYMENT
  • Slide 30
  • DEPLOYMENT DONE
  • Slide 31
  • DIRECTACCESS DIAGNOSTICS. Check Operation Status in the Remote Access Management Console. A DirectAccess diagnostic log is available from the client (the access steps changed in 8.1 from 8). Information logged: NCA connection status (probes list); IP-HTTPS configuration (Get-NetIPHttpsConfiguration) and IP-HTTPS state (Get-NetIPHttpsState); NRPT policy (Get-DnsClientNrptPolicy); IPsec Main Mode SAs (Get-NetIPsecMainModeSA); IPsec Quick Mode SAs (Get-NetIPsecQuickModeSA); and more
  • Slide 32
  • DIRECTACCESS DIAGNOSTICS: EXTRA COMMANDS. Custom Commands group policy: Computer Configuration -> Admin Templates -> Network -> DirectAccess Client Experience Settings -> Custom Commands. Can be any PowerShell command/cmdlet/function/script. Recommended: $wc=new-object net.webclient; $wc.downloadstring(