microsoft directaccess & work folders nicholas a. hay monroe county isd...
TRANSCRIPT
Microsoft DirectAccess & Work FoldersNICHOLAS A. HAYMONROE COUNTY [email protected]
What is DirectAccess?• The VPN that doesn’t require any configuration or user interaction to use.
Once a internet connection is initiated, the DirectAccess connects on the device.
• DirectAccess establishes IPsec tunnels from the client to the DirectAccess server, and uses IPv6 to reach intranet resources or other DirectAccess clients. This technology encapsulates the IPv6 traffic over IPv4 to be able to reach the intranet over the Internet, which still (mostly) relies on IPv4 traffic. - Wikipedia
• Uses IPv6 to route traffic through the Direct Access connection. Don’t worry, you don’t need to be an expert at IPv6.
• Requires Windows Server 2008R2 or newer
• Client Requirements• Windows 7 Enterprise or Ultimate
• Windows 8 Enterprise
• This works based on DNS entries and servers you specify during setup.
What is DirectAccess?• Windows 2008 R2 Server required IPv6 to be used end to end.
This was resolved with Windows 2012 with NAT64 to allow this to work through an IPv4 network.
• A DirectAccess client can use one of several tunneling technologies, depending on the configuration of the network the client is connected to. The client can use 6to4, Teredo tunneling, or IP-HTTPS, provided the server is configured correctly to be able to use them. For example, a client that is connected to the Internet directly will use 6to4, but if it is inside a NATed network, it will use Teredo instead. In addition, Windows Server 2012 provides two backward compatibility services DNS64 and NAT64, which allows DirectAccess clients to communicate with servers inside the corporate network even if those servers are only capable of IPv4 networking. - Wikipedia
Why use DirectAccess?• If a device leaves the network, you can give them an on
premise experience as long as they have a reliable network connection.
• Users can get mapped drives.
• Ability to push out GPO’s/policies at all times.
• Ability to give users applications that you don’t want to open up on the outside world.
DirectAccess and Firewall• IP-HTTPS is the default protocol of the “simple”
DirectAccess wizard in Windows Server 2012 if you choose the topology “behind an edge device”.
• If you are doing an Edge deployment with a single server, like I did, you can create a firewall rule to allow TCP/443 to this server. That is all that is needed to get this to work in this deployment. There are 2 other deployment options you can select from when configuring.
Direct AccessServer Installation• This guide below is what you can use to install
DirectAccess. Many of the slides about installation and configuring has been taken from this resource.
• http://jackstromberg.com/2013/12/tutorial-configuring-direct-access-on-server-2012-r2/
• In Server Manager on 2012 R2, you need to click on Manage and Add Role or Feature.
DirectAccess Server Installation• Add Remote Access Role.
DirectAccess Server Installation• Add Remote Access Role Configuration. Click on
DirectAccess and VPN (RAS) and follow through with defaults on the wizard.
DirectAccess Server Configuration• In server Manager under Tools, click on Remote Access
Management. You can configure the warning on the quick deployment in Server Manager.
DirectAccess Server Configuration• Click on Run the Remote Access Setup Wizard.
DirectAccess Server Configuration• Click Deploy DirectAccess Only.
DirectAccess Server Configuration• Go through the steps in the wizard.
DirectAccess Server Configuration• During Step 1, select Deploy full DirectAccess and you
will need to have an AD group that you will add computers to that will use the DirectAccess feature.
DirectAccess Server Configuration• There are two checkboxes you can check on step 1. If
you check the first option, it will restrict access to laptops based on a WMI query. The other option to force tunneling will tunnel all traffic through the DA connection, which I would not recommend.
DirectAccess Server Configuration• You don’t need to put in a lot of resources to validate if
the internal network is online since this is only used to determine if you are online with DirectAccess on the client. The connection name is what is shown to users when they are or are not connected.
DirectAccess Server Configuration• Step 2: configure Remote Access Server
• There are 3 options. I deployedbehind an edge device (with asingle network adapter). Selectthe appropriate option for yourconfiguration.
• Follow the link in an earlier slideabout setting up a certificate onthis device for remote access.
DirectAccess Server Configuration• Step 3: Infrastructure Servers
The network location serveris a internal only web serverthat the client can connectto and ensure it is reachable.I did the second option and used my wildcard certificatefor SSL on the IIS server.
DirectAccess Server Configuration• Step 3: Infrastructure Servers
Use local name resolution if thename does not exist in DNS or DNS servers are unreachable when the client computer is ona private network (recommended).
DirectAccess Server Configuration• If you would like to remove a device from connecting via
direct access, you can add a name suffix of the hostname.domain.com and under DNS Server Address, leave it blank. You can also add other domain names here that youwant to go through the DAconnection by supply a DNSIP address.
• Direct access works using DNS servers. If you don’t have a DNS entry for a server, you won’t be ableto connect to the device using DA, i.e. network switches.
DirectAccess Server Configuration• Step 3: Infrastructure Servers
Ensure all your local domain’ssuffixes are listed.
DirectAccess Server Configuration• Step 4: See link from earlier
slide.
• When done, clickfinish and applythe remote accessconfiguration.
DirectAccess Server Configuration• Next step on a computer in your domain that is running
Windows 7 or 8 Enterprise, add the computer object to your DirectAccess group and do a gpupdate and reboot. You should see if you are connected in the network connections.
DA Client Network• There are some tunnel adapters
created when you have a direct accessconnection. With the options weconfigured earlier in this presentationit will only route traffic through the DAthat we specify and the other trafficwill go out the internet connection.
Direct Access Questions?
What are Work Folders?• Think of Work Folders like OneDrive, Google Drive, or Dropbox besides the
data resides on your local file servers.
• Data can be encrypted, forcibly by IT. If you copy files from your Work Folder to another location, the file is still encrypted and policies are enforced. See this link on how to de-encrypt files (http://windows.microsoft.com/en-us/windows-8/work-folders-faq).
• Staff and students can connect to corporate files from their home computers that run Windows 7 or 8. Windows 7 requires an installation to enable this feature. iPad and other devices support is coming in the future.
• Can enforce policies, such as lock screen on devices before user is able to use Work Folders.
• This can integrate with existing Folder Redirection file server structure so you can do both this and Work folders side by side.
Work Folders Compared to Other Products
Configuring Work Folders• Installation Guide• http://
blogs.technet.com/b/canitpro/archive/2013/11/13/step-by-step-creating-a-work-folders-test-lab-deployment-in-windows-server-2012-r2.aspx
• Requirements• AD Server on network
• File Server running Windows 2012 R2 Server
• IIS server on Fire Server with SSL certificate
• Firewall TCP/443 opened with DNS entry on firewall if you open this up on the outside world.
Configuring Work Folders• In Server Manager, click on Add and Remove Roles and
Features.
• Under Roles > File and Storage Services, check Work Folders or to do this via Powershell, type Add-WindowsFeature FS-SyncShareService
Configuring Work Folders• In Server Manager for File and Storage Services, click on
New Sync Share Wizard.
• There are 2 path options. The first option is for an existing file share thatyou may be already using with FolderRedirection. Select the local pathoption if this is a new one. See linkearlier about the permissions neededfor the root folder.
Configuring Work Folders• Now you will need to
configure the folder structure.• User Alias will work with existing
folder redirection or home folders.
• Sync only the following subfolder: By default, all the folders/files under the user folder will be synced to the devices. This checkbox allows the admin to specify a single subfolder to be synced to the devices. For example, the user folder might contain the following folders as part of a Folder Redirection deployment:
Configuring Work Folders• Towards the end is where you
can tell it to encrypt WorkFolders and require a lockscreen and require a password.
The password policy enforces the following configuration on user PCs and devices:
• Minimum password length of 6
• Autolock screen set to be 15 minutesor less
• Maximum password retry of 10 or less
• If the device doesn’t meet the policy, user will not be able to configure the Work Folders
Configuring Work Folders• By default, server will check for data changes every 5
minutes. You can decrease this time by running this command (1 min in the example below). This will increase server load time.• Set-SyncServerSetting -MinimumChangeDetectionMins 1
• Also, be sure to set up DNS entries and firewall settings for TCP/443 to make this work if you are opening this outside your network.
Work Folders Client Configuration• In Control Panel > System and Security > Work Folders
click on Set up Work Folders.
Work Folders Client Configuration• User would type in their email
address and AD credentials. If client computer is domain joined, it will not prompt them to login.
Work Folders Client Configuration• Before it is set up, the user
will have to consent to any security policies you configured during the server setup.
Work Folders Client Configuration• When done, users will see a Work Folders icon in their File
Manager window.
• When encryption is on, the file/folder will be colored green.
Work Folder Status• If you go to Work Folders
in Control Panel, you can view any errors and sync status of this.
What we did with Direct Access and Work Folders• We implemented these two features and are currently in
the testing phase.
• We have users that are not on campus and are in the local districts the majority of the time.
• Enabling these two items will allow us to backup their files to the server to handle any hardware failure on the computers and it will allow us to protect the data by encrypting work related files.
• We did not open up the Work Folders on the firewall and the devices will connect to these with the DirectAccess connection we configured on the devices.
What we did with Direct Access and Work Folders• We set up folder redirection for Staff Desktop, My
Documents, Downloads, and IE Favorites folders to point to their user profile\Work Folders\{Desktop,Docs,Downloads,IEFavs}
What we did with Direct Access and Work Folders• We set up folder redirection for Staff Desktop, My
Documents, Downloads, and IE Favorites folders to point to their user profile\Work Folders\{Desktop,Docs,Downloads,IEFavs}
What we did with Direct Access and Work Folders• Even if you don’t implement Direct Access and you don’t
want to open up the File Server TCP/443 on the firewall, if users come back to campus, the files will sync to the servers and this may still be useful.
• Files are copied to the local device and can be accessed even without connecting to the server.
Work Folder Questions?