Network Interface Configuration for Multihomed Windows Server 2012 DirectAccess Servers

When preparing a Windows Server 2012 DirectAccess server with two network interfaces, proper configuration of the network interfaces is vital to the operation and security of the remote access solution, especially in edge-facing scenarios. Preparing a server with two network interfaces might seem trivial, but there are some important and often overlooked settings that may lead to trouble. In this post I’d like to outline the proper network interface configuration for a Windows Server 2012 DirectAccess server in an edge-facing deployment scenario. It is important to note that you should configure your network interfaces prior to installing and configuring DirectAccess.

The first step is to rename the network interfaces with intuitive names that identify their role. Typically I use Internal and External. This will make DirectAccess configuration much easier, as you will see when you are configuring DirectAccess using the deployment wizards. To rename the network interfaces, open the Networking and Sharing Center from the Control Panel and choose the option to Change adapter settings. Optionally you can simply highlight the network interface you wish to rename and hit F2. Assign new names to the network interfaces as appropriate.

Next, right-click the Internal network interface and choose Properties. Enter an IPv4 address, subnet mask, and DNS servers as required. Notice that I have not entered a default gateway here. This is absolutely critical and one of the most common mistakes made when configuring a multihomed DirectAccess server. A server with multiple network interfaces should have only one default gateway, and that gateway must reside on the External network interface.

In the absence of a default gateway on the Internal network interface, static routes will be required to reach any remote internal subnets. To add a static route, open an elevated PowerShell command prompt and add any necessary routes using the following syntax:

New-NetRoute -InterfaceAlias <Interface_Name> -DestinationPrefix <SubnetID/Mask> -NextHop <Gateway_Address>

For example, my lab network has a remote subnet of 172.16.2.0/24 that is reachable through a router interface of 172.16.1.254.

New-NetRoute -InterfaceAlias Internal -DestinationPrefix 172.16.2.0/24 -NextHop 172.16.1.254

It’s also a good idea to unbind any protocols that are not required. For example, in my implementation I will not be leveraging QoS or NIC teaming, nor will I require the Link-Layer Topology Discovery services, so I’ve unchecked the QoS Packet Scheduler, the Microsoft Network Adapter Multiplexor Protocol, and both Link-Layer Topology Discovery boxes accordingly.

Perform this same exercise for the External network interface. Enter an IPv4 address and subnet mask, and this time be sure to include the default gateway for the External network. Notice that I have not entered any DNS servers here. Resist the urge to enter the DNS servers provided by your ISP. They are not required here: the DirectAccess server resolves names using the internal DNS servers configured on the Internal interface, and external resolvers on this interface only invite name resolution problems.

Since this DirectAccess server will be edge-facing and connected directly to the public Internet, it is a good idea to unbind all protocols from the External network interface with the exception of IPv4 and IPv6. Components such as Client for Microsoft Networks and File and Printer Sharing have no business being bound to a public-facing interface; the less that is exposed there, the smaller the attack surface.

One last change that needs to be made, and perhaps the most critical and often overlooked setting, is the network interface binding order. This change can be made in the Network Connections window by pressing the Alt key on the keyboard to display the drop-down menu and choosing Advanced > Advanced Settings.

Make certain that the Internal network interface is listed first in the list of connections.
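For those who prefer to script the preparation, here is the same sequence of steps as an added example. This is not code from the original post; it is run from an elevated PowerShell prompt on Windows Server 2012, and the adapter names, addresses, DNS servers and remote subnet are lab assumptions that you will need to replace. The checks at the end confirm the two settings that cause the most trouble: a single default route on the External interface and no DNS servers on it.

```powershell
# Added example, not from the original post. Run from an elevated
# PowerShell prompt on Windows Server 2012. All names and addresses below
# are lab assumptions.

$internal = 'Internal'
$external = 'External'

# Step 1: rename the adapters by role (assumes the default names 'Ethernet' and 'Ethernet 2').
Rename-NetAdapter -Name 'Ethernet'   -NewName $internal
Rename-NetAdapter -Name 'Ethernet 2' -NewName $external

# Step 2: Internal interface gets a static address, mask and DNS servers, but NO default gateway.
Set-NetIPInterface -InterfaceAlias $internal -AddressFamily IPv4 -Dhcp Disabled
New-NetIPAddress -InterfaceAlias $internal -IPAddress '172.16.1.10' -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias $internal -ServerAddresses @('172.16.1.1', '172.16.1.2')

# Static route for each remote internal subnet, pointing at the internal router.
New-NetRoute -InterfaceAlias $internal -DestinationPrefix '172.16.2.0/24' -NextHop '172.16.1.254'

# Unbind QoS Packet Scheduler, the NIC teaming multiplexor and both LLTD components from Internal.
foreach ($id in @('ms_pacer', 'ms_implat', 'ms_lltdio', 'ms_rspndr')) {
    Disable-NetAdapterBinding -Name $internal -ComponentID $id
}

# Step 3: External interface gets a static address, mask and the ONLY default gateway; no DNS servers.
Set-NetIPInterface -InterfaceAlias $external -AddressFamily IPv4 -Dhcp Disabled
New-NetIPAddress -InterfaceAlias $external -IPAddress '203.0.113.10' -PrefixLength 24 -DefaultGateway '203.0.113.1'
Set-DnsClientServerAddress -InterfaceAlias $external -ResetServerAddresses

# Step 4: on the Internet-facing interface, leave nothing bound except IPv4 and IPv6.
Get-NetAdapterBinding -Name $external |
    Where-Object { $_.Enabled -and ($_.ComponentID -notin @('ms_tcpip', 'ms_tcpip6')) } |
    ForEach-Object { Disable-NetAdapterBinding -Name $external -ComponentID $_.ComponentID }

# Step 5, the binding order, has no cmdlet on Server 2012; set it in Advanced Settings as described above.

# Check 1: exactly one IPv4 default route, and it lives on the External interface.
$defaultRoutes = @(Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0')
if ($defaultRoutes.Count -ne 1 -or $defaultRoutes[0].InterfaceAlias -ne $external) {
    throw "Expected a single IPv4 default route on $external; found $($defaultRoutes.Count)."
}

# Check 2: the remote internal subnet is reachable via the static route, not a gateway on Internal.
Get-NetRoute -InterfaceAlias $internal -DestinationPrefix '172.16.2.0/24' |
    Format-Table DestinationPrefix, NextHop, InterfaceAlias -AutoSize

# Check 3: no DNS servers configured on the External interface.
if ((Get-DnsClientServerAddress -InterfaceAlias $external -AddressFamily IPv4).ServerAddresses) {
    throw "DNS servers are configured on $external; remove them."
}
```

The script deliberately refuses to continue if it finds more than one default route, because that is exactly the condition that produces asymmetric routing and intermittent DirectAccess failures later on.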

So that’s it! You can now proceed with installing and configuring DirectAccess in full confidence that your network interfaces are configured properly!

DirectAccess on the Microsoft Surface Pro

At Microsoft TechEd North America 2013 I had the privilege of (finally!) acquiring both a Microsoft Surface RT and a Surface Pro. I’d been wavering back and forth on which one to purchase for many months. As it turned out, my indecision (and admittedly some procrastination!) paid off. As you are probably aware, Microsoft was offering the Surface RT 64GB for $99.00 USD and the Surface Pro 128GB for $399.00 USD to TechEd attendees and third-party speakers. Needless to say I purchased both! I love the Surface RT for general Internet use like web browsing, e-mail, etc. The battery life is great and having Office apps is tremendously productive. However, as a technology geek I really like the power and flexibility that the Surface Pro offers. Since it is a full-fledged PC, I can install whatever software I like on it.

Being able to join a domain and enable DirectAccess would, of course, be the icing on the cake. The Surface Pro comes pre-installed with Windows 8 Professional, which means I can join a domain but unfortunately it doesn’t support DirectAccess. My plan was to wipe the device and reload Windows 8 Enterprise when I returned from the conference. As luck would have it, I ran into my good friend and fellow Microsoft MVP Jordan Krause, and I was surprised to find that he had already upgraded his Surface Pro to Windows 8 Enterprise, joined it to his domain, and had enabled DirectAccess right there at TechEd! How did he do this so quickly? It turns out that it is as simple as mounting the Windows 8 Enterprise ISO and performing an in-place upgrade by launching setup.exe. And no, contrary to what some have said, you can’t simply input your Windows 8 Enterprise license key and magically turn Windows 8 Professional into Windows 8 Enterprise. It will of course activate, but it will still be Windows 8 Professional unless and until you perform the actual upgrade to Windows 8 Enterprise using the installation media.

So, upon returning home from TechEd I promptly upgraded my Surface Pro to Windows 8 Enterprise using the steps Jordan outlined here. Worked like a charm! I was able to join my lab domain and successfully establish DirectAccess connectivity on the Surface Pro. I did encounter a few issues when I attempted to refresh the device, however. To reset the device, I clicked Settings on the charms menu (swipe in from the right or Windows Key+C) and clicked Change PC Settings. Next I selected General and chose the option to Refresh your PC without affecting your files and received the following error message:

Insert media. Some files are missing. Your Windows installation or
recovery media will provide these files.

Selecting the option to Remove everything and reinstall Windows yielded the same error. Fortunately it was easy enough to resolve. To begin, I created a folder on the C: drive called WinRec. Next, I mounted the Windows 8 Enterprise ISO, navigated to the \Sources folder and copied install.wim to C:\WinRec. Finally, I opened an elevated command prompt and executed the following command to register this file as a recovery image:

reagentc.exe /setosimage /path C:\WinRec /target C:\Windows /index 1

Now when I select the option to Refresh your PC without affecting your files or Remove everything and reinstall Windows the process continues normally. Once the process is complete, there will be a few drivers missing which you can download here. After that everything was good to go! Obviously the solution I’ve described here is only really effective for one-off deployments of Windows 8 Enterprise on the Surface Pro. If you’re considering an enterprise-wide deployment, have a look at the Surface Pro Enterprise Deployment Guide [PDF], which includes detailed, prescriptive guidance for deploying Windows 8 Enterprise on the Surface Pro.
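The same fix, scripted, as an added example that is not part of the original post. It assumes an ISO at C:\ISO\Windows8Enterprise.iso and runs from an elevated PowerShell prompt; it also adds the two checks I would want before and after registering the image, namely confirming which index holds the Enterprise image and confirming that reagentc now points at the new location.

```powershell
# Added example, not from the original post. Registers the Windows 8
# Enterprise install.wim as the recovery image used by Refresh and Reset.
# The ISO path is an assumption; run from an elevated PowerShell prompt.
$iso    = 'C:\ISO\Windows8Enterprise.iso'
$target = 'C:\WinRec'

New-Item -Path $target -ItemType Directory -Force | Out-Null

# Mount the ISO and find the drive letter it received, then copy install.wim out of \Sources.
Mount-DiskImage -ImagePath $iso
$drive = (Get-DiskImage -ImagePath $iso | Get-Volume).DriveLetter
Copy-Item -Path "${drive}:\Sources\install.wim" -Destination $target
Dismount-DiskImage -ImagePath $iso

# Check before registering: Enterprise media normally carries one image at index 1,
# but confirm the index rather than assume it.
dism.exe /Get-WimInfo /WimFile:"$target\install.wim"

# Register the image as the OS recovery image (the same command as in the post).
reagentc.exe /setosimage /path $target /target C:\Windows /index 1

# Check after registering: the recovery image location reported here should be C:\WinRec.
reagentc.exe /info
```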

Disconnecting DirectAccess Clients on Windows Server 2012

DirectAccess provides seamless and transparent, always-on remote network connectivity. It does this without requiring action from the user. While this is an important feature and benefit of a DirectAccess remote access solution, it can also present a challenge for security administrators when a DirectAccess client device is lost or stolen.

To prevent a DirectAccess device from establishing remote network connectivity, simply disable or delete the device’s computer account in Active Directory. This will prevent the establishment of the IPsec tunnels, which are authenticated in part using the computer account and Kerberos. The caveat here is that this will not terminate a session that is already established. In this scenario it will be necessary to also proactively disconnect the already established IPsec tunnels from the client in question. To accomplish this, open an elevated PowerShell prompt on the DirectAccess server and execute the following command:

Get-NetIPsecMainModeSA | where {$_.RemoteFirstId.Identity -like "*computer_name*"} | Remove-NetIPsecMainModeSA

For example, to terminate established IPsec tunnels for a computer named CLIENT1 the command would look like this. Note that -like is case-insensitive and the wildcards match any identity that contains the string, so "*client1*" would also match CLIENT10 or CLIENT12; tighten the pattern if your naming scheme allows that.

Get-NetIPsecMainModeSA | where {$_.RemoteFirstId.Identity -like "*client1*"} | Remove-NetIPsecMainModeSA

When the client attempts to reestablish its connection it will fail to authenticate because its computer account is no longer valid in Active Directory. Now the trick is to get those users to tell us immediately when they’ve lost their laptops. That’s an entirely different problem, however. ;)
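Here is the whole revocation as one script, added as an example and not part of the original post. It runs on the DirectAccess server from an elevated prompt with the ActiveDirectory module installed; the computer name is a lab assumption. It disables the account first so that nothing can re-authenticate, matches the SA identity on a word boundary rather than a loose wildcard, and, as a step beyond what the post describes, also removes quick mode SAs to the same remote endpoint so nothing derived from the removed main mode SA keeps carrying traffic.

```powershell
# Added example, not from the original post. Revokes a lost or stolen
# DirectAccess client: disable the computer account, then tear down its
# established IPsec SAs. Run on the DirectAccess server from an elevated
# prompt. The computer name below is a lab assumption.
param([string]$ComputerName = 'CLIENT1')

Import-Module ActiveDirectory

# 1. Block new tunnels. Disable rather than delete so the account object (and its
#    audit trail) survives if the device turns up again.
Disable-ADAccount -Identity "${ComputerName}$"

# 2. Find the client's main mode SAs. A bare wildcard like "*client1*" also matches
#    CLIENT10 or CLIENT12, so anchor the name on word boundaries instead.
$pattern  = '\b' + [regex]::Escape($ComputerName) + '\b'
$mainMode = @(Get-NetIPsecMainModeSA | Where-Object { $_.RemoteFirstId.Identity -match $pattern })

if ($mainMode.Count -eq 0) {
    Write-Warning "No established IPsec main mode SA found for $ComputerName; nothing to disconnect."
    return
}

foreach ($sa in $mainMode) {
    Write-Host ("Removing main mode SA from {0} ({1})" -f $sa.RemoteEndpoint, $sa.RemoteFirstId.Identity)
}
$mainMode | Remove-NetIPsecMainModeSA

# 3. Added step beyond the post: remove quick mode SAs to the same remote endpoint(s)
#    as well, so no child SA keeps passing traffic for the revoked client.
$endpoints = $mainMode | ForEach-Object { $_.RemoteEndpoint } | Sort-Object -Unique
Get-NetIPsecQuickModeSA |
    Where-Object { $endpoints -contains $_.RemoteEndpoint } |
    Remove-NetIPsecQuickModeSA

# 4. Check: nothing left for this client. Its next connection attempt must now fail
#    because the disabled computer account can no longer authenticate.
$remaining = @(Get-NetIPsecMainModeSA | Where-Object { $_.RemoteFirstId.Identity -match $pattern })
if ($remaining.Count -ne 0) {
    throw "Main mode SA for $ComputerName is still present."
}
Write-Host "$ComputerName disconnected; account disabled in Active Directory."
```

Save it as something like Revoke-DAClient.ps1 and run it as .\Revoke-DAClient.ps1 -ComputerName CLIENT1. The word-boundary match still succeeds on identities such as CORP\CLIENT1$ or CN=client1.corp.example.com while leaving CLIENT10 alone.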

Special thanks for my good friend Jason Jones for his input on this solution. Thanks JJ!

The Drawbacks of Supporting Windows 7 Clients with Windows Server 2012 DirectAccess

Windows Server 2012 DirectAccess includes many new features to enhance scalability and performance. To take full advantage of many of these capabilities you must use Windows 8 Enterprise edition for your DirectAccess clients. Windows 7 Enterprise and Ultimate clients are supported, but there are a few important features that can’t be leveraged. Here are some examples:

IP-HTTPS Improvements – Windows Server 2012 supports NULL encryption for the IP-HTTPS IPv6 transition protocol. This eliminates the performance penalty and negative scalability caused by needlessly redundant encryption of DirectAccess client communication (IPsec encrypted traffic encrypted again with SSL/TLS). Windows 8 clients only request these NULL encryption cipher suites when establishing DirectAccess connectivity. However, Windows 7 clients do not support NULL encryption and will instead request an encrypted cipher suite when performing SSL/TLS negotiations.

Automatic Site Selection for Multi-Site – With Windows Server 2012 the administrator can configure multiple DirectAccess gateways to provide geographic redundancy for DirectAccess clients. Windows 8 clients are configured to intelligently select the nearest entry point and automatically reconnect to another gateway if the connection to the originally selected entry point fails. In contrast, Windows 7 clients can be configured for only a single entry point. The Windows 7 client is unaware of any other entry points and if the original connection becomes unavailable for any reason it will not have corporate network access until that entry point is back online.

Public Key Infrastructure (PKI) – The removal of the requirement to have an internal PKI to support DirectAccess clients is a popular feature for many organizations wanting to deploy DirectAccess (I don’t necessarily agree with this, but that’s the subject of another post!). Although Windows Server 2012 DirectAccess can be configured to use self-signed certificates, this deployment model is only supported for Windows 8 clients. If you plan to provide support for Windows 7 clients you will need a working internal PKI.

DirectAccess Connectivity Assistant – The Windows 8 client includes native functionality to indicate the status of DirectAccess connectivity and also includes a facility with which to quickly gather detailed log data for troubleshooting. Windows 8 clients can also establish DirectAccess connectivity when they are located behind an authenticating web proxy. For Windows 7 clients, the DirectAccess Connectivity Assistant (DCA) provides some of this functionality, but it is an optional component that must be deployed separately. Even with the DCA installed, Windows 7 clients cannot establish DirectAccess connections when a web proxy server requires authentication.

Although Windows 7 Enterprise and Ultimate editions are supported for DirectAccess when connecting to a Windows Server 2012 DirectAccess server, Windows 8 Enterprise clients should be deployed whenever possible to ensure the best and most complete experience.

Win a Copy of Windows Server 2012 Security from End to Edge and Beyond

As many of you know, I recently joined the team at Iron Networks to work more closely with DirectAccess and to be involved with some of their exciting new solutions for enabling the Microsoft private cloud. I was noticing that they don’t have much of a following on Twitter yet, so in an effort to change that I’m announcing a Twitter contest! This Friday, May 31, I will select one individual who is following both me and Iron Networks on Twitter and send that person a free copy of Tom and Deb Shinder and Yuri Diogenes’ latest book, entitled “Windows Server 2012 Security from End to Edge and Beyond”. I had the privilege of serving as the book’s technical reviewer and I can tell you it is an excellent reference that you’ll want to have in your library. So go out and follow me and Iron Networks for a chance to win!

Forefront UAG 2010 Video Training Course Now Available

I’m happy to announce that my latest Trainsignal video training course is now available! This new video training course is on Forefront Unified Access Gateway (UAG) 2010. It is an introductory course on Forefront UAG designed to teach network engineers and security administrators the basic essentials of planning, preparing, installing, configuring, monitoring, and maintaining a Forefront UAG 2010 remote access solution. In the course I demonstrate how to publish popular Microsoft on-premises applications like SharePoint and Exchange Outlook Web App (OWA). In addition I cover publishing Remote Desktop Services and VPN remote access. I also provide a high-level explanation of endpoint detection and endpoint policy enforcement and demonstrate how to provide high availability for the solution. Here is the entire course outline:

Lesson 1 – Introduction and Course Outline
Lesson 2 – Forefront UAG 2010 Overview
Lesson 3 – Planning to Deploy Forefront UAG 2010
Lesson 4 – Installing and Configuring Forefront UAG 2010
Lesson 5 – Configuring a Portal
Lesson 6 – Publishing Exchange Outlook Web App
Lesson 7 – Publishing SharePoint
Lesson 8 – Publishing Remote Desktop Services
Lesson 9 – Configuring VPN Remote Access
Lesson 10 – Enabling Endpoint Detection
Lesson 11 – Configuring High Availability
Lesson 12 – Web Monitor Overview
Lesson 13 – Forefront UAG Backups

Once again I had the opportunity to work with my good friend and fellow Microsoft MVP Jordan Krause on this course. As he did in my previous Trainsignal video training course on Windows Server 2012 DirectAccess, Jordan served as the technical reviewer and provided valuable insight that ultimately made the course better. If you’re planning to implement Forefront UAG 2010 to provide secure remote access to both managed and non-managed systems and devices, be sure to sign up for a subscription at Trainsignal.com today! Not only will you have access to this video training course on Forefront UAG 2010, you will gain access to the entire Trainsignal library of content, including my course on Windows Server 2012 DirectAccess, all for just $49.00 per month!

Richard Hicks Joins Iron Networks

It is with great pleasure that I announce I have recently joined the team at Iron Networks. Iron Networks (formerly nAppliance) is a division of Iron Systems based in San Jose, CA. Iron Networks is a Microsoft OEM partner specializing in turn-key cloud security and access solutions and converged infrastructure platforms. I’ll be intimately involved with many familiar Microsoft technologies like Forefront UAG 2010, DirectAccess, Hyper-V, and System Center 2012. Iron Networks has some compelling solutions for secure remote access, including a comprehensive remote access appliance that includes both Windows Server 2012 DirectAccess and Forefront UAG 2010. The Unified Remote Access (URA) platform effectively addresses remote access needs for both managed and non-managed clients. In addition, Iron Networks has an interesting new solution aimed at simplifying private cloud deployment and public cloud integration. The Iron Networks MNV Cloud Gateway Appliance, using System Center 2012 Virtual Machine Manager SP1 and Hyper-V network virtualization technologies, is designed to ease the pain of migrating virtual workloads across subnets between on-premises datacenters or to hosted, public cloud datacenters. Finally, Iron Networks has a complete, ready to deploy private cloud solution that was recently featured in the keynote address at the Microsoft Management Summit 2013. After working for many years with niche technologies like ISA server and Forefront TMG 2010, I’m really excited about the opportunity to be more closely involved with mainstream technologies like Hyper-V, System Center 2012, and private, hybrid, and public cloud solutions. Of course I’ll be sharing my experiences with you here and across my various social media channels, so be sure to connect with me to stay in touch!

Microsoft System Center Virtual Machine Manager 2012 Cookbook

Recently I had the opportunity to read Microsoft System Center Virtual Machine Manager 2012 Cookbook by Edvaldo Cardoso, published by Packt Publishing. I really enjoy their “cookbook” series as they take complex concepts like virtual machine management and break them down into detailed, step-by-step guidance that can be consumed in easily digestible chunks. The style lends itself well to following along in a virtual lab, working through the steps outlined in each chapter to configure a component or enable a specific feature. My specific goal with this title was to learn how to implement the Hyper-V network virtualization features with System Center 2012. The book met my needs perfectly. Of course the entire book will be helpful to datacenter administrators interested in leveraging the power of server and network virtualization in their organizations. If you’re working with System Center Virtual Machine Manager 2012 today, or are planning to deploy it in the future, you’ll definitely want to have this book in your reference library.

Windows Server 2012 DirectAccess Session at TechEd 2013

Are you planning to attend Microsoft TechEd this year? If so, I’m happy to announce that I’ll be delivering a session entitled “The Future Is Now! Next Generation Remote Access Today with Windows Server 2012 DirectAccess”. I’ll be presenting at both TechEd North America in New Orleans, LA, and at TechEd Europe in Madrid, Spain. Looking forward to seeing you there!

TechDays San Francisco 2013

It’s that time again. TechDays San Francisco 2013 is fast approaching! The event will be held on May 2-3, 2013. This is an excellent event for IT professionals and developers alike to learn from some of the best and brightest. The speaker list includes industry experts Richard Campbell, Jeff Hicks, Laura Hunter, Mark Minasi, and more! I will be delivering a session on (you guessed it!) DirectAccess in Windows Server 2012. Registration is open now, so register today. Hope to see you there!
