DirectAccess Load Balancing Tips and Tricks Webinar

KEMP Technologies LoadMaster Load BalancerEnabling load balancing for DirectAccess deployments is crucial for eliminating single points of failure and ensuring the highest levels of availability for the remote access solution. In addition, enabling load balancing allows DirectAccess administrators to quickly and efficiently add capacity in the event more processing power is required.

DirectAccess includes support for load balancing using integrated Windows Network Load Balancing (NLB) and external load balancers (physical or virtual). External load balancers are the recommended choice as they provide superior throughput, more granular traffic distribution, and greater visibility. External load balancers also more scalable, with support for much larger DirectAccess server clusters, up to 32 nodes. NLB is formally limited to 8 nodes, but because it operates at layer 2 in the OSI model and relies on broadcast heartbeat messages, it is effectively limited to 4 nodes.

The KEMP Technologies LoadMaster load balancer is an excellent choice for load balancing the DirectAccess workload. To learn more about configuring the LoadMaster with DirectAccess, join me for a free live webinar on Tuesday, August 16 at 10:00AM PDT where I’ll discuss DirectAccess load balancing in detail. I will also be sharing valuable tips, tricks, and best practices for load balancing DirectAccess.

DirectAccess Load Balancing Tips and Tricks Webinar

Don’t miss out. Register today!

Additional Resources

DirectAccess Load Balancing Overview

Load Balancing DirectAccess with the KEMP Loadmaster Load Balancer

Maximize your investment in Windows 10 with DirectAccess and the KEMP LoadMaster Load Balancer

KEMP LoadMaster DirectAccess Deployment Guide

DirectAccess and Windows 10 in Education

DirectAccess and Windows 10 in EducationIntroduction

DirectAccess provides seamless and transparent, always on remote network connectivity for managed Windows clients. It is commonly installed in large enterprises to provide better management for field-based assets, and to streamline the remote access experience for end users. Today, DirectAccess is a mature technology that is widely deployed across many verticals, but education is one that is often overlooked.

Benefits of DirectAccess

For commercial enterprises, the benefits of DirectAccess are many. Windows 10 DirectAccess clients have ubiquitous access to on-premises applications and data without requiring user interaction. This streamlined user access improves productivity and reduces helpdesk costs. DirectAccess is always on, allowing client machines to stay in contact with domain controllers and systems management servers, ensuring they are always managed.

DirectAccess in Education

Many of the same benefits DirectAccess provides for the enterprise are also important in the education sector. Often administrators for schools and colleges have many Windows-based machines that they must both manage and provide secure remote access for. In addition, they struggle with the same issues that enterprises do, such as maintaining configuration and security posture for devices that are predominantly remote.

Windows 10 and Education

Windows 10 November Update Available TodayThe Windows 10 Education SKU is a supported client operating system for DirectAccess, enabling educational institutions using this license to implement a remote access solution with DirectAccess using Windows Server 2012 R2 or Windows Server 2016. Implementing a DirectAccess remote access solution can result in significant cost savings, as DirectAccess requires no investments in proprietary hardware and has no associated per-user licensing.

Windows 10 Anniversary Update

Microsoft is making a concerted effort to address the education sector with new and compelling features to be included in the Windows 10 Anniversary Update, released earlier this week. For example, they have introduced apps that simplify the setup of school PCs. App discovery and purchasing are easier, and stylus support is improved. Native integration with Office 365 is another important factor. There are also a number of significant new security features that will make migrating to Windows 10 a worthy investment.

DirectAccess and Windows 10 in Education

Summary

If you are an administrator working for any educational institution and are struggling with maintaining and supporting your field-based Windows devices, consider a DirectAccess remote access solution today. With DirectAccess implemented, users will be more productive and remote machines better managed. DirectAccess can also be deployed using existing infrastructure, and it supports flexible network deployment along with many scalability features that will ensure the highest levels of availability.

Additional Resources

Video: DirectAccess and Windows 10 in Action
3 Important Things about Windows 10 and DirectAccess
DirectAccess and Windows 10 Better Together
DirectAccess Consulting Services
Book: Implementing DirectAccess with Windows Server 2016

Implementing DirectAccess with Windows Server 2016 Pre-Order

I am pleased to announce that my new book, Implementing DirectAccess with Windows Server 2016 from Apress Media, is now available for pre-order on Amazon.com!

Implementing DirectAccess with Windows Server 2016

This book contains detailed and prescriptive guidance for the planning, design, implementation, and support of a DirectAccess remote access solution on Windows Server 2016. It also includes valuable insight, tips, tricks, and best practice recommendations gained from my many years of deploying DirectAccess for some of the largest organizations in the world.

Current DirectAccess administrators will also find this book helpful, as the majority of content is still applicable to DirectAccess in Windows Server 2012 and Windows Server 2012 R2. In addition, the book also includes essential information on the design and deployment of highly available and geographically redundant DirectAccess deployments.

Troubleshooting DirectAccess can be a daunting task, so I’ve dedicated an entire chapter in the book to this topic. For those responsible for the maintenance and support of DirectAccess in their organization, this chapter alone will be worth the investment.

Be sure to reserve your copy today!

DirectAccess Now a Supported Workload in Microsoft Azure

DirectAccess Now a Supported Workload in Microsoft AzureThis is great news for organizations moving their infrastructure to the Microsoft Azure public cloud! Microsoft recently made some important changes to their published support statement for server software running on Azure virtual machines. Although no formal announcement was made, they quietly removed DirectAccess from the list of unsupported roles for Windows Server 2012 R2.

DirectAccess Now a Supported Workload in Microsoft Azure

I’ve performed some limited testing with DirectAccess using Resource Manager VMs in Microsoft Azure and it appears to be stable. In addition, some of the challenges I encountered previously when implementing DirectAccess in Azure using Classic VMs have now been resolved. I’ll be publishing some guidance for deploying DirectAccess in Azure soon.

Stay tuned!

DirectAccess and OTP with PointSharp ID Webinar

Integrating multifactor authentication is essential for providing the highest level of security and assurance for DirectAccess clients. Smart cards work well for this, but they impose a heavy burden in terms of expense and administrative overhead. A more effective alternative is to use a One-Time Password (OTP) solution such as PointSharp ID.

DirectAccess and PointSharp ID Webinar

To learn more about the PointSharp ID OTP solution and how it integrates with DirectAccess, join me for a live webinar on Tuesday, July 27, 2106 at 10:00AM PDT where I’ll discuss the following topics.

  • What DirectAccess security risks can be mitigated with OTP?
  • What are the supporting infrastructure requirements for OTP authentication?
  • How to integrate the PointSharp IP solution with DirectAccess

You can register for this free live webinar here.

DirectAccess Load Balancing Video

DirectAccess Load Balancing VideoConfiguring load balancing in DirectAccess is essential for eliminating single points of failure and ensuring the highest level of availability for the solution. The process of enabling load balancing for DirectAccess can be confusing though, as it involves the reassignment of IP addresses from the first server to the virtual IP address (VIP) for the cluster.

In this video I demonstrate how to enable DirectAccess load balancing and explain in detail how IP address assignment works for both Network Load Balancing (NLB) and external load balancers (ELB).

Windows 10 Multisite DirectAccess with GSLB Webinar

Kemp Technologies LoadMaster Load BalancerWindows 10 clients include full support for all enterprise DirectAccess scalability and redundancy features, including automatic site selection and transparent failover for multisite deployments. However, the native site selection process is limited in functionality and often yields unexpected results.

To provide better client support for multisite DirectAccess, a Global Server Load Balancer (GSLB) solution such as the Kemp Technologies LoadMaster GEO can be deployed. Using the LoadMaster’s GSLB functionality can significantly enhance multisite site selection for Windows 10 clients. In addition, it can be used to enable new scenarios not supported natively such as weighted distribution and active/passive failover.

Kemp Technologies LoadMaster Load Balancer

To learn more about how address the shortcomings of DirectAccess multisite using the Kemp LoadMaster GEO, join me for a live webinar on Thursday, July 14, 2106 at 10:00AM EDT where I’ll discuss the following topics.

  • How Global Server Load Balancing (GSLB) works
  • How Windows 10 clients choose an entry point
  • Understand the limitations of the native site selection process for Windows 10 clients
  • How to use the Kemp LoadMaster GEO to provide true geographic redundancy
  • How to enable active/passive failover for disaster recovery

You can register for this free live webinar here.

DirectAccess IP-HTTPS Preauthentication


Introduction

DirectAccess IP-HTTPS PreauthenticationRecently I’ve written about the security challenges with DirectAccess, specifically around the use of the IP-HTTPS IPv6 transition technology. In its default configuration, the DirectAccess server does not authenticate the client when an IP-HTTPS transition tunnel is established. This opens up the possibility of an unauthorized user launching Denial-of-Service (DoS) attacks and potentially performing network reconnaissance using ICMPv6. More details on this can be found here.

Mitigation

The best way to mitigate these security risks is to implement an Application Delivery Controller (ADC) such as the F5 BIG-IP Local Traffic Manager or the Citrix NetScaler. I’ve documented how to configure those platforms here and here.

No ADC?

For those organizations that do not have a capable ADC deployed, it is possible to configure the IP-HTTPS listener on the Windows Server 2012 R2 server itself to perform preauthentication.

Important Note: Making the following changes on the DirectAccess server is not formally supported. Also, this change is incompatible with one-time passwords (OTP)  and should not be performed if strong user authentication is enabled. In addition, null cipher suites will be disabled, resulting in reduced scalability and degraded performance for Windows 8.x and Windows 10 clients. Making this change should only be done if a suitable ADC is not available.

Configure IP-HTTPS Preauthentication

To configure the DirectAccess server to perform preauthentication for IP-HTTPS connections, open an elevated PowerShell command window and enter the following command.

ls Cert:\LocalMachine\My

DirectAccess IP-HTTPS Preauthentication

Copy the thumbprint that belongs to the SSL certificate assigned to the IP-HTTPS listener. Open an elevated command prompt window (not a PowerShell window!) and enter the following commands.

netsh http delete sslcert ipport=0.0.0.0:443
netsh http add sslcert ipport=0.0.0.0:443 certhash=[thumbprint]
appid={5d8e2743-ef20-4d38-8751-7e400f200e65}
dsmapperusage=enable clientcertnegotiation=enable

DirectAccess IP-HTTPS Preauthentication

For load-balanced clusters and multisite deployments, repeat these steps on each DirectAccess server in the cluster and/or enterprise.

Summary

Once these changes have been made, only DirectAccess clients that have a computer certificate with a subject name that matches the name of its computer account in Active Directory will be allowed to establish an IP-HTTPS transition tunnel connection.

Configure Citrix NetScaler for DirectAccess NLS

DirectAccess and Citrix NetScaler WebinarIntroduction

The Network Location Server (NLS) is a crucial DirectAccess supporting infrastructure component. It is secure web server that DirectAccess clients use to determine if they are inside or outside of the corporate network.

NLS Availability

The NLS should be highly available. If this service is not available, DirectAccess clients on the internal network will think they are outside and attempt to establish a DirectAccess connection. Typically, this results in the DirectAccess client not being able to reach internal resources by hostname. Full connectivity for DirectAccess clients on the internal network will not be restored until the NLS is online.

It is recommended that the NLS be deployed in a load-balanced cluster for high availability. However, this requires deploying multiple servers, adding more cost, complexity, and management overhead to the solution.

NLS and Citrix NetScaler

Configuring the Citrix NetScaler to serve as the NLS is an attractive alternative to deploying additional servers for this role. Using the NetScaler for the NLS reduces costs by leveraging existing infrastructure. In addition, the NetScaler requires less servicing than a typical Windows server, and is often itself already highly available.

Configure Citrix NetScaler

To configure the NetScaler to serve as a DirectAccess NLS, open the NetScaler management console, expand AppExpert, and then select Actions. Click Add, provide a descriptive name for the responder action, and then enter the following in the Expression field and click Create.

"HTTP/1.0 200 OK" +"\r\n\r\n" + "DirectAccess Network Location Server (NLS)" + "\r\n"

Configure Citrix NetScaler for DirectAccess NLS

Select Policies, click Add, and then provide a descriptive name for the responder policy. Enter HTTP.REQ.IS_VALID in the Expression field and click Create.

Configure Citrix NetScaler for DirectAccess NLS

Expand Traffic Management, expand Load Balancing and select Services. Click Add, provide a descriptive name for the service, choose New Server, and enter the IPv4 loopback address 127.0.0.1. Select SSL for the Protocol, enter a random port number for the Port and then click More.

Configure Citrix NetScaler for DirectAccess NLS

Uncheck the box next to Health Monitoring and click Ok and Done.

Configure Citrix NetScaler for DirectAccess NLS

Select Virtual Servers and click Add. Provide a descriptive name for the virtual server, select SSL for the Protocol, enter an IP address for the virtual server and click Ok.

Configure Citrix NetScaler for DirectAccess NLS

Under Services and Service Groups click No Load Balancing Virtual Server Service Binding.

Configure Citrix NetScaler for DirectAccess NLS

Click to select a service, choose the service created previously and click Ok, Bind and Ok.

Configure Citrix NetScaler for DirectAccess NLS

Under Certificates click No Server Certificate.

Configure Citrix NetScaler for DirectAccess NLS

Click to select a server certificate, choose the SSL certificate to be used by the NLS and click Ok, Bind, and Ok.

Configure Citrix NetScaler for DirectAccess NLS

Under Advanced click Policies, and then click the + icon. From the Choose Policy drown-list choose Responder and click Continue. Click to select a Policy Binding and choose the responder policy created previously. Click Ok, Bind, and Done.

Configure Citrix NetScaler for DirectAccess NLS

Testing NLS Functionality

Open a web browser on a client connected to the internal network and browse to the NLS URL. Ensure that there are no certificate errors and that the NetScaler is responding with the configured web page.

Configure Citrix NetScaler for DirectAccess NLS

Summary

The Network Location Server (NLS) is an important, and often overlooked, supporting infrastructure component for DirectAccess. It is used by DirectAccess clients to determine their network location. If it is unavailable for any reason it can be very disruptive. Ensuring that the NLS is highly available is critical. Configuring the NLS on the Citrix NetScaler can be a cost-effective alternative to deploying additional servers, while at the same time reducing the chance of an outage due to NLS failure.

DirectAccess IP-HTTPS Preauthentication using F5 BIG-IP

Note: For information about configuring the Citrix NetScaler to perform IP-HTTPS preauthentication, click here. For information about configuring Windows Server 2012 R2 to perform IP-HTTPS preauthentication natively, click here.

Introduction

DirectAccess IP-HTTPS Preauthentication using F5 BIG-IPRecently I wrote about security challenges with DirectAccess and the IP-HTTPS IPv6 transition technology. Specifically, IP-HTTPS transition tunnel connections are not authenticated by the DirectAccess server, only the client. This allows an unauthorized device to obtain an IPv6 address on the DirectAccess client network. With it, an attacker can perform network reconnaissance using ICMPv6 and potentially launch a variety of Denial-of-Service (DoS) attacks. For more details, click here.

Note: DirectAccess IPsec data connections not at risk. Data is never exposed at any time with the default configuration.

Mitigation

To mitigate these issues, it is recommended that an Application Delivery Controller (ADC) be used to terminate SSL connections and enforce client certificate authentication. Doing this will ensure that only authorized connections will be accepted by the DirectAccess server. In addition, there are some scalability and performance benefits to implementing this configuration when supporting Windows 7 clients.

Important Considerations

Performing IP-HTTPS preauthentication on the F5 BIG-IP is formally unsupported by Microsoft. In addition, terminating IP-HTTPS on the F5 appliance breaks OTP authentication.

F5 BIG-IP Configuration

To configure the F5 BIG-IP to perform SSL offload for DirectAccess IP-HTTPS, follow the guidance documented here. In addition, to configure the F5 BIG-IP to perform preauthentication for DirectAccess clients, when creating the client SSL profile, click Custom above the Client Authentication section and choose Require from the Client Certificate drop-down list and Always from the Frequency drop-down list. In addition, choose your internal PKI’s root Certification Authority (CA) certificate from the Trusted Certificate Authorities drop-down list and from the Advertised Certificate Authorities drop-down list.

DirectAccess IP-HTTPS Preauthentication using F5 BIG-IP

Summary

Enabling client certificate authentication for IP-HTTPS connections ensures that only authorized DirectAccess clients can establish a connection to the DirectAccess server and obtain an IPv6 address. It also prevents an unauthorized user from performing network reconnaissance or launching IPv6 Denial-of-Service (DoS) attacks.

Follow

Get every new post delivered to your Inbox.

Join 149 other followers

%d bloggers like this: