World IPv6 Launch Day

It’s coming…and this time it’s for real. That’s right; World IPv6 Launch Day is set for June 6, 2012. Building on the successful World IPv6 Day, major Internet Service Providers (ISPs), home networking equipment manufacturers, and web companies from around the world are coming together to permanently enable IPv6 for their products and services. Sadly, my ISP, Cox Communications, does not appear to be participating. That means I’ll continue using Hurricane Electric’s IPv6 tunnel broker to provide me with native IPv6 access to the Internet. The world is moving to IPv6, so it’s time to get on board!

World IPv6 Launch Day - June 6, 2012

Manage Out Fails for Non-ICMP Traffic with UAG DirectAccess

You may encounter a scenario in which the ability to manage out fails for DirectAccess clients using Forefront UAG 2010. You may also receive the following error:

4984 “An IPsec extended mode negotiation failed”

This can happen when custom security policies are applied to the DirectAccess client, specifically altering the settings for “Access this computer from the network“.

For more information regarding this error and how to resolve it, please refer to Microsoft Knowledge Base article 2663354.

Discussing DirectAccess on Security Talk

Recently I had the pleasure of sitting down with my good friends Yuri Diogenes and Tom Shinder to talk about DirectAccess on their video series “Security Talk – From End to Edge and Beyond“. We discussed the current state of DirectAccess in Windows Server 2008 R2, and then we talked in detail about some of the compelling new features of DirectAccess coming in Windows Server 2012. You can watch the video interview here. Enjoy!

Discussing DirectAccess on Security Talk with Yuri Diogenes and Tom Shinder

Discussing Windows Server 2012 DirectAccess on RunAs Radio

Recently I had the privilege to join Richard Campbell on the popular technology podcast RunAs Radio to discuss Windows Server 2012 DirectAccess. Richard and I talked about the challenges network architects and system engineers face deploying DirectAccess with Windows Server 2008 R2 and how Forefront Unified Access Gateway (UAG) 2010 can resolve some of those issues. We also discussed at length the features and capabilities of the new unified remote access role with Windows Server 2012, including the simplified DirectAccess deployment. You can download the podcast here.

Richard Hicks talks DirectAccess on RunAs Radio

Learning IPv6

IPv6 is one of the main underpinnings of DirectAccess. All communication between the DirectAccess client and the DirectAccess server and corporate network resources takes place using IPv6 only. DNS64 and NAT64, the protocol translators for DNS and NAT, address these concerns by translating native IPv6 traffic to IPv4, allowing the DirectAccess client to communicate with systems on the corporate network that are running only IPv4. This significantly reduces the barrier to entry for the adoption of DirectAccess as a remote access solution, but it doesn’t eliminate the requirement for IPv6 altogether. When DNS64 and NAT64 are leveraged, either as part of UAG DirectAccess or the unified remote access role in Windows Server 2012, it is important to remember that the DirectAccess client still communicates with the DirectAccess server using IPv6. It is for this reason that I strongly recommend and encourage systems and network engineers to start learning IPv6 today! I realize that IPv6 looks a bit scary from the outside. The address space is 128-bit and IPv6 addresses are written in hexadecimal, which can be quite daunting for many, me included. There are some new acronyms to learn as well. However, do you recall a time when you didn’t know IPv4? I certainly do! I remember first learning it and thinking I would never get it. Subnet masks? Dotted decimal notation? CIDR? They were completely foreign concepts. Eventually you learn it, gain experience deploying and troubleshooting it, and soon thereafter it becomes second nature. That is most people’s experience with IPv4, and it will be no different with IPv6. It will just take time to learn this new technology.

So, don’t be overwhelmed by IPv6! It’s not like you have to learn an entire new networking model top to bottom. After all, the bottom line is that it is just layer 3 – IP. Begin reading books on the subject and more importantly start deploying it in a lab environment. Soon you’ll have valuable knowledge and experience with the IPv6 protocol which will make you a more complete engineer. To get started, here are a few resources I’d recommend as you begin your quest for IPv6 knowledge and experience:

Understanding IPv6 – This is an excellent book to read to start learning about IPv6. Joe Davies is an outstanding writer and the third edition of this book is due out this summer. Ed Horley, a preeminent expert in the field of IPv6 and co-chair of the California IPv6 Task Force is serving as the technical reviewer so it is sure to be outstanding.

IPv6 Essentials – Another great book about IPv6 written by Silvia Hagen.

IPv6 test lab guide – Test lab guides are essential for learning new features of the Microsoft operating system and applications. The IPv6 test lab guide provides detailed and prescriptive guidance for deploying IPv6 on a Microsoft network.

Good luck!

Microsoft Windows DirectAccess Overview

I thought that it would be fitting for my first real blog post here on directaccess.richardhicks.com to provide a high level overview of what DirectAccess is all about. DirectAccess is an always-on remote access solution for Microsoft managed systems. DirectAccess is not a protocol; rather it is a collection of technologies used to provide network connectivity to users who are located outside of the corporate office. Some of these technologies include IPsec, IPv6, certificates, and Active Directory and group policy. On the client side, DirectAccess leverages the Windows Firewall with Advanced Security (WFAS) and the Name Resolution Policy Table (NRPT).

DirectAccess is a paradigm shift in remote access technology. Traditional (legacy?) client-based remote access is user-initiated, requiring the user to establish a Virtual Private Network (VPN) connection any time they need access to the corporate network. By contrast, DirectAccess is completely transparent to the user. The corporate network connection is established in the background automatically whenever the user has access to the Internet. Fundamentally, DirectAccess isn’t really a VPN at all. There’s nothing virtual about this network – it is the private network!

DirectAccess is a feature of the Windows Server 2008 R2 operating system. Often I’ll refer to this as native DirectAccess. However, there is a serious limitation that comes with native DirectAccess. Since DirectAccess clients communicate using only IPv6, this requires that any systems on the internal private network that the DirectAccess client communicates with be configured with IPv6. Sadly, very few organizations have IPv6 deployed today. Obviously this is a barrier to entry for many companies. To address this limitation, the Forefront Unified Access Gateway (UAG) 2010 can be deployed as a DirectAccess server. I typically refer to this as UAG DirectAccess. UAG includes protocol translators for DNS and NAT (DNS64 and NAT64) that allow the DirectAccess client to communicate with native IPv4 only networks, eliminating the requirement to deploy IPv6 on your internal network (for now).

So what are the benefits to deploying DirectAccess for remote access? Well, here are a few things to consider:

User experience – Seamless and transparent! Since DirectAccess is an always-on connection it requires no action from the user to establish remote network connectivity. When a user travels outside of the corporate office they can access data and applications from their mobile computer in exactly the same way as they do when they are in the office.

Systems management – Since corporate network connectivity with the DirectAccess client is established any time it has access to the Internet, management agents running on the DirectAccess client will be able to communicate with management servers to receive updates and report compliance. This also means that DirectAccess clients regularly receive group policy updates. In addition, the DirectAccess communication channel is bi-directional, which allows hosts on the corporate network to initiate communication outbound to DirectAccess clients whenever they are connected to the Internet. For example, if a remote user calls the help desk for assistance, the help desk engineer can initiate a remote desktop session to the DirectAccess client to assist the user.

Authentication – The DirectAccess communication channel is fully authenticated and encrypted. Initial remote connectivity is established to infrastructure services such as domain controllers, DNS servers, and systems management servers. When the user presses CTRL-ALT-DELETE to log on to their system they are authenticated against a domain controller and not using cached credentials (as long as they have Internet access prior to logging on). This means password changes can be done using CTRL-ALT-DELETE and password lockouts due to out of sync passwords are virtually a thing of the past.

As wonderful as DirectAccess is, it does have some potential drawbacks and limitations. First, DirectAccess is only for managed Windows clients running Windows 7 Ultimate or Enterprise, or Windows 8 Enterprise. The DirectAccess server and clients must be members of an Active Directory domain. DirectAccess is not supported for non-domain joined systems, non-Microsoft operating systems, or mobile devices of any type. Some applications many not work over a DirectAccess connection due to the requirement for DirectAccess clients to use IPv6. If an application has hard-coded references to IPv4 resources, or if the protocol itself has IPv4 addresses embedded in it, communication over a DirectAccess connection will fail. These scenarios will require the use of another VPN technology such as SSL VPN or traditional network-layer VPN.

Looking ahead, Windows Server 2012 will bring some very exciting changes to DirectAccess and remote access in general. I’ll be writing about those things in more detail soon. Stay tuned!

%d bloggers like this: