All posts in category SSL and TLS

DirectAccess IP-HTTPS Discovery Script for Nmap

DirectAccess IP-HTTPS Discovery Script for NmapWhen troubleshooting DirectAccess connectivity issues, the popular Nmap network mapping and discovery tool is an invaluable resource for verifying the communication path to the DirectAccess server from outside the network. However, just verifying that ports are open and listening often isn’t sufficient. In the case of IP-HTTPS, for example, the tried and true method of using telnet to verify that the port is open might be misleading. For instance, telnet might indicate that TCP port 443 is open and responding, but DirectAccess connectivity can still fail. This often happens as a result of a network configuration error that allows another network device other than the DirectAccess server to respond to HTTPS requests, which results in a false positive.

In an effort to conclusively determine that the DirectAccess server is responding, I’ve often relied on the SSL Labs Server Test site. Here I will enter the DirectAccess server’s public hostname and run the test, and from the results I can easily determine if indeed the DirectAccess server is responding by verifying that the HTTP server signature is Microsoft-HTTPAPI/2.0.

DirectAccess IP-HTTPS Discovery Script for NMAP

This usually works well, but it takes a few minutes to run the test, and there are a few scenarios in which it doesn’t work. For example, I might be working with a customer to perform some initial testing by using a local HOSTS file entry for the public name before the DNS record has been created. Also, if the SSL certificate on the DirectAccess server uses an IP address instead of a hostname (not recommended, but it is supported!) the SSL Labs server test won’t work.

Fortunately, the latest release Nmap (v7.00) now includes a script that enables the detection of Microsoft DirectAccess responding on TCP port 443. With the IP-HTTPS discovery script, it is now possible to determine not only if the port is open, but if the DirectAccess server is actually the service responding. The syntax for conducting a port scan using the IP-HTTPS discovery script for NMAP is as follows:

nmap.exe –n –Pn –p443 [directaccess_public_fqdn] –script [path_to_nmap_iphttps_discovery_script]

Here’s an example:

nmap.exe –n –Pn –p443 da.richardhicks.net –script c:\tools\nmap\scripts\ip-https-discover.nse

DirectAccess IP-HTTPS Discovery Script for NMAP

Now it is possible, using just Nmap, to not only determine if the IP-HTTPS communication path is functioning, but to definitively determine that the DirectAccess server is the device responding.

Happy troubleshooting!

7 Comments
by Richard M. Hicks on November 30, 2015  •  Permalink
Posted in DirectAccess, Encryption, IP-HTTPS, IPv6, IPv6 Transition, Remote Access, SSL and TLS, Windows Server 2012 R2
Tagged , , , , , , , , , , , , ,

Posted by Richard M. Hicks on November 30, 2015

https://directaccess.richardhicks.com/2015/11/30/directaccess-ip-https-discovery-script-for-nmap/

3 Important Things You Need to Know about Windows 10 and DirectAccess

DirectAccess and Windows 10 - Better TogetherDirectAccess has been with us for quite some time know, having been originally introduced with Windows Server 2008 R2, later enhanced with Forefront Unified Access Gateway (UAG) 2010, and finally integrated in to the base operating system in Windows Server 2012 R2. Client support for DirectAccess begins with Windows 7 (Enterprise or Ultimate), and also includes Windows 8.x (Enterprise) and Windows 10 (Enterprise or Education).

Although Windows 7 clients are supported for DirectAccess, Windows 10 is highly preferred. Here are three important things you need to know about using Windows 10 with DirectAccess.

  1. Windows 10 Provides Improved Performance and Scalability – Windows 10 includes support for null encryption when using the IP-HTTPS IPv6 transition protocol. This eliminates the needless double-encryption performed by Windows 7 clients, and dramatically reduces the protocol overhead for clients connecting behind port-restricted firewalls. DirectAccess servers can support many more concurrent IP-HTTPS sessions with Windows 10, and it has the added benefit of making the more secure perimeter/DMZ deployment behind an edge security device performing NAT much more attractive.
  2. Windows 10 Supports Geographic Redundancy – Windows 10 includes full support for DirectAccess multisite deployments. Where Windows 7 clients had to be assigned to a single entry point, Windows 10 clients are aware of all entry points in the organization. They are able to automatically select the nearest entry point on startup, and transparently failover to another site if the current site becomes unavailable.
  3. Windows 10 Features an Enhanced Management Experience – From a troubleshooting and support perspective, Windows 10 makes things much easier. The DirectAccess connectivity assistant, an optional component for Windows 7, is now fully integrated with the Windows 10 UI. PowerShell is greatly improved and now includes many native DirectAccess configuration and troubleshooting commands.

As you can see, there are a number of significant advantages for using Windows 10 with DirectAccess. Windows 10 now supports all of the enterprise features of DirectAccess, including geographic redundancy and performance and scalability improvements. Windows 10 is also easier to troubleshoot and manage. If you’re still supporting Windows 7, DirectAccess in Windows Server 2012 R2 can certainly support them. However, without a doubt the best experience, both from an administrator’s and the end user’s perspective, is with Windows 10. Just one more reason to begin planning your migration to Windows 10 with DirectAccess today!

Need assistance with implementing  DirectAccess with Windows 10? I can help! More details here.

16 Comments
by Richard M. Hicks on November 11, 2015  •  Permalink
Posted in Consulting Services, DirectAccess, Enterprise, Forefront UAG 2010, High Availability, IP-HTTPS, IPv6, IPv6 Transition, PowerShell, Professional Services, Remote Access, Security, SSL and TLS, Windows 10, Windows Server 2012 R2
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on November 11, 2015

https://directaccess.richardhicks.com/2015/11/11/3-important-things-you-need-to-know-about-windows-10-and-directaccess/

WEBINAR: Maximize Your Investment in Windows 10 with DirectAccess and the Kemp LoadMaster

Kemp Technologies LoadMaster Load BalancerWith the recent release of Microsoft’s Windows 10 client operating system, many organizations are now planning their migration to Windows 10 from previous versions. For those organizations looking to maximize their investment in Windows 10, many are considering the deployment of DirectAccess with Windows Server 2012 R2.

DirectAccess and Windows 10 - Better TogetherDirectAccess and Windows 10 are much better together. Windows 10 includes full support for all of the important enterprise features of DirectAccess in Windows Server 2012 R2, including geographic redundancy, transparent site selection, and IP-HTTPS performance improvements. The Kemp LoadMaster load balancer can be used to extend and enhance the native high availability features of DirectAccess, and it can be used to reduce supporting infrastructure requirements.

To learn more about maximizing your investment in Windows 10 with DirectAccess and the Kemp LoadMaster load balancer, be sure to attend our upcoming webinar on Thursday, October 15 when I’ll discuss in detail and demonstrate the advantages of Windows 10 and the Kemp LoadMaster load balancer.

You can register for the Windows Server 2012 R2 DirectAccess and Kemp Technologies LoadMaster webinar here.

Kemp Technologies LoadMaster Load Balancer

2 Comments
by Richard M. Hicks on October 5, 2015  •  Permalink
Posted in ADC, application delivery controller, DirectAccess, High Availability, IP-HTTPS, IPv6 Transition, Kemp, Load Balancing, LoadMaster, MVP, Remote Access, SSL and TLS, Training, troubleshooting, Windows 10, Windows Server 2012 R2
Tagged , , , , , , , , , , , ,

Posted by Richard M. Hicks on October 5, 2015

https://directaccess.richardhicks.com/2015/10/05/webinar-maximize-your-investment-in-windows-10-with-directaccess-and-the-kemp-loadmaster/

« Older Posts
Newer Posts »