All posts tagged application delivery controller

Deployment Considerations for DirectAccess on Amazon Web Services (AWS)

Organizations are rapidly deploying Windows server infrastructure with public cloud providers such as Amazon Web Services (AWS) and Microsoft Azure. With traditional on-premises infrastructure now hosted in the cloud, DirectAccess is also being deployed there more commonly.

Supportability

Interestingly, Microsoft has expressly stated that DirectAccess is not formally supported on their own public cloud platform, Azure. However, there is no formal statement of non-support for DirectAccess hosted on other non-Microsoft public cloud platforms. With supportability for DirectAccess on AWS unclear, many companies are taking the approach that if it isn’t unsupported, then it must be supported. I’d suggest proceeding with caution, as Microsoft could issue formal guidance to the contrary in the future.

DirectAccess on AWS

Deploying DirectAccess on AWS is similar to deploying on premises, with a few notable exceptions, outlined below.

IP Addressing

It is recommended that an IP address be exclusively assigned to the DirectAccess server in AWS, as shown here.

Prerequisites Check

When first configuring DirectAccess, the administrator will encounter the following warning message.

“The server does not comply with some DirectAccess prerequisites. Resolve all issues before proceed with DirectAccess deployment.”

The warning message itself states that “One or more network adapters should be configured with a static IP address. Obtain a static address and assign it to the adapter.”

IP addressing for virtual machines are managed entirely by AWS. This means the DirectAccess server will have a DHCP-assigned address, even when an IP address is specified in AWS. Assigning static IP addresses in the guest virtual machine itself is also not supported. However, this warning message can safely be ignored.

No Support for Load Balancing

It is not possible to create load-balanced clusters of DirectAccess servers for redundancy or scalability on AWS. This is because enabling load balancing for DirectAccess requires the IP address of the DirectAccess server be changed in the operating system, which is not supported on AWS. To eliminate single points of failure in the DirectAccess architecture or to add additional capacity, multisite must be enabled. Each additional DirectAccess server must be provisioned as an individual entry point.

Network Topology

DirectAccess servers on AWS can be provisioned with one or two network interfaces. Using two network interfaces is recommended, with the external network interface of the DirectAccess server residing in a dedicated perimeter/DMZ network. The external network interface must use either the Public or Private Windows firewall profile. DirectAccess will not work if the external interface uses the Domain profile. For the Public and Private profile to be enabled, domain controllers must not be reachable from the perimeter/DMZ network. Ensure the perimeter/DMZ network cannot access the internal network by restricting network access in EC2 using a Security Group, or on the VPC using a Network Access Control List (ACL) or custom route table settings.

External Connectivity

A public IPv4 address must be associated with the DirectAccess server in AWS. There are several ways to accomplish this. The simplest way is to assign a public IPv4 address to the virtual machine (VM). However, a public IP address can only be assigned to the VM when it is deployed initially and cannot be added later. Alternatively, an Elastic IP can be provisioned and assigned to the DirectAccess server at any time.

An ACL must also be configured for the public IP that restricts access from the Internet to only inbound TCP port 443. To provide additional protection, consider deploying an Application Delivery Controller (ADC) appliance like the Citrix NetScaler or F5 BIG-IP to enforce client certificate authentication for DirectAccess clients.

Network Location Server (NLS)

If an organization is hosting all of its Windows infrastructure in AWS and all clients will be remote, Network Location Server (NLS) availability becomes much less critical than with traditional on-premises deployments. For cloud-only deployments, hosting the NLS on the DirectAccess server is a viable option. It eliminates the need for dedicated NLS, reducing costs and administrative overhead. If multisite is configured, ensure that the NLS is not using a self-signed certificate, as this is unsupported.

However, for hybrid cloud deployments where on-premises DirectAccess clients share the same internal network with cloud-hosted DirectAccess servers, it is recommended that the NLS be deployed on dedicated, highly available servers following the guidance outlined here and here.

Client Provisioning

All supported DirectAccess clients will work with DirectAccess on AWS. If the domain infrastructure is hosted exclusively in AWS, provisioning clients can be performed using Offline Domain Join (ODJ). Provisioning DirectAccess clients using ODJ is only supported in Windows 8.x/10. Windows 7 clients cannot be provisioned using ODJ and must be joined to the domain using another form of remote network connectivity such as VPN.

Additional Resources

DirectAccess No Longer Supported in Microsoft Azure

Microsoft Server Software Support for Azure Virtual Machines

DirectAccess Network Location Server (NLS) Guidance

DirectAccess Network Location Server (NLS) Deployment Considerations for Large Enterprises

Provisioning DirectAccess Clients using Offline Domain Join (ODJ)

DirectAccess SSL Offload and IP-HTTPS Preauthentication with Citrix NetScaler

DirectAccess SSL Offload and IP-HTTPS Preauthentication with F5 BIG-IP

Planning and Implementing DirectAccess with Windows Server 2016 Video Training Course

Implementing DirectAccess with Windows Server 2016 Book

3 Comments

by Richard M. Hicks on April 24, 2017 • Permalink

Posted by Richard M. Hicks on April 24, 2017

https://directaccess.richardhicks.com/2017/04/24/deployment-considerations-for-directaccess-on-amazon-web-services-aws/

DirectAccess Troubleshooting with Nmap

DirectAccess troubleshooting can be made much easier using open source tools such as Nmap. Nmap can be used to perform many essential network connectivity and configuration checks, including validating network paths, confirming DirectAccess server response, and viewing SSL configuration. Nmap can also be used to ensure that the attack surface of the DirectAccess server is properly minimized. Some tests can be performed using only native Nmap functionality, while others require the use of specialized Nmap scripts that are included with the tool.

Installation

Nmap can be installed on a wide variety of operating systems, including Windows. If you plan to install Nmap on Windows, be sure to also install WinPcap and the Microsoft Visual C++ 2013 Redistributable. The Visual C++ component is included with the Nmap download. WinPcap must be downloaded separately here.

Testing External Connectivity

Validating external connectivity is often one of the first DirectAccess troubleshooting steps I take. Confirm that the DirectAccess public hostname resolves to the correct IP address, then run the following Nmap command to validate network connectivity from the Internet to the DirectAccess server.

nmap -n -Pn -p443 <da_public_hostname>

If the hostname resolves correctly and the network path is complete, the server should respond and Nmap will show the port as open. However, this doesn’t necessarily mean that the DirectAccess server is the device that replied! Due to misconfiguration, it is possible that another server or network device listening on TCP port 443 responded, so this is not a conclusive test.

DirectAccess Server Response

To confirm the DirectAccess server is responding to HTTPS requests and not some other server or device, run the following Nmap command with the ip-https-discover script.

nmap -n -Pn -p443 <da_public_hostname> –script ip-https-discover

If the DirectAccess server responds to the request, Nmap will return the following message:

IP-HTTPS is supported. This indicates that this host supports Microsoft DirectAccess.

If the port is open but the script does not return this message, it is likely that another server or device is responding on TCP port 443, not the DirectAccess server.

Note: If an Application Delivery Controller (ADC) is configured to perform IP-HTTPS preauthentication, the Nmap IP-HTTPS discovery script will not return this result. This is expected and by design.

SSL Certificate Validation

It is not uncommon for DirectAccess clients to fail to connect via IP-HTTPS because of SSL certificate issues. Specifically, an SSL certificate that is not trusted, is expired, or its subject field does not match the public hostname will prevent DirectAccess clients from connecting. To view the SSL certificate configuration of a DirectAccess server, run the following Nmap command with the ssl-cert script.

nmap -n -Pn -p443 <da_public_hostname> –script ssl-cert

SSL Cipher Suite Configuration

Occasionally there can be issues with the SSL configuration on the DirectAccess server that prevent some clients from connecting, or result in poor performance. This commonly occurs when administrators perform SSL hardening on the DirectAccess server and remove support for null cipher suites. Null cipher suites should never be disabled on the DirectAccess server. They are important to ensure the highest levels of performance for Windows 8.x and Windows 10 clients. Also, if an Application Delivery Controller (ADC) or load balancer is performing SSL offload, lack of support for null cipher suites will prevent Windows 8.x and Windows 10 clients from connecting. To determine if the DirectAccess server supports null cipher suites, run the following Nmap command with the ssl-enum-ciphers script.

nmap -n -Pn -p443 <da_public_hostname> –script ssl-enum-ciphers

Attack Surface Audit

If DirectAccess implementation and security best practices are followed, the DirectAccess server will be behind an edge firewall. The only port required to be allowed inbound for DirectAccess is TCP port 443. It is recommended that a full port scan be performed against the DirectAccess server’s public IPv4 address to identify any unnecessary ports that may be open externally. To perform a full port scan, run the following Nmap command.

nmap -n -Pn -p- <da_public_hostname>

Ideally it should look like this.

If it looks something like this, you’re in serious trouble!

The DirectAccess server should never be listening for requests other that HTTPS on the public Internet. Exposing services such as SMB (TCP port 445), RDP (TCP port 3389), and others presents a significant security risk. It is recommended that edge firewalls be configured to allow inbound TCP port 443 only. If the DirectAccess server is connected directly to the public Internet (not recommended!) then the Windows Firewall should be configured to restrict access to inbound TCP port 443 only.

Additional Resources

DirectAccess IP-HTTPS Discovery Script for Nmap
Planning and Implementing DirectAccess with Windows Server 2016 on Pluralsight
Implementing DirectAccess with Windows Server 2016 Book
DirectAccess Troubleshooting and Consulting Services

3 Comments

by Richard M. Hicks on April 20, 2017 • Permalink

Posted in DirectAccess, IP-HTTPS, IPv6 Transition, nmap, Remote Access, Security, SSL and TLS, troubleshooting, Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2012 R2, Windows Server 2016

Posted by Richard M. Hicks on April 20, 2017

https://directaccess.richardhicks.com/2017/04/20/directaccess-troubleshooting-with-nmap/

Troubleshooting DirectAccess IP-HTTPS Error Code 0x90320

A Windows 7 or Windows 8.x/10 client may fail to establish a DirectAccess connection using the IP-HTTPS IPv6 transition technology. When troubleshooting this issue, running ipconfig.exe shows that the media state for the tunnel adapter iphttpsinterface is Media disconnected.

Running the Get-NetIPHttpsState PowerShell command on Windows 8.x/10 clients or the netsh interface httpstunnel show interface command on Windows 7 clients returns an error code of 0x90320, with an interface status Failed to connect to the IPHTTPS server; waiting to reconnect.

Error code 0x90320 translates to SEC_I_INCOMPLETE_CREDENTIALS, indicating the client was unable to authenticate to the DirectAccess server during the TLS handshake when establishing the IP-HTTPS IPv6 transition tunnel. This occurs when the DirectAccess server or an Application Delivery Controller (ADC) is configured to perform client certificate authentication for IP-HTTPS connections. The client may fail to authenticate if it does not have a valid certificate issued by the organization’s internal certification authority (CA) or if the DirectAccess server or ADC is configured to perform IP-HTTPS client authentication incorrectly.

To resolve this issue, ensure that a valid certificate is installed on the DirectAccess client. In addition, ensure that the DirectAccess server or ADC is configured to use the correct CA when authenticating clients establishing IP-HTTPS connections.

Additional Information

DirectAccess IP-HTTPS Preauthentication

DirectAccess IP-HTTPS Preauthentication using Citrix NetScaler

DirectAccess SSL Offload and IP-HTTPS preauthentication using Citrix NetScaler

DirectAccess IP-HTTPS preauthentication using F5 BIG-IP

SSL Certificate Considerations for DirectAccess IP-HTTPS

3 Comments

by Richard M. Hicks on March 20, 2017 • Permalink

Posted in ADC, application delivery controller, DirectAccess, IP-HTTPS, IPv6, IPv6 Transition, Netscaler, PowerShell, Remote Access, Security, SSL and TLS, troubleshooting, Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016

Posted by Richard M. Hicks on March 20, 2017

https://directaccess.richardhicks.com/2017/03/20/troubleshooting-directaccess-ip-https-error-code-0x90320/

DirectAccess SSL Offload and IP-HTTPS Preauthentication with Citrix NetScaler

Introduction

Communication between the DirectAccess client and server takes place exclusively over IPv6. When DirectAccess servers and/or clients are on the IPv4 Internet, an IPv6 transition technology must be employed to allow those clients to connect to the DirectAccess server. DirectAccess deployment best practices dictate that only the IP-HTTPS IPv6 transition technology be used. IP-HTTPS uses SSL/TLS for server authentication and optionally encryption. To improve security and performance for IP-HTTPS, an Application Delivery Controller (ADC) like the Citrix NetScaler can be configured to perform SSL offloading and client preauthentication for DirectAccess IP-HTTPS connections.

Please note that the following caveats apply when enabling SSL offload for DirectAccess clients:

Enabling SSL offload and IP-HTTPS preauthentication on an ADC for DirectAccess is formally unsupported by Microsoft.
SSL offload should not be enabled with DirectAccess is configured to use one-time password (OTP) authentication. Offloading SSL will break OTP functionality.

IP-HTTPS Challenges

The IP-HTTPS IPv6 transition technology is a simple and effective way to allow DirectAccess clients and servers to communicate by encapsulating IPv6 traffic in HTTP and routing it over the public IPv4 Internet. However, there are two critical issues with the default implementation of IP-HTTPS in DirectAccess. One is a security issue, the other affects performance.

Security

The DirectAccess server does not authenticate clients establishing IP-HTTPS connections. This could allow an unauthorized client to obtain an IPv6 address from the DirectAccess server using the IPv6 Neighbor Discovery (ND) process. With a valid IPv6 address, the unauthorized user could perform internal network reconnaissance or launch a variety of Denial of Service (DoS) attacks on the DirectAccess infrastructure and connected clients. More details here.

Performance

Windows 7 DirectAccess clients use encrypted cipher suites when establishing IP-HTTPS connections. However, the payload being transported is already encrypted using IPsec. This double encryption increases resource utilization on the DirectAccess server, reducing performance and limiting scalability. More details here.

Note: Beginning with Windows Server 2012 and Windows 8, Microsoft introduced support for null encryption for IP-HTTPS connections. This eliminates the needless double encryption, greatly improving scalability and performance for DirectAccess clients using IP-HTTPS.

SSL Offload for DirectAccess IP-HTTPS

The Citrix NetScaler can be configured to perform SSL offload to improve performance for Windows 7 DirectAccess clients using IP-HTTPS. Since DirectAccess does not natively support SSL offload, the NetScaler must be configured in a non-traditional way. While the NetScaler will be configured to terminate incoming IP-HTTPS SSL connections, it must also use SSL for the back-end connection to the DirectAccess server. However, the NetScaler will be configured only to use null cipher suites when connecting to the DirectAccess server. Even though Windows 7 clients will still perform double encryption to the NetScaler, this configuration effectively offloads from the server the heavy burden of double encrypting every IP-HTTPS connection for all connected DirectAccess clients. This results in reduced CPU utilization on the DirectAccess server, yielding better scalability and performance.

SSL Offload and Windows 8.x/10 Clients

Offloading SSL for Windows 8.x/10 clients will not improve performance because they already use null cipher suites for IP-HTTPS when connecting to a Windows Server 2012 or later DirectAccess server. However, terminating SSL on the NetScaler is still required to perform IP-HTTPS preauthentication.

Supported NetScaler Platforms for DirectAccess SSL Offloading

The following configuration for Citrix NetScaler can be performed on any release of the VPX virtual ADC platform. However, be advised that there is a known issue with older releases on the MDX and SDX hardware platforms that will prevent this from working. For MDX and SDX deployments, upgrading to release 11.1 build 50.10 or later will be required.

Configure Citrix NetScaler for IP-HTTPS SSL Offload

To enable SSL offloading for DirectAccess IP-HTTPS on the Citrix NetScaler, open the NetScaler management console, expand Traffic Management and Load Balancing, and then perform the following procedures in order.

Add Servers

Click Servers.
Click Add.
In the Name field enter a descriptive name for the first DirectAccess server.
Select IP Address.
In the IP Address field enter the IP address of the first DirectAccess server.
Click Create.
Repeat these steps for any additional servers in the load-balanced cluster.

Add Services

Click Services.
Click Add.
In the Service Name field enter a descriptive name for the service.
Select Existing Server from the Server drop-down list.
Choose the first DirectAccess server in the cluster.
Choose SSL from the Protocol drop-down list.
Click Ok.
Edit SSL Parameters.
1. In the Protocol section uncheck SSLv3.
2. Click Ok.
Edit SSL Ciphers.
1. Click Remove All.
2. Click Add.
3. Type NULL in the Search Ciphers box.
4. Check the box next to the first entry for SSL3-NULL-SHA.
5. Click the right arrow to add the cipher to the list.
6. Click Ok.
7. Click Done.
8. Repeat these steps for any additional servers in the load-balanced cluster.

A warning message may be displayed indicating that no usable ciphers are configured on the SSL vserver/service. This message can be safely ignored.

Add Virtual Server

Click Virtual Servers.
1. Click Add.
2. In the Name field enter a descriptive name for the virtual server.
3. Choose SSL from the Protocol drop-down list.
4. In the IP Address field enter the IP address for the virtual server.
5. Click Ok.
  
  Note: When enabling load balancing in DirectAccess, the IP address assigned to the first DirectAccess server is reallocated for use as the load balancing Virtual IP Address (VIP). Ideally this IP address will be assigned to the load balancing virtual server on the NetScaler. However, this is not a hard requirement. It is possible to configure the VIP on the NetScaler to reside on any subnet that the load balancer has an interface to. More details here.
In the Services and Groups section click No Load Balancing Virtual Server Service Binding.
1. Click on the Select Service field.
2. Check all DirectAccess server services and click Select.
3. Click Bind.
4. Click Continue.
In the Certificate section click No Server Certificate.
1. Click on the Select Server Certificate field.
2. Choose the certificate to be used for DirectAccess IP-HTTPS.
3. Click Select.
4. Click Bind.
5. Click Continue.
Edit SSL Ciphers.
1. Click Remove All.
2. Click Add.
3. Type ECDHE in to the Search Ciphers box.
4. Check the box next to TLS1-ECDHE-RSA-AES128-SHA.
5. Click the right arrow to add the cipher to the list.
6. Type NULL in to the Search Ciphers box.
7. Check the box next to SSL3-NULL-SHA.
8. Click the right arrow to add the cipher to the list.
9. Click Ok.
10. Click Done.
  
  Note: If Windows 8.x/10 clients are supported exclusively, SSL3-NULL-SHA is the only cipher suite required to be configured on the virtual server. If Windows 7 client support is required, the TLS1-ECDHE-RSA-AES128-SHA cipher suite should also be configured on the virtual server.
Edit SSL Parameters.
1. Uncheck SSLv3.
2. Click Ok.
  
  Note: If Windows 8.x/10 clients are supported exclusively, TLSv1 can also be unchecked on the virtual server. If Windows 7 client support is required, TLSv1 must be enabled.
In the Advanced Settings section click Persistence.
1. Choose SSLSESSION.
2. Enter 10 minutes for the Time-out (mins) value.
3. Click Ok.
4. Click Done.

Optional IP-HTTPS Preauthentication

To enable IP-HTTPS preauthentication to prevent unauthorized network access, perform the following procedures on the Citrix NetScaler appliance.

Expand Traffic Management, Load Balancing, and then click Virtual Servers.
Select the DirectAccess virtual server and click Edit.
1. In the Certificate section click No CA Certificate.
2. Click the Select CA Certificate field.
3. Choose the certificate for the CA that issues certificates to DirectAccess clients and servers.
  
  Note: The CA certificate used for DirectAccess can be found by opening the Remote Access Management console, clicking Edit on Step 2, and then clicking Authentication. Alternatively, the CA certificate can be found by running the following PowerShell command.
  
  (Get-RemoteAccess).IPsecRootCertificate | Format-Table Thumbprint
4. Click Select.
5. Choose CRL Optional from the CRL and OCSP Check drop-down list.
6. Click Bind.
Edit SSL Parameters.
1. Check the box next to Client Authentication.
2. Choose Mandatory from the Client Certificate drop-down list.
3. Click Ok.
4. Click Done.

Summary

Leveraging the advanced capabilities of the Citrix NetScaler ADC can improve performance when supporting Windows 7 clients and enhance security for all DirectAccess clients using IP-HTTPS. In terms of supportability, all of the changes described in this article are completely transparent and do not alter the native DirectAccess client or server configuration. If a Microsoft support engineer declines support due to this configuration, switching from SSL offload to SSL bridge is all that’s required to restore full supportability.

Additional Resources

NetScaler release 11.1 build 50.10 (requires login) – https://www.citrix.com/downloads/netscaler-adc/firmware/release-111-build-5010

Release notes for build 50.10 of NetScaler 11.1 release – https://www.citrix.com/content/dam/citrix/en_us/documents/downloads/netscaler-adc/NS_11_1_50_10.html

VIDEO: Enable Load Balancing for DirectAccess – https://www.youtube.com/watch?v=3tdqgY9Y-uo

DirectAccess IP-HTTPS preauthentication using F5 BIG-IP – https://directaccess.richardhicks.com/2016/05/23/directaccess-ip-https-preauthentication-using-f5-big-ip/

DirectAccess SSL offload for IP-HTTPS using F5 BIG-IP – https://directaccess.richardhicks.com/2013/07/10/ssl-offload-for-ip-https-directaccess-traffic-from-windows-7-clients-using-f5-big-ip/

Implementing DirectAccess with Windows Server 2016 book – http://directaccessbook.com/

7 Comments

by Richard M. Hicks on January 17, 2017 • Permalink

Posted in ADC, application delivery controller, DirectAccess, High Availability, IP-HTTPS, IPv6, IPv6 Transition, Load Balancing, Netscaler, Remote Access, Security, SSL and TLS, Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016

Posted by Richard M. Hicks on January 17, 2017

https://directaccess.richardhicks.com/2017/01/17/directaccess-ssl-offload-and-ip-https-preauthentication-with-citrix-netscaler/

Windows 10 Multisite DirectAccess with GSLB Webinar

Windows 10 clients include full support for all enterprise DirectAccess scalability and redundancy features, including automatic site selection and transparent failover for multisite deployments. However, the native site selection process is limited in functionality and often yields unexpected results.

To provide better client support for multisite DirectAccess, a Global Server Load Balancer (GSLB) solution such as the Kemp Technologies LoadMaster GEO can be deployed. Using the LoadMaster’s GSLB functionality can significantly enhance multisite site selection for Windows 10 clients. In addition, it can be used to enable new scenarios not supported natively such as weighted distribution and active/passive failover.

To learn more about how address the shortcomings of DirectAccess multisite using the Kemp LoadMaster GEO, join me for a live webinar on Thursday, July 14, 2106 at 10:00AM EDT where I’ll discuss the following topics.

How Global Server Load Balancing (GSLB) works
How Windows 10 clients choose an entry point
Understand the limitations of the native site selection process for Windows 10 clients
How to use the Kemp LoadMaster GEO to provide true geographic redundancy
How to enable active/passive failover for disaster recovery

You can register for this free live webinar here.

1 Comment

by Richard M. Hicks on June 20, 2016 • Permalink

Posted in ADC, application delivery controller, DirectAccess, Geographic Redundnacy, High Availability, Load Balancing, Remote Access, Windows 10, Windows Server 2012 R2, Windows Server 2016

Posted by Richard M. Hicks on June 20, 2016

https://directaccess.richardhicks.com/2016/06/20/windows-10-multisite-directaccess-with-gslb-webinar/

DirectAccess IP-HTTPS Preauthentication

Introduction

Recently I’ve written about the security challenges with DirectAccess, specifically around the use of the IP-HTTPS IPv6 transition technology. In its default configuration, the DirectAccess server does not authenticate the client when an IP-HTTPS transition tunnel is established. This opens up the possibility of an unauthorized user launching Denial-of-Service (DoS) attacks and potentially performing network reconnaissance using ICMPv6. More details on this can be found here.

Mitigation

The best way to mitigate these security risks is to implement an Application Delivery Controller (ADC) such as the F5 BIG-IP Local Traffic Manager or the Citrix NetScaler. I’ve documented how to configure those platforms here and here.

No ADC?

For those organizations that do not have a capable ADC deployed, it is possible to configure the IP-HTTPS listener on the Windows Server 2012 R2 server itself to perform preauthentication.

Important Note: Making the following changes on the DirectAccess server is not formally supported. Also, this change is incompatible with one-time passwords (OTP) and should not be performed if strong user authentication is enabled. In addition, null cipher suites will be disabled, resulting in reduced scalability and degraded performance for Windows 8.x and Windows 10 clients. Making this change should only be done if a suitable ADC is not available.

Configure IP-HTTPS Preauthentication

To configure the DirectAccess server to perform preauthentication for IP-HTTPS connections, open an elevated PowerShell command window and enter the following command.

ls Cert:\LocalMachine\My

Copy the thumbprint that belongs to the SSL certificate assigned to the IP-HTTPS listener. Open an elevated command prompt window (not a PowerShell window!) and enter the following commands.

netsh http delete sslcert ipport=0.0.0.0:443
netsh http add sslcert ipport=0.0.0.0:443 certhash=[thumbprint]
appid={5d8e2743-ef20-4d38-8751-7e400f200e65}
dsmapperusage=enable clientcertnegotiation=enable

For load-balanced clusters and multisite deployments, repeat these steps on each DirectAccess server in the cluster and/or enterprise.

Summary

Once these changes have been made, only DirectAccess clients that have a computer certificate with a subject name that matches the name of its computer account in Active Directory will be allowed to establish an IP-HTTPS transition tunnel connection.

26 Comments

by Richard M. Hicks on June 13, 2016 • Permalink

Posted in ADC, application delivery controller, DirectAccess, Encryption, F5, IP-HTTPS, IPv6 Transition, Load Balancing, Netscaler, Remote Access, Security, SSL and TLS, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016

Posted by Richard M. Hicks on June 13, 2016

https://directaccess.richardhicks.com/2016/06/13/directaccess-ip-https-preauthentication/

Configure Citrix NetScaler for DirectAccess NLS

Introduction

The Network Location Server (NLS) is a crucial DirectAccess supporting infrastructure component. It is secure web server that DirectAccess clients use to determine if they are inside or outside of the corporate network.

NLS Availability

The NLS should be highly available. If this service is not available, DirectAccess clients on the internal network will think they are outside and attempt to establish a DirectAccess connection. Typically, this results in the DirectAccess client not being able to reach internal resources by hostname. Full connectivity for DirectAccess clients on the internal network will not be restored until the NLS is online.

It is recommended that the NLS be deployed in a load-balanced cluster for high availability. However, this requires deploying multiple servers, adding more cost, complexity, and management overhead to the solution.

NLS and Citrix NetScaler

Configuring the Citrix NetScaler to serve as the NLS is an attractive alternative to deploying additional servers for this role. Using the NetScaler for the NLS reduces costs by leveraging existing infrastructure. In addition, the NetScaler requires less servicing than a typical Windows server, and is often itself already highly available.

Configure Citrix NetScaler

To configure the NetScaler to serve as a DirectAccess NLS, open the NetScaler management console, expand AppExpert, and then select Actions. Click Add, provide a descriptive name for the responder action, and then enter the following in the Expression field and click Create.

"HTTP/1.0 200 OK" +"\r\n\r\n" + "DirectAccess Network Location Server (NLS)" + "\r\n"

Select Policies, click Add, and then provide a descriptive name for the responder policy. Enter HTTP.REQ.IS_VALID in the Expression field and click Create.

Expand Traffic Management, expand Load Balancing and select Services. Click Add, provide a descriptive name for the service, choose New Server, and enter the IPv4 loopback address 127.0.0.1. Select SSL for the Protocol, enter a random port number for the Port and then click More.

Uncheck the box next to Health Monitoring and click Ok and Done.

Select Virtual Servers and click Add. Provide a descriptive name for the virtual server, select SSL for the Protocol, enter an IP address for the virtual server and click Ok.

Under Services and Service Groups click No Load Balancing Virtual Server Service Binding.

Click to select a service, choose the service created previously and click Ok, Bind and Ok.

Under Certificates click No Server Certificate.

Click to select a server certificate, choose the SSL certificate to be used by the NLS and click Ok, Bind, and Ok.

Under Advanced click Policies, and then click the + icon. From the Choose Policy drown-list choose Responder and click Continue. Click to select a Policy Binding and choose the responder policy created previously. Click Ok, Bind, and Done.

Testing NLS Functionality

Open a web browser on a client connected to the internal network and browse to the NLS URL. Ensure that there are no certificate errors and that the NetScaler is responding with the configured web page.

Summary

The Network Location Server (NLS) is an important, and often overlooked, supporting infrastructure component for DirectAccess. It is used by DirectAccess clients to determine their network location. If it is unavailable for any reason it can be very disruptive. Ensuring that the NLS is highly available is critical. Configuring the NLS on the Citrix NetScaler can be a cost-effective alternative to deploying additional servers, while at the same time reducing the chance of an outage due to NLS failure.

8 Comments

by Richard M. Hicks on May 31, 2016 • Permalink

Posted in ADC, application delivery controller, DirectAccess, High Availability, Load Balancing, Netscaler

Tagged ADC, application delivery controller, Citrix, Citrix NetScaler, DirectAccess, high availability, infrastructure, load balancer, Netscaler, network location server, redundancy, Remote Access, virtual server, vserver

Posted by Richard M. Hicks on May 31, 2016

https://directaccess.richardhicks.com/2016/05/31/configure-citrix-netscaler-for-directaccess-nls/

DirectAccess IP-HTTPS Preauthentication using F5 BIG-IP

Note: For information about configuring the Citrix NetScaler to perform IP-HTTPS preauthentication, click here. For information about configuring Windows Server 2012 R2 to perform IP-HTTPS preauthentication natively, click here.

Introduction

Recently I wrote about security challenges with DirectAccess and the IP-HTTPS IPv6 transition technology. Specifically, IP-HTTPS transition tunnel connections are not authenticated by the DirectAccess server, only the client. This allows an unauthorized device to obtain an IPv6 address on the DirectAccess client network. With it, an attacker can perform network reconnaissance using ICMPv6 and potentially launch a variety of Denial-of-Service (DoS) attacks. For more details, click here.

Note: DirectAccess IPsec data connections not at risk. Data is never exposed at any time with the default configuration.

Mitigation

To mitigate these issues, it is recommended that an Application Delivery Controller (ADC) be used to terminate SSL connections and enforce client certificate authentication. Doing this will ensure that only authorized connections will be accepted by the DirectAccess server. In addition, there are some scalability and performance benefits to implementing this configuration when supporting Windows 7 clients.

Important Considerations

Performing IP-HTTPS preauthentication on the F5 BIG-IP is formally unsupported by Microsoft. In addition, terminating IP-HTTPS on the F5 appliance breaks OTP authentication.

F5 BIG-IP Configuration

To configure the F5 BIG-IP to perform SSL offload for DirectAccess IP-HTTPS, follow the guidance documented here. In addition, to configure the F5 BIG-IP to perform preauthentication for DirectAccess clients, when creating the client SSL profile, click Custom above the Client Authentication section and choose Require from the Client Certificate drop-down list and Always from the Frequency drop-down list. In addition, choose your internal PKI’s root Certification Authority (CA) certificate from the Trusted Certificate Authorities drop-down list and from the Advertised Certificate Authorities drop-down list.

Summary

Enabling client certificate authentication for IP-HTTPS connections ensures that only authorized DirectAccess clients can establish a connection to the DirectAccess server and obtain an IPv6 address. It also prevents an unauthorized user from performing network reconnaissance or launching IPv6 Denial-of-Service (DoS) attacks.

13 Comments

by Richard M. Hicks on May 23, 2016 • Permalink

Posted in ADC, application delivery controller, DirectAccess, Encryption, F5, IP-HTTPS, IPv6, IPv6 Transition, Load Balancing, Remote Access, Security, SSL and TLS, Windows 7, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016

Posted by Richard M. Hicks on May 23, 2016

https://directaccess.richardhicks.com/2016/05/23/directaccess-ip-https-preauthentication-using-f5-big-ip/

DirectAccess IP-HTTPS Preauthentication using Citrix NetScaler

Note: For information about configuring the F5 BIG-IP to perform IP-HTTPS preauthentication, click here. For information about configuring Windows Server 2012 R2 or Windows Server 2016 to perform IP-HTTPS preauthentication natively, click here.

Introduction

IP-HTTPS is an IPv6 transition technology used by DirectAccess. It enables DirectAccess clients to communicate with the DirectAccess server using IPv6 over the public IPv4 Internet by encapsulating IPv6 packets in HTTP and authenticating (and optionally encrypting) them using SSL/TLS. IP-HTTPS is supported for all DirectAccess network deployment configurations and is enabled by default.

When a DirectAccess client connection is established, only the server is authenticated by the client. The client is not authenticated by the server. The DirectAccess server will thus accept IP-HTTPS connections from any client, valid or not.

IP-HTTPS Connection

Once a client has established an IP-HTTPS transition tunnel, it will go through the standard IPv6 neighbor discovery process to identify routers and obtain an IPv6 prefix for the link. It will use this information to build its own IPv6 address, which it uses to communicate with the DirectAccess server and begin establishing IPsec security associations for DirectAccess.

ICMP and IPsec

By design, ICMP is exempt from DirectAccess IPsec policy processing. If an unauthorized client were to establish an IP-HTTPS transition tunnel, even without authentication (Kerberos Proxy or certificate) it would be able to ping the DirectAccess server tunnel endpoint IPv6 addresses, the DNS64 IPv6 address, and any intranet hosts (assuming host firewalls allow this access).

Security Risk

This default posture opens up the DirectAccess server and intranet to unauthorized remote network reconnaissance and some IPv6-related Denial-of-Service (DoS) attacks. These were demonstrated by security researcher Ali Hardudi at the recent Troopers16 security conference. You can view his very informative session here.

Note: DirectAccess IPsec data connections are unaffected and are completely secure. Data is never exposed at any time with the default configuration.

IP-HTTPS Preauthentication

To mitigate these risks, it is recommended that an Application Delivery Controller (ADC) such as the Citrix NetScaler be configured to preauthenticate DirectAccess clients prior to establishing the IP-HTTPS transition tunnel.

Note: To configure the F5 BIG-IP to perform IP-HTTPS preauthentication, click here.

Citrix NetScaler Configuration

To perform DirectAccess preauthentication, it will be necessary to configure the Citrix NetScaler to perform SSL termination for IP-HTTPS. The virtual server on the NetScaler must use the SSL protocol. In addition, a CA certificate must be bound to the virtual server. Also, Client Authentication must be enabled under SSL Parameters and be set to Mandatory.

Once configured, the NetScaler appliance will ensure that the DirectAccess IPsec certificate is present on the client before establishing the IP-HTTPS IPv6 transition tunnel. This will prevent unauthorized connections to the DirectAccess server.

Important Considerations

Performing IP-HTTPS preauthentication on the Citrix NetScaler is formally unsupported by Microsoft. In addition, terminating IP-HTTPS on the NetScaler appliance breaks OTP authentication.

Summary

The default security posture of DirectAccess leaves the internal network open to unauthorized network reconnaissance, and exposes the DirectAccess infrastructure to potential denial-of-service (DoS) attacks. To mitigate these security risks, implement the Citrix NetScaler ADC and enable client certificate authentication.

References

Security Assessment of Microsoft DirectAccess [Overview] – https://www.insinuator.net/2016/04/security-assessment-of-microsoft-directaccess/

Security Assessment of Microsoft DirectAccess [Full Document] – https://www.ernw.de/newsfeed/newsletter-53-may-2016-security-assessment-of-microsoft-directaccess/index.html

Security Assessment of Microsoft DirectAccess Troopers16 Presentation by Ali Hardudi [Video] – https://www.youtube.com/watch?v=wW1x7ow0V9w

Chiron IPv6 Penetration Testing Framework – https://www.insinuator.net/2014/10/chiron-an-all-in-one-ipv6-penetration-testing-framework/

IP-HTTPS specification on MSDN – https://msdn.microsoft.com/en-us/library/dd358571.aspx

Configure F5 BIG-IP to Perform IP-HTTPS Preauthentication – https://directaccess.richardhicks.com/2016/05/23/directaccess-ip-https-preauthentication-using-f5-big-ip/

Configure Windows Server 2012 R2 and Windows Server 2016 to Perform IP-HTTPS Preauthentication – https://directaccess.richardhicks.com/2016/06/13/directaccess-ip-https-preauthentication/

23 Comments

by Richard M. Hicks on May 10, 2016 • Permalink

Posted in ADC, application delivery controller, DirectAccess, IP-HTTPS, IPv6, IPv6 Transition, Load Balancing, Netscaler, Remote Access, Security, SSL and TLS, Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016

Posted by Richard M. Hicks on May 10, 2016

https://directaccess.richardhicks.com/2016/05/10/directaccess-ip-https-preauthentication-using-citrix-netscaler/

DirectAccess and Citrix NetScaler Webinar

Updated 5/2/2016: The webinar recording is now available online here.

Join me on Tuesday, April 26 at 11:00AM EDT for a live webinar to learn more about integrating the Citrix NetScaler Application Delivery Controller (ADC) with Microsoft DirectAccess. During the webinar, which will be hosted by Petri IT Knowledgebase, you will learn how to leverage the NetScaler to enhance and extend native high availability and redundancy capabilities included with DirectAccess.

Eliminating single points of failure is crucial for enterprise DirectAccess deployments. DirectAccess includes technologies such as load balancing for high availability and multisite for geographic redundancy, but they are somewhat limited. DirectAccess supports integration with third-party solutions like NetScaler to address these fundamental limitations.

NetScaler is an excellent platform that can be configured to improve upon native DirectAccess high availability and redundancy features. It provides superior load balancing compared to native Windows Network Load Balancing (NLB), with more throughput and better traffic visibility, while at the same time reducing resource utilization on the DirectAccess server.

For multisite DirectAccess deployments, the NetScaler can be configured to provide enhanced geographic redundancy, providing more intelligent entry point selection for Windows 8.x and Windows 10 clients and granular traffic control such as weighted request distribution and active/passive site failover.

In addition, the NetScaler can be configured to serve as the DirectAccess Network Location Server (NLS), providing essential high availability for this critical service and reducing supporting infrastructure requirements.

Click here to view the recorded webinar.

12 Comments

by Richard M. Hicks on April 11, 2016 • Permalink

Posted in DirectAccess, Enterprise, High Availability, Load Balancing, multisite, Netscaler, Remote Access, webinar

Posted by Richard M. Hicks on April 11, 2016

https://directaccess.richardhicks.com/2016/04/11/directaccess-and-citrix-netscaler-webinar/

Search for:
DirectAccess Book
NetMotion Mobility

DirectAccess-like Remote Access for Windows, Mac, iPhone, iPad, and Android

Learn More!
Recent Posts
Always On VPN Resources
DirectAccess Resources

Richard M. Hicks Consulting, Inc.

Awards

Consulting

Connect

Mailing List

RSS Feed

Archives

Categories

All posts tagged application delivery controller

DirectAccess Troubleshooting with Nmap

Like this:

Troubleshooting DirectAccess IP-HTTPS Error Code 0x90320

Like this:

DirectAccess SSL Offload and IP-HTTPS Preauthentication with Citrix NetScaler

Like this:

Windows 10 Multisite DirectAccess with GSLB Webinar

Like this:

DirectAccess IP-HTTPS Preauthentication

Like this:

Configure Citrix NetScaler for DirectAccess NLS

Like this:

DirectAccess IP-HTTPS Preauthentication using F5 BIG-IP

Like this:

DirectAccess IP-HTTPS Preauthentication using Citrix NetScaler

Like this:

DirectAccess and Citrix NetScaler Webinar

Like this:

DirectAccess Book

NetMotion Mobility

Recent Posts

Always On VPN Resources

DirectAccess Resources

Awards

Consulting

Connect

Mailing List

RSS Feed

Archives

Categories

Tag Cloud

All posts tagged application delivery controller

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

DirectAccess Book

NetMotion Mobility

Recent Posts

Always On VPN Resources

DirectAccess Resources