MVP Profile
DirectAccess Training

TechMentor Redmond 2017
Connect
Mailing List

Sign Up Now!
Richard M. Hicks Consulting Newsletter
Buy This!

Amazon Tap
Alexa-Enabled Bluetooth Speaker!
@richardhicks
- Configuring SSL offload for Windows 7 #DirectAccess client using @f5networks BIG-IP. rmhci.co/2pS3NVb:: 12 hours ago
- RT @KEMP_apac: Enhanced Multisite Site Selection for Windows 10 and #DirectAccess with #KEMP LoadMaster - @richardhicks - https://t.co/A2t3…:: 13 hours ago
- RT @KEMP_apac: #DirectAccess Load Balancing Tips and Tricks - @richardhicks kempte.ch/2o6Iopq:: 13 hours ago
- #DirectAccess null encryption and SSTP VPN. rmhci.co/2oy5VNT:: 14 hours ago
- Uninstalling and removing #DirectAccess. rmhci.co/2p0Ii4q:: 16 hours ago
Follow @richardhicks
Facebook

Facebook
RSS Feed
- RSS - Posts
- RSS - Comments
Archives
- June 2017
- May 2017
- April 2017
- March 2017
- February 2017
- January 2017
- December 2016
- November 2016
- October 2016
- September 2016
- August 2016
- July 2016
- June 2016
- May 2016
- April 2016
- March 2016
- February 2016
- January 2016
- December 2015
- November 2015
- October 2015
- September 2015
- August 2015
- July 2015
- June 2015
- May 2015
- April 2015
- March 2015
- February 2015
- January 2015
- November 2014
- October 2014
- September 2014
- August 2014
- June 2014
- May 2014
- April 2014
- March 2014
- February 2014
- January 2014
- December 2013
- November 2013
- October 2013
- September 2013
- August 2013
- July 2013
- June 2013
- May 2013
- April 2013
- March 2013
- February 2013
- January 2013
- December 2012
- November 2012
- October 2012
- September 2012
- July 2012
- June 2012
- May 2012
- April 2012
Categories
- 6to4
- ADC
- Amazon EC2
- Amazon Web Services
- application delivery controller
- AWS
- Azure
- cloud
- Consulting Services
- DirectAccess
- DirectAccess Book
- DNS
- EC2
- education
- Encryption
- Enterprise
- F5
- Forefront TMG 2010
- Forefront UAG 2010
- Geographic Redundnacy
- High Availability
- Hotfix
- iManage
- Important Links
- IP-HTTPS
- IPv6
- IPv6 Transition
- ISATAP
- Kemp
- learning
- Load Balancing
- LoadMaster
- Manage Out
- multisite
- MVP
- NAP
- NCA
- Netscaler
- network connectivity assistant
- nmap
- Offline Domain Join
- OTP
- Pluralsight
- PowerShell
- Professional Services
- public cloud
- Recommended Reading
- Remote Access
- Security
- SSL and TLS
- Surface Pro
- Surface Pro 4
- System Center 2012
- Teredo
- Training
- troubleshooting
- Uncategorized
- Update
- video
- VPN
- Web Application Proxy
- webinar
- Windows 10
- Windows 7
- Windows 8
- Windows 8.1
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- WorkSite
Tag Cloud
6to4 Active Directory ADC application delivery controller authentication Azure book certificate certificates conference configuration DirectAccess DirectAccess 2012 DNS education error F5 Forefront Forefront UAG Forefront UAG 2010 geographic redundancy GPO group policy high availability hotfix Important Links IP-HTTPS IPsec IPv6 IPv6 transition protocol IPv6 transition technology ISATAP Kemp Kemp Technologies load balancer load balancing LoadMaster management Manage Out Microsoft multisite Networking network load balancing network location server NLB NLS OTP performance PKI PowerShell redundancy Remote Access scalability security Server 2012 SSL Teredo TLS training troubleshooting UAG UAG 2010 update VPN Windows Windows 7 Windows 8 Windows 8.1 Windows 8.x Windows 10 Windows Server Windows Server 2008 R2 Windows Server 2012 Windows Server 2012 R2 Windows Server 2016

All posts tagged Microsoft

Deployment Considerations for DirectAccess on Amazon Web Services (AWS)

Organizations are rapidly deploying Windows server infrastructure with public cloud providers such as Amazon Web Services (AWS) and Microsoft Azure. With traditional on-premises infrastructure now hosted in the cloud, DirectAccess is also being deployed there more commonly.

Supportability

Interestingly, Microsoft has expressly stated that DirectAccess is not formally supported on their own public cloud platform, Azure. However, there is no formal statement of non-support for DirectAccess hosted on other non-Microsoft public cloud platforms. With supportability for DirectAccess on AWS unclear, many companies are taking the approach that if it isn’t unsupported, then it must be supported. I’d suggest proceeding with caution, as Microsoft could issue formal guidance to the contrary in the future.

DirectAccess on AWS

Deploying DirectAccess on AWS is similar to deploying on premises, with a few notable exceptions, outlined below.

IP Addressing

It is recommended that an IP address be exclusively assigned to the DirectAccess server in AWS, as shown here.

Prerequisites Check

When first configuring DirectAccess, the administrator will encounter the following warning message.

“The server does not comply with some DirectAccess prerequisites. Resolve all issues before proceed with DirectAccess deployment.”

The warning message itself states that “One or more network adapters should be configured with a static IP address. Obtain a static address and assign it to the adapter.”

IP addressing for virtual machines are managed entirely by AWS. This means the DirectAccess server will have a DHCP-assigned address, even when an IP address is specified in AWS. Assigning static IP addresses in the guest virtual machine itself is also not supported. However, this warning message can safely be ignored.

No Support for Load Balancing

It is not possible to create load-balanced clusters of DirectAccess servers for redundancy or scalability on AWS. This is because enabling load balancing for DirectAccess requires the IP address of the DirectAccess server be changed in the operating system, which is not supported on AWS. To eliminate single points of failure in the DirectAccess architecture or to add additional capacity, multisite must be enabled. Each additional DirectAccess server must be provisioned as an individual entry point.

Network Topology

DirectAccess servers on AWS can be provisioned with one or two network interfaces. Using two network interfaces is recommended, with the external network interface of the DirectAccess server residing in a dedicated perimeter/DMZ network. The external network interface must use either the Public or Private Windows firewall profile. DirectAccess will not work if the external interface uses the Domain profile. For the Public and Private profile to be enabled, domain controllers must not be reachable from the perimeter/DMZ network. Ensure the perimeter/DMZ network cannot access the internal network by restricting network access in EC2 using a Security Group, or on the VPC using a Network Access Control List (ACL) or custom route table settings.

External Connectivity

A public IPv4 address must be associated with the DirectAccess server in AWS. There are several ways to accomplish this. The simplest way is to assign a public IPv4 address to the virtual machine (VM). However, a public IP address can only be assigned to the VM when it is deployed initially and cannot be added later. Alternatively, an Elastic IP can be provisioned and assigned to the DirectAccess server at any time.

An ACL must also be configured for the public IP that restricts access from the Internet to only inbound TCP port 443. To provide additional protection, consider deploying an Application Delivery Controller (ADC) appliance like the Citrix NetScaler or F5 BIG-IP to enforce client certificate authentication for DirectAccess clients.

Network Location Server (NLS)

If an organization is hosting all of its Windows infrastructure in AWS and all clients will be remote, Network Location Server (NLS) availability becomes much less critical than with traditional on-premises deployments. For cloud-only deployments, hosting the NLS on the DirectAccess server is a viable option. It eliminates the need for dedicated NLS, reducing costs and administrative overhead. If multisite is configured, ensure that the NLS is not using a self-signed certificate, as this is unsupported.

However, for hybrid cloud deployments where on-premises DirectAccess clients share the same internal network with cloud-hosted DirectAccess servers, it is recommended that the NLS be deployed on dedicated, highly available servers following the guidance outlined here and here.

Client Provisioning

All supported DirectAccess clients will work with DirectAccess on AWS. If the domain infrastructure is hosted exclusively in AWS, provisioning clients can be performed using Offline Domain Join (ODJ). Provisioning DirectAccess clients using ODJ is only supported in Windows 8.x/10. Windows 7 clients cannot be provisioned using ODJ and must be joined to the domain using another form of remote network connectivity such as VPN.

Additional Resources

DirectAccess No Longer Supported in Microsoft Azure

Microsoft Server Software Support for Azure Virtual Machines

DirectAccess Network Location Server (NLS) Guidance

DirectAccess Network Location Server (NLS) Deployment Considerations for Large Enterprises

Provisioning DirectAccess Clients using Offline Domain Join (ODJ)

DirectAccess SSL Offload and IP-HTTPS Preauthentication with Citrix NetScaler

DirectAccess SSL Offload and IP-HTTPS Preauthentication with F5 BIG-IP

Planning and Implementing DirectAccess with Windows Server 2016 Video Training Course

Implementing DirectAccess with Windows Server 2016 Book

1 Comment

by Richard M. Hicks on April 24, 2017 • Permalink

Posted by Richard M. Hicks on April 24, 2017

https://directaccess.richardhicks.com/2017/04/24/deployment-considerations-for-directaccess-on-amazon-web-services-aws/

DirectAccess SSL Offload and IP-HTTPS Preauthentication with Citrix NetScaler

Introduction

Communication between the DirectAccess client and server takes place exclusively over IPv6. When DirectAccess servers and/or clients are on the IPv4 Internet, an IPv6 transition technology must be employed to allow those clients to connect to the DirectAccess server. DirectAccess deployment best practices dictate that only the IP-HTTPS IPv6 transition technology be used. IP-HTTPS uses SSL/TLS for server authentication and optionally encryption. To improve security and performance for IP-HTTPS, an Application Delivery Controller (ADC) like the Citrix NetScaler can be configured to perform SSL offloading and client preauthentication for DirectAccess IP-HTTPS connections.

Please note that the following caveats apply when enabling SSL offload for DirectAccess clients:

Enabling SSL offload and IP-HTTPS preauthentication on an ADC for DirectAccess is formally unsupported by Microsoft.
SSL offload should not be enabled with DirectAccess is configured to use one-time password (OTP) authentication. Offloading SSL will break OTP functionality.

IP-HTTPS Challenges

The IP-HTTPS IPv6 transition technology is a simple and effective way to allow DirectAccess clients and servers to communicate by encapsulating IPv6 traffic in HTTP and routing it over the public IPv4 Internet. However, there are two critical issues with the default implementation of IP-HTTPS in DirectAccess. One is a security issue, the other affects performance.

Security

The DirectAccess server does not authenticate clients establishing IP-HTTPS connections. This could allow an unauthorized client to obtain an IPv6 address from the DirectAccess server using the IPv6 Neighbor Discovery (ND) process. With a valid IPv6 address, the unauthorized user could perform internal network reconnaissance or launch a variety of Denial of Service (DoS) attacks on the DirectAccess infrastructure and connected clients. More details here.

Performance

Windows 7 DirectAccess clients use encrypted cipher suites when establishing IP-HTTPS connections. However, the payload being transported is already encrypted using IPsec. This double encryption increases resource utilization on the DirectAccess server, reducing performance and limiting scalability. More details here.

Note: Beginning with Windows Server 2012 and Windows 8, Microsoft introduced support for null encryption for IP-HTTPS connections. This eliminates the needless double encryption, greatly improving scalability and performance for DirectAccess clients using IP-HTTPS.

SSL Offload for DirectAccess IP-HTTPS

The Citrix NetScaler can be configured to perform SSL offload to improve performance for Windows 7 DirectAccess clients using IP-HTTPS. Since DirectAccess does not natively support SSL offload, the NetScaler must be configured in a non-traditional way. While the NetScaler will be configured to terminate incoming IP-HTTPS SSL connections, it must also use SSL for the back-end connection to the DirectAccess server. However, the NetScaler will be configured only to use null cipher suites when connecting to the DirectAccess server. Even though Windows 7 clients will still perform double encryption to the NetScaler, this configuration effectively offloads from the server the heavy burden of double encrypting every IP-HTTPS connection for all connected DirectAccess clients. This results in reduced CPU utilization on the DirectAccess server, yielding better scalability and performance.

SSL Offload and Windows 8.x/10 Clients

Offloading SSL for Windows 8.x/10 clients will not improve performance because they already use null cipher suites for IP-HTTPS when connecting to a Windows Server 2012 or later DirectAccess server. However, terminating SSL on the NetScaler is still required to perform IP-HTTPS preauthentication.

Supported NetScaler Platforms for DirectAccess SSL Offloading

The following configuration for Citrix NetScaler can be performed on any release of the VPX virtual ADC platform. However, be advised that there is a known issue with older releases on the MDX and SDX hardware platforms that will prevent this from working. For MDX and SDX deployments, upgrading to release 11.1 build 50.10 or later will be required.

Configure Citrix NetScaler for IP-HTTPS SSL Offload

To enable SSL offloading for DirectAccess IP-HTTPS on the Citrix NetScaler, open the NetScaler management console, expand Traffic Management and Load Balancing, and then perform the following procedures in order.

Add Servers

Click Servers.
Click Add.
In the Name field enter a descriptive name for the first DirectAccess server.
Select IP Address.
In the IP Address field enter the IP address of the first DirectAccess server.
Click Create.
Repeat these steps for any additional servers in the load-balanced cluster.

DirectAccess SSL Offload and IP-HTTPS Preauthentication with Citrix NetScaler

Add Services

Click Services.
Click Add.
In the Service Name field enter a descriptive name for the service.
Select Existing Server from the Server drop-down list.
Choose the first DirectAccess server in the cluster.
Choose SSL from the Protocol drop-down list.
Click Ok.
Edit SSL Parameters.
1. In the Protocol section uncheck SSLv3.
2. Click Ok.
Edit SSL Ciphers.
1. Click Remove All.
2. Click Add.
3. Type NULL in the Search Ciphers box.
4. Check the box next to the first entry for SSL3-NULL-SHA.
5. Click the right arrow to add the cipher to the list.
6. Click Ok.
7. Click Done.
8. Repeat these steps for any additional servers in the load-balanced cluster.

A warning message may be displayed indicating that no usable ciphers are configured on the SSL vserver/service. This message can be safely ignored.

DirectAccess SSL Offload and IP-HTTPS Preauthentication with Citrix NetScaler

Add Virtual Server

Click Virtual Servers.
1. Click Add.
2. In the Name field enter a descriptive name for the virtual server.
3. Choose SSL from the Protocol drop-down list.
4. In the IP Address field enter the IP address for the virtual server.
5. Click Ok.
  
  Note: When enabling load balancing in DirectAccess, the IP address assigned to the first DirectAccess server is reallocated for use as the load balancing Virtual IP Address (VIP). Ideally this IP address will be assigned to the load balancing virtual server on the NetScaler. However, this is not a hard requirement. It is possible to configure the VIP on the NetScaler to reside on any subnet that the load balancer has an interface to. More details here.
In the Services and Groups section click No Load Balancing Virtual Server Service Binding.
1. Click on the Select Service field.
2. Check all DirectAccess server services and click Select.
3. Click Bind.
4. Click Continue.
In the Certificate section click No Server Certificate.
1. Click on the Select Server Certificate field.
2. Choose the certificate to be used for DirectAccess IP-HTTPS.
3. Click Select.
4. Click Bind.
5. Click Continue.
Edit SSL Ciphers.
1. Click Remove All.
2. Click Add.
3. Type ECDHE in to the Search Ciphers box.
4. Check the box next to TLS1-ECDHE-RSA-AES128-SHA.
5. Click the right arrow to add the cipher to the list.
6. Type NULL in to the Search Ciphers box.
7. Check the box next to SSL3-NULL-SHA.
8. Click the right arrow to add the cipher to the list.
9. Click Ok.
10. Click Done.
  
  Note: If Windows 8.x/10 clients are supported exclusively, SSL3-NULL-SHA is the only cipher suite required to be configured on the virtual server. If Windows 7 client support is required, the TLS1-ECDHE-RSA-AES128-SHA cipher suite should also be configured on the virtual server.
Edit SSL Parameters.
1. Uncheck SSLv3.
2. Click Ok.
  
  Note: If Windows 8.x/10 clients are supported exclusively, TLSv1 can also be unchecked on the virtual server. If Windows 7 client support is required, TLSv1 must be enabled.
In the Advanced Settings section click Persistence.
1. Choose SSLSESSION.
2. Enter 10 minutes for the Time-out (mins) value.
3. Click Ok.
4. Click Done.

Optional IP-HTTPS Preauthentication

To enable IP-HTTPS preauthentication to prevent unauthorized network access, perform the following procedures on the Citrix NetScaler appliance.

Expand Traffic Management, Load Balancing, and then click Virtual Servers.
Select the DirectAccess virtual server and click Edit.
1. In the Certificate section click No CA Certificate.
2. Click the Select CA Certificate field.
3. Choose the certificate for the CA that issues certificates to DirectAccess clients and servers.
  
  Note: The CA certificate used for DirectAccess can be found by opening the Remote Access Management console, clicking Edit on Step 2, and then clicking Authentication. Alternatively, the CA certificate can be found by running the following PowerShell command.
  
  (Get-RemoteAccess).IPsecRootCertificate | Format-Table Thumbprint
4. Click Select.
5. Choose CRL Optional from the CRL and OCSP Check drop-down list.
6. Click Bind.
Edit SSL Parameters.
1. Check the box next to Client Authentication.
2. Choose Mandatory from the Client Certificate drop-down list.
3. Click Ok.
4. Click Done.

Summary

Leveraging the advanced capabilities of the Citrix NetScaler ADC can improve performance when supporting Windows 7 clients and enhance security for all DirectAccess clients using IP-HTTPS. In terms of supportability, all of the changes described in this article are completely transparent and do not alter the native DirectAccess client or server configuration. If a Microsoft support engineer declines support due to this configuration, switching from SSL offload to SSL bridge is all that’s required to restore full supportability.

Additional Resources

NetScaler release 11.1 build 50.10 (requires login) – https://www.citrix.com/downloads/netscaler-adc/firmware/release-111-build-5010

Release notes for build 50.10 of NetScaler 11.1 release – https://www.citrix.com/content/dam/citrix/en_us/documents/downloads/netscaler-adc/NS_11_1_50_10.html

VIDEO: Enable Load Balancing for DirectAccess – https://www.youtube.com/watch?v=3tdqgY9Y-uo

DirectAccess IP-HTTPS preauthentication using F5 BIG-IP – https://directaccess.richardhicks.com/2016/05/23/directaccess-ip-https-preauthentication-using-f5-big-ip/

DirectAccess SSL offload for IP-HTTPS using F5 BIG-IP – https://directaccess.richardhicks.com/2013/07/10/ssl-offload-for-ip-https-directaccess-traffic-from-windows-7-clients-using-f5-big-ip/

Implementing DirectAccess with Windows Server 2016 book – http://directaccessbook.com/

7 Comments

by Richard M. Hicks on January 17, 2017 • Permalink

Posted in ADC, application delivery controller, DirectAccess, High Availability, IP-HTTPS, IPv6, IPv6 Transition, Load Balancing, Netscaler, Remote Access, Security, SSL and TLS, Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016

Posted by Richard M. Hicks on January 17, 2017

https://directaccess.richardhicks.com/2017/01/17/directaccess-ssl-offload-and-ip-https-preauthentication-with-citrix-netscaler/

Deploying DirectAccess in Microsoft Azure

Introduction

DirectAccess Now a Supported Workload in Microsoft Azure Many organizations are preparing to implement DirectAccess on Microsoft’s public cloud infrastructure. Deploying DirectAccess in Azure is fundamentally no different than implementing it on premises, with a few important exceptions (see below). This article provides essential guidance for administrators to configure this unique workload in Azure.

Important Note: There has been much confusion regarding the supportability of DirectAccess in Azure. Historically it has not been supported. Recently, it appeared briefly that Microsoft reversed their earlier decision and was in fact going to support it. However, the Microsoft Server Software Suport for Microsoft Azure Virtual Machines document has once again been revised to indicate that DirectAccess is indeed no longer formally supported on Azure. More details can be found here.

Azure Configuration

The following is guidance for configuring network interfaces, IP address assignments, public DNS, and network security groups for deploying DirectAccess in Azure.

Virtual Machine

Deploy a virtual machine in Azure with sufficient resources to meet expected demand. A minimum of two CPU cores should be provisioned. A VM with 4 cores is recommended. Premium storage on SSD is optional, as DirectAccess is not a disk intensive workload.

Network Interfaces

It is recommended that an Azure VM with a single network interface be provisioned for the DirectAccess role. This differs from on-premises deployments where two network interfaces are preferred because deploying VMs in Azure with two NICs is prohibitively difficult. At the time of this writing, Azure VMs with multiple network interfaces can only be provisioned using PowerShell, Azure CLI, or resource manager templates. In addition, Azure VMs with multiple NICs cannot belong to the same resource group as other VMs. Finally, and perhaps most importantly, not all Azure VMs support multiple NICs.

Internal IP Address

Static IP address assignment is recommended for the DirectAccess VM in Azure. By default, Azure VMs are initially provisioned using dynamic IP addresses, so this change must be made after the VM has been provisioned. To assign a static internal IP address to an Azure VM, open the Azure management portal and perform the following steps:

Click Virtual machines.
Select the DirectAccess server VM.
Click Network Interfaces.
Click on the network interface assigned to the VM.
Under Settings click IP configurations.
Click Ipconfig1.
In the Private IP address settings section choose Static for the assignment method.
Enter an IP address for the VM.
Click Save.

Deploying DirectAccess in Microsoft Azure

Public IP Address

The DirectAccess VM in Azure must have a public IP address assigned to it to allow remote client connectivity. To assign a public IP address to an Azure VM, open the Azure management portal and perform the following steps:

Click Virtual machines.
Select the DirectAccess server VM.
Click Network Interfaces.
Click on the network interface assigned to the VM.
Under Settings click IP configurations.
Click Ipconfig1.
In the Public IP address settings section click Enabled.
Click Configure required settings.
Click Create New and provide a descriptive name for the public IP address.
Choose an address assignment method.
Click Ok and Save.

Deploying DirectAccess in Microsoft Azure

Public DNS

If the static IP address assignment method was chosen for the public IP address, create an A resource record in public DNS that resolves to this address. If the dynamic IP address assignment method was chosen, create a CNAME record in public DNS that maps to the public hostname for the DirectAccess server. To assign a public hostname to the VM in Azure, open the Azure management portal and perform the following steps:

Click Virtual machines.
Select the DirectAccess server VM.
Click Overview.
Click Public IP address/DNS name label.
Under Settings click Configuration.
Choose an assignment method (static or dynamic).
Enter a DNS name label.
Click Save.

Deploying DirectAccess in Microsoft Azure

Note: The subject of the SSL certificate used for the DirectAccess IP-HTTPS listener must match the name of the public DNS record (A or CNAME) entered previously. The SSL certificate does not need to match the Azure DNS name label entered here.

Network Security Group

A network security group must be configured to allow IP-HTTPS traffic inbound to the DirectAccess server on the public IP address. To make the required changes to the network security group, open the Azure management portal and perform the following steps:

Click Virtual machines.
Select the DirectAccess server VM.
Click Network interfaces.
Click on the network interface assigned to the VM.
Under Settings click Network security group.
Click the network security group assigned to the network interface.
Click Inbound security rules.
Click Add and provide a descriptive name for the new rule.
Click Any for Source.
From the Service drop-down list choose HTTPS.
Click Allow for Action.
Click Ok.

Deploying DirectAccess in Microsoft Azure

Note: It is recommended that the default-allow-rdp rule be removed if it is not needed. At a minimum, scope the rule to allow RDP only from trusted hosts and/or networks.

DirectAccess Configuration

When performing the initial configuration of DirectAccess using the Remote Access Management console, the administrator will encounter the following warning message.

“One or more network adapters should be configured with a static IP address. Obtain a static address and assign it to the adapter.”

Deploying DirectAccess in Microsoft Azure

This message can safely be ignored because Azure infrastructure handles all IP address assignment for hosted VMs.

The public name of the DirectAccess server entered in the Remote Access Management console must resolve to the public IP address assigned to the Azure VM, as described previously.

Deploying DirectAccess in Microsoft Azure

Additional Considerations

When deploying DirectAccess in Azure, the following limitations should be considered.

Load Balancing

It is not possible to enable load balancing using Windows Network Load Balancing (NLB) or an external load balancer. Enabling load balancing for DirectAccess requires changing static IP address assignments in the Windows operating system directly, which is not supported in Azure. This is because IP addresses are assigned dynamically in Azure, even when the option to use static IP address assignment is chosen in the Azure management portal. Static IP address assignment for Azure virtual machines are functionally similar to using DHCP reservations on premises.

Deploying DirectAccess in Microsoft Azure

Note: Technically speaking, the DirectAccess server in Azure could be placed behind a third-party external load balancer for the purposes of performing SSL offload or IP-HTTPS preauthentication, as outlined here and here. However, load balancing cannot be enabled in the Remote Access Management console and only a single DirectAccess server per entry point can be deployed.

Manage Out

DirectAccess manage out using native IPv6 or ISATAP is not supported in Azure. At the time of this writing, Azure does not support IPv6 addressing for Azure VMs. In addition, ISATAP does not work due to limitations imposed by the underlying Azure network infrastructure.

Summary

For organizations moving infrastructure to Microsoft’s public cloud, formal support for the DirectAccess workload in Azure is welcome news. Implementing DirectAccess in Azure is similar to on-premises with a few crucial limitations. By following the guidelines outlined in this article, administrators can configure DirectAccess in Azure to meet their secure remote access needs with a minimum of trouble.

Additional Resources

Implementing DirectAccess in Windows Server 2016
Fundamentals of Microsoft Azure 2nd Edition
Microsoft Azure Security Infrastructure
DirectAccess Multisite with Azure Traffic Manager
DirectAccess Consulting Services

21 Comments

by Richard M. Hicks on September 19, 2016 • Permalink

Posted by Richard M. Hicks on September 19, 2016

https://directaccess.richardhicks.com/2016/09/19/deploying-directaccess-in-microsoft-azure/

DirectAccess in Windows Server 2016 at Microsoft Ignite 2016

I’m pleased to announce that I will be delivering a community theater session at this year’s Microsoft ignite conference in Atlanta, GA. The session, THR2136 in the session catalog, is scheduled for Thursday, September 29 at 12:40PM. This is a level 200 talk where I’ll be providing a high-level overview of all remote access technologies in Windows Server 2016, including DirectAccess, client-based VPN, and Web Application Proxy (WAP). I’ll be focusing on what’s new in each of these technologies and demonstrating how each solution applies in different use cases.

In addition to the session, I’ll be spending time with the folks from PointSharp and Pluralsight in their respective booths too, answering questions and providing demonstrations. I hope to have copies of my new DirectAccess book to sign as well. Be sure to follow me on Twitter for up-do-date details. Hope to see you at the conference!

6 Comments

by Richard M. Hicks on August 29, 2016 • Permalink

Posted in DirectAccess, DirectAccess Book, education, Remote Access, Training, VPN, Web Application Proxy, Windows 10, Windows Server 2016

Tagged conference, DirectAccess, education, Ignite, Ignite conference, Microsoft, Microsoft Ignite, Microsoft Ignite conference, Pluralsight, PointSharp, Remote Access, training, VPN, WAP, web application proxy, Windows, Windows 10, Windows Server, Windows Server 2016

Posted by Richard M. Hicks on August 29, 2016

https://directaccess.richardhicks.com/2016/08/29/directaccess-in-windows-server-2016-at-microsoft-ignite-2016/

DirectAccess IP-HTTPS Preauthentication using F5 BIG-IP

Note: For information about configuring the Citrix NetScaler to perform IP-HTTPS preauthentication, click here. For information about configuring Windows Server 2012 R2 to perform IP-HTTPS preauthentication natively, click here.

Introduction

DirectAccess IP-HTTPS Preauthentication using F5 BIG-IP Recently I wrote about security challenges with DirectAccess and the IP-HTTPS IPv6 transition technology. Specifically, IP-HTTPS transition tunnel connections are not authenticated by the DirectAccess server, only the client. This allows an unauthorized device to obtain an IPv6 address on the DirectAccess client network. With it, an attacker can perform network reconnaissance using ICMPv6 and potentially launch a variety of Denial-of-Service (DoS) attacks. For more details, click here.

Note: DirectAccess IPsec data connections not at risk. Data is never exposed at any time with the default configuration.

Mitigation

To mitigate these issues, it is recommended that an Application Delivery Controller (ADC) be used to terminate SSL connections and enforce client certificate authentication. Doing this will ensure that only authorized connections will be accepted by the DirectAccess server. In addition, there are some scalability and performance benefits to implementing this configuration when supporting Windows 7 clients.

Important Considerations

Performing IP-HTTPS preauthentication on the F5 BIG-IP is formally unsupported by Microsoft. In addition, terminating IP-HTTPS on the F5 appliance breaks OTP authentication.

F5 BIG-IP Configuration

To configure the F5 BIG-IP to perform SSL offload for DirectAccess IP-HTTPS, follow the guidance documented here. In addition, to configure the F5 BIG-IP to perform preauthentication for DirectAccess clients, when creating the client SSL profile, click Custom above the Client Authentication section and choose Require from the Client Certificate drop-down list and Always from the Frequency drop-down list. In addition, choose your internal PKI’s root Certification Authority (CA) certificate from the Trusted Certificate Authorities drop-down list and from the Advertised Certificate Authorities drop-down list.

Summary

Enabling client certificate authentication for IP-HTTPS connections ensures that only authorized DirectAccess clients can establish a connection to the DirectAccess server and obtain an IPv6 address. It also prevents an unauthorized user from performing network reconnaissance or launching IPv6 Denial-of-Service (DoS) attacks.

7 Comments

by Richard M. Hicks on May 23, 2016 • Permalink

Posted in ADC, application delivery controller, DirectAccess, Encryption, F5, IP-HTTPS, IPv6, IPv6 Transition, Load Balancing, Remote Access, Security, SSL and TLS, Windows 7, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016

Posted by Richard M. Hicks on May 23, 2016

https://directaccess.richardhicks.com/2016/05/23/directaccess-ip-https-preauthentication-using-f5-big-ip/

DirectAccess vs. VPN

Introduction

DirectAccess vs. VPN Many IT professionals mistakenly believe that DirectAccess is just another VPN solution. While there are some similarities between these technologies, both in terms of the underlying technology and function, there are some significant differences between the two. If you’re comparing DirectAccess to VPN, here are some essential points to consider.

VPN

Virtual Private Networking (VPN) has been around for ages. VPN is a mature, well understood technology that has been widely deployed, and today remains the de facto standard for providing secure remote access. VPN has broad client support, on both traditional computing platforms and mobile operating systems. VPNs today include support for modern protocols and integrate with numerous multifactor authentication platforms.

VPN Challenges

There are some serious drawbacks to implementing traditional client-based VPN. VPN connections are user initiated and therefore optional. It is up to the user to decide if and when they connect to the corporate network. Many VPNs require additional software to work, which must be deployed and maintained. Establishing connections is potentially problematic too, as some VPN protocols aren’t firewall friendly and don’t work in many locations.

DirectAccess vs. VPN From a security perspective, because anyone can attempt a connection to the VPN from any client, strong authentication becomes an essential requirement. Integrating multifactor authentication makes the implementation more complex and difficult to support. It often requires additional hardware, licensing, and support costs.

VPNs can be costly to implement and support. They typically require expensive proprietary hardware and dedicated management skill sets. Many VPN solutions also have additional licensing costs associated with them. Scaling a VPN solution requires additional investments in hardware devices, adding to the overall cost of the solution.

DirectAccess

DirectAccess is a relative newcomer to the world of secure remote access. First introduced with Windows Server 2008 R2, DirectAccess differs fundamentally from VPN by virtue of its seamless and transparent, always-on connection. DirectAccess connections are established by the machine, not the user. They are secure and authenticated, and are established automatically whenever the DirectAccess client has an active Internet connection. DirectAccess connections are also bidirectional, which is an important distinction. The ability to “manage out” to remote connected DirectAccess clients enables compelling new uses cases for IT administrators.

Addressing VPN Pain Points with DirectAccess

DirectAccess vs. VPN DirectAccess connections are inherently more secure than VPN. Unlike VPN, DirectAccess clients must be joined to the domain and, in most configurations, they must also have a certificate issued by the organization’s private, internal Public Key Infrastructure (PKI). This essentially serves as a type of multifactor authentication for the connecting device, resulting in a much higher level of assurance for remote connections. DirectAccess can also support integration with many existing multifactor authentication providers to provide strong authentication for the user, if desired.

DirectAccess is very firewall friendly and works anywhere the user has an active Internet connection. It requires no additional software to be installed, and the seamless and transparent nature of DirectAccess makes it much easier to use than VPN. All of this improves end user productivity and reduces associated management overhead for the solution.

DirectAccess is a more cost-effective alternative to VPN. DirectAccess can be deployed on existing infrastructure (physical or virtual) and does not require proprietary hardware. This makes it much easier and far less expensive to add additional capacity, if required. DirectAccess can also be managed using existing systems management tools and Windows administration skills and does not have any per-user licensing requirements, which results in additional cost savings over VPN.

DirectAccess Limitations and Drawbacks

DirectAccess is not a comprehensive remote access solution. It is designed for managed (domain-joined) Windows clients only. In addition, DirectAccess clients must be provisioned with the Enterprise edition SKU. Also, there are a few cases in which applications may not be compatible with DirectAccess. In addition, there is no support for DirectAccess on non-managed Windows machines, non-Enterprise SKUs, or any devices using non-Windows operating systems, so a VPN might still be required.

DirectAccess vs. VPN

DirectAccess or VPN?

You might be asking yourself, “DirectAccess or VPN?” Why not both? After all, DirectAccess and VPN aren’t mutually exclusive. They are, in fact, quite complimentary. DirectAccess can be used to provide secure remote access and enhanced management for Windows laptops managed by IT, while VPN can be deployed for non-managed devices. While you may not be able to entirely eliminate VPN with DirectAccess, it will certainly allow you to decrease the number of existing VPN licenses and reduce your investment in proprietary hardware, management tools, and dedicated administrators, all of which translates in to reduced capital investment and operational costs.

Summary

DirectAccess is not simply another VPN solution. While it does provide secure remote corporate network connectivity, it does so more securely and more cost effectively than traditional VPN does. DirectAccess is unrivaled in its security and ease of use, dramatically improving end user productivity and reducing associated infrastructure and support costs. DirectAccess can be deployed on current physical and virtual infrastructure, and can be managed using existing Windows systems management tools and skill sets.

If you’d like to learn more about how DirectAccess can benefit your organization, or you would like some assistance with a DirectAccess proof of concept implementation, consider a DirectAccess consulting engagement today. I’m here to help plan, design, implement, and support DirectAccess and ensure the best chance of success for your deployment.

Additional Information

Have a question about DirectAccess? Fill out the form below and I’ll get in touch with you.

24 Comments

by Richard M. Hicks on February 8, 2016 • Permalink

Posted in Consulting Services, DirectAccess, Professional Services, Remote Access, Security, Windows 10, Windows Server 2012 R2

Tagged DirectAccess, Microsoft, Remote Access, VPN, Windows, Windows 10

Posted by Richard M. Hicks on February 8, 2016

https://directaccess.richardhicks.com/2016/02/08/directaccess-vs-vpn/

DirectAccess and Windows 10 Professional

Does Windows 10 Professional Support DirectAccess?

This is a question I’ve received on more than one occasion. For some reason there seems to be a persistent rumor on the Internet that Windows 10 Professional is now a supported client for DirectAccess. I’m not sure where this rumor got started, but I’ll put it to rest right now – Windows 10 Professional is NOT a supported DirectAccess client! DirectAccess still requires Enterprise edition (with two exceptions) to take advantage of DirectAccess for secure remote access.

Supported DirectAccess Clients

The following is a complete list (as of this writing) of client operating systems that support DirectAccess.

Windows 10 Enterprise
Windows 10 Education
Windows 8.1 Enterprise
Windows 7 Enterprise
Windows 7 Ultimate

DirectAccess and Windows 10 Professional

If you are running a version of Windows that is not Enterprise edition (with the exception of Windows 7 Ultimate and Windows 10 Education) DirectAccess will not work. Be careful, because you can still provision non-Enterprise SKUs such as Windows 10 Professional for DirectAccess. All of the DirectAccess settings will be applied without issue and everything will look perfectly normal, but DirectAccess won’t work. The telltale sign on Windows 8.x and Windows 10 clients is that you won’t be able to start the Network Connectivity Assistant (NCA) service (NcaSvc). When you attempt to do so you will receive the following error message:

Failed to start service 'Network Connectivity Assistant (NcaSvc)'

Identify OS Version

You can verify the operating system SKU by looking at the output of systeminfo.exe or by going to the control panel under System and Security and clicking System.

Upgrade from Windows 10 Professional to Enterprise

A new feature introduced in Windows 10 allows you to easily upgrade the product SKU without having to perform an in place upgrade or reinstall the entire operating system from scratch. So, if you have Windows 10 Enterprise licenses and you want to upgrade a Windows 10 Professional device to Enterprise (for example you want to enable your new Surface Pro 4 to use DirectAccess!) you can simply provide the enterprise product license key in Windows 10 to upgrade. You can provide a new product key by navigating to Start | Settings | Update & Security | Activation | Change Product Key, or run changepk.exe from the Run dialog box or the command line.

DirectAccess and Windows 10 Professional

Enter your Windows 10 Enterprise product key and then click Start Upgrade.

DirectAccess and Windows 10 Professional

After the system reboots it will have been upgraded to Enterprise edition and now work as a DirectAccess client.

Summary

With Windows 10, it’s easy to upgrade from Professional to Enterprise edition by simply providing the Enterprise edition product key. This works great if you have just a few machines to upgrade, but if you are planning to upgrade many machines I would recommend creating a deployment package using the Windows Imaging and Configuration Designer (ICD), which is included with the Windows 10 Assessment and Deployment Kit (ADK) and can be downloaded here. Once you’ve upgraded your Windows 10 Professional devices to Windows 10 Enterprise you can begin provisioning them for DirectAccess!

DirectAccess consulting services now available! Click here for more details!

16 Comments

by Richard M. Hicks on December 14, 2015 • Permalink

Posted in DirectAccess, Enterprise, Remote Access, Surface Pro, Surface Pro 4, Windows 10

Tagged DirectAccess, Microsoft, NCA, network connectivity assistant, operating system, Remote Access, Surface, Surface Pro, Surface Pro 4, systeminfo, upgrade, Windows 10, Windows 10 Enterprise, Windows 10 Professional, Windows10

Posted by Richard M. Hicks on December 14, 2015

https://directaccess.richardhicks.com/2015/12/14/directaccess-and-windows-10-professional/

Enterprise Nirvana with Surface Pro 4, Windows 10, and DirectAccess

Introduction

DirectAccess and Windows 10 - Better Together

The Microsoft Surface Pro 4 was made available for sale to the public on October 26, 2015. The latest in a line of powerful and flexible tablets from Microsoft, the Surface Pro 4 features a full version of the Windows 10 desktop client operating system and includes more available power, memory, and storage than previous editions. Significant improvements were also made to the keyboard and pen. The Surface Pro 4 is designed to be an all-in-one laptop replacement, enabling users to carry a single device for all of their needs.

Surface Pro 4 and the Enterprise

Microsoft is pushing the Surface Pro 4 heavily to large enterprise organizations by expanding the resale business channel and offering the device through companies like Dell and HP. In fact, Microsoft has made the Surface Pro 4 available through more than 5000 business resellers in 30 global markets. This new enterprise sales initiative strives to deliver world class service and support for enterprise customers adopting the new Surface Pro 4, and includes a new warranty offer and a business device trade-in program designed to promote the adoption of Surface and Windows 10 in the enterprise.

Enterprise Nirvana with Surface Pro 4, Windows 10, and DirectAccess

In addition, Microsoft will have a training program for IT management and support professionals as well as new Windows users that will help streamline the deployment of the Surface Pro 4 and Windows 10. Organizations are rapidly adopting the Surface Pro 4 and Windows 10, as Microsoft has already signed on a number of high-profile companies in the retail, financial services, education, and public sector verticals. Today, Microsoft has deployed Windows 10 to over 110 million devices since it was released in late October 2015, making it the most rapidly adopted operating system in their history.

Enterprise Requirements

One of the primary motivating factors for enterprise organizations migrating to the Surface Pro 4 is cost reduction. The Surface Pro 4 functions as both a full PC and a tablet, eliminating the need for users to carry two devices. More importantly, it eliminates the need for IT to procure, manage, and support two different hardware and software platforms (for example a Windows-based laptop and an iPad). Additionally, IT organizations can leverage their existing Windows systems management infrastructure and expertise to deploy and maintain their Surface devices.

DirectAccess and the Surface Pro 4

For organizations seeking to maximize their investment in the Surface Pro 4 with Windows 10, implementing a secure remote access solution using Windows Server 2012 R2 DirectAccess is essential. DirectAccess provides seamless and transparent, always on secure remote corporate network connectivity for managed (domain-joined) Windows clients. DirectAccess enables streamlined access to on-premises application and data, improving end user productivity and reducing help desk costs. DirectAccess connectivity is bi-directional, making possible new and compelling management scenarios for field-based assets. DirectAccess clients can be managed the same way, regardless if they are inside or outside of the corporate network. DirectAccess ensures that clients are better managed, consistently maintained, and fully monitored.

Enterprise Nirvana with Surface Pro 4, Windows 10, and DirectAccess

Windows 10 and DirectAccess

The Surface Pro 4 with Windows 10 provides full support for all enterprise features of DirectAccess in Windows Server 2012 R2, including automatic site selection and transparent fail over for multisite deployments, as well as scalability and performance improvements. In addition, supportability for Windows 10 clients is much improved with DirectAccess GUI integration and full PowerShell support. Additional information about how DirectAccess and Windows 10 are better together, click here.

Additional Cost Savings

Enterprise Nirvana with Surface Pro 4, Windows 10, and DirectAccess

DirectAccess does not require any additional software to be installed on the client, and does not incur per user licensing to implement. Another benefit is that DirectAccess can easily be deployed on most popular hypervisors such as Hyper-V and VMware, eliminating the need for expensive proprietary hardware-based remote access solutions and taking full advantage of current investments in virtual infrastructure. Additionally, existing Windows systems management skill sets can be leveraged to support a DirectAccess implementation, eliminating the need for expensive dedicated administrators.

Note: Windows 10 Enterprise edition is required to support DirectAccess, and it is assumed that large organizations will be deploying Surface Pro 4 with Windows 10 Enterprise.

Summary

The Surface Pro 4 is the thinnest, lightest, and most powerful Surface tablet ever. It features Windows 10, and it can run the full version of Office and any other applications you need. The Surface Pro 4 is aimed squarely at large enterprises, governments, and schools. Not coincidentally, these verticals are also excellent uses cases for DirectAccess. DirectAccess is the perfect complement to the Surface Pro 4 and Windows 10 in the enterprise, as it helps organizations address the unique pain points of large scale enterprise adoption of Windows devices. DirectAccess allows the Surface Pro 4 to be much more effectively managed, while at the same time significantly improving the end user experience.

To realize the full potential of your Windows 10 and Surface Pro 4 deployment, consider a DirectAccess consulting engagement. By leveraging our experience you’ll have the peace of mind knowing that you have deployed DirectAccess in the most optimal, flexible, secure, and highly available manner possible. For more information about a DirectAccess consulting engagement, click here.

2 Comments

by Richard M. Hicks on November 2, 2015 • Permalink

Posted in Consulting Services, DirectAccess, Enterprise, Professional Services, Remote Access, Security, Surface Pro, VPN, Windows 10, Windows Server 2012 R2

Posted by Richard M. Hicks on November 2, 2015

https://directaccess.richardhicks.com/2015/11/02/enterprise-nirvana-with-surface-pro-4-windows-10-and-directaccess/

DirectAccess, Windows 10, and Network Access Protection (NAP)

First introduced with Windows Server 2008, Microsoft Network Access Protection (NAP) is a technology that allows IT administrators to create and enforce system health requirements that must be met before a computer can connect to the network. Common NAP enforcement points include Ethernet switches (802.1x), DHCP, IPsec, remote access VPN, and Terminal Services Gateway (TS Gateway) connections. DirectAccess also supports NAP integration, which allows administrators to extend this solution to include their DirectAccess clients.

Unfortunately, NAP has proven not to be very popular, and the adoption rate for this technology has been quite minimal. With that, Microsoft formally deprecated NAP in Windows Server 2012 R2, and removed it completely from Windows Server 2016.

Crucially the plumbing for NAP integration in the Windows 10 client operating system has also been removed. For DirectAccess deployments that have been configured to use NAP, this obviously presents a problem. In this scenario, Windows 7/8 clients will function normally. However, Windows 10 clients will not be able to connect. Since NAP integration with DirectAccess is a global setting, all clients must conform to NAP. There is no option to exclude only Windows 10 clients from NAP.

There are two ways in which to resolve this problem. The first is simply to disable NAP integration. However, if you still want to enforce NAP requirements for Windows 7/8 clients, but at the same time also want to allow Windows 10 clients to use DirectAccess, a separate dedicated DirectAccess deployment without NAP integration configured will have to be deployed to support Windows 10 DirectAccess clients.

4 Comments

by Richard M. Hicks on October 13, 2015 • Permalink

Posted in DirectAccess, NAP, Remote Access, VPN, Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2012 R2, Windows Server 2016

Tagged deprecated, deprecated feature, DirectAccess, Microsoft, NAP, Network Access Protection, Remote Access, VPN, Windows, Windows 10

Posted by Richard M. Hicks on October 13, 2015

https://directaccess.richardhicks.com/2015/10/13/directaccess-windows-10-and-network-access-protection-nap/

Microsoft Most Valuable Professional (MVP) 2015

Once again I’m very pleased to announce that I have been awarded the Microsoft Most Valuable Professional (MVP) award for 2015! This marks my 7th consecutive year receiving this prestigious award from Microsoft. It is a tremendous honor to be recognized for my technical expertise and community contributions over the last year. I thoroughly enjoy working with Microsoft technologies and helping organizations implement secure remote access and Azure virtual networking solutions. I look forward to engaging with customers and the community even more over the next year. And to all of my fellow MVPs, I look forward to seeing you at the summit in November!

3 Comments

by Richard M. Hicks on October 1, 2015 • Permalink

Posted in DirectAccess, MVP, Remote Access, VPN

Tagged award, DirectAccess, Microsoft, Microsoft MVP, MVP, Remote Access, virtual networking, VPN

Posted by Richard M. Hicks on October 1, 2015

https://directaccess.richardhicks.com/2015/10/01/microsoft-most-valuable-professional-mvp-2015/

Search for:
DirectAccess Book

DirectAccess Book

Available Now!
Consulting

DirectAccess Consulting Services

Now Available!
KEMP Technologies

LoadMaster Load Balancers

Download a free trial!
PointSharp ID

Multifactor Authentication

for DirectAccess!
Recent Posts
DirectAccess Resources

MVP Profile

Connect

Mailing List

Buy This!

RSS Feed

Archives

Categories

Tag Cloud

All posts tagged Microsoft

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

DirectAccess Book

Consulting

KEMP Technologies

PointSharp ID

Recent Posts

DirectAccess Resources