Always On VPN Device Tunnel Configuration Guidance Now Available

Always On VPN Device Tunnel Configuration Guidance Now AvailableWhen Always On VPN is configured for Windows 10, the VPN connection is established automatically when the user logs on to their device. This differs fundamentally from DirectAccess, where the connection is established by the machine, before the user logs on. This subtle but important difference has some important ramifications. For example, it means that a user cannot use Always On VPN until they’ve logged on to their device at least once while connected to the corporate network. DirectAccess doesn’t have this limitation, as a connection to an on-premises domain controller is available to authenticate a new user upon first logon.

Device Tunnel Support

To address this shortcoming with Always On VPN, and to provide better feature parity with DirectAccess, Microsoft introduced an update to Windows 10 in the recent Fall Creators update (v1709) that allows for the configuration of a device tunnel for Windows 10 Always On VPN. Once enabled, the device itself can automatically establish a secure remote connection before the user logs on. This enables scenarios such as device provisioning for new remote users without cached credentials. It also enables support for password reset using CTRL+ALT+DEL.

Manage Out

Device tunnel for Windows 10 Always On VPN also enables important manage out scenarios that DirectAccess administrators have come to rely upon. With a device tunnel configured, administrators can initiate connections to remote connected Always On VPN clients to provide remote management and support, without requiring a user to be logged on at the time.

Requirements

To support an Always On VPN device tunnel, the client must be running Windows 10 Enterprise or Education v1709 or later. The computer must be domain-joined and have a machine certificate installed. Device tunnel can only be configured using the built-in Windows 10 VPN client (no support for third-party clients) and the IKEv2 protocol must be used.

Caveat

When configuring a device tunnel, traffic filters can be implemented to restrict communication to only those internal resources required, such as domain controllers, Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM) servers. However, when traffic filters are used, no inbound traffic to the client is allowed. If manage out is required over the device tunnel, traffic filters cannot be configured. Microsoft expects to remove this limitation in a future update.

Provisioning and Documentation

Configuring and provisioning a Windows 10 Always On VPN device tunnel is similar to the process for the Always On VPN connection itself. A VPN profileXML file is created and then deployed via a Mobile Device Management (MDM) solution such as Microsoft Intune. Optionally, the VPN profileXML can be deployed using SCCM or PowerShell. Additional information about Windows 10 Always On VPN device tunnel configuration, including a sample profileXML and PowerShell script, can be found here.

Additional Resources

Configure a VPN Device Tunnel in Windows 10

Always On VPN and the Future of DirectAccess

5 Things DirectAccess Administrators Should Know about Always On VPN

PowerShell Recommended Reading for DirectAccess and Always On VPN Administrators

PowerShell Recommended Reading for DirectAccess and Always On VPN AdministratorsPowerShell is an important skill for administrators supporting Microsoft workloads including DirectAccess and Always On VPN. Using PowerShell to install required roles and features is much simpler and quicker than using the Graphical User Interface (GUI), with only a single command required to accomplish this task. Some settings aren’t exposed in the GUI and can only be configured using PowerShell. In addition, PowerShell makes the task of troubleshooting DirectAccess and Always On VPN much easier.

Learn PowerShell

One of the best resources for learning PowerShell is the book Learn PowerShell in a Month of Lunches authored by Microsoft MVPs and recognized PowerShell experts Don Jones and Jeff Hicks. This book, now in its third edition, should be considered essential reading for all Microsoft administrators. Click here for more details.

PowerShell Recommended Reading for DirectAccess and Always On VPN Administrators

Learn PowerShell Scripting

Recently Don and Jeff released a new book entitled Learn PowerShell Scripting in a Month of Lunches. This new book builds upon the skills learned in their first title by focusing on the development of PowerShell scripts to automate many common administrative tasks. PowerShell scripts can also be used to build custom, reusable tools to more effectively manage and monitor Microsoft workloads. Click here for more details.

PowerShell Recommended Reading for DirectAccess and Always On VPN Administrators

PowerShell for the Future

In my experience, far too many administrators today lack crucial PowerShell abilities. Don’t get left behind! PowerShell is rapidly becoming a required skill, so get these books and start learning PowerShell today!

Additional Resources

Top 5 DirectAccess Troubleshooting PowerShell Commands

Configure Windows Server Core to use PowerShell by Default

 

Microsoft Ignite Conference 2017

Will you be attending the Microsoft Ignite conference in Orlando, FL next week? Let’s connect! I’m not giving any talks this year, so I will be spending most of my time with the folks at Pointsharp in their booth in the expo hall. Want to talk security, remote access, multifactor authentication, load balancing/application delivery, PKI, or anything else? Stop by and say hi! Follow me on Twitter @richardhicks for live updates. In addition, I’ll be hosting a happy hour event with NetMotion on Tuesday, September 26 at 6PM at the Rocks lounge in the Hyatt Regency hotel just across the street from the conference center. Be sure to drop in and say hello! Hope to see you there!

Microsoft Ignite 2017

NetMotion Mobility as an Alternative to DirectAccess

Learn more about NetMotion Mobility by registering for my free live webinar here!

NetMotion Mobility as an Alternative to DirectAccessAs I outlined in a recent blog post, there has been much speculation surrounding the end of life for Microsoft DirectAccess. This is not surprising, as Microsoft has not made any investments in DirectAccess since the introduction of Windows Server 2012. Recently, Microsoft began promoting its Always On VPN solution as an alternative for DirectAccess. While DirectAccess has not been formally deprecated, Microsoft is actively encouraging organizations considering DirectAccess to deploy Always On VPN instead, as indicated here.

NetMotion Mobility as an Alternative to Microsoft DirectAccess

Source: https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn-top#advanced-vpn-connectivity

DirectAccess Alternatives

It’s important to state that, at the time of this writing, DirectAccess is still fully supported in Windows 10 and Windows Server 2016 and will be for quite some time. However, the future for DirectAccess is definitely limited, and customers should start considering alternative remote access solutions.

Always On VPN

Microsoft is positioning Always On VPN as the replacement for DirectAccess. Always On VPN offers some important new capabilities missing from DirectAccess. For example, Always On VPN supports all Windows 10 client SKUs, not just Enterprise and Education as DirectAccess does. Always On VPN includes important security enhancements such as conditional access with system health checks, access control list (ACL) enforcement per device and per application, and more.

Always On VPN Limitations

But Always On VPN has some serious limitations too. For example, Always On VPN works only with Windows 10. Windows 7 is not supported at all. Managing and supporting Always On VPN has its own challenges. It cannot be managed using Active Directory and group policy in the traditional way. You must use System Center Configuration Manager (SCCM), Intune, or PowerShell to configure and manage VPN clients.

NetMotion Mobility

I’m excited to announce I’ve recently partnered with NetMotion to provide their secure remote access solutions to organizations looking for alternatives to DirectAccess and Always On VPN. NetMotion Mobility provides the same seamless and transparent, always on remote access with some additional important features not included in DirectAccess and Always On VPN.

Broad Client Support – NetMotion Mobility can provide DirectAccess-like remote access for all versions and SKUs of Windows as well as Mac, iOS (iPhone and iPad), and Android.

Enhanced Security – NetMotion Mobility includes fine-grained policy enforcement to restrict network access based on a wide range of parameters including IP address, protocol, port, application, time of day, location, and type of network (e.g. wired, Wi-Fi, wireless, etc.). NetMotion Mobility also includes integrated Network Access Control (NAC) to validate device configuration prior to connecting, ensuring the highest level of security for remote endpoints. More details here and here.

Improved Performance – NetMotion Mobility client to server communication is optimized to improve reliability and performance. Network traffic is compressed and prioritized to ensure optimum performance for critical applications. Session persistence allows mobile workers to remain connected during times of poor connectivity or when roaming between different networks. More details here.

Greater Visibility – NetMotion Mobility provides a wealth of detailed information to perform analysis and troubleshooting for remote connections. Performance and diagnostic information is logged in real-time and provides administrators with crucial data and insight to quickly identify and resolve connectivity issues. More details here.

Better Supportability – NetMotion Mobility is supported by dedicated, highly trained support engineers with deep product experience. NetMotion support is not tiered. The support engineer who answers the phone will handle the case until resolution.

Learn More about NetMotion

NetMotion Mobility is a truly comprehensive remote access solution and an excellent alternative to DirectAccess. To learn more about NetMotion Mobility and to see it in action, fill out the form below and I’ll get in touch with you. You can also register for my upcoming free live webinar here.

Additional Information

Webinar: Comparing DirectAccess and NetMotion Mobility

Always On VPN and the Future of DirectAccess

NetMotion and DirectAccess Comparison Whitepaper

NetMotion and Skype for Business demonstration video

NetMotion Website

Deployment Considerations for DirectAccess on Amazon Web Services (AWS)

Organizations are rapidly deploying Windows server infrastructure with public cloud providers such as Amazon Web Services (AWS) and Microsoft Azure. With traditional on-premises infrastructure now hosted in the cloud, DirectAccess is also being deployed there more commonly.

Supportability

Interestingly, Microsoft has expressly stated that DirectAccess is not formally supported on their own public cloud platform, Azure. However, there is no formal statement of non-support for DirectAccess hosted on other non-Microsoft public cloud platforms. With supportability for DirectAccess on AWS unclear, many companies are taking the approach that if it isn’t unsupported, then it must be supported. I’d suggest proceeding with caution, as Microsoft could issue formal guidance to the contrary in the future.

DirectAccess on AWS

Deploying DirectAccess on AWS is similar to deploying on premises, with a few notable exceptions, outlined below.

IP Addressing

It is recommended that an IP address be exclusively assigned to the DirectAccess server in AWS, as shown here.

Deployment Considerations for DirectAccess on Amazon Web Services (AWS)

Prerequisites Check

When first configuring DirectAccess, the administrator will encounter the following warning message.

“The server does not comply with some DirectAccess prerequisites. Resolve all issues before proceed with DirectAccess deployment.”

The warning message itself states that “One or more network adapters should be configured with a static IP address. Obtain a static address and assign it to the adapter.

Deployment Considerations for DirectAccess on Amazon Web Services (AWS)

IP addressing for virtual machines are managed entirely by AWS. This means the DirectAccess server will have a DHCP-assigned address, even when an IP address is specified in AWS. Assigning static IP addresses in the guest virtual machine itself is also not supported. However, this warning message can safely be ignored.

No Support for Load Balancing

It is not possible to create load-balanced clusters of DirectAccess servers for redundancy or scalability on AWS. This is because enabling load balancing for DirectAccess requires the IP address of the DirectAccess server be changed in the operating system, which is not supported on AWS. To eliminate single points of failure in the DirectAccess architecture or to add additional capacity, multisite must be enabled. Each additional DirectAccess server must be provisioned as an individual entry point.

Network Topology

DirectAccess servers on AWS can be provisioned with one or two network interfaces. Using two network interfaces is recommended, with the external network interface of the DirectAccess server residing in a dedicated perimeter/DMZ network. The external network interface must use either the Public or Private Windows firewall profile. DirectAccess will not work if the external interface uses the Domain profile. For the Public and Private profile to be enabled, domain controllers must not be reachable from the perimeter/DMZ network. Ensure the perimeter/DMZ network cannot access the internal network by restricting network access in EC2 using a Security Group, or on the VPC using a Network Access Control List (ACL) or custom route table settings.

External Connectivity

A public IPv4 address must be associated with the DirectAccess server in AWS. There are several ways to accomplish this. The simplest way is to assign a public IPv4 address to the virtual machine (VM). However, a public IP address can only be assigned to the VM when it is deployed initially and cannot be added later. Alternatively, an Elastic IP can be provisioned and assigned to the DirectAccess server at any time.

An ACL must also be configured for the public IP that restricts access from the Internet to only inbound TCP port 443. To provide additional protection, consider deploying an Application Delivery Controller (ADC) appliance like the Citrix NetScaler or F5 BIG-IP to enforce client certificate authentication for DirectAccess clients.

Network Location Server (NLS)

If an organization is hosting all of its Windows infrastructure in AWS and all clients will be remote, Network Location Server (NLS) availability becomes much less critical than with traditional on-premises deployments. For cloud-only deployments, hosting the NLS on the DirectAccess server is a viable option. It eliminates the need for dedicated NLS, reducing costs and administrative overhead. If multisite is configured, ensure that the NLS is not using a self-signed certificate, as this is unsupported.

Deployment Considerations for DirectAccess on Amazon Web Services (AWS)

However, for hybrid cloud deployments where on-premises DirectAccess clients share the same internal network with cloud-hosted DirectAccess servers, it is recommended that the NLS be deployed on dedicated, highly available servers following the guidance outlined here and here.

Client Provisioning

All supported DirectAccess clients will work with DirectAccess on AWS. If the domain infrastructure is hosted exclusively in AWS, provisioning clients can be performed using Offline Domain Join (ODJ). Provisioning DirectAccess clients using ODJ is only supported in Windows 8.x/10. Windows 7 clients cannot be provisioned using ODJ and must be joined to the domain using another form of remote network connectivity such as VPN.

Additional Resources

DirectAccess No Longer Supported in Microsoft Azure

Microsoft Server Software Support for Azure Virtual Machines

DirectAccess Network Location Server (NLS) Guidance

DirectAccess Network Location Server (NLS) Deployment Considerations for Large Enterprises

Provisioning DirectAccess Clients using Offline Domain Join (ODJ)

DirectAccess SSL Offload and IP-HTTPS Preauthentication with Citrix NetScaler

DirectAccess SSL Offload and IP-HTTPS Preauthentication with F5 BIG-IP

Planning and Implementing DirectAccess with Windows Server 2016 Video Training Course

Implementing DirectAccess with Windows Server 2016 Book

DirectAccess SSL Offload and IP-HTTPS Preauthentication with Citrix NetScaler

Introduction

Communication between the DirectAccess client and server takes place exclusively over IPv6. When DirectAccess servers and/or clients are on the IPv4 Internet, an IPv6 transition technology must be employed to allow those clients to connect to the DirectAccess server. DirectAccess deployment best practices dictate that only the IP-HTTPS IPv6 transition technology be used. IP-HTTPS uses SSL/TLS for server authentication and optionally encryption. To improve security and performance for IP-HTTPS, an Application Delivery Controller (ADC) like the Citrix NetScaler can be configured to perform SSL offloading and client preauthentication for DirectAccess IP-HTTPS connections.

Please note that the following caveats apply when enabling SSL offload for DirectAccess clients:

  • Enabling SSL offload and IP-HTTPS preauthentication on an ADC for DirectAccess is formally unsupported by Microsoft.
  • SSL offload should not be enabled with DirectAccess is configured to use one-time password (OTP) authentication. Offloading SSL will break OTP functionality.

IP-HTTPS Challenges

The IP-HTTPS IPv6 transition technology is a simple and effective way to allow DirectAccess clients and servers to communicate by encapsulating IPv6 traffic in HTTP and routing it over the public IPv4 Internet. However, there are two critical issues with the default implementation of IP-HTTPS in DirectAccess. One is a security issue, the other affects performance.

Security

The DirectAccess server does not authenticate clients establishing IP-HTTPS connections. This could allow an unauthorized client to obtain an IPv6 address from the DirectAccess server using the IPv6 Neighbor Discovery (ND) process. With a valid IPv6 address, the unauthorized user could perform internal network reconnaissance or launch a variety of Denial of Service (DoS) attacks on the DirectAccess infrastructure and connected clients. More details here.

Performance

Windows 7 DirectAccess clients use encrypted cipher suites when establishing IP-HTTPS connections. However, the payload being transported is already encrypted using IPsec. This double encryption increases resource utilization on the DirectAccess server, reducing performance and limiting scalability. More details here.


Note: Beginning with Windows Server 2012 and Windows 8, Microsoft introduced support for null encryption for IP-HTTPS connections. This eliminates the needless double encryption, greatly improving scalability and performance for DirectAccess clients using IP-HTTPS.


SSL Offload for DirectAccess IP-HTTPS

The Citrix NetScaler can be configured to perform SSL offload to improve performance for Windows 7 DirectAccess clients using IP-HTTPS. Since DirectAccess does not natively support SSL offload, the NetScaler must be configured in a non-traditional way. While the NetScaler will be configured to terminate incoming IP-HTTPS SSL connections, it must also use SSL for the back-end connection to the DirectAccess server. However, the NetScaler will be configured only to use null cipher suites when connecting to the DirectAccess server. Even though Windows 7 clients will still perform double encryption to the NetScaler, this configuration effectively offloads from the server the heavy burden of double encrypting every IP-HTTPS connection for all connected DirectAccess clients. This results in reduced CPU utilization on the DirectAccess server, yielding better scalability and performance.

SSL Offload and Windows 8.x/10 Clients

Offloading SSL for Windows 8.x/10 clients will not improve performance because they already use null cipher suites for IP-HTTPS when connecting to a Windows Server 2012 or later DirectAccess server. However, terminating SSL on the NetScaler is still required to perform IP-HTTPS preauthentication.

Supported NetScaler Platforms for DirectAccess SSL Offloading

The following configuration for Citrix NetScaler can be performed on any release of the VPX virtual ADC platform. However, be advised that there is a known issue with older releases on the MDX and SDX hardware platforms that will prevent this from working. For MDX and SDX deployments, upgrading to release 11.1 build 50.10 or later will be required.

Configure Citrix NetScaler for IP-HTTPS SSL Offload

To enable SSL offloading for DirectAccess IP-HTTPS on the Citrix NetScaler, open the NetScaler management console, expand Traffic Management and Load Balancing, and then perform the following procedures in order.

Add Servers

  1. Click Servers.
  2. Click Add.
  3. In the Name field enter a descriptive name for the first DirectAccess server.
  4. Select IP Address.
  5. In the IP Address field enter the IP address of the first DirectAccess server.
  6. Click Create.
  7. Repeat these steps for any additional servers in the load-balanced cluster.

DirectAccess SSL Offload and IP-HTTPS Preauthentication with Citrix NetScaler

Add Services

  1. Click Services.
  2. Click Add.
  3. In the Service Name field enter a descriptive name for the service.
  4. Select Existing Server from the Server drop-down list.
  5. Choose the first DirectAccess server in the cluster.
  6. Choose SSL from the Protocol drop-down list.
  7. Click Ok.DirectAccess SSL Offload and IP-HTTPS Preauthentication with Citrix NetScaler
  8. Edit SSL Parameters.
    1. In the Protocol section uncheck SSLv3.
    2. Click Ok.
  9. Edit SSL Ciphers.
    1. Click Remove All.
    2. Click Add.
    3. Type NULL in the Search Ciphers box.
    4. Check the box next to the first entry for SSL3-NULL-SHA.
    5.  Click the right arrow to add the cipher to the list.
    6. Click Ok.
    7. Click Done.
    8. Repeat these steps for any additional servers in the load-balanced cluster.DirectAccess SSL Offload and IP-HTTPS Preauthentication with Citrix NetScaler

A warning message may be displayed indicating that no usable ciphers are configured on the SSL vserver/service. This message can be safely ignored.

DirectAccess SSL Offload and IP-HTTPS Preauthentication with Citrix NetScaler

Add Virtual Server

  1. Click Virtual Servers.
    1. Click Add.
    2. In the Name field enter a descriptive name for the virtual server.
    3. Choose SSL from the Protocol drop-down list.
    4. In the IP Address field enter the IP address for the virtual server.
    5. Click Ok.DirectAccess SSL Offload and IP-HTTPS Preauthentication with Citrix NetScaler

      Note: When enabling load balancing in DirectAccess, the IP address assigned to the first DirectAccess server is reallocated for use as the load balancing Virtual IP Address (VIP). Ideally this IP address will be assigned to the load balancing virtual server on the NetScaler. However, this is not a hard requirement. It is possible to configure the VIP on the NetScaler to reside on any subnet that the load balancer has an interface to. More details here.


  2. In the Services and Groups section click No Load Balancing Virtual Server Service Binding.
    1. Click on the Select Service field.
    2. Check all DirectAccess server services and click Select.
    3. Click Bind.
    4. Click Continue.
  3. In the Certificate section click No Server Certificate.
    1. Click on the Select Server Certificate field.
    2. Choose the certificate to be used for DirectAccess IP-HTTPS.
    3. Click Select.
    4. Click Bind.
    5. Click Continue.
  4. Edit SSL Ciphers.
    1. Click Remove All.
    2. Click Add.
    3. Type ECDHE in to the Search Ciphers box.
    4. Check the box next to TLS1-ECDHE-RSA-AES128-SHA.
    5. Click the right arrow to add the cipher to the list.
    6. Type NULL in to the Search Ciphers box.
    7. Check the box next to SSL3-NULL-SHA.
    8. Click the right arrow to add the cipher to the list.
    9. Click Ok.
    10. Click Done.DirectAccess SSL Offload and IP-HTTPS Preauthentication with Citrix NetScaler

      Note: If Windows 8.x/10 clients are supported exclusively, SSL3-NULL-SHA is the only cipher suite required to be configured on the virtual server. If Windows 7 client support is required, the TLS1-ECDHE-RSA-AES128-SHA cipher suite should also be configured on the virtual server.


  5. Edit SSL Parameters.
    1. Uncheck SSLv3.
    2. Click Ok.

      Note: If Windows 8.x/10 clients are supported exclusively, TLSv1 can also be unchecked on the virtual server. If Windows 7 client support is required, TLSv1 must be enabled.


  6. In the Advanced Settings section click Persistence.
    1. Choose SSLSESSION.
    2. Enter 10 minutes for the Time-out (mins) value.
    3. Click Ok.
    4. Click Done.

Optional IP-HTTPS Preauthentication

To enable IP-HTTPS preauthentication to prevent unauthorized network access, perform the following procedures on the Citrix NetScaler appliance.

  1. Expand Traffic Management, Load Balancing, and then click Virtual Servers.
  2. Select the DirectAccess virtual server and click Edit.
    1. In the Certificate section click No CA Certificate.
    2. Click the Select CA Certificate field.
    3. Choose the certificate for the CA that issues certificates to DirectAccess clients and servers.

      Note: The CA certificate used for DirectAccess can be found by opening the Remote Access Management console, clicking Edit on Step 2, and then clicking Authentication. Alternatively, the CA certificate can be found by running the following PowerShell command.

      (Get-RemoteAccess).IPsecRootCertificate | Format-Table Thumbprint


    4. Click Select.
    5. Choose CRL Optional from the CRL and OCSP Check drop-down list.
    6. Click Bind.
  3. Edit SSL Parameters.
    1. Check the box next to Client Authentication.
    2. Choose Mandatory from the Client Certificate drop-down list.
    3. Click Ok.
    4. Click Done.
      DirectAccess SSL Offload and IP-HTTPS Preauthentication with Citrix NetScaler

Summary

Leveraging the advanced capabilities of the Citrix NetScaler ADC can improve performance when supporting Windows 7 clients and enhance security for all DirectAccess clients using IP-HTTPS. In terms of supportability, all of the changes described in this article are completely transparent and do not alter the native DirectAccess client or server configuration. If a Microsoft support engineer declines support due to this configuration, switching from SSL offload to SSL bridge is all that’s required to restore full supportability.

Additional Resources

NetScaler release 11.1 build 50.10 (requires login) – https://www.citrix.com/downloads/netscaler-adc/firmware/release-111-build-5010

Release notes for build 50.10 of NetScaler 11.1 release – https://www.citrix.com/content/dam/citrix/en_us/documents/downloads/netscaler-adc/NS_11_1_50_10.html

VIDEO: Enable Load Balancing for DirectAccess – https://www.youtube.com/watch?v=3tdqgY9Y-uo

DirectAccess IP-HTTPS preauthentication using F5 BIG-IP – https://directaccess.richardhicks.com/2016/05/23/directaccess-ip-https-preauthentication-using-f5-big-ip/

DirectAccess SSL offload for IP-HTTPS using F5 BIG-IP – https://directaccess.richardhicks.com/2013/07/10/ssl-offload-for-ip-https-directaccess-traffic-from-windows-7-clients-using-f5-big-ip/

Implementing DirectAccess with Windows Server 2016 book – http://directaccessbook.com/

Deploying DirectAccess in Microsoft Azure

Introduction

DirectAccess Now a Supported Workload in Microsoft AzureMany organizations are preparing to implement DirectAccess on Microsoft’s public cloud infrastructure. Deploying DirectAccess in Azure is fundamentally no different than implementing it on premises, with a few important exceptions (see below). This article provides essential guidance for administrators to configure this unique workload in Azure.

Important Note: There has been much confusion regarding the supportability of DirectAccess in Azure. Historically it has not been supported. Recently, it appeared briefly that Microsoft reversed their earlier decision and was in fact going to support it. However, the Microsoft Server Software Suport for Microsoft Azure Virtual Machines document has once again been revised to indicate that DirectAccess is indeed no longer formally supported on Azure. More details can be found here.

Azure Configuration

The following is guidance for configuring network interfaces, IP address assignments, public DNS, and network security groups for deploying DirectAccess in Azure.

Virtual Machine

Deploy a virtual machine in Azure with sufficient resources to meet expected demand. A minimum of two CPU cores should be provisioned. A VM with 4 cores is recommended. Premium storage on SSD is optional, as DirectAccess is not a disk intensive workload.

Network Interfaces

It is recommended that an Azure VM with a single network interface be provisioned for the DirectAccess role. This differs from on-premises deployments where two network interfaces are preferred because deploying VMs in Azure with two NICs is prohibitively difficult. At the time of this writing, Azure VMs with multiple network interfaces can only be provisioned using PowerShell, Azure CLI, or resource manager templates. In addition, Azure VMs with multiple NICs cannot belong to the same resource group as other VMs. Finally, and perhaps most importantly, not all Azure VMs support multiple NICs.

Internal IP Address

Static IP address assignment is recommended for the DirectAccess VM in Azure. By default, Azure VMs are initially provisioned using dynamic IP addresses, so this change must be made after the VM has been provisioned. To assign a static internal IP address to an Azure VM, open the Azure management portal and perform the following steps:

  1. Click Virtual machines.
  2. Select the DirectAccess server VM.
  3. Click Network Interfaces.
  4. Click on the network interface assigned to the VM.
  5. Under Settings click IP configurations.
  6. Click Ipconfig1.
  7. In the Private IP address settings section choose Static for the assignment method.
  8. Enter an IP address for the VM.
  9. Click Save.

Deploying DirectAccess in Microsoft Azure

Public IP Address

The DirectAccess VM in Azure must have a public IP address assigned to it to allow remote client connectivity. To assign a public IP address to an Azure VM, open the Azure management portal and perform the following steps:

  1. Click Virtual machines.
  2. Select the DirectAccess server VM.
  3. Click Network Interfaces.
  4. Click on the network interface assigned to the VM.
  5. Under Settings click IP configurations.
  6. Click Ipconfig1.
  7. In the Public IP address settings section click Enabled.
  8. Click Configure required settings.
  9. Click Create New and provide a descriptive name for the public IP address.
  10. Choose an address assignment method.
  11. Click Ok and Save.

Deploying DirectAccess in Microsoft Azure

Deploying DirectAccess in Microsoft Azure

Public DNS

If the static IP address assignment method was chosen for the public IP address, create an A resource record in public DNS that resolves to this address. If the dynamic IP address assignment method was chosen, create a CNAME record in public DNS that maps to the public hostname for the DirectAccess server. To assign a public hostname to the VM in Azure, open the Azure management portal and perform the following steps:

  1. Click Virtual machines.
  2. Select the DirectAccess server VM.
  3. Click Overview.
  4. Click Public IP address/DNS name label.Deploying DirectAccess in Microsoft Azure
  5. Under Settings click Configuration.
  6. Choose an assignment method (static or dynamic).
  7. Enter a DNS name label.
  8. Click Save.

Deploying DirectAccess in Microsoft Azure

Note: The subject of the SSL certificate used for the DirectAccess IP-HTTPS listener must match the name of the public DNS record (A or CNAME) entered previously. The SSL certificate does not need to match the Azure DNS name label entered here.

Network Security Group

A network security group must be configured to allow IP-HTTPS traffic inbound to the DirectAccess server on the public IP address. To make the required changes to the network security group, open the Azure management portal and perform the following steps:

  1. Click Virtual machines.
  2. Select the DirectAccess server VM.
  3. Click Network interfaces.
  4. Click on the network interface assigned to the VM.
  5. Under Settings click Network security group.
  6. Click the network security group assigned to the network interface.
  7. Click Inbound security rules.
  8. Click Add and provide a descriptive name for the new rule.
  9. Click Any for Source.
  10. From the Service drop-down list choose HTTPS.
  11. Click Allow for Action.
  12. Click Ok.

Deploying DirectAccess in Microsoft Azure

Note: It is recommended that the default-allow-rdp rule be removed if it is not needed. At a minimum, scope the rule to allow RDP only from trusted hosts and/or networks.

DirectAccess Configuration

When performing the initial configuration of DirectAccess using the Remote Access Management console, the administrator will encounter the following warning message.

“One or more network adapters should be configured with a static IP address. Obtain a static address and assign it to the adapter.”

Deploying DirectAccess in Microsoft Azure

This message can safely be ignored because Azure infrastructure handles all IP address assignment for hosted VMs.

The public name of the DirectAccess server entered in the Remote Access Management console must resolve to the public IP address assigned to the Azure VM, as described previously.

Deploying DirectAccess in Microsoft Azure

Additional Considerations

When deploying DirectAccess in Azure, the following limitations should be considered.

Load Balancing

It is not possible to enable load balancing using Windows Network Load Balancing (NLB) or an external load balancer. Enabling load balancing for DirectAccess requires changing static IP address assignments in the Windows operating system directly, which is not supported in Azure. This is because IP addresses are assigned dynamically in Azure, even when the option to use static IP address assignment is chosen in the Azure management portal. Static IP address assignment for Azure virtual machines are functionally similar to using DHCP reservations on premises.

Deploying DirectAccess in Microsoft Azure

Note: Technically speaking, the DirectAccess server in Azure could be placed behind a third-party external load balancer for the purposes of performing SSL offload or IP-HTTPS preauthentication, as outlined here and here. However, load balancing cannot be enabled in the Remote Access Management console and only a single DirectAccess server per entry point can be deployed.

Manage Out

DirectAccess manage out using native IPv6 or ISATAP is not supported in Azure. At the time of this writing, Azure does not support IPv6 addressing for Azure VMs. In addition, ISATAP does not work due to limitations imposed by the underlying Azure network infrastructure.

Summary

For organizations moving infrastructure to Microsoft’s public cloud, formal support for the DirectAccess workload in Azure is welcome news. Implementing DirectAccess in Azure is similar to on-premises with a few crucial limitations. By following the guidelines outlined in this article, administrators can configure DirectAccess in Azure to meet their secure remote access needs with a minimum of trouble.

Additional Resources

Implementing DirectAccess in Windows Server 2016
Fundamentals of Microsoft Azure 2nd Edition
Microsoft Azure Security Infrastructure
DirectAccess Multisite with Azure Traffic Manager
DirectAccess Consulting Services

DirectAccess in Windows Server 2016 at Microsoft Ignite 2016

I’m pleased to announce that I will be delivering a community theater session at this year’s Microsoft ignite conference in Atlanta, GA. The session, THR2136 in the session catalog, is scheduled for Thursday, September 29 at 12:40PM. This is a level 200 talk where I’ll be providing a high-level overview of all remote access technologies in Windows Server 2016, including DirectAccess, client-based VPN, and Web Application Proxy (WAP). I’ll be focusing on what’s new in each of these technologies and demonstrating how each solution applies in different use cases.

DirectAccess in Windows Server 2016 at Microsoft Ignite 2016

In addition to the session, I’ll be spending time with the folks from PointSharp and Pluralsight in their respective booths too, answering questions and providing demonstrations. I hope to have copies of my new DirectAccess book to sign as well. Be sure to follow me on Twitter for up-do-date details. Hope to see you at the conference!

DirectAccess IP-HTTPS Preauthentication using F5 BIG-IP

Note: For information about configuring the Citrix NetScaler to perform IP-HTTPS preauthentication, click here. For information about configuring Windows Server 2012 R2 to perform IP-HTTPS preauthentication natively, click here.

Introduction

DirectAccess IP-HTTPS Preauthentication using F5 BIG-IPRecently I wrote about security challenges with DirectAccess and the IP-HTTPS IPv6 transition technology. Specifically, IP-HTTPS transition tunnel connections are not authenticated by the DirectAccess server, only the client. This allows an unauthorized device to obtain an IPv6 address on the DirectAccess client network. With it, an attacker can perform network reconnaissance using ICMPv6 and potentially launch a variety of Denial-of-Service (DoS) attacks. For more details, click here.

Note: DirectAccess IPsec data connections not at risk. Data is never exposed at any time with the default configuration.

Mitigation

To mitigate these issues, it is recommended that an Application Delivery Controller (ADC) be used to terminate SSL connections and enforce client certificate authentication. Doing this will ensure that only authorized connections will be accepted by the DirectAccess server. In addition, there are some scalability and performance benefits to implementing this configuration when supporting Windows 7 clients.

Important Considerations

Performing IP-HTTPS preauthentication on the F5 BIG-IP is formally unsupported by Microsoft. In addition, terminating IP-HTTPS on the F5 appliance breaks OTP authentication.

F5 BIG-IP Configuration

To configure the F5 BIG-IP to perform SSL offload for DirectAccess IP-HTTPS, follow the guidance documented here. In addition, to configure the F5 BIG-IP to perform preauthentication for DirectAccess clients, when creating the client SSL profile, click Custom above the Client Authentication section and choose Require from the Client Certificate drop-down list and Always from the Frequency drop-down list. In addition, choose your internal PKI’s root Certification Authority (CA) certificate from the Trusted Certificate Authorities drop-down list and from the Advertised Certificate Authorities drop-down list.

DirectAccess IP-HTTPS Preauthentication using F5 BIG-IP

Summary

Enabling client certificate authentication for IP-HTTPS connections ensures that only authorized DirectAccess clients can establish a connection to the DirectAccess server and obtain an IPv6 address. It also prevents an unauthorized user from performing network reconnaissance or launching IPv6 Denial-of-Service (DoS) attacks.

DirectAccess vs. VPN

DirectAccess vs. VPNMany IT professionals mistakenly believe that DirectAccess is just another VPN solution. While there are some similarities between these technologies, both in terms of the underlying technology and function, there are some significant differences between the two. If you’re comparing DirectAccess to VPN, here are some essential points to consider.

VPN

Virtual Private Networking (VPN) has been around for ages. VPN is a mature, well understood technology that has been widely deployed, and today remains the de facto standard for providing secure remote access. VPN has broad client support, on both traditional computing platforms and mobile operating systems. VPNs today include support for modern protocols and integrate with numerous multifactor authentication platforms.

VPN Challenges

There are some serious drawbacks to implementing traditional client-based VPN. VPN connections are user initiated and therefore optional. It is up to the user to decide if and when they connect to the corporate network. Many VPNs require additional software to work, which must be deployed and maintained. Establishing connections is potentially problematic too, as some VPN protocols aren’t firewall friendly and don’t work in many locations.

DirectAccess vs. VPNFrom a security perspective, because anyone can attempt a connection to the VPN from any client, strong authentication becomes an essential requirement. Integrating multifactor authentication makes the implementation more complex and difficult to support. It often requires additional hardware, licensing, and support costs.

VPNs can be costly to implement and support. They typically require expensive proprietary hardware and dedicated management skill sets. Many VPN solutions also have additional licensing costs associated with them. Scaling a VPN solution requires additional investments in hardware devices, adding to the overall cost of the solution.

DirectAccess

DirectAccess is a relative newcomer to the world of secure remote access. First introduced with Windows Server 2008 R2, DirectAccess differs fundamentally from VPN by virtue of its seamless and transparent, always-on connection. DirectAccess connections are established by the machine, not the user. They are secure and authenticated, and are established automatically whenever the DirectAccess client has an active Internet connection. DirectAccess connections are also bidirectional, which is an important distinction. The ability to “manage out” to remote connected DirectAccess clients enables compelling new uses cases for IT administrators.

Addressing VPN Pain Points with DirectAccess

DirectAccess vs. VPNDirectAccess connections are inherently more secure than VPN. Unlike VPN, DirectAccess clients must be joined to the domain and, in most configurations, they must also have a certificate issued by the organization’s private, internal Public Key Infrastructure (PKI). This essentially serves as a type of multifactor authentication for the connecting device, resulting in a much higher level of assurance for remote connections. DirectAccess can also support integration with many existing multifactor authentication providers to provide strong authentication for the user, if desired.

DirectAccess is very firewall friendly and works anywhere the user has an active Internet connection. It requires no additional software to be installed, and the seamless and transparent nature of DirectAccess makes it much easier to use than VPN. All of this improves end user productivity and reduces associated management overhead for the solution.

DirectAccess is a more cost-effective alternative to VPN. DirectAccess can be deployed on existing infrastructure (physical or virtual) and does not require proprietary hardware. This makes it much easier and far less expensive to add additional capacity, if required. DirectAccess can also be managed using existing systems management tools and Windows administration skills and does not have any per-user licensing requirements, which results in additional cost savings over VPN.

DirectAccess Limitations and Drawbacks

DirectAccess is not a comprehensive remote access solution. It is designed for managed (domain-joined) Windows clients only. In addition, DirectAccess clients must be provisioned with the Enterprise edition SKU. Also, there are a few cases in which applications may not be compatible with DirectAccess. In addition, there is no support for DirectAccess on non-managed Windows machines, non-Enterprise SKUs, or any devices using non-Windows operating systems, so a VPN might still be required.

DirectAccess vs. VPN

DirectAccess or VPN?

You might be asking yourself, “DirectAccess or VPN?” Why not both? After all, DirectAccess and VPN aren’t mutually exclusive. They are, in fact, quite complimentary. DirectAccess can be used to provide secure remote access and enhanced management for Windows laptops managed by IT, while VPN can be deployed for non-managed devices. While you may not be able to entirely eliminate VPN with DirectAccess, it will certainly allow you to decrease the number of existing VPN licenses and reduce your investment in proprietary hardware, management tools, and dedicated administrators, all of which translates in to reduced capital investment and operational costs.

Always On VPN

To extend DirectAccess-like functionality to non-managed Windows 10 clients, Microsoft recently introduced Always On VPN. Always On VPN provides the same seamless and transparent remote access that DirectAccess does, although under the hood it uses traditional client-based VPN protocols such as IKEv2 and SSTP. You can learn more about Windows 10 Always On VPN here.

Summary

DirectAccess is not simply another VPN solution. While it does provide secure remote corporate network connectivity, it does so more securely and more cost effectively than traditional VPN does. DirectAccess is unrivaled in its security and ease of use, dramatically improving end user productivity and reducing associated infrastructure and support costs. DirectAccess can be deployed on current physical and virtual infrastructure, and can be managed using existing Windows systems management tools and skill sets.

Additional Information

If you’d like to learn more about how DirectAccess and Windows 10 Always On VPN can benefit your organization, or you would like some assistance with a DirectAccess or Always On VPN proof of concept implementation, consider a consulting services engagement today. I’m here to help plan, design, implement, and support DirectAccess and Always On VPN and ensure the best chance of success for your deployment.

Have a question about DirectAccess or Always On VPN? Fill out the form below and I’ll get in touch with you.

%d bloggers like this: