Deploying DirectAccess in Microsoft Azure

Introduction

DirectAccess Now a Supported Workload in Microsoft AzureMany organizations are preparing to implement DirectAccess on Microsoft’s public cloud infrastructure. Deploying DirectAccess in Azure is fundamentally no different than implementing it on premises, with a few important exceptions (see below). This article provides essential guidance for administrators to configure this unique workload in Azure.

Important Note: There has been much confusion regarding the supportability of DirectAccess in Azure. Historically it has not been supported. Recently, it appeared briefly that Microsoft reversed their earlier decision and was in fact going to support it. However, the Microsoft Server Software Suport for Microsoft Azure Virtual Machines document has once again been revised to indicate that DirectAccess is indeed no longer formally supported on Azure. More details can be found here.

Azure Configuration

The following is guidance for configuring network interfaces, IP address assignments, public DNS, and network security groups for deploying DirectAccess in Azure.

Virtual Machine

Deploy a virtual machine in Azure with sufficient resources to meet expected demand. A minimum of two CPU cores should be provisioned. A VM with 4 cores is recommended. Premium storage on SSD is optional, as DirectAccess is not a disk intensive workload.

Network Interfaces

It is recommended that an Azure VM with a single network interface be provisioned for the DirectAccess role. This differs from on-premises deployments where two network interfaces are preferred because deploying VMs in Azure with two NICs is prohibitively difficult. At the time of this writing, Azure VMs with multiple network interfaces can only be provisioned using PowerShell, Azure CLI, or resource manager templates. In addition, Azure VMs with multiple NICs cannot belong to the same resource group as other VMs. Finally, and perhaps most importantly, not all Azure VMs support multiple NICs.

Internal IP Address

Static IP address assignment is recommended for the DirectAccess VM in Azure. By default, Azure VMs are initially provisioned using dynamic IP addresses, so this change must be made after the VM has been provisioned. To assign a static internal IP address to an Azure VM, open the Azure management portal and perform the following steps:

  1. Click Virtual machines.
  2. Select the DirectAccess server VM.
  3. Click Network Interfaces.
  4. Click on the network interface assigned to the VM.
  5. Under Settings click IP configurations.
  6. Click Ipconfig1.
  7. In the Private IP address settings section choose Static for the assignment method.
  8. Enter an IP address for the VM.
  9. Click Save.

Deploying DirectAccess in Microsoft Azure

Public IP Address

The DirectAccess VM in Azure must have a public IP address assigned to it to allow remote client connectivity. To assign a public IP address to an Azure VM, open the Azure management portal and perform the following steps:

  1. Click Virtual machines.
  2. Select the DirectAccess server VM.
  3. Click Network Interfaces.
  4. Click on the network interface assigned to the VM.
  5. Under Settings click IP configurations.
  6. Click Ipconfig1.
  7. In the Public IP address settings section click Enabled.
  8. Click Configure required settings.
  9. Click Create New and provide a descriptive name for the public IP address.
  10. Choose an address assignment method.
  11. Click Ok and Save.

Deploying DirectAccess in Microsoft Azure

Deploying DirectAccess in Microsoft Azure

Public DNS

If the static IP address assignment method was chosen for the public IP address, create an A resource record in public DNS that resolves to this address. If the dynamic IP address assignment method was chosen, create a CNAME record in public DNS that maps to the public hostname for the DirectAccess server. To assign a public hostname to the VM in Azure, open the Azure management portal and perform the following steps:

  1. Click Virtual machines.
  2. Select the DirectAccess server VM.
  3. Click Overview.
  4. Click Public IP address/DNS name label.Deploying DirectAccess in Microsoft Azure
  5. Under Settings click Configuration.
  6. Choose an assignment method (static or dynamic).
  7. Enter a DNS name label.
  8. Click Save.

Deploying DirectAccess in Microsoft Azure

Note: The subject of the SSL certificate used for the DirectAccess IP-HTTPS listener must match the name of the public DNS record (A or CNAME) entered previously. The SSL certificate does not need to match the Azure DNS name label entered here.

Network Security Group

A network security group must be configured to allow IP-HTTPS traffic inbound to the DirectAccess server on the public IP address. To make the required changes to the network security group, open the Azure management portal and perform the following steps:

  1. Click Virtual machines.
  2. Select the DirectAccess server VM.
  3. Click Network interfaces.
  4. Click on the network interface assigned to the VM.
  5. Under Settings click Network security group.
  6. Click the network security group assigned to the network interface.
  7. Click Inbound security rules.
  8. Click Add and provide a descriptive name for the new rule.
  9. Click Any for Source.
  10. From the Service drop-down list choose HTTPS.
  11. Click Allow for Action.
  12. Click Ok.

Deploying DirectAccess in Microsoft Azure

Note: It is recommended that the default-allow-rdp rule be removed if it is not needed. At a minimum, scope the rule to allow RDP only from trusted hosts and/or networks.

DirectAccess Configuration

When performing the initial configuration of DirectAccess using the Remote Access Management console, the administrator will encounter the following warning message.

“One or more network adapters should be configured with a static IP address. Obtain a static address and assign it to the adapter.”

Deploying DirectAccess in Microsoft Azure

This message can safely be ignored because Azure infrastructure handles all IP address assignment for hosted VMs.

The public name of the DirectAccess server entered in the Remote Access Management console must resolve to the public IP address assigned to the Azure VM, as described previously.

Deploying DirectAccess in Microsoft Azure

Additional Considerations

When deploying DirectAccess in Azure, the following limitations should be considered.

Load Balancing

It is not possible to enable load balancing using Windows Network Load Balancing (NLB) or an external load balancer. Enabling load balancing for DirectAccess requires changing static IP address assignments in the Windows operating system directly, which is not supported in Azure. This is because IP addresses are assigned dynamically in Azure, even when the option to use static IP address assignment is chosen in the Azure management portal. Static IP address assignment for Azure virtual machines are functionally similar to using DHCP reservations on premises.

Deploying DirectAccess in Microsoft Azure

Note: Technically speaking, the DirectAccess server in Azure could be placed behind a third-party external load balancer for the purposes of performing SSL offload or IP-HTTPS preauthentication, as outlined here and here. However, load balancing cannot be enabled in the Remote Access Management console and only a single DirectAccess server per entry point can be deployed.

Manage Out

DirectAccess manage out using native IPv6 or ISATAP is not supported in Azure. At the time of this writing, Azure does not support IPv6 addressing for Azure VMs. In addition, ISATAP does not work due to limitations imposed by the underlying Azure network infrastructure.

Summary

For organizations moving infrastructure to Microsoft’s public cloud, formal support for the DirectAccess workload in Azure is welcome news. Implementing DirectAccess in Azure is similar to on-premises with a few crucial limitations. By following the guidelines outlined in this article, administrators can configure DirectAccess in Azure to meet their secure remote access needs with a minimum of trouble.

Additional Resources

Implementing DirectAccess in Windows Server 2016
Fundamentals of Microsoft Azure 2nd Edition
Microsoft Azure Security Infrastructure
DirectAccess Multisite with Azure Traffic Manager
DirectAccess Consulting Services

DirectAccess IP-HTTPS Discovery Script for Nmap

DirectAccess IP-HTTPS Discovery Script for NmapWhen troubleshooting DirectAccess connectivity issues, the popular Nmap network mapping and discovery tool is an invaluable resource for verifying the communication path to the DirectAccess server from outside the network. However, just verifying that ports are open and listening often isn’t sufficient. In the case of IP-HTTPS, for example, the tried and true method of using telnet to verify that the port is open might be misleading. For instance, telnet might indicate that TCP port 443 is open and responding, but DirectAccess connectivity can still fail. This often happens as a result of a network configuration error that allows another network device other than the DirectAccess server to respond to HTTPS requests, which results in a false positive.

In an effort to conclusively determine that the DirectAccess server is responding, I’ve often relied on the SSL Labs Server Test site. Here I will enter the DirectAccess server’s public hostname and run the test, and from the results I can easily determine if indeed the DirectAccess server is responding by verifying that the HTTP server signature is Microsoft-HTTPAPI/2.0.

DirectAccess IP-HTTPS Discovery Script for NMAP

This usually works well, but it takes a few minutes to run the test, and there are a few scenarios in which it doesn’t work. For example, I might be working with a customer to perform some initial testing by using a local HOSTS file entry for the public name before the DNS record has been created. Also, if the SSL certificate on the DirectAccess server uses an IP address instead of a hostname (not recommended, but it is supported!) the SSL Labs server test won’t work.

Fortunately, the latest release Nmap (v7.00) now includes a script that enables the detection of Microsoft DirectAccess responding on TCP port 443. With the IP-HTTPS discovery script, it is now possible to determine not only if the port is open, but if the DirectAccess server is actually the service responding. The syntax for conducting a port scan using the IP-HTTPS discovery script for NMAP is as follows:

nmap.exe –n –Pn –p443 [directaccess_public_fqdn] –script [path_to_nmap_iphttps_discovery_script]

Here’s an example:

nmap.exe –n –Pn –p443 da.richardhicks.net –script c:\tools\nmap\scripts\ip-https-discover.nse

DirectAccess IP-HTTPS Discovery Script for NMAP

Now it is possible, using just Nmap, to not only determine if the IP-HTTPS communication path is functioning, but to definitively determine that the DirectAccess server is the device responding.

Happy troubleshooting!

DirectAccess and VPN on RunAs Radio

DirectAccess and Windows Server 2012 R2 on RunAs RadioRecently I had the opportunity to once again join Richard Campbell on his popular RunAs Radio podcast to chat about all things remote access in Windows Server 2012 R2. The conversation starts out with DirectAccess, but we also touch upon important topics like client-based VPN and BYOD access. We also talk a little bit about DirectAccess in Windows Server 2016 and what the future might look like for DirectAccess in Windows.RunAs Radio

You can listen to the podcast here.

Enjoy!

DirectAccess and Windows 10 Technical Preview Build 9926

Looking for more information on Windows 10 and DirectAccess? Click here!

Microsoft recently announced the availability of build 9926 of Windows 10 Technical Preview. This new update includes changes to the user interface that make it easier to view DirectAccess connection status and properties. In this latest build, using the Window Key + I keystroke combination now brings up the Settings menu.

DirectAccess and Windows 10 Technical Preview Build 9926

Figure 1 – Settings Window

To view the DirectAccess connection status, click Network & Internet and then click Show available connections.

DirectAccess and Windows 10 Technical Preview Build 9926

Figure 2 – Network & Internet (Show Available Connections)

Here you’ll find status information for all network connections including DirectAccess. Right-clicking the Workplace Connection will allow the user to disconnect their session, if that option is enabled on the DirectAccess server.

DirectAccess and Windows 10 Technical Preview Build 9926

Figure 3 – DirectAccess Connectivity Status Indicator

Selecting the DirectAccess submenu reveals detailed information about DirectAccess connectivity, including current entry point connection and optional entry point selection, if manual entry point selection is enabled on the DirectAccess server.

DirectAccess and Windows 10 Technical Preview Build 9926

Figure 4 – Network & Internet (DirectAccess Advanced Connection Properties)

Windows Server 2012 Unified Remote Access Book Coming Soon

My good friends Ben Ben-Ari and Bala Natarajan are putting the finishing touches on their latest book entitled Windows Server 2012 Unified Remote Access Planning and Deployment. This book will cover in detail how to plan and deploy remote access solutions using Windows Server 2012 including VPN (remote access and site-to-site) as well as DirectAccess. The authors are both highly qualified to write about this subject, as Ben has been supporting Forefront UAG 2010 and DirectAccess for many years, and Bala is the Program Manager for the Windows Core Networking team. The book is due to be released in January 2013 and it is sure to be an essential reference for all things remote access in Windows Server 2012. Pre-order your copy of Windows Server 2012 Remote Access today!

Windows Server 2012 Unified Remote Access Planning and Deployment

Win a Copy of Understanding IPv6 Third Edition

Recently I announced that Joe Davies’ third edition of Understanding IPv6 was available for purchase. The latest release is fully updated to cover IPv6 technologies up to and including Windows Server 2012 and Windows 8. This new edition also includes coverage of DirectAccess in Windows Server 2008 R2 and Windows Server 2012. This book will be a valuable resource for network and systems administrators implementing IPv6 on their corporate network or deploying DirectAccess to provide secure remote access. The good news is that I will be giving away several copies of this essential reference over the coming weeks and months! Stay tuned to this blog and follow me on Twitter and Facebook for details on how to win. I’ll be giving away my first copy of the book before the end of the month!

Networking and DirectAccess Sessions at TechEd 2012

This year I had the privilege of attending both TechEd North America and TechEd Europe, and presenting a session on Forefront TMG and UAG at both events. With the release of Windows 8 and Windows Server 2012 due later this year, there were many sessions about the technologies included in the new client and server operating systems. When I wasn’t delivering my session or spending time with the Microsoft team in the learning center, I attended a number of sessions on security and networking. If you were unable to attend, or perhaps missed any of these sessions, they are now all available online on MSDN Channel 9. [ North America | Europe ] Here is a list of my favorite sessions:

  • IPv6 Bootcamp: Get Up to Speed Quickly
  • Windows Server 2012 DirectAccess: How to Quickly and Easily Deploy Your Next Generation Remote Access Solution
  • Overview of Hyper-V Networking in Windows Server 2012
  • Windows Server 2012 NIC Teaming and Multichannel Solutions
  • Networking for Hybrid Cloud: BranchCache and Cross Premise Connectivity
  • Hyper-V Network Virtualization for Scalable Multi-Tenancy in Windows
  • Extending Enterprise Networks to Windows Azure using Windows Azure Virtual Networks
  • Demystifying Microsoft Forefront Edge Security Technologies: TMG and UAG
  • Ok, I have to admit that I’m somewhat biased about that last session on the list. 😉 However, Windows Server 2012 does have a lot of new networking features and capabilities that make it a compelling solution for remote access and hybrid cloud connectivity. Have a look at some of these sessions and start evaluating Windows 8 and Windows Server 2012 today!

    World IPv6 Launch Day

    It’s coming…and this time it’s for real. That’s right; World IPv6 Launch Day is set for June 6, 2012. Building on the successful World IPv6 Day, major Internet Service Providers (ISPs), home networking equipment manufacturers, and web companies from around the world are coming together to permanently enable IPv6 for their products and services. Sadly, my ISP, Cox Communications, does not appear to be participating. That means I’ll continue using Hurricane Electric’s IPv6 tunnel broker to provide me with native IPv6 access to the Internet. The world is moving to IPv6, so it’s time to get on board!

    World IPv6 Launch Day - June 6, 2012

    %d bloggers like this: