DirectAccess and Multi-SAN SSL Certificates for IP-HTTPS

Introduction

When preparing a DirectAccess server, an SSL certificate is required for the IP-HTTPS IPv6 transition technology. This certificate is often issued by a public Certification Authority (CA), but it can also be issued an organization’s internal Public Key Infrastructure (PKI).

SSL Certificate

Commonly an SSL certificate is issued for a single hostname, or subject. As long as the hostname matches the subject, everything works fine.

DirectAccess and Multi-SAN SSL Certificates for IP-HTTPS

Multi-SAN SSL Certificate

To ease the management burden of using multiple certificates, or reduce the expense associated with using a wildcard certificate, organizations can request a multi-SAN (Subject Alternative Name) certificate, which matches more than one subject. The additional subjects are included in the Subject Alternative Name field on the SSL certificate.

DirectAccess and Multi-SAN SSL Certificates for IP-HTTPS
A single multi-SAN certificate can be installed on multiple hosts and will work without issue as long as the hostname matches one of the SAN entries.

DirectAccess and Multi-SAN Certificates

When implementing DirectAccess in a multisite configuration, each entry point in the organization will have a unique public hostname. Instinctively, using a multi-SAN SSL certificate in this scenario would seem ideal.

Unfortunately, support for multi-SAN SSL certificates with DirectAccess is limited. To use a multi-SAN certificate for DirectAccess IP-HTTPS, the public hostname must match the name listed in the Subject field. In the example above, the subject is da.richardhicks.net, with SAN entries for da-west.richardhicks.net and da-east.richardhicks.net.

In this scenario, only the public name da.richardhicks.net is supported for use with DirectAccess. It will not work for any of the SAN entries. For example, attempting to configure DirectAccess to use this certificate with the public hostname da-west.richardhicks.net will fail with the following error message.

The subject name of certificate CN=[certificate subject name] is invalid.
Select a certificate with a valid subject name.

DirectAccess and Multi-SAN SSL Certificates for IP-HTTPS

Attempting to work around this issue by using the Set-DAServer PowerShell cmdlet also fails to recognize the SSL certificate correctly.

DirectAccess and Multi-SAN SSL Certificates for IP-HTTPS

Summary

Using a multi-SAN SSL certificate for the DirectAccess IP-HTTPS IPv6 transition technology is only supported when the public hostname matches the subject name of the certificate. Configuring DirectAccess with a public hostname listed in the SAN list is not supported. For multisite DirectAccess deployments, individual certificates must be issued for each entry point. Alternatively, a wildcard certificate can be used.

Configuring Multiple Windows Server 2012 R2 DirectAccess Instances

DirectAccess in Windows Server 2012 R2 supports many different deployment configurations. It can be deployed with a single server, multiple servers in a single location, multiple servers in multiple locations, edge facing, in a perimeter or DMZ network, etc.

Global Settings

There are a number of important DirectAccess settings that are global in scope and apply to all DirectAccess clients, such as certificate authentication, force tunneling, one-time password, and many more. For example, if you configure DirectAccess to use Kerberos Proxy instead of certificates for authentication, Windows 7 clients are not supported. In this scenario it is advantageous to have a second parallel DirectAccess deployment configured specifically for Windows 7 clients. This allows Windows 8 clients to take advantage of the performance gains afforded by Kerberos Proxy, while at the same time providing an avenue of support for Windows 7 clients.

Parallel Deployments

To the surprise of many, it is indeed possible to deploy DirectAccess more than once in an organization. I’ve been helping customers deploy DirectAccess for nearly five years now, and I’ve done this on more than a few occasions. In fact, there are some additional important uses cases that having more than one DirectAccess deployment can address.

Common Use Cases

QA and Testing – Having a separate DirectAccess deployment to perform testing and quality assurance can be quite helpful. Here you can validate configuration changes and verify updates without potential negative impact on the production deployment.

Delegated Administration – DirectAccess provides support for geographic redundancy, allowing administrators to create DirectAccess entry points in many different locations. DirectAccess in Windows Server 2012 R2 lacks support for delegated administration though, and in some cases it may make more sense to have multiple separate deployments as opposed to a single, multisite deployment. For example, many organizations are divided in to different business units internally and may operate autonomously. They may also have different configuration requirements, which can be better addressed using individual DirectAccess implementations.

Migration – If you have currently deployed DirectAccess using Windows Server 2008 R2 with or without Forefront UAG 2010, migrating to Windows Server 2012 R2 can be challenging because a direct, in-place upgrade is not supported. You can, however, deploy DirectAccess using Windows Server 2012 R2 in parallel to your existing deployment and simply migrate users to the new solution by moving the DirectAccess client computer accounts to a new security group assigned to the new deployment.

Major Configuration Changes – This strategy is also useful for scenarios where implementing changes to the DirectAccess configuration would be disruptive for remote users. For example, changing from a single site to a multisite configuration would typically require that all DirectAccess clients be on the LAN or connect remotely out-of-band to receive group policy settings changes after multisite is first configured. In addition, parallel deployments can significantly ease the pain of transitioning to a new root CA if required.

Unique Client Requirements – Having a separate deployment may be required to take advantage of the unique capabilities of each client operating system. For example, Windows 10 clients do not support Microsoft Network Access Protection (NAP) integration. NAP is a global setting in DirectAccess and applies to all clients. If you still require NAP integration and endpoint validation using NAP for Windows 7 and Windows 8.x, another DirectAccess deployment will be required to support Windows 10 clients.

Requirements

To support multiple Windows Server 2012 R2 DirectAccess deployments in the same organization, the following is required:

Unique IP Addresses – It probably goes without saying, but each DirectAccess deployment must have unique internal and external IPv4 addresses.

Distinct Public Hostname – The public hostname used for each deployment must also be unique. Multi-SAN certificates have limited support for DirectAccess IP-HTTPS (public hostname must be the first entry in the list), so consider using a wildcard certificate or obtain certificates individually for each deployment.

Group Policy Objects – You must use unique Active Directory Group Policy Objects (GPOs) to support multiple DirectAccess deployments in a single organization. You have the option to specify a unique GPO when you configure DirectAccess for the first time by clicking the Change link next to GPO Settings on the Remote Access Review screen.

Configuring Multiple Windows Server 2012 R2 DirectAccess Instances

Enter a distinct name for both the client and server GPOs. Click Ok and then click Apply to apply the DirectAccess settings for this deployment.

Configuring Multiple Windows Server 2012 R2 DirectAccess Instances

Windows 7 DirectAccess Connectivity Assistant (DCA) GPOs – If the DirectAccess Connectivity Assistant (DCA) v2.0 has been deployed for Windows 7 clients, separate GPOs containing the DCA client settings for each individual deployment will have to be configured. Each DirectAccess deployment will have unique Dynamic Tunnel Endpoint (DTE) IPv6 addresses which are used by the DCA to confirm corporate network connectivity. The rest of the DCA settings can be the same, if desired.

Supporting Infrastructure

The rest of the supporting infrastructure (AD DS, PKI, NLS, etc.) can be shared between the individual DirectAccess deployments without issue. Once you’ve deployed multiple DirectAccess deployments, make sure that DirectAccess clients DO NOT belong to more than one DirectAccess client security group to prevent connectivity issues.

Summary

DirectAccess with Windows Server 2012 R2 supports many different deployment models. For a given DirectAccess deployment model, some settings are global in scope and may not provide the flexibility required by some organizations. To address these challenges, consider a parallel deployment of DirectAccess. This will enable you to take advantage of the unique capabilities of each client operating system, or allow you to meet the often disparate configuration requirements that a single deployment cannot support.

DirectAccess and Windows 10 Better Together

With last week’s release of Windows 10, many organizations who chose to skip Windows 8 are now beginning to deploy Windows 10. To maximize investment in Windows 10, DirectAccess can be leveraged to provide employees with seamless and transparent, always on, secure remote corporate network connectivity. DirectAccess has been around for many years, and today the most popular DirectAccess client is Windows 7. However, Windows 10 provides better support for DirectAccess features that enhance performance and availability, while at the same making it easier to implement and support. Windows 10 opens up many new and compelling deployment scenarios for small businesses to large scale enterprises.

Full Support for Geographic Redundancy

Without a doubt the most important DirectAccess feature Windows 10 supports is automatic entry point selection and transparent failover for multisite deployments. DirectAccess multisite deployment provides essential geographic redundancy for organizations with multiple physical locations. Windows 7 has only minimal support for multisite deployment, with clients required to be assigned to a single entry point. Windows 10 clients are aware of all entry points and will intelligently select the closest entry point when establishing a DirectAccess connection. If the entry point becomes unavailable during the connection, Windows 10 clients will transparently connect to another entry point automatically.

Better Scalability and Performance

Windows 10, like Windows 8 before it, includes support for IP-HTTPS null encryption. This feature greatly improves scalability on the DirectAccess server by eliminating the needless double encryption that Windows 7 clients perform. This reduces resource consumption on the server and enables the server to support many more DirectAccess client connections.

DirectAccess and Windows 10 Better Together

Enhanced Supportability

Many will also appreciate Windows 10’s built-in DirectAccess connectivity status indicator. No longer will administrators have to deploy, manage, and maintain additional software to provide this essential functionality.

To access DirectAccess information in Windows 10, press Window Key + I, click Network & Internet, and then click the DirectAccess tab. Here you will find vital details about DirectAccess configuration and status such as connection state, currently connected entry point, and a site selection drop down box (if manual site selection is enabled by an administrator). In addition you can generate and collect log information for troubleshooting purposes.

DirectAccess and Windows 10 Better Together

Native PowerShell Support

Anyone tasked with troubleshooting DirectAccess configuration and connectivity issues will appreciate the native PowerShell integration with DirectAccess in Windows 10. With just a few commands a wealth of information about DirectAccess configuration and connectivity status can be obtained.

Need to quickly determine if a Windows 10 client has been provisioned for DirectAccess successfully?

Get-DAClientExperienceConfiguration

DirectAccess and Windows 10 Better Together

Has the Windows 10 client connected successfully? If not, why?

Get-DAConnectionStatus

DirectAccess and Windows 10 Better Together

Need to identify the Network Location Server (NLS) the client is configured to use?

Get-NCSIPolicyConfiguration

DirectAccess and Windows 10 Better Together

Looking for DirectAccess multisite entry point details and connection status?

Get-DAEntryPointTableItem

DirectAccess and Windows 10 Better Together

PKI Optional (But Recommended)

Finally, when Windows 10 (and Windows 8.x) clients are supported exclusively a Public Key Infrastructure (PKI) is optional. Here instead the Kerberos Proxy is leveraged to perform DirectAccess client authentication, which reduces infrastructure requirements by eliminating the need for a PKI. However, this configuration offers only limited support for DirectAccess features. For example, a PKI is still required if any Windows 7 clients are deployed. Also, PKI is required to support features such as one-time password (OTP) authentication, Microsoft Network Access Protection (NAP) integration, load balancing (integrated or external), force tunneling, and multisite configuration.

DirectAccess and Windows 10 Better Together

For optimum security and maximum deployment flexibility it is recommended that PKI be used to manage certificates for all DirectAccess deployments including those supporting only Windows 8.x and Windows 10 clients.

Summary

DirectAccess and Windows 10 are much better together. Windows 10 provides full support for the geographic load balancing features of DirectAccess and at the same time offers improved scalability and performance. Windows 10 also makes supporting and troubleshooting DirectAccess clients much easier. And for smaller deployments, Windows 10 can lower the barrier to entry for organizations considering DirectAccess by eliminating the need for a full PKI deployment.

Additional Resources

Video: DirectAccess and Windows 10 in Action
DirectAccess and Windows 10 in Education
Implementing DirectAccess with Windows Server 2016 Book
Implementing DirectAccess with Windows Server 2012 R2 Video Training Course
DirectAccess Consulting Services

Configure DirectAccess with OTP Authentication

Updated 6/10/2015: This post was revised to include instructions for enabling OTP support for Windows 7 clients and for configuring OTP on the DirectAccess server using the Remote Access Management console.

Introduction

DirectAccess in Windows Server 2012 R2 provides significantly improved authentication over traditional client-based VPN solutions. When configured to use certificate authentication (a recommended best practice) the DirectAccess client is authenticated using its machine certificate and its Active Directory computer account. Once the client machine has been authenticated, the user is also authenticated via Kerberos against a live domain controller over the existing DirectAccess connection. These multiple authentication steps provide a high level of assurance for DirectAccess-connected clients. If that’s not enough to meet your needs, additional strong user authentication is supported using dynamic One-Time Passwords (OTP).

Drawbacks for DirectAccess with OTP

While OTP provides an additional level of assurance, it does come with a few drawbacks. OTP adds additional complexity and makes troubleshooting more difficult. OTP cannot be configured with force tunneling; the two security features are mutually exclusive. DirectAccess OTP does not support RADIUS challenge-response. For Windows 7 clients, the DirectAccess Connectivity Assistant (DCA) v2.0 must be deployed. In addition, enabling OTP with DirectAccess disables the use of null cipher suites for IP-HTTPS. This can potentially have a negative effect on performance and scalability (more details here). Also, OTP fundamentally breaks the seamless and transparent nature of DirectAccess.

Configuring DirectAccess OTP

OTP for DirectAccess makes use of short-lived certificates for user authentication. Thus, enabling OTP for DirectAccess requires making changes to the internal Public Key Infrastructure (PKI). DirectAccess in Windows Server 2012 R2 can be configured to use the same Certificate Authority (CA) that is used to issue computer certificates to the DirectAccess clients and servers. This differs from DirectAccess with Forefront Unified Access Gateway (UAG) 2010, where a separate, dedicated CA was required.

To configure DirectAccess OTP, follow the instructions below.

OTP Certificate Request Signing Template

Open the Certification Authority management console, right-click Certificate Templates, and then choose Manage. Alternatively you can enter certtmpl.msc in the Start/Run box or search from the Windows Start menu. Right-click the Computer template and choose Duplicate Template. On a Windows Server 2008 or 2008 R2 CA, select Windows Server 2008 Enterprise when prompted for the duplicate certificate template version.

Configure DirectAccess with OTP Authentication

On a Windows Server 2012 or 2012 R2 CA, select Compatibility tab and then select Windows Server 2008 R2 for the Certification Authority and Windows 7/Windows Server 2008 R2 for the Certificate recipient.

Configure DirectAccess with OTP Authentication

Select the General tab and provide a descriptive name for the Template Display Name. Specify a validity period of 2 days and a renewal period of 1 day.

Configure DirectAccess with OTP Authentication

Select the Security tab and click Add. Click Object Types and then select Computers and click Ok. Enter the names of each DirectAccess server separated by semicolons and click Check Names. Click Ok when finished. For each DirectAccess server, grant Read, Enroll, and Autoenroll permissions. Select Authenticated Users and remove any permissions other than Read. Select Domain Computers and remove the Enroll permission. Select Domain Admins and grant Full Control permission. Do the same for Enterprise Admins.

Configure DirectAccess with OTP Authentication

Select the Subject Name tab and choose the option to Build from this Active Directory information. Select DNS name in the Subject name format drop-down list and confirm that DNS name is checked under Include this information in alternate subject name.

Configure DirectAccess with OTP Authentication

Select the Extensions tab, highlight Application Policies and click Edit.

Configure DirectAccess with OTP Authentication

Remove all existing application policies and then click Add and then New. Provide a descriptive name for the new application policy and enter 1.3.6.1.4.1.311.81.1.1 for the Object Identifier. Click Ok for all remaining dialog boxes.

Configure DirectAccess with OTP Authentication

OTP Certificate Template

In the Certificate Templates Console, right-click the Smartcard Logon certificate template and choose Duplicate Template. On a Windows Server 2008 or 2008 R2 CA, select Windows Server 2008 Enterprise when prompted for the duplicate certificate template version.

Configure DirectAccess with OTP Authentication

On a Windows Server 2012 or 2012 R2 CA, select the Compatibility tab and then select Windows Server 2008 R2 for the Certification Authority and Windows 7/Windows Server 2008 R2 for the Certificate recipient.

Configure DirectAccess with OTP Authentication

Select the General tab and provide a descriptive name for the Template Display Name. Specify a validity period of 1 hour and a renewal period of 0 hours.

Configure DirectAccess with OTP Authentication

Note: It is not possible to set the validity period to hours on a Windows Server 2003 Certificate Authority (CA). As a workaround, use the Certificate Templates snap-in on another system running Windows 7/Windows Server 2008 R2 or later. Also, if the CA is running Windows Server 2008 R2, the template must be configured to use a Renewal Period of 1 or 2 hours and a Validity Period that is longer but no more than 4 hours.

Select the Security tab, then highlight Authenticated Users and grant Read and Enroll permissions. Select Domain Admins and grant Full Control permission. Do the same for Enterprise Admins.

Configure DirectAccess with OTP Authentication

Select the Subject Name tab and choose the option to Build from this Active Directory information. Select Fully distinguished name in the Subject name format drop-down list and confirm that User principal name (UPN) is checked under Include this information in alternate subject name.

Configure DirectAccess with OTP Authentication

Select the Server tab and choose the option Do not store certificates and requests in the CA database. Clear the checkbox next to Do not include revocation information issued in certificates.

Configure DirectAccess with OTP Authentication

Select the Issuance Requirements tab and set the value for This number of authorized signatures to 1. Confirm that Application Policy is selected from the Policy type required in signature drop-down list and choose the OTP certificate request signing template created previously.

Configure DirectAccess with OTP Authentication

Select the Extensions tab, highlight Application Policies and click Edit. Highlight Client Authentication and click Remove. Ensure that the only application policy listed is Smart Card Logon.

Configure DirectAccess with OTP Authentication

Certificate Authority Configuration

In the Certificate Authority management console, right-click Certificate Templates, choose New, and then Certificate Template to Issue. Highlight both of the certificate templates created previously and click Ok.

Configure DirectAccess with OTP Authentication

Open an elevated command prompt and enter the following command:

certutil.exe -setreg dbflags +DBFLAGS_ENABLEVOLATILEREQUESTS

Configure DirectAccess with OTP Authentication

Restart the Certificate Authority service by right-clicking the CA in the Certificate Authority management console and choosing All Tasks and then Stop Service. Once complete, repeat these steps and choose Start Service.

DirectAccess Server Configuration

In the Remote Access Management console, select DirectAccess and VPN under Configuration in the navigate pane and then click Edit on Step 2 – Remote Access Server. Select Authentication, choose Two-factor authentication (smart card or one-time password (OTP)), and then check the option to Use OTP.

Configure DirectAccess with OTP Authentication

Click Next and then add the RADIUS servers that will be used for OTP authentication. Provide the hostname, FQDN, or IP address of the server, the shared secret, and specify the service port.

Configure DirectAccess with OTP Authentication

Click Next, select the CA server that will be used to issue certificates to DirectAccess clients for OTP authentication, and then click Add.

Click Next, select the CA server that will be used to issue certificates to DirectAccess clients for OTP authentication, and then click Add.

Note: When performing this step you may receive the following error.

No CA servers can be detected, and OTP cannot be configured. Ensure that
servers added to the list are available on each domain controller in the
corporate network.

Configure DirectAccess with OTP Authentication

If this occurs, close out of the Remote Access Management console and install this hotfix.

Click Next and select the certificate templates to be used for the enrollment of certificates that are issued for OTP authentication. Also select a certificate template used to enroll the certificate used by the DirectAccess server to sign OTP certificate enrollment requests.

Configure DirectAccess with OTP Authentication

Click Next and specify whether selected DirectAccess users can authenticate with a user name and password when OTP authentication is disabled. If some users need to be exempted from using OTP, specify the security group as required and click Finish.

Configure DirectAccess with OTP Authentication

Click Edit on Step 3 – Infrastructure Servers. Select Management and add the CA server used for OTP authentication to the list of management servers.

Configure DirectAccess with OTP Authentication

Click Ok and then Finish. Click Finish once more and then apply the changes.

DirectAccess OTP Client Experience

When a DirectAccess client is outside of the corporate network and has established DirectAccess connectivity, users can log on to their machine and access their desktop, but they will not be able to access corporate resources without first providing their OTP.

For Windows 8 clients, swipe in from the right side of the screen or press Window Key + I and click on the active network connection. The DirectAccess Workplace Connection will indicate that action is needed. Clicking on the Workplace Connection will indicate that credentials are needed. Clicking Continue will prompt the user to press Ctrl+Alt+Delete and provide their OTP.

Configure DirectAccess with OTP Authentication

For Windows 7 clients, an alert from the DirectAccess Connectivity Assistant (DCA) in the system tray will indicate that Windows needs your smart card credentials. Clicking on the notification Window will prompt the user to provide their OTP.

Configure DirectAccess with OTP Authentication

Alternatively the user can click on the DCA icon in the system tray and then click Lock and unlock your computer with a smartcard or a one-time password. The user will then press CTRL+ALT+DELETE, choose Other Credentials, select One-time password (OTP), and then provide their OTP.

Configure DirectAccess with OTP Authentication

Summary

Using dynamic, one-time passwords is an effective way to provide the highest level of assurance for remote DirectAccess clients. It does come with some potential drawbacks, so be sure to consider those before implementing OTP.

DirectAccess Network Location Server Guidance

Introduction

The Network Location Server (NLS) is a critical component in a DirectAccess deployment. The NLS is used by DirectAccess clients to determine if they are inside or outside of the corporate network. If a DirectAccess client can connect to the NLS, it must be inside the corporate network. If it cannot, it must be outside of the corporate network. It is for this reason that the NLS must not be reachable from the public Internet. A client configured for DirectAccess will probe the NLS when it first starts, and on subsequent network interface status changes.

What is the NLS?

The NLS itself is nothing more than a web server with an SSL certificate installed. Beginning with Windows Server 2012, the NLS can be collocated on the DirectAccess server itself. Although there may be scenarios in which this is acceptable, it is generally recommended that NLS be configured on a server dedicated to this role.

NLS Configuration

Any web server can be used, including IIS, Apache, Nginx, Lighttpd, and others. You can also use an Application Delivery Controller (ADC) like the F5 BIG-IP Local Traffic Manager (LTM), as described here. The web server must have a valid SSL certificate installed that includes a subject name that matches the NLS FQDN (e.g. nls.corp.example.com). The DNS record for the NLS must configured using an A host record. A CNAME DNS entry will not work. In addition, the NLS must also respond to ICMP echo requests.

DirectAccess Network Location Server Guidance

DirectAccess Network Location Server Guidance

The certificate can be issued by an internal PKI or a public third-party Certificate Authority (CA). A self-signed certificate can be used if the certificate is distributed to all DirectAccess clients and servers, but this is not advisable. To avoid possible service disruptions, the NLS should be made highly available by deploying at least two NLS in a load balanced configuration.

What Happens if the NLS is Offline?

If the NLS is offline for any reason, remote DirectAccess clients will be unaffected. However, DirectAccess clients on the internal network will mistakenly believe they are outside of the corporate network and attempt to establish a DirectAccess connection. If the DirectAccess server is not accessible from the internal network, the client will be unable to connect to any local network resources by name until the NLS is brought online or other actions are taken.

Collocation Issues

As mentioned previously, it is possible in some scenarios to collocate the NLS on the DirectAccess server. This is probably acceptable for proof-of-concept deployments, but any production deployment should have the NLS configured on a server dedicated to this role. If the NLS is located on the DirectAccess server and the server is offline for any reason, DirectAccess clients on the internal network will be unable to access local resources by name until the DirectAccess server is back online.

Don’t Use Existing Web Application Servers

Occasionally I will encounter a scenario in which an administrator who wants to avoid implementing additional infrastructure will use an existing internal web application server for the NLS, such as a SharePoint server. Although this will work, it quickly becomes an issue when remote DirectAccess clients need to access the server. Since the NLS is not resolvable or reachable externally, connectivity will fail, preventing DirectAccess clients from reaching the internal application.

Summary

The NLS is a vitally important piece of the DirectAccess architecture. DirectAccess clients use the NLS to determine their location, and if the service is unavailable for any reason (planned or unplanned) internal DirectAccess clients will be negatively affected. The NLS isn’t necessarily complicated, as it is nothing more than a web server with an SSL certificate installed. However, don’t overlook the importance of this service, and make sure it is highly available to avoid any potential network connectivity issues.

DirectAccess Computer Certificate Auto-enrollment

DirectAccess requires computer certificates to be installed on the DirectAccess server and DirectAccess clients. These certificates are used for IPsec, which provides a secure, encrypted communication channel between the DirectAccess client and the DirectAccess server. IPsec ensures the necessary integrity, confidentiality, and non-repudiation required for secure remote access. When using a Public Key Infrastructure (PKI) to issue computer certificates to DirectAccess clients, it can be helpful to automate this process by configuring certificate auto-enrollment using Active Directory group policy.

To begin, open the Group Policy Management Console and expand Domains. Next, expand your domain, right-click Group Policy Objects and choose New. Enter a descriptive name for the new GPO and click Ok. Right-click the GPO you just created and choose Edit. Expand Computer Configuration, Windows Settings, Security Settings, and Public Key Policies. Highlight Public Key Policies, and then double-click Certificate Services Client – Auto-Enrollment. For the Configuration Model choose Enabled. It is recommended that you also choose to Renew expired certificates, update pending certificates, and remove revoked certificates and Update certificates that use certificate templates.

DirectAccess Certificate Auto-enrollment

Close out of the Group Policy Editor and then link this computer certificate auto-enrollment GPO to your domain. Target only DirectAccess client and server security groups with this GPO instead of all domain computers by configuring Security Filtering to apply this GPO only to DirectAccess client and server machines.

DirectAccess Certificate Auto-enrollment

Finally, make certain the Enroll and Autoenroll permissions are set to Allow for all DirectAccess client and server security groups.

DirectAccess Certificate Auto-enrollment

 

Overview of New DirectAccess Features in Windows Server 2012

Microsoft recently announced the Release to Manufacturing (RTM) for Windows Server 2012. Windows Server 2012 includes a new Unified Remote Access role that provides many new and exciting features. Along with significant enhancements to DirectAccess, the Routing and Remote Access Service (RRAS) can now be co-located with DirectAccess server to provide legacy remote access VPN client connectivity (PPTP, L2TP/IPsec, and SSTP) as well as site-to-site VPN. Windows Server 2012 can now serve as your consolidated remote access solution and can be managed from a single management console. Here’s an overview of some of the compelling new features found in Windows Server 2012 DirectAccess.

Simplified and Flexible Deployment

Windows Server 2012 DirectAccess includes a new simplified deployment model makes implementing DirectAccess incredibly simple. After adding the Remote Access role, configuring DirectAccess can be done, quite literally, in just three mouse clicks. The new simplified deployment model does have some limitations, so the deployment wizard includes the flexibility to fully customize the implementation according to your specific requirements. Also, DirectAccess in Windows Server 2012 now supports deployment behind an existing edge firewall or border router/NAT device. Previous versions of DirectAccess had a hard requirement to be placed directly on the network edge and have two public IPv4 addresses assigned to it. In addition, Windows Server 2012 DirectAccess now also supports a single network adapter configuration, allowing the remote access gateway to be deployed inside of an existing perimeter network or DMZ. Another significant improvement with DirectAccess in Windows Server 2012 is support for multiple network entry points for DirectAccess clients. This feature is essential for large organizations with a requirement for automatic and transparent redundancy and intelligent client roaming. To simplify deployment and management, PowerShell 3.0 included with Windows Server 2012 can be used to fully automate and manage all aspects of the Unified Remote Access and DirectAccess gateway role. Finally, Windows Server 2012 also supports Offline Domain Join which allows administrators to join computers to the domain without having corporate network connectivity.

Reduced Infrastructure Requirements

A major limitation to DirectAccess in Windows Server 2008 R2 was the requirement for running IPv6 on the internal corporate network. As a workaround, Forefront Unified Access Gateway (UAG) 2010 could be deployed in the DirectAccess gateway role as it included protocol translators (DNS64 and NAT64) which allowed DirectAccess clients to communicate with intranet resources that were running only IPv4. However, deploying Forefront UAG added expense and complexity to the solution. Forefront UAG 2010 is no longer required to support this scenario, as the DNS64 and NAT64 protocol translators are now included in Windows Server 2012 DirectAccess. The new simplified deployment model eliminates the requirement for a Public Key Infrastructure (PKI), although certificates are still required for authentication so self-signed certificates are employed. A PKI is still the recommended and preferred way to implement certificates, and in fact a PKI is a requirement in certain deployment scenarios, such as when forced tunneling is configured, or when strong authentication or Network Access Protection integration is required.

Performance, Scalability and High Availability Improvements

The Microsoft core networking team did a tremendous job addressing the performance and scalability limitations of previous iterations of DirectAccess. A common complaint from those who have deployed earlier versions of DirectAccess was the performance of the IP-HTTPS transition protocol. In a nutshell, a DirectAccess client would fall back to using IP-HTTPS for DirectAccess communication when it was located behind a NAT device that was also preventing outbound UDP 3544. When this occurred, IPsec encrypted tunnels would then be encrypted again with SSL/TLS. This placed heavy demands on both the client and server side of the tunnel and severely reduced performance and limited scalability. In Windows Server 2012 DirectAccess, IP-HTTPS performance is on par with that of Teredo, as IP-HTTPS now uses null encryption for DirectAccess communication, eliminating the redundant and needless double encryption. With the simplified deployment scenario, only a single IPsec tunnel is required for DirectAccess corporate network connectivity. Requiring just one IPsec tunnel for each client reduces the processing load on the DirectAccess gateway significantly in large scale deployments. In terms of reliability, true high availability is now included with DirectAccess in Windows Server 2012 with the inclusion of Network Load Balancing (NLB) support for DirectAccess gateways. NLB provides efficient active/active clustering capabilities that offer more flexible scalability than using failover clustering in previous DirectAccess releases.

Security

DirectAccess in Windows Server 2012 includes additional security options. DirectAccess now natively supports strong authentication using RADIUS One-Time Passwords (OTP), and also supports Virtual Smart Cards hosted on the mobile computer’s Trusted Platform Module (TPM). The Unified Remote Access role can be deployed on Server Core, which substantially improves the overall security of the solution by reducing the attack surface, while at the same time decreasing system downtime by reducing the number of updates required by the operating system. In addition, a new feature of the Windows 8 client prompts the user for network credentials, if necessary, to facilitate remote corporate network connectivity when the DirectAccess client is located behind an authenticating proxy.

As you can see, there are many new and exciting features and capabilities included in the new Unified Remote Access role on Windows Server 2012. Many of these features will greatly simplify the configuration, deployment, and management of remote access and DirectAccess. Also, many of the new capabilities provided with Windows Server 2012 DirectAccess effectively eliminate the need to deploy Forefront Unified Access Gateway (UAG) 2010, making the overall solution less complex and more cost effective. Windows Server 2012 DirectAccess will provide support for Windows 7 Enterprise and Ultimate clients. However, Windows 8 Enterprise clients will be required to take full advantage of many of the new advanced features of Windows Server 2012 DirectAccess.

%d bloggers like this: