3 Important Things You Need to Know about Windows 10 and DirectAccess

DirectAccess and Windows 10 - Better TogetherDirectAccess has been with us for quite some time know, having been originally introduced with Windows Server 2008 R2, later enhanced with Forefront Unified Access Gateway (UAG) 2010, and finally integrated in to the base operating system in Windows Server 2012 R2. Client support for DirectAccess begins with Windows 7 (Enterprise or Ultimate), and also includes Windows 8.x (Enterprise) and Windows 10 (Enterprise or Education).

Although Windows 7 clients are supported for DirectAccess, Windows 10 is highly preferred. Here are three important things you need to know about using Windows 10 with DirectAccess.

  1. Windows 10 Provides Improved Performance and Scalability – Windows 10 includes support for null encryption when using the IP-HTTPS IPv6 transition protocol. This eliminates the needless double-encryption performed by Windows 7 clients, and dramatically reduces the protocol overhead for clients connecting behind port-restricted firewalls. DirectAccess servers can support many more concurrent IP-HTTPS sessions with Windows 10, and it has the added benefit of making the more secure perimeter/DMZ deployment behind an edge security device performing NAT much more attractive.
  2. Windows 10 Supports Geographic Redundancy – Windows 10 includes full support for DirectAccess multisite deployments. Where Windows 7 clients had to be assigned to a single entry point, Windows 10 clients are aware of all entry points in the organization. They are able to automatically select the nearest entry point on startup, and transparently failover to another site if the current site becomes unavailable.
  3. Windows 10 Features an Enhanced Management Experience – From a troubleshooting and support perspective, Windows 10 makes things much easier. The DirectAccess connectivity assistant, an optional component for Windows 7, is now fully integrated with the Windows 10 UI. PowerShell is greatly improved and now includes many native DirectAccess configuration and troubleshooting commands.

As you can see, there are a number of significant advantages for using Windows 10 with DirectAccess. Windows 10 now supports all of the enterprise features of DirectAccess, including geographic redundancy and performance and scalability improvements. Windows 10 is also easier to troubleshoot and manage. If you’re still supporting Windows 7, DirectAccess in Windows Server 2012 R2 can certainly support them. However, without a doubt the best experience, both from an administrator’s and the end user’s perspective, is with Windows 10. Just one more reason to begin planning your migration to Windows 10 with DirectAccess today!

Need assistance with implementing  DirectAccess with Windows 10? I can help! More details here.

Forefront UAG 2010 End of Life Statement

Today, Microsoft announced the end of life for the Forefront UAG 2010 product. Microsoft will continue to provide mainstream support for UAG until April 14, 2015, and extended support until April 14, 2020. Existing customers with active Software Assurance on their existing UAG licenses as of December 1, 2013, may add new UAG server instances, users, and devices without having to purchase additional UAG licenses. In addition, existing customers who have purchased Forefront UAG server licenses will be given upgrade rights to Windows Server 2012 R2, which provides some of the remote access features found in Forefront UAG. For example, Windows Server 2012 R2 supports DirectAccess, client-based VPN, and reverse web proxy with new Web Application Proxy role.

With regard to license upgrade rights, users are entitled to a Windows Server 2012 R2 license for each Forefront UAG server license (or External Connector license) they currently own. Software Assurance for UAG can still be purchased until January 1, 2014. Forefront UAG 2010 will be removed from the pricelist on July 1, 2014. Forefront UAG 2010 will continue to be available from Microsoft OEM hardware partners like Iron Networks for the foreseeable future, however.

Forefront UAG Service Pack 4 Now Available for Download

Good news! Service Pack 4 (SP4) for Forefront Unified Access Gateway (UAG) 2010 is now available for download. This latest service pack for UAG includes updates to support Windows 8.1 client devices using Internet Explorer 11, the native mail app, and Remote Desktop Connection (RDC) 8.1 client. In addition, SP4 for Forefront UAG 2010 also includes support for publishing RemoteApps from a Remote Desktop Session Host running on Windows Server 2012 or 2012 R2. The service pack also includes fixes for various reported issues.

KB2907776 – The UserMgrCom service crashes intermittently in Forefront UAG 2010

KB2909151 – Trunk authentication fails when the global catalog server is unavailable in Forefront UAG 2010

KB2909168 – The W3wp.exe process randomly stops and causes all sessions to disconnect in Forefront UAG 2010

KB2909182 – “The URL contains an invalid path” error occurs when you try to access an Exchange 2013 OWA website

KB2909191 – You cannot connect to corporate IPv4 resources by using DirectAccess after Forefront UAG 2010 Service Pack 3 is installed

KB2909350 – An SSL VPN application that has the Socket Forwarding mode set to Disabled uses 100 percent of the CPU’s time in Forefront UAG 2010

KB2909353 – You have to authenticate again to the ADFS server when the published server is configured for single sign-on in Forefront UAG 2010

KB2909356 – A detailed HTTP 403.14 error message occurs when you go to a specific InternalSite URL in a Forefront UAG 2010 environment

KB2909365 – A memory leak in W3wp.exe occurs when Outlook Anywhere is published through a Forefront UAG 2010 trunk

KB2909367 – Intermittent HTTP 500 error codes when you access a Forefront UAG 2010 portal

KB2909376 – File uploads do not occur to SharePoint Server 2013 or SkyDrive Pro through Forefront UAG 2010

KB2910407 – An internal 500 error occurs if a custom URL logoff page is configured in Forefront UAG 2010

KB2910413 – Multiple 4625 event IDs are logged when a user logs on in Forefront UAG 2010

KB2910467 – Configuration activation fails on some servers in a large array in Forefront UAG 2010

KB2910498 – A handle leak occurs in Lsass.exe in Forefront UAG 2010

KB2910506 – An authentication prompt is received even though a user is successfully authenticated in Forefront UAG 2010

KB2910517 – An incorrect domain password policy may be used if Active Directory integrated authentication is configured in Forefront UAG 2010

You must have Forefront UAG 2010 SP3 hotfix rollup 1 installed prior to installing SP4. You can download SP3 rollup 1 here. You can download Forefront UAG 2010 SP4 here. Once the update is installed the new Forefront UAG 2010 build number will be 4.0.4083.10000.

Forefront UAG 2010 Video Training Course Now Available

I’m happy to announce that my latest Trainsignal video training course is now available! This new video training course is on Forefront Unified Access Gateway (UAG) 2010. It is an introductory course on Forefront UAG designed to teach network engineers and security administrators the basic essentials of planning, preparing, installing, configuring, monitoring, and maintain a Forefront UAG 2010 remote access solution. In the course I demonstrate how to publish popular Microsoft on-premises applications like SharePoint and Exchange Outlook Web App (OWA). In addition I cover publishing Remote Desktop Services and VPN remote access. I also provide a high level explanation of endpoint detection and endpoint policy enforcement and demonstrate how to provide high availability for the solution. Here is the entire course outline:

Lesson 1 – Introduction and Course Outline
Lesson 2 – Forefront UAG 2010 Overview
Lesson 3 – Planning to Deploy Forefront UAG 2010
Lesson 4 – Installing and Configuring Forefront UAG 2010
Lesson 5 – Configuring a Portal
Lesson 6 – Publishing Exchange Outlook Web App
Lesson 7 – Publishing SharePoint
Lesson 8 – Publishing Remote Desktop Services
Lesson 9 – Configuring VPN Remote Access
Lesson 10 – Enabling Endpoint Detection
Lesson 11 – Configuring High Availability
Lesson 12 – Web Monitor Overview
Lesson 13 – Forefront UAG Backups

Once again I had the opportunity to work with my good friend and fellow Microsoft MVP Jordan Krause on this course. As he did in my previous Trainsignal video training course on Windows Server 2012 DirectAccess, Jordan served as the technical reviewer and provided valuable insight that ultimately made the course better. If you’re planning to implement Forefront UAG 2010 to provide secure remote access to both managed and non-managed systems and devices, be sure to sign up for a subscription at Trainsignal.com today! Not only will you have access to this video training course on Forefront UAG 2010, you will gain access to the entire Trainsignal library of content, including my course on Windows Server 2012 DirectAccess, all for just $49.00 per month!

TrainSignal Windows Server 2012 DirectAcess Video Training Course

Forefront UAG 2010 Service Pack 3 Hotfix Rollup 1 Now Available

Hotfix rollup 1 for Forefront Unified Access Gateway (UAG) 2010 Service Pack 3 is now available for download. Hotfix rollup 1 for Forefront UAG SP3 addresses the following issues:

KB2810229 – You cannot redirect local computer resources in remote desktop session after you disable the client endpoint components in Forefront UAG 2010 SP3

KB2831570 The URL you requested cannot be accessed error message may be returned when a client sends an HTTP POST request to a portal in Forefront UAG 2010 SP3

KB2831573 – Traffic is not forwarded or you receive an error message about ADVAPI32.dll when you use a Windows XP client to start an application from a Forefront UAG 2010 SP3 portal

KB2831865 – The endpoint policy expression Any Personal Firewall (Windows) is incorrect for Windows 7 and Windows 8 in Forefront UAG 2010 SP3

KB2831868 – Endpoint policies for existing trunks are not updated after you install service pack 3 for Forefront UAG 2010

KB2832679 – You receive a 500 Internal Server error when you run the File Access application from the Forefront UAG 2010 SP3 portal trunk

KB2832681 – You receive a script error that prevents file access configuration in the Management Console in Forefront UAG 2010 SP3

KB2832685 – The Forefront UAG 2010 portal may intermittently become unresponsive to clients after Service Pack 2 is installed

You can download hotfix rollup 1 for Forefront UAG 2010 SP3 here. After installation the Forefront UAG 2010 build number will be 4.0.3206.10100.

Forefront UAG 2010 DirectAccess Clients and Repeated OTP Prompts

In a very specific DirectAccess deployment scenario it is possible that users may be prompted repeatedly for One-Time Password (OTP) credentials. Specifically this may occur when you have Windows 7 clients accessing a Forefront UAG 2010 DirectAccess server with two-factor authentication enabled with OTP, along with forced tunneling required and the client configured to use a corporate web proxy server. The root cause of the issue has to do with Network Connectivity Status Indicator (NCSI) probes and security permissions on the private key of the certificate used for OTP authentication. To resolve the issue will require creating a custom certificate template for use with two-factor authentication and setting key permissions for the NETWORK SERVICE on the certificate template. You can also workaround this issue by disabling forced tunneling or disabling the 6to4 and Teredo adapters, which will stop the NCSI probes from occurring. For more detailed information read Microsoft KB article 2797301.

Forefront UAG 2010 SP3 Now Available

Service Pack 3 for Microsoft Forefront UAG 2010 is now available for download. SP3 for Forefront UAG 2010 includes several important new features and enhanced functionality, including:

Support for Internet Explorer 10 on Windows 8 – Full support is provided only for Internet Explorer 10 in desktop mode. The modern UI version of Internet Explorer 10 does not provide support for browser add-ons. If a user accesses the Forefront UAG 2010 portal and the trunk is configured to install and launch the UAG client components, the user will receive a message indicating that the site requires add-ons which will require the desktop version of Internet Explorer 10.

Support for the Native Windows 8 Mail App – Windows 8 users can now connect to published Exchange servers using the built-in Windows 8 modern UI mail app

Remote Desktop Connection (RDC) 8.0 client support – Windows 8 users and Windows 7 users who have upgraded to the RDC client v8.0 can now access remote desktop resources published by Forefront UAG 2010 SP3

Exchange Server 2013 – Application publishing wizards in Forefront UAG 2010 SP3 now include native support for Exchange Server 2013

SharePoint Server 2013 – Application publishing wizards in Forefront UAG 2010 SP3 now include native support for SharePoint Server 2013

Support for Office 2013 applications – Publishing Office 2013 applications such as Outlook, PowerPoint, Word, and Excel is now natively supported in Forefront UAG 2010 SP3

You can download SP3 for Forefront UAG 2010 here. After installation the Forefront UAG 2010 build number will be 4.0.3206.10100.

PAL v2.3.3 Now with Forefront UAG 2010 Support

Recently the Performance Analysis of Logs (PAL) tool was updated and now includes a threshold file for Forefront UAG 2010. PAL is an essential utility that can make troubleshooting performance issues or capacity planning dramatically easier. I’ve written about using PAL on Forefront TMG 2010 in the past, and using PAL with Forefront UAG 2010 will be very similar. You can download the latest release of PAL at pal.codeplex.com.

Microsoft DirectAccess Connectivity Assistant 2.0 Now Available

Recently Microsoft announced the availability of the DirectAccess Connectivity Assistant (DCA) v2.0. DCA v2.0 is required to be installed on Windows 7 DirectAccess clients when they are connecting to a DirectAccess Server running Windows Server 2012. It is important to note that DCA v2.0 is not required (and should not be installed) on Windows 8 DirectAccess clients. In addition, DCA v2.0 should not be installed on Windows 7 DirectAccess clients when they are connecting to a Windows Server 2008 R2/Forefront UAG 2010 DirectAccess server. For Windows 7 DirectAccess clients accessing corporate network resources over Windows Server 2008 R2/Forefront UAG 2010, install DCA v1.5. DCA v1.5 can be found on the Forefront UAG server at C:\Program Files\Microsoft Forefront Unified Access Gateway\common\bin\da\dca.

The DCA provides DirectAccess users with connectivity status information, detailed diagnostics and troubleshooting, and is required to support One-Time Password (OTP) authentication. You can download DCA v2.0 here.

Overview of New DirectAccess Features in Windows Server 2012

Microsoft recently announced the Release to Manufacturing (RTM) for Windows Server 2012. Windows Server 2012 includes a new Unified Remote Access role that provides many new and exciting features. Along with significant enhancements to DirectAccess, the Routing and Remote Access Service (RRAS) can now be co-located with DirectAccess server to provide legacy remote access VPN client connectivity (PPTP, L2TP/IPsec, and SSTP) as well as site-to-site VPN. Windows Server 2012 can now serve as your consolidated remote access solution and can be managed from a single management console. Here’s an overview of some of the compelling new features found in Windows Server 2012 DirectAccess.

Simplified and Flexible Deployment

Windows Server 2012 DirectAccess includes a new simplified deployment model makes implementing DirectAccess incredibly simple. After adding the Remote Access role, configuring DirectAccess can be done, quite literally, in just three mouse clicks. The new simplified deployment model does have some limitations, so the deployment wizard includes the flexibility to fully customize the implementation according to your specific requirements. Also, DirectAccess in Windows Server 2012 now supports deployment behind an existing edge firewall or border router/NAT device. Previous versions of DirectAccess had a hard requirement to be placed directly on the network edge and have two public IPv4 addresses assigned to it. In addition, Windows Server 2012 DirectAccess now also supports a single network adapter configuration, allowing the remote access gateway to be deployed inside of an existing perimeter network or DMZ. Another significant improvement with DirectAccess in Windows Server 2012 is support for multiple network entry points for DirectAccess clients. This feature is essential for large organizations with a requirement for automatic and transparent redundancy and intelligent client roaming. To simplify deployment and management, PowerShell 3.0 included with Windows Server 2012 can be used to fully automate and manage all aspects of the Unified Remote Access and DirectAccess gateway role. Finally, Windows Server 2012 also supports Offline Domain Join which allows administrators to join computers to the domain without having corporate network connectivity.

Reduced Infrastructure Requirements

A major limitation to DirectAccess in Windows Server 2008 R2 was the requirement for running IPv6 on the internal corporate network. As a workaround, Forefront Unified Access Gateway (UAG) 2010 could be deployed in the DirectAccess gateway role as it included protocol translators (DNS64 and NAT64) which allowed DirectAccess clients to communicate with intranet resources that were running only IPv4. However, deploying Forefront UAG added expense and complexity to the solution. Forefront UAG 2010 is no longer required to support this scenario, as the DNS64 and NAT64 protocol translators are now included in Windows Server 2012 DirectAccess. The new simplified deployment model eliminates the requirement for a Public Key Infrastructure (PKI), although certificates are still required for authentication so self-signed certificates are employed. A PKI is still the recommended and preferred way to implement certificates, and in fact a PKI is a requirement in certain deployment scenarios, such as when forced tunneling is configured, or when strong authentication or Network Access Protection integration is required.

Performance, Scalability and High Availability Improvements

The Microsoft core networking team did a tremendous job addressing the performance and scalability limitations of previous iterations of DirectAccess. A common complaint from those who have deployed earlier versions of DirectAccess was the performance of the IP-HTTPS transition protocol. In a nutshell, a DirectAccess client would fall back to using IP-HTTPS for DirectAccess communication when it was located behind a NAT device that was also preventing outbound UDP 3544. When this occurred, IPsec encrypted tunnels would then be encrypted again with SSL/TLS. This placed heavy demands on both the client and server side of the tunnel and severely reduced performance and limited scalability. In Windows Server 2012 DirectAccess, IP-HTTPS performance is on par with that of Teredo, as IP-HTTPS now uses null encryption for DirectAccess communication, eliminating the redundant and needless double encryption. With the simplified deployment scenario, only a single IPsec tunnel is required for DirectAccess corporate network connectivity. Requiring just one IPsec tunnel for each client reduces the processing load on the DirectAccess gateway significantly in large scale deployments. In terms of reliability, true high availability is now included with DirectAccess in Windows Server 2012 with the inclusion of Network Load Balancing (NLB) support for DirectAccess gateways. NLB provides efficient active/active clustering capabilities that offer more flexible scalability than using failover clustering in previous DirectAccess releases.

Security

DirectAccess in Windows Server 2012 includes additional security options. DirectAccess now natively supports strong authentication using RADIUS One-Time Passwords (OTP), and also supports Virtual Smart Cards hosted on the mobile computer’s Trusted Platform Module (TPM). The Unified Remote Access role can be deployed on Server Core, which substantially improves the overall security of the solution by reducing the attack surface, while at the same time decreasing system downtime by reducing the number of updates required by the operating system. In addition, a new feature of the Windows 8 client prompts the user for network credentials, if necessary, to facilitate remote corporate network connectivity when the DirectAccess client is located behind an authenticating proxy.

As you can see, there are many new and exciting features and capabilities included in the new Unified Remote Access role on Windows Server 2012. Many of these features will greatly simplify the configuration, deployment, and management of remote access and DirectAccess. Also, many of the new capabilities provided with Windows Server 2012 DirectAccess effectively eliminate the need to deploy Forefront Unified Access Gateway (UAG) 2010, making the overall solution less complex and more cost effective. Windows Server 2012 DirectAccess will provide support for Windows 7 Enterprise and Ultimate clients. However, Windows 8 Enterprise clients will be required to take full advantage of many of the new advanced features of Windows Server 2012 DirectAccess.

%d bloggers like this: