Planning and Implementing DirectAccess with Windows Server 2016 Video Training Course on Pluralsight

I’m excited to announce my latest video training course, Planning and Implementing DirectAccess with Windows Server 2016, is now available on Pluralsight! In this course, I’ll provide a high-level overview of DirectAccess, compare it with VPN, and outline supporting infrastructure requirements. In addition, you’ll learn how to choose the best network topology for a DirectAccess deployment, how to prepare Active Directory and Public Key Infrastructure (PKI) for DirectAccess, and how to install and configure DirectAccess in Windows Server 2016 using the latest implementation and security best practices. You’ll also learn how to provision Windows 10 clients and understand the unique requirements for supporting Windows 7.

The course includes the following training modules:

Overview of DirectAccess
Planning for DirectAccess
Configuring DirectAccess with the Getting Started Wizard
Configuring DirectAccess with the Remote Access Setup Wizard
Provisioning DirectAccess Clients
Supporting Windows 7 Clients

Throughout the course, I share valuable knowledge and insight gained from more than 5 years of experience deploying DirectAccess for some of the largest organizations in the world. Pluralsight offers a free trial subscription if you don’t already have one, so watch my DirectAccess video training course today!

Additional Resources

Planning and Implementing DirectAccess with Windows Server 2016 on Pluralsight
Implementing DirectAccess with Windows Server 2016

DirectAccess Troubleshooting and Configuration Training at TechMentor Redmond 2017

I’m really excited to announce that I have once again been invited to speak at the upcoming TechMentor event in Redmond, WA, August 7-11, 2017! This year I’ll be presenting two important deep-dive training sessions on DirectAccess. The first is a three-hour course on implementing DirectAccess using Windows Server 2016. This session will cover infrastructure prerequisites as well as tips, tricks, and best practices for implementing DirectAccess using Windows Server 2016. In addition, I will be delivering a three-hour deep dive on DirectAccess troubleshooting. In this session, I’ll share valuable insight, tools, and techniques for quickly identifying and resolving many common DirectAccess connectivity and performance issues. I will also be giving a short talk on getting started with Azure site-to-site networking. If you want to take advantage of the power and flexibility that the Azure public cloud has to offer, extending your on-premises datacenter using site-to-site VPN is essential.

Register today using code TMSPK05 and save!

M01: Implementing DirectAccess with Windows Server 2016
T03: DirectAccess Troubleshooting Deep Dive
T07: Getting Started with Azure Site-to-Site Networking


DirectAccess Training at TechMentor Conference Orlando 2016

I am pleased to announce that I’ll be participating in the upcoming TechMentor conference in Orlando, FL in December. The TechMentor conference is part of the larger Live!360 event and offers a compelling agenda of training for IT professionals. I’ll be delivering the following sessions that are focused on providing secure remote access using Windows Server 2016.

TMT01 – Implementing DirectAccess in Windows Server 2016
TMT04 – DirectAccess Troubleshooting Deep Dive
TMT11 – Client-based VPN in Azure with Windows Server 2016

Don’t miss out on this outstanding conference. Register today and save $500.00!

Implementing DirectAccess with Windows Server 2016 Book Now Available

I am very excited to announce that my new DirectAccess book, Implementing DirectAccess with Windows Server 2016 from Apress media, is now shipping! The book is available on popular online sites like Amazon.com, Barnes & Noble, Springer.com, Apress.com, and others. The book is also available in electronic formats such as Amazon Kindle and Barnes & Noble Nook, as well as a variety of subscription formats including Safari, Books24x7, and SpringerLink.

Implementing DirectAccess with Windows Server 2016

This book contains detailed and prescriptive guidance for the planning, design, implementation, and support of a DirectAccess remote access solution on Windows Server 2016. It also includes valuable insight, tips, tricks, and best practice recommendations gained from my many years of deploying DirectAccess for some of the largest organizations in the world.

Current DirectAccess administrators will also find this book helpful, as the majority of content is still applicable to DirectAccess in Windows Server 2012 and Windows Server 2012 R2. In addition, the book also includes essential information on the design and deployment of highly available and geographically redundant DirectAccess deployments.

Troubleshooting DirectAccess can be a daunting task, so I’ve dedicated an entire chapter in the book to this topic. For those responsible for the maintenance and support of DirectAccess in their organization, this chapter alone will be worth the investment.

Be sure to order your copy today!

DirectAccess in Windows Server 2016 at Microsoft Ignite 2016

I’m pleased to announce that I will be delivering a community theater session at this year’s Microsoft Ignite conference in Atlanta, GA. The session, THR2136 in the session catalog, is scheduled for Thursday, September 29 at 12:40PM. This is a level 200 talk where I’ll be providing a high-level overview of all remote access technologies in Windows Server 2016, including DirectAccess, client-based VPN, and Web Application Proxy (WAP). I’ll be focusing on what’s new in each of these technologies and demonstrating how each solution applies in different use cases.


In addition to the session, I’ll be spending time with the folks from PointSharp and Pluralsight in their respective booths too, answering questions and providing demonstrations. I hope to have copies of my new DirectAccess book to sign as well. Be sure to follow me on Twitter for up-to-date details. Hope to see you at the conference!

DirectAccess Load Balancing Tips and Tricks Webinar

Enabling load balancing for DirectAccess deployments is crucial for eliminating single points of failure and ensuring the highest levels of availability for the remote access solution. In addition, enabling load balancing allows DirectAccess administrators to quickly and efficiently add capacity in the event more processing power is required.

DirectAccess includes support for load balancing using integrated Windows Network Load Balancing (NLB) and external load balancers (physical or virtual). External load balancers are the recommended choice as they provide superior throughput, more granular traffic distribution, and greater visibility. External load balancers are also more scalable, with support for much larger DirectAccess server clusters, up to 32 nodes. NLB is formally limited to 8 nodes, but because it operates at layer 2 in the OSI model and relies on broadcast heartbeat messages, it is effectively limited to 4 nodes.

The KEMP Technologies LoadMaster load balancer is an excellent choice for load balancing the DirectAccess workload. To learn more about configuring the LoadMaster with DirectAccess, join me for a free live webinar on Tuesday, August 16 at 10:00AM PDT where I’ll discuss DirectAccess load balancing in detail. I will also be sharing valuable tips, tricks, and best practices for load balancing DirectAccess.


Don’t miss out. Register today!

Additional Resources

DirectAccess Load Balancing Overview

Load Balancing DirectAccess with the KEMP Loadmaster Load Balancer

Maximize your investment in Windows 10 with DirectAccess and the KEMP LoadMaster Load Balancer

KEMP LoadMaster DirectAccess Deployment Guide

DirectAccess and Windows 10 in Education

Introduction

DirectAccess provides seamless and transparent, always on remote network connectivity for managed Windows clients. It is commonly installed in large enterprises to provide better management for field-based assets, and to streamline the remote access experience for end users. Today, DirectAccess is a mature technology that is widely deployed across many verticals, but education is one that is often overlooked.

Benefits of DirectAccess

For commercial enterprises, the benefits of DirectAccess are many. Windows 10 DirectAccess clients have ubiquitous access to on-premises applications and data without requiring user interaction. This streamlined user access improves productivity and reduces helpdesk costs. DirectAccess is always on, allowing client machines to stay in contact with domain controllers and systems management servers, ensuring they are always managed.

DirectAccess in Education

Many of the same benefits DirectAccess provides for the enterprise are also important in the education sector. Often administrators for schools and colleges have many Windows-based machines that they must both manage and provide secure remote access for. In addition, they struggle with the same issues that enterprises do, such as maintaining configuration and security posture for devices that are predominantly remote.

Windows 10 and Education

The Windows 10 Education SKU is a supported client operating system for DirectAccess, enabling educational institutions using this license to implement a remote access solution with DirectAccess using Windows Server 2012 R2 or Windows Server 2016. Implementing a DirectAccess remote access solution can result in significant cost savings, as DirectAccess requires no investments in proprietary hardware and has no associated per-user licensing.

Windows 10 Anniversary Update

Microsoft is making a concerted effort to address the education sector with new and compelling features to be included in the Windows 10 Anniversary Update, released earlier this week. For example, they have introduced apps that simplify the setup of school PCs. App discovery and purchasing are easier, and stylus support is improved. Native integration with Office 365 is another important factor. There are also a number of significant new security features that will make migrating to Windows 10 a worthy investment.


Summary

If you are an administrator working for any educational institution and are struggling with maintaining and supporting your field-based Windows devices, consider a DirectAccess remote access solution today. With DirectAccess implemented, users will be more productive and remote machines better managed. DirectAccess can also be deployed using existing infrastructure, and it supports flexible network deployment along with many scalability features that will ensure the highest levels of availability.

Additional Resources

Video: DirectAccess and Windows 10 in Action
3 Important Things about Windows 10 and DirectAccess
DirectAccess and Windows 10 Better Together
DirectAccess Consulting Services
Book: Implementing DirectAccess with Windows Server 2016

DirectAccess IP-HTTPS Preauthentication


Introduction

Recently I’ve written about the security challenges with DirectAccess, specifically around the use of the IP-HTTPS IPv6 transition technology. In its default configuration, the DirectAccess server does not authenticate the client when an IP-HTTPS transition tunnel is established. This opens up the possibility of an unauthorized user launching Denial-of-Service (DoS) attacks and potentially performing network reconnaissance using ICMPv6. More details on this can be found here.

Mitigation

The best way to mitigate these security risks is to implement an Application Delivery Controller (ADC) such as the F5 BIG-IP Local Traffic Manager or the Citrix NetScaler. I’ve documented how to configure those platforms here and here.

No ADC?

For those organizations that do not have a capable ADC deployed, it is possible to configure the IP-HTTPS listener on the Windows Server 2012 R2 server itself to perform preauthentication.

Important Note: Making the following changes on the DirectAccess server is not formally supported. Also, this change is incompatible with one-time passwords (OTP) and should not be performed if strong user authentication is enabled. In addition, null cipher suites will be disabled, resulting in reduced scalability and degraded performance for Windows 8.x and Windows 10 clients. Make this change only if a suitable ADC is not available.

Configure IP-HTTPS Preauthentication

To configure the DirectAccess server to perform preauthentication for IP-HTTPS connections, open an elevated PowerShell command window and enter the following command.

ls Cert:\LocalMachine\My


Copy the thumbprint that belongs to the SSL certificate assigned to the IP-HTTPS listener. Open an elevated command prompt window (not a PowerShell window!) and enter the following commands.

netsh http delete sslcert ipport=0.0.0.0:443
netsh http add sslcert ipport=0.0.0.0:443 certhash=[thumbprint] appid={5d8e2743-ef20-4d38-8751-7e400f200e65} dsmapperusage=enable clientcertnegotiation=enable


For load-balanced clusters and multisite deployments, repeat these steps on each DirectAccess server in the cluster and/or enterprise.
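After making the change, it is worth reading the binding back from HTTP.SYS rather than trusting that the netsh command took effect. The following PowerShell is an added verification script (not from the original post); it parses the output of netsh http show sslcert, confirms that client certificate negotiation and DS mapper usage are both enabled, and checks that the bound thumbprint corresponds to a valid certificate with a private key in Cert:\LocalMachine\My. It assumes the default IP-HTTPS listener on 0.0.0.0:443 and an elevated PowerShell window on the DirectAccess server.

```powershell
# Added verification script for the IP-HTTPS preauthentication change (not part
# of the original post). Assumes the default listener binding 0.0.0.0:443.

function Get-SslCertBinding {
    param([string]$IpPort = '0.0.0.0:443')

    # netsh prints "Label : Value" lines; collect them into a hashtable.
    # Header lines and error text have no value after a colon and are skipped.
    $raw = & netsh.exe http show sslcert ipport=$IpPort 2>&1
    $binding = @{}
    foreach ($line in $raw) {
        if ("$line" -match '^\s*(.+?)\s*:\s*(.+?)\s*$') {
            $binding[$matches[1]] = $matches[2]
        }
    }
    return $binding
}

function Test-IpHttpsPreauth {
    param([string]$IpPort = '0.0.0.0:443')

    $b = Get-SslCertBinding -IpPort $IpPort
    if ($b.Count -eq 0) {
        Write-Warning "No SSL certificate binding found for $IpPort."
        return $false
    }

    # The hash bound in HTTP.SYS must match a certificate in the local machine
    # personal store (the store listed earlier with ls Cert:\LocalMachine\My).
    # -eq is case-insensitive, so netsh's lowercase hash matches the store's
    # uppercase thumbprint.
    $hash = $b['Certificate Hash']
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $hash } |
        Select-Object -First 1

    $checks = [ordered]@{
        'Bound certificate present in Cert:\LocalMachine\My' = ($null -ne $cert)
        'Bound certificate has a private key'                = ($null -ne $cert -and $cert.HasPrivateKey)
        'Bound certificate not expired'                      = ($null -ne $cert -and $cert.NotAfter -gt (Get-Date))
        'Client certificate negotiation enabled'             = ($b['Negotiate Client Certificate'] -eq 'Enabled')
        'DS mapper usage (AD account mapping) enabled'       = ($b['DS Mapper Usage'] -eq 'Enabled')
    }

    $ok = $true
    foreach ($name in $checks.Keys) {
        $passed = [bool]$checks[$name]
        if (-not $passed) { $ok = $false }
        Write-Host ('[{0}] {1}' -f $(if ($passed) { 'PASS' } else { 'FAIL' }), $name)
    }
    return $ok
}

if (Test-IpHttpsPreauth) {
    Write-Host 'IP-HTTPS preauthentication is configured on this server.'
} else {
    Write-Host 'IP-HTTPS preauthentication is NOT fully configured on this server.'
}
```

Run it on every server in a load-balanced cluster or multisite deployment, since the binding is per server.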

Summary

Once these changes have been made, only DirectAccess clients that have a computer certificate with a subject name that matches the name of its computer account in Active Directory will be allowed to establish an IP-HTTPS transition tunnel connection.

DirectAccess vs. VPN

Introduction

Many IT professionals mistakenly believe that DirectAccess is just another VPN solution. While there are some similarities between these technologies, both in terms of the underlying technology and function, there are some significant differences between the two. If you’re comparing DirectAccess to VPN, here are some essential points to consider.

VPN

Virtual Private Networking (VPN) has been around for ages. VPN is a mature, well understood technology that has been widely deployed, and today remains the de facto standard for providing secure remote access. VPN has broad client support, on both traditional computing platforms and mobile operating systems. VPNs today include support for modern protocols and integrate with numerous multifactor authentication platforms.

VPN Challenges

There are some serious drawbacks to implementing traditional client-based VPN. VPN connections are user initiated and therefore optional. It is up to the user to decide if and when they connect to the corporate network. Many VPNs require additional software to work, which must be deployed and maintained. Establishing connections is potentially problematic too, as some VPN protocols aren’t firewall friendly and don’t work in many locations.

From a security perspective, because anyone can attempt a connection to the VPN from any client, strong authentication becomes an essential requirement. Integrating multifactor authentication makes the implementation more complex and difficult to support. It often requires additional hardware, licensing, and support costs.

VPNs can be costly to implement and support. They typically require expensive proprietary hardware and dedicated management skill sets. Many VPN solutions also have additional licensing costs associated with them. Scaling a VPN solution requires additional investments in hardware devices, adding to the overall cost of the solution.

DirectAccess

DirectAccess is a relative newcomer to the world of secure remote access. First introduced with Windows Server 2008 R2, DirectAccess differs fundamentally from VPN by virtue of its seamless and transparent, always-on connection. DirectAccess connections are established by the machine, not the user. They are secure and authenticated, and are established automatically whenever the DirectAccess client has an active Internet connection. DirectAccess connections are also bidirectional, which is an important distinction. The ability to “manage out” to remote connected DirectAccess clients enables compelling new use cases for IT administrators.

Addressing VPN Pain Points with DirectAccess

DirectAccess connections are inherently more secure than VPN. Unlike VPN, DirectAccess clients must be joined to the domain and, in most configurations, they must also have a certificate issued by the organization’s private, internal Public Key Infrastructure (PKI). This essentially serves as a type of multifactor authentication for the connecting device, resulting in a much higher level of assurance for remote connections. DirectAccess can also support integration with many existing multifactor authentication providers to provide strong authentication for the user, if desired.

DirectAccess is very firewall friendly and works anywhere the user has an active Internet connection. It requires no additional software to be installed, and the seamless and transparent nature of DirectAccess makes it much easier to use than VPN. All of this improves end user productivity and reduces associated management overhead for the solution.

DirectAccess is a more cost-effective alternative to VPN. DirectAccess can be deployed on existing infrastructure (physical or virtual) and does not require proprietary hardware. This makes it much easier and far less expensive to add additional capacity, if required. DirectAccess can also be managed using existing systems management tools and Windows administration skills and does not have any per-user licensing requirements, which results in additional cost savings over VPN.

DirectAccess Limitations and Drawbacks

DirectAccess is not a comprehensive remote access solution. It is designed for managed (domain-joined) Windows clients only. In addition, DirectAccess clients must be provisioned with the Enterprise edition SKU. Also, there are a few cases in which applications may not be compatible with DirectAccess. In addition, there is no support for DirectAccess on non-managed Windows machines, non-Enterprise SKUs, or any devices using non-Windows operating systems, so a VPN might still be required.


DirectAccess or VPN?

You might be asking yourself, “DirectAccess or VPN?” Why not both? After all, DirectAccess and VPN aren’t mutually exclusive. They are, in fact, quite complementary. DirectAccess can be used to provide secure remote access and enhanced management for Windows laptops managed by IT, while VPN can be deployed for non-managed devices. While you may not be able to entirely eliminate VPN with DirectAccess, it will certainly allow you to decrease the number of existing VPN licenses and reduce your investment in proprietary hardware, management tools, and dedicated administrators, all of which translates into reduced capital investment and operational costs.

Summary

DirectAccess is not simply another VPN solution. While it does provide secure remote corporate network connectivity, it does so more securely and more cost effectively than traditional VPN does. DirectAccess is unrivaled in its security and ease of use, dramatically improving end user productivity and reducing associated infrastructure and support costs. DirectAccess can be deployed on current physical and virtual infrastructure, and can be managed using existing Windows systems management tools and skill sets.

If you’d like to learn more about how DirectAccess can benefit your organization, or you would like some assistance with a DirectAccess proof of concept implementation, consider a DirectAccess consulting engagement today. I’m here to help plan, design, implement, and support DirectAccess and ensure the best chance of success for your deployment.

Additional Information

Have a question about DirectAccess? Fill out the form below and I’ll get in touch with you.

DirectAccess SQL Server High CPU Usage

UPDATE – March 14, 2016: Microsoft has published official guidance for implementing the changes outlined in this article using PowerShell. Details here.

Introduction

RADIUS and Inbox accounting are the two supported logging options for DirectAccess in Windows Server 2012 R2. When Inbox accounting is selected, a Windows Internal Database (WID) is provisioned. Part of the base operating system, WID is functionally similar to SQL Server Express.

SQL Server Utilization Issues

Over the last few months I’ve had a few customers reach out to me with a peculiar performance issue. For customers with very busy DirectAccess servers, where those servers have also been configured to use Inbox accounting, they’ve reported observing unusually high CPU utilization on the sqlservr.exe process.

Image courtesy Thomas Vuylsteke. Used with permission. – setspn.blogspot.com

As luck would have it, Thomas Vuylsteke, a Microsoft Platforms Premiere Field Engineer (PFE), had already identified the issue and a workaround. Thomas traced the source of high CPU utilization on the sqlservr.exe process to a missing index on a session state table in the DirectAccess accounting database. If you are interested in learning how he performed the troubleshooting to identify and resolve this problem, you can read his entire blog post here.

Resolution

To resolve this issue, create an index on the Session Table in the DirectAccess database. Changes to WID must be made locally, as it is not remotely manageable. WID does not include a management interface, which means the SQL Server management tools would normally have to be installed. However, I’m not a fan of installing any extraneous software on the DirectAccess server, so thankfully one of the readers of Thomas’ excellent article on this subject, Fredrik Elmqvist, provided a very helpful alternative. Fredrik suggested using the HeidiSQL tool, for which a fully portable version exists. This allows changes to be made to the WID database without having to install any additional software.

Changes to WID

Begin by downloading the portable version of HeidiSQL here. Next, log on to the DirectAccess server as the local administrator. It is crucial that you log on as the local administrator account itself, not as a local or domain user that merely holds local administrator privileges. Extract the files from the download and copy them to the DirectAccess server, then follow these steps:

  1. Double-click heidisql.exe to launch the management tool.
  2. Click on New and then for the Network Type select Microsoft SQL Server (named pipe).
  3. For the Hostname / IP: enter \\.\pipe\MICROSOFT##WID\tsql\query.
  4. Select the option to Use Windows Authentication.
  5. Click Open to continue.
  6. Click the Query tab in the center console window and enter the following commands:
    Use RaAcctDb
    Create NonClustered Index IdxSessionTblSessionState on SessionTable (SessionState,ConnectionID)
  7. Click the Run icon in the tool bar or press F9. This will execute the code and create the missing index on the Session Table in the DirectAccess database.
  8. Confirm the index was created by clearing the previous query or creating a new query and then entering the following commands:
    select * from sys.indexes
    where name like 'idx%'
    order by name asc
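The same change can be scripted so that it is safe to re-run on every server in a load-balanced array or multisite deployment. The following PowerShell is an added example (not from the original post and not Microsoft’s published script): it connects to WID over the same local named pipe the HeidiSQL steps use, via System.Data.SqlClient, creates the index only if it is missing, and reports what it did. It assumes the default WID pipe name and the RaAcctDb database and SessionTable columns named above, and must be run locally in an elevated PowerShell window as the local administrator.

```powershell
# Added example script for the WID index change (not part of the original post).
# Assumes the default WID named pipe and the RaAcctDb database from the post.
Add-Type -AssemblyName System.Data

$WidPipe   = '\\.\pipe\MICROSOFT##WID\tsql\query'
$Database  = 'RaAcctDb'
$IndexName = 'IdxSessionTblSessionState'

function Invoke-WidScalar {
    param([System.Data.SqlClient.SqlConnection]$Connection, [string]$Sql)
    $cmd = $Connection.CreateCommand()
    $cmd.CommandText = $Sql
    return $cmd.ExecuteScalar()
}

function Ensure-SessionTableIndex {
    param([string]$Pipe, [string]$Db, [string]$Index)

    # np: forces the SqlClient named pipe provider; WID only listens locally.
    $connString = "Data Source=np:$Pipe;Initial Catalog=$Db;Integrated Security=True"
    $conn = New-Object System.Data.SqlClient.SqlConnection $connString
    try {
        $conn.Open()

        # sys.indexes is the same catalog view the post queries to confirm the index.
        $exists = Invoke-WidScalar $conn @"
SELECT COUNT(*) FROM sys.indexes
WHERE name = '$Index' AND object_id = OBJECT_ID('SessionTable')
"@
        if ([int]$exists -gt 0) {
            Write-Host "Index $Index already exists on SessionTable; nothing to do."
            return 'exists'
        }

        # Same definition as the post: nonclustered on (SessionState, ConnectionID).
        $null = Invoke-WidScalar $conn @"
CREATE NONCLUSTERED INDEX [$Index] ON SessionTable (SessionState, ConnectionID)
"@
        Write-Host "Created index $Index on SessionTable."
        return 'created'
    }
    finally {
        $conn.Dispose()
    }
}

Ensure-SessionTableIndex -Pipe $WidPipe -Db $Database -Index $IndexName
```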

Summary
Once the change has been made, sqlservr.exe CPU utilization should return to normal. If you have multiple DirectAccess servers configured in a load-balanced array or in a multisite configuration, be sure to repeat these steps on each DirectAccess server in the organization.
