All companies that have a Windows Server server on their intranet also have at least one Active Directory.
Thanks to their Active Directory server, they can manage user accounts, access rights to network resources, manage client computer security, ...
However, by default, the client computer must be in the corporate network (intranet) so that it can receive group (and security) policies, as well as allow the user to login with its Active Directory account.
If you use the client machine outside the corporate network, you will not be able to :
- to use your user account defined in the Active Directory
- you will not have access to the resources available in your company's network
- and your computer will not be protected by group policies defined by the network administrator
To access corporate resources, you could create a VPN server in your organization's network, but group policies and privileges will not be passed through this VPN connection.
To resolve this issue, Microsoft has created a new technology : DirectAccess.
DirectAccess is a technology that enables a client workstation to securely and transparently access corporate resources.
Thanks to DirectAccess, your client workstation will always be in the network of your company.
- if you are in the company, nothing changes.
- if you are outside the company, the client workstation will make a secure connection (a secure VPN tunnel via IPsec) in a totally transparent way, and it will virtually be in the network of your company.
Since you will be virtually in your corporate network, you can connect with your Active Directory account and access your company resources as if you were there.
- Important informations
- Required configuration
- Configuration used
- Installing and configuring the Active Directory
- Joining machines to the Active Directory
- Configuring client-server authentication
- DirectAccess installation
- DirectAccess configuration
- Verify Windows client configuration
- Testing the DirectAccess connection from Windows 8
- Testing the DirectAccess connection from Windows 7
- Testing the DirectAccess connection from Windows 10
Before setting up your DirectAccess server, here is a lot of information that will help you better understand how DirectAccess works and how to set up DirectAccess in the best possible conditions.
To allow your DirectAccess clients to know whether they are inside or outside the corporate network, they will connect to a Network Location Server (NLS).
In summary, this NLS server is simply a web server accessible in the corporate network. Nevertheless, it's very important that this one can always be accessible in the local network, otherwise, customers will think that they are on the Internet. This will automatically and cause unnecessarily DirectAccess connections in your corporate's network, whereas these DirectAccess connections were not required for the PCs in the corporate's network.
In short, the NLS server must always be highly available.
DirectAccess can be deployed on a server with one or two network cards.
First, DirectAccess only works with IPv6.
If your routers, switches, operating systems and applications are compatible with IPv6, the native IPv6 will be used.
Otherwise, IPv4 to IPv6 transition technologies will be used : IP-HTTPS, Teredo tunneling, 6to4, ...
You should also be aware that the DirectAccess server is able to use ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) to transfer IPv6 packets in IPv4 headers. This allows you to take advantage of the IPv4 routing offered by your router (for example) to move IPv6 packets on your network.
Since the connection between the clients and the DirectAccess server is made over the Internet, it's very important to secure this connection.
This prevents the interception of data (including passwords) and the modification of data transferred via the Internet.
To secure this connection, DirectAccess clients establish 2 IPSec tunnels :
- an infrastructure tunnel to securely access the various network services and obtain the necessary information : connection to the Active Directory domain, authentication, receive group policy objects, etc.
This tunnel is created before the user logs in and is made through computer certificates and NTLMv2 authentication that authenticates a computer through its computer account in the Active Directory.
- an intranet tunnel allowing secure access to company resources (web servers, network shares, ...). This tunnel is established after the user logs on and authentication is performed with a combination of methods : authentication through the computer certificate and Kerberos authentication based on the user account.
Digital certificates are used at 3 locations when using DirectAccess technology.
- DirectAccess clients : each DirectAccess client must have a computer certificate to be able to establish an IPsec connection with the DirectAccess server.
To generate these certificates, it's best to use a certification authority under Windows Server and the group policy to create them automatically. (As you will see in step 6. Configuring client-server authentication in this tutorial.)
- the IP-HTTPS protocol used by the DirectAccess server : IP-HTTPS is a transition mechanism from IPv4 to IPv6 and allows you to create an IPv6 tunnel through the IPv4 Internet.
IP-HTTPS requires a web server certificate and the DirectAccess client must be able to contact the issuing CA server to verify that the certificate has not been revoked in the meantime (via CRLs).
It's therefore recommended that you use a certificate issued by a commercial CA to enable the client to verify the CRLs from the issuing certificate authority of the certificate used for IP-HTTPS.
- the DirectAccess server : in addition to the certificate used for IP-HTTPS, the DirectAccess server will also need a computer certificate to establish the IPsec connection with DirectAccess clients.
To access your organization's network resources, DirectAccess clients will use the NRPT (Name Resolution Policy Table).
This table allows DirectAccess clients to know the addresses of the DNS servers to be used according to their position :
- if the client is within the company's network, the NRPT table will not be used.
- if the client is outside (on the Internet) then the DirectAccess client will activate the NRPT table and use the DNS servers specified in this NRPT table to resolve the domain names specified in the NRPT table.
By default, this will also allow clients to resolve local domain names in your company's network, even though the DirectAccess client is actually outside of your network.
When the NRPT table is enabled on the DirectAccess client, the client will resolve :
- domains specified in the NRPT table using the DNS servers specified in it. This allows, for example, to resolve local domains using the local DNS server of your company's network.
- other domains through the DNS servers specified in the settings of its network adapter (NIC).
Note : by default, the DirectAccess server address is also included in the NRPT table, but it's included as an exception. This means that no DNS servers will be required to resolve its domain name (FQDN) and that the DirectAccess client will never be able to resolve the FQDN name of the DirectAccess server from the Internet.
Since the IPsec infrastructure tunnel established by the DirectAccess client is a bidirectional tunnel, DirectAccess will also allow you to access DirectAccess clients from machines that are physically present in your organization's network.
It also allows you to manage DirectAccess clients using System Center Configuration Manager (SCCM).
Nevertheless, this requires some additional configurations and in particular :
- the adaptation of some rules in firewalls
- the deployment of IPv6 (preferably native) in the network of your company.
Note: This feature is not covered by our tutorial.
DirectAccess requires an IPv6 connectivity.
DirectAccess is supported (as a server and as a client) by Windows Server 2008 R2, 2012, and 2012 R2.
DirectAccess is also supported on client versions of Windows :
- Windows 7 Enterprise or Ultimate
- Windows 8 Enterprise
- Windows 10 Enterprise or Enterprise 2015 Long term maintenance branch (LTSB)
In addition, for a client to be able to access the corporate network via DirectAccess, he must be linked to the Active Directory.
Important : Windows 10 Professional is not supported by DirectAccess despite some rumors found on the Internet.
Because DirectAccess allows you to access the corporate network from outside, you will need a real domain name that will point to your company's external IP address.
- 10.0.0.101 : a Windows Server 2012 server with roles : Active Directory et Certification Authority (CA)
- 10.0.0.102 : a Windows Server 2012 server where the technology will be installed : DirectAccess
- 10.0.0.x : 3 Windows clients to test their compatibility with DirectAccess : Windows 7 Ultimate, Windows 8 Enterprise and Windows 10 Enterprise