Now that all prerequisites have been set up, we will finally get to the heart of the matter by installing the "DirectAccess" technology on our 2nd server.
DirectAccess technology is in the "Remote Access" role.
Windows Server introduces you to the DirectAccess feature.
Check the "DirectAccess and VPN (RAS)" box.
Because the DirectAccess server can be accessed over an IP-HTTPS connection, the IIS role will be required for the installation of DirectAccess.
When the installation is complete, click on "Close" or on the "Open the Getting Started Wizard" link to start directly the getting started wizard.
If you did not click the "Open the Getting Started Wizard" link, open the Windows Server 2012 home screen and click on "Remote Access".
The "Remote Access" program starts.
Click the "Run the Getting Started Wizard" link.
The "Configure Remote Access" window appears.
Click "Deploy DirectAccess only".
The wizard tests the configuration of your server.
In our case, our server has only one network card.
Click "Finish" to complete the basic configuration of DirectAccess.
The wizard deploys the remote access server behind NAT (a router).
And performs some configurations.
Among all settings made, it's possible that you receive a warning about the NRPT table : The NRPT entry for the DNS Suffix ... contains the public name used by client Computers to connect to the Remote Access Server. Add the name ... as an exemtion in the NRPT
Note : we will fix this detail a little later.
In the "Step 1 : Remote Clients" section, click Edit.
Note : if you are running Windows Server 2012, you must go to "Configuration -> DirectAccess and VPN" to get to this step.
Choose the "Deploy full DirectAccess for client access and remote administration management" option.
Then, remove the "Domain Computers" group present by default in the list.
Uncheck the "Enable DirectAccess for mobile computers only" box to also allow fixed PCs to connect from outside via DirectAccess.
Then, click "Add".
Specify the name of the previously created group in the Active Directory.
In our case : DAclients.
To connect to the DirectAccess server, client PCs will use a Windows service named "Network Connectivity Assistant" (as explained below).
By default, the DirectAccess connection will appear on the client PCs under this name : Workspace Connection.
In the "Step 2 : Remote Access Server" section, click Edit.
As you can see, the wizard shows you again the options for the network topology and the public name to use to connect to the DirectAccess server.
However, the network topology is no longer editable.
The wizard allows you to choose the network card and the SSL certificate to use for IP-HTTPS connections.
For client authentication, select "User authentication : Active Directory credentials (username/password)".
Then, check the "Use computer certificates" box and click on the "Browse" button.
Select the certificate of your Certificate Authority (CA).
Finally, to also support Windows 7 clients, check the "Enable Windows 7 client computers to connect via DirectAccess" box.
Note : although the option for NAP is available on Windows Server 2012 and 2012 R2, please note that this option will no longer be available on Windows Server 2016.
Click "Finish" to apply the new configuration.
The wizard displays a summary of the configuration.
Our remote access server is configured.
At the beginning of the DirectAccess configuration, the Getting Started wizard displayed a warning about a NRPT entry.
To fix this, go to the "Step 3 : Infrastructure Servers" section and click on Edit.
To correct this warning, we were asked to add an exemption for the name of our DirectAccess server.
This was done automatically by the assistant.
Indeed, if you read the text mentioned above the list, name suffixes for which no DNS server is specified are treated as exemptions.
You can then click Cancel to exit this wizard.
Finally, restart the server where DirectAccess was installed.
Start the "Remote Access Management" program again and wait for 1 minute.
Then, click on "Refresh" in the "Tasks" menu on the right.
Normally, all services should be running.
As you can see, DirectAccess offers different components :
For those who would like to know what are 6to4 and Teredo tunneling, here is a quick description :
Because clients will access the DirectAccess server through an IP-HTTPS connection, they will connect to port 443 (HTTPS).
If your DirectAccess server is behind a router (which is our case), you will need to redirect port 443 TCP to your DirectAccess server.
Note that the installation of the DirectAccess server will also have created 2 new elements for group policy management.
With these, you can also add policies that will be applied only to clients or the DirectAccess server.
Windows Server 10/15/2017
Windows Server 10/3/2017
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.
Total or partial reproduction of this site is prohibited and constitutes an infringement punishable by articles L.335-2 and following of the intellectual property Code.