All companies that have a Windows Server machine on their intranet also have at least one Active Directory.
Thanks to their Active Directory server, they can manage user accounts, access rights to network resources, client computer security, and so on.
However, by default, the client computer must be on the corporate network (intranet) in order to receive group (and security) policies and to let the user log in with their Active Directory account.
If you use the client machine outside the corporate network, you will not be able to:
To access corporate resources, you could set up a VPN server on your organization's network, but group policies and privileges will not be applied through this VPN connection.
To resolve this issue, Microsoft created a new technology: DirectAccess.
DirectAccess is a technology that enables a client workstation to securely and transparently access corporate resources.
Thanks to DirectAccess, your client workstation will always be on your company's network.
Since you will virtually be on your corporate network, you can log in with your Active Directory account and access your company's resources as if you were on site.
Before setting up your DirectAccess server, here is some information that will help you understand how DirectAccess works and how to set it up in the best possible conditions.
To allow your DirectAccess clients to know whether they are inside or outside the corporate network, they will connect to a Network Location Server (NLS).
In summary, this NLS server is simply a web server reachable from the corporate network. Nevertheless, it is very important that it always remains reachable from the local network; otherwise, clients will believe they are on the Internet. This automatically causes unnecessary DirectAccess connections inside your corporate network, even though these DirectAccess connections are not needed for PCs that are already on the corporate network.
In short, the NLS server must always be highly available.
DirectAccess can be deployed on a server with one or two network interfaces (NICs).
First, DirectAccess only works with IPv6.
If your routers, switches, operating systems and applications are IPv6-compatible, native IPv6 will be used.
Otherwise, IPv4-to-IPv6 transition technologies will be used: IP-HTTPS, Teredo tunneling, 6to4, ...
Warning: the Microsoft Teredo servers used by default by the various versions of Windows no longer exist.
You can check this by typing the "netsh interface teredo show state" command in a command prompt (cmd.exe).
On Windows 7 and 8, the Teredo server used was: teredo.ipv6.microsoft.com.
On Windows 8.1, the Teredo server used was: win8.ipv6.microsoft.com.
If you try to get the IP address of one of these domain names using the "nslookup" command, you will get this error "*** .... can't find teredo.ipv6.microsoft.com: Non-existent domain".
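When auditing a fleet of workstations, it is convenient to parse the output of "netsh interface teredo show state" rather than read it by hand. The following Python script is an added example (not from the original article): it reads a constructed sample of that output (the layout is approximated, and on a non-English Windows the labels will be localized), extracts the "Key : value" fields, and reports Teredo as unusable when the configured server is one of the defunct Microsoft names quoted above or when the state is anything other than "qualified".

```python
import re
from typing import Dict, Tuple

# Default Teredo server names mentioned in the article; they no longer resolve.
DEFUNCT_TEREDO_SERVERS = {"teredo.ipv6.microsoft.com", "win8.ipv6.microsoft.com"}

# Constructed sample of `netsh interface teredo show state` output (layout approximated).
SAMPLE_OUTPUT = """\
Teredo Parameters
---------------------------------------------
Type                    : client
Server Name             : teredo.ipv6.microsoft.com.
Client Refresh Interval : 30 seconds
Client Port             : unspecified
State                   : offline
Error                   : failed to resolve server name
"""

def parse_teredo_state(text: str) -> Dict[str, str]:
    """Turn the 'Key : value' lines into a dict with lowercased keys.
    Lines without a colon (title, separator) are ignored."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields

def teredo_usable(fields: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether Teredo can be relied on, and explain why not.
    'qualified' is the state Windows reports once the tunnel is up."""
    server = fields.get("server name", "").rstrip(".").lower()
    state = fields.get("state", "").lower()
    if server in DEFUNCT_TEREDO_SERVERS:
        return False, f"default Microsoft Teredo server {server} no longer exists; rely on native IPv6"
    if state != "qualified":
        detail = f": {fields['error']}" if "error" in fields else ""
        return False, f"Teredo state is '{state}'{detail}"
    return True, f"Teredo qualified via {server}"

if __name__ == "__main__":
    # On a real machine, feed in the captured output of the netsh command instead.
    usable, reason = teredo_usable(parse_teredo_state(SAMPLE_OUTPUT))
    print("usable" if usable else "not usable", "-", reason)
```

The point of the check is the conclusion the article draws: a client whose Teredo server name cannot be resolved will never obtain a Teredo address, so native IPv6 (or IP-HTTPS) is what the DirectAccess connection will actually use.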
Important: it is therefore now necessary to use native IPv6 (both on your company's network and on the Internet, which depends in particular on your ISP).
Additionally, an IPv6 address may be present without allowing access to the Internet. For more information on IPv6, see the "IPv6 address - Wikipedia" page.
You should also be aware that the DirectAccess server can use ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) to carry IPv6 packets inside IPv4 headers. This lets you take advantage of the IPv4 routing provided by your router (for example) to move IPv6 packets across your network.
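To make the ISATAP mechanism concrete, here is an added Python example (not part of the original article) that does the two things ISATAP does: it derives a host's ISATAP IPv6 address from its IPv4 address (interface identifier ::0:5efe:w.x.y.z, with the u/l bit set for a globally unique IPv4 address, as RFC 5214 specifies), and it wraps a minimal IPv6 packet in an IPv4 header with protocol number 41 so that ordinary IPv4 routers can forward it, then unwraps it again with the integrity checks a receiver should apply. The addresses and payload are constructed values.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41   # IANA protocol number for IPv6 encapsulated in IPv4 (ISATAP, 6to4)

def isatap_interface_id(ipv4: str) -> int:
    """ISATAP interface identifier: ::0:5efe:w.x.y.z; 0200:5efe when the IPv4 is global."""
    v4 = ipaddress.IPv4Address(ipv4)
    ug = 0x0200 if v4.is_global else 0x0000
    return (ug << 48) | (0x5EFE << 32) | int(v4)

def isatap_address(prefix: str, ipv4: str) -> str:
    """Build the ISATAP address of an IPv4 host inside a /64 prefix (e.g. fe80::/64)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | isatap_interface_id(ipv4)))

def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header (even length)."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) + header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv6_packet(src: str, dst: str, payload: bytes, next_header: int = 59) -> bytes:
    """Minimal 40-byte IPv6 header (next_header 59 = no next header) plus payload."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload

def isatap_encapsulate(src_v4: str, dst_v4: str, inner: bytes) -> bytes:
    """Wrap an IPv6 packet in an IPv4 header (protocol 41) so IPv4 routers carry it."""
    fields = [0x45, 0, 20 + len(inner), 0, 0x4000, 64, IPPROTO_IPV6, 0,
              ipaddress.IPv4Address(src_v4).packed, ipaddress.IPv4Address(dst_v4).packed]
    hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = ipv4_checksum(hdr)          # fill in the header checksum
    return struct.pack("!BBHHHBBH4s4s", *fields) + inner

def isatap_decapsulate(packet: bytes) -> bytes:
    """Unwrap: verify version, checksum and protocol 41, then return the IPv6 packet."""
    vihl, _, total_len, _, _, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ipv4_checksum(packet[:ihl]) != 0 or proto != IPPROTO_IPV6:
        raise ValueError("not a valid protocol-41 (IPv6-in-IPv4) packet")
    inner = packet[ihl:total_len]
    if not inner or inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    return inner

if __name__ == "__main__":
    # Constructed hosts on an IPv4-only LAN; the router only needs to route IPv4.
    src, dst = "192.168.1.10", "192.168.1.1"
    inner = ipv6_packet(isatap_address("fe80::/64", src), isatap_address("fe80::/64", dst), b"hello")
    outer = isatap_encapsulate(src, dst, inner)
    print(isatap_address("fe80::/64", src), len(outer), isatap_decapsulate(outer) == inner)
```

A practical consequence for monitoring: ISATAP traffic on the wire is IPv4 with protocol 41, so a firewall or IDS that only inspects TCP/UDP will not see the IPv6 conversation inside it unless it decapsulates protocol-41 packets as the receiver above does.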
Since the connection between the clients and the DirectAccess server is made over the Internet, it's very important to secure this connection.
This prevents interception of data (including passwords) and tampering with data transferred over the Internet.
To secure this connection, DirectAccess clients establish 2 IPsec tunnels:
Source: Microsoft Technet (DirectAccess and IPSec Tunnel Establishment)
Digital certificates are used in 3 places when using DirectAccess technology.
To access your organization's network resources, DirectAccess clients use the NRPT (Name Resolution Policy Table).
This table lets DirectAccess clients know which DNS servers to use depending on their location:
When the NRPT table is enabled on the DirectAccess client, the client will resolve:
Note: by default, the DirectAccess server's address is also included in the NRPT table, but as an exemption. This means that no DNS server will be required to resolve its domain name (FQDN) and that the DirectAccess client will never be able to resolve the DirectAccess server's FQDN from the Internet.
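The two mechanisms just described, the NLS probe that decides "inside or outside" and the NRPT that decides which DNS server answers which name, fit together in a small decision procedure. The following Python model is an added example, not code from the article or from Windows: the NLS name, DirectAccess server name, DNS addresses and NRPT rules are constructed values. It models the client's location check as an HTTPS connection to the NLS with a trusted certificate, applies the NRPT only when the client is outside, and treats rules without DNS servers as exemptions that fall back to the interface's own DNS, which is how the DirectAccess server's own name (and the NLS name) stay resolvable without the internal DNS.

```python
import socket
import ssl
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed example values (hypothetical, not from the article):
NLS_FQDN = "nls.corp.example.com"        # Network Location Server, reachable only on the intranet
DA_SERVER_FQDN = "da.example.com"        # public name of the DirectAccess server
DA_DNS_SERVER = "2001:db8:1::53"         # internal DNS server reached through the IPsec tunnel
INTERFACE_DNS = "203.0.113.53"           # DNS server handed out by the current network (e.g. ISP)

@dataclass
class NrptRule:
    namespace: str            # ".corp.example.com" (suffix rule) or an exact FQDN
    dns_servers: Tuple[str, ...]   # empty tuple = exemption: use the interface DNS

NRPT = [
    NrptRule(".corp.example.com", (DA_DNS_SERVER,)),  # intranet names go through the tunnel
    NrptRule(NLS_FQDN, ()),          # exemption: the NLS must never be reached via the tunnel
    NrptRule(DA_SERVER_FQDN, ()),    # exemption: the DA server name is resolved by public DNS
]

def nls_reachable(host: str, port: int = 443, timeout: float = 2.0) -> bool:
    """Location probe: a successful HTTPS handshake with the NLS (certificate validated
    against the trusted roots) means the client is inside the corporate network."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):
        return False

def match_rule(name: str, table=NRPT) -> Optional[NrptRule]:
    """Longest-match NRPT lookup: an exact-FQDN rule wins over a shorter suffix rule."""
    name = name.rstrip(".").lower()
    best = None
    for rule in table:
        ns = rule.namespace.lower()
        hit = name.endswith(ns) if ns.startswith(".") else name == ns
        if hit and (best is None or len(ns) > len(best.namespace)):
            best = rule
    return best

def choose_resolver(name: str, inside: bool, interface_dns: str = INTERFACE_DNS) -> str:
    """Return the DNS server the client uses for `name`.
    Inside (NLS reachable) the NRPT is not applied; outside, the NRPT decides and
    exemptions (no DNS servers listed) fall back to the interface DNS."""
    if inside:
        return interface_dns
    rule = match_rule(name)
    if rule is None or not rule.dns_servers:
        return interface_dns
    return rule.dns_servers[0]

if __name__ == "__main__":
    inside = nls_reachable(NLS_FQDN)      # on a real client this is the live location check
    for n in ("fileserver.corp.example.com", NLS_FQDN, DA_SERVER_FQDN, "www.example.org"):
        print(f"{'inside' if inside else 'outside'}: {n} -> {choose_resolver(n, inside)}")
```

Read against the warning above about NLS availability: if the probe fails while the machine is actually on the intranet, `choose_resolver` switches every intranet name to the tunnel DNS server, which is exactly the unnecessary DirectAccess traffic the article says a highly available NLS is meant to prevent.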
Since the IPsec infrastructure tunnel established by the DirectAccess client is a bidirectional tunnel, DirectAccess will also allow you to access DirectAccess clients from machines that are physically present in your organization's network.
It also allows you to manage DirectAccess clients using System Center Configuration Manager (SCCM).
Nevertheless, this requires some additional configuration, in particular:
To do this, follow our tutorial: DirectAccess - Manage a remote client (manage out)
DirectAccess requires IPv6 connectivity.
DirectAccess is supported (as a server and as a client) by Windows Server 2008 R2, 2012, and 2012 R2.
DirectAccess is also supported on client versions of Windows:
In addition, for a client to be able to access the corporate network via DirectAccess, it must be joined to the Active Directory domain.
Source: Microsoft (DirectAccess dans Windows Server)
Important: Windows 10 Professional is not supported by DirectAccess, despite some rumors found on the Internet.
Because DirectAccess lets you reach the corporate network from outside, you will need a real domain name that points to your company's external IP address.
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.