Step-By-Step: Enabling DirectAccess in Windows Server 2012


Last week Pierre and I completed the last Windows Server 2012 #CANITPRO Camp in St. John's, Newfoundland.  The camp was a great showcase of virtualization capabilities for Windows Server 2012 and was well received by audiences across Canada.  So much so that Pierre, Mitch and I will be putting together a version 2 of Windows Server 2012 #CANITPRO Camp next week.  Agenda and dates of the camps will be posted soon but I wanted to incorporate one of the upcoming labs into a Step-By-Step post to allow everyone a preview of what to expect.

DirectAccess

DirectAccess was introduced in Windows Server 2008 R2 as a remote access feature that gives domain-joined clients connectivity to corporate network resources without a user-initiated Virtual Private Network (VPN) connection. At the time, DirectAccess only supported domain-joined Windows 7 Enterprise and Windows 7 Ultimate clients. Windows Routing and Remote Access Service (RRAS) continues to provide traditional VPN connectivity for legacy clients, non-domain-joined clients, third-party VPN clients and site-to-site connections. In Windows Server 2008 R2, RRAS must be deployed and managed separately from DirectAccess, as the two cannot coexist on the same edge server.

Windows Server 2012 combines DirectAccess and the RRAS role service into a single Remote Access server role. This unified role allows centralized configuration, administration and monitoring of both VPN-based remote access and DirectAccess. Windows Server 2012 DirectAccess also includes a number of updates that address earlier deployment blockers and simplify management.

These features include:

  • DirectAccess and RRAS coexistence
  • Simplified DirectAccess Deployment
  • Removal of PKI (Public Key Infrastructure) as a prerequisite for the basic single-server deployment with Windows 8 clients (certificates are still required for Windows 7 clients and for advanced options such as OTP, NAP and multisite)
  • Built in NAT64 and DNS64 support for IPv4 only resources
  • Support for DirectAccess behind a NAT device
  • Load Balancing Support
  • Multi Domain Support
  • NAP Integration
  • Manage-Out to clients support
  • User Monitoring / Server Status / Diagnostics
  • IP-HTTPS performance improvements
  • Server Core Support
  • Multisite Support

With Windows 8 and Windows Server 2012, a working DirectAccess configuration can be deployed in a few clicks. Where the standard configuration does not meet your organization's requirements, a number of other deployment options are available:

  • Single Site Remote Access
  • Remote Access in a Cluster
  • Multiple Remote Access Servers in a Multisite Deployment
  • Remote Access with OTP Authentication
  • Remote Access in a Multi-Forest Environment
  • Remote Access with Network Access Protection
  • Remote Access in the Cloud

 

Prerequisites

Download and install Windows Server 2012 in your lab to complete this exercise. Alternatively, you can complete this lab in a virtual lab by downloading and installing Hyper-V Server 2012.

DirectAccess Deployment Steps

  1. Install the Remote Access role:
    • In the Server Manager console, in the Dashboard, click Add roles and features.
    • Click Next three times to get to the server role selection screen.
    • On the Select Server Roles dialog, select Remote Access, click Add Required Features, and then click Next.
    • On the Select features dialog, expand Remote Server Administration Tools, expand Role Administration Tools, select Remote Access Management Tools, and then click Next.
    • Click Next four times.
    • On the Confirm installation selections dialog, click Install.
    • On the Installation progress dialog, verify that the installation was successful, and then click Close.
  2. Obtain two consecutive public IPv4 addresses and configure them on the external adapter of the server. Teredo requires two consecutive public addresses, and they must not be in use anywhere else.
  3. Create a public DNS A record for the server's FQDN (the name remote clients will connect to) pointing at the first public address.
  4. Obtain a server certificate for IP-HTTPS connections with a subject name that matches the FQDN of the server.
  5. Create an Active Directory security group for the DirectAccess client computers; the wizard applies the client settings through Group Policy to the members of this group.
  6. After installing the Remote Access role, open the Remote Access Management Console.
  7. Click Deploy DirectAccess Only.
  8. If two network adapters are present, select the Edge topology and enter the FQDN or external IP address that clients will connect to; otherwise, select the topology that matches your network.
  9. Click Next and Finish with the default settings, or choose to edit the settings (they can also be edited later).
  10. The wizard applies the configuration and reports on each step as it completes.

Once the wizard has completed successfully, each of the configuration steps can be reviewed in the console and edited as needed.

           

 

To explore the new DirectAccess feature for yourself download the Windows Server 2012 installation kit.
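The deployment steps above as one scripted run, which is an added example and not part of the original post or of Microsoft's documentation. It is meant for an elevated PowerShell session on the Windows Server 2012 Remote Access server with the Edge topology (two adapters), and every name it uses (contoso.com, da.contoso.com, the dns1 DNS server, the External and Internal adapter names, the WebServer certificate template, the group, computer and GPO names, the 203.0.113.10 address) is an assumption to be replaced with your own.

```powershell
# Added example (not from the original post): the manual deployment steps as a
# script. Run elevated on the Windows Server 2012 Remote Access server.
# All names and addresses below are assumptions for a lab.

$Domain      = 'contoso.com'
$PublicFqdn  = 'da.contoso.com'   # must match the IP-HTTPS certificate subject and the public DNS record
$PublicIPv4  = '203.0.113.10'     # first of the two consecutive public addresses (RFC 5737 documentation range)
$ClientGroup = 'DirectAccessClients'

# Step 1: Remote Access role, the DirectAccess/VPN role service and the management tools.
Install-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, RSAT-RemoteAccess -IncludeManagementTools

# Step 3: public A record for the FQDN. Assumes the externally resolvable zone
# for contoso.com is hosted on a Windows DNS server (dns1) that we can manage.
Add-DnsServerResourceRecordA -ComputerName 'dns1.contoso.com' -ZoneName $Domain `
    -Name 'da' -IPv4Address $PublicIPv4

# Step 4: IP-HTTPS certificate with a subject matching the public FQDN, enrolled
# from an enterprise CA template assumed to be named WebServer. The DirectAccess
# setup uses the certificate in the machine store whose subject matches
# -ConnectToAddress, and falls back to a self-signed certificate if none exists.
$Enrollment = Get-Certificate -Template 'WebServer' -SubjectName "CN=$PublicFqdn" `
    -DnsName $PublicFqdn -CertStoreLocation 'Cert:\LocalMachine\My'
if ($Enrollment.Status -ne 'Issued') {
    throw "IP-HTTPS certificate was not issued (status: $($Enrollment.Status))"
}

# Step 5: security group that scopes the DirectAccess client GPO. One assumed
# Windows 8 laptop is added as a member.
Import-Module ActiveDirectory
New-ADGroup -Name $ClientGroup -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,DC=contoso,DC=com'
Add-ADGroupMember -Identity $ClientGroup -Members (Get-ADComputer 'WIN8-LAPTOP01')

# Steps 6 to 10: what "Deploy DirectAccess Only" with the Edge topology does.
# The GPO names are the defaults the wizard would create.
Install-RemoteAccess -DAInstallType FullInstall -ConnectToAddress $PublicFqdn `
    -InternetInterface 'External' -InternalInterface 'Internal' `
    -ClientGpoName "$Domain\DirectAccess Client Settings" `
    -ServerGpoName "$Domain\DirectAccess Server Settings" -Force -PassThru

# Scope the client settings to our group and keep them limited to mobile
# computers, so desktops on the LAN do not receive DirectAccess policy.
Add-DAClient -SecurityGroupNameList "$Domain\$ClientGroup"
Set-DAClient -OnlyRemoteComputers Enabled

# Check: role state, and the health of each DirectAccess component.
Get-RemoteAccess | Select-Object DAStatus, VpnStatus, ConnectToAddress, InternetInterface, InternalInterface
Get-RemoteAccessHealth | Format-Table Component, HealthState, Heuristics -AutoSize

# On a Windows 8 client in the group, after gpupdate /force:
#   Get-DAConnectionStatus    -> Status ConnectedLocally on the LAN (NLS reachable),
#                                ConnectedRemotely when the tunnels are up from the internet
#   Get-DnsClientNrptPolicy   -> NRPT rules for the internal namespace pushed by the client GPO
#   Get-NetIPHttpsState       -> IP-HTTPS interface state when Teredo and 6to4 are unavailable
```

The scripted form makes the dependencies between the manual steps explicit: the certificate subject, the public DNS name and the -ConnectToAddress value all have to be the same string, and the client GPO only takes effect on computers that are members of the security group passed to Add-DAClient.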

 

 

 

  • Nice write-up, but I would have highlighted how important the NLS server is here and that its internal cert cannot and must not use a CN that is accessible or resolvable from the internet. This server is absolutely critical, so it should ideally be highly available.

    Also, the cert it uses must have a matching entry in DNS - I recommend using the internal name of the server, as I found that if you try to replicate the name it generates in DNS, the entry was being deleted by the wizard (bug?).

    Personally I also prefer to create a VPN too - but that's a matter of personal preference.

    And perhaps some reference on how to enable for Windows 7

    And the following command is extremely useful for the clients to check it's configured:

    netsh dns show state

    :-)

  • Tony,

    I agree, and it will be noted in the next blog post on this subject.  I have also found this great resource that will provide further information on enabling DirectAccess in Windows 7 (technet.microsoft.com/.../dd420463.aspx).  Thank you for your input and for sharing your knowledge on the subject.

    You're more than welcome - I wish I'd had this over the last week and a bit, where I was struggling to work out where I was going wrong. It's a great write-up, and useful resources are all too scarce at the moment.

    Well there's seemingly a lot of information out there but a lot is of questionable use as it misses key information/glosses over critical areas unfortunately.

  • And actually your linked article is exactly what I mean - lots and lots of useful info from MS there, but I could only see one entry relating to 2012.

    Having done it with both 2008 R2 and 2012 I wouldn't want to go back to 2008 - the enhanced setup and configuration (and the dashboard) in 2012 knock 2008 into touch in a huge way.

  • Yes, this is a great write up about DirectAccess in Server 2012. If you ever had to set it up in Windows 2008 R2 (especially in a cluster), you'll love Server 2012.

  • Thank you Todd.
