It was Benoit Sautière (see his blog) who sent me the URL to this document, which is becoming THE reference among DirectAccess documents:
“DirectAccess for Windows Server 2008 R2 – Design and Deployment Guides”
165 pages of technical documentation covering everything there is to know about DirectAccess.
The table of contents is enticing:
DirectAccess Design Guide (p. 11)
About this guide (p. 11)
Understanding the DirectAccess Design Process (p. 12)
Identifying Your DirectAccess Deployment Goals (p. 12)
Transparent and Automatic Remote Access for DirectAccess Clients (p. 13)
Ongoing Management of Remote DirectAccess Clients (p. 14)
Efficient Routing of Intranet and Internet Traffic (p. 14)
Reduction of Remote Access-based Servers in your Edge Network (p. 15)
End-to-end Traffic Protection (p. 15)
Multi-factor Credentials for Intranet Access (p. 15)
Mapping Your Deployment Goals to a DirectAccess Design (p. 15)
Evaluating DirectAccess Design Examples (p. 16)
Full Intranet Access Example (p. 16)
Full Intranet Access with Smart Cards Example (p. 17)
Selected Server Access Example (p. 18)
Using authentication with null encapsulation for selected server access (p. 19)
End-to-end Access Example (p. 20)
Planning a DirectAccess Deployment Strategy (p. 20)
Resources Available to DirectAccess Clients (p. 22)
IPv6 resources on your intranet (p. 22)
IPv4-only resources on the intranet (p. 23)
Limiting connectivity to selected resources (p. 23)
IPv6 resources on the IPv6 Internet (p. 24)
Choose an Intranet IPv6 Connectivity Design (p. 24)
No existing IPv6 infrastructure (p. 25)
Existing ISATAP infrastructure (p. 26)
Existing native IPv6 infrastructure (p. 26)
Choose Solutions for IPv4-only Intranet Resources (p. 27)
Choose an Access Model (p. 29)
Full Intranet Access (p. 29)
Selected Server Access (p. 30)
End-to-End Access (p. 30)
Choose a Configuration Method (p. 31)
DirectAccess Management Console (p. 31)
Custom configuration using the Network Shell (Netsh) command-line tool and Group Policy (p. 32)
Design for Remote Management (p. 32)
Design Packet Filtering for DirectAccess (p. 33)
Packet Filters for Your Internet Firewall (p. 34)
Packet Filters for Your Intranet Firewall (p. 35)
Confining ICMPv6 Traffic to the Intranet (p. 35)
Packet filters for Teredo Connectivity (p. 37)
Packet filters to allow inbound ICMPv6 Echo Requests on all computers (p. 37)
Enable edge traversal on inbound management traffic (p. 37)
Enable inbound ICMPv6 Echo Requests for management traffic (p. 37)
Packet Filters for Management Computers (p. 38)
DirectAccess and Third-party Host Firewalls (p. 39)
Choose an Authentication and Authorization Scheme (p. 40)
Additional end-to-end peer authentication for selected server access (p. 40)
Peer authentication for end-to-end access (p. 40)
Smart cards for additional authorization (p. 41)
Allowing access for users with unusable smart cards (p. 41)
Prompts for smart card credentials while on the intranet (p. 41)
Under the covers: Smart card authorization (p. 42)
Design Addressing and Routing for the DirectAccess Server (p. 43)
IPv4 address and routing configuration (p. 43)
IPv6 address and routing configuration (p. 44)
Design Active Directory for DirectAccess (p. 45)
Active Directory and the DirectAccess server (p. 45)
DirectAccess and user profiles for remote users (p. 46)
Design Your DNS Infrastructure for DirectAccess (p. 46)
Split-brain DNS (p. 46)
DNS server requirements for ISATAP (p. 47)
AAAA records for servers that do not perform DNS dynamic update (p. 48)
Local name resolution behavior for DirectAccess clients (p. 48)
NRPT rules (p. 49)
Unqualified, single-label names and DNS search suffixes (p. 50)
External DNS (p. 51)
Design Your PKI for DirectAccess (p. 51)
Autoenrollment for computer certificates (p. 51)
Manual enrollment for network location server and IP-HTTPS certificates (p. 51)
Certificate revocation checking and CRL distribution points (p. 52)
Enabling strong CRL checking for IPsec authentication (p. 53)
Smart cards for additional authorization (p. 54)
Design Your Web Servers for DirectAccess (p. 54)
Choose an Internet Traffic Separation Design (p. 55)
Design Protection for Traffic between DirectAccess Clients (p. 57)
Design Your Intranet for Corporate Connectivity Detection (p. 59)
Choose a DirectAccess and VPN Coexistence Design (p. 60)
DirectAccess and third-party VPN clients (p. 61)
Planning the Placement of a DirectAccess Server (p. 62)
When to Install a DirectAccess Server (p. 62)
Where to Place the DirectAccess Server (p. 62)
Planning Redundancy for a DirectAccess Server (p. 63)
Planning the Placement of a Network Location Server (p. 64)
Where to Place the Network Location Server (p. 65)
Highly available intranet Web server as the network location server (p. 65)
DirectAccess server as the network location server (p. 66)
Planning Redundancy for a Network Location Server (p. 67)
Planning the Placement of CRL Distribution Points (p. 67)
Where to Place the CRL Distribution Points (p. 67)
Intranet location for intranet detection (p. 67)
Internet location for IP-HTTPS connections (p. 68)
Planning Redundancy for CRL Distribution Points (p. 68)
Planning DirectAccess with Network Access Protection (NAP) (p. 68)
Configuration changes for the infrastructure tunnel (p. 69)
Configuration changes for the intranet tunnel (p. 70)
Planning DirectAccess with an Existing Server and Domain Isolation Deployment (p. 71)
Planning DirectAccess with Microsoft Forefront Threat Management Gateway (p. 71)
DirectAccess Capacity Planning (p. 72)
Capacity Planning for DirectAccess Servers (p. 72)
Increasing the number of concurrent authentications (p. 73)
Moving the IPsec gateway function to a separate server (p. 73)
Using DirectAccess with UAG (p. 75)
Capacity Planning for Network Location Servers (p. 75)
Capacity Planning for CRL Distribution Points (p. 75)
Additional DirectAccess Resources (p. 76)
Appendix A: DirectAccess Requirements (p. 76)
Appendix B: Reviewing Key DirectAccess Concepts (p. 78)
IPv6 (p. 78)
IPv6 connectivity across the IPv4 Internet (p. 78)
6to4 (p. 79)
Teredo (p. 79)
IP-HTTPS (p. 79)
IPv6 connectivity across an IPv4-only intranet (p. 79)
IPsec (p. 79)
Encryption (p. 80)
Data integrity (p. 81)
Separation of DNS traffic (p. 81)
NRPT exemptions (p. 82)
Network location servers (p. 82)
How intranet detection works (p. 83)
Appendix C: Documenting Your DirectAccess Design (p. 83)
Concepts (p. 83)
Goals (p. 84)
Infrastructure design plan (p. 84)
Custom configuration plan (p. 84)
Integration strategy (p. 85)
Staging strategy (p. 85)
Lessons learned (p. 85)
DirectAccess Deployment Guide (p. 85)
About this guide (p. 86)
Planning Your DirectAccess Deployment (p. 86)
Reviewing your DirectAccess design (p. 87)
Reviewing DirectAccess concepts (p. 87)
Implementing Your DirectAccess Design Plan (p. 88)
How to implement your DirectAccess design using this guide (p. 88)
Checklist: Staging a DirectAccess Deployment (p. 90)
Checklist: Preparing Your Infrastructure for DirectAccess (p. 91)
Checklist: Preparing Your DirectAccess Server (p. 93)
Checklist: Implementing a DirectAccess Design for Full Intranet Access (p. 95)
Checklist: Implementing a DirectAccess Design for Selected Server Access (p. 97)
Checklist: Implementing a DirectAccess Design for End-to-End Access (p. 98)
Checklist: Implementing a Redundant DirectAccess Design (p. 100)
Checklist: Configuring Network Access Protection (NAP) with DirectAccess (p. 101)
Checklist: Moving the IPsec Gateway to Another Server (p. 102)
Procedures Used in this Guide (p. 103)
Configure a CRL Distribution Point for Certificates (p. 104)
Configure a Custom Certificate Template (p. 106)
Configure Active Directory Certificate Services for CRL Locations (p. 107)
Configure Client Authentication and Certificate Mapping for IP-HTTPS Connections (p. 108)
Configure Computer Certificate Autoenrollment (p. 109)
Configure Connection Security Rules for End-to-end Access (p. 110)
Configure Connection Security Rules for Traffic Between DirectAccess Clients (p. 113)
Configure Corporate Connectivity Detection Settings (p. 114)
Configure DirectAccess Connection Security Rules for NAP (p. 115)
Configure Force Tunneling (p. 116)
Configure IIS for Network Location (p. 117)
Configure Packet Filters to Allow ICMP Traffic (p. 119)
Configure Packet Filters to Allow Management Traffic to DirectAccess Clients (p. 120)
Configure Packet Filters to Block Access to Domain Controllers (p. 121)
Configure Settings to Confine ICMPv6 Traffic to the Intranet (p. 122)
Configure Strong Certificate Revocation Checking for IPsec Authentication (p. 124)
Configure the DirectAccess IPsec Gateway on a Different Server (p. 125)
Configure the Intra-Server Subnet (p. 125)
Configure the IPv6 Connectivity Server (p. 126)
Configure the IPsec Gateway Server (p. 127)
Configure the DirectAccess Server as the Network Location Server (p. 129)
Configure the DirectAccess Setup Wizard for End-to-End Access (p. 129)
Configure the DirectAccess Setup Wizard for Full Intranet Access (p. 131)
Configure the DirectAccess Setup Wizard for Selected Server Access (p. 133)
Configure the NRPT for an IPv6/IPv4 DNS Gateway (p. 134)
Configure the NRPT with Group Policy (p. 135)
Connect to the IPv6 Internet (p. 136)
Create DirectAccess Groups in Active Directory (p. 137)
Install a Network Location Server Certificate on the DirectAccess Server (p. 138)
Install an IP-HTTPS Certificate (p. 139)
Install and Configure IIS for a Network Location Server Certificate (p. 140)
Install the DirectAccess Feature (p. 142)
Remove ISATAP from the DNS Global Query Block List (p. 142)
Appendix A – Manual DirectAccess Server Configuration (p. 143)
Configure Internet access components (p. 143)
Configure intranet access components (p. 144)
Configure IPsec DoSP (p. 145)
Configure connection security rules (p. 145)
DirectAccess server configuration (full intranet access model) (p. 145)
Connection security rules for client configuration (full intranet access model) (p. 146)
Appendix B – Manual DirectAccess Client Configuration (p. 147)
IPv6 transition technology settings (p. 147)
NRPT (p. 148)
Appendix C - DirectAccess User Interface Scripting (p. 149)
Script usage (p. 150)
Log file (p. 150)
Limitation of the script (p. 150)
Appendix D - DirectAccessConfig.xsd (p. 151)
Download at the following address: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=647222d1-a41e-4cdb-ba34-f057fbc7198f
Hello,
Being interested in using DirectAccess, but with a relatively small infrastructure, I would like to know whether it is possible to have one and only one Windows Server 2008 R2 machine that holds the DNS server, domain controller and DirectAccess roles all at once.
In other words, putting the entire infrastructure required for DirectAccess on a single machine.
(I am also wondering about the use of the 2 public IP addresses that are required: how does DirectAccess use them (as a redundant address, one for sending and another for receiving, ...)?)
If the infrastructure on one and only one machine is not possible, is it possible to install a DirectAccess server and then a domain controller server with several subdomains (these subdomains would however be distinct)?
For example: as the main domain, dadomaine.com with subdomains toto1.dadomaine.com, toto2.dadomaine.com etc., but with the users of the 2 subdomains kept separate (they must not be able to communicate with / see each other).
PS: I know the article is a little old now and I don't know whether I'm posting in the right place, but thanks in advance.
Benjamin