Stanislas Quastana's blog on TechNet

Windows Server, Windows Client, Cloud Computing, DirectAccess, Information Systems security

DirectAccess for Windows Server 2008 R2 - Design and Deployment Guides - THE document to have

It was Benoit Sautière (see his blog) who sent me the URL to this document, which is becoming THE reference document on DirectAccess:

“DirectAccess for Windows Server 2008 R2 – Design and Deployment Guides”

165 pages of technical documentation covering everything about DirectAccess.

The table of contents is enticing:

DirectAccess Design Guide (p. 11)
About this guide (p. 11)
Understanding the DirectAccess Design Process (p. 12)
Identifying Your DirectAccess Deployment Goals (p. 12)
Transparent and Automatic Remote Access for DirectAccess Clients (p. 13)
Ongoing Management of Remote DirectAccess Clients (p. 14)
Efficient Routing of Intranet and Internet Traffic (p. 14)
Reduction of Remote Access-based Servers in your Edge Network (p. 15)
End-to-end Traffic Protection (p. 15)
Multi-factor Credentials for Intranet Access (p. 15)
Mapping Your Deployment Goals to a DirectAccess Design (p. 15)
Evaluating DirectAccess Design Examples (p. 16)
Full Intranet Access Example (p. 16)
Full Intranet Access with Smart Cards Example (p. 17)
Selected Server Access Example (p. 18)
Using authentication with null encapsulation for selected server access (p. 19)
End-to-end Access Example (p. 20)
Planning a DirectAccess Deployment Strategy (p. 20)
Resources Available to DirectAccess Clients (p. 22)
IPv6 resources on your intranet (p. 22)
IPv4-only resources on the intranet (p. 23)
Limiting connectivity to selected resources (p. 23)
IPv6 resources on the IPv6 Internet (p. 24)
Choose an Intranet IPv6 Connectivity Design (p. 24)
No existing IPv6 infrastructure (p. 25)
Existing ISATAP infrastructure (p. 26)
Existing native IPv6 infrastructure (p. 26)
Choose Solutions for IPv4-only Intranet Resources (p. 27)
Choose an Access Model (p. 29)
Full Intranet Access (p. 29)
Selected Server Access (p. 30)
End-to-End Access (p. 30)
Choose a Configuration Method (p. 31)
DirectAccess Management Console (p. 31)
Custom configuration using the Network Shell (Netsh) command-line tool and Group Policy (p. 32)
Design for Remote Management (p. 32)
Design Packet Filtering for DirectAccess (p. 33)
Packet Filters for Your Internet Firewall (p. 34)
Packet Filters for Your Intranet Firewall (p. 35)
Confining ICMPv6 Traffic to the Intranet (p. 35)
Packet filters for Teredo Connectivity (p. 37)
Packet filters to allow inbound ICMPv6 Echo Requests on all computers (p. 37)
Enable edge traversal on inbound management traffic (p. 37)
Enable inbound ICMPv6 Echo Requests for management traffic (p. 37)
Packet Filters for Management Computers (p. 38)
DirectAccess and Third-party Host Firewalls (p. 39)
Choose an Authentication and Authorization Scheme (p. 40)
Additional end-to-end peer authentication for selected server access (p. 40)
Peer authentication for end-to-end access (p. 40)
Smart cards for additional authorization (p. 41)
Allowing access for users with unusable smart cards (p. 41)
Prompts for smart card credentials while on the intranet (p. 41)
Under the covers: Smart card authorization (p. 42)
Design Addressing and Routing for the DirectAccess Server (p. 43)
IPv4 address and routing configuration (p. 43)
IPv6 address and routing configuration (p. 44)
Design Active Directory for DirectAccess (p. 45)
Active Directory and the DirectAccess server (p. 45)
DirectAccess and user profiles for remote users (p. 46)
Design Your DNS Infrastructure for DirectAccess (p. 46)
Split-brain DNS (p. 46)
DNS server requirements for ISATAP (p. 47)
AAAA records for servers that do not perform DNS dynamic update (p. 48)
Local name resolution behavior for DirectAccess clients (p. 48)
NRPT rules (p. 49)
Unqualified, single-label names and DNS search suffixes (p. 50)
External DNS (p. 51)
Design Your PKI for DirectAccess (p. 51)
Autoenrollment for computer certificates (p. 51)
Manual enrollment for network location server and IP-HTTPS certificates (p. 51)
Certificate revocation checking and CRL distribution points (p. 52)
Enabling strong CRL checking for IPsec authentication (p. 53)
Smart cards for additional authorization (p. 54)
Design Your Web Servers for DirectAccess (p. 54)
Choose an Internet Traffic Separation Design (p. 55)
Design Protection for Traffic between DirectAccess Clients (p. 57)
Design Your Intranet for Corporate Connectivity Detection (p. 59)
Choose a DirectAccess and VPN Coexistence Design (p. 60)
DirectAccess and third-party VPN clients (p. 61)
Planning the Placement of a DirectAccess Server (p. 62)
When to Install a DirectAccess Server (p. 62)
Where to Place the DirectAccess Server (p. 62)
Planning Redundancy for a DirectAccess Server (p. 63)
Planning the Placement of a Network Location Server (p. 64)
Where to Place the Network Location Server (p. 65)
Highly available intranet Web server as the network location server (p. 65)
DirectAccess server as the network location server (p. 66)
Planning Redundancy for a Network Location Server (p. 67)
Planning the Placement of CRL Distribution Points (p. 67)
Where to Place the CRL Distribution Points (p. 67)
Intranet location for intranet detection (p. 67)
Internet location for IP-HTTPS connections (p. 68)
Planning Redundancy for CRL Distribution Points (p. 68)
Planning DirectAccess with Network Access Protection (NAP) (p. 68)
Configuration changes for the infrastructure tunnel (p. 69)
Configuration changes for the intranet tunnel (p. 70)
Planning DirectAccess with an Existing Server and Domain Isolation Deployment (p. 71)
Planning DirectAccess with Microsoft Forefront Threat Management Gateway (p. 71)
DirectAccess Capacity Planning (p. 72)
Capacity Planning for DirectAccess Servers (p. 72)
Increasing the number of concurrent authentications (p. 73)
Moving the IPsec gateway function to a separate server (p. 73)
Using DirectAccess with UAG (p. 75)
Capacity Planning for Network Location Servers (p. 75)
Capacity Planning for CRL Distribution Points (p. 75)
Additional DirectAccess Resources (p. 76)
Appendix A: DirectAccess Requirements (p. 76)
Appendix B: Reviewing Key DirectAccess Concepts (p. 78)
IPv6 (p. 78)
IPv6 connectivity across the IPv4 Internet (p. 78)
6to4 (p. 79)
Teredo (p. 79)
IP-HTTPS (p. 79)
IPv6 connectivity across an IPv4-only intranet (p. 79)
IPsec (p. 79)
Encryption (p. 80)
Data integrity (p. 81)
Separation of DNS traffic (p. 81)
NRPT exemptions (p. 82)
Network location servers (p. 82)
How intranet detection works (p. 83)
Appendix C: Documenting Your DirectAccess Design (p. 83)
Concepts (p. 83)
Goals (p. 84)
Infrastructure design plan (p. 84)
Custom configuration plan (p. 84)
Integration strategy (p. 85)
Staging strategy (p. 85)
Lessons learned (p. 85)
DirectAccess Deployment Guide (p. 85)
About this guide (p. 86)
Planning Your DirectAccess Deployment (p. 86)
Reviewing your DirectAccess design (p. 87)
Reviewing DirectAccess concepts (p. 87)
Implementing Your DirectAccess Design Plan (p. 88)
How to implement your DirectAccess design using this guide (p. 88)
Checklist: Staging a DirectAccess Deployment (p. 90)
Checklist: Preparing Your Infrastructure for DirectAccess (p. 91)
Checklist: Preparing Your DirectAccess Server (p. 93)
Checklist: Implementing a DirectAccess Design for Full Intranet Access (p. 95)
Checklist: Implementing a DirectAccess Design for Selected Server Access (p. 97)
Checklist: Implementing a DirectAccess Design for End-to-End Access (p. 98)
Checklist: Implementing a Redundant DirectAccess Design (p. 100)
Checklist: Configuring Network Access Protection (NAP) with DirectAccess (p. 101)
Checklist: Moving the IPsec Gateway to Another Server (p. 102)
Procedures Used in this Guide (p. 103)
Configure a CRL Distribution Point for Certificates (p. 104)
Configure a Custom Certificate Template (p. 106)
Configure Active Directory Certificate Services for CRL Locations (p. 107)
Configure Client Authentication and Certificate Mapping for IP-HTTPS Connections (p. 108)
Configure Computer Certificate Autoenrollment (p. 109)
Configure Connection Security Rules for End-to-end Access (p. 110)
Configure Connection Security Rules for Traffic Between DirectAccess Clients (p. 113)
Configure Corporate Connectivity Detection Settings (p. 114)
Configure DirectAccess Connection Security Rules for NAP (p. 115)
Configure Force Tunneling (p. 116)
Configure IIS for Network Location (p. 117)
Configure Packet Filters to Allow ICMP Traffic (p. 119)
Configure Packet Filters to Allow Management Traffic to DirectAccess Clients (p. 120)
Configure Packet Filters to Block Access to Domain Controllers (p. 121)
Configure Settings to Confine ICMPv6 Traffic to the Intranet (p. 122)
Configure Strong Certificate Revocation Checking for IPsec Authentication (p. 124)
Configure the DirectAccess IPsec Gateway on a Different Server (p. 125)
Configure the Intra-Server Subnet (p. 125)
Configure the IPv6 Connectivity Server (p. 126)
Configure the IPsec Gateway Server (p. 127)
Configure the DirectAccess Server as the Network Location Server (p. 129)
Configure the DirectAccess Setup Wizard for End-to-End Access (p. 129)
Configure the DirectAccess Setup Wizard for Full Intranet Access (p. 131)
Configure the DirectAccess Setup Wizard for Selected Server Access (p. 133)
Configure the NRPT for an IPv6/IPv4 DNS Gateway (p. 134)
Configure the NRPT with Group Policy (p. 135)
Connect to the IPv6 Internet (p. 136)
Create DirectAccess Groups in Active Directory (p. 137)
Install a Network Location Server Certificate on the DirectAccess Server (p. 138)
Install an IP-HTTPS Certificate (p. 139)
Install and Configure IIS for a Network Location Server Certificate (p. 140)
Install the DirectAccess Feature (p. 142)
Remove ISATAP from the DNS Global Query Block List (p. 142)
Appendix A – Manual DirectAccess Server Configuration (p. 143)
Configure Internet access components (p. 143)
Configure intranet access components (p. 144)
Configure IPsec DoSP (p. 145)
Configure connection security rules (p. 145)
DirectAccess server configuration (full intranet access model) (p. 145)
Connection security rules for client configuration (full intranet access model) (p. 146)
Appendix B – Manual DirectAccess Client Configuration (p. 147)
IPv6 transition technology settings (p. 147)
NRPT (p. 148)
Appendix C - DirectAccess User Interface Scripting (p. 149)
Script usage (p. 150)
Log file (p. 150)
Limitation of the script (p. 150)
Appendix D - DirectAccessConfig.xsd (p. 151)

Download at the following address: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=647222d1-a41e-4cdb-ba34-f057fbc7198f

Comments
  • Hello,

    Being interested in using DirectAccess, but with a relatively small infrastructure, I would have liked to know whether it is possible to have one and only one Windows Server 2008 R2 machine that holds the DNS server / domain controller / DirectAccess roles at the same time.

    In other words, putting the whole infrastructure needed for DirectAccess on a single machine.

    (I am also interested in the use of the 2 required public IP addresses and how DirectAccess uses them (as redundancy addresses, one for sending and another for receiving...).)

    If the infrastructure on one and only one machine is not possible, is it possible to install a DirectAccess server and then a domain controller server with several subdomains (these subdomains would be distinct, however)?

    For example: as the main domain, dadomaine.com, with subdomains toto1.dadomaine.com, toto2.dadomaine.com, etc., but with the users of the 2 subdomains being distinct (they must not be able to communicate with / see each other).

    PS: I know the article is a bit old now and I don't know if I'm posting in the right place, but thanks in advance.

    Benjamin
