I am happy to tell you that today I’ve released the Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess with Secure Socket Tunneling (SSTP) Test Lab Guide. This is one that I was looking forward to doing because this is such an important deployment model.
As you might know, a single UAG server or UAG array can support all of the roles that are supported by UAG (with the exception that a UAG server or array that acts in the DirectAccess role cannot also host the Network Connector). In general, I recommend that you use different UAG servers or array based on their functional roles:
This is not a hard and fast rule, and I certainly wouldn’t fault anyone for taking a different approach. But I’ve found that if you separate the services provided on the server or array in this manner, it’s easier to “size” your deployment, given the high processing requirements for the DirectAccess server deployment.
Having SSTP on the DirectAccess server makes it easy to have a “fall back” solution for any applications that don’t work with DirectAccess. While we haven’t seen too many of them, there are still a few and SSTP makes it easy to access the corporate network for DirectAccess client when they need to use these applications. In addition, you may have Windows 7 clients that are not domain members, and thus can’t be DirectAccess clients. Or you might even have domain member Windows 7 computers, but these aren’t configured for DirectAccess. These non-DirectAccess clients can easily connect to the corporate network using the Secure Socket Tunneling Protocol (SSTP), which is firewall and NAT friendly, so that users can connect using SSTP from almost anywhere.
In this Test Lab Guide you will build out a co-located DirectAccess and SSTP server and then test the deployment. You’ll configure the UAG server as both a DirectAccess and SSTP VPN server and then test DirectAccess and SSTP VPN connectivity, and look at several key areas to confirm connectivity and what normal connectivity looks like in these scenarios.
I hope you like the Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess with Secure Socket Tunneling (SSTP) Test Lab Guide. As always, if you have any questions on this Test Lab Guide, or have suggestions for improvements or if you find errors, then please let me know! Just write to the email address in my sig line and I’ll get back to you as soon as I can.
HTH,
Tom
Tom Shinder tomsh@microsoft.com Knowledge Engineer, Microsoft DAIP iX/Forefront iX UAG Direct Access/Anywhere Access Group (AAG) The “Edge Man” blog (DA all the time): http://blogs.technet.com/tomshinder/default.aspx Follow me on Twitter: http://twitter.com/tshinder Facebook: http://www.facebook.com/tshinder
Hey folks – since the TLGs are typically put up only in the download center, it makes discoverability of some of the cool content inside of them hard when it comes to search engines. Therefore, I’m going to post the full text of the TLGs on the Edge Man blog. However, I recommend that you download the Word .doc version of the TLGs when you actually put together your Test Lab using the Test Lab Guides.
For a downloadable version of the Test Lab Guide – Demonstrate UAG SP1 RC DirectAccess with SSTP check out:
http://go.microsoft.com/fwlink/?LinkId=206283
==================================================
DirectAccess is a new feature in the Windows 7 and Windows Server 2008 R2 operating systems that gives users the experience of being seamlessly connected to their intranet any time they have Internet access. With DirectAccess enabled, requests for intranet resources (such as e-mail servers, shared folders, or intranet Web sites) are securely directed to the intranet, without requiring users to connect to a VPN. DirectAccess provides increased productivity for a mobile workforce by offering the same connectivity experience both inside and outside the office.
Forefront Unified Access Gateway (UAG) SP1 RC extends the value of the Windows DirectAccess solution by adding features that meet the requirements of many enterprise deployments:
To learn more about UAG DirectAccess, see the following resources:
· Forefront UAG DirectAccess Design Guide
· Forefront UAG DirectAccess Deployment Guide
UAG SP1 RC supports hosting multiple roles on a single UAG server or UAG array. For example, you might want to host both the DirectAccess server and SSTP VPN server roles on the same server or array. Windows 7 clients that are configured DirectAccess clients will automatically use DirectAccess to connect to intranet resources. Windows 7 clients that are not domain members, or who are not configured as DirectAccess clients can use SSTP to connect to the intranet using a network level VPN connection. In addition, DirectAccess clients hosting applications that are not compatible with DirectAccess can connect to the SSTP VPN when they need to use the non-compatible application.
Note
Non-Windows 7 operating systems (such as Windows Vista, Windows XP) can use the UAG Network Connector to connect to the intranet using a network level SSL VPN connection. However, you cannot host the Network Connector application on the same server or array that is also hosting DirectAccess. To support network level VPN connectivity for non-Windows 7 clients, you will need to deploy a second UAG server or array.
This guide provides step-by-step instructions for configuring UAG DirectAccess SP1 RC with SSTP in a test lab so that you can see how it works. You will set up and deploy UAG DirectAccess SP1 RC using five server computers, two client computers, Windows Server 2008 R2 Enterprise edition, and Windows 7 Ultimate Edition. The Test Lab simulates intranet, Internet, and a home networks, and demonstrates a co-located Forefront UAG DirectAccess and SSTP VPN server role deployment. The starting point for this paper is the Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess .
Important:
These instructions are designed for configuring a test lab using the minimum number of computers. Individual computers are needed to separate the services provided on the network, and to show clearly the required functionality. This configuration is not designed to reflect best practices, nor does it reflect a required or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed to work only on a separate test lab network. For more information on planning and deploying DirectAccess with Forefront UAG, please see the Forefront UAG DirectAccess design guide and the Forefront UAG DirectAccess deployment guide
In this test lab scenario, Forefront UAG DirectAccess SP1 RC is deployed with:
The test lab consists of three subnets that simulate the following:
Computers on each subnet connect using either a physical or virtual hub or switch, as shown in the following figure.
The following components are required for configuring Forefront UAG DirectAccess in the test lab:
This Test Lab Guide demonstrates a combined UAG SP1 RC DirectAccess and SSTP deployment.
Important
The following instructions are for configuring a test lab using the minimum number of computers. Individual computers are needed to separate the services provided on the network and to clearly show the desired functionality. It is important to remember that this configuration is neither designed to reflect best practices nor does it reflect a desired or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed only to work on a separate test lab network.
Attempting to adapt this test lab configuration to a pilot or production deployment can result in configuration or functionality issues. To ensure proper configuration and operation of UAG DirectAccess and SSTP, please refer to the Forefront UAG DirectAccess Deployment Guide for the steps to configure the UAG DirectAccess server and supporting infrastructure servers.
The following sections describe how to configure UAG1 as both a DirectAccess and SSTP VPN server. After UAG1 is configured, this guide provides steps for demonstrating the DirectAccess and SSTP VPN functionality for CLIENT1 when it is connected to the Homenet subnet.
You must be logged on as a member of the Domain Admins group or a member of the Administrators group on each computer to complete the tasks described in this guide. If you cannot complete a task while you are logged on with an account that is a member of the Administrators group, try performing the task while you are logged on with an account that is a member of the Domain Admins group. For all tasks described in this document you can use the CONTOSO\User1 account created when you went through the steps in the UAG DirectAccess Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess.
The following procedures are performed to enable and allow you to test the UAG SP1 RC DCA:
· Step 1: Complete the Demonstrate UAG SP1 RC DirectAccess Test Lab Guide – The first step is to complete all the steps in the Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess.
· Step 2: Create the HTTPS Trunk. UAG uses the concept of “trunk” as the primary listener for incoming SSL connections to a UAG portal page. In this step you will create an SSL Trunk that can be used to create a portal page that includes the SSTP VPN application.
· Step 3: Configure the Remote Network Access Settings. The SSTP application requires configuration of a number of settings before it can be deployed. In this step you will configure these settings.
· Step 4: Add the SSTP Remote Network Access Application to the Trunk. In order for users to access the SSTP VPN application, that application must be added to a trunk. In this step you will add the SSTP application to the HTTPS trunk.
· Step 5: Activate the Configuration and View Activation in the Activation Monitor. You need to activate the configuration after adding the SSTP VPN application to the trunk. In this step you will activate the configuration and view the activation process in the Activation Monitor.
· Step 6: Test DirectAccess and SSTP Connectivity. After activation is complete, you are ready to test both DirectAccess and SSTP connectivity. In this step you will confirm DirectAccess connectivity and then start an SSTP VPN connection through the portal.
· Step 7: Snapshot the configuration. After completing the Test Lab, take a snapshot of the working UAG DirectAccess with SSTP Test Lab so that you can return to it later to test additional scenarios.
You will notice that there are several steps that begin with an asterisk (*). The * indicates that the step requires that you move to a computer or virtual machine that is different from the computer or virtual machine you were at when you completed the previous step.
The first step is to complete all the steps in the Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess. After completing the steps in that Test Lab Guide you will have the core infrastructure required to complete this Test Lab Guide on how to configure the UAG DirectAccess DCA. If you have already completed the steps in that Test Lab Guide and saved a snapshot or disk image of the Test Lab, you can restore the snapshot or image and begin with the next step.
UAG uses the concept of “trunk” as the primary listener for incoming SSL connections to a UAG portal page. In this step you will create an SSL Trunk that can be used to create a portal page that includes the SSTP VPN application.
The SSTP application requires configuration of a number of settings before it can be deployed. In this step you will configure these settings.
In order for users to access the SSTP VPN application, that application must be added to a trunk. In this step you will add the SSTP application to the HTTPS trunk.
You need to activate the configuration after adding the SSTP VPN application to the trunk. In this step you will activate the configuration and view the activation process in the Activation Monitor.
After activation is complete, you are ready to test both DirectAccess and SSTP connectivity. In this step you will confirm DirectAccess connectivity and then start an SSTP VPN connection through the portal.
This completes the UAG SP1 RC DirectAccess with SSTP test lab. To save this configuration so that you can quickly return to a working UAG SP1 RC DirectAccess Connectivity Assistant configuration from which you can test other DirectAccess modular TLGs, TLG extensions, or for your own experimentation and learning, do the following:
For more information on UAG and SSTP, see Setting up Remote Network Access.
For procedures to configure the Base Configuration test lab on which this document is based, see the Test Lab Guide: Base Configuration.
For procedures to configure UAG SP1 RC DirectAccess on which this document is based, see the Test Lab Guide: Demonstrate Forefront UAG SP1 RC DirectAccess.
For a comprehensive list of Test Lab Guides, please see Test Lab Guides.
For a list of UAG DirectAccess related Test Lab Guides, please see UAG DirectAccess Test Lab Guide Portal Page
For the design and configuration of your pilot or production deployment of DirectAccess, see the Forefront UAG DirectAccess design guide and the Forefront UAG DirectAccess deployment guide.
For information about troubleshooting DirectAccess, see the DirectAccess Troubleshooting Guide.
For information on troubleshooting UAG DirectAccess in a Test Lab, see Test Lab Guide: Troubleshooting UAG DirectAccess.
For more information about DirectAccess, see the DirectAccess Getting Started Web page and the DirectAccess TechNet Web page.
OK folks, this is the last TLG for a week or two. Yes, I still have a couple of important ones that need to be done (TLGs that demonstrate how UAG DirectAccess works with BranchCache [very cool!] and a Pilot Deployment Test Lab Guide where the UAG DirectAccess server belongs to a different forest than the computers and users).
So what is this Test Lab Guide? Nothing other than the Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess with Secure Socket Tunneling Protocol (SSTP) and Remote Desktop Gateway (RDG). For a while I wondered if it was worth the effort to do this one, because I don’t know of many people who are using the RDG feature included with the UAG server. But then I thought about it and realized that maybe no one is using the RDG feature because no one is writing about it For this reason (and also because I wanted to see if it actually worked), I decided to move forward on this Test Lab Guide.
The good news is that it works! Indeed, the combined DirectAccess, SSTP and Remote Desktop Gateway deployment works a treat. I don’t know why I didn’t think of this earlier, not only for writing a Test Lab Guide, but for deploying myself in my home office (actually, my wife Deb Shinder did the live deployment after she tested the Test Lab Guide for me).
The RDG setup also supports down-level clients such as XP and Vista, which helps in those occasional situations when I don’t have a worked laptop and have to borrow one (like when I’m on the road and my laptop dies and I get a “loaner” that is running XP SP2). Accessing the Remote Desktop works great, and also the RemoteApp feature is even more useful – since I can use that together with my DirectAccess client configuration when I need access to an app that’s not installed on my laptop.
I hope you like this Test Lab Guide and find it useful. As always, if you have any questions or problems with this Test Lab Guide, let me know! Send me a note to the email address in my sig line and I’ll get back to you as soon as I can.
“Why does SharePoint ask for credentials when I connect over DirectAccess?”
There is a very long thread on the TechNet forums regarding an unusual authentication issue when DirectAccess clients try to connect to SharePoint sites. There were a lot of posts and a lot of effort was made to determine the nature of the problem. The good news I have for you today is that we’ve solved the problem and have published a fix!
The problem was due to the fact that the automatic logon level for Windows HTTP Services (WinHTTP) is Medium. When the automatic logon level is set to Medium, it prevents the user credentials from being automatically sent to the web server. The end result is that the address is considered an Internet server when you try to access the WebDAV resource like SharePoint which leads to you being asked for credentials.
Here’s the fix for the problem:
http://support.microsoft.com/kb/2288297
Tom Shinder tomsh@microsoft.com Microsoft DAIP iX/SCD iX UAG Direct Access/Anywhere Access Group (AAG) The “Edge Man” blog (DA all the time): http://blogs.technet.com/tomshinder/default.aspx Follow me on Twitter: http://twitter.com/tshinder Facebook: http://www.facebook.com/tshinder
So you’ve gone through our excellent Test Lab Guides (which you can find at http://social.technet.microsoft.com/wiki/contents/articles/test-lab-guides.aspx) and you’ve read the UAG DirectAccess design guide (http://technet.microsoft.com/en-us/library/ee406191.aspx) and the UAG DirectAccess deployment guide (http://technet.microsoft.com/en-us/library/dd857320.aspx). You’ve got the critical hands-on and the key background information after going through those.
What next?
What would be really handy is high level plan of the steps you need to go through as you roll out your pilot project. This is where Jason Jones, Forefront MVP, comes in. He’s published a very handy pair of documents that will really help you clarify your plan.
Check out Jason’s Deploy Forefront UAG DirectAccess in 8 Easy Steps at http://blog.msedge.org.uk/2010/10/deploying-forefront-uag-directaccess-in.html
And if you’re into creating a UAG DirectAccess Array (and most enterprises are going to be deploying arrays), check out his Deploying a Forefront UAG DirectAccess Array in 10 Easy Steps at http://blog.msedge.org.uk/2010/10/deploying-forefront-uag-directaccess.html
Make sure to put Jason’s blog in your Favorites – he’s always coming up with great design and deployment information for UAG DirectAccess on his blog.
Great news! Last week we released the Release Candidate of UAG Service Pack 1. If you haven’t heard about this, then check out the UAG Team Blog post on this subject at http://blogs.technet.com/b/edgeaccessblog/archive/2010/10/21/announcing-forefront-uag-2010-service-pack-1.aspx
However, most organizations don’t want to deploy pre-release software in their production environment. I’ve always said “don’t make your production network your Test Lab”
But you want to see all the new and cool things that UAG SP1 RC has to offer, especially the cool DirectAccess improvements. How do you do that?
Test Lab Guides!
You can test UAG SP1 RC in a safe and sane Test Lab using our new Test Lab Guide format. The new Test Lab Guide – Demonstrate UAG SP1 RC DirectAccess will walk you through configuring a basic working DirectAccess configuration using UAG SP1 RC. You’ll all see the new DirectAccess Monitor – which allows you to get information on who’s connecting through the DirectAccess tunnels.
There will be many more UAG SP1 RC DirectAccess Test Lab Guides published this week, so stay tuned!
Download the Test Lab Guide – Demonstrate UAG SP1 RC DirectAccess over at:
http://go.microsoft.com/fwlink/?LinkId=204993
Hey folks – since the TLGs are typically put up only on the download center, it makes discoverability of some of the cool content inside of them hard when it comes to search engines. Therefore, I’m going to post the full text of the TLGs on the Edge Man blog. However, I recommend that you download the Word .doc version of the TLGs when you actually put together your Test Lab using the Test Lab Guides.
For a downloadable version of the Test Lab Guide – Demonstrate UAG SP1 RC DirectAccess check out:
Forefront Unified Access Gateway (UAG) 2010 SP1 RC provides users with the experience of being seamlessly connected to their intranet any time they have Internet access. When DirectAccess is enabled, requests for intranet resources (such as e-mail servers, shared folders, or intranet Web sites) are securely directed to the intranet, without the need for users to connect to a VPN. DirectAccess enables increased productivity for a mobile workforce by offering the same connectivity experience both inside and outside of the office. Forefront UAG 2010 SP1 RC DirectAccess extends the benefits of Windows DirectAccess across your infrastructure by enhancing availability and scalability, as well as simplifying deployments and ongoing management. For more information, see Overview of Forefront UAG DirectAccess.
IT professionals can benefit from UAG 2010 SP1 RC DirectAccess in many ways:
· Improved Manageability of Remote Users. Without DirectAccess, IT professionals can only manage mobile computers when users connect to a VPN or physically enter the office. With DirectAccess, IT professionals can manage mobile computers by updating Group Policy settings and distributing software updates any time the mobile computer has Internet connectivity, even if the user is not logged on. This flexibility allows IT professionals to manage remote computers on a regular basis and ensures that mobile users stay up-to-date with security and system health policies.
· Secure and Flexible Network Infrastructure. Taking advantage of technologies such as Internet Protocol version 6 (IPv6) and Internet Protocol security (IPsec), DirectAccess provides secure and flexible network infrastructure for enterprises. Below is a list of DirectAccess security and performance capabilities:
o Authentication. DirectAccess authenticates the computer, enabling the computer to connect to the intranet before the user logs on. DirectAccess can also authenticate the user and supports two-factor authentication using smart cards and one-time passwords, such as RSA SecurID.
o Encryption. DirectAccess uses IPsec to provide encryption for communications across the Internet.
o Access to IPv4-only intranet resources. UAG DirectAccess extends the value of Windows DirectAccess with NAT64/DNS64, an IPv6/IPv4 protocol transition technology that enables DirectAccess client connectivity to IPv4-only resources on the intranet.
· High availability and array configuration. UAG DirectAccess extends the value of Windows DirectAccess by adding integrated support for Network Load Balancing and array configuration, which work together to enable a highly available DirectAccess deployment.
· IT Simplification and Cost Reduction. By default, DirectAccess separates intranet from Internet traffic, which reduces unnecessary traffic on the intranet by sending only traffic destined for the intranet through the DirectAccess server. Optionally, IT can configure DirectAccess clients to send all traffic through the DirectAccess server.
The following figure shows a DirectAccess client on the Internet.
This paper contains instructions for configuring and demonstrating UAG2010 SP1 RC DirectAccess using five server computers and two client computers. The starting point for this guide is a Test Lab based on the “Steps for Configuring the Corpnet Subnet “ and “Steps for Configuring the Internet Subnet“ sections of the Test Lab Guide: Base Configuration. The resulting UAG 2010 SP1 RC DirectAccess test lab simulates an intranet, the Internet, and a home network and demonstrates DirectAccess functionality in different Internet connection scenarios.
These instructions are designed for configuring a Test Lab using the minimum number of computers. Individual computers are needed to separate the services provided on the network, and to show clearly the required functionality. This configuration is not designed to reflect best practices, nor does it reflect a required or recommended configuration for a production network. The configuration, including IP address assignment and all other configuration parameters, is designed to work only on a separate Test Lab network. For more information on planning and deploying DirectAccess with Forefront UAG for your production network, please see the Forefront UAG DirectAccess design guide and the Forefront UAG DirectAccess deployment guide
In this test lab scenario, Forefront UAG DirectAccess is deployed with:
CLIENT1 initially connects to the Corpnet subnet and joins the intranet domain. After UAG1 is configured as a Forefront UAG DirectAccess server, and CLIENT1 is updated with the DirectAccess client Group Policy settings, CLIENT1 later connects to the Internet subnet and the Homenet subnet, and tests DirectAccess connectivity to intranet resources on the Corpnet subnet.
The following steps describe how to configure the server and client computers, and configure the Forefront UAG DirectAccess server, in a test lab. Following these configurations you can verify DirectAccess connectivity from the Internet and Homenet subnets.
Note:
You must be logged on as a member of the Domain Admins group or as a member of the Administrators group on each computer to complete the tasks described in this guide. If you cannot complete a task while you are logged on with an account that is a member of the Administrators group, try performing the task while you are logged on with an account that is a member of the Domain Admins group.
· Step 1: Complete the Base Configuration. The Base Configuration is the core of all Test Lab Guide scenarios. The first step is to complete the Base Configuration.
· Step 2: Configure DC1 - DC1 is a Windows Server 2008 R2 computer that is the domain controller, Certificate server, DNS server, File Server and DHCP server for the corp.contoso.com domain.
· Step 3: Configure APP1- APP1 is a Windows Server 2008 R2 computer that acts in the role of the Network Location Server on the network.
· Step 4: Install and Configure APP3 - APP3 is a Windows Server 2003 Enterprise Edition computer that acts as an IPv4 only host and is used to demonstrate DirectAccess connectivity to IPv4 only resources using the UAG DNS64 and NAT64 features. APP3 hosts both HTTP and SMB resources that the DirectAccess client computer will be able to access from other the simulated Internet.
· Step 5: Configure UAG1 – UAG1 acts as UAG SP1 RC DirectAccess.
· Step 6: Configure CLIENT1 – CLIENT1 is a DirectAccess client that is used to test DirectAccess connectivity in several Internet network access scenarios.
· Step 7: Install and Configure NAT1 – NAT1 acts as a simulated NAT router that enables CLIENT1 access to the UAG DirectAccess server over the simulated Internet.
· Step 8: Test DirectAccess Connectivity from the Internet – CLIENT1 is connected to the simulated Internet subnet to demonstrate DirectAccess connectivity using the 6to4 IPv6 transition technology.
· Step 9: Test DirectAccess Connectivity from Behind a NAT Device – CLIENT1 is connected to the simulated private address network to demonstrate DirectAccess connectivity using the Teredo and IP-HTTPS IPv6 transition technologies.
· Step 10: View DirectAccess Connections in the UAG SP1 RC DirectAccess Monitor. UAG SP1 RC includes a new DirectAccess Web Monitor. In this step you will view information about the UAG SP1 RC DirectAccess server and DirectAccess client connections in the new DirectAccess Monitor application.
· Step 11: Test Connectivity When Returning to the Corpnet – CLIENT1 is connected again to the Corpnet subnet to demonstrate how DirectAccess components are automatically disabled to connect to local resources.
· Step 12: Snapshot the Configuration – At the completion of the lab, snapshot the configuration so that you can later return to a working UAG DirectAccess Test Lab.
This Test Lab Guide uses the Base Configuration network as a starting place. Please complete all the steps in Test Lab Guide: Base Configuration before proceeding with the remainder of the steps in this guide. If you have already completed all the steps in the Base Configuration Test Lab Guide and saved a disk image or a virtual machine snapshot of the Base Configuration, then you can restore the Base Configuration and proceed to the next step.
DC1 acts as a domain controller, Certificate server, DNS server, File Server and DHCP server for the corp.contoso.com domain. The following steps build on the Base Configuration to prepare DC1 to carry out these roles to support a working DirectAccess solution:
A. Create a Reverse Lookup Zone on the DNS Server on DC1. A reverse lookup zone for network ID 10.0.0.0/24 is required to create a pointer record for DC1. The pointer record allows reverse name resolution for DC1, and prevents name resolution errors during DNS related configuration steps. The reverse lookup zone is not required for a functional DirectAccess solution.
B. Enter a Pointer Record for DC1. A pointer record for DC1 will allow services to perform reverse name resolution for DC1. This is when performing DNS related operations. It is not required for a functional DirectAccess solution.
C. Enable ISATAP Name Resolution in DNS on DC1. By default, the Windows Server 2008 R2 DNS server will not answer queries for the ISATAP and WPAD host names. The DNS server is configured so that it will answer queries for ISATAP.
D. Create DNS Records for NLS and ISATAP on DC1. The DirectAccess client uses a Network Location Server (NLS) to determine if the computer is on or off the corporate network. If on the corporate network, the DirectAccess client can connect to the Network Location Server using an HTTPS connection. A DNS record is required to resolve the name of the NLS. In addition, a DNS record for ISATAP is required so that ISATAP capable hosts on the network can obtain IPv6 addressing and routing information from the ISATAP router configured on UAG1.
E. Create a Security Group for DirectAccess Clients on DC1. When DirectAccess is configured on the UAG DirectAccess server, it automatically creates Group Policy Objects and GPO settings that are applied to DirectAccess clients and servers. The DirectAccess client GPO uses security group filtering to assign the GPO settings to a designated DirectAccess security group. This group is populated with DirectAccess client computer accounts. This is a required component of a DirectAccess solution.
F. Create and Deploy a Certificate Template for the IP-HTTPS Listener Certificate and the Network Location Server Certificate. A Web site certificate is required for the Network Location Server so that computers can use HTTPS to connect to it when they are on the corporate network. The UAG DirectAccess server uses a Web site certificate on its IP-HTTPS listener so that it can accept incoming connections from DirectAccess clients that are behind network devices that limit outbound connections to only HTTP/HTTPS. A Web site certificate template is created and used for certificate requests to the Microsoft Certificate Server installed on DC1. A Web site certificate bound to the UAG DirectAccess server’s IP-HTTPS is a required component of a working DirectAccess solution.
G. Create ICMPv4 and ICMPv6 Echo Request Firewall Rules in Domain Group Policy on DC1. ICMP v4 and v6 echo requests inbound and outbound are required for Teredo support. Firewall Rules are configured using the Windows Firewall with Advanced Security GPO snap-in to distribute the configuration.
H. Create a Shared Folder on the C:\ Drive on DC1. A shared folder is created on the C:\drive of DC1 to test SMB connectivity for DirectAccess clients to a resources on the CORP domain.
A reverse lookup zone on DC1 for network ID 10.0.0.0/24 is required to create a pointer record for DC1. The pointer record will allow reverse name resolution for DC1, which will prevent name resolution errors during several DNS related configuration steps. The reverse lookup zone is not required for a functional DirectAccess solution and is used as a convenience in this lab.
A pointer record for DC1 will allow services to perform reverse name resolution for the DC1 computer. This will be useful when performing several DNS related operations. It is not required for a functional DirectAccess solution and is configured as a convenience for this lab.
By default, the Windows Server 2008 R2 DNS server will not answer queries for ISATAP and WPAD host names. These names are included in the DNS server’s Global Query Block List. The following procedures configure the DNS server so that it will answer queries for ISATAP by removing ISATAP from the Global Query Block List.
For more information on configuring the global query block list, please see http://download.microsoft.com/download/5/3/c/53cdc0bf-6609-4841-a7b9-cae98cc2e4a3/DNS_Server_Global_%20Query_Block%20List.doc
DirectAccess clients use a Network Location Server to determine if the computer is on or off the intranet. If the DirectAccess client can connect to the Network Location Server using HTTPS, it determines that it is on the corporate network and the Name Resolution Policy Table (NRPT) is disabled. If the DirectAccess client cannot connect to the Network Location Server when on the intranet, the Name Resolution Policy Table remains enabled which can cause name resolution and connectivity problems when the DirectAccess client is situated on the intranet. A DNS record is required for the DirectAccess client to resolve the name of the Network Location Server.
In addition, all IPv6 capable hosts on the corpnet need to resolve the name ISATAP to the internal IP address of the UAG DirectAccess server, so a DNS record is required for ISATAP. The UAG DirectAccess server will act as an ISATAP router for the organization and provides prefix and routing information for ISATAP hosts on the corporate network.
When you run the UAG DirectAccess wizard on the UAG1 computer, the wizard will create Group Policy Objects and deploy them in Active Directory. One GPO is created for the UAG DirectAccess server, and another is created for DirectAccess clients. Security Group filtering is used to apply the DirectAccess GPO settings to the DirectAccess Clients security Group. To obtain the settings required to be a DirectAccess client, the computer must be a member of this security group. Do not use any of the built-in security groups as your DirectAccess client security Group. Use the following procedure to create the DirectAccess security group. This group is required for a working DirectAccess solution.
A Web site certificate is required for the Network Location Server so that computers can use HTTPS to connect to it when the DirectAccess client is on the intranet. In addition, the UAG DirectAccess server uses a web site certificate on its IP-HTTPS listener so that it can accept incoming connections from DirectAccess clients that are behind network devices that limit outbound connections to only HTTP/HTTPS. The following procedures describe how to create a web site certificate template to use for requests to the Microsoft Certificate Server installed on DC1. A web site certificate bound to the UAG DirectAccess server’s IP-HTTPS listener and a web site certificate bound to the Network Location Server Web site are both required for a working DirectAccess solution.
Support for incoming and outgoing ICMPv4 and v6 is required for Teredo clients. DirectAccess clients will use Teredo as their IPv6 transition technology to connect to the UAG DirectAccess server over the IPv4 Internet when they are assigned a private (RFC 1918) IP address and are located behind a NAT device or firewall that allows outbound UDP port 3544. In addition, enabling ping facilitates connectivity testing between participants in the DirectAccess solution.
DirectAccess clients should be able to connect to SMB resources on the intranet when the DirectAccess client is connected to the simulated Internet, or connecting from behind a NAT device over the Internet. A network share is created on DC1 to test DirectAccess client connectivity to SMB resources over the infrastructure tunnel.
APP1 is a Windows Server 2008 R2 Enterprise Edition computer that acts in the role of the Network Location Server for the intranet. We have chosen to not to install the Network Location Server on the domain controller, even though that would have reduced the number of machines required for the lab network. The reason for this is that NLS on the DC can be a problematic if the DC is IPv6 based and can cause potential problems with network location detection. For this reason we have chosen to install the NLS on APP1.
You will perform the following operations to configure APP1:
A. Obtain an NLS Certificate for SSL Connections to the Network Location Server on APP1. APP1 acts as the Network Location Server. To enable this role, APP1 needs a web site certificate so that the DirectAccess clients are able to establish an SSL connection to a Web site on APP1. DirectAccess clients access this site by connecting to Network Location Server name, which is nls.corp.contoso.com in this lab.
B. Configure the HTTPS Security Binding on the NLS Web Site on APP1. The web site certificate needs to be bound to a web site on APP1 so that it can respond to SSL connection requests from the DirectAccess clients on the intranet.
The Network Location Server requires a Web site certificate to enable SSL session establishment with the DirectAccess client. The subject name on this certificate must match the name that the DirectAccess client uses to connect to the Network Location Server. On this Test Lab network, the DirectAccess client tries to connect to connect to the NLS at nls.corp.contoso.com. This name is used later in the DirectAccess configuration wizard on the UAG server.
After the web server role is installed, the web site certificate must be bound to the Network Location Server web site. This is required for the web server to establish an SSL connection with the computer configured as a DirectAccess client, and is a required component of a DirectAccess solution.
APP3 is a Windows Server 2003 SP2 Enterprise Edition computer that acts as an IPv4 only host and is used to demonstrate DirectAccess connectivity to IPv4 only resources using the UAG DNS64 and NAT64 features. APP3 hosts both HTTP and SMB resources that the DirectAccess client computer will be able to access from other the simulated Internet. The UAG NAT64/DNS64 feature set enables organizations to deploy DirectAccess without requiring them to upgrade network resources to native IPv6 or even IPv6 capable.
For more information on NAT64/DNS64 please see Deep Dive Into DirectAccess – NAT64 and DNS64 in Action
The following operations are performed to configure APP3:
A. Install the operating system on APP3 and Disable the Firewall The first step is to install Windows Server 2003 Enterprise Edition SP2 on APP3. This is not a requirement. You could use another IPv4 only operating system, such as Windows 2000 Server or even Windows XP. The goal is to provide an IPv4 resource for the DirectAccess clients to connect to from over the Internet.
B. Install Web services on APP3 Install IIS Web services on APP3 so that HTTP connectivity over the DirectAccess connection to an IPv4 only host is demonstrated.
C. Create a shared folder on APP3 Create a shared folder on APP3 to demonstrate SMB connectivity over the DirectAccess connection.
The first step is to install Windows Server 2003 Enterprise Edition SP2 on APP3. This is not a requirement. You could use another IPv4 only operating system, such as Windows 2000 Server or even Windows XP. The goal is to provide an IPv4 resource for the DirectAccess clients to connect to from over the Internet.
Note: If you install Windows Server 2003 RTM, there is no Windows Firewall and you will not need to disable the firewall.
Install IIS Web services on APP3 so that HTTP connectivity can be demonstrated over the DirectAccess connection.
Create a shared folder on APP3 to demonstrate the ability to connect to an SMB resource on a IPv4 only computer on the DirectAccess connection over the Internet.
UAG1 acts as the UAG DirectAccess server for the network. UAG1 will be connected to both the simulated Internet and the intranet and will need one network interface connected to each of these networks. The UAG DirectAccess server provides the following network services:
· ISATAP router An ISATAP router is an IPv6 router that advertises subnet prefixes to ISATAP hosts and forwards IPv6 traffic between ISATAP hosts and hosts on other IPv4 subnets. The ISATAP router provides ISATAP clients the information they need to properly configure their ISATAP adapters. For more information about ISATAP, please see http://technet.microsoft.com/en-us/magazine/2008.03.cableguy.aspx
· Teredo server A Teredo server is an IPv6/IPv4 node that is connected to both the IPv4 Internet and the IPv6 intranet, supports a Teredo tunneling interface over which packets are received. The general role of the Teredo server is to assist in the address configuration of Teredo clients and to facilitate the initial communication between Teredo clients and other Teredo clients or between Teredo clients and IPv6 hosts. The Teredo server listens on UDP port 3544 for Teredo traffic. DirectAccess clients located behind NAT devices and firewalls use Teredo to connect to the UAG DirectAccess server. For more information on Teredo, please see http://technet.microsoft.com/en-us/library/bb457011.aspx
· IPsec gateway The Full Intranet access model (which is used in this lab document) allows DirectAccess clients to connect to all resources inside the intranet. It does this by using IPsec-based tunnel policies that require authentication and encryption and IPsec sessions terminate at the IPsec Gateway. The IPsec Gateway is a function that is hosted on the UAG DirectAccess server.
· IP-HTTPS server IP-HTTPS is a new protocol for Windows 7 and Windows Server 2008 R2 that allows DirectAccess clients behind a Web proxy server or firewall to establish connectivity by tunneling IPv6 packets inside an IPv4-based HTTPS session. HTTPS is used instead of HTTP so that Web proxy servers will not attempt to examine the data stream and terminate the connection. The UAG DirectAccess server uses an IP-HTTPS listener to accept incoming IP-HTTPS connections. Note that IP-HTTPS does not work behind authenticating web proxies (when authentication is required) or from behind web proxies that perform outbound SSL inspection (such as the TMG 2010 firewall when outbound SSL inspection is enabled).
· NAT64/DNS64 IPv6/IPv4 protocol translator The UAG DirectAccess server includes NAT64 and DNS64, which enables DirectAccess clients on the Internet to connect to IPv4 resources on the intranet. DirectAccess clients always use IPv6 to communicate with intranet servers. When a DirectAccess client needs to connect to IPv4 resources on the intranet, it issues a DNS query for the FQDN of the resource. DNS64 intercepts the request, sends the query to the intranet DNS server, and obtains the IPv4 address of the resource. DNS64 then dynamically generates an IPv6 address for the client to connect to; in addition, DNS64 informs NAT64 of the IPv4/IPv6 mapping. The client issues a request for the dynamically generated IPv6 address, which is intercepted by NAT64, and then NAT64 forwards the request to the IPv4 address of the intranet resource. NAT64 also returns the response based on entries in its state table. For more information about DNS64 and NAT64, please see http://blogs.technet.com/edgeaccessblog/archive/2009/09/08/deep-dive-into-directaccess-nat64-and-dns64-in-action.aspx
· 6to4 relay router A 6to4 relay router can accept traffic from DirectAccess clients using the 6to4 IPv6 transition technology and forward the traffic over an IPv4 intranet. The UAG DirectAccess server acts as the 6to4 relay router and provides addressing information to the DirectAccess clients. DirectAccess clients use this information to configure their 6to4 tunnel adapters to forward IPv6 messages over the IPv4 Internet to the UAG DirectAccess servers. For more information on 6to4 please see http://technet.microsoft.com/en-us/library/cc756770(WS.10).aspx
The following procedures are performed on the UAG1 computer or virtual machine:
A. Rename UAG1 Change the computer name assigned during setup of the Base Configuration to UAG1.
B. Obtain a Certificate for the IP-HTTPS Listener on UAG1 The UAG DirectAccess server uses an IP-HTTPS listener to accept incoming IP-HTTPS connections from DirectAccess clients on the Internet. The IP-HTTPS Listener requires a web site certificate to support the SSL connection between itself and the DirectAccess client.
C. Install Forefront UAG on UAG1 Install the Forefront Unified Access Gateway software on UAG1.
D. Run the UAG Getting Started Wizard on UAG1 The UAG Getting Started Wizard walks you through the process of initial configuration of the UAG server.
E. Run the UAG DirectAccess Configuration Wizard on UAG1 DirectAccess is not enabled by default. You must run the UAG DirectAccess wizard to enable DirectAccess features and capabilities on UAG1.
F. Confirm Group Policy Settings on UAG1 The UAG DirectAccess wizard configures GPOs and settings that are automatically deployed to the Active Directory. One GPO is assigned to the UAG DirectAccess server, and one is deployed to machines that belong to the DirectAccess Clients security group. The step confirms that the Group Policy settings were deployed to the UAG DirectAccess server.
G. Confirm IPv6 Settings on UAG1 For the DirectAccess solution to function, the IPv6 settings on must be correct. This step confirms these setting on UAG1.
H. Update IPv6 Settings on DC1 DC1 is capable of being an ISATAP host. However, this functionality might not be immediately available. This step expedites DC1 setting itself up as an ISATAP host by updating its IPv6 configuration.
I. Update IPv6 Settings on APP1 APP1 is capable of being an ISATAP host. However, this functionality might not be immediately available. This step expedites APP1 setting itself up as an ISATAP host by updating its IPv6 configuration.
J. Confirm IPv6 Address Registrations in DNS IPv6 capable hosts can communicate with one another over IPv6 using their ISATAP adapters. However, they must be able to resolve the destination host to an IPv6 address to use this capability. This step confirms that the IPv6 ISATAP addressees are registered in DNS.
K. Confirm IPv6 Connectivity between DC1/APP1/UAG1 After activity the IPv6 settings on DC1, APP1 and UAG1, test IPv6 connectivity by using the ping utility.
Change the computer name of EDGE1 to UAG1.
The UAG DirectAccess server uses an IP-HTTPS listener to accept incoming IP-HTTPS connections from DirectAccess clients on the Internet. The IP-HTTPS Listener requires a web site certificate to support the SSL connection between itself and the DirectAccess client. The common name on this certificate must be the name the external DirectAccess client uses to connect to the IP-HTTPS Listener, and must be resolvable using an Internet based DNS server to the first of the two consecutive IP addresses bound to the external interface of the UAG DirectAccess server. Perform the following steps to obtain the IP-HTTPS certificate. In addition, you will request a new computer certificate for UAG1 that supports the machine’s new computer name.
In order to connect to the IP-HTTPS listener on UAG1, the DirectAccess client needs to be able to resolve the subject name listed on the IP-HTTPS certificate. In this step you will configure INET1 with a Host (A) DNS record with the name uag1.contoso.com that resolves to 131.107.0.1.
Install the Forefront Unified Access Gateway software on UAG1.
The UAG Getting Started Wizard walks you through the process of initial configuration of the UAG server. This will set up the basic information required to configure the networking settings on the server, define the server topology (standalone or array) and whether or not to join Microsoft update for updating the server.
DirectAccess is not enabled by default. To enable DirectAccess features and capabilities on UAG1, you need to run the DirectAccess Configuration wizard. After running the DirectAccess Configuration Wizard, two new Group Policy objects are created – one is linked to the computer account for the UAG DirectAccess server, and the second is linked to the DirectAccess clients security group (DA_Clients) you configured earlier. In addition, the IPv6 components, including support for IPv6 transition technologies and IPv6/IPv4 protocol transition technologies are enabled on the UAG DirectAccess server.
The UAG DirectAccess wizard configures GPOs and settings that are automatically deployed to the Active Directory. One GPO is assigned to the UAG DirectAccess server, and one is deployed to machines that belong to the DirectAccess Clients security group. The following steps confirm that the Group Policy settings were deployed to the UAG DirectAccess server.
For the DirectAccess solution to function, the IPv6 settings on must be correct. The following steps confirm these setting on UAG1.
DC1 is capable of being an ISATAP host. However, this functionality might not be immediately available. You can expedite DC1 setting itself up as an ISATAP host by updating its IPv6 configuration.
APP1 is capable of being an ISATAP host. However, this functionality might not be immediately available. You can expedite DC1 setting itself up as an ISATAP host by updating its IPv6 configuration.
IPv6 capable hosts can communicate with one another over an IPv4 network with IPv6 using their ISATAP adapters. However, they must be able to resolve the destination host to an IPv6 address to use this capability. The following steps confirm that the IPv6 ISATAP addressees are registered in DNS.
Note that the ISATAP addresses listed in the DNS resource records do not use the dotted decimal format for the last 32 bits of the IPv6 address that you see when using ipconfig to view IP addressing information on the hosts. However, these addresses represent the same information; the only difference is that the last 32 bits are represented in HEX instead of dotted decimal format.
After activating the IPv6 settings on DC1, APP1 and UAG1, test IPv6 connectivity by using the ping utility
CLIENT1 is a computer or virtual machine running Windows 7 Ultimate Edition that is used demonstrate how DirectAccess works in a number of scenarios. CLIENT1 is first connected to the corpnet subnet to receive the DirectAccess Group Policy settings. CLIENT1 is later moved to the simulated Internet to test DirectAccess connectivity over 6to4 and CLIENT1 is moved behind a NAT device to test both Teredo and IP-HTTPS DirectAccess connectivity.
NOTE: CLIENT1 is a Windows 7 computer and after installation the default power plan is applied. CLIENT1 may go to sleep before you reach the end of the lab configuration. To prevent this from happening, select the High Performance power plan in the Control Panel.
The following operations configure CLIENT1:
A. Add CLIENT1 to the DA_Clients Active Directory Security Group The DirectAccess client settings are assigned only to members of the security group designated for DirectAccess clients. Place CLIENT1 in the DA_Clients security group so that the Group Policy settings are assigned to CLIENT1.
B. Test IPv6 Configuration, Confirm Group Policy Settings and Machine Certificate on CLIENT1 Before moving CLIENT1 out of the corpnet and onto the simulated Internet and behind a NAT device, check the IPv6 configuration on CLIENT1, confirm that DirectAccess client Group Policy Settings are enabled on CLIENT1, and that CLIENT1 has the computer certificate required to establish the IPsec connections to the UAG DirectAccess server.
C. Test Connectivity to a Network Share and Network Location Server The final check on CLIENT1 before moving it outside the corpnet is to confirm connectivity to a network share on the corpnet and to the Network Location Server. Connectivity to the Network Location Server is required so that the DirectAccess client can determine if it is on-network or off-network.
The DirectAccess client settings are assigned only to members of the security group designated for DirectAccess clients. You will place CLIENT1 in the DA_Clients security group so that the Group Policy settings are assigned to CLIENT1.
Before moving CLIENT1 out of the corpnet subnet and onto the simulated Internet and behind a NAT device on the Internet, check the IPv6 configuration on CLIENT1, confirm that DirectAccess client Group Policy Settings are enabled on CLIENT1, and that CLIENT1 has the computer certificate required to establish the IPsec connections to the UAG DirectAccess server.
The final check on CLIENT1 before moving it outside the corpnet subnet is to confirm connectivity to a network share on the corpnet subnet and to the Network Location Server. Connectivity to the Network Location Server is required so that the DirectAccess client can determine if it is on or off the corporate network.
NAT1 is a Windows 7 computer configured as a NAT device that separates a private network from the Internet. The built-in Internet Connection Service (ICS) is used to provide the NAT server functionality. ICS includes DHCP server-like functionality and automatically assigns IP addressing information to clients located behind the NAT1 ICS NAT device. NAT1 has two network interfaces – one connected to the simulated Internet and one connected to a Homenet subnet.
NOTE: NAT1 is a Windows 7 computer and after installation the default power plan is applied. NAT1 may go to sleep before you reach the end of the lab configuration. You can prevent this from happening by selecting the High Performance power plan in the Control Panel.
Perform the following operations to configure NAT1 as a NAT device:
A. Install the operating system on NAT1 The first step is to install the Windows 7 operating system.
B. Rename the interfaces on NAT1 Rename the network interfaces in the Network Connections window to make them easier to identify. Note that this is not required, but makes applying the correct settings on the appropriate interface easier.
C. Disable 6to4 functionality on NAT1 Disable 6to4 functionality on NAT 1. The reason for this is that if you don’t disable 6to4 on NAT1, it will act as a 6to4 router and issue a 6to4 address to CLIENT1 when it is connect to the Homenet subnet. This will prevent CLIENT1 from acting as a Teredo or IP-HTTPS DirectAccess client.
D. Configure ICS on the External Interface of NAT1 Internet Connection Services enable NAT1 to act as a NAT device and DHCP server for clients located behind NAT1. This enables CLIENT1 to automatically obtain IP addressing information and connect to the simulated Internet when connected to the Homenet subnet behind NAT1.
The first step is to install the Windows 7 operating system.
In this step you rename the network interfaces in the Network Connections window to make them easier to identify. Note that this is not required, but makes applying the correct settings on the appropriate interface easier.
In the lab environment we use a Windows 7 computer to simulate a NAT device located in a remote location. One issue with Windows 7 when configured as an Internet Connection Service server is that it can act as a 6to4 router. When this is the case, it might assign the CLIENT1 computer behind the NAT1 ICS computer a 6to4 address and prevent it from acting as a Teredo and IP-HTTPS client. In order to demonstrate both Teredo and IP-HTTPS functionality, 6to4 functionality on the NAT1 is disabled.
Internet Connection Services enable NAT1 to act as a NAT device and DHCP server for clients located behind NAT1. This enables CLIENT1 to automatically obtain IP addressing information and connect to the simulated Internet when connected to the Homenet subnet behind NAT1.
CLIENT1 is now ready for DirectAccess testing. In the first set of tests, you connect CLIENT1 to the simulated Internet. When connected to the simulated Internet, CLIENT1 is assigned a public IPv4 address. When a DirectAccess client is assigned a public IPv4 address, it will try to establish a connection to the DirectAccess server using an IPv6 6to4 connection over its 6to4 tunnel adapter. After connecting to the simulated Internet and establishing the DirectAccess connection, you perform a number of tests to confirm IPv6 connectivity and connectivity to corpnet assets from over the simulated Internet.
When a DirectAccess client is connected to the Internet from behind a NAT device or a Web proxy server, the DirectAccess client uses either Teredo or IP-HTTPS to connect to the DirectAccess server. If the NAT device enables outbound UDP port 3544 to the DirectAccess server’s public IP address, then Teredo is used. If Teredo access is not available, the DirectAccess client falls back to IP-HTTPS over outbound TCP port 443, which enables access through firewalls or Web proxy servers over the traditional SSL port. Teredo is the preferred access method, because of its superior performance over IP-HTTPS. In addition, if the web proxy requires authentication, the IP-HTTPS connection will fail. IP-HTTPS connections also fail if the web proxy performs outbound SSL inspection, due to the fact that the HTTPS session is terminated at the web proxy instead of the UAG DirectAccess server. In this section you will perform the same tests performed when connecting using a 6to4 connection in the previous section.
The following procedures are performed on CLIENT1:
A. Test Teredo Connectivity. The first set of tests are performed when the DirectAccess client is configured to use Teredo. This is the automatic setting when the NAT device allows outbound access to UDP port 3544
B. Test IP-HTTPS Connectivity. The second set of tests are performed when the DirectAccess client is configured to use IP-HTTPS. In order to demonstrate IP-HTTPS connectivity, Teredo is disabled on CLIENT1.
The DirectAccess client can use either Teredo or IP-HTTPS when connecting to the DirectAccess server from behind a NAT device. You will first examine the settings and test connectivity using Teredo.
When the DirectAccess client is unable to establish a Teredo connection with the DirectAccess server (typically when a firewall or router has blocked outbound UDP port 3544), the DirectAccess client configures itself to use IP-HTTPS to tunnel IPv6 messages over the IPv4 Internet. In the following exercises you confirm that the host is configured as an IP-HTTPS host and check connectivity.
1. Open an elevated command prompt. In the command prompt window, enter netsh interface teredo set state disabled and press ENTER. This disables Teredo on CLIENT1 and enables CLIENT1 to configure itself to use IP-HTTPS.
2. Open an elevated command prompt. In the command prompt window, enter ipconfig /all and press ENTER. An Ok response appears when the command completes.
3. Examine the output of the ipconfig command. This computer is now connected to the Internet from behind a NAT device and is assigned a private IPv4 address. Teredo is disabled and the DirectAccess client falls back to IP-HTTPS. When you look at the output of the ipconfig command, you see a section for Tunnel adapter iphttpsinterface with an IP address that starts with 2002:836b:2:8100 consistent with this being an IP-HTTPS address. You will not see a default gateway listed for the IP-HTTPS tunnel adapter.
4. In the command prompt window, enter ipconfig /flushdns and press ENTER. This will flush name resolution entries that may still exist in the client DNS cache from when CLIENT1 was connected to the corpnet.
5. In the command prompt window, enter ping dc1 and press ENTER. You should see replies from the ISATAP address assigned to DC1, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.1
6. In the command prompt window, enter ping app1 and press ENTER. You should see replies from the ISATAP address assigned to APP1, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.3
7. In the command prompt window, enter ping uag1 and press ENTER. You should see replies from the ISATAP address assigned to UAG1, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.2
8. In the command prompt window, enter ping app3 and press ENTER. You should see replies from the NAT64 address assigned by UAG1 to APP3, which in this case is 2002:836b:2:8001::a00:4
9. In the command prompt window, enter netsh namespace show effectivepolicy and press ENTER. The output shows the current settings for the Name Resolution Policy Table (NRPT). These settings indicate that all connections to .corp.contoso.com should be resolved by the DirectAccess DNS Server, which is the UAG DirectAccess server, with the IPv6 address of 2002:836b:3::836b:3. Also, note the NRPT entry indicating that there is an exemption for the name nls.corp.contoso.com; names on the exemption list are not answered by the DirectAccess DNS server. You can ping the DirectAccess DNS server IP address to confirm connectivity to the DirectAccess server; for example, you can ping 2002:836b:3::836b:3 in this example.
10. In the Internet Explorer address bar, enter http://app1.corp.contoso.com and press ENTER. You will see the default IIS site on APP1.
11. In the Internet Explorer address bar, enter http://app3.corp.contoso.com and press ENTER. You will see the default web site on APP3.
12. Click Start and in the Search box, enter \\App3\Files and press ENTER. Double click on the New Text Document file. This demonstrates that you were able to connect to an IPv4 only server using SMB to obtain a resource on an IPv4 only host.
13. Click Start and in the Search box, enter Firewall and press ENTER.
14. In the Windows Firewall with Advanced Security console, notice that only the Private profile is active. The Windows Firewall must be enabled for DirectAccess to work correctly. If for some reason the Windows Firewall were disabled, DirectAccess connectivity would fail.
15. Expand the Monitoring node in the left pane of the console and click the Connection Security Rules node. You should see the active connection security rules: UAG DirectAccess Client – Client Access Enabling Tunnel – All, UAG DirectAccess Client – Clients Corp Tunnel and UAG DirectAccess Client – Exempt NLA. Scroll the middle pane to the right to expose the 1st Authentication Methods and 2nd Authentication Methods columns. Notice that the first rule uses NTLMv2 to establish the infrastructure tunnel and the second rule uses Kerberos V5 to establish the intranet tunnel.
16. In the left pane of the console, expand the Security Associations node and click the Main Mode node. Notice the infrastructure tunnel security associations using NTLMv2 and the intranet tunnel security association using Kerberos V5. When you right click the Kerberos security association, you will see authentication for CORP\User1. This indicates that the client was able to authenticate with the CORP domain using Kerberos to establish the second (intranet) tunnel.
17. Close the System Control Panel window and the Windows Firewall with Advanced Security console. Close all other open windows before moving to the next step.
A new feature included in UAG 2010 Service Pack 1 DirectAccess is the new DirectAccess Monitor feature that is included in the UAG Web Monitor applications. You can use the DirectAccess Monitor to obtain information about current and historical connections to the UAG DirectAccess server.
Perform the following steps to view the DirectAccess client connections in the UAG 2010 Service Pack 1 DirectAccess Monitor:
Many of your users will move between remote locations and the corpnet, so it’s important that when they return to the corpnet that they are able to access resources without having to make any configuration changes. UAG DirectAccess makes this possible because when the DirectAccess client returns to the corpnet, it is able to make a connection to the Network Location Server. Once the HTTPS connection is successfully established to the Network Location Server, the DirectAccess client disables it DirectAccess client configuration and uses a direct connection to the corpnet.
This completes the DirectAccess test lab. To save this configuration so that you can quickly return to a working DirectAccess configuration from which you can test other DirectAccess modular TLGs, TLG extensions, or for your own experimentation and learning, do the following:
For information about troubleshooting DirectAccess in a Test Lab, see the Test Lab Guide: Troubleshoot UAG DirectAccess.
For a comprehensive list of UAG DirectAccess Test Lab Guides, see the TechNet wiki Test Lab Guide clearinghouse at Test Lab Guides.
Test Lab Guides make it easy to test new products and technologies in a pre-tested, well defined Test Lab. Our new Test Lab Guide system is designed so that you don’t have to reinvent the wheel each time you put together a Test Lab each time you want to test out something new. Test Lab Guides are modular, which means you reuse your Test Labs over time to test new technologies and new scenarios. In the course of a year, TLGs should end up saving your potentially hundreds of hours in test time.
In addition, Test Lab Guides “take the covers off” so that you understand what’s happening on the front-end and back-end – something you don’t get with “hands-on labs” where the front-end and back-end are preconfigured and “magically” work. Unfortunately, you can’t take that magic home with you when you actually want to put together a test lab of you own.
If you haven’t checked out how Test Lab Guides work and the philosophy behind them, then check out my blog post on the TLG concept over at http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
I’m glad you asked! All Test Lab Guides start with the “Base Configuration” which you can find at http://www.microsoft.com/downloads/en/details.aspx?FamilyID=ab6c61af-9c34-4692-815c-4396b482d31b&displayLang=en
The Base Configuration Test Lab Guide sets up the contoso.com forest. For all Test Lab Guide modules that test a product or technology, or a collection of products or technologies in a single forest environment, you’ll always start with the Base Configuration. But what if you want to test a product or technology or a collection of products or technologies that includes two forests over the Internet, such as scenarios where two different organizations want to collaborate?
You could use the Base Configuration to build out the contoso.com forest, and the cobble together a test lab configuration for the partner network, but that wouldn’t be very reusable or very scalable. What would be better is if you had a standard and tested configuration for the partner network – where you can then build scenarios on top of that.
Sounds good, right? I thought so! That’s where the Fabrikam Test Lab guide comes in. In the Fabrikam Test Lab Guide, we define the configuration of the partner network for you, and it plugs right into the Base Configuration Test Lab Guide that defines the contoso.com test lab. After you finish the Fabrikam Test Lab Guide, you’ll have a second forest, the fabrikam.com forest, which is separated from the contoso.com forest by a simulated Internet.
I see the Fabrikam TLG being used primarily in the two following scenarios:
As with all Test Lab Guides – I’m here to help. If you need help in creating your own Test Lab Guides, let me know. I think once you get into the groove with writing your own Test Lab Guide extensions and posting them to the wiki, you’ll find them a lot of fun! I know I do. If you have questions or run into issues with this TLG or with TLGs you want to write, let me know. Just write to the email address in my sig line.
So you liked what you saw after going through the Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess Test Lab Guide. In that guide you saw how to set up a working DirectAccess configuration with UAG SP1 RC and were able to check out the new Web Monitor view of DirectAccess client connections.
So what’s next? How about some UAG SP1 RC DirectAccess Remote Management?
You got it!
The new Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess Remote Management shows you how to configure UAG DirectAccess clients so that you can manage them from management stations on your intranet. The “always connected” nature of DirectAccess makes it the ideal “always managed” solution – and you can extend that by configuring custom firewall rules to gain even greater control and increased visibility of all your managed assets, regardless if those assets are on the intranet or anywhere on the Internet.
This Test Lab Guide covers several remote management scenarios, including a scenario enabled by a new feature in UAG SP1 RC that allows you to configure DirectAccess clients for remote management only. This was something that our UAG DirectAccess customers asked for, so we made it happen!
This new feature allows IT to always have access to DirectAccess clients – but doesn’t allow users to access the intranet through a DirectAccess connection. One example of why you might do this is when you want to have command and control over all your managed assets, but don’t want the users to have open network access to the intranet over the Internet – providing for a “manage only” DirectAccess deployment.
As always, if you have questions, suggestions or comments about this or any other UAG DirectAccess related Test Lab Guide, let me know! Just write to the email address in my sig line and I’ll get back to you.
Tom Shinder tomsh@microsoft.com Knowledge Engineer, Microsoft DAIP iX/SCD iX UAG Direct Access/Anywhere Access Group (AAG) The “Edge Man” blog (DA all the time): http://blogs.technet.com/tomshinder/default.aspx Follow me on Twitter: http://twitter.com/tshinder Facebook: http://www.facebook.com/tshinder
For a downloadable version of the Test Lab Guide – Demonstrate UAG SP1 RC DirectAccess Remote Management check out:
http://go.microsoft.com/fwlink/?LinkId=205210
Introduction
Forefront Unified Access Gateway (UAG SP1 RC) provides users with the experience of being seamlessly connected to their intranet any time they have Internet access. When DirectAccess is enabled, requests for intranet resources (such as e-mail servers, shared folders, or intranet Web sites) are securely directed to the intranet, without the need for users to connect to a VPN. DirectAccess enables increased productivity for a mobile workforce by offering the same connectivity experience both inside and outside of the office. Forefront UAG SP1 RC DirectAccess extends the benefits of Windows DirectAccess across your infrastructure by enhancing availability and scalability, as well as simplifying deployments and ongoing management. For more information, see Overview of Forefront UAG DirectAccess.
This Test Lab Guide provides step-by-step instructions for configuring Forefront UAG SP1 RC DirectAccess Remote Management in a test lab so that you can see how it works. You will set up and deploy Forefront UAG SP1 RC DirectAccess using 5 server computers, two client computers, Windows Server 2008 R2 Enterprise Edition, Windows Server 2003 Enterprise Edition SP2, and Windows 7 Ultimate Edition. The Test Lab simulates intranet, Internet, and a home networks, and demonstrates Forefront UAG SP1 RC DirectAccess in different Internet connection scenarios.
These instructions are designed for configuring a test lab using the minimum number of computers. Individual computers are needed to separate the services provided on the network, and to show clearly the required functionality. This configuration is not designed to reflect best practices, nor does it reflect a required or recommended configuration for a production network. The configuration, including IP addresses and all other configuration parameters, is designed to work only on a separate test lab network. For more information on planning and deploying DirectAccess with Forefront UAG SP1 RC, please see the Forefront UAG DirectAccess design guide and the Forefront UAG DirectAccess deployment guide
This Test Lab Guides builds on the Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess. You will need to complete all the steps in that guide before you can complete the steps in this Test Lab Guide.
In this test lab scenario, Forefront UAG SP1 RC DirectAccess is deployed with:
The following components are required for configuring Forefront UAG SP1 RC DirectAccess in the test lab:
The following steps describe how to configure the server and client computers, in a test lab. Following these configurations you can verify DirectAccess connectivity from the Internet and Homenet subnets. In addition, you will see how you can manage DirectAccess clients from management computers on the intranet. This Test Lab Guide also highlights a new feature included in UAG SP1 RC, which allows you to limit DirectAccess client connectivity to the intranet tunnel only, which enables continuous management of DirectAccess clients without allowing users to access resources on the intranet.
You will perform the following steps to demonstrate UAG SP1 RC DirectAccess remote management in this Test Lab Guide:
· Step 1: Complete the Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess – This Test Lab Guide builds on the configuration created after completing the steps in Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess.
· Step 2: Configure Remote Management – In this step you will create the DirectAccess client OU, create and configure a DirectAccess client GPO and refresh the remote access client configuration and enabling remote desktop connectivity to DirectAccess clients.
· Step 3: Test Remote Management of DirectAccess Clients – After the new firewall settings are deployed to the DirectAccess client, management servers on the corporate network can initiate connections to the DirectAccess client. In this step you validate the settings and establish connections from DC1 to CLIENT1, when CLIENT1 is acting as a DirectAccess client behind NAT1.
· Step 4: Limit DirectAccess Client to Only the Management Tunnel. In this step you will configure UAG1 to limit DirectAccess client connectivity to only the infrastructure tunnel.
· Step 5: Snapshot the Configuration. After completing the Test Lab, take a snapshot of the working UAG SP1 RC DirectAccess NLB array so that you can return to it later to test additional scenarios.
The first step is to complete all the steps in the Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess. After completing the steps in that Test Lab Guide you will have the core infrastructure required to complete this Test Lab Guide on how to configure UAG SP1 RC DirectAccess remote management. If you have already completed the Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess Test Lab Guide and saved the configuration in either a virtual machine snapshot or disk image for a physical deployment, you can restore that configuration and begin with the next step.
DirectAccess uses two IPsec tunnels between DirectAccess client and server to enable communications to the corporate network. The first IPsec tunnel is the “infrastructure” tunnel. This tunnel is established after the DirectAccess client computer starts, but before the user logs on. Authentication is required for this tunnel, and both a computer certificate and the computer account in Active Directory are used to authenticate the first IPsec tunnel connection. The second tunnel (the intranet tunnel) is established after the user logs on and allows the user to access network resources. Authentication for this tunnel uses computer certificate and user (Kerberos) authentication in Active Directory.
The infrastructure tunnel provides bidirectional access to and from servers included in the management servers collection, as defined in the DirectAccess configuration wizard. These servers can connect to DirectAccess clients over the infrastructure tunnel, so that connectivity is enabled whenever the DirectAccess client computer is turned on, regardless of whether the user is logged on. The infrastructure tunnel enables remote management scenarios where administrators can apply patches, make configuration changes, and employ their full suite of configuration and management tools not only to computers on the corporate network, but to any DirectAccess client on the Internet.
You will perform the following procedures to enable several remote management scenarios:
A. Create the DirectAccess Client Organizational Unit and Place CLIENT1 in the New OU. New firewall rules are required to enable some aspects of remote management of DirectAccess clients. Firewall rules can be configured on each client individually, but it is more efficient to use Group Policy to distribute the new firewall rules to all DirectAccess clients. Changes could be made to the DirectAccess Client GPO created by the UAG SP1 RC DirectAccess wizard, but these settings are overwritten each time the wizard is run. Therefore, you will create new GPO to support these custom settings. The new GPO is then linked to an OU that is populated with the DirectAccess client computer accounts.
B. Create and Configure the DirectAccess GPO and Link it to the DirectAccess Client OU. The DirectAccess GPO is linked to the DirectAccess client OU. In this step you create and populate the DirectAccess client OU.
C. Refresh the DirectAccess Client Configuration and Enable Remote Desktop Connections to CLIENT1. The DirectAccess clients need to refresh this Group Policy configuration to receive the new GPO settings. In this step the DirectAccess client refreshes it Group Policy configuration to receive the new firewall settings.
Remote management scenarios for DirectAccess clients can happen in two ways. In the first scenario, the DirectAccess client contains one or more management agents that initiate connections to management servers on the corporate network over either the infrastructure or intranet tunnel. If the user is not logged on, the management agents can initiate connections to management servers over the infrastructure tunnel. If the user is logged on, either the infrastructure or intranet tunnel can be used by the DirectAccess client to connect to the intranet. No special firewall rules are required for the DirectAccess client to initiate connections to management servers.
In the second scenario, management servers initiate connections to the DirectAccess client. Special Windows Firewall with Advanced Security firewall rules are required to enable management servers to initiate connections to Active Directory clients when the DirectAccess client is located behind a NAT device. These firewall rules must be configured for each desired protocol used to initiate the connection to the DirectAccess client, and then each of these rules must enable Edge Traversal.
The special firewall rules can be configured on each DirectAccess client individually. However, this manual approach does not scale. A better solution is to use Active Directory Group Policy to configure and distribute the new firewall rules for the desired protocols with Edge Traversal enabled.
While it is possible to configure these rules using the GPO created by the UAG SP1 RC DirectAccess wizard, these GPO settings are overwritten each time the wizard is run and the new GPO settings deployed. A viable alternative is to create a new GPO and a new Organizational Unit for the DirectAccess clients. The new DirectAccess client GPO can be linked to the new OU to apply the firewall rules required for management servers to initiate connections to the DirectAccess clients.
Note: DirectAccess clients using the 6to4 IPv6 transition technology to connect to the DirectAccess server do not require special firewall rules with Edge Traversal. However, since you cannot predict when any specific DirectAccess client will use any specific IPv6 transition technology at any specific point in time, you should always enable Edge Traversal on your firewall rules.
To apply the GPO settings to the DirectAccess clients, we create an Organizational Unit that will contain the DirectAccess clients. The DirectAccess GPO is linked to the new OU. The first step is to create the DirectAccess OU and place the CLIENT1 into this OU.
The following steps are carried out on DC1.
DirectAccess clients that connect to the DirectAccess server using Teredo or IP-HTTPS need special Firewall Rules to support “manage out” connections. These firewall rules are created for each protocol needed to connect from the intranet to the DirectAccess client. By default, there are no Firewall Rules that allow outbound management from management servers on the intranet, so you must create rules to allow the required protocols. The best way to deploy these Firewall Rules is by configuring them in Group Policy so that the settings are automatically deployed. In this example we will create rules that allow management computers on the corpnet to connect to DirectAccess clients on the Internet using Ping, File Services and Remote Desktop Protocol. Perform the following steps on DC1.
CLIENT1 needs to receive the firewall rules configured in Group Policy. That can be done by initiating a Group Policy refresh while CLIENT1 is running as a DirectAccess client on the Internet. In addition, CLIENT1 needs to be configured to allow Remote Desktop connections before it can accept RDC connections from a management server on the corpnet. Perform the following steps on CLIENT1.
The DirectAccess client is now ready for remote management using the protocols configured in the Firewall Rules that allow for Edge Traversal. Perform the following procedures on DC1. The procedures are performed on DC1 because DC1 is the only computer that is on the management servers list and therefore the only one that can connect to CLIENT1 over the infrastructure tunnel. In addition, CLIENT1 will be restarted, but you will not log on, so that DC1 will be forced to use the infrastructure tunnel to connect to CLIENT1. The intranet tunnel is only available after the user logs on to the DirectAccess client computer.
While seamless access to the intranet for DirectAccess clients is a compelling use case for DirectAccess users, many IT organizations find the remote management capabilities even more useful. There may be some organizations that prefer that only the infrastructure tunnel be available so that DirectAccess client are always managed, but that users cannot access resources on the intranet. UAG SP1 RC includes a new feature that allows you to configure DirectAccess clients so that they only have access to the intranet tunnel.
In this step we will demonstrate how to configure DirectAccess clients so that they have access only to the intranet tunnel so that they can be always managed:
1. *At UAG1, click Start and then click All Programs. Click Microsoft Forefront UAG and then click Forefront UAG Management. In the User Account Control dialog box, click Yes.
2. In the Microsoft Forefront Unified Access Gateway Management console, click DirectAccess in the left pane of the console.
3. In the right pane of the console, in the Step 1 Clients and GPOs section, click Edit.
4. This starts the Clients and GPOs Configuration wizard. On the Deployment Model page, select the Enable remote management of DirectAccess client only option. Confirm that there is a checkmark in the Allow only services running under the client computer account to access infrastructure servers used for remote management checkbox. This option allows system services running in the context of the local computer account to connect to infrastructure servers through the infrastructure tunnel, but does not allow processes running in the context of the logged on user account to reach infrastructure servers. In addition, because the intranet tunnel cannot be established, the user cannot reach any other server on the intranet. Click Next.
5. On the Client Domains page, click Next.
6. On the Policy Management page, click Next.
7. On the Client Groups page, click Finish.
8. In the right pane of the Microsoft Forefront Unified Access Gateway Management console, click the Apply Policy button.
9. On the Forefront UAG DirectAccess Configuration Review page, click Apply Now. Click OK in the DirectAccess Policy Configuration dialog box after you see it report Script run completed with no errors or warning.
10. On the Forefront UAG DirectAccess Configuration Review page, click Close.
11. Open and elevated command prompt. In the command prompt window, enter gpupdate /force and press ENTER. Close the command prompt window when the command completes.
12. *Go to CLIENT1. Log on as CORP\User1. Open an elevated command prompt. In the command prompt window, enter gpupdate /force and press ENTER. Notice that the gpupdate fails, as this command is run under the user context.
13. In the command prompt window, enter net view \\dc1 and press ENTER. You will see that you get a System Error 53 occurred. The network path was not found. Again, the connection attempt fails because the command is sent in the context of the current user.
14. In the command prompt window, enter ping dc1 and press ENTER. You will see four responses from DC1’s ISATAP assigned IPv6 address. This indicates that DNS queries are working correctly over the infrastructure tunnel. DNS queries are sent by the DNS client service in the context of the local computer account, so CLIENT1 was able to resolve the name of DC1. The ping request was send in the context of the local user account. This request was successful because ICMPv6 communications are not sent over the IPsec tunnel, therefore there is no authentication failure.
15. *Return to DC1. Open and elevated command prompt. In the command prompt window enter net view \\client1 and press ENTER. Notice that you can still access CLIENT1 because DC1 connects to CLIENT1 through the infrastructure tunnel.
16. On DC1, open Event Viewer from the Administrative Tools menu. Review the entries related to CLIENT1 starting up and receiving Group Policy settings and machine authentication. This further demonstrates that CLIENT1 was able to communicate with DC1 during the startup process because of the access provided over the infrastructure tunnel.
This completes the UAG SP1 UAG SP1 RC DirectAccess remote management test lab. To save this configuration so that you can quickly return to a working UAG SP1 RC DirectAccess remote management configuration from which you can test other DirectAccess modular TLGs, TLG extensions, or for your own experimentation and learning, do the following:
1. On all physical computers or virtual machines in the test lab, close all windows and then perform a graceful shutdown.
2. If your lab is based on virtual machines, save a snapshot of each virtual machine and name the snapshots UAG SP1RC DirectAccess Remote Management. If your lab uses physical computers, create disk images to save the DirectAccess test lab configuration
For procedures required to build this Test Lab Guide, see Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess.
For the design and configuration of your pilot or production deployment of DirectAccess, see the Forefront UAG SP1 RC DirectAccess design guide and the Forefront UAG SP1 RC DirectAccess deployment guide.
For information on how to troubleshoot UAG DirectAccess in a Test Lab, see Test Lab Guide: Troubleshoot UAG DirectAccess.
For a comprehensive list of UAG DirectAccess Test Lab Guides, see Test Lab Guides.
===================================
The march of the Test Lab Guides continues!
Today I’m offering up to you a Test Lab Guide I think you’re really going to like – the Test Lab Guide – Demonstrate UAG SP1 RC DirectAccess with NAP. In this Test Lab Guide, we change up the NAP settings by putting the Network Policy Server (NPS) and Health Registration Authority (HRA) on the UAG DirectAccess server itself. This is in contrast to how we did it in the previous Test Lab Guide for NAP (Test Lab Guide: Demonstrate UAG DirectAccess and NAP), where we set up the NPS server and the HRA server on DC1. The ability to put the NPS and HRA servers on the UAG server itself is new with UAG SP1.
Why would you want to put the NPS and HRA servers on the UAG server or the servers in the UAG DirectAccess array?
Some reasons why you might want to do this include:
Of course, there might be other reasons why you’d like to put the NPS and HRA servers on the UAG DirectAccess server or array members. And, you might find that you like NAP so much that after you’ve deployed it for your DirectAccess clients, you’ll want to create a larger deployment. That option is still available to you.
I hope you like the Test Lab Guide – Demonstrate UAG SP1 RC DirectAccess with NAP!
Let me know if there is anything I can do to improve it – or if there are other features or configuration options regarding DirectAccess and NAP that you’ll want to see in the RTM version of the document. Also, if you want any questions or need help with the TLG, just let me know! Write to me at the address in my sig line and I’ll get right back to you.
For a downloadable version of the Test Lab Guide – Demonstrate UAG SP1 RC DirectAccess with NAP check out:
http://go.microsoft.com/fwlink/?LinkId=205354
Network Access Protection (NAP), built into Windows Server 2008 R2 and Windows 7, enforces health requirements by monitoring and assessing the health of client computers when they attempt to connect or communicate on a network. Client computers that are not in compliance with system health requirements can be provided with restricted network access until their configuration is updated and brought into compliance.
Combining DirectAccess with NAP allows you to verify that DirectAccess client computers meet your system health requirements before allowing access to the intranet.
To learn more about NAP, see the Network Access Protection Product Information Web site.
UAG DirectAccess SP1 RC enables you to deploy DirectAccess and NAP in two different ways. You can deploy a NAP infrastructure on your intranet that can be used by all systems on your network where the NAP infrastructure components are installed on one or more servers on your intranet. This option was available prior to UAG DirectAccess SP1 RC. A new option available with UAG DirectAccess SP1 RC is the ability to host the NAP server (Network Policy Server) and the Health Registration Authority on the UAG servers themselves. This option is useful if you don’t already have an established NAP deployment and want to focus your NAP design on DirectAccess clients only. We will enable the new NAP option in this Test Lab Guide.
This guide provides step-by-step instructions for configuring UAG DirectAccess SP1 RC with NAP in a test lab so that you can see how it works. You will set up and deploy UAG DirectAccess SP1 RC using five server computers, two client computers, Windows Server 2008 R2 Enterprise edition, and Windows 7 Ultimate Edition. The Test Lab simulates intranet, Internet, and a home networks, and demonstrates Forefront UAG DirectAccess with NAP. The starting point for this paper is the Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess .
This Test Lab Guide demonstrates UAG DirectAccess SP1 RC with NAP in full enforcement mode where the UAG DirectAccess SP1 RC server requires health certificates for authentication to access resources through the intranet tunnel. Noncompliant UAG DirectAccess SP1 RC clients cannot access the intranet and cannot use their computer certificate for authentication of the intranet tunnel.
For more information about the different modes of NAP, see Stages of a NAP Deployment.
Attempting to adapt this test lab configuration to a pilot or production deployment can result in configuration or functionality issues. To ensure proper configuration and operation of UAG DirectAccess with NAP for your pilot or production DirectAccess deployment, use the information in Planning Forefront UAG DirectAccess with Network Access Protection (NAP) for your planning and design decisions and Forefront UAG DirectAccess Deployment Guide for the steps to configure the UAG DirectAccess server and supporting infrastructure servers.
The following sections describe how to configure UAG1, APP1 and CLIENT1 for UAG DirectAccess SP1 RC with NAP. After UAG1, APP1 and CLIENT1 are configured, this guide provides steps for demonstrating NAP functionality for CLIENT1 when it is connected to the Homenet subnet.
The following procedures are performed to enable and allow you to test each of them:
· STEP 2: Install the CA Server Role on APP1. In this step you will install a subordinate Certification Authority on APP1 so that it will be able to create health certificates for DirectAccess NAP clients.
· STEP 3: Configure the Subordinate CA and CA Permissions on APP1. In this step you will configure the subordinate CA on APP1 so that it will automatically grant certificates when requested by the UAG1, which is configured as a Health Registration Authority. You will also configure permissions on the CA to enable UAG1 to issue and manage certificates, manage the CA and request certificates.
· STEP 4: Configure UAG1 as an NPS Server and NAP health Registration Authority (HRA). In this step you will reconfigure the DirectAccess settings on UAG1 to support NAP policy enforcement for DirectAccess clients. After you complete this step, UAG1 will be configured as a Network Policy Server that provides NAP server functionality, as well as a Health Registration Server (HRA).
· STEP 5: Verify NAP Configuration on CLIENT1. In this step you will confirm that CLIENT1 received the Group Policy settings required for NAP clients and confirm that CLIENT1 received a health certificate from UAG1.
· STEP 6: Install Microsoft Security Essentials on CLIENT1. In this step you will connect CLIENT1 to a live portion or your network so that it can download and install Microsoft Security Essentials.
· STEP 7: Confirm that CLIENT1 Passes NAP Evaluation. In this step you will move CLIENT1 to the Homenet subnet and confirm that CLIENT1 can pass NAP evaluation and access resources on the intranet through the intranet tunnel.
· STEP 8: Confirm that CLIENT1 cannot access the Intranet Tunnel when NAP Non-Compliant. In this step you will confirm that when CLIENT1 does not meet health requirements it will not be able to connect to resources through the DirectAccess intranet tunnel.
· Step 9: Snapshot the configuration. After completing the Test Lab, take a snapshot of the working UAG DirectAccess with NAP Test Lab so that you can return to it later to test additional scenarios.
The first step is to complete all the steps in the Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess. After completing the steps in that Test Lab Guide you will have the core infrastructure required to complete this Test Lab Guide on how to configure UAG DirectAccess with NAP. If you have already completed the steps in that Test Lab Guide and saved a snapshot or disk image of the Test Lab, you can restore the snapshot or image and begin with the next step.
In this step you will install a subordinate Certification Authority on APP1 so that it will be able to create health certificates requested by the Health Registration Authority (HRA) on UAG1 for DirectAccess NAP clients.
In this step you will configure the subordinate CA on APP1 so that it will automatically grant certificates when requested by UAG1. You will also configure permissions on the CA to enable UAG1 to issue and manage certificates, manage the CA and request certificates.
8. In the console tree of the Certification Authority snap-in, right-click corp-APP1-SubCA, and then click Properties.
9. Click the Security tab, and then click Add.
10. Click Object Types, select Computers, and then click OK.
11. Type DC1, and then click OK.
12. Click DC1, select the Issue and Manage Certificates, Manage CA, and Request Certificates check boxes under Allow, and then click OK.
13. Close the Certification Authority console
In this step you will reconfigure the DirectAccess settings on UAG1 to support NAP policy enforcement for DirectAccess clients. After you complete this step, UAG1 will be configured as a Network Policy Server that provides NAP server functionality, as well as a Health Registration Server (HRA). In addition the Connection Security Rule on the UAG DirectAccess server that controls access to the intranet tunnel will require DirectAccess clients to present a health certificate to successfully authenticate.
In this step you will confirm that CLIENT1 received the Group Policy settings required for NAP clients and confirm that CLIENT1 received a health certificate from DC1.
The UAG SP1 RC DirectAccess wizard has configured the SHV on the NAP server to use the default settings. One of these settings is to require that that a healthy client have an anti-virus application installed and that it is up to date. In this step you will connect CLIENT1 to a live portion or your network so that it can download and install Microsoft Security Essentials.
In this step you will move CLIENT1 to a Homenet subnet and confirm that CLIENT1 can pass NAP evaluation and access resources on the intranet through the intranet tunnel.
In this step you will confirm that when CLIENT1 does not meet health requirements it will not be able to connect to resources through the DirectAccess intranet tunnel. In the test lab, DC1 is accessible through the infrastructure tunnel and APP1 is accessible through the intranet tunnel. When the UAG DirectAccess NAP client fails validation, it can only access resources available through the infrastructure tunnel.
This completes the UAG SP1 RC DirectAccess with NAP test lab. To save this configuration so that you can quickly return to a working UAG SP1 RC DirectAccess with NAP configuration from which you can test other DirectAccess modular TLGs, TLG extensions, or for your own experimentation and learning, do the following:
2. If your lab is based on virtual machines, save a snapshot of each virtual machine and name the snapshots TLG UAG DirectAccess SP1RC NAP. If your lab uses physical computers, create disk images to save the DirectAccess test lab configuration.
For a comprehensive list of UAG DirectAccess Test Lab Guides, please see Test Lab Guides.
I’m happy to announce the release of the latest UAG DirectAccess Test Lab Guide – Test Lab Guide: Demonstrate Forefront UAG SP1 RC DirectAccess Force Tunneling, which you can download now at http://go.microsoft.com/fwlink/?LinkId=205454
I found this Test Guide to be especially interesting to put together. If you haven’t heard of Force Tunneling – here’s a little background.
By default, when you configure DirectAccess clients (both Windows DirectAccess and UAG DirectAccess), connections to the intranet are sent through the DirectAccess IPsec tunnels. Connections to Internet resources are sent directly to the Internet servers. This means there are two active paths: one path (the DirectAccess IPsec tunnels) carries traffic to and from the intranet, and a second path, for everything else (including Internet access). If this seems familiar to you, then you’re probably right – this configuration is sometimes referred to as “split tunneling”.
Now, split tunneling has a bit of a history behind it and like all issues that have a history, there are many people who might carry the historical baggage with them. Split tunneling had been considered in the past to be a potential security issue for remote access VPN client connections, and that’s where the idea of split tunneling got it’s checkered reputation. Because of this, many firms will not allow split tunneling. However, this attitude is slowly changing, as we’ve found that about half of enterprises now allow split tunneling for their remote access VPN client connections.
For more information on split tunneling issues, check out my articles:
Why Split Tunneling is not a Security Issue with DirectAccess http://blogs.technet.com/b/tomshinder/archive/2010/03/02/why-split-tunneling-is-not-a-security-issue-with-directaccess.aspx
More on DirectAccess Split Tunneling and Force Tunneling http://blogs.technet.com/b/tomshinder/archive/2010/03/30/more-on-directaccess-split-tunneling-and-force-tunneling.aspx
Although we don’t consider split tunneling to introduce security issues when compared to non-split tunneling configurations, many organizations still do. For that reason, we’ve made it possible to disable split tunneling for DirectAccess clients, using a configuration that we refer to as “Force Tunneling”. When Force Tunneling is enabled, all traffic is sent over the DirectAccess IPsec tunnels, so that both intranet bound and Internet bound traffic is sent over the DirectAccess tunnels. While this will exact a performance toll on the DirectAccess server, it does enable you to force all traffic over the DirectAccess connections.
So what happens to the Internet bound traffic after it goes over the DirectAccess tunnels? UAG SP1 provides you two options:
In the Test Lab Guide I go over both of these configuration options. When testing access through a web proxy, you’ll be using TMG 2010 as the web proxy provider.
I hope you like this Test Lab Guide! Let me know if there’s anything that you think I should add to it, or if there are some other configuration options you’d like to have included to make it more comprehensive. If you have problems with this Test Lab Guide, or any other Test Lab Guide, let me know! Just write to the email address in my sig line and I’ll get right back to you.
If you’re not aware of Test Lab Guides, they’re part of a new initiative we have at Microsoft that is intended to make life easier for you when it comes to adopting new products and technologies. We realize that when you consider bringing in a new product and technology, you have to consider how long its going to take to learn how it works. Sure, you might try a hands-on lab or a virtual lab to see what the product or technology can do, but after that, then what?
You’re likely going to try to set it up in a test lab. But do you know all the front-end and back-end components that go into making the product or solution work? Maybe – but only after you dig through a pile of design and deployment guides and maybe a few KB articles and some obscure forum posts. That “paper chase” takes a lot of time and if you’re like me, you consider the risk/benefit ratio when it comes to your time before you try out something new.
That’s where Test Lab Guides come in. Using a Test Lab Guide, you can test a new product or technology in a well-defined and pre-tested lab environment that covers all the front-end and back-end components. You configure everything in the test lab, you see all the moving parts, and you see how everything works together. Many people have told us already that the Test Lab Guides allowed them to quickly learn complex technologies because they could see how all the parts worked together – something that would have taken a long time using the traditional approach of sifting through hundreds of pages of documentation. Even better, after you go through the Test Lab Guide and get a working configuration, you can save a snapshot of the working setup and return to it later, either to check out how things look like when they’re working, or to extend it on your own with custom settings that mirror your current production environment.
As you can imagine, the key to test lab success is virtualization. Sure, you could scare up a bunch of PCs and create a lab network, but who has the time and resources for putting together a physical test network that contains 10, 15, 20 or even more clients and servers? While I know that can be done because that’s how we used to do things, the idea of saving disk images and exporting them and then importing them again to extend the configuration is just too time consuming for today’s busy admin. Nope – the reality is that with the advent of client and server virtualization on commodity hardware, test labs are almost exclusively done in a virtualized environment.
Test Lab Guides were designed with virtualization in mind. But if that’s true, why isn’t there any virtualization related information contained in the Test Lab Guides outside of the last step in each guide that tells you that you should snapshot your configuration? The reason for this is that when I’ve written Test Lab Guides, I’ve assumed that the admin using the Test Lab Guide is already well versed in his or her virtualization platform of choice, and would easily be able to translate the TLG instructions into that virtualization platform. While we naturally would prefer that you use Hyper-V as your Test Lab Guide virtualization platform, we realize that there are a number of different virtualization platforms to choose from: VMware Workstation, ESX, Xen and other’s are all capable environments on which you can run your Test Lab Guide scenarios.
Providing virtualization specific information would mean that we would include information that is specific for some platforms and not others. In addition, for the non-Hyper-V platform, if there are changes, we might not necessarily know about them, as it’s not in our charter to stay on top of each version of each virtualization offering.
However, I think it is important to share some virtualization information that will help you with your Test Lab Guide experience. Some of this is Hyper-V specific, but hopefully most of it will be easily applied to to non-Hyper-V platforms. And if you’re not currently using Hyper-V, you might want to give it a look. I was a big VMware user prior to joining Microsoft. However, after joining Microsoft I felt it was important for me to have some basic understanding of Hyper-V. The result is that I’ve been using Hyper-V almost exclusively in my Test Lab Guide development process and am very impressed with it. So if you’re a “VMware guy or gal” and never looked at Hyper-V, I recommend that you give it a look. If for no other reason, you might want to use Hyper-V for Test Lab Guides.
Another thing to consider when using virtualized environments for Test Lab Guides is memory. Some virtualization platforms enable something called "memory overcommit" what allows you to assign your virtual machines more memory than is available on the physical host machine. However, some virtualization do not - and Hyper-V is one of those solutions. While in some cases you can run a Test Lab Guide scenario with a machine that has 8 GB of memory, I have made the assumption that most organizations are using virtualization platforms that support at least 16 GB of memory, and ideally can support 24 GB or more. This allows you to run more complex, but more realistic scenarios in the Test Lab.
When working with virtualization, you need a good working understanding of how its virtual networking feature operates. With Hyper-V, there is the concept of “virtual networks” – with each virtual network acting as a type of virtual switch. VMware has a similar concept, which are called “VMNet’s”. Each virtual machine you connect to the same virtual network or VMNet is on the same virtual network segment, or in other words, in the same Ethernet broadcast domain. If you want to create a multi-segmented network, you would create a virtual network for each segment.
When working with Test Lab Guides, you can create virtual networks for each of the subnets called out the in the Test Lab Guide. For example, in the Base Configuration Test Lab Guide (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=ab6c61af-9c34-4692-815c-4396b482d31b), you are asked to create a “Corpnet subnet” and an “Internet subnet”. When using Hyper-V, you would create a virtual network for the Corpnet subnet and another virtual network for the Internet subnet.
If you need more network segments, you would create more virtual networks. For example, in the Test Lab Guide: Demonstrate UAG DirectAccess (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=71be4b7b-e0e9-4204-b2b5-ac7f3c23b16d), you need to create a new subnet called the “Homenet” subnet. To support the Homenet subnet, you just create a new virtual network.
If you are working with Hyper-V, you need to be aware that there are three types of virtual networks that you can choose from. These are:
When I create the Base Configuration, I create two Private virtual networks: one for the Corpnet subnet and one for the Internet subnet. You can name them whatever you want and it’s probably best to name them Corpnet subnet and Internet subnet. Do the same for any other virtual networks you need to create to support the Test Lab. The Test Lab Guide will provide you some guidance on the name of the network (such as calling the new network the “Fabrikam” network), in which case you create a new virtual network for the Fabrikam subnet.
Now you might be wondered what to do if you need to provide Internet access to a machine on a Private virtual network. Remember that virtual machines connected to a Private virtual network are able to communicate with other VMs on the same Private virtual network, but aren’t able to communicate with any other physical or virtual machine. You’ll have to do something to else to provide a virtual machine actual Internet access.
You might want to provide a VM actual Internet access if you want to download some applications or updates. The approach you use to provide this access will vary with the role the virtual machine is playing on the Test Lab network. For example, CLIENT1 (from the Base Configuration) is a Windows 7 client machine that’s designed to move between the Corpnet subnet, the Internet subnet and the Homenet subnet (and even the Fabrikam subnet if you choose to use the Fabrikam Base Configuration [http://www.microsoft.com/downloads/en/details.aspx?FamilyID=4521421f-bd0c-4eed-b280-a7aaf2fde321]). You can create an External virtual network and connect CLIENT1 to that network. It will then pick up IP addressing from the “live” network’s DHCP server and you can then download the information you need from the Internet. After you get the information you need, you can move CLIENT1 from the External virtual network back to the Corpnet subnet (which is a Private virtual network).
While this approach works fine for virtual machines that are designed to be mobile, it gets a bit more tricky when you want to provide Internet access for more “sessile” machines. Examples of these types of machines would be domain controllers and Exchange Servers; both of which really aren’t designed to be moved from one network to the other and be DHCP clients. We’re going to have to think of a different approach for these servers.
In addition, there might be scenarios when you need to demonstrate actual Internet from specific client types access or you want to provide Internet access to all machines so that you can demonstrate things like Windows Update Services.
To do this, you might consider what I did in the Test Lab Guide: Demonstrate UAG SP1 RC Force Tunneling (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=756e35c6-d706-4b18-80c2-881e9bccda3c). In that Test Lab Guide, I configured INET1 with a second network interface and then configured that network interface to use an External virtual network so that it could connect to the Internet. I then configured the default gateway settings on the computers in the Test Lab so that Internet bound traffic would go through INET1. There were some network gateway and DNS configurations that were required to make it work, but it did allow all the computers in the Test Lab Internet access, including DirectAccess clients.
Note: We plan to update the Base Configuration Test Lab Guide so that Internet access is made a default option. I hope to have that update to the Base Configuration Test Lab Guide to you before the end of January. If you need help before that, please let me know and I’d be happy to show you how to provide Internet access to your Test Lab.
Make sure to always create the virtual networks you need before you create the virtual machines that you’ll to connect to them. It’s better to have the virtual network ready for the virtual machines instead of having the virtual machines wait for you to create the networks to connect to them.
For more information about configuring virtual networks on a Hyper-V server, check out the following video: http://www.screencast.com/t/Ft4Dpm4tLZ (around 7 mins)
This is one area where there are a number of options and everyone has their favorite. One popular option is to use parent/child disk configurations, where you essentially create a parent disk that subsequent virtual machines can take advantage of when you want to quickly create new virtual machines for your Test Lab. Kurt Hudson did a great job describing how you do this in his TechNet wiki article Hyper-V Virtual Machine (VM) Parent-Child Configuration Using Differencing Disks http://social.technet.microsoft.com/wiki/contents/articles/hyper-v-virtual-machine-vm-parent-child-configuration-using-differencing-disks.aspx
While this is a valid and popular approach for quickly creating new virtual machines, and something that can be done with VMware and other virtualization platforms, I’ve have chosen not to use this approach when it comes to building out Test Labs. This and similar approaches that “key” into a parent disk introduce dependencies and potential points of failure that reduce the flexibility of the solution. It also makes it more complicated. However, it does have the advantages of allowing you to create virtual machines more quickly, and even more significant is the amount of disk space you can save by using this approach.
If disk space isn’t an issue for you, and if you’re willing to put in a few more minutes per virtual machine to reduce the risks of a parent/child configuration to your entire virtual lab infrastructure, then you might want to consider my approach. My approach is easy and it’s simple (which pretty much describes me). The approach I use for virtual machines:
Creating virtual machines and snapshots are closely related topics. Each virtual machine you create and configure represents a good chunk of invested time. If you don’t snapshot that virtual machine at the end of your Test Lab, you’ve wasted your efforts (OK, not wasted completely because you probably learned something during the process). When you snapshot the virtual machines in your Test Labs, you can quickly restore the snapshots and start at the end of that Test Lab. At that point you can create a new Test Lab, you can play with the settings to see what happens, or you can use troubleshooting and diagnostic tools and see what they look like when the system is working correctly. Snapshots are unique to virtualization and are a powerful tool to speed your ability to create advanced, realistic and actionable Test Lab scenarios that enable you to learn about your products and communicate more effectively than ever.
However, you need to be systematic about snapshotting. Over my years of using VMware Workstation I had created hundreds of virtual machines to support thousands of possible scenarios for ISA Server and TMG. I didn’t have a co-ordinated system for managing the snapshots and as you can imagine this lead to snapshot sprawl. Over time the sprawl got so bad that my carefully saved snapshots didn’t provide me value and I ended up often having to recreate Test Lab scenarios that I had already done.
At the end of each Test Lab Guide there is a step that informs the reader to snapshot the lab. The step also includes instructions on what to name the Test Lab. The reader should be instructed to shut down each of the virtual machines gracefully at the end of the lab and then snapshot all the virtual machines at the same time after all machines have shut down. After the snapshot it complete, rename the snapshot from its default name to the name suggested in the Test Lab Guide.
Something that we don’t include in the Test Lab Guides regarding virtualization, but something that most virtualization savvy admins are already aware, is that the order you start the VMs is important. In general, you want to start the domain controllers first. Then start servers that provide key infrastructure services to other servers and clients.
This requires that the reader understand the overall solution – and this might not be a reasonable expectation, since the reason for going through the Test Lab Guides is to learn about the product. For example, in the Demonstrating UAG DirectAccess Test Lab Guide, you should start the DC1 virtual machine (a domain controller) first, and then start the UAG DirectAccess server. The reason for this is that the UAG DirectAccess server acts as an ISATAP router for the rest of the network, and it should be available when the ISATAP hosts on the network start up and configure their ISATAP adapters as they start up.
I have not included this start up information in the Test Lab Guides, which is something we will fix in the next version of the Test Lab Guide specification.
Three suggestions for you, and things I plan to implement in the next version of Test Lab Guides are:
To get a better idea of how snapshots are created, restored and named, please see my video on this subject at http://www.screencast.com/t/pGpBxCoZO4QO (around 7 mins).
In this article I provided a handful of tips and tricks that I use with virtualization when creating Test Lab Guides. These are methods that have worked for me and many of them come from habits of working with virtualization for the last decade; some of the habits might be good and some might need improvement. But if you starting on your trek of writing Test Lab Guides and also beginning your work with virtualization, I hope that these notes help you creating your Test Lab Guides faster than might have otherwise.
With all the excitement coming from the upcoming release of UAG Service Pack 1, I thought we might do something fun (OK, DirectAccess is always fun, but maybe we can do something closer to what other people would consider fun). What’s more fun than a contest? I know, a contest where you’re the winner! OK, even more fun is a contest where you’re the winner and you actually win something.
How about a Starbucks card? I have one in my hot little hands and its really wanting to go the the winner of the UAG DA Contest winner!
So here’s how the contest is going to work:
Since the contest hasn’t started yet, the leaderboard looks like this (I put my name in there just as an example):
Ready to play? Here are the three questions for Quiz 1/Round 1:
Question 1: Which Operating System(s) can be configured as DirectAccess clients? (choose the best answer)
A. Windows 7 B. Windows Vista SP2 C. Windows Server 2008 R2 D. Windows 7 and Windows Vista SP2 E. Windows Server 2008 R2 and Windows 7
A. Windows 7
B. Windows Vista SP2
C. Windows Server 2008 R2
D. Windows 7 and Windows Vista SP2
E. Windows Server 2008 R2 and Windows 7
Question 2: What happens when the DirectAccess client successfully connects to the Network Location Server (NLS)?
A. The DirectAccess client turns on the Windows Firewall Domain Profile B. The DirectAccess client disables its ISATAP interface C. The DirectAccess disables the Name Resolution Policy Table
A. The DirectAccess client turns on the Windows Firewall Domain Profile
B. The DirectAccess client disables its ISATAP interface
C. The DirectAccess disables the Name Resolution Policy Table
Question 3: When you do an ipconfig /all in a command prompt window and see both the Teredo and IP-HTTPS interfaces assigned an address, which interface is actually being used to transfer data?
A. The Teredo interface B. The IP-HTTPS interface C. Both the Teredo and IP-HTTPS interfaces D. None of the interfaces – when both appear it indicates that the Windows Firewall Domain Profile is active
A. The Teredo interface
B. The IP-HTTPS interface
C. Both the Teredo and IP-HTTPS interfaces
D. None of the interfaces – when both appear it indicates that the Windows Firewall Domain Profile is active
Great! Now click the following link (which includes the subject line I need to track the entries) and email me your answers:
tomsh@microsoft.com
I must receive your entry by December 3, 2010 3:00PM Central Time
Have fun and good luck!
Just a quick note about the UAG DirectAccess contest. We didn’t have a quiz last week because of the entire world was on vacation
We’ll continue the contest this week with the next quiz being tomorrow, January 6, 2011.
The first round of the first contest is complete. The second round of the first contest starts with tomorrow’s quiz, which will be Quiz 1, Round 2.
Tomorrow quiz will also represent the first round in Contest 2. So even if you didn’t do well in Round 1 of Contest 1, you can get back in the game for Contest 2!
Quiz Dates for Contest 1/Round 2 and Contest 2/Round1 are:
The standings for Contest 1/Round 1:
For a review of the scoring methods, check out the first quiz at http://blogs.technet.com/b/tomshinder/archive/2010/12/02/uag-sp1-directaccess-contest-quiz-one-round-one.aspx
For Contest 1 Round 2/Contest 2 Round1 – I’m thinking of doing some more interesting things with the questions, like screenshots of something gone wrong and then looking for the answer to the most likely reason for the finding or what should you do next to determine the problem.
I’m looking forward to seeing your entries this week!
Thanks!
Tom Shinder tomsh@microsoft.com Principal Knowledge Engineer, Microsoft DAIP iX/Forefront iX UAG Direct Access/Anywhere Access Group (AAG) The “Edge Man” blog (DA all the time): http://blogs.technet.com/tomshinder/default.aspx Follow me on Twitter: http://twitter.com/tshinder Facebook: http://www.facebook.com/tshinder
Visit the TechNet forums to discuss all your UAG DirectAccess issues http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/threads Stay up-to-date with “just in time” UAG DirectAccess information on the TechNet wiki http://social.technet.microsoft.com/wiki/tags/DirectAccess/default.aspx
It that time again! The UAG DirectAccess Contest. If you’ve been participating in Contest 1 Round 1, you know the drill.
If you’re new – don’t worry about Contest 1 – you’ll be automatically entered into Contest 2 and you’ll be participating in Round 1. And if you participated in Round 1 of Contest 1 but didn’t do so well, there’s still a chance to improve in Contest 2 – so make sure you send your entries.
You can find the rules of the game over at
http://blogs.technet.com/b/tomshinder/archive/2010/12/02/uag-sp1-directaccess-contest-quiz-one-round-one.aspx
Now for the questions!
There you go!
Now send your answers to me at (make sure to use this link since it contains the subject line I need):
Send your entries until 9AM Central Standard Time (-0600 UTC) on Monday January 9th.
Good luck!
Now for the moment you’ve all been waiting for – the answers to UAG SP1 DirectAccess Contest 1–Round 2/Quiz 1 and Contest 2 Round 1/Quiz 1!
Here you go:
==========================================================
Answer to Question 1: When the DirectAccess client connects to the UAG DirectAccess server, it establishes two IPsec tunnels – the infrastructure tunnel and the intranet tunnel. All traffic destined to the intranet travels through these two IPsec tunnels with the exception of what type of traffic?
A. ICMPv6 B. ICMPv4 C. DCOM D. SIP (Session Initiation Protocol)
The answer to Question 1 is A.
From http://social.technet.microsoft.com/wiki/contents/articles/directaccess-forcing-encryption-for-icmpv6-traffic.aspx (DirectAccess: Forcing Encryption for ICMPv6 Traffic on the TechNet wiki):
“…By default, the DirectAccess Setup Wizard creates Group Policy objects for DirectAccess clients and servers for settings that allow the following behaviors: Internet Control Message Protocol (ICMP) traffic, for both Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6), is exempted from Internet Protocol security (IPsec) protection Teredo discovery traffic does not travel within the IPsec tunnels between DirectAccess clients and servers on the intranet…”
“…By default, the DirectAccess Setup Wizard creates Group Policy objects for DirectAccess clients and servers for settings that allow the following behaviors:
The trick here is in the question: “All traffic destined to the intranet travels….” The DirectAccess client only understands IPv6 and therefore does not send any ICMPv4 traffic to the intranet – only ICMPv6 traffic can be sent from the DirectAccess client to the intranet. Therefore, B cannot be true because ICMPv4 is never destined for the intranet. DCOM and SIP traffic are treated like any other non-ICMP traffic and both protocols are always sent through an IPsec tunnel when destined for the intranet.
Question 2: A DirectAccess client is connecting from behind a home NAT device to a UAG DirectAccess server. The user calls the Help Desk and says that he isn’t able to connect to anything on the intranet. You tell the user to open a command prompt and ping the name of a domain controller and the ping succeeds. Then you tell the user to ping the name of a file server and that ping succeeds. Next, you tell the user to ping the name of a web server and that ping succeeds. Then you tell the user to use the net use command to connect to a share on the file server and that fails. Next you tell the user to connect to a share on the domain controller and that attempt is successful. Finally, you tell the user to connect to the web server and that connection attempt fails.
What is the most likely reason for this user’s failure to connect to the resources he needs?
A. The Internet Service Provider is blocking IP Protocol 41 B. Kerberos authentication is failing C. NTLMv2 authentication is failing D. The DirectAccess client doesn’t trust the UAG server’s computer certificate
The answer to Question 2 is B.
Let’s look at what’s happening here:
When we look at this analysis, it becomes clear that the answer is B – that Kerberos authentication is failing. A is not correct because IP Protocol 41 is used by 6to4 – if the client were using 6to4, then even the pings would fail as the IPv6 transition technology would have failed; in addition, the client is connecting from behind a home NAT device, so 6to4 would not be used – IP-HTTPS or Teredo would be used in a NAT scenario. We know that NTLMv2 is not failing, because the infrastructure tunnel is working. And we know that the DirectAccess client trusts the UAG server’s computer certificate, since the client was able to establish the infrastructure tunnel.
========================================================== Question 3: Which of the following are new features included with UAG DirectAccess Service Pack 1?
A. Wizard based configuration of the DirectAccess Connectivity Assistant (DCA) B. Wizard based configuration of “manage only” DirectAccess client connectivity C. Support for Smart Card Authentication D. Support for One Time Password (OTP) Authentication
The answer to question 3 is A, B and D.
Support for Smart Card authentication was available in pre-SP1 UAG DirectAccess.
For more information on what’s new and improved with DirectAccess in UAG SP1, check out UAG 2010 SP1: The New and Improved DirectAccess Features http://blogs.technet.com/b/edgeaccessblog/archive/2010/10/27/uag-sp1-da-overview.aspx
This quiz was a pretty tough one that required you to have a pretty good understanding of the IPv6 transition technologies and authentication for DirectAccess IPsec tunnels. In the next quiz we’ll go more into IPv6 related questions to test some of your IPv6 chops.
The next quiz will be posted late in the day on Thursday, January 13, 2011.
See you then!
(If you didn’t participate in Quiz 1 – you can read the rules of the game over at http://blogs.technet.com/b/tomshinder/archive/2010/12/02/uag-sp1-directaccess-contest-quiz-one-round-one.aspx)
It’s time for Quiz 2-Round 1!
I got started late on this one today and I was also reminded that there are plenty of UAG DirectAccess fans who aren’t in North America
For this reason, I’m going to change one of the rules for the contest which will allow more people to participate. From this point forward, you don’t have to send your answer until 9AM Central Standard Time (-0600 UTC) on Monday December 13th.
All the other rules remain the same.
There you go! Now click the following link (which will populate the subject line on the email message) to email me your answers:
I must receive your entry by December 13, 2010 9:00 AM Central Time
Here are the answers to Quiz 2, Round 1:
====================================================
Question 1: You have installed UAG Service Pack 1 and find that you are unable to connect to resources on the intranet using fully qualified domain names. What is the most likely reason for this failure?
A. The ISATAP adapter on the DirectAccess client failed to start B. The Teredo interface on the UAG DirectAccess server failed to start C. The DNS64 service failed to start D. The IP-HTTPS certificate needs to be renewed
The answer to Question 1 is C. The DNS64 service is used by the UAG DirectAccess server to resolve names on behalf of DirectAccess clients. Although we often talk about DNS64 as providing name resolution support for IPv4 only hosts in conjunction with it’s integration with NAT64, the DNS64 service also provides what you can consider to be a “DNS proxy” to support UAG DirectAccess client name resolution. If you perform a netsh name show eff command on a UAG DirectAccess client, you will see something similar to what appears in the figure below. Notice the DirectAccess (DNS Servers) setting for Settings for .corp.contoso.com. This address is the 6to4 address of the UAG DirectAccess server. When the DNS64 service receives the name query request from the DirectAccess client, it forwards the query to the DNS servers configured on the internal interface of the UAG DirectAccess server and then it receives and caches the DNS server responses before returning the results to the DirectAccess client.
It now should make sense that if the DNS64 services does not start, intranet name resolution for DirectAccess clients will fail. However, why did the DNS64 service fail to start? If you check the UAG Service Pack 1 Release Notes (http://technet.microsoft.com/en-us/library/gg315322.aspx) You will see the following:
“After installing SP1 RTM on a Forefront UAG server running SP1 RC and acting as a DirectAccess server, the DNS64 service will be set to Manual. Following the installation, set the DNS64 service to Automatic and start the service.”
This explains why the DNS64 service failed to start. After applying UAG SP1, you will need to manually configure the DNS64 service to start automatically. Jason Jones provides some information on how to do this on his blog at http://blog.msedge.org.uk/2010/12/microsoft-forefront-uag-dns64-service.html
Answer A is incorrect because the ISATAP adapter on the DirectAccess client isn’t used to connect to the intranet through the DirectAccess tunnels. Answer B is incorrect because if the Teredo adapter failed to start, the IP-HTTPS adapter could enable connectivity – recall that only name resolution is affected, which suggests that connectivity through an IP address was still available. Answer D is incorrect because the IP-HTTPS listener’s certificate status would not have selective effects on name resolution.
Question 2: A Help Desk professional is trying to provide assistance to a DirectAccess user who is connected to the intranet from a hotel on another continent. The DirectAccess connection is working for the user and the user is able to connect to all required resources on the intranet. However, the user is having problems with some editing software and would like the Help Desk Professional to take a look at her system. When the Help Desk Professional tries to RDP into the user’s computer, the connection attempt fails. What is the most likely reason for the connection failure?
A. A Windows Firewall rule on the client exists for inbound RDP with Edge Traversal enabled B. The Help Desk Professional is connecting from a Windows 2000 Workstation Computer C. The hotel where the user is staying blocks outbound RDP connections D. The user is connecting to the UAG DirectAccess server using IP-HTTPS
The answer to Question 2 is B. In this scenario the Help Desk professional is trying to establish a connection from the intranet to the DirectAccess client on the Internet. This is what we often refer to as a “manage out” scenario. In order for hosts on the intranet to initiate connections to DirectAccess clients on the Internet, there must be a Windows Firewall with Advanced Security Firewall Rule in place on the DirectAccess client to support that connection.
In addition, if the DirectAccess client is using Teredo or IP-HTTPS, the the Firewall Rule will need to have Edge Traversal enabled (because these protocols will be used when the DirectAccess client is located behind a NAT device). You can find more information about Edge Traversal and DirectAccess clients at http://technet.microsoft.com/en-us/library/gg315320.aspx In addition to a Firewall Rule that allows the desired protocol inbound to the UAG DirectAccess client with Edge Traversal enabled, the system on the intranet that’s initiating the connection must be an IPv6 capable machine that is able to consume the IPv6 AAAA resource record returned in a name query for the DirectAccess client (and the system must be assigned an IPv6 address, either through native IPv6 addressing or via ISATAP). Since the Help Desk Professional is using Windows 2000 Workstation, the system is not IPv6 capable and therefore the Help Desk Professional will not be able to initiate a connection to the DirectAccess client.
Answer A is incorrect because we do need a firewall rule on the client to support inbound RDP with Edge Traversal enabled. Answer C is incorrect because all communications in this scenario are taking place over the IPsec tunnels used by DirectAccess – which means the firewalls are actually only seeing the IPv6 transition technology headers (most likely Teredo or IP-HTTPS). Answer D is incorrect because “manage out” scenarios are supported for all IPv6 transition technologies the DirectAccess client might use when connecting to the UAG Direct Access server.
Question 3: A UAG DirectAccess server benefits from being placed behind a front-end firewall in order to reduce the firewall filtering load on the TMG server that is also installed on the UAG server. Which of the following protocol(s) is/are not required through the front-end firewall to the UAG DirectAccess server when the server is connected to an IPv4 Internet? (Choose all that apply):
A. IP Protocol 50 B. UDP Port 3544 C. TCP Port 443 D. IP Protocol 41
The answer to Question 3 is A. The question asks which protocol(s) are NOT required access through the front-end firewall to the UAG DirectAccess server when the server is connected to the IPv4 Internet. UDP Port 3544 inbound and outbound to and from the UAG DirectAccess server is required to support Teredo. TCP port 443 is required to and from the UAG DirectAccess server to support IP-HTTPS, and IP Protocol 41 is required to and from the UAG DirectAccess server to support 6to4. Teredo, IP-HTTPS and 6to4 are IPv6 transition technologies that allow the DirectAccess client to tunnel IPv6 messages over the IPv4 Internet.
In contrast, when the UAG DirectAccess server is connected to the IPv6 Internet. there is no need to support the IPv6 transition technologies and the DirectAccess client won’t be tunneling their IPv6 messages inside of these protocols. Instead, the DirectAccess clients will establish IPsec connections to the UAG DirectAccess server directly – these IPsec connections won’t be encapsulated by the IPv6 transition protocol headers because there is no need for them. In this scenario, the front-end firewall needs to allow IP Protocol 50 (ESP) inbound and outbound to and from the UAG DirectAccess server, and UDP port 500 (IKE) inbound and outbound to and from the UAG DirectAccess server. In addition, ICMPv6 inbound and outbound to and from the UAG DirectAccess is also required, because by default, ICMP messages are not encapsulated by IPsec.
Therefore, the answer to the question is A since it is NOT required when the UAG DirectAccess server is connected to an IPv4 Internet.
You an find more information on firewall configuration requirements for the UAG DirectAccess server over at http://technet.microsoft.com/en-us/library/dd857262.aspx
Looks like we have a real horse race going right now! Six contestants are within one point of each other, and eight are within three points of each other. I should note that all the “zero” point results are because the contestant didn’t send an entry for that quiz. No contestant has actually actually submitted an entry where none of the answers were correct. Also, its not too late to come from behind and win! If the leaders fail to submit an entry, or get the questions wrong, you can still circle the field and run in-the-money for round 1.
I want to thank everyone who participated in Quiz 2, Round 1. This was another tough one! Some of the quizzes will be easier, some will be more difficult. But I hope you will continue to play and that you find this a useful and fun learning experience. Quiz 3, Round 1 will be posted on December 16, 2010 – so make sure you put that on your calendar so you don’t miss the quiz because if you do, someone who’s ahead of you now might miss the next quiz and that will be your chance to take the lead! For the same reason, those of you who didn’t participate in Quiz 2 you still have a chance – so make sure to take next week’s quiz and get yourself on the leaderboard! And even if you don’t win, you’ll learn a lot and remember more when you have some “skin in the game”. See you then!
Troubleshooting is always a challenging topic. Challenging from the point of view of the person who has to do the troubleshooting, and challenging to the product group who wants to provide valuable troubleshooting information so that you can solve your troubleshooting issues.
Because information on troubleshooting is so dynamic, we need a way to share information on what we learn about troubleshooting as soon as possible. For this reason, we’ve decided to publish UAG DirectAccess troubleshooting information to the TechNet wiki. With the TechNet wiki, we can provide you “just in time” information about how to troubleshoot problems you might encounter with UAG DirectAccess.
And even more important, if you find that you have a valuable troubleshooting information that will help other UAG DirectAccess admins, you can share that information on the TechNet wiki!
As we begin this effort, we’ve created a main UAG DirectAccess troubleshooting page – Forefront UAG DirectAccess Troubleshooting. On this page you will find useful links to UAG DirectAccess troubleshooting content. Right now, you’ll find links to the following wiki docs:
The great utility of the wiki is that if you find other UAG DirectAccess troubleshooting information, you can add to this list – as another logged onto the wiki can edit and enhance the content. Make sure to add the RSS feed for this page so that you receive automatic updates when this troubleshooting page is updated.
It’s time for Quiz 3-Round 1!
Send your entries until 9AM Central Standard Time (-0600 UTC) on Monday December 20th.
The scores are really close and at this point, anyone can end up winning Round 1. So make sure to send your answers in this week and next week.
The questions in Quiz 1 and Quiz 2 were pretty tough – so I hope you find these a bit easier. So far everyone is doing great and learning a lot! If you know any UAG DirectAccess admins, let them know about the contest so that they play too. Even though they might not win the first round (winner of the first four quizzes), remember there is a second round. So it’s possible to win by cleaning up in the second round. And they can join in on the fun of taking the quizzes and learning from the answers.
When the contest is over I’d like to put together a LiveMeeting and talk about the contest and if the winner is willing to be interviewed, take the opportunity to interview the winner and get his or her thoughts on UAG DirectAccess.
Test Lab Guides provide a method for you to try out a new product or technology and see how it works in your own test lab. When you use Test Lab Guides you see all the working parts, all the front-end and back-end components, and most importantly, see how that all work together to create a working solution.
Test Lab Guides enable you to get your hands on each configuration setting for simple to extremely complex scenarios. In fact, I’m working on a Test Lab Guide now that will require 10 virtual machines – but provides a demonstration of a very complex multi-site deployment of UAG DirectAccess using a single ISATAP cloud to enable multi-point access to the intranet. You’ll see what it looks like in about two weeks.
There are three types of Test Lab Guides:
The following troubleshooting TLGs are available:
The Troubleshooting Test Lab Guides are actually based on a working configuration that you have already created when you did one of the “Demonstrating” Test Lab Guides.
For example, the Test Lab Guide: Troubleshoot UAG DirectAccess is based on the completion of another Test Lab Guide called Test Lab Guide: Demonstrate UAG DirectAccess. In the troubleshooting Test Lab Guide you begin with a working configuration and then break stuff on purpose (we give you instructions on what to break, in what we call “Break-Me’s). After you break the stuff, you use a variety of troubleshooting tools and techniques to troubleshoot the broken configuration.
For an example of how “Break-me’s” work, check out this video.
The goal of the Troubleshooting Test Lab Guides is to show you what tools are available to troubleshoot the product, technology or scenario and what their output looks like when things are working right, and then what the output looks like when things aren’t working (because you’ve broken it on purpose).
We have received various feedback regarding the “Troubleshooting” guides and we would like to get input from the community on whether or not you find this approach valuable and if we should continue investing in the troubleshooting guides. Of course, we think the Troubleshooting Test Lab Guides are a great idea because you get hands-on experience with the troubleshooting tools and some insight into what things should look like and what they might look like when they’re broken. In the guides we try to focus on the most common troubleshooting scenarios so that you get the most “bang for your buck”.
What do you think? Are the troubleshooting Test Lab Guides valuable to you? Would you like to have more troubleshooting Test Lab Guides? Is there something missing from the current approach to Troubleshooting Test Lab Guides that would make them more useful for you?
Let us know! You can write to me at tomsh@microsoft.com and let me know what you think about the Troubleshooting Test Lab Guides or you can write your thoughts and ideas about Troubleshooting Test Lab Guides in the comments section below. I do subscribe to the RSS feed for the comments section, so I’ll know when you’ve posted a comment and I’ll acknowledge your input and address your issues.
Thanks for the help!
Happy Holidays guys! We got a great response to this weeks quiz and added some new contestants. That’s great! Even with the busy holiday it’s cool to see you all interested in playing and learning more about UAG DirectAccess.
Now for the answers:
===========================================
Question 1: You must be running IPv6 on your corporate network in order to deploy a UAG DirectAccess server that enables DirectAccess clients to connect to intranet resources from virtually anywhere. A. True B. False
The answer to Question 1 is B. When you use the UAG DirectAccess server solution, there are no IPv6 dependencies for resources on the intranet. Because the UAG DirectAccess server includes the NAT64/DNS64 service, all the machines behind the UAG DirectAccess server can be IPv4-only operating systems. When you use the UAG DirectAccess server, the only machine that needs to be Windows Server 2008 R2 on the network is the UAG DirectAccess server. Note that when you use an IPv4-only network behind the UAG DirectAccess server, you will not be able to take advantage of a full “manage-out” deployment. In a full “manage-out” deployment, hosts on the intranet can initiate connections to DirectAccess clients. IPv4-only hosts cannot initiate connections from DirectAccess clients, but DirectAccess clients can initiate connections to IPv4-only hosts on the intranet.
Question 2: You have installed UAG RTM and you want to begin the configuration of the DirectAccess feature. The UAG Management console opens and you are able to see the information on all nodes except for the DirectAccess node in the left pane of the console. When you click on the DirectAccess node in the left pane of the console, you see the following error dialog box:
(Cannot Load the DirectAccess view (0).)
What is a possible cause of this problem? A. The NetBIOS name of the UAG server contains more than 15 characters B. In order to configure DirectAccess, you must first install UAG Update 1 C. The DirectAccess server is a member of a Windows Server 2003 domain D. A firewall behind the UAG server is blocking the SNA (TCP/UDP 108) protocol
The answer to Question 2 is A. This is an interesting problem that was discovered by Shannon Fritz, which he shared on the TechNet forums and discusses in his blog post over at http://blog.concurrency.com/infrastructure/uag-cannot-load-the-directaccess-view-0/ The solution was to rename the machine so that the host name portion of the FQDN was 15 characters or less.
=========================================== Question 3: A UAG DirectAccess server must be a domain member. However, the UAG DirectAccess server does not need to be a member of the same forest or domain as the resources that DirectAccess users will connect to. What Active Directory domain functional level is required for the domain that the UAG DirectAccess server belongs to for DirectAccess to work correctly? A. Windows Server 2008 R2 B. Windows Server 2008 C. Windows Server 2003 D. None of the above
The answer to Question 3 is D. This is a tricky question. Many of you answered C because you might have read that Windows Server 2003 domain functional level is the minimum domain functional level. I can’t confirm or deny that is true, since it’s not documented anywhere and I suspect that no testing was done with Windows 2000 Server domain functional level. However, regardless of what the minimal domain functional level might be, the question asked which was required. Because you can use any of these domain functional levels in answers A, B and C, none of them are required – you can use any one of them. This makes answer D the correct answer.
The race remains pretty close as we enter into the last quiz of the first round. Six contestants are within two points for the lead. Also, note that the zeros you see in the results are due to contestants that didn’t send an entry for that quiz – no one has scored a zero on any of their entries. The blue highlighting on the cell indicates that no entry was received. But you can see that a few of the new entrants have some strong performances and could end up in the top three if any of those near the top decide to take a Christmas vacation for Quiz 4 .
I want to thank everyone who participated in Quiz 3, Round 1. Quiz 4 and the last quiz in Round 1 will be posted on December 23, 2010 – so make sure you put that on your calendar so you don’t miss the quiz because if you do, someone behind you might sneak up and take your position! But even if you don’t end up in the top three, you’ll learn a lot and remember more when you have some “skin in the game”. And then there’s always Round 2. See you then!
You’ve deployed DirectAccess on your network as a pilot project for your IT group over the holidays and everything is working great. When the users are behind a wide open NAT device, they use Teredo to connect to the UAG DirectAccess server. When they’re behind a port-restricted firewall or web proxy only, then they fall back to IP-HTTPS. Of course, you’d prefer that they use Teredo because it’s better performance. But IP-HTTPS connectivity is better than no connectivity at all.
Then it happens – the unthinkable!
Performance seems to slow down. You do an ipconfig and find that the Teredo interface isn’t starting up and only IP-HTTPS is being used. You move the client around, first behind a wide open NAT device and nothing changes. Then you disable the 6to4 interface and connect the client directly to the Internet. Still, only the IP-HTTPS interface comes up.
What’s up with that?
Here are some hints:
First, check out http://blogs.technet.com/b/edgeaccessblog/archive/2010/05/09/the-mystery-of-the-ip-https-listener-an-outlook-client-and-an-ipv4-only-network.aspx
Next, check out the graphic below:
Finally, check Ben Lee’s blog where he puts all the pieces together to come up with a solution over at http://www.bibble-it.com/2010/12/19/uag-directaccess-only-connects-via-ip-https