6. Active Directory and Group Policy support are required
Several changes to the DirectAccess server and client configuration are needed to make the solution work. The most effective way to deliver these changes, and the way DirectAccess is designed to deliver them, is through Active Directory and Active Directory Group Policy objects (GPOs). GPOs are assigned to both the DirectAccess server and the DirectAccess clients. Active Directory is also required for authentication: the infrastructure tunnel uses NTLMv2 authentication of the computer account when the client connects to the DirectAccess server, so that computer account must belong to an Active Directory domain. The intranet tunnel uses Kerberos authentication of the logged-on user to establish the second tunnel.
Although Active Directory and GPOs are required, the DirectAccess server does not need to be a member of the same domain as the resources it publishes. As long as there is a two-way trust between the DirectAccess server's domain and the domains or forests that host the resources, the solution will work.
7. A Network Location Server lets DirectAccess clients detect when they are on the corporate network
DirectAccess is designed to work automatically and in the background. Users do not have to do anything to initiate (turn on) a DirectAccess connection; all they need to do is turn on their computer. In fact, users do not even need to log in. Before logon, the infrastructure tunnel is established automatically, and the DirectAccess client's management agents can reach their servers to download updates and configuration information: software, security settings, and anything else needed to keep the DirectAccess client compliant with network security and configuration policies.
To make this process transparent, there must be a mechanism by which the DirectAccess client components know when they need to be turned on and when they should stay off. That mechanism is the Network Location Server (NLS). The NLS is a web server that accepts incoming SSL connections; you can allow either integrated or anonymous authentication on it. When the DirectAccess client can connect to the NLS, it knows that it is on the corporate network and turns the DirectAccess client components off. If the DirectAccess client cannot contact the NLS, it knows that it is outside the corporate network and automatically turns the DirectAccess client components on to establish the IPsec tunnels to the DirectAccess server over the Internet. The DirectAccess client checks the NLS web server certificate against the Certificate Revocation List, so the CRL must be reachable. Otherwise the SSL connection to the NLS website fails and, with it, the internal network detection process.
8. Certificates, certificates, certificates!
Certificates are used in several places in the DirectAccess client/server solution. Some of the places where you will see certificates are:
DirectAccess client. Each DirectAccess client needs a computer certificate to establish IPsec connections to the DirectAccess server. These certificates are used to build the IPsec connections and are also used by IP-HTTPS, where the DirectAccess server validates the client's computer certificate before allowing the IP-HTTPS connection over the Internet. Computer certificates are best deployed using Microsoft Certificate Server with automatic certificate enrollment based on Group Policy.
IP-HTTPS listener on the DirectAccess server. IP-HTTPS is an IPv6 transition technology that tunnels IPv6 packets over the IPv4 Internet. Microsoft designed this protocol so that a DirectAccess client can connect to the DirectAccess server even when it sits behind a firewall that only allows outbound HTTP/HTTPS, or behind a web proxy server. The IP-HTTPS listener requires a website certificate, and the DirectAccess client must be able to reach the server that hosts the CRL for that certificate. If the CRL check fails, the IP-HTTPS connection fails as well. Commercial certificates are the best choice for the IP-HTTPS listener, because their CRLs are available globally.
DirectAccess server. The DirectAccess server holds the IP-HTTPS website certificate, but it also needs a computer certificate to establish IPsec connections with the DirectAccess clients.
9. The Name Resolution Policy Table routes DNS queries according to policy
The DirectAccess client uses the Name Resolution Policy Table (NRPT) to decide which DNS server to use to resolve a name. When the DirectAccess client is on the corporate network, the NRPT is automatically turned off. When the DirectAccess client detects that it is on the Internet, it activates the NRPT and checks its entries to see which DNS server to use to reach the resource. You place your internal domains and any specific servers in the NRPT and configure them to use an internal DNS server for name resolution.
When a DirectAccess client on the Internet needs to connect to a resource by FQDN, it checks the NRPT. If the name matches an entry, the query is sent to the internal network DNS server. If the name is not in the NRPT, the DirectAccess client sends the query to the DNS server configured on its NIC, which is an Internet DNS server. The name of the NLS is also placed in the NRPT, but in an exemption list, meaning that the DirectAccess client never uses the intranet DNS server to resolve the NLS name. As a result, a DirectAccess client on the Internet cannot resolve the NLS name, concludes that it is on the Internet, and turns on the DirectAccess client components. Just as importantly, once connected to the corporate network through DirectAccess, the client still cannot resolve the NLS name and so does not wrongly conclude that it is directly connected to the corporate network.
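An added example (not code from the original article) of what the NRPT and NLS behaviour described in sections 7 and 9 looks like on a test client: a DirectAccess rule for the intranet namespace, the NLS exemption, and then a check of the effective policy and the client's own location verdict. The names corp.example.com and nls.corp.example.com and the DNS server address 2001:db8:1::10 are assumptions; in production these rules arrive through the DirectAccess GPO rather than by hand.

```powershell
# Added example, not from the original article. Assumed values: corp.example.com is the
# intranet DNS suffix, nls.corp.example.com is the Network Location Server, and
# 2001:db8:1::10 is an intranet DNS server reachable through the DirectAccess tunnel.
# Run from an elevated PowerShell on a test client.

# Rule 1: while DirectAccess is active, every name under corp.example.com is resolved
# by the intranet DNS server instead of the DNS server configured on the client's NIC.
Add-DnsClientNrptRule -Namespace ".corp.example.com" `
    -DAEnable -DANameServers "2001:db8:1::10" `
    -Comment "DirectAccess: intranet namespace"

# Rule 2: the NLS exemption. The NRPT applies the most specific matching namespace, so
# this entry wins over the suffix rule above, and a DirectAccess rule with no DNS servers
# sends the query to the NIC's (Internet) DNS server. That server cannot answer for the
# NLS name, so a client on the Internet, or one connected through the tunnel, never
# "finds" the NLS and never wrongly switches its DirectAccess components off.
Add-DnsClientNrptRule -Namespace "nls.corp.example.com" `
    -DAEnable `
    -Comment "DirectAccess: NLS exemption"

# Check 1: the exemption must show an empty DirectAccessDnsServers list.
Get-DnsClientNrptPolicy -Effective |
    Select-Object Namespace, DirectAccessEnabled, DirectAccessDnsServers

# Check 2: the client's own verdict. ConnectedLocally means the NLS was reached over SSL
# (CRL check included) and the NRPT is inactive; ConnectedRemotely means the NLS was
# unreachable and the IPsec tunnels to the DirectAccess server are up.
Get-DAConnectionStatus | Select-Object Status, Substatus
```

If the second check reports an error state rather than either Connected value, the NLS certificate or its CRL distribution point is the first thing to verify, since a failed revocation check breaks location detection the same way an unreachable NLS does.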
10. DirectAccess provides 'manage out' capability
As mentioned above, IT can take advantage of the 'manage out' capability, using the infrastructure tunnel to connect to DirectAccess clients on the Internet. However, you still need to configure rules in Windows Firewall with Advanced Security (WFAS) to allow these inbound connections for Teredo clients. When creating these rules, make sure the Edge Traversal option is enabled on the firewall rule. A DirectAccess client uses Teredo when it is behind a NAT device to reach the Internet and the DirectAccess server, provided the NAT device allows outbound traffic on UDP port 3544.
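The inbound rules a manage-out deployment needs on the client, as an added example that is not from the original article: two WFAS rules with edge traversal allowed, scoped to the Domain profile and to a management subnet, followed by a check that the setting actually took. The subnet 2001:db8:1::/64 is an assumed intranet prefix (manage-out traffic reaches the client over IPv6 through the infrastructure tunnel).

```powershell
# Added example, not from the original article. Assumed value: 2001:db8:1::/64 is the
# IPv6 prefix of the intranet management hosts that are allowed to reach clients.
# Run from an elevated PowerShell on a DirectAccess client (or deploy the same rules by GPO).
$mgmtSubnet = "2001:db8:1::/64"

# Remote Desktop from the management subnet only. EdgeTraversalPolicy Allow is the
# "Edge Traversal" option in the WFAS console: without it the firewall drops packets that
# arrive encapsulated in Teredo (UDP 3544) instead of on a native interface.
New-NetFirewallRule -DisplayName "DirectAccess manage-out: Remote Desktop" `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $mgmtSubnet -Profile Domain -Action Allow `
    -EdgeTraversalPolicy Allow

# ICMPv6 Echo Request (type 128) so helpdesk can ping clients before opening a session.
New-NetFirewallRule -DisplayName "DirectAccess manage-out: ICMPv6 echo" `
    -Direction Inbound -Protocol ICMPv6 -IcmpType 128 `
    -RemoteAddress $mgmtSubnet -Profile Domain -Action Allow `
    -EdgeTraversalPolicy Allow

# Check: every manage-out rule must report EdgeTraversalPolicy = Allow and be enabled;
# a rule that shows Block here silently drops Teredo-delivered traffic.
Get-NetFirewallRule -DisplayName "DirectAccess manage-out*" |
    Select-Object DisplayName, Enabled, Profile, EdgeTraversalPolicy
```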