DirectAccess

DirectAccess must not run on a domain controller → a second server is required.

Windows Server 2012

Source: http://blogs.msdn.com/b/canberrapfe/archive/2012/07/12/simple-direct-access-setup-with-windows-server-2012-rp.aspx

Installation (via PowerShell):

Install-WindowsFeature RemoteAccess -IncludeManagementTools

Configuration

Perform a very basic install of Direct Access:

  1. From the Start screen, click „Remote Access Management“.
  2. In the Remote Access Management console, click Run the Getting Started Wizard.
  3. Choose Deploy DirectAccess only.
  4. Verify that Edge is selected as the network topology. Type the public name of your Direct Access server as the public name to which remote access clients will connect - in my example the public name is „duffey.dyndns.org“ even though the machine I am connecting to is called „da1.contoso.com“ - my firewall will receive this traffic and forward it to the correct host. Click Next.
  5. On the final wizard page, click the link supplied to edit the wizard settings.
  6. In the Remote Access Review dialog, next to Remote Clients, click Change.
  7. On the Select Groups screen, clear the Enable DirectAccess for mobile computers only checkbox.
  8. Click Domain Computers (CONTOSO\Domain Computers), and then click Remove.
  9. Click Add, type DirectAccessClients, and then click OK.
  10. Click Next, and then click Finish.
  11. Click OK in the Remote Access Review screen, and then click Finish.
  12. Since there is no PKI setup yet in this lab environment, the wizard will automatically provision self-signed certificates for IP-HTTPS and the Network Location Server, and will automatically enable Kerberos proxy. The wizard will also enable NAT64 and DNS64 for protocol translation in the IPv4-only environment. After the wizard successfully completes applying the configuration, click Close.
  13. In the console tree of the Remote Access Management console, select Operations Status. Wait until the status monitors display as „Working“. From the Tasks pane under Monitoring, click Refresh periodically to update the display.

Client PC

Everything is configured automatically through Group Policy. After the server has been configured, the policies therefore have to be refreshed on the client PCs.

Verification on client PCs

Get-DaConnectionStatus
Get-DNSClientNrptPolicy

NLA

DirectAccess requires that the public network adapter on which DirectAccess is published has the Public profile assigned. Profile detection is performed by the NLA service 1), which attempts an LDAP query (port tcp/389) to a domain controller through each network interface. If the query succeeds, that network adapter is assigned the Domain profile. This can be addressed by blocking that port with the firewall on the domain controller side for access coming from the DirectAccess Edge server.

Details on NLA: http://blogs.technet.com/b/networking/archive/2010/09/08/network-location-awareness-nla-and-how-it-relates-to-windows-firewall-profiles.aspx?Redirected=true
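The check and the domain-controller-side firewall rule described above, as an added PowerShell example (not taken from this page or the cited blog); the interface alias „External“ and the edge server's external address 203.0.113.10 are assumed placeholders.

```powershell
# Added example, not from the original page: verify the NLA profile of the
# DirectAccess edge server's internet-facing NIC, and block LDAP (tcp/389)
# from that NIC on each domain controller so NLA cannot classify it as Domain.

# --- Run on the DirectAccess edge server ---------------------------------
$ExternalNic = 'External'   # assumed alias of the internet-facing adapter

$profile = Get-NetConnectionProfile -InterfaceAlias $ExternalNic
'{0}: {1}' -f $profile.InterfaceAlias, $profile.NetworkCategory
if ($profile.NetworkCategory -ne 'Public') {
    # NetworkCategory is DomainAuthenticated when NLA reached a DC over this NIC
    Write-Warning "Expected Public on $ExternalNic, got $($profile.NetworkCategory)."
}

# --- Run on each domain controller ----------------------------------------
$DaEdgeExternalIp = '203.0.113.10'   # assumed external address of the DA edge server
$RuleName = 'Block LDAP from DirectAccess edge (NLA)'

# Create the inbound block rule only once; it applies regardless of the DC's own profile
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort 389 `
        -RemoteAddress $DaEdgeExternalIp -Action Block -Profile Any
}

# Confirm the rule exists, is enabled, and is scoped to the expected source address
Get-NetFirewallRule -DisplayName $RuleName | Select-Object DisplayName, Enabled, Action
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

After the rule is in place, restart the NLA service or re-plug the external adapter on the edge server and re-run the first part; the NIC should now report Public.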

Sources

1)
Network Location Awareness