Archive for the ‘Windows 2012 Direct Access’ Category

DirectAccess Windows 2012 High availability NLB Cluster

Windows Server | DirectAccess | Remote Access | VPN

DirectAccess is a feature in the Windows 7, Windows Server 2008 R2 and Windows Server 2012 operating systems that gives users the experience of being seamlessly connected to their corporate network any time they have Internet access.

With DirectAccess, users are able to access corporate resources (such as e-mail servers, shared folders, or intranet web sites) following common security standards, anytime they have an internet connection.

The new thing here is that in Windows Server 2012 you can use a single NIC.

In my previous blog I showed the configuration but now I want to NLB the DirectAccess Server.

Again, my basic setup is here: only one server is configured and the second node is on standby. Keep in mind that Remote Access must be installed on both machines, and the NLB feature must be installed as well.

In the configuration menu you can choose Enable Load Balancing.

The wizard shows me that I can choose Windows NLB or a hardware NLB solution.

I'll take Windows NLB. As you can see, you don't need to set up UAG, then NLB, and then DirectAccess; you go straight to the Remote Access console and do your thing.

In this case I use the Edge DirectAccess option.

Fill in the IPv4 address that will be used as the external VIP by the Network Load Balancing feature. This address must be on the same IP subnet as the dedicated external address of the Windows 2012 servers.

The internal IP is filled in the same way as for an internal NLB.

The NLB is now ready, but only on one node.

We can add a second node to the NLB farm and have our DirectAccess highly available.

To add the second node, use Add or Remove Servers.

On firewalls or other products that have multiple NICs, I make sure that the naming is correct: the NIC named "internet" is the one with Internet access, or use red and green, but don't leave the default names. Now I can easily see which NIC I need.

Remember: if you use a self-signed certificate you can't use NLB, so a root CA must be in place.
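The prerequisites mentioned above (Remote Access and NLB installed on both nodes, a VIP in the same subnet as the dedicated external address, no self-signed certificate) can be checked before load balancing is enabled. This is an added example, not part of the original post; the node names and addresses are constructed, and reading the certificate from the SslCertificate property of Get-RemoteAccess is an assumption.

```powershell
# Added example: pre-flight checks before enabling NLB for DirectAccess.
# Node names and addresses are constructed placeholders.
$Nodes       = 'DA01.lab.example', 'DA02.lab.example'   # hypothetical servers
$DedicatedIP = '203.0.113.11'    # external address of the configured node
$VirtualIP   = '203.0.113.10'    # planned external VIP
$SubnetMask  = '255.255.255.0'

function Test-SameSubnet {
    param([string]$AddressA, [string]$AddressB, [string]$Mask)
    $a = ([System.Net.IPAddress]$AddressA).GetAddressBytes()
    $b = ([System.Net.IPAddress]$AddressB).GetAddressBytes()
    $m = ([System.Net.IPAddress]$Mask).GetAddressBytes()
    for ($i = 0; $i -lt $m.Length; $i++) {
        if (($a[$i] -band $m[$i]) -ne ($b[$i] -band $m[$i])) { return $false }
    }
    return $true
}

function Test-SelfSigned {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # A self-signed certificate names itself as its issuer.
    return $Certificate.Subject -eq $Certificate.Issuer
}

$problems = @()

# Both nodes need the Remote Access role service and the NLB feature.
foreach ($node in $Nodes) {
    foreach ($feature in 'DirectAccess-VPN', 'NLB') {
        $state = Get-WindowsFeature -Name $feature -ComputerName $node
        if (-not $state.Installed) { $problems += "${node}: feature $feature is not installed" }
    }
}

if (-not (Test-SameSubnet $DedicatedIP $VirtualIP $SubnetMask)) {
    $problems += "VIP $VirtualIP is not in the subnet of $DedicatedIP"
}

# Assumption: the configured node exposes its IP-HTTPS certificate as SslCertificate.
$cert = (Get-RemoteAccess -ComputerName $Nodes[0]).SslCertificate
if ($cert -and (Test-SelfSigned $cert)) {
    $problems += "IP-HTTPS certificate '$($cert.Subject)' is self-signed"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { 'All NLB prerequisites are met.' }
```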

After the commit my NLB is in place, and the overview lists the NLB servers.

There are more PowerShell options that you can use:

Get-RemoteAccessHealth -Cluster

Get-DAServer

More on DirectAccess

Or on PowerShell

Direct Access Client Cmdlets in Windows PowerShell

DirectAccess on Windows 2012

Windows Server | DirectAccess | Remote Access | VPN

DirectAccess is a feature in the Windows 7, Windows Server 2008 R2 and Windows Server 2012 operating systems that gives users the experience of being seamlessly connected to their corporate network any time they have Internet access.

The DirectAccess feature in Windows Server 2008 R2 had the following goals for organizations:

  • DirectAccess enhances the productivity of mobile workers by connecting their computers automatically and seamlessly to their intranet any time Internet access is available.
  • With DirectAccess, IT staff can manage mobile computers by updating Group Policy settings and distributing software updates any time the mobile computer has Internet connectivity.
  • DirectAccess separates intranet from Internet traffic.
  • When an application on a DirectAccess client attempts to resolve a name, it first compares the name with the rules in the NRPT (Name Resolution Policy Table).
    If there are no matches, the DirectAccess client uses Internet DNS servers to resolve the name.
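The NRPT lookup described in the last bullet, as an added example that is not part of the original post. It goes slightly beyond the text by applying the most specific matching rule and by treating a rule without DNS servers as an exemption; the rule set, the names and the Resolve-NrptPath function are constructed for illustration.

```powershell
# Constructed NRPT rules; on a real client they can be listed with
# Get-DnsClientNrptPolicy -Effective.
$NrptRules = @(
    # Suffix rule: intranet names go to the DirectAccess DNS server.
    [pscustomobject]@{ Namespace = '.corp.example';    DnsServers = @('2001:db8::53') }
    # Exemption rule: no DNS server, so this name never uses the tunnel.
    [pscustomobject]@{ Namespace = 'nls.corp.example'; DnsServers = @() }
)

function Resolve-NrptPath {
    param([string]$Name, [object[]]$Rules)
    $query = $Name.TrimEnd('.').ToLowerInvariant()
    $best  = $null
    foreach ($rule in $Rules) {
        $ns = $rule.Namespace.ToLowerInvariant()
        # A leading dot marks a suffix rule; anything else is an exact FQDN rule.
        $isMatch = if ($ns.StartsWith('.')) { $query.EndsWith($ns) } else { $query -eq $ns }
        # Keep the most specific (longest) matching namespace.
        if ($isMatch -and (-not $best -or $ns.Length -gt $best.Namespace.Length)) {
            $best = $rule
        }
    }
    if (-not $best) {
        $path = 'Internet DNS (no NRPT match)'
    } elseif (@($best.DnsServers).Count -eq 0) {
        $path = 'Internet DNS (NRPT exemption)'
    } else {
        $path = 'Intranet DNS ' + ($best.DnsServers -join ', ')
    }
    [pscustomobject]@{ Name = $Name; Rule = $best.Namespace; Path = $path }
}

# One intranet name, one exempted name, one name with no matching rule.
'mail.corp.example', 'nls.corp.example', 'www.example.org' |
    ForEach-Object { Resolve-NrptPath -Name $_ -Rules $NrptRules }
```

Any name that falls through to "no NRPT match" is resolved outside the tunnel, so an intranet suffix missing from the table means those queries go to Internet DNS servers.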

The new thing here is that in Windows Server 2012 you can use a single NIC.

In this sample I use a single NIC and show just the easy steps to install the features.

If you look for a feature called DirectAccess you won't find it; it is part of the Remote Access role.

The installation is very easy: in Windows Server 2012 you find the option and install the feature.

Now that the installation is ready we can begin with the configuration: right-click the server and choose Remote Access Management.

The screen pops up with two choices:

I use the Getting Started Wizard and choose Deploy DirectAccess only; my VPN is already covered by my TMG server.

Now the installation wizard asks how you want to configure this: edge, two NICs, or a single NIC.

I use a single NIC, and I put in the URL that is needed for external access.

The first part is now ready. In a brief overview we can customize the things that we need.

In the GPO settings you can change the names or the computer groups if you want different ones.

Again, this is my test lab, so I can use any names I want; in a real deployment, pick a name that is right for this solution.

I have a CA, but in this case I use a self-signed certificate just to show that this can be used. If you want to use your CA, make sure that your server has a certificate.

Finished.

A nice overview of the configuration is shown, and all the options are on the left.

Here are the GPOs that are created. I have two sets, one for this demo and one for real. So two GPOs are created: the client settings and the server settings.

What is in this GPO:

This is all default.

Now we start with the client setup. I choose the top option.

The second one limits DirectAccess usage to remote management capabilities and does not offer users access to internal resources.

Now that this is ready I want reporting, and for that I need accounting. I set this up and it is ready to go.

I can see in the monitoring that I have some errors.

You can see that these are my SCCM servers. They are not responding; I know this, so I can ignore this error.

You can create more detailed logging: just start the tracing and you are good to go.

Now that the setup is complete, you can connect to this server with your new Windows 8 or Windows 7 client.

In the next part I'll do some more configuration.