Sunday, 20 October 2013

Direct Access in 5 Easy Steps

Direct Access is a marvellous technology provided by Microsoft. It allows domain-joined devices to access corporate resources seamlessly over the Internet. When an Internet connection is detected, Windows automatically connects to the corporate Workplace Connection without any user intervention (like a hands-free VPN, if you like).

Direct Access provided by Windows Server 2012 is really easy to configure (5 easy steps). It has progressed a lot since the days of Windows Server 2008 R2, when this was quite a difficult configuration in conjunction with UAG.

Direct Access is an excellent alternative to traditional VPN technologies.
  • In Enterprise Client Management, a high percentage of helpdesk calls are logged regarding issues with VPN clients. I have seen evidence of a reduction in helpdesk calls after the deployment of Direct Access.
  • The performance overhead of the VPN client is eliminated.
  • Costs can be reduced with the reduction in VPN client licensing.

Note that Direct Access is a supplementary alternative to traditional VPNs rather than a replacement. Devices have to be domain-joined to be able to use the feature, which is normally not allowed in the case of 3rd party support companies or partners. They will continue to use traditional VPNs to connect to your corporate resources.

This series of blog posts will demonstrate how to deliver Direct Access in 5 Easy Steps using Windows Server 2012. We will concentrate only on Windows 8 clients, which can pretty much connect "out-of-the-box". Windows 7 clients require a little more work and certificate configuration.

Please browse the sections below for a step by step guide.

Note that there are a few ways to deploy the solution, and you have some choices along the way. We will deploy a single server solution (with a single NIC) incorporating a 3rd Party SSL Certificate.

Other options include:
  • deploying several servers for redundancy and load balancing
  • separate server for Network Location Server (NLS) - recommended
  • Network (NLB) or hardware (HLB) load balancing
  • Two-NIC implementation for deployment in DMZ
  • Certificates: Self-signed, CA, 3rd Party SSL

Start by creating a Windows Server 2012 server, fully patched, and join it to your domain. This will be our Direct Access server (and our NLS in this case).

What is the Network Location Server (NLS)?

The NLS is a critical part of a Direct Access deployment. It is deployed as a means of verifying that Direct Access clients can, in fact, access corporate resources: the Direct Access clients locate and access a secure (HTTPS) web page on the NLS (or can be configured to locate it by pinging).

It is also used to detect whether Direct Access clients are on the Internet or on the Intranet. If a client on the corporate network cannot reach the NLS, it will wrongly believe it is on the Internet and will try to bring up its Direct Access tunnels from inside, so the NLS must be reachable from every internal subnet and must never be resolvable from the Internet.
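Because the inside/outside decision hinges entirely on the NLS probe, a quick client-side check is worth having when a user reports that Direct Access "isn't connecting". The script below is an added example and is not part of the original post or of Microsoft's tooling: it reads the NLS URL the client has been handed (the `DomainLocationDeterminationUrl` value exposed by the built-in `Get-NCSIPolicyConfiguration` cmdlet on Windows 8), probes it over HTTPS, and lists the Name Resolution Policy Table (NRPT) rules so you can confirm that the NLS hostname is exempted from the Direct Access DNS servers. The property names and the `$ProbeTimeoutSeconds` value are assumptions for this example; run it on a Windows 8 client in an elevated PowerShell session.

```powershell
# Added example: diagnose NLS reachability and inside/outside detection on a
# Windows 8 Direct Access client. Assumes the NetworkConnectivityStatus,
# DnsClient and DirectAccessClientComponents modules that ship with Windows 8.

$ProbeTimeoutSeconds = 5   # assumed value for this example

function Get-NlsUrl {
    # The NLS URL is pushed to the client by the Direct Access group policy.
    $ncsi = Get-NCSIPolicyConfiguration
    return $ncsi.DomainLocationDeterminationUrl
}

function Test-NlsReachable {
    param([string]$Url)
    if ([string]::IsNullOrEmpty($Url)) {
        Write-Warning "No NLS URL configured - has the Direct Access GPO applied? Run 'gpupdate /force'."
        return $false
    }
    try {
        # A successful HTTPS GET means the client will consider itself 'inside'.
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec $ProbeTimeoutSeconds
        return ($resp.StatusCode -eq 200)
    } catch {
        # Certificate errors count as failures too: the client must trust the NLS cert.
        Write-Warning ("NLS probe to {0} failed: {1}" -f $Url, $_.Exception.Message)
        return $false
    }
}

function Show-NrptRules {
    # Every corporate namespace should be listed; the NLS host must NOT be,
    # otherwise an internal client would try to resolve it via the DA tunnel.
    Get-DnsClientNrptPolicy |
        Select-Object Namespace, DirectAccessDnsServers |
        Format-Table -AutoSize
}

function Invoke-NlsDiagnostic {
    $url = Get-NlsUrl
    Write-Host "Configured NLS URL : $url"

    $inside = Test-NlsReachable -Url $url
    if ($inside) {
        Write-Host "NLS reachable - client should detect 'Intranet' and leave DA tunnels down."
    } else {
        Write-Host "NLS NOT reachable - client will detect 'Internet' and attempt DA tunnels."
    }

    Write-Host "`nNRPT rules applied to this client:"
    Show-NrptRules

    # Windows 8 reports the overall DA state as well; compare it with the probe above.
    Write-Host "Direct Access connection status:"
    Get-DAConnectionStatus
}

Invoke-NlsDiagnostic
```

If the probe succeeds from the corporate LAN but the NLS hostname also appears in the NRPT output, clients on the Intranet will try to resolve the NLS through the Direct Access DNS servers and flip to "Internet"; that mismatch is the single most common cause of the symptom the post's Step 5 troubleshoots.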

Step 1: Networking & Active Directory

Step 2: Certificates

Step 3: Add Remote Access Role

Step 4: Configure Remote Access Role

Step 5: Windows 8 client and troubleshooting


Move NLS to remote web server

High Availability 

This series of blogs is now available as a downloadable PDF from the TechNet Gallery

1 comment:

  1. Hello Gerry,
    Thanks for this step-by-step guide/series.
    In this demo, you are using one NIC that has a dedicated/static IP ==> correct?
    I configured my NIC according to the settings provided by my ISP (IP, subnet, gateway, etc.) and I have a healthy link.
    ADDS + DNS + DHCP are installed on the same server (this server will be running RSA as well).
    I connected my Cisco switch to the ISP's line, and on the client side I checked and it didn't get an IP address.
    No address lease either ...
    How do you connect with clients? Is DHCP running on the same box which has the dedicated IP?