Sunday, 20 October 2013

Direct Access Easy Step 1: Networking & Active Directory

Back to Direct Access main menu

There are a number of Networking and Active Directory tasks to be carried out before we start the installation and configuration of the Remote Access role.
 
1. External DNS A record
 
Use a Public IP address that you own that is currently not configured on your external firewall to use port 443.  (eg 82.72.142.22. I've made this up - my apologies if you own it)
 
Contact your domain hosting company (or log on to your domain portal if you have one) to create a new DNS A record for your domain (eg da.contoso.com). Configure this record to use the available Public IP address.
 
Verify that the record has been created by pinging it. It doesn't matter if the ping does not get a reply (perhaps your firewall doesn't allow it). What matters is that the FQDN resolves to the IP address.
 
2. Firewall Rules
 
Create a rule that allows inbound traffic to 82.72.142.22 Port 443.
 
Create a NAT rule that directs this traffic to the IP address of your Direct Access server.
 
 
3. ISATP status
 
Check that ISATAP protocol is allowed in your Active Directory network (by default, it is not).
Execute this command on a DNS server (Windows 2008 upwards).

dnscmd /info /globalqueryblocklist




See that wpad and isatap protocols are currently "blocked".

Remove ISATAP from the Global Query Block List by executing the following command. This configures the list to include wpad only.


dnscmd /config /globalqueryblocklist wpad
 


Query the list again to verify
 
dnscmd /info /globalqueryblocklist
 
 

Restart DNS



Verify the Global Query Block List in the registry (see the path below)




4. Verify that the Direct Access server has been configured to use IPv6 (it is by default).




 5. Create an Active Directory Security Group.

You will enable domain devices for Direct Access by adding their computer accounts to this group.






No comments:

Post a Comment