DirectAccess architecture design

Hi all
I've been asked to design DirectAccess 2012 R2 for Win7 clients (more than 1000).
What is the best scenario for security? One-NIC or two-NIC deployment?
Inside the LAN or in the DMZ?
I will use SSL offload for the Win7 client double encryption.
No multisite.
Any other consideration for a high-level brief?
10x

You should always locate your DirectAccess server behind a front-end firewall, in a perimeter network (DMZ). For an optimal configuration you use two network interfaces: one interface connected to the perimeter network (DMZ) and the other interface connected to the internal network (LAN). Optionally, you can have a back-end firewall between the internal network interface and your internal network.
If you want to use all DirectAccess protocols (e.g. 6to4, Teredo and IP-HTTPS) you need two external IP addresses without NAT in between. But if you are going to use IP-HTTPS only, you can apply NAT and one external IP address will be enough.
There are many other things to consider, but network-wise this is a good start.
Boudewijn Plomp | BPMi Infrastructure & Security
This posting is provided "AS IS" with no warranties, and confers no rights. Please remember, if you see a post that helped you please click "Vote as Helpful", and if it answered your question, please click "Mark as Answer".

Similar Messages

  • DirectAccess Problem on Windows 8.1, working on Windows 7

    We are currently migrating to new Windows 8.1 clients, but we are having problems getting DirectAccess running.
    The same configuration works fine for Windows 7 clients, but the Windows 8.1 seem stuck with a status of "connecting".
    The troubleshooting tool indicates that there is a DNS problem. Pinging the IPv6 address of the DNS server is fine; however, it does not resolve any entry. (The same works fine on the Windows 7 machines.)

    Hi,
    Did the client get the correct certificate?
    Run the command "netsh int httpstunnel show int"; what do we get?
    Check the event log; are there any errors?

  • DirectAccess Client not connecting without error code on Windows Server 2012 R2 and Windows 8.1

    Hello,
    we are currently migrating from Windows Server 2012 to 2012 R2 and are not able to get the new DirectAccess service up and running. Our goal is to establish a DirectAccess connection for a handful of clients using the IPHTTPS adapter on the default port 443.
    Errors:
    There is actually no error showing up. It seems the infrastructure tunnel cannot be created, but none of the IPv6 transition adapters is connecting (Teredo and 6to4 are down) and the IPHTTPS adapter gives no information about a problem:
    >Get-DAConnectionStatus
    Status    : Error
    Substatus : CouldNotContactDirectAccessServer
    >Get-NetIPHttpsState
    LastErrorCode   : 0x0
    InterfaceStatus : Failed to connect to the IPHTTPS server; waiting to reconnect
    Setup:
    Our setup is a virtualized Windows Server 2012 R2 Standard running on Hyper-V. It is located behind a NAT with port 443 mapped to the server. The only role installed after the basic install is RRAS including DirectAccess and VPN. The assistants completed successfully (running the configuration for DirectAccess and VPN). Operations Status says everything is green and working (for multiple days in the meanwhile). A previous DirectAccess installation (on a different machine running Windows Server 2012) has been removed before installing the new server. The new installation is using a different router, so this might also be the cause of the problem.
    The client is a Windows 8.1 notebook located outside the company network, accessing the internet through another NAT device. The client has been able to connect to the previous DirectAccess setup but has never been able to establish a connection after the setup of the new DirectAccess server. The device has no outbound constraints concerning the NAT device and is only running the integrated Windows Firewall.
    Diagnosis:
    So far I've done some basic DNS and connectivity checks. The DNS name can be resolved correctly and the router even responds to pings. The port forward is working and HTTPS connections are generally possible (I temporarily routed the port to access the NLS website located on the server, which worked fine).
    Network Monitor shows that both computers are communicating; traffic on the expected port 443 is arriving at the server and responses from the server reach the client.
    Opening the IPHTTPS URL results in an endless page load. Sometimes the browser page closes, but I've never seen any result. Using telnet on the port shows that the server is accepting connections. I've even built a small test application that does a GET request on the URL, returning HTTP 200 and no content.
    I'm currently running out of ideas about what to do, and since no error occurs this is a bit frustrating. Any help appreciated.
    Regards
    Matthias

    Hi,
    In addition, have you disabled the DA client components on the DA client? If not, please also check the settings in the Name Resolution Policy Table.
    More information:
    DirectAccess Client Location Awareness – NRPT Name Resolution
    In addition, error 0x4C9 means the remote computer refused the network connection. It may be due to an invalid registry or corrupt drivers. For more detailed information, please refer to the link below:
    Error 1225 - Error Code 0x4C9
    Note:
    Microsoft is providing this information as a convenience to you. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
    Best regards,
    Susie

  • How can two independent DirectAccess servers be set up safely in the same domain?

    I've got a single-tier certificate authority running on a 2008 R2 domain controller with an expiring root certificate. I have a new 2012 R2 domain controller with a new single-tier certificate authority. I also have a DirectAccess server running on Server 2012 (two NICs, NAT, IP-HTTPS only). I'd like to get a new DirectAccess server set up running Server 2012 R2, using the new CA for the various DirectAccess server and client computer certs. I can get the new environment working and flip machines from the existing implementation to the new implementation.
    I was previously told by a tech working on one of my Microsoft support tickets that two independent DirectAccess servers can't run in the same domain. However, I posted a related question
    https://social.technet.microsoft.com/Forums/projectserver/en-US/ab53a314-91ea-4d40-afd5-6b8f62698547/2012-directaccess-and-expiring-certificate-authority?forum=winserverNIS and got a response indicating that two independent DirectAccess servers can run in the same domain. If I can carefully get a second server operational within the same domain, I can build a reg file to deploy to all machines prior to the cutover that will simulate the gpupdate for broken machines in the field, getting them connected so the policy can be properly pulled from a DC. Would anyone else be willing to confirm or elaborate on operating two independent DirectAccess servers in the same domain? What are the gotchas?

    Hi,
    Yes, you can have 2 DA deployments in one domain.
    I have done this a number of times for customers when upgrading from UAG DA to 2012.
    Make sure you use different Group Policies for the DA servers and clients. Make sure you target the client with only one GPO at a time. Also use different AD groups.
    You then change the GPO assignment to the clients and they will flip when the client does a gpupdate. I have done this for a site that had over 5000 clients and we didn't have one call about it.
    You can use DirectAccess Offline Domain Join for any broken machines.
    https://technet.microsoft.com/en-gb/library/jj574150.aspx
    Regards, Rmknight

  • Error while trying to configure DirectAccess with OTP

    Hi all,
    I have a working environment of DirectAccess 2012 R2 for Win 8.1 clients (one DA server).
    I have both Vasco and Azure MFA for OTP authentication and I wanted to add either of them to my DA topology.
    I installed a new dedicated Enterprise CA and added the OTP templates, added a new DAProbe user to my RADIUS server and followed the rest of the documentation as described on TechNet.
    I know there's a bug in the DA UI wizard for OTP, so I just enabled two-factor authentication and then from PowerShell I ran the command
    Enable-DAOtpAuthentication -CertificateTemplateName 'DirectAccessOTPLogon' -SigningCertificateTemplateName 'DirectAccessOTPRegistrationAuthority' -CAServer 'testdomain.com\CA' -RadiusServer MFA.testdomain.com -SharedSecret Aa123456
    and I get the following error:
    Enable-DAOtpAuthentication : The specified CA servers are either not valid enterprise CAs or specified incorrectly.
    Rerun the cmdlet with a valid CAServer parameter in the correct format (FQDN\CAServerName).
    At line:1 char:1
    + Enable-DAOtpAuthentication -CertificateTemplateName 'DirectAccessOTPLogon' -Sign ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (CAServer:root/Microsoft/...pAuthentication) [Enable-DAOtpAuthentication],
        CimException
        + FullyQualifiedErrorId : HRESULT 80092004,Enable-DAOtpAuthentication
    My RADIUS server is domain joined.
    PowerShell runs as Administrator.
    Firewalls are disabled on my DC, CA and RADIUS server, and I can ping the CA without any issues.
    The CA is an Enterprise CA for sure and not Standalone.
    I can issue certificates from the CA without any issues.
    I tried to input the CA server like this: @{'domain.fqdn'}, 'domain.fqdn', domain.fqdn - all give the same result.
    I even tried to create another CA from scratch just to be sure the problem is not on my server...
    Anyway, I'm stuck. It seems like no one else on the web has run into this error...
    I'd love to get some help on ways to troubleshoot the problem.
    Thanks
    Tamir Levy

    Hi,
    Microsoft recently published a fix for an OTP activation problem with the Windows Server 2012 R2 Remote Access Management Console:
    https://support.microsoft.com/en-us/kb/3047733/. Your error code reminds me of a Windows Server 2012 problem. Is the subject name in your IPHTTPS certificate encoded in UTF-8 format (https://support.microsoft.com/en-us/kb/2796394/)?
    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

  • DirectAccess 2012R2 - Web Filtering

    I have a need to do web filtering (I think). What I have is an external web site (not Corpnet) that can only be accessed from a Corpnet IP address range. Because of this, when I go to that web site, split tunneling sends the traffic down the client-side ISP and not down the Corpnet side. Since the web site will only allow connections from certain IP address ranges, I need that traffic to go down the Corpnet route. I would like to keep split tunneling turned on. I did find this article (http://www.concurrency.com/infrastructure/web-filtering-for-directaccess-users-55/), but it deals with TMG and I'm not sure how to move that over to Windows 2012 R2 DA. Can someone help me with this?
    Thanks,
    Ken ...
    Ken Lutz - Spokane County

    Hello,
    You can try a specific Name Resolution Policy in an additional GPO for your DirectAccess clients, based on the FQDN of your website.
    This will add the website to the NRPT table, and when your client tries to connect to it, the request will be sent to the DirectAccess infrastructure instead of the ISP.
    Gerald
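    The NRPT approach Gerald describes, as an added example that is not part of this thread or of any Microsoft documentation: a PowerShell script, assumed to run on a domain-joined admin workstation with the RSAT GroupPolicy and DnsClient modules, that creates a dedicated client-side GPO holding one NRPT rule for the external FQDN. The FQDN, the DNS64 address and the GPO name are placeholders; the DNS64 address has to be the one the DirectAccess wizard already put into the existing client GPO's NRPT rules (the comment shows where to read it).

```powershell
# Added example (not from the thread): force one external FQDN through DirectAccess
# by publishing an NRPT rule in a separate client-side GPO.
# Run on a domain-joined admin workstation with RSAT (GroupPolicy + DnsClient modules).
# All three values below are placeholders, not values from the thread.
$Fqdn    = 'partnerportal.example.com'        # exact name; use '.example.com' to match a whole suffix
$DaDns   = 'fd00:1234:5678:7777::a00:1'       # DNS64 address already used by the wizard's NRPT rules; copy it from:
                                              #   Get-DnsClientNrptRule -GpoName 'DirectAccess Client Settings' | Format-List
$GpoName = 'DirectAccess - NRPT exceptions'   # keep it separate from the wizard-managed GPOs

Import-Module GroupPolicy
Import-Module DnsClient

# Create the GPO once; link it to the client OU (or security-filter it to the DA client group) afterwards.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
}

# Refuse to add a second rule for the same name; two rules for one namespace give confusing client behaviour.
$existing = Get-DnsClientNrptRule -GpoName $GpoName | Where-Object { $_.Namespace -eq $Fqdn }
if ($existing) {
    Write-Warning "An NRPT rule for $Fqdn already exists in '$GpoName'; not adding another."
} else {
    # DirectAccessEnabled + DANameServers make the client send this name to the DA DNS64
    # address only while it is outside the corporate network (NLS unreachable).
    Add-DnsClientNrptRule -GpoName $GpoName -Namespace $Fqdn `
        -DirectAccessEnabled $true -DANameServers $DaDns `
        -Comment 'Resolve via DirectAccess so the site sees a corporate source address'
}

# Verification on a DA client after 'gpupdate /force' (run there, not on the admin box):
#   Get-DnsClientNrptPolicy -Effective | Where-Object { $_.Namespace -eq $Fqdn } | Format-List
```

    The rule only changes name resolution: the corporate DNS behind DNS64 must be able to resolve the public name, and the DA server must be able to reach the site, for the traffic to actually leave via the corporate address range. Keeping the rule in its own GPO means the wizard can keep regenerating "DirectAccess Client Settings" without overwriting it.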

  • Windows 8.1 not connecting to DirectAccess after coming out of hibernation

    Have a strange issue with Windows 8.1 and DirectAccess on Server 2012. Initially, after performing a clean install of Windows 8.1, my DirectAccess connection was working fine; even after coming out of hibernation it would reconnect to DirectAccess with no issues. Yesterday, after applying Windows updates and rebooting, my Windows 8.1 would connect to DirectAccess fine. If I hibernate and come out of hibernation, my DirectAccess status is stuck on Connecting and only connects if I reboot.
    I performed a system restore as of last week and my DirectAccess connection is back to working as expected. So it seems a particular Windows update is causing this issue. Does anyone know which one in particular?

    Hi there, nothing specific that I know of, but have all the hotfixes been applied to both the server and the 8.1 clients (which may fix the issue)?
    http://support.microsoft.com/kb/2883952/en-us
    John Davies

  • DirectAccess Windows Server 2012 R2 and Windows 8.1 - status connecting

    I've successfully deployed DirectAccess on Windows Server 2012 R2 in a 2-node NLB cluster. Everything in the console is green and I can see clients connecting.
    Windows 7 clients can connect and, with the DirectAccess Connectivity Assistant installed, show as connected and I can access resources.
    On a Windows 8.1 client I can access resources and run the troubleshooting tool, which reports no errors, but if I look at connections it shows as connecting and the status never changes to connected. Clients work correctly when on the internal network.
    I've looked at available hotfixes, but not found anything for when the status is incorrectly shown.
    Any ideas before I raise a support call?
    James Saunders

    Hi,
    Your current information can hardly determine which part may cause the error. I found a similar symptom in the following third-party article, which may give you some help.
    The similar issue third-party article:
    Windows 8 DirectAccess client keeps saying "Connecting"
    http://tfs.letsblog.it/post/2013/07/10/Windows-8-DirectAccess-client-keeps-saying-Connecting.aspx
    More information:
    The Network Connection Status Icon
    http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx
    Hope this helps.
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

  • DirectAccess Server 2012 Configuration cannot be retrieved from domain controller

    Hi everyone,
    We are using DirectAccess on Server 2012. There is just one server, no load balancing.
    Everything works fine, all clients can connect successfully and the operations status page shows all in green. Nevertheless, on the dashboard page in the configuration status section it says “Configuration for server [servername] cannot be retrieved from the domain controller.”
    I found a few hints about what could cause this problem:
    "In my case, the RAConfigTask, a scheduled task, was not enabled on the affected WS2012 server (DA entry point in a multisite deployment). After just enabling it, the error has gone." http://blog.gocloud-security.ch/2013/01/11/ws2012-directaccess-and-the-configuration-for-server-server-name-retrieved-from-the-domain-controller-cannot-be-applied-error/
    "Group Policy was filtering out my DA server from the GPO object for some reason. To fix, I opened up Group Policy Management on the domain controller and made sure that my DA server was a part of the group." http://www.joedissmeyer.com/2012/12/more-issues-and-solutions-for.html
    "Server has no connectivity to the domain in order to update the policies. Run “gpupdate /force” on the server to force policy update. GPO replication might be required in order to retrieve the updated configuration."
    "This could be because there is no writable domain controller in the Active Directory site of the Remote Access server." http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/56fedb17-1274-4e1a-b2d0-fea809f0bc45
    I checked everything. The task is enabled and completed successfully, the GPO is not filtered out, gpupdate runs without any errors, I could connect to the domain controller, there are no errors on the domain controller, and the domain controller is writable.
    So, I have no idea what could cause this error. Any ideas or hints?
    Thanks
    Regards
    Sebastian

    I have the exact same problem. I figured out that there was a problem with "Log on as a service":
    secpol.msc --> Local Policies --> User Rights Assignment, Log on as a service: I have NT Service\All Services.
    I can access the Group Policy via the console just fine; I have no connectivity issues whatsoever.
    I decided to open a call with Microsoft; their suggestion... we don't know, reinstall. So I did, and here we are: same problem and no solution. It is getting frustrating...

  • DirectAccess on Server 2012 R2 with Single NIC behind NAT on IPv4 only Corporate Network Results in "DNS Not Working Properly"

    I hit this problem at a customer site and can reproduce it in a simple lab. Lab environment: servers:
    1x Server 2012 R2 DC and DNS server - DC1 - 10.0.0.1
    1x Server 2012 R2 DirectAccess (DA) server - DA1 - 10.0.0.100
    Servers are running "Update" (KB2919355) and following DA hotfixes:
    KB2929930
    KB2966087
    I configured DA (via advanced wizard) as follows:
    DA and remote access
    AD group
    directaccess-webprobehost DNS (A) record pointing to 10.0.0.100
    behind an edge device (with a single network adapter)
    SSL certificate from enterprise root CA issued to directaccess.contoso.com
    NLS on remote server using https://nls.corp.contoso.com
    DNS: corp.contoso.com = 10.0.0.1; nls.corp.contoso.com = ""
    DNS suffix search list = corp.contoso.com
    The DNS server validates successfully in the configuration UI.
    With this configuration, I get a static IPv6 address of fd79:7a37:cbd9:3333::1/128 assigned to the NIC
    The operations status is all green apart from DNS which displays the following error:
    "DNS: Not Working Properly"
    Error:
    None of the enterprise DNS servers fd79:7a37:cbd9:7777::a00:1 used by DirectAccess clients for name resolution are responding. This might affect DirectAccess client connectivity to corporate resources.
    Causes:
    Enterprise DNS servers fd79:7a37:cbd9:7777::a00:1 are not responding.
    I can, however ping fd79:7a37:cbd9:7777::a00:1 (which is the DNS64 translation of 10.0.0.1)
    I would like to know what checks are failing as there are no failures in Event Viewer.
    I have come across forums where people have the same issue and fix it by specifying the local IP (in this case 10.0.0.100) as the DNS server; however, Richard Hicks has confirmed with me that the DNS server should be set to the DNS server, not the DA server's IP.

    Thanks for the post Matt,
    ISATAP has been disabled on my DA server, so the results of a "ROUTE PRINT -6" command yields:
    ===========================================================================
    Interface List
     12...00 15 5d 01 03 64 ......Microsoft Hyper-V Network Adapter
      1...........................Software Loopback Interface 1
     14...00 00 00 00 00 00 00 e0 IPHTTPSInterface
    ===========================================================================
    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination                           Gateway
      1    306 ::1/128                                               On-link
     12    261 fd79:7a37:cbd9::/48                         On-link
     14    306 fd79:7a37:cbd9:1000::/64                On-link
     14    306 fd79:7a37:cbd9:1000::/128              On-link
     14    306 fd79:7a37:cbd9:1000::1/128            On-link
     14    306 fd79:7a37:cbd9:1000::2/128            On-link
     14    306 fd79:7a37:cbd9:1000:814c:28be:46b5:52c1/128     On-link
     12    261 fd79:7a37:cbd9:3333::1/128            On-link
     12    261 fd79:7a37:cbd9:7777::/96                On-link
     12    261 fe80::/64                                           On-link
     14    306 fe80::/64                                           On-link
     12    261 fe80::20c0:e848:d304:9f01/128       On-link
     14    306 fe80::814c:28be:46b5:52c1/128      On-link
      1    306 ff00::/8                                               On-link
     12    261 ff00::/8                                              On-link
     14    306 ff00::/8                                             On-link
    ===========================================================================
    Persistent Routes:
     If Metric Network Destination                            Gateway
      0 4294967295 fd79:7a37:cbd9:1000::/64       On-link
      0 4294967295 fd79:7a37:cbd9::/48                On-link
      0 4294967295 fd79:7a37:cbd9:7777::/96       On-link
    ===========================================================================
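    The poster notes that fd79:7a37:cbd9:7777::a00:1 is the DNS64 translation of 10.0.0.1, and the route table above shows the matching fd79:7a37:cbd9:7777::/96 on-link route. As an added example (not part of the thread, and not DirectAccess's own code), this PowerShell snippet performs that NAT64 prefix embedding in both directions, using the thread's prefix and DNS server address as sample input; it can be used to check whether an IPv6 address reported in the operations status really corresponds to the IPv4 DNS server that was configured.

```powershell
# Added example (not from the thread): embed an IPv4 address in a NAT64 /96 prefix
# the way DNS64 does, and extract it again. Sample input is taken from the thread
# (prefix fd79:7a37:cbd9:7777::/96, DNS server 10.0.0.1).

function ConvertTo-Nat64Address {
    param(
        [Parameter(Mandatory)][string]$Prefix,   # NAT64 /96 prefix, e.g. 'fd79:7a37:cbd9:7777::'
        [Parameter(Mandatory)][string]$IPv4      # dotted-quad address to embed
    )
    $prefixBytes = [System.Net.IPAddress]::Parse($Prefix).GetAddressBytes()
    $v4Bytes     = [System.Net.IPAddress]::Parse($IPv4).GetAddressBytes()
    if ($prefixBytes.Length -ne 16 -or $v4Bytes.Length -ne 4) {
        throw "Prefix must be an IPv6 address and the embedded address must be IPv4"
    }
    # A /96 prefix occupies the first 12 bytes; the IPv4 address fills the last 4.
    [System.Array]::Copy($v4Bytes, 0, $prefixBytes, 12, 4)
    [System.Net.IPAddress]::new($prefixBytes).IPAddressToString
}

function ConvertFrom-Nat64Address {
    param(
        [Parameter(Mandatory)][string]$Prefix,
        [Parameter(Mandatory)][string]$IPv6
    )
    $prefixBytes = [System.Net.IPAddress]::Parse($Prefix).GetAddressBytes()
    $v6Bytes     = [System.Net.IPAddress]::Parse($IPv6).GetAddressBytes()
    # Only addresses inside the /96 prefix carry an embedded IPv4 host; anything else is a native IPv6 address.
    for ($i = 0; $i -lt 12; $i++) {
        if ($prefixBytes[$i] -ne $v6Bytes[$i]) { return $null }
    }
    [System.Net.IPAddress]::new([byte[]]($v6Bytes[12..15])).IPAddressToString
}

$nat64Prefix = 'fd79:7a37:cbd9:7777::'
$synth = ConvertTo-Nat64Address -Prefix $nat64Prefix -IPv4 '10.0.0.1'
"DNS64 address for 10.0.0.1 : $synth"          # fd79:7a37:cbd9:7777::a00:1, as reported in the thread
"Embedded IPv4 of $synth : $(ConvertFrom-Nat64Address -Prefix $nat64Prefix -IPv6 $synth)"
# A native IPv6 address (for example the server's own fd79:7a37:cbd9:3333::1) yields $null:
"Native address check       : $(ConvertFrom-Nat64Address -Prefix $nat64Prefix -IPv6 'fd79:7a37:cbd9:3333::1')"
```

    The point of the round trip is diagnostic: when the operations status names an IPv6 DNS server that "is not responding", decoding it tells you which IPv4 server the probe is really aimed at, so you can test that server directly from the DA box over IPv4 before suspecting DNS64 itself.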

  • Windows 8.1 DirectAccess DNS-Problems

    Hi
    We use DirectAccess on Server 2012 R2, Win 8 and Win 8.1 clients (same hardware), force tunneling configured.
    We can access our corporate resources (file and web servers) without problems.
    While the Win 8 clients work great, the Win 8.1 clients cause some trouble:
    When in DA mode (external) the connection to the file server works. After going into standby mode and back online, the network drives and the RDP sessions can no longer connect (host not found) for about 15 minutes or until I clear the DNS cache. In the corporate network, standby mode does not affect the connectivity or name resolution. Has anyone seen this problem with the Win 8.1 clients too?
    Thanks, Mario

    Hi,
    Unfortunately, the available information is not enough to have a clear view of the observed behavior. Could you provide more information about your environment? For example, the exact text of any error messages that you received that are associated with this problem, the server version the problem occurs on, what you are trying to do when you experience this issue, and the system log records from when the problem occurs; screenshots are the best information. And could you clarify what “when in DA-Mode (external) the Connection to the file-Server works. After going in standby-mode und back online” means?
    Based on my experience, it may be an NRPT policy issue; you can refer to the following KBs for further troubleshooting:
    Introduction to the NRPT
    http://technet.microsoft.com/en-us/library/ee649207%28v=ws.10%29.aspx
    DirectAccess Client Location Awareness – NRPT Name Resolution
    http://social.technet.microsoft.com/wiki/contents/articles/664.directaccess-client-location-awareness-nrpt-name-resolution.aspx
    One more third-party article:
    Resolving DirectAccess Connectivity Issues (The easy solution)
    http://acbrownit.wordpress.com/2013/06/05/resolving-directaccess-connectivity-issues-the-easy-solution/
    Hope this helps.

  • Directaccess - IPHTTPS error 0x80190194, Server 2012R2 / Win 8.1

    I'm trying to set up DirectAccess for our network. I already have a server in our edge network with the Remote Access role installed for the Web Application Proxy service, so I added the DirectAccess role service to that. According to the documentation, if both are a single-server implementation it is supported to run both of those on the same server.
    I configured DirectAccess and added a Win 8.1 client to the DA security group to test it. I confirmed that on the internal network the client is able to connect to the NLS, and DA shows that it is connected to the local network. However, when on an outside network, DA just says it's trying to connect, and never does. I ran the log collection tool from the DA connection settings and found that the IPHTTPS connection shows an error code 0x80190194.
    I've searched for info on this, but so far I'm not finding anything that seems to fit my situation. The responses to others with this error seem to point to a certificate issue. In my case, I'm using a wildcard certificate for our public domain name. The cert is signed by a major public CA, so there shouldn't be any trust issues. The external DNS name that DA should connect to is RAS.domain.com and the certificate is for *.domain.com.
    Any suggestions on what the problem could be, or what to look at next for troubleshooting the issue, would be appreciated.
    Thanks!

    Thank you for the reply.  I ran netsh http show ssl, and the first entry returned is:
    SSL Certificate bindings:
        IP:port                      : 0.0.0.0:443
        Certificate Hash             : 1414baa1409b2c8ffd8c2d549f460db4bcf8130f
        Application ID               : {f955c070-e044-456c-ac00-e9e4275b3f04}
        Certificate Store Name       : MY
        Verify Client Certificate Revocation : Enabled
        Verify Revocation Using Cached Client Certificate Only : Disabled
        Usage Check                  : Enabled
        Revocation Freshness Time    : 0
        URL Retrieval Timeout        : 0
        Ctl Identifier               : (null)
        Ctl Store Name               : (null)
        DS Mapper Usage              : Disabled
        Negotiate Client Certificate : Disabled
    That is followed by several entries for addresses related to our Lync and ADFS servers, published through Web Application Proxy. All of those have the same certificate hash listed, which makes sense since I am using the same wildcard certificate for WAP and DA.
    I did find a post or two indicating that the DS Mapper Usage may need to be set to enabled, so I tried that last week, but it didn't seem to make any difference.

  • How to setup the DirectAccess on windows server 2012 r2 essentials with 2 nics

    I have a server with two network cards (the first NIC called "Internet" and the second NIC called "Local Network"), both with static IPs.
    The computer has "DomainName.local".
    I still have not connected to the internet with my company domain name from my server.
    I have installed and configured DHCP, DNS and WINS, and they operate trouble-free.
    I have also installed the role "DirectAccess and VPN".
    But here we face the problem that I cannot set up DirectAccess with two network interface cards.
    None of the information I found on Microsoft pages met my needs.
    Can you help me set up DirectAccess on my server?

    Hi:
    Remove/disable the "Internet" NIC and connect the server and all stations to a switch. Connect the switch to the router/firewall at the edge. Server stopped doing NAT after 2003.
    Larry Struckmeyer[MVP] If your question is answered please mark the response as the answer so that others can benefit.

  • How to use MS DirectAccess to connect ECC platform with 2 instances

    We have an ECC platform (6.0 EhP4) with 2 instances. We connect to this platform through SAP GUI (7.30 SP7).
    Currently we supply remote access service via an SSL gateway. We want to implement the component Microsoft DirectAccess to provide this service.
    Our platform's 2 instances are made from a Microsoft cluster.
    When we configure the SAP GUI with instances, DirectAccess works very well. When we use two instances with a logical name there is an error: the connection is established, SAP's load distribution assigns a node, and we receive the message "address xx.yy.zz.uu don't reache".
    Does anyone have a similar configuration?
    Has someone found the solution to work with DirectAccess in SAProuter?
    Thank you for your answers, Thierry

    Hi Thierry,
    Did you find a solution to connect to an SAP logon group?
    Regards,
    Diane Szmurlo

  • DirectAccess 2012 - Best way to deploy between two firewalls (NAT'd)

    We are deploying DirectAccess 2012 and have a requirement that traffic from the internet (red) must be proxied through the DMZ (yellow) before touching anything on the internal network (green). I will initially only be configuring it to use IP-HTTPS (no Teredo). We have two firewalls, one on the perimeter (FW1), and one between the DMZ and internal networks (FW2).
    I'm trying to determine the best way of deploying this in our environment. I've come up with two possibilities:
    1. Deploy with two network cards, each connected to separate DMZs. In this scenario, NIC 1 would contain the internet-facing IP in DMZ 1 (say 10.10.10.2 and NAT'd by FW1), and NIC 2 would contain an internal-facing IP on DMZ 2 (say 10.10.11.2). NIC 2 would be routable to the internal subnets via the internal firewall.
    Crude diagram:    Internet -> FW1 -> 10.10.10.2---DA---10.10.11.2 -> FW2 -> Internal network
    2. Deploy with one network card in the DMZ. This would be NAT'd by FW1, and then pass traffic through to FW2. Since I'd be allowing all TCP/UDP traffic (as per MS) through FW2 to the primary network, this method seems unsafe to me.
    Crude diagram:   Internet -> FW1 -> 10.10.10.2---DA -> FW2 -> Internal network
    What is the best and most secure way to deploy this in the DMZ? I do not want to put an internal network IP directly on the DirectAccess server, as it needs to go through FW2 before reaching internal. The DA server should be isolated in the DMZ.
    Advice is appreciated.

    Hi,
    The first solution is better. The DA server is under the protection of FW1, and the DA server already offers certain security itself, such as the requirement of a computer certificate, domain membership (which means domain authentication) and so on.
    Here is a related thread:
    DirectAccess 2012 + Security concerns
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/2e394a72-d263-449f-9ec2-02701aa8cb96/directaccess-2012-security-concerns?forum=winserver8gen
    Hope this helps.
    Steven Lee
    TechNet Community Support
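    Both the opening question (one or two NICs, LAN or DMZ, and Boudewijn's note that 6to4/Teredo need two public addresses without NAT while IP-HTTPS works with one NAT'd address) and this two-firewall thread come down to the same placement checks. As an added example that is not part of either thread and not Microsoft's own tooling, this PowerShell script, assumed to run on the DA server with the RemoteAccess module, reports how the server is actually placed and flags the combinations the answers warn about. The property names InternetInterface, InternalInterface and TeredoState on Get-DAServer are assumed from the Windows Server 2012 R2 cmdlet; Test-PrivateIPv4 and Get-DAPlacementReport are hypothetical helper names.

```powershell
# Added example (not from the threads): sanity-check a DirectAccess server's network placement
# against the one-NIC/two-NIC and NAT/transition-technology advice given in the answers.
# Run on the DA server itself. Assumes Get-DAServer (RemoteAccess module) exposes the
# InternetInterface, InternalInterface and TeredoState properties.

function Test-PrivateIPv4 {
    param([Parameter(Mandatory)][string]$Address)
    # RFC 1918 ranges: a private address on the Internet-facing NIC means a NAT device sits in front of it.
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    ($b[0] -eq 10) -or
    ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
    ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Get-DAPlacementReport {
    $da = Get-DAServer
    # Two-NIC deployment: a distinct internal interface, so a back-end firewall can sit between DA and the LAN.
    $twoNic = -not [string]::IsNullOrEmpty($da.InternalInterface) -and
              ($da.InternalInterface -ne $da.InternetInterface)
    $extAddrs = @(Get-NetIPAddress -InterfaceAlias $da.InternetInterface -AddressFamily IPv4 |
                  Select-Object -ExpandProperty IPAddress)
    $natSuspected = @($extAddrs | Where-Object { Test-PrivateIPv4 $_ }).Count -gt 0

    $findings = @()
    if (-not $twoNic) {
        $findings += 'Single NIC: internal and Internet traffic share one interface; no back-end firewall boundary between DA and the LAN.'
    }
    if ($da.TeredoState -eq 'Enabled') {
        if ($extAddrs.Count -lt 2) {
            $findings += "Teredo is enabled but '$($da.InternetInterface)' has only $($extAddrs.Count) IPv4 address(es); Teredo needs two consecutive public addresses."
        }
        if ($natSuspected) {
            $findings += 'Teredo is enabled behind NAT (private address on the Internet NIC); only IP-HTTPS works through NAT.'
        }
    }
    if ($findings.Count -eq 0) { $findings += 'No placement issues detected by these checks.' }

    [pscustomobject]@{
        InternetInterface = $da.InternetInterface
        InternalInterface = $da.InternalInterface
        TwoNicDeployment  = $twoNic
        ExternalIPv4      = ($extAddrs -join ', ')
        NatSuspected      = $natSuspected
        TeredoState       = $da.TeredoState
        Findings          = $findings
    }
}

Get-DAPlacementReport | Format-List
```

    For an IP-HTTPS-only design like the one in this thread, NatSuspected = True is expected and harmless; it only becomes a finding when Teredo is left enabled. The report does not see the firewalls themselves, so the rule set on FW2 (only the DA server's internal address allowed, only the ports DirectAccess needs) still has to be reviewed on the firewall.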
