SECURE ACCESS INTERNAL NETWORK RESOURCES WITHOUT VPN – DIRECTACCESS PART1

Our client is looking at methods of remote access, and we have been engaged to deploy DirectAccess 2016.
DirectAccess provides users with the experience of being seamlessly connected to their intranet any time they have Internet access. When DirectAccess is enabled, requests for intranet resources (such as email servers, shared folders, or intranet websites) are securely directed to the intranet, without the need for users to connect to a VPN. DirectAccess enables increased productivity for a mobile workforce by offering the same connectivity experience both inside and outside of the office. This document can also be used for DirectAccess 2012 R2.


Note

Do not attempt to deploy Remote Access on a virtual machine (VM) in Microsoft Azure. Using Remote Access in Microsoft Azure is not supported. You cannot use Remote Access in an Azure VM to deploy VPN, DirectAccess, or any other Remote Access feature in Windows Server 2016 or earlier versions of Windows Server. For more information, see Microsoft server software support for Microsoft Azure virtual machines.

Let’s follow the steps to build DirectAccess.

Create a Security Group for Direct Access Clients

  1. Log on to DC Server.
  2. From the Start screen, click Administrative Tools.
  3. Click Active Directory Users and Computers.
  4. In the console tree, click the arrow to expand domain (local), and then click Users.
  5. In the Tasks pane, click New, and then click Group.
  6. In the Create Group dialog, type DirectAccessClients for Group name.
  7. Scroll down to access the Members section of the Create Group dialog, and click Add.
  8. Click Object Types, select Computers, and click OK.
  9. Add the computer name of Direct Access Clients, and then click OK.
  10. In the Tasks pane, click New, and then click Group.
  11. In the Create Group dialog, type DirectAccessManagement for Group name.
  12. Scroll down to access the Members section of the Create Group dialog, and click Add.
  13. Click Object Types, select Computers, and click OK.
  14. Add the computer name of Direct Access Management Workstations, and then click OK.
  15. Close Active Directory Users and Computers console.

Create the network location server DNS record

  1. Log on to DC Server.
  2. From the Start screen, click Administrative Tools.
  3. Expand DC, Forward Lookup Zones, and select the local domain name.
  4. Right-click the local domain name, and then click New Host (A or AAAA).
  5. Under Name, type DirectAccess-NLS, and under IP address, type IP address of Direct Access Server.
  6. Click Add Host, click OK, and then click Done.
  7. Right-click the local domain name, and then click New Host (A or AAAA).
  8. Under Name, type DirectAccess-ISATAP, and under IP address, type IP address of Direct Access Server.
  9. Click Add Host, click OK, and then click Done.
  10. Close the DNS Manager console.
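The same two procedures (security groups and the NLS/ISATAP host records) as a PowerShell script run on the DC. This is an added example, not part of the original post; the domain name domain.local, the DirectAccess server IP 10.0.0.5 and the computer names are constructed assumptions.

```powershell
# Added example: PowerShell equivalent of the group and DNS steps above, run on the DC.
# Assumptions (constructed): domain domain.local, DirectAccess server internal IP 10.0.0.5,
# and computer accounts CLIENT01, CLIENT02 and MGMT01 already exist in AD.
Import-Module ActiveDirectory, DnsServer

$Zone       = 'domain.local'
$DaServerIP = '10.0.0.5'                                  # internal IP of the DirectAccess server
$Groups = @{
    DirectAccessClients    = @('CLIENT01', 'CLIENT02')    # DirectAccess client computers
    DirectAccessManagement = @('MGMT01')                  # management workstations
}

foreach ($name in $Groups.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security `
                    -Path 'CN=Users,DC=domain,DC=local'
    }
    # Computer accounts must be resolved as computer objects (their SAM name ends in '$');
    # passing the bare name makes Add-ADGroupMember look for a user and fail.
    $members = $Groups[$name] | ForEach-Object { Get-ADComputer -Identity $_ }
    Add-ADGroupMember -Identity $name -Members $members
}

# Host (A) records for the network location server and the ISATAP router name.
# The router name is deliberately not plain "ISATAP": that label is on the DNS server's
# global query block list by default and would not be answered.
foreach ($hostName in 'DirectAccess-NLS', 'DirectAccess-ISATAP') {
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name $hostName -IPv4Address $DaServerIP
}

# Verification: group membership and name resolution.
Get-ADGroupMember -Identity DirectAccessClients | Select-Object Name, objectClass
Resolve-DnsName -Name "DirectAccess-ISATAP.$Zone" -Type A | Select-Object Name, IPAddress
```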

Configure Group Policy for DirectAccess Client firewall rules

  1. Log on to DC Server.
  2. From the Start screen, click Group Policy Management.
  3. In the console tree, expand Forest: domain.local\Domains\local domain name.
  4. Right-click DirectAccess Workstations OU, and select Create a GPO in the domain, and Link it here.
  5. Assign the name DirectAccess WFAS Settings to the new group policy.
  6. Expand the DirectAccess Workstations OU, click the name DirectAccess WFAS Settings policy.
  7. On Scope tab, add the DirectAccessClients group to Security Filtering and remove the default group.
  8. On Details tab, set the GPO Status to User configuration settings disabled.
  9. Right-click the name DirectAccess WFAS Settings policy, and select Edit.
  10. In the console tree of the Group Policy Management Editor, expand Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security-LDAP://CN=….
  11. In the console tree, select Inbound Rules, right-click Inbound Rules, and then click New Rule.
  12. In the New Inbound Rule Wizard, on the Rule Type page, click Custom, and then click Next.
  13. On the Program page, click Next.
  14. On the Protocols and Ports page, in Protocol type, click ICMPv4, and then click Customize.
  15. On the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, click OK, and then click Next.
  16. Click Next three times.
  17. On the Name page, in Name, type Inbound ICMPv4 Echo Requests, and then click Finish.
  18. In the console tree, right-click Inbound Rules, and then click New Rule.
  19. On the Rule Type page, click Custom, and then click Next.
  20. On the Program page, click Next.
  21. On the Protocols and Ports page, in Protocol type, click ICMPv6, and then click Customize.
  22. On the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, click OK, and then click Next.
  23. Click Next three times.
  24. On the Name page, in Name, type Inbound ICMPv6 Echo Requests, and then click Finish.
  25. In the console tree, right-click Inbound Rules, and then click New Rule.
  26. On the Rule Type page, click Port, and then click Next.
  27. On the Protocol and Ports, select TCP and type 3389 in Specific local ports.
  28. Click Next three times.
  29. On the Name page, in Name, type Inbound RDP Requests, and then click Finish.
  30. In the console tree, right-click Inbound Rules, and then click New Rule.
  31. On the Rule Type page, click Port, and then click Next.
  32. On the Protocol and Ports, select TCP and type 445 in Specific local ports.
  33. Click Next three times.
  34. On the Name page, in Name, type Inbound File Access Requests, and then click Finish.
  35. Right-click Inbound ICMPv4 Echo Requests, select Properties.
  36. On the Advanced tab, change the Edge traversal drop-down menu to Allow edge traversal, and then click OK.
  37. Right-click Inbound ICMPv6 Echo Requests, select Properties.
  38. On the Advanced tab, change the Edge traversal drop-down menu to Allow edge traversal, and then click OK.
  39. Right-click Inbound RDP Requests, select Properties.
  40. On the Advanced tab, change the Edge traversal drop-down menu to Allow edge traversal, and then click OK.
  41. Right-click Inbound File Access Requests, select Properties.
  42. On the Advanced tab, change the Edge traversal drop-down menu to Allow edge traversal, and then click OK.
  43. Confirm that the rules you created appear in the Inbound Rules node. Close the Group Policy Management Editor, and close Group Policy Management console.

Configure Group Policy for ISATAP

  1. Log on to DC Server.
  2. From the Start screen, click Group Policy Management.
  3. In the console tree, expand Forest: domain.local\Domains\local domain name.
  4. Right-click DirectAccess Workstations OU, and select Create a GPO in the domain, and Link it here.
  5. Assign the name DirectAccess ISATAP Settings to the new group policy.
  6. Expand the DirectAccess Workstations OU, click the name DirectAccess ISATAP Settings policy.
  7. On Scope tab, add the DirectAccessManagement group to Security Filtering and remove the default group.
  8. On Details tab, set the GPO Status to User configuration settings disabled.
  9. Right-click the name DirectAccess ISATAP Settings policy, and select Edit.
  10. In the console tree of the Group Policy Management Editor, Enable the Computer Configuration\Policies\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\ISATAP Router Name policy.
  11. Type DirectAccess-ISATAP.domain.local to Enter a Router or relay name.
  12. Enable the Computer Configuration\Policies\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\ISATAP State policy.
  13. Change Select from the following states to Enable State.
  14. Confirm that the rules you created appear in the Inbound Rules node. Close the Group Policy Management Editor, and close Group Policy Management console.
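The two GPO procedures above (the firewall rules GPO and the ISATAP GPO) as one PowerShell script run on the DC with the Group Policy and NetSecurity modules. This is an added example, not part of the original post; it assumes the domain domain.local and an OU named DirectAccess Workstations, and the ISATAP settings are written as the registry values behind the two Administrative Templates policies.

```powershell
# Added example: PowerShell equivalent of the two GPO procedures above.
# Assumptions: domain domain.local, OU "DirectAccess Workstations", groups already exist.
Import-Module GroupPolicy, NetSecurity

$Domain   = 'domain.local'
$TargetOU = 'OU=DirectAccess Workstations,DC=domain,DC=local'

# Create a computer-only GPO linked to the OU and security-filtered to one group.
function New-DaGpo {
    param([string]$Name, [string]$FilterGroup)
    $gpo = New-GPO -Name $Name
    $gpo.GpoStatus = 'UserSettingsDisabled'          # "User configuration settings disabled"
    New-GPLink -Name $Name -Target $TargetOU | Out-Null
    # Replace Authenticated Users' Apply with Read only: since MS16-072 the computer reads
    # the GPO in its own context, so removing Read entirely would stop the GPO applying.
    Set-GPPermission -Name $Name -TargetName 'Authenticated Users' -TargetType Group `
                     -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $Name -TargetName $FilterGroup -TargetType Group `
                     -PermissionLevel GpoApply | Out-Null
    return $gpo
}

# 1. Firewall GPO: the four inbound rules, each with edge traversal allowed.
New-DaGpo -Name 'DirectAccess WFAS Settings' -FilterGroup 'DirectAccessClients' | Out-Null
$Store = "$Domain\DirectAccess WFAS Settings"        # GPO-backed firewall policy store
$Rules = @(
    @{ DisplayName = 'Inbound ICMPv4 Echo Requests'; Protocol = 'ICMPv4'; IcmpType = '8' }    # Echo Request
    @{ DisplayName = 'Inbound ICMPv6 Echo Requests'; Protocol = 'ICMPv6'; IcmpType = '128' }  # Echo Request
    @{ DisplayName = 'Inbound RDP Requests';         Protocol = 'TCP';    LocalPort = '3389' }
    @{ DisplayName = 'Inbound File Access Requests'; Protocol = 'TCP';    LocalPort = '445' }
)
foreach ($r in $Rules) {
    New-NetFirewallRule @r -PolicyStore $Store -Direction Inbound -Action Allow `
                        -EdgeTraversalPolicy Allow | Out-Null
}

# 2. ISATAP GPO: registry values behind "ISATAP Router Name" and "ISATAP State".
New-DaGpo -Name 'DirectAccess ISATAP Settings' -FilterGroup 'DirectAccessManagement' | Out-Null
$Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition'
Set-GPRegistryValue -Name 'DirectAccess ISATAP Settings' -Key $Key -ValueName 'ISATAP_RouterName' `
                    -Type String -Value "DirectAccess-ISATAP.$Domain" | Out-Null
Set-GPRegistryValue -Name 'DirectAccess ISATAP Settings' -Key $Key -ValueName 'ISATAP_State' `
                    -Type String -Value 'Enabled' | Out-Null

# Verification: rules present in the GPO store, ISATAP values set.
Get-NetFirewallRule -PolicyStore $Store | Select-Object DisplayName, Direction, Action, EdgeTraversalPolicy
Get-GPRegistryValue -Name 'DirectAccess ISATAP Settings' -Key $Key | Select-Object ValueName, Value
```

Run gpupdate /force on a member of the filtered group and confirm with Get-NetFirewallRule -PolicyStore ActiveStore that the rules arrived; the GPO links only apply to computers that are both in the OU and in the filter group.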

To be continued…

Cary Sun @SifuSun
