
DIRECT ACCESS, DO’S AND DON’TS KIERAN JACOBSEN HP ENTERPRISE SERVICES.

Presentation transcript:

1 DIRECT ACCESS, DO’S AND DON’TS KIERAN JACOBSEN HP ENTERPRISE SERVICES

2 PLAN FOR THE NIGHT
- Pre-deployment design considerations
- Deploying your first server
- Diagnosing issues

3 WINDOWS 7 OR 8/8.1
Windows 7:
- Requires certificate-based computer authentication
- Doesn’t support the use of NULL ciphers when IP-HTTPS is used
- Requires the DirectAccess Connectivity Assistant to be installed
- Has limited support for multi-site deployments

4 HIGH AVAILABILITY OPTIONS
Load balancing:
- NLB
- External load balancer
Multi-site:
- Clients can select entry points automatically or can specify them manually
- Global load-balanced IP support
- Limited Windows 7 support
- Cannot deploy DirectAccess load balancing or multi-site on 2012 R2 when Web Application Proxy is installed on the same server

5 3RD PARTY LOAD BALANCERS
- F5 and Riverbed support various different deployment types
- Ensure you enable NULL SSL ciphers
- Can provide SSL offload support (if supporting Windows 7)

6 DIRECTACCESS AND PKI
- CRL and strong CRL validation
- IPsec will fail to establish a connection if using certificate-based computer authentication with computer certificates that use the SHA512 hashing algorithm

7 LET’S DEPLOY

8 DON’T USE THE GETTING STARTED WIZARD

9 DIRECTACCESS WITH OR WITHOUT VPN

10 JUST 4 SIMPLE STEPS

11 STEP 1: FULL ACCESS OR MANAGE OUT?

12 STEP 1: GROUPS

13 STEP 1: NETWORK CONNECTIVITY

14 STEP 2: NETWORK PLACEMENT

15 STEP 2: NETWORK ADAPTERS

16 STEP 2: AUTHENTICATION

17 STEP 3: NETWORK LOCATION SERVICE


19 STEP 3: DNS AND NRPT

20 NRPT RESOLUTION: EXCHANGE.CITADEL.UMBRELLACORP.INFO
Whilst connected to DirectAccess, the user’s Outlook client needs to connect to exchange.citadel.umbrellacorp.info.
1. The FQDN is compared to the NRPT; it matches only the first entry in the table, which directs it to the DNS proxy on the DirectAccess server.
2. The user’s computer sends a DNS request to the DirectAccess server.
3. The DirectAccess server uses its locally configured network interfaces to resolve the request; if the response from the corporate DNS servers is an IPv4 address, the DirectAccess server substitutes an IPv6 address.
4. The response is sent to the DirectAccess client.

21 NRPT RESOLUTION: INSIDE.CITADEL.UMBRELLACORP.INFO (NLS ADDRESS)
Whilst connected to DirectAccess, DirectAccess performs a connectivity test to see if it is connected to the corporate network.
1. The FQDN is compared to the NRPT; it matches the second entry in the table, which is the NRPT exemption.
2. The user’s computer sends a DNS request directly to the DNS server configured on the client’s NIC.
3. Public DNS is unable to resolve the address, so DirectAccess determines it is still externally connected.

22 NRPT RESOLUTION: MICROSOFT.COM
Whilst connected to DirectAccess, the user opens Internet Explorer and attempts to open the Microsoft web page.
1. The FQDN is compared to the NRPT; no matching entries are found.
2. If split tunnelling (default): the user’s computer sends a DNS request directly to the DNS server configured on the client’s NIC; public DNS then resolves the address and responds to the client.
   OR
   If force tunnelling: the user’s computer sends the DNS request to the DirectAccess server, and the DirectAccess server uses its locally configured network interfaces to resolve the request; if the response from the corporate DNS servers is an IPv4 address, the DirectAccess server substitutes an IPv6 address. The address is then sent to the client.

23 NRPT RESOLUTION: INTRANET (SINGLE LABEL)
Whilst connected to DirectAccess, the user opens Internet Explorer, types intranet in the address bar and hits enter:
1. A single-label name is in use, so a DNS suffix is appended to the request to form an FQDN.
2. The FQDN is compared to the NRPT; it matches only the first entry in the table, which directs it to the DNS proxy on the DirectAccess server.
3. The user’s computer sends a DNS request to the DirectAccess server.
4. The DirectAccess server uses its locally configured network interfaces to resolve the request; if the response from the corporate DNS servers is an IPv4 address, the DirectAccess server substitutes an IPv6 address.
5. The response is sent to the DirectAccess client: either 1) the resolved address or 2) name not found.
6. If the name has been resolved, the process is complete. If the name was not found, return to step 2 and try the next entry in the DNS suffix search order. If all suffix search entries have been exhausted, continue to step 7.
7. Attempt to use LLMNR, NetBIOS or WINS. * Special Warning *
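The four resolution walk-throughs above (exchange, the NLS exemption, an internet name under split and force tunnelling, and a single-label name) can be traced with this added simulator; it is not code from the talk or from Windows. The NRPT table, suffix search list, DNS answers and the 64:ff9b::/96 NAT64 prefix are constructed sample values.

```python
import ipaddress

# Constructed NRPT as the wizard populates it: the first entry sends the corporate
# namespace to the DNS proxy on the DirectAccess server, the second exempts the NLS name.
NRPT = [{"namespace": ".citadel.umbrellacorp.info", "exempt": False},
        {"namespace": "inside.citadel.umbrellacorp.info", "exempt": True}]
SUFFIX_SEARCH_LIST = ["citadel.umbrellacorp.info", "umbrellacorp.info"]
NAT64_PREFIX = int(ipaddress.IPv6Address("64:ff9b::"))  # assumed prefix for IPv6 synthesis
# Constructed answers from corporate DNS (behind the DA server) and the NIC's public DNS.
CORP_DNS = {"exchange.citadel.umbrellacorp.info": "10.1.2.3",
            "intranet.citadel.umbrellacorp.info": "10.1.2.4", "microsoft.com": "203.0.113.10"}
PUBLIC_DNS = {"microsoft.com": "203.0.113.10"}

def nrpt_match(fqdn):
    """Return the most specific NRPT entry that covers fqdn, or None if no rule applies."""
    best = None
    for entry in NRPT:
        ns = entry["namespace"]
        hit = fqdn.endswith(ns) if ns.startswith(".") else fqdn == ns
        if hit and (best is None or len(ns) > len(best["namespace"])):
            best = entry
    return best

def da_proxy_resolve(fqdn):
    """DNS proxy on the DirectAccess server: an IPv4 answer is replaced by a NAT64 IPv6 one."""
    v4 = CORP_DNS.get(fqdn)
    if v4 is None:
        return None
    return str(ipaddress.IPv6Address(NAT64_PREFIX | int(ipaddress.IPv4Address(v4))))

def resolve(name, force_tunnel=False):
    """Walk the client-side steps from the slides; returns (path taken, answer or None)."""
    single_label = "." not in name
    candidates = [f"{name}.{s}" for s in SUFFIX_SEARCH_LIST] if single_label else [name]
    path = answer = None
    for fqdn in candidates:
        entry = nrpt_match(fqdn)
        if entry is None and force_tunnel:    # force tunnel: everything goes via the server
            entry = {"exempt": False}
        if entry is None or entry["exempt"]:  # no rule or an exemption: ask the NIC's DNS
            path, answer = "nic-dns", PUBLIC_DNS.get(fqdn)
        else:
            path, answer = "da-proxy", da_proxy_resolve(fqdn)
        if answer is not None:
            return path, answer
    # Suffix list exhausted for a single label: Windows falls back to LLMNR/NetBIOS/WINS.
    return ("local-name-resolution" if single_label else path), None
```

The NLS name deliberately resolves to nothing from outside, which is what tells the client it is still off the corporate network; a single label that no suffix can resolve ends in the local name resolution fallback the slide warns about.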

24 NRPT RESOLUTION: INTRANET (SINGLE LABEL) – LOCAL NAME RESOLUTION

25 STEP 3: DNS AND NRPT (FORCE TUNNEL)

26 STEP 3: DNS SUFFIXES

27 STEP 3: MANAGEMENT SERVERS

28 STEP 4: APPLICATION SERVERS

29 FINISHING YOUR DEPLOYMENT

30 DEPLOYMENT DONE

31 DIRECTACCESS DIAGNOSTICS
- Check Operation Status in the Remote Access Management Console
- DirectAccess diagnostic log available from the client (the steps to access it changed between Windows 8 and 8.1)
Information logged:
- NCA connection status (probes list)
- IP-HTTPS configuration (Get-NetIPHttpsConfiguration) and IP-HTTPS state (Get-NetIPHttpsState)
- NRPT policy (Get-DnsClientNrptPolicy)
- IPsec Main Mode SAs (Get-NetIPsecMainModeSA)
- IPsec Quick Mode SAs (Get-NetIPsecQuickModeSA)
- And more…

32 DIRECTACCESS DIAGNOSTICS – EXTRA COMMANDS
- “Custom Commands” group policy: Computer Configuration -> Admin Templates -> Network -> DirectAccess Client Experience Settings -> Custom Commands
- Can be any PowerShell command, cmdlet, function or script
- Recommended: $wc=new-object net.webclient; $wc.downloadstring(“

33 DIRECTACCESS AND GROUP POLICY
- Server and workstation are configured using group policy
- Created by the management console
- Server policy filtered by the server AD account
- Client policy filtered by the groups specified in the step 1 wizard
- Multi-site creates server policies for each site
- Policies are created at the root of the domain

34 ANTIVIRUS AND SECURITY SOFTWARE
- DirectAccess requires the Windows Firewall IPsec components
- Be careful of web filtering functions
- Ensure network IPS/IDS exclusions are correct

35 QUESTIONS AND LINKS
My Blog:
Richard Hicks’ Blog:
Tom Shinder’s Blog:
