
Test Lab Guide: Demonstrate Forefront UAG DirectAccess
Microsoft Corporation
Published: July 2010
Abstract
DirectAccess is a new feature in the Windows® 7 and Windows Server® 2008 R2 operating
systems that enables remote users to securely access intranet shared folders, Web sites, and
applications without connecting to a virtual private network (VPN). Forefront UAG DirectAccess
extends the benefits of Windows DirectAccess across your infrastructure by enhancing
availability and scalability, as well as simplifying deployments and ongoing management. This
paper contains an introduction to DirectAccess and step-by-step instructions for extending the
Base Configuration test lab to demonstrate UAG DirectAccess with a simulated Internet,
intranet, and home network.
Copyright Information
This document is provided for informational purposes only and Microsoft makes no warranties, either
express or implied, in this document. Information in this document, including URL and other Internet
Web site references, is subject to change without notice. The entire risk of the use or the results from
the use of this document remains with the user. Unless otherwise noted, the example companies,
organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted
herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred. Complying with all
applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no
part of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
© 2010 Microsoft Corporation. All rights reserved.
Date of last update: July 26, 2010
Microsoft, Windows, Active Directory, Internet Explorer, and Windows Server are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.
Contents
Introduction ........ 1
In this guide ........ 2
Overview of the Test Lab scenario ........ 3
Configuration component requirements ........ 4
Steps for configuring the test lab ........ 5
STEP 1: Complete the Base Configuration ........ 6
STEP 2: Configure DC1 ........ 6
A. Create Reverse Lookup Zone on DNS Server on DC1 ........ 7
B. Enter PTR Record for DC1 ........ 8
C. Enable ISATAP Name Resolution on DNS Server on DC1 ........ 8
D. Create DNS Records for NLS and ISATAP on DC1 ........ 9
E. Create a Security Group for DirectAccess Clients on DC1 ........ 10
F. Create and Deploy a Certificate Template for the IP-HTTPS Listener Certificate and Network Location Server Certificate ........ 10
G. Create ICMPv4 and ICMPv6 Echo Request Firewall Rules in Domain Group Policy on DC1 ........ 11
H. Create a Shared Folder on the C:\ Drive on DC1 ........ 14
STEP 3: Configure APP1 ........ 14
A. Obtain NLS Certificate for SSL Connections to Network Location Server on APP1 ........ 15
B. Configure the HTTPS Security Binding on the NLS Web Site on APP1 ........ 16
STEP 4: Install and Configure APP3 ........ 16
A. Install the OS on APP3 and Disable the Firewall ........ 17
B. Install Web Services ........ 18
C. Create a Shared Folder on C:\ ........ 19
STEP 5: Configure UAG1 ........ 20
A. Rename the EDGE1 to UAG1 ........ 22
B. Obtain the IP-HTTPS Listener Certificate on UAG1 ........ 22
C. Configure a DNS Entry on INET1 with the Name on the IP-HTTPS Certificate ........ 24
D. Install Forefront UAG on UAG1 ........ 24
E. Run the UAG Getting Started Wizard ........ 25
F. Run the UAG DirectAccess Configuration Wizard on UAG1 ........ 26
G. Confirm Group Policy Settings on UAG1 ........ 28
H. Confirm IPv6 Settings on UAG1 ........ 29
I. Update IPv6 Settings on DC1 ........ 29
J. Update IPv6 Settings on APP1 ........ 30
K. Confirm IPv6 Address Registration in DNS ........ 30
L. Confirm IPv6 Connectivity between DC1/APP1/UAG1 ........ 30
STEP 6: Configure CLIENT1 ........ 31
A. Add CLIENT1 to the DA_Clients Security Group ........ 31
B. Test IPv6 Configuration, Confirm Group Policy Settings and Machine Certificate on CLIENT1 ........ 32
C. Test Connectivity to a Network Share and the Network Location Server ........ 33
STEP 7: Configure NAT1 ........ 33
A. Install the OS on NAT1 ........ 34
B. Rename the Network Interfaces on NAT1 ........ 35
C. Disable 6to4 on NAT1 ........ 35
D. Configure ICS on the External Interface of NAT1 ........ 36
STEP 8: Test DirectAccess Connectivity from the Internet ........ 36
STEP 9: Test DirectAccess Connectivity from Behind a NAT Device ........ 39
A. Testing Teredo Connectivity ........ 39
B. Testing IP-HTTPS Connectivity ........ 41
STEP 10: Test Connectivity When Returning to the Corpnet ........ 43
STEP 11: Snapshot the Configuration ........ 43
Additional Resources .................................................................................................................................. 44
Introduction
Forefront Unified Access Gateway (UAG) provides users with the experience of being seamlessly
connected to their intranet any time they have Internet access. When DirectAccess is enabled, requests
for intranet resources (such as e-mail servers, shared folders, or intranet Web sites) are securely
directed to the intranet, without the need for users to connect to a VPN. DirectAccess enables increased
productivity for a mobile workforce by offering the same connectivity experience both inside and
outside of the office. Forefront UAG DirectAccess extends the benefits of Windows DirectAccess across
your infrastructure by enhancing availability and scalability, as well as simplifying deployments and
ongoing management. For more information, see Overview of Forefront UAG DirectAccess.
IT professionals can benefit from UAG DirectAccess in many ways:
• Improved Manageability of Remote Users. Without DirectAccess, IT professionals can only
manage mobile computers when users connect to a VPN or physically enter the office. With
DirectAccess, IT professionals can manage mobile computers by updating Group Policy settings
and distributing software updates any time the mobile computer has Internet connectivity, even
if the user is not logged on. This flexibility allows IT professionals to manage remote computers
on a regular basis and ensures that mobile users stay up-to-date with security and system health
policies.
• Secure and Flexible Network Infrastructure. Taking advantage of technologies such as Internet
Protocol version 6 (IPv6) and Internet Protocol security (IPsec), DirectAccess provides secure and
flexible network infrastructure for enterprises. Below is a list of DirectAccess security and
performance capabilities:
  • Authentication. DirectAccess authenticates the computer, enabling the computer to connect to
  the intranet before the user logs on. DirectAccess can also authenticate the user and supports
  two-factor authentication using smart cards.
  • Encryption. DirectAccess uses IPsec to provide encryption for communications across the
  Internet.
  • Access to IPv4-only intranet resources. UAG DirectAccess extends the value of Windows
  DirectAccess with NAT64/DNS64, an IPv6/IPv4 protocol transition technology that enables
  DirectAccess client connectivity to IPv4-only resources on the intranet.
  • High availability and array configuration. UAG DirectAccess extends the value of Windows
  DirectAccess by adding integrated support for Network Load Balancing and array configuration,
  which work together to enable a highly available DirectAccess deployment.
• IT Simplification and Cost Reduction. By default, DirectAccess separates intranet from Internet
traffic, which reduces unnecessary traffic on the intranet by sending only traffic destined for the
intranet through the DirectAccess server. Optionally, IT can configure DirectAccess clients to
send all traffic through the DirectAccess server.
The following figure shows a DirectAccess client on the Internet.
[Figure: a DirectAccess client on the Internet. Intranet traffic is sent through the DirectAccess server
to corporate resources on the intranet; Internet traffic goes directly to Internet servers.]
In this guide
This paper contains instructions for configuring and demonstrating UAG DirectAccess using five server
computers and two client computers. The starting point for this paper is a Test Lab based on the “Steps
for Configuring the Corpnet Subnet” and “Steps for Configuring the Internet Subnet” sections of the
Test Lab Guide: Base Configuration. The resulting DirectAccess test lab simulates an intranet, the
Internet, and a home network and demonstrates DirectAccess functionality in different Internet
connection scenarios.
Important:
These instructions are designed for configuring a Test Lab using the minimum number of computers.
Individual computers are needed to separate the services provided on the network, and to show
clearly the required functionality. This configuration is not designed to reflect best practices, nor
does it reflect a required or recommended configuration for a production network. The
configuration, including IP address assignment and all other configuration parameters, is designed to
work only on a separate Test Lab network. For more information on planning and deploying
DirectAccess with Forefront UAG for your production network, please see the Forefront UAG
DirectAccess design guide and the Forefront UAG DirectAccess deployment guide.
Overview of the Test Lab scenario
In this test lab scenario, Forefront UAG DirectAccess is deployed with:
• One computer running Windows Server 2008 R2 Enterprise Edition (DC1), that is configured as
an intranet domain controller, Domain Name System (DNS) server, Dynamic Host Configuration
Protocol (DHCP) server, and an enterprise root certification authority (CA).
• One intranet member server running Windows Server 2008 R2 Enterprise Edition (UAG1), that is
configured as the first Forefront UAG DirectAccess server in a Forefront UAG DirectAccess server
array.
• One intranet member server running Windows Server 2008 R2 Enterprise Edition (APP1) that is
configured as a general application server and Network Location Server.
• One intranet member server running Windows Server 2003 SP2 Enterprise Edition (APP3), that
is configured as an IPv4-only web and file server. This server is used to highlight the
NAT64/DNS64 capabilities.
• One standalone server running Windows Server 2008 R2 Enterprise Edition (INET1), that is
configured as an Internet DNS and DHCP server.
• One standalone client computer running Windows 7 (NAT1), that is configured as a network
address translator (NAT) device using Internet Connection Sharing.
• One roaming member client computer running Windows 7 Enterprise or Ultimate (CLIENT1) that
is configured as a DirectAccess client.
The test lab consists of three subnets that simulate the following:
• A home network named Homenet (192.168.137.0/24) connected to the Internet by a NAT.
• The Internet (131.107.0.0/24).
• An intranet named Corpnet (10.0.0.0/24) separated from the Internet by the Forefront UAG
DirectAccess server.
Computers on each subnet connect using either a physical or virtual hub or switch, as shown in the
following figure.
[Figure: the three test lab subnets. Corpnet (10.0.0.0/24) contains DC1, APP1, APP3 and UAG1; the
Internet (131.107.0.0/24) contains INET1, NAT1 and the external side of UAG1; Homenet
(192.168.137.0/24) sits behind NAT1. CLIENT1 moves between the subnets.]
CLIENT1 initially connects to the Corpnet subnet and joins the intranet domain. After UAG1 is configured
as a Forefront UAG DirectAccess server, and CLIENT1 is updated with the associated Group Policy
settings, CLIENT1 later connects to the Internet subnet and the Homenet subnet, and tests DirectAccess
connectivity to intranet resources on the Corpnet subnet.
Configuration component requirements
The following components are required for configuring Forefront UAG DirectAccess in the test lab:
• The product disc or files for Windows Server 2008 R2 Enterprise Edition.
• The product disc or files for Windows Server 2003 Enterprise SP2.
• The product disc or files for Windows 7 Ultimate.
• Five computers or virtual machines that meet the minimum hardware requirements for
Windows Server 2008 R2 Enterprise; two of these computers have two network adapters
installed.
• One computer or virtual machine that meets the minimum hardware requirements for Windows
Server 2003 SP2.
• Two computers or virtual machines that meet the minimum hardware requirements for
Windows 7 Ultimate; one of these computers has two network adapters installed.
• The product disc or a downloaded version of Microsoft Forefront Unified Access Gateway (UAG)
RTM.
Steps for configuring the test lab
The following steps describe how to configure the server and client computers, and configure the
Forefront UAG DirectAccess server, in a test lab. Following these configurations you can verify
DirectAccess connectivity from the Internet and Homenet subnets.
Note:
You must be logged on as a member of the Domain Admins group or as a member of the
Administrators group on each computer to complete the tasks described in this guide. If you cannot
complete a task while you are logged on with an account that is a member of the Administrators
group, try performing the task while you are logged on with an account that is a member of the
Domain Admins group.
• Step 1: Complete the Base Configuration. The Base Configuration is the core of all Test Lab
Guide scenarios. The first step is to complete the Base Configuration.
• Step 2: Configure DC1 - DC1 is the domain controller, Certificate server, DNS server, File Server
and DHCP server for the corp.contoso.com domain.
• Step 3: Configure APP1 - APP1 is a Windows Server 2008 R2 computer that acts in the role of the
Network Location Server on the network.
• Step 4: Install and Configure APP3 - APP3 is a Windows Server 2003 Enterprise Edition
computer that acts as an IPv4-only host and is used to demonstrate DirectAccess connectivity to
IPv4-only resources using the UAG DNS64 and NAT64 features. APP3 hosts both HTTP and SMB
resources that the DirectAccess client computer will be able to access from the simulated
Internet.
• Step 5: Configure UAG1 – UAG1 acts as the first DirectAccess server and Array Master in a
Forefront UAG DirectAccess array.
• Step 6: Configure CLIENT1 – CLIENT1 is a DirectAccess client that is used to test DirectAccess
connectivity in several Internet network access scenarios.
• Step 7: Install and Configure NAT1 – NAT1 acts as a simulated NAT router that enables CLIENT1
access to the UAG DirectAccess server over the simulated Internet.
• Step 8: Test DirectAccess Connectivity from the Internet – CLIENT1 is connected to the
simulated Internet subnet to demonstrate DirectAccess connectivity using the 6to4 IPv6
transition technology.
• Step 9: Test DirectAccess Connectivity from Behind a NAT Device – CLIENT1 is connected to the
simulated private address network to demonstrate DirectAccess connectivity using the Teredo
and IP-HTTPS IPv6 transition technologies.
• Step 10: Test Connectivity When Returning to the Corpnet – CLIENT1 is connected again to the
Corpnet subnet to demonstrate how DirectAccess components are automatically disabled to
connect to local resources.
• Step 11: Snapshot the Configuration – At the completion of the lab, snapshot the configuration
so that you can later return to a working UAG DirectAccess Test Lab.
Note
You will notice that there are several steps that begin with an asterisk (*). The * indicates that
the step requires that you move to a computer or virtual machine that is different from the
computer or virtual machine you were at when you completed the previous step.
STEP 1: Complete the Base Configuration
This Test Lab Guide uses the Base Configuration network as a starting place. Please complete the steps
in Test Lab Guide: Base Configuration before proceeding with the remainder of the steps in this guide. If
you have already completed the steps in the Base Configuration Test Lab Guide and saved a disk image
or a virtual machine snapshot of the Base Configuration, then you can restore the Base Configuration
and proceed to the next step.
STEP 2: Configure DC1
DC1 acts as the domain controller, Certificate server, DNS server, File Server and DHCP server for the
corp.contoso.com domain. The following steps build on the Base Configuration to prepare DC1 to carry
out these roles to support a working DirectAccess solution:
A. Create a Reverse Lookup Zone on the DNS Server on DC1.
A reverse lookup zone for network ID 10.0.0.0/24 is required to create a pointer record for DC1.
The pointer record allows reverse name resolution for DC1, and prevents name resolution errors
during DNS related configuration steps. The reverse lookup zone is not required for a functional
DirectAccess solution.
B. Enter a Pointer Record for DC1.
A pointer record for DC1 allows services to perform reverse name resolution for DC1, which is
useful when performing DNS-related operations. It is not required for a functional DirectAccess
solution.
C. Enable ISATAP Name Resolution in DNS on DC1.
By default, the Windows Server 2008 R2 DNS server will not answer queries for the ISATAP and
WPAD host names. The DNS server is configured so that it will answer queries for ISATAP.
D. Create DNS Records for NLS and ISATAP on DC1.
The DirectAccess client uses a Network Location Server (NLS) to determine if the computer is on
or off the corporate network. If on the corporate network, the DirectAccess client can connect
to the Network Location Server using an HTTPS connection. A DNS record is required to resolve
the name of the NLS. In addition, a DNS record for ISATAP is required so that ISATAP capable
hosts on the network can obtain IPv6 addressing and routing information from the ISATAP
router configured on UAG1.
E. Create a Security Group for DirectAccess Clients on DC1.
When DirectAccess is configured on the UAG DirectAccess server, it automatically creates Group
Policy Objects and GPO settings that are applied to DirectAccess clients and servers. The
DirectAccess client GPO uses security group filtering to assign the GPO settings to a designated
DirectAccess security group. This group is populated with DirectAccess client computer
accounts. This is a required component of a DirectAccess solution.
F. Create and Deploy a Certificate Template for the IP-HTTPS Listener Certificate and the
Network Location Server Certificate.
A Web site certificate is required for the Network Location Server so that computers can use
HTTPS to connect to it when they are on the corporate network. The UAG DirectAccess server
uses a Web site certificate on its IP-HTTPS listener so that it can accept incoming connections
from DirectAccess clients that are behind network devices that limit outbound connections to
only HTTP/HTTPS. A Web site certificate template is created and used for certificate requests to
the Microsoft Certificate Server installed on DC1. A Web site certificate bound to the UAG
DirectAccess server’s IP-HTTPS is a required component of a working DirectAccess solution.
G. Create ICMPv4 and ICMPv6 Echo Request Firewall Rules in Domain Group Policy on DC1.
ICMP v4 and v6 echo requests inbound and outbound are required for Teredo support. Firewall
Rules are configured using the Windows Firewall with Advanced Security GPO snap-in to
distribute the configuration.
H. Create a Shared Folder on the C:\ Drive on DC1.
A shared folder is created on the C:\drive of DC1 to test SMB connectivity for DirectAccess
clients to a resource on the CORP domain.
A. Create Reverse Lookup Zone on DNS Server on DC1
A reverse lookup zone on DC1 for network ID 10.0.0.0/24 is required to create a pointer record for DC1.
The pointer record will allow reverse name resolution for DC1, which will prevent name resolution
errors during several DNS related configuration steps. The reverse lookup zone is not required for a
functional DirectAccess solution and is used as a convenience in this lab.
1. On DC1, click Start, and point to Administrative Tools. Click DNS.
2. In the DNS Manager console, in the left pane of the console, expand the server name, and click
Reverse Lookup Zones. Right click Reverse Lookup Zones and click New Zone.
3. On the Welcome to the New Zone Wizard page, click Next.
4. On the Zone Type page, click Next.
5. On the Active Directory Zone Replication Scope page, click Next.
6. On the Reverse Lookup Zone Name page, click Next.
7. On the Reverse Lookup Zone Name page, select the Network ID option, and then enter 10.0.0
in the text box. Click Next.
8. On the Dynamic Update page, click Next.
9. On the Completing the New Zone Wizard page, click Finish.
10. Leave the DNS console open for the next operation.
B. Enter PTR Record for DC1
A pointer record for DC1 will allow services to perform reverse name resolution for the DC1 computer.
This will be useful when performing several DNS related operations. It is not required for a functional
DirectAccess solution and is configured as a convenience for this lab.
1. On DC1, in the DNS Manager console, expand the Forward Lookup Zones node in the left pane
of the console. Click on corp.contoso.com.
2. Double click on dc1 in the right pane of the console.
3. In the DC1 Properties dialog box, put a checkmark in the Update associated pointer (PTR)
record checkbox and click OK. If the checkbox is already enabled, remove the checkmark and
then enable it again. Click OK.
4. Expand the Reverse Lookup Zones node in the left pane of the console and click 0.0.10.in-addr.arpa. Confirm that there is an entry for 10.0.0.1 in the middle pane of the console.
5. Leave the DNS console open.
C. Enable ISATAP Name Resolution on DNS Server on DC1
By default, the Windows Server 2008 R2 DNS server will not answer queries for ISATAP and WPAD host
names. These names are included in the DNS server’s Global Query Block List. The following procedures
configure the DNS server so that it will answer queries for ISATAP by removing ISATAP from the Global
Query Block List.
1. On DC1, click Start, click All Programs, click Accessories, right-click Command Prompt, and then
click Run as administrator.
2. In the command window, type dnscmd /config /globalqueryblocklist wpad, and then press
ENTER.
3. In the command prompt window, type dnscmd /info /globalqueryblocklist to confirm that
ISATAP is not included in the list, and that the display says Query result: String: wpad
4. Close the command prompt window.
For more information on configuring the global query block list, please see
http://download.microsoft.com/download/5/3/c/53cdc0bf-6609-4841-a7b9cae98cc2e4a3/DNS_Server_Global_%20Query_Block%20List.doc
D. Create DNS Records for NLS and ISATAP on DC1
DirectAccess clients use a Network Location Server to determine if the computer is on or off the
corporate network. If the DirectAccess client can connect to the Network Location Server using HTTPS, it
determines that it is on the corporate network and the Name Resolution Policy Table (NRPT) is disabled.
If the DirectAccess client cannot connect to the Network Location Server, the Name Resolution Policy
Table remains enabled which can cause name resolution and connectivity problems when the
DirectAccess client is situated on the corporate network. A DNS record is required for the DirectAccess
client to resolve the name of the Network Location Server.
In addition, all IPv6 capable hosts on the corpnet need to resolve the name ISATAP to the internal
interface of the UAG DirectAccess server, so a DNS record is required for ISATAP. The UAG DirectAccess
server will act as an ISATAP router for the organization and provides prefix and routing information for
ISATAP hosts on the corporate network.
1. On DC1, click the corp.contoso.com forward lookup zone in the left pane of the console. Right
click corp.contoso.com and click New Host (A or AAAA).
2. In the New Host dialog box, enter ISATAP in the Name (uses parent domain name if blank) text
box. Then enter 10.0.0.2 in the IP address text box. (IP address 10.0.0.2 will be the IP address of
the internal interface of the UAG server, which will act as the ISATAP router in this lab).
3. Click Add Host. Then click OK in the DNS dialog box.
4. In the New Host dialog box, enter NLS in the Name (uses parent domain name if blank) text box
(this is the name the DirectAccess clients use to connect to the Network Location Server). Enter
10.0.0.3 in the IP address text box, and then click Add Host. Click OK in the DNS text box. (Note
that IP address 10.0.0.3 is the IP address of APP1, which acts as a network location server in this
lab).
5. Click Done.
6. Confirm that there are entries for ISATAP and NLS in the middle pane of the console.
7. Close the DNS Manager console.
8. Open a command prompt window and enter nslookup isatap and press ENTER. Confirm that
ISATAP resolves to 10.0.0.2. Close the command prompt window.
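The DNS work of procedures A through D, as an added script (not part of this Test Lab Guide) built around dnscmd.exe, which Windows Server 2008 R2 ships with; the DnsServer PowerShell module does not exist on that release. Besides creating the zone and records, it reports whether a host has already registered the ISATAP or NLS name, which is the check worth making before taking ISATAP out of the global query block list: the block list exists precisely because any domain member allowed to do dynamic updates could otherwise register a host named isatap and be treated as the corpnet's IPv6 router. Names and addresses are the lab's (corp.contoso.com, DC1 = 10.0.0.1, UAG1 internal interface = 10.0.0.2, APP1 = 10.0.0.3); run it in an elevated PowerShell on DC1.

```powershell
# Added example (not from the Test Lab Guide): Step 2 A-D on DC1 as one script around
# dnscmd.exe. Assumed lab values: corp.contoso.com, DC1 = 10.0.0.1, UAG1 internal
# interface = 10.0.0.2 (ISATAP router), APP1 = 10.0.0.3 (Network Location Server).
$zone        = 'corp.contoso.com'
$reverseZone = '0.0.10.in-addr.arpa'
$hostRecords = @{ 'ISATAP' = '10.0.0.2'; 'NLS' = '10.0.0.3' }

function Invoke-Dnscmd {
    # Run dnscmd and turn a non-zero exit code into a terminating error.
    param([string[]]$DnscmdArgs)
    $out = & dnscmd.exe @DnscmdArgs
    if ($LASTEXITCODE -ne 0) { throw "dnscmd $($DnscmdArgs -join ' ') failed:`n$($out -join "`n")" }
    return $out
}

function Get-DnsNode {
    # Returns the records under $Name in $Zone, or $null when the node does not exist
    # (dnscmd /EnumRecords exits non-zero with DNS_ERROR_NAME_DOES_NOT_EXIST in that case).
    param([string]$Zone, [string]$Name)
    $out = & dnscmd.exe /EnumRecords $Zone $Name
    if ($LASTEXITCODE -eq 0) { return $out } else { return $null }
}

# A. Reverse lookup zone for 10.0.0.0/24, Active Directory-integrated and replicated to
#    the DCs of the domain (the New Zone wizard's defaults). Skipped if it already exists.
if (-not (Invoke-Dnscmd '/EnumZones' | Select-String -SimpleMatch $reverseZone)) {
    Invoke-Dnscmd '/ZoneAdd', $reverseZone, '/DsPrimary', '/DP', '/domain' | Out-Null
}

# B. PTR for DC1. The trailing dot stops dnscmd from appending the zone name to the target.
if (-not (Get-DnsNode $reverseZone '1')) {
    Invoke-Dnscmd '/RecordAdd', $reverseZone, '1', 'PTR', 'dc1.corp.contoso.com.' | Out-Null
}

# C. Take ISATAP out of the global query block list but keep wpad blocked. Once ISATAP is
#    unblocked, the static record created in D is what every ISATAP host will trust as its
#    router, so D refuses to add a record on top of a node that already exists.
Invoke-Dnscmd '/Config', '/GlobalQueryBlockList', 'wpad' | Out-Null
$blockList = Invoke-Dnscmd '/Info', '/GlobalQueryBlockList'
if ($blockList -match 'isatap') { throw 'ISATAP is still in the global query block list' }

# D. Static A records for the ISATAP router and the Network Location Server.
foreach ($name in $hostRecords.Keys) {
    $existing = Get-DnsNode $zone $name
    if ($existing) {
        Write-Warning "$name.$zone already exists; find out who registered it before relying on it:`n$($existing -join "`n")"
        continue
    }
    Invoke-Dnscmd '/RecordAdd', $zone, $name, 'A', $hostRecords[$name] | Out-Null
}

function Test-LabDnsRecords {
    # Resolve each name through DC1's own resolver and report whether the expected
    # address came back. $false for ISATAP usually means it is still on the block list.
    $result = @{}
    foreach ($name in $hostRecords.Keys) {
        try {
            $addrs = [System.Net.Dns]::GetHostAddresses("$name.$zone") | ForEach-Object { $_.IPAddressToString }
        } catch { $addrs = @() }
        $result[$name] = [bool]($addrs -contains $hostRecords[$name])
    }
    return $result
}

Test-LabDnsRecords
```

The script is safe to re-run: each step checks for the object before creating it, and the final table shows True for ISATAP and NLS only when the records exist and the DNS server is willing to answer for the ISATAP name.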
E. Create a Security Group for DirectAccess Clients on DC1
When you run the UAG DirectAccess wizard on the UAG1 computer, the wizard will create Group Policy
Objects and deploy them in Active Directory. One GPO is created for the UAG DirectAccess server, and
the other is created for DirectAccess clients. Security group filtering is used to apply the DirectAccess
client GPO settings to the DirectAccess clients security group. To obtain the settings required to be a
DirectAccess client, the computer must be a member of this security group. Do not use any of the built-in
security groups as your DirectAccess security group. Use the following procedure to create the
DirectAccess security group. This group is required for a working DirectAccess solution.
1. On DC1, open the Active Directory Users and Computers console. In the left pane, right-click
Users, point to New, and then click Group.
2. In the New Object - Group dialog box, under Group name, enter DA_Clients. (Note that the
group name “DA_Clients” is not a mandatory name; you can use any name you like for the
DirectAccess clients security group).
3. Under Group scope, choose Global, under Group type, choose Security, and then click OK.
4. Close the Active Directory Users and Computers console.
F. Create and Deploy a Certificate Template for the IP-HTTPS Listener Certificate and
Network Location Server Certificate
A Web site certificate is required for the Network Location Server so that computers can use HTTPS to
connect to it when they are on the corporate network. In addition, the UAG DirectAccess server uses a
Web site certificate on its IP-HTTPS listener so that it can accept incoming connections from DirectAccess
clients that are behind network devices that limit outbound connections to only HTTP/HTTPS. The
following procedures describe how to create a Web site certificate template to use for requests to the
Microsoft Certificate Server installed on DC1. A Web site certificate bound to the UAG DirectAccess
server’s IP-HTTPS listener and a Web site certificate bound to the Network Location Server Web site are
both required for a working DirectAccess solution.
1. On DC1, click Start, enter mmc in the Search box, and then press ENTER.
2. Click the File menu, and then click Add/Remove Snap-in.
3. In the list of snap-ins, click Certificate Templates, click Add, and then click OK.
4. In the console tree, expand Certificates Templates.
5. In the right pane, right-click the Web Server template, and then click Duplicate Template.
6. Click Windows Server 2008 Enterprise, and then click OK. (Note that you can use either the
Windows Server 2003 or Windows Server 2008 templates). In Template display name, type
Web Server 2008.
7. Click the Server tab. On the Server tab, put a checkmark in the Do not include revocation
information in issued certificates checkbox (applicable only for Windows Server 2008 R2 and above).
Click Apply.
8. Click the Security tab.
9. Click Authenticated Users, and then select Enroll in the Allow column.
10. Click Add, enter Domain Computers in the Enter the object names to select text box, and then
click OK.
11. Click Domain Computers, and then select Enroll in the Allow column. Click Apply.
12. Click the Request Handling tab.
13. Select Allow private key to be exported. (Note that we do this as a convenience for this lab;
making the private key exportable is not required by DirectAccess. However, in order to create a
UAG DirectAccess array, the same certificate must be installed on all array members, and enabling
export of the private key greatly simplifies this requirement.) Click Apply.
14. Click OK.
15. Close the MMC window without saving changes.
16. Click Start, point to Administrative Tools, and then click Certification Authority.
17. In the console tree, expand corp-DC1-CA, right-click Certificate Templates, point to New, and
then click Certificate Template to Issue.
18. In the list of certificate templates, click Web Server 2008, and then click OK.
19. In the right pane of the console, you should see the Web Server 2008 certificate template with
an Intended Purpose of Server Authentication.
20. Close the Certification Authority console.
G. Create ICMPv4 and ICMPv6 Echo Request Firewall Rules in Domain Group Policy on
DC1
Support for incoming and outgoing ICMPv4 and v6 is required for Teredo clients. DirectAccess clients
will use Teredo as their IPv6 transition technology to connect to the UAG DirectAccess server over the
IPv4 Internet when they are assigned a private (RFC 1918) IP address and are located behind a NAT
device or firewall. In addition, enabling ping facilitates connectivity testing between participants in the
DirectAccess solution.
1. On DC1, click Start, click Administrative Tools, and then click Group Policy Management.
2. In the console tree, expand Forest: corp.contoso.com. Then expand Domains, and then expand
corp.contoso.com.
3. In the console tree, right-click Default Domain Policy, and then click Edit.
4. In the console tree of the Group Policy Management Editor, expand Computer
Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced
Security\Windows Firewall with Advanced Security-LDAP://.
5. In the console tree, click Inbound Rules, right-click Inbound Rules, and then click New Rule.
6. On the Rule Type page, click Custom, and then click Next.
7. On the Program page, click Next.
8. On the Protocols and Ports page, for Protocol type, click ICMPv4, and then click Customize.
9. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and
then click OK.
10. Click Next.
11. On the Scope page, click Next.
12. On the Action page, click Next.
13. On the Profile page, click Next.
14. On the Name page, for Name, type Inbound ICMPv4 Echo Requests, and then click Finish.
15. In the console tree, right-click Inbound Rules, and then click New Rule.
16. On the Rule Type page, click Custom, and then click Next.
17. On the Program page, click Next.
18. On the Protocols and Ports page, for Protocol type, click ICMPv6, and then click Customize.
19. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and
then click OK.
20. Click Next.
21. On the Scope page, click Next.
22. On the Action page, click Next.
23. On the Profile page, click Next.
24. On the Name page, for Name, type Inbound ICMPv6 Echo Requests, and then click Finish.
25. In the console tree, right-click Outbound Rules, and then click New Rule.
26. On the Rule Type page, click Custom, and then click Next.
27. On the Program page, click Next.
28. On the Protocols and Ports page, for Protocol type, click ICMPv4, and then click Customize.
29. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and
then click OK.
30. Click Next.
31. On the Scope page, click Next.
32. On the Action page, click Allow the connection, and then click Next.
33. On the Profile page, click Next.
34. On the Name page, for Name, type Outbound ICMPv4 Echo Requests, and then click Finish.
35. In the console tree, right-click Outbound Rules, and then click New Rule.
36. On the Rule Type page, click Custom, and then click Next.
37. On the Program page, click Next.
38. On the Protocols and Ports page, for Protocol type, click ICMPv6, and then click Customize.
39. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and
then click OK.
40. Click Next.
41. On the Scope page, click Next.
42. On the Action page, click Allow the connection, and then click Next.
43. On the Profile page, click Next.
44. On the Name page, for Name, type Outbound ICMPv6 Echo Requests, and then click Finish.
45. Confirm that the rules you created appear in the Inbound Rules and Outbound Rules nodes.
Close the Group Policy Management Editor.
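The same four echo request rules expressed as netsh advfirewall commands, added here as an example and not part of the guide. Run this way on a single lab machine, netsh writes the rules into that machine's local firewall policy rather than into the Default Domain Policy GPO, so it is useful for checking what the GPO should produce on a member computer; the host names are the lab's own.

```powershell
# Added example (not from the guide): the ICMP echo request rules of section G
# created with netsh advfirewall instead of the Group Policy Management Editor.
# ICMPv4 type 8 and ICMPv6 type 128 are Echo Request; ",any" matches any code.
# The values are quoted so that PowerShell does not split them on the comma.

# Inbound rules (the wizard's default action for a new rule is Allow)
netsh advfirewall firewall add rule name="Inbound ICMPv4 Echo Requests" dir=in action=allow protocol="icmpv4:8,any"
netsh advfirewall firewall add rule name="Inbound ICMPv6 Echo Requests" dir=in action=allow protocol="icmpv6:128,any"

# Outbound rules
netsh advfirewall firewall add rule name="Outbound ICMPv4 Echo Requests" dir=out action=allow protocol="icmpv4:8,any"
netsh advfirewall firewall add rule name="Outbound ICMPv6 Echo Requests" dir=out action=allow protocol="icmpv6:128,any"

# Verify the rules exist and are enabled in the active policy
netsh advfirewall firewall show rule name="Inbound ICMPv4 Echo Requests" verbose
netsh advfirewall firewall show rule name="Inbound ICMPv6 Echo Requests" verbose

# Connectivity check from a domain member: IPv4 now, IPv6 once the ISATAP
# addresses are registered in DNS (STEP 5, sections J and K of this guide)
ping -4 dc1.corp.contoso.com
ping -6 dc1.corp.contoso.com
```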
H. Create a Shared Folder on the C:\ Drive on DC1
The DirectAccess client should be able to connect to SMB resources on the intranet when it is
connected to the simulated Internet, or when connecting from behind a NAT device over the Internet. A
network share is created on DC1 to test this.
1. Click Start, and then click Computer.
2. Double-click Local Disk (C:).
3. Click New Folder, type Files, and then press ENTER. Leave the Local Disk window open.
4. Click Start, click All Programs, click Accessories, right-click Notepad, and then click Run as
administrator.
5. In the Untitled – Notepad window, type This is a shared file on DC1.
6. Click File, click Save, and navigate to the Files folder.
7. In File name, type Example, and then click Save. Close the Notepad window.
8. In the Local Disk (C:) window, right-click the Files folder, point to Share with, and then click
Specific people.
9. Click Share, and then click Done. (Note: this provides Full Control Share Permissions to
Everyone, and NTFS Full Control permissions to SYSTEM, Administrator, and
CORP\Administrators).
10. Close the Local Disk (C:) window.
STEP 3: Configure APP1
APP1 is a Windows Server 2008 R2 Enterprise Edition computer that acts in the role of the Network
Location Server for the intranet. We have chosen not to install the Network Location Server on the
domain controller, even though that would have reduced the number of machines required for the lab
network. The reason for this is that NLS on the DC can be problematic if the DC is IPv6 based and can
cause potential problems with network location detection. For this reason we have chosen to install the
NLS on APP1.
You will perform the following operations to configure APP1:
A. Obtain an NLS Certificate for SSL Connections to the Network Location Server on APP1.
APP1 acts as the Network Location Server. To enable this role, APP1 needs a web site certificate
so that the DirectAccess clients are able to establish an SSL connection to a Web site on APP1.
DirectAccess clients access this site by connecting to the Network Location Server name, which is
nls.corp.contoso.com in this scenario.
B. Configure the HTTPS Security Binding on the NLS Web Site on APP1. The web site certificate
needs to be bound to a web site on APP1 so that it can respond to SSL connection requests from
the DirectAccess clients on the corporate network.
A. Obtain NLS Certificate for SSL Connections to Network Location Server on APP1
The Network Location Server requires a Web site certificate to enable SSL session establishment with
the DirectAccess client. The subject name on this certificate must match the name that the DirectAccess
client uses to connect to the Network Location Server. On this Test Lab network, the DirectAccess client
tries to connect to the NLS at nls.corp.contoso.com. This name is used later in the
DirectAccess configuration wizard on the UAG server.
1. On APP1, click Start, enter mmc, and then press ENTER.
2. Click the File menu, and then click Add/Remove Snap-in.
3. Click Certificates, click Add, select Computer account, click Next, select Local computer, click
Finish, and then click OK.
4. In the left pane of the console, expand Certificates (Local Computer)\Personal\Certificates.
5. Right-click Certificates, point to All Tasks, and then click Request New Certificate.
6. On the Before You Begin page, click Next.
7. On the Select Certificate Enrollment Policy page, select the Active Directory Enrollment Policy
entry and click Next.
8. On the Request Certificates page, put a checkmark in the Web Server 2008 checkbox, and then
click More information is required to enroll for this certificate.
9. On the Subject tab of the Certificate Properties dialog box, in Subject name section, for Type,
select Common Name.
10. In the Value section, enter nls.corp.contoso.com, and then click Add.
11. In the Alternative name section, for Type, select DNS.
12. In Value, type nls.corp.contoso.com, and then click Add.
13. Click OK, click Enroll, and then click Finish.
14. In the details pane of the Certificates snap-in, verify that a new certificate with the name
nls.corp.contoso.com was enrolled with Intended Purposes of Server Authentication.
15. Right click the nls.corp.contoso.com certificate and click Properties.
16. In the nls.corp.contoso.com Properties dialog box, in the Friendly name text box, enter NLS
Certificate. Click OK. (Note: this is not required for the DirectAccess solution to work, but this
makes the certificate easy to identify when binding it to the NLS Web site’s SSL listener).
17. Close the console window. If you are prompted to save settings, click No.
B. Configure the HTTPS Security Binding on the NLS Web Site on APP1
After the web server role is installed, the web site certificate must be bound to the Network Location
Server web site. This is required for the web server to establish an SSL connection with the computer
configured as a DirectAccess client, and is a required component of a DirectAccess solution.
1. On APP1, click Start, point to Administrative Tools, and then click Internet Information Services
(IIS) Manager.
2. In the left pane of the console, open APP1\Sites, and then click Default Web site.
3. In the Actions pane, click Bindings.
4. In the Site Bindings dialog box, click the https entry and then click Edit.
5. In the Add Site Binding dialog box, in SSL Certificate, click the NLS Certificate.
6. Click the View button.
7. In the Certificate dialog box, confirm that the certificate was Issued to: nls.corp.contoso.com.
(this is the name the DirectAccess client computer must use to connect to the Network Location
Server).
8. In the Add Site Binding dialog box, click OK.
9. In the Edit Site Binding dialog box, click OK.
10. In the Site Bindings dialog box, click Close.
11. Close the Internet Information Services (IIS) Manager console.
STEP 4: Install and Configure APP3
APP3 is a Windows Server 2003 SP2 Enterprise Edition computer that acts as an IPv4 only host and is
used to demonstrate DirectAccess connectivity to IPv4 only resources using the UAG DNS64 and NAT64
features. APP3 hosts both HTTP and SMB resources that the DirectAccess client computer will be able to
access from the simulated Internet. The UAG NAT64/DNS64 feature set enables organizations to
deploy DirectAccess without requiring them to upgrade network resources to native IPv6, or even to
make them IPv6 capable.
For more information on NAT64/DNS64 please see Deep Dive Into DirectAccess – NAT64 and DNS64 in
Action
The following operations are performed to configure APP3:
A. Install the operating system on APP3 and Disable the Firewall
The first step is to install Windows Server 2003 Enterprise Edition SP2 on APP3. This is not a
requirement. You could use another IPv4 only operating system, such as Windows 2000 Server
or even Windows XP. The goal is to provide an IPv4 resource for the DirectAccess clients to
connect to from over the Internet.
B. Install Web services on APP3
Install IIS Web services on APP3 so that HTTP connectivity over the DirectAccess connection to
an IPv4 only host is demonstrated.
C. Create a shared folder on APP3
Create a shared folder on APP3 to demonstrate SMB connectivity over the DirectAccess
connection.
A. Install the OS on APP3 and Disable the Firewall
The first step is to install Windows Server 2003 Enterprise Edition SP2 on APP3. This is not a
requirement. You could use another IPv4 only operating system, such as Windows 2000 Server or even
Windows XP. The goal is to provide an IPv4 resource for the DirectAccess clients to connect to from over
the Internet.
1. Start the installation of Windows Server 2003.
2. On the Welcome to the Windows Setup Wizard page, click Next.
3. On the Regional and Language Options page, click Next.
4. On the Personalize Your Software page, enter your Name and Organization information, click
Next.
5. On the Licensing Modes page, select Per server. Number of concurrent connections option and
enter 100. Click Next.
6. On the Computer Name and Administrator Password page, in the Computer name text box,
enter APP3. Enter a complex Administrator password and Confirm password. Click Next.
7. On the Date and Time Settings page, set the correct date and time and click Next.
8. On the Networking Settings page, select Custom Settings and click Next.
9. On the Networking Components page, select Internet Protocol (TCP/IP) and click Properties.
10. On the Internet Protocol (TCP/IP) Properties page, select the Use the following IP address
option. In the IP address text box, enter 10.0.0.4. In the Subnet Mask text box, enter
255.255.255.0. Select the Use the following DNS server addresses option. In the Preferred DNS
server text box, enter 10.0.0.1.
11. In the Internet Protocol (TCP/IP) Properties dialog box, click the Advanced button.
12. In the Advanced TCP/IP Settings dialog box, click the DNS tab.
13. On the DNS tab, in the DNS Suffix for this connection text box, enter corp.contoso.com. Click
OK. In the Internet Protocol (TCP/IP) Properties dialog box, click OK. On the Networking
Components page, click Next.
14. On the Workgroup or Computer Domain page, select the Yes make this computer a member of
the following domain option. In the text box under that option, enter CORP.
15. In the Join Computer to CORP Domain dialog box, in the User name text box, enter CORP\User1
and in the Password text box, enter User1’s password. Click OK.
16. Log on as CORP\User1.
17. Click Start, point to Control Panel and point to Network Connections. Right click on Local Area
Connection and click Properties.
18. In the Local Area Connection Properties dialog box, click the Advanced tab.
19. On the Advanced tab, click the Settings button.
20. In the Windows Firewall dialog box, on the General tab, select the Off option. (Note: we are
turning off the Windows Firewall as a convenience for this lab so that we can ping APP3. In a
production environment, you should enable ping selectively through the Windows Firewall).
Note: If you install Windows Server 2003 RTM, there is no Windows Firewall and you will not need to
disable the firewall.
B. Install Web Services
Install IIS Web services on APP3 so that HTTP connectivity can be demonstrated over the DirectAccess
connection.
1. At APP3, click Start and point to Control Panel. Click Add or Remove Programs.
2. In the Add or Remove Programs window, click Add/Remove Windows Components button.
3. On Windows Components page, click Application Server and then click Details.
4. In the Application Server dialog box, put a checkmark in the Internet Information Services (IIS)
checkbox. Click OK.
5. On the Windows Components page, click Next.
6. On the Completing the Windows Components Wizard page, click Finish.
7. Close the Add or Remove Programs window.
8. Click the Internet Explorer icon in the Quick Start Bar.
9. In the dialog box that informs you Internet Explorer Enhanced Security Configuration is enabled,
put a checkmark in the In the future, do not show this message checkbox and then click OK.
10. In the Internet Explorer address bar, enter http://localhost and press ENTER.
11. You should see the IIS Under Construction page, indicating that the default IIS Web site is
available and running. Close the Internet Explorer window.
C. Create a Shared Folder on C:\
Create a shared folder on APP3 to demonstrate the ability to connect to an SMB resource on a IPv4 only
computer on the DirectAccess connection over the Internet.
1. At APP3, click Start and click Windows Explorer.
2. In the left pane of the Windows Explorer window, expand My Computer and click Local Disk (C:)
3. Click the File menu, point to New and click Folder.
4. Rename New Folder to Files.
5. Right click the Files folder and click Sharing and Security.
6. In the Files Properties dialog box, on the Sharing tab, select the Share this folder option. Accept
the default share name, which is Files. Click OK.
7. Double click the Files folder.
8. Click the File menu, point to new, and click New Text Document.
9. Double click the New Text Document.txt file.
10. In the New Text Document.txt – Notepad window, enter This is a new text document on APP3,
an IPv4 only server.
11. Close the Notepad window. In the Notepad dialog box, click Yes to save the changes.
12. Close Windows Explorer.
STEP 5: Configure UAG1
UAG1 acts as the UAG DirectAccess server for the network. UAG1 will be connected to both the
simulated Internet and the intranet and will need one network interface connected to each of these
networks. The UAG DirectAccess server provides the following network services:
ISATAP router
An ISATAP router is an IPv6 router that advertises subnet prefixes to ISATAP hosts and forwards
IPv6 traffic between ISATAP hosts and hosts on other IPv6 subnets. The ISATAP router provides
ISATAP clients the information they need to properly configure their ISATAP adapters. For more
information about ISATAP, please see http://technet.microsoft.com/en-us/magazine/2008.03.cableguy.aspx
Teredo server
A Teredo server is an IPv6/IPv4 node that is connected to both the IPv4 Internet and the IPv6
intranet, and supports a Teredo tunneling interface over which packets are received. The general
role of the Teredo server is to assist in the address configuration of Teredo clients and to
facilitate the initial communication between Teredo clients and other Teredo clients or between
Teredo clients and IPv6 hosts. The Teredo server listens on UDP port 3544 for Teredo traffic.
DirectAccess clients located behind NAT devices and firewalls use Teredo to connect to the UAG
DirectAccess server. For more information on Teredo, please see
http://technet.microsoft.com/en-us/library/bb457011.aspx
IPsec gateway
The Full Intranet access model (which is used in this lab document) allows DirectAccess clients to
connect to all resources inside the intranet. It does this by using IPsec-based tunnel policies that
require authentication and encryption and IPsec sessions terminate at the IPsec Gateway. The
IPsec Gateway is a function that is hosted on the UAG DirectAccess server.
IP-HTTPS server
IP-HTTPS is a new protocol for Windows 7 and Windows Server 2008 R2 that allows hosts
behind a Web proxy server or firewall to establish connectivity by tunneling IPv6 packets inside
an IPv4-based HTTPS session. HTTPS is used instead of HTTP so that Web proxy servers will not
attempt to examine the data stream and terminate the connection. The UAG DirectAccess
server uses an IP-HTTPS listener to accept incoming IP-HTTPS connections. Note that IP-HTTPS
does not work behind authenticating web proxies (when authentication is required) or from
behind web proxies that perform outbound SSL inspection.
NAT64/DNS64 IPv6/IPv4 protocol translator
The UAG DirectAccess server includes NAT64 and DNS64, which enable DirectAccess clients on
the Internet to connect to IPv4 resources on the intranet. DirectAccess clients always use IPv6 to
communicate with intranet servers. When a DirectAccess client needs to connect to IPv4
resources on the intranet, it issues a DNS query for the FQDN of the resource. DNS64 intercepts
the request, sends the query to the intranet DNS server, and obtains the IPv4 address of the
resource. DNS64 then dynamically generates an IPv6 address that represents the IPv4 resource and
returns it to the client; in addition, DNS64 informs NAT64 of the IPv4/IPv6
mapping. The client issues a request for the dynamically generated IPv6 address, which is
intercepted by NAT64, and then NAT64 forwards the request to the IPv4 address of the intranet
resource. NAT64 also returns the response based on entries in its state table. For more
information about DNS64 and NAT64, please see
http://blogs.technet.com/edgeaccessblog/archive/2009/09/08/deep-dive-into-directaccess-nat64-and-dns64-in-action.aspx
6to4 relay router
A 6to4 relay router can accept traffic from DirectAccess clients using the 6to4 IPv6 transition
technology and forward the traffic over an IPv4 intranet. The UAG DirectAccess server acts as
the 6to4 relay router and provides addressing information to the DirectAccess clients.
DirectAccess clients use this information to configure their 6to4 tunnel adapters to forward IPv6
messages over the IPv4 Internet to the UAG DirectAccess servers. For more information on 6to4
please see http://technet.microsoft.com/en-us/library/cc756770(WS.10).aspx
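A worked illustration of the DNS64 synthesis and NAT64 reverse mapping described in the NAT64/DNS64 item above, added here as an example and not part of the guide or of UAG. The /96 prefix is a placeholder (the RFC 6052 well-known prefix) because UAG derives its own NAT64 prefix, and the function names are ours; APP3's address 10.0.0.4 is the lab's.

```powershell
# Added example (not from the guide): how DNS64 builds the IPv6 address a
# DirectAccess client receives for an IPv4-only host such as APP3, and how
# NAT64 recovers the IPv4 address from it. The synthesized address is
# <96-bit NAT64 prefix> + <32-bit IPv4 address>.
$Nat64Prefix = '64:ff9b::'   # ASSUMED placeholder; UAG uses its own /96 prefix

function ConvertTo-Nat64Address {
    param([string]$Prefix, [string]$IPv4)
    $bytes = New-Object byte[] 16
    # The first 96 bits (12 bytes) come from the NAT64 prefix ...
    [Array]::Copy(([System.Net.IPAddress]::Parse($Prefix)).GetAddressBytes(), 0, $bytes, 0, 12)
    # ... and the last 32 bits are the IPv4 address DNS64 got from the intranet DNS server
    [Array]::Copy(([System.Net.IPAddress]::Parse($IPv4)).GetAddressBytes(), 0, $bytes, 12, 4)
    (New-Object System.Net.IPAddress -ArgumentList (,$bytes)).ToString()
}

function ConvertFrom-Nat64Address {
    param([string]$Prefix, [string]$IPv6)
    $v6 = ([System.Net.IPAddress]::Parse($IPv6)).GetAddressBytes()
    $p  = ([System.Net.IPAddress]::Parse($Prefix)).GetAddressBytes()
    # Only addresses inside the NAT64 prefix are translated; anything else is
    # native IPv6 (an ISATAP host such as DC1) and is routed without NAT64.
    for ($i = 0; $i -lt 12; $i++) { if ($v6[$i] -ne $p[$i]) { return $null } }
    $tail = [byte[]]$v6[12..15]
    (New-Object System.Net.IPAddress -ArgumentList (,$tail)).ToString()
}

# APP3 has only an A record; the synthesized AAAA is what the client connects to,
# and NAT64 maps it back to the IPv4 address when it forwards the request.
$synth = ConvertTo-Nat64Address -Prefix $Nat64Prefix -IPv4 '10.0.0.4'
"DNS64 answer for app3.corp.contoso.com: $synth"
"NAT64 forwards the request to: $(ConvertFrom-Nat64Address -Prefix $Nat64Prefix -IPv6 $synth)"
```

Comparing the AAAA answer a DirectAccess client gets for APP3 with the output of the first function (using UAG's real prefix) tells you whether DNS64, rather than a stray AAAA record, produced it.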
The following procedures are performed on the UAG1 computer or virtual machine:
A. Rename UAG1
Change the computer name assigned during setup of the Base Configuration to UAG1.
B. Obtain a Certificate for the IP-HTTPS Listener on UAG1
The UAG DirectAccess server uses an IP-HTTPS listener to accept incoming IP-HTTPS connections
from DirectAccess clients on the Internet. The IP-HTTPS Listener requires a web site certificate
to support the SSL connection between itself and the DirectAccess client.
C. Install Forefront UAG on UAG1
Install the Forefront Unified Access Gateway software on UAG1.
D. Run the UAG Getting Started Wizard on UAG1
The UAG Getting Started Wizard walks you through the process of initial configuration of the
UAG server.
E. Run the UAG DirectAccess Configuration Wizard on UAG1
DirectAccess is not enabled by default. You must run the UAG DirectAccess wizard to enable
DirectAccess features and capabilities on UAG1.
F. Confirm Group Policy Settings on UAG1
The UAG DirectAccess wizard configures GPOs and settings that are automatically deployed to
the Active Directory. One GPO is assigned to the UAG DirectAccess server, and one is deployed
to machines that belong to the DirectAccess Clients security group. The step confirms that the
Group Policy settings were deployed to the UAG DirectAccess server.
G. Confirm IPv6 Settings on UAG1
For the DirectAccess solution to function, the IPv6 settings on UAG1 must be correct. This step
confirms these settings on UAG1.
H. Update IPv6 Settings on DC1
DC1 is capable of being an ISATAP host. However, this functionality might not be immediately
available. This step expedites DC1 setting itself up as an ISATAP host by updating its IPv6
configuration.
I. Update IPv6 Settings on APP1
APP1 is capable of being an ISATAP host. However, this functionality might not be immediately
available. This step expedites APP1 setting itself up as an ISATAP host by updating its IPv6
configuration.
J. Confirm IPv6 Address Registration in DNS
IPv6 capable hosts can communicate with one another over IPv6 using their ISATAP adapters.
However, they must be able to resolve the destination host to an IPv6 address to use this
capability. This step confirms that the IPv6 ISATAP addresses are registered in DNS.
K. Confirm IPv6 Connectivity between DC1/APP1/UAG1
After activating the IPv6 settings on DC1, APP1 and UAG1, test IPv6 connectivity by using the ping
utility.
A. Rename the EDGE1 to UAG1
Change the computer name of EDGE1 to UAG1.
1. At the EDGE1 computer or virtual machine, click Start and then right click Computer. Click
Properties.
2. On the System page, click the Advanced system settings link.
3. In the System Properties dialog box, click the Computer Name tab.
4. On the Computer Name tab, click the Change button.
5. In the Computer Name/Domain Changes dialog box, in the Computer name text box, enter
UAG1. Click OK.
6. Click OK in the Computer Name/Domain Changes dialog box informing you that you must
restart the computer.
7. Click Close in the System Properties dialog box.
8. Click Restart Now in the dialog box informing you that you must restart to apply the changes.
9. Log on as CORP\User1.
B. Obtain the IP-HTTPS Listener Certificate on UAG1
The UAG DirectAccess server uses an IP-HTTPS listener to accept incoming IP-HTTPS connections from
DirectAccess clients on the Internet. The IP-HTTPS Listener requires a web site certificate to support the
SSL connection between itself and the DirectAccess client. The common name on this certificate must be
the name the external DirectAccess client uses to connect to the IP-HTTPS Listener, and must be
resolvable using an Internet based DNS server to the first of the two consecutive IP addresses bound to
the external interface of the UAG DirectAccess server. Perform the following steps to obtain the
IP-HTTPS certificate. In addition, you will request a new computer certificate for UAG1 that supports the
machine’s new computer name.
1. At UAG1, click Start, type mmc, and then press ENTER. Click Yes at the User Account Control
prompt.
2. Click File, and then click Add/Remove Snap-ins.
3. Click Certificates, click Add, click Computer account, click Next, select Local computer, click
Finish, and then click OK.
4. In the console tree of the Certificates snap-in, open Certificates (Local
Computer)\Personal\Certificates.
5. In the middle pane of the console, click on the EDGE1.corp.contoso.com certificate and press
the DELETE key on the keyboard. Right click an empty area in the middle pane, point to All Tasks
and click Request New Certificate.
6. On the Before You Begin page, click Next.
7. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy and
click Next.
8. On the Request Certificates page, put a checkmark in the Computer checkbox and click Enroll,
then click Finish.
9. You should now see a new certificate for UAG1.corp.contoso.com with the Intended Purposes
of Client Authentication and Server Authentication.
10. Right-click Certificates, point to All Tasks, and then click Request New Certificate.
11. Click Next twice.
12. On the Request Certificates page, click Web Server 2008, and then click More information is
required to enroll for this certificate.
13. On the Subject tab of the Certificate Properties dialog box, in Subject name, for Type, select
Common Name.
14. In Value, type uag1.contoso.com, and then click Add.
15. In Alternative name, for Type, select DNS.
16. In Value, enter uag1.contoso.com, and then click Add.
17. Click OK, click Enroll, and then click Finish.
18. In the details pane of the Certificates snap-in, verify that a new certificate with the name
uag1.contoso.com was enrolled with Intended Purposes of Server Authentication.
19. Right-click the certificate and then click Properties.
20. In the Friendly Name text box, enter IP-HTTPS Certificate, and then click OK.
21. Close the console window. If you are prompted to save settings, click No.
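A check for the two Web Server 2008 certificates this guide enrolls, the NLS certificate on APP1 (STEP 3, section A) and the IP-HTTPS certificate on UAG1 (section B above), added here as an example and not part of the guide. It is a PowerShell function of our own that confirms the certificate in the local computer's Personal store carries the expected subject and DNS alternative name, the Server Authentication purpose, a private key, and a chain to corp-DC1-CA, which is what the enrollment steps ask you to verify by eye.

```powershell
# Added example (not from the guide): verify a DirectAccess server certificate.
# Run on APP1 with -Name nls.corp.contoso.com, on UAG1 with -Name uag1.contoso.com.
function Test-DirectAccessServerCert {
    param([Parameter(Mandatory=$true)][string]$Name)

    $ekuExtOid     = '2.5.29.37'            # Enhanced Key Usage extension
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'    # Server Authentication purpose
    $sanExtOid     = '2.5.29.17'            # Subject Alternative Name extension

    # The enrollment wizard places the certificate in Certificates (Local Computer)\Personal
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Name" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if ($cert -eq $null) {
        Write-Warning "no certificate with subject CN=$Name in LocalMachine\My"
        return $false
    }
    $ok = $true

    # 1. Intended Purposes must include Server Authentication
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuExtOid }
    if ($eku -eq $null -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })) {
        Write-Warning "EKU does not include Server Authentication"; $ok = $false
    }

    # 2. The DNS alternative name typed in the Certificate Properties dialog must be present
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanExtOid }
    if ($san -eq $null -or $san.Format($false) -notmatch [regex]::Escape($Name)) {
        Write-Warning "SAN extension does not contain DNS name $Name"; $ok = $false
    }

    # 3. Without a private key neither IIS nor the IP-HTTPS listener can use the certificate
    if (-not $cert.HasPrivateKey) { Write-Warning "no private key"; $ok = $false }

    # 4. The chain must build to the enterprise CA that domain members trust.
    #    Revocation is skipped because the Web Server 2008 template was configured
    #    not to include revocation information in issued certificates.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($cert)) {
        $why = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        Write-Warning "chain does not build: $why"; $ok = $false
    }

    # 5. Validity period
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        Write-Warning "certificate is outside its validity period"; $ok = $false
    }

    if ($ok) {
        Write-Host "OK: $($cert.Subject) thumbprint $($cert.Thumbprint) issued by $($cert.Issuer)"
    }
    return $ok
}

# Run the call that matches the host you are on
# Test-DirectAccessServerCert -Name 'nls.corp.contoso.com'
# Test-DirectAccessServerCert -Name 'uag1.contoso.com'
```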
C. Configure a DNS Entry on INET1 with the Name on the IP-HTTPS Certificate
In order to connect to the IP-HTTPS listener on UAG1, the DirectAccess client needs to be able to resolve
the subject name listed on the IP-HTTPS certificate. In this step you will configure INET1 with a Host (A)
DNS record with the name uag1.contoso.com that resolves to 131.107.0.1.
1. At INET1, log on as Administrator.
2. Click Start, point to Administrative Tools and click DNS.
3. In the DNS Manager console, in the left pane, expand the server name and then expand
Forward Lookup Zones. Click the contoso.com zone.
4. Right click the contoso.com zone and click New Host (A or AAAA).
5. In the New Host dialog box, in the Name text box, enter uag1. In the IP address text box, enter
131.107.0.2.
6. Click Add Host. In the DNS dialog box, click OK.
7. Click Done in the New Host dialog box.
D. Install Forefront UAG on UAG1
Install the Forefront Unified Access Gateway software on UAG1.
1. At UAG1, insert the Forefront UAG DVD into the optical drive. (Note: Ensure you install
Forefront UAG from the DVD. Network installations are not supported.)
2. Click Start, click Computer, double-click the DVD drive Forefront UAG 2010, and then double-click Setup.
3. In the Setup window, under Prepare and Install, click Install Forefront UAG. Click Yes in the
User Account Control dialog box.
4. On the Welcome to the Forefront UAG Setup Wizard page, click Next.
5. Read the License Terms, and if you choose to proceed, select I accept the License Terms for
Microsoft Software, and then click Next.
6. On the Select Installation Location page, click Next, and wait for the installation to complete
successfully.
7. On the You have successfully completed the Forefront UAG Setup page, click Restart now, and
then click Next. Wait for the server to restart.
8. Log on to UAG1 as CORP\User1.
E. Run the UAG Getting Started Wizard
The UAG Getting Started Wizard walks you through the process of initial configuration of the UAG
server. This will set up the basic information required to configure the networking settings on the server,
define the server topology (standalone or array) and whether or not to join Microsoft update for
updating the server.
1. At UAG1, click Start, point to All Programs, click Microsoft Forefront UAG, and then click
Forefront UAG Management. Click Yes in the User Account Control dialog box. UAG will start
to configure itself for the first time. The Getting Started Wizard splash screen appears.
2. In the Getting Started Wizard, click Configure Network Settings to start the Network
Configuration Wizard.
3. On the Welcome to the Network Configuration Wizard page, click Next.
4. On the Define Network Adapters page, select Corpnet in the Internal column, and Internet in
the External column. Leave SSL Network tunneling as unassigned, and then click Next.
5. On the Define Internal Network IP Address Range page, verify that the range that appears is
10.0.0.0 to 10.0.0.255, and then click Next.
6. On the Completing the Network Configuration Wizard page, click Finish.
7. On the Getting Started Wizard, click Define Server Topology.
8. On the Welcome to the Server Management Wizard page, click Next.
9. On the Select Configuration page, select Single server, and then click Next.
10. On the Completing the Server Management Wizard page, click Finish.
11. In the Getting Started Wizard, click Join Microsoft Update.
12. On the Use Microsoft Update for Forefront UAG page, select I don’t want to use Microsoft
Update, and then click OK. (NOTE: in a production environment it is highly recommended that
you select the use Microsoft Update option).
13. On the Getting Started Wizard page, click Close.
14. In the Getting Started Wizard dialog box, when prompted Do you want to activate the
configuration now, click Yes.
15. On the Activate Configuration page, enter a password and confirm the password for the backup
file that will save the current UAG configuration. Click Next.
16. On the Activate Configuration page, confirm that there is a checkmark in the Back up
configuration before performing this activation checkbox, then click Activate.
17. Wait for the Activation completed successfully message, and then click Finish.
18. To exit the Microsoft Forefront UAG Management console, click the File menu, click Exit, and
then click Yes when prompted Do you want to close the Forefront UAG Management console.
F. Run the UAG DirectAccess Configuration Wizard on UAG1
DirectAccess is not enabled by default. To enable DirectAccess features and capabilities on UAG1, you
need to run the DirectAccess Configuration wizard. After running the DirectAccess Configuration Wizard,
two new Group Policy objects are created – one is linked to the computer account for the UAG
DirectAccess server, and the second is linked to the DirectAccess clients security group (DA_Clients) you
configured earlier. In addition, the IPv6 components, including support for IPv6 transition technologies
and IPv6/IPv4 protocol transition technologies are enabled on the UAG DirectAccess server.
1. Click Start, point to All Programs, click Microsoft Forefront UAG, and then click Forefront UAG
Management. Click Yes in the User Account Control dialog box.
2. In the left pane of the Forefront Unified Access Gateway console, click DirectAccess. In the
Forefront UAG DirectAccess Configuration pane, in the Clients box, click Configure.
3. On the UAG DirectAccess Client Configuration dialog box, click Add.
4. In the Select Group dialog box, enter DA_Clients, click OK, and then click Finish. (Note that you
must use the custom security group that you created for the DirectAccess clients. Never use a built-in security group.)
5. In the DirectAccess Server box, click Configure.
6. On the Connectivity page, in First Internet-facing IPv4 address, select 131.107.0.2. In Internal
IPv4 address, select 10.0.0.2, and then click Next. (Note the information that appears regarding
ISATAP being enabled on the UAG server, and that an ISATAP entry must be entered into DNS
and that ISATAP must be removed from the Global Query Block List. This procedure was carried
out earlier during configuration of DC1).
7. On the Managing DirectAccess Services page, click Next. (Note: the default settings on this page
enable both NAT64 and DNS64, which allow DirectAccess clients to communicate with IPv4 only
servers and resources on the corpnet).
8. On the Authentication Options page, for Browse and select a root or intermediate certificate
that verifies certificates sent by DirectAccess clients, select Use root certificate, and then click
Browse. In the list of certificates, click the corp-DC1-CA root certificate, and then click OK.
9. For Select the certificate that authenticates the UAG DirectAccess server to a client connecting
using IP-HTTPS, click Browse. In the list of certificates, click the IP-HTTPS certificate, click OK,
and then click Finish.
10. In the Infrastructure Servers box, click Configure.
11. On the Network Location Server page, enter nls.corp.contoso.com, click Validate and wait for
the notice Validation successful. The URL https://nls.corp.contoso.com is reachable, and then
click Next.
12. On the DNS Suffixes page, click Next. (Note: the DNS suffixes listed on this page determine what
communications are sent through the DirectAccess tunnels to the DirectAccess server and to the
corpnet.)
13. On the Management Servers and DCs page, click the Domains\corp.contoso.com entry. Note in
the Servers List that DC1.corp.contoso.com was automatically discovered. Click Finish. (Note:
infrastructure servers are those servers that are accessed through the infrastructure tunnel,
which is established before the user logs on. The infrastructure tunnel enables DirectAccess
client computer management even when there is no logged on user).
14. In the Application Servers box, click Configure. Confirm that the Require end-to-edge
authentication and encryption option is selected. Click Finish.
15. In the Forefront UAG DirectAccess pane, click Generate Policies.
16. In the Forefront UAG DirectAccess Configuration Review dialog box, click Apply Now. After the
script has finished executing, in the DirectAccess Policy Configuration message box, click OK,
and then click Close.
17. Open an elevated command prompt. In the command prompt window enter gpupdate /force
and press ENTER. Wait for the command to complete and then close the command prompt
window.
18. In the Microsoft Forefront UAG Management console, click the File menu, and then click
Activate. In the Activate Configuration dialog box, click Activate. Wait for the Activation
completed successfully message, and then click Finish.
19. To exit the Microsoft Forefront UAG Management console, click the File menu, click Exit, and
then click Yes when prompted Do you want to close the Forefront UAG Management console.
G. Confirm Group Policy Settings on UAG1
The UAG DirectAccess wizard configures GPOs and settings that are automatically deployed to the
Active Directory. One GPO is assigned to the UAG DirectAccess server, and one is deployed to machines
that belong to the DirectAccess Clients security group. The following steps confirm that the Group Policy
settings were deployed to the UAG DirectAccess server.
1. *Go to DC1. At DC1, click Start, point to Administrative Tools and click Group Policy
Management.
2. Expand Forest: corp.contoso.com and then expand Domains and then expand
corp.contoso.com.
3. You will find two new GPOs linked at the domain level, alongside the Default Domain Policy. UAG DirectAccess:
Client{3491980e-ef3c-4ed3-b176-a4420a810f12} is applied to members of the DA_Clients
security group. UAG DirectAccess: DaServer{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300} is
applied to the UAG server. Confirm that the correct security filtering is applied to each of these
Group Policy Objects by clicking the GPO and then viewing the entries in the Security
Filtering section on the Scope tab in the right pane of the console.
4. *Go to UAG1. Open an elevated command prompt. Change the current directory to
c:\Users\User1\Desktop (enter cd c:\Users\User1\Desktop and press ENTER).
5. At the command prompt, enter gpresult /scope computer /f /h report.html and press ENTER
6. On the desktop, double-click the report file. In the Group Policy Objects section, notice in the
Group Policy Objects\Applied GPOs section that UAG DirectAccess: DaServer{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300} appears, which shows that the DirectAccess server GPO has been applied
to UAG1. Close the Internet Explorer window.
7. Click Start and enter wf.msc in the Search box and press ENTER.
8. In the Windows Firewall with Advanced Security console, notice in the middle pane that it says
that the Domain Profile is Active and Public Profile is Active. It is important that the Windows
Firewall is enabled and both the Domain and Public Profiles are active. If the Windows Firewall
with Advanced Security is disabled, or if Domain or Public profiles are disabled, then
DirectAccess will not work correctly.
9. In the left pane of the Windows Firewall with Advanced Security Console, click the Connection
Security Rules node. Notice in the middle pane of the console that there are two connection
security rules: UAG DirectAccess Gateway – Clients Access Enabling Tunnel – All and UAG
DirectAccess Gateway – Clients Corp Tunnel. The first rule is used for the infrastructure tunnel
and the second rule is used to establish the intranet tunnel. Both of these rules are delivered to
UAG1 using Group Policy.
10. Close the Windows Firewall with Advanced Security console.
H. Confirm IPv6 Settings on UAG1
For the DirectAccess solution to function, the IPv6 settings on UAG1 must be correct. The following steps
confirm these settings on UAG1.
1. At UAG1, click Start and right click on the command prompt and click Run as administrator.
Click Yes in the User Account Control dialog box.
2. In the command prompt window, enter ipconfig /all and press ENTER.
3. The ipconfig /all display shows information related to the UAG1 networking configuration. There
are several sections of interest. The Tunnel adapter 6TO4 Adapter section shows information
that includes the Global IPv6 address used by UAG1 on its external interface. The Tunnel
adapter isatap.corp.contoso.com section shows information regarding UAG1’s ISATAP
interface; here you find the ISATAP address for UAG1. In the Tunnel adapter IPHTTPSInterface
section, you’ll see information regarding the IP-HTTPS interface. If you are using the IP
addressing scheme used in this lab, you should see the following addresses:
6TO4 Adapter: 2002:836b:2::836b:2 and 2002:836b:3::836b:3 (one 6to4 address for each of the two
consecutive public IPv4 addresses, 131.107.0.2 and 131.107.0.3, on the external interface)
ISATAP: 2002:836b:2:8000:0:5efe:10.0.0.2
IPHTTPS: 2002:836b:2:8100:c887:6a74:6ef0:bf (Note that the 2002:836b:2:8100 prefix is fixed, but the
interface identifier in the last 64 bits will vary because of how the IP-HTTPS address is generated)
4. To see information regarding the Teredo interface on UAG1, enter netsh interface Teredo show
state and press ENTER. The output should include an entry State: online
I. Update IPv6 Settings on DC1
DC1 is capable of being an ISATAP host. However, this functionality might not be immediately available.
You can expedite DC1 setting itself up as an ISATAP host by updating its IPv6 configuration.
1. *At DC1, click Start and then right click the command prompt icon. Click Run as administrator.
2. In the command prompt window, enter sc control iphlpsvc paramchange and press ENTER.
3. Close the command prompt window after the command completes.
J. Update IPv6 Settings on APP1
APP1 is capable of being an ISATAP host. However, this functionality might not be immediately available.
You can expedite APP1 setting itself up as an ISATAP host by updating its IPv6 configuration.
1. *At APP1, click Start and then right click the command prompt icon. Click Run as administrator.
2. In the command prompt window, enter sc control iphlpsvc paramchange and press ENTER.
3. Close the command prompt window after the command completes.
K. Confirm IPv6 Address Registration in DNS
IPv6 capable hosts can communicate with one another over an IPv4 network with IPv6 using their
ISATAP adapters. However, they must be able to resolve the destination host to an IPv6 address to use
this capability. The following steps confirm that the IPv6 ISATAP addresses are registered in DNS.
1. *At DC1, click Start, point to Administrative Tools and click DNS.
2. In the DNS Manager, expand the server name, then expand the Forward Lookup Zones node in
the left pane of the console. Click corp.contoso.com.
3. Click the Name column in the right pane of the console so that computer names are listed
alphabetically. For APP1, DC1 and UAG1 there should be an IPv4 address and IPv6 address. If
there is no IPv6 address, return to the machine that does not have an IPv6 address and open an
elevated command prompt. At the elevated command prompt enter ipconfig /registerdns. Then
return to the DNS console on DC1 and confirm that the IPv6 address is registered in DNS. If the
IPv6 address does not appear in the console, refresh the console view.
Note that the ISATAP addresses listed in the DNS resource records do not use the dotted decimal format
for the last 32 bits of the IPv6 address that you see when using ipconfig to view IP addressing
information on the hosts. However, these addresses represent the same information; the only
difference is that the last 32 bits are represented in HEX instead of dotted decimal format.
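The addresses that sections H, K and L (and the Step 8 tests later in this guide) tell you to look for are not arbitrary: each one encodes an IPv4 address in a fixed position, which is what lets you verify them by hand or spot a misconfigured host in a DNS zone or a firewall log. The following script is an added worked example, not part of the Microsoft test lab guide and not a Microsoft tool. It derives the 6to4, ISATAP and NAT64 addresses from the lab's own IPv4 values (UAG1 external 131.107.0.2 and 131.107.0.3, intranet hosts 10.0.0.1 to 10.0.0.4, and the 2002:836b:2:8000::/64 ISATAP and 2002:836b:2:8001::/96 NAT64 prefixes that UAG takes from its 6to4 /48), renders ISATAP addresses in both the ipconfig (dotted-decimal tail) and DNS Manager (hex tail) spellings, and recovers the public IPv4 address hidden inside any 6to4 address, for example the 131.107.0.3 behind the DirectAccess DNS server address 2002:836b:3::836b:3. It uses only the Python standard library and runs offline.

```python
"""Derive the IPv6 transition addresses used in this lab from their IPv4 inputs.

Added worked example; not part of the Microsoft test lab guide. The expected values
are the ones the guide says ipconfig, DNS Manager and ping should show.
"""
import ipaddress

IPv6 = ipaddress.IPv6Address
IPv4 = ipaddress.IPv4Address


def sixto4_prefix(public_ipv4: str) -> ipaddress.IPv6Network:
    """RFC 3056: the holder of public IPv4 W.X.Y.Z owns 2002:WXYZ-in-hex::/48."""
    v4 = int(IPv4(public_ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def sixto4_host_address(public_ipv4: str) -> IPv6:
    """Windows gives the 6TO4 tunnel adapter subnet 0 of that /48, with the IPv4
    address repeated as the interface ID: 2002:WWXX:YYZZ::WWXX:YYZZ."""
    v4 = int(IPv4(public_ipv4))
    return IPv6((0x2002 << 112) | (v4 << 80) | v4)


def sixto4_public_ipv4(addr: str) -> IPv4:
    """Inverse: read the public IPv4 address out of bits 16-47 of a 2002::/16 address.
    Handy when reading firewall or IPsec logs: a 6to4 peer's IPv6 address reveals its IPv4."""
    a = IPv6(addr)
    if a not in ipaddress.IPv6Network("2002::/16"):
        raise ValueError(f"{addr} is not a 6to4 address")
    return IPv4((int(a) >> 80) & 0xFFFFFFFF)


def isatap_address(prefix64: str, ipv4: str) -> IPv6:
    """RFC 5214: interface ID 0000:5EFE:<IPv4> (0200:5EFE when the IPv4 is public)
    under the /64 the ISATAP router (UAG1) advertises."""
    net = ipaddress.IPv6Network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix")
    v4 = IPv4(ipv4)
    iid_high = 0x02005EFE if v4.is_global else 0x00005EFE
    return IPv6(int(net.network_address) | (iid_high << 32) | int(v4))


def nat64_address(prefix96: str, ipv4: str) -> IPv6:
    """DNS64 on UAG synthesises an AAAA record by placing the IPv4 address in the
    low 32 bits of the NAT64 /96; NAT64 translates traffic sent there back to IPv4."""
    net = ipaddress.IPv6Network(prefix96)
    if net.prefixlen != 96:
        raise ValueError("NAT64 needs a /96 prefix")
    return IPv6(int(net.network_address) | int(IPv4(ipv4)))


def with_dotted_ipv4(addr: IPv6) -> str:
    """Render as ipconfig does for ISATAP: the last 32 bits in dotted decimal.
    DNS Manager shows the same 128 bits with those bits as two hex groups (str(addr)).
    Assumes the first six groups contain no zero run that :: would compress, which
    holds for this lab's prefixes."""
    head = ":".join(g.lstrip("0") or "0" for g in addr.exploded.split(":")[:6])
    return f"{head}:{IPv4(int(addr) & 0xFFFFFFFF)}"


ISATAP_PREFIX = "2002:836b:2:8000::/64"
NAT64_PREFIX = "2002:836b:2:8001::/96"

# (value the guide says you should see, value the derivation gives)
LAB_EXPECTED = {
    "UAG1 6TO4 adapter for 131.107.0.2": ("2002:836b:2::836b:2", str(sixto4_host_address("131.107.0.2"))),
    "UAG1 6TO4 adapter for 131.107.0.3": ("2002:836b:3::836b:3", str(sixto4_host_address("131.107.0.3"))),
    "UAG1 ISATAP as ipconfig shows it": ("2002:836b:2:8000:0:5efe:10.0.0.2",
                                         with_dotted_ipv4(isatap_address(ISATAP_PREFIX, "10.0.0.2"))),
    "DC1 ISATAP as ipconfig shows it": ("2002:836b:2:8000:0:5efe:10.0.0.1",
                                        with_dotted_ipv4(isatap_address(ISATAP_PREFIX, "10.0.0.1"))),
    "APP1 ISATAP as DNS Manager shows it": ("2002:836b:2:8000:0:5efe:a00:3",
                                            str(isatap_address(ISATAP_PREFIX, "10.0.0.3"))),
    "APP3 NAT64 address seen in Step 8": ("2002:836b:2:8001::a00:4", str(nat64_address(NAT64_PREFIX, "10.0.0.4"))),
    "IPv4 behind DA DNS server 2002:836b:3::836b:3": ("131.107.0.3", str(sixto4_public_ipv4("2002:836b:3::836b:3"))),
}


def check_lab() -> list:
    """Return [(label, expected, derived)] for every mismatch; empty means the numbers agree."""
    return [(k, want, got) for k, (want, got) in LAB_EXPECTED.items() if want != got]


if __name__ == "__main__":
    for k, (want, got) in LAB_EXPECTED.items():
        print(f"{'ok ' if want == got else 'BAD'} {k}: {got}")
```

Run it as-is to confirm the guide's numbers, or change the IPv4 inputs to those of your own lab: if a ping reply or a DNS record does not match what the derivation gives, the host is either using a different prefix than UAG1 advertises or has registered a stale address.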
L. Confirm IPv6 Connectivity between DC1/APP1/UAG1
After activating the IPv6 settings on DC1, APP1 and UAG1, test IPv6 connectivity by using the ping utility.
1. *At DC1, click Start and right click the command prompt icon and click Run as administrator.
2. In the command prompt window, enter ipconfig /flushdns to remove IPv4 address entries that
might already be in the DNS client cache.
3. In the command prompt window, enter ping UAG1 and press ENTER. You should see the ISATAP
address of UAG1 in the reply, which is 2002:836b:2:8000:0:5efe:10.0.0.2.
4. In the command prompt window, enter ping APP1 and press ENTER. You should see the ISATAP
address of APP1 in the reply, which is 2002:836b:2:8000:0:5efe:10.0.0.3. Close the command
prompt window.
5. *At UAG1, use an elevated command prompt window to ping DC1 and APP1 and confirm that
the responses are from the ISATAP addresses of those servers. Then close the command prompt
window.
STEP 6: Configure CLIENT1
CLIENT1 is a computer or virtual machine running Windows 7 that is used to demonstrate how
DirectAccess works in a number of scenarios. CLIENT1 is first connected to the corpnet to receive the
DirectAccess Group Policy settings. CLIENT1 is later moved to the simulated Internet to test DirectAccess
connectivity over 6to4 and CLIENT1 is moved behind a NAT device to test both Teredo and IP-HTTPS
DirectAccess connectivity.
NOTE:
CLIENT1 is a Windows 7 computer and after installation the default power plan is applied.
CLIENT1 may go to sleep before you reach the end of the lab configuration. To prevent this from
happening, select the High Performance power plan in the Control Panel.
The following operations configure CLIENT1:
A. Add CLIENT1 to the DA_Clients Active Directory Security Group
The DirectAccess client settings are assigned only to members of the security group designated
for DirectAccess clients. Place CLIENT1 in the DA_Clients security group so that the Group Policy
settings are assigned to CLIENT1.
B. Test IPv6 Configuration, Confirm Group Policy Settings and Machine Certificate on CLIENT1
Before moving CLIENT1 out of the corpnet and onto the simulated Internet and behind a NAT
device, check the IPv6 configuration on CLIENT1, confirm that DirectAccess client Group Policy
Settings are enabled on CLIENT1, and that CLIENT1 has the computer certificate required to
establish the IPsec connections to the UAG DirectAccess server.
C. Test Connectivity to a Network Share and Network Location Server
The final check on CLIENT1 before moving it outside the corpnet is to confirm connectivity to a
network share on the corpnet and to the Network Location Server. Connectivity to the Network
Location Server is required so that the DirectAccess client can determine if it is on-network or
off-network.
A. Add CLIENT1 to the DA_Clients Security Group
The DirectAccess client settings are assigned only to members of the security group designated for
DirectAccess clients. You will place CLIENT1 in the DA_Clients security group so that the Group Policy
settings are assigned to CLIENT1.
1. *On the DC1 computer or virtual machine, click Start, point to Administrative Tools, and then
click Active Directory Users and Computers.
2. In the console tree, expand corp.contoso.com, and then click Users.
3. In the details pane, double-click DA_Clients.
4. In the DA_Clients Properties dialog box, click the Members tab, and then click Add.
5. In the Select Users, Contacts, Computers, or Groups dialog box, click Object Types, click
Computers, and then click OK.
6. Under Enter the object names to select (examples), type CLIENT1, and then click OK.
7. Verify that CLIENT1 is displayed below Members, and then click OK.
8. Close the Active Directory Users and Computers console.
9. *On CLIENT1, start the computer and log on as CORP\User1. If CLIENT1 is already started,
restart the computer and log on as CORP\User1.
B. Test IPv6 Configuration, Confirm Group Policy Settings and Machine Certificate on
CLIENT1
Before moving CLIENT1 out of the corpnet and onto the simulated Internet and behind a NAT device on
the Internet, check the IPv6 configuration on CLIENT1, confirm that DirectAccess client Group Policy
Settings are enabled on CLIENT1, and that CLIENT1 has the computer certificate required to establish
the IPsec connections to the UAG DirectAccess server.
1. On the CLIENT1 computer or virtual machine, click Start and then click All Programs. Click
Accessories and then right click command prompt. Click Run as administrator. Click Yes in the
UAC dialog box.
2. In the command prompt window, enter ping dc1 and press ENTER. Confirm that the reply comes
from an IPv6 ISATAP address, 2002:836b:2:8000:0:5efe:10.0.0.1.
3. Ping APP1 and UAG1 to confirm that both these machines reply with IPv6 ISATAP addresses,
2002:836b:2:8000:0:5efe:10.0.0.3 and 2002:836b:2:8000:0:5efe:10.0.0.2.
4. In the command prompt window, enter netsh namespace show policy and press ENTER. This
command shows the DNS Name Resolution Policy Table (NRPT) settings, which were provided to
CLIENT1 via Group Policy. For more information about DirectAccess and the NRPT, please see
http://technet.microsoft.com/en-us/library/dd637795(WS.10).aspx
5. In the command prompt window, enter netsh namespace show effectivepolicy and press
ENTER. This command shows the current DNS name resolution policy table settings and
indicates that the client is in the corporate network and Name Resolution Policy Table (NRPT)
settings are turned off.
6. In the command prompt window, enter certutil -store my and press ENTER. The output will
display information about the certificate installed on CLIENT1. The subject name on the
certificate should be CN=CLIENT1.corp.contoso.com and the certificate template name
(certificate type) should be Machine, Computer. This machine certificate was assigned using
Group Policy autoenrollment and will be used to create the IPsec tunnels between CLIENT1 and
UAG1 when CLIENT1 leaves the corporate network.
C. Test Connectivity to a Network Share and the Network Location Server
The final check on CLIENT1 before moving it outside the corpnet is to confirm connectivity to a network
share on the corpnet and to the Network Location Server. Connectivity to the Network Location Server
is required so that the DirectAccess client can determine if it is on or off the corporate network.
1. On CLIENT1, from the taskbar, click the Internet Explorer icon.
2. In the Welcome to Internet Explorer 8 window, click Next. In the Turn on Suggested Sites
window, click No, don’t turn on, and then click Next. In the Choose your settings dialog box,
click Use express settings, and then click Finish.
3. In the Toolbar, click Tools, and then click Internet Options. For Home page, click Use blank, and
then click OK.
4. In the Address bar, enter https://nls.corp.contoso.com/, and then press ENTER. You should see
the default IIS 7 Web page on DC1.
5. Close the Internet Explorer window.
6. Click Start, enter \\DC1\Files, and then press ENTER.
7. You should see a folder window with the contents of the Files file share.
8. In the Files folder window, double-click the Example.txt file. You should see the contents of the
Example.txt file. Close the example.txt - Notepad and the Files folder windows.
STEP 7: Configure NAT1
NAT1 is a Windows 7 computer configured as a NAT device that separates a private network from the
Internet. The built-in Internet Connection Sharing (ICS) feature is used to provide the NAT server functionality.
ICS includes DHCP server-like functionality and automatically assigns IP addressing information to clients
located behind the NAT1 ICS NAT device. NAT1 has two network interfaces – one connected to the
simulated Internet and one connected to a Homenet subnet.
NOTE:
NAT1 is a Windows 7 computer and after installation the default power plan is applied. NAT1
may go to sleep before you reach the end of the lab configuration. You can prevent this from
happening by selecting the High Performance power plan in the Control Panel.
Perform the following operations to configure NAT1 as a NAT device:
A. Install the operating system on NAT1
The first step is to install the Windows 7 operating system. Note that this is not a requirement;
you can use any NAT device to simulate NAT device functionality.
B. Rename the interfaces on NAT1
Rename the network interfaces in the Network Connections window to make them easier to
identify. Note that this is not required, but makes applying the correct settings on the
appropriate interface easier.
C. Disable 6to4 functionality on NAT1
Disable 6to4 functionality on NAT1. If you don’t disable 6to4 on NAT1, it will act as a 6to4 router
and advertise a 6to4 IPv6 prefix to CLIENT1 when CLIENT1 is connected to the Homenet subnet,
giving CLIENT1 a 6to4 address. This will prevent CLIENT1 from acting as a Teredo or IP-HTTPS
DirectAccess client.
D. Configure ICS on the External Interface of NAT1
Internet Connection Sharing enables NAT1 to act as a NAT device and DHCP server for clients
located behind NAT1. This enables CLIENT1 to automatically obtain IP addressing information
and connect to the simulated Internet when connected to the Homenet subnet behind NAT1.
A. Install the OS on NAT1
The first step is to install the Windows 7 operating system. Note that this is not a requirement; you can
use any NAT device to simulate NAT device functionality.
1. At NAT1, connect one network adapter to the Internet subnet or virtual switch, and the other to
the Homenet subnet or virtual switch.
2. Start the installation of Windows 7 Ultimate Edition.
3. When prompted for a user name, enter User1. When prompted for a computer name, enter
NAT1.
4. When prompted for a password, enter a strong password twice.
5. If prompted for a Password Hint, enter a password hint.
6. When prompted for protection settings, click Use recommended settings.
7. When prompted for your computer's current location, click Public network.
B. Rename the Network Interfaces on NAT1
In this step you rename the network interfaces in the Network Connections window to make them
easier to identify. Note that this is not required, but makes applying the correct settings on the
appropriate interface easier.
1. Click Start, and then click Control Panel.
2. Under Network and Internet, click View status and tasks, and then click Change adapter
settings.
3. In the Network Connections window, right-click the network connection that is connected to
the Homenet subnet, and then click Rename.
4. Enter Homenet, and then press ENTER.
5. In the Network Connections window, right-click the network connection that is connected to
the Internet subnet, and then click Rename.
6. Enter Internet, and then press ENTER.
7. Leave the Network Connections window open for the next procedure.
8. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click
Run as administrator.
9. To check network communication between NAT1 and INET1, in the command window, type
ping inet1.isp.example.com, and then press ENTER.
10. Verify that there are four responses from 131.107.0.1.
C. Disable 6to4 on NAT1
In the lab environment we use a Windows 7 computer to simulate a NAT device located in a remote
location. One issue with Windows 7 when configured as an Internet Connection Sharing host is that it
can act as a 6to4 router. When this is the case, it might assign the CLIENT1 computer behind the NAT1
ICS computer a 6to4 address and prevent it from acting as a Teredo and IP-HTTPS client. In order to
demonstrate both Teredo and IP-HTTPS functionality, 6to4 functionality on the NAT1 is disabled.
1. In an elevated command prompt window, enter netsh interface 6to4 set state state=disabled,
and then press ENTER. An Ok response is returned after the command completes.
2. Close the command window.
D. Configure ICS on the External Interface of NAT1
Internet Connection Sharing enables NAT1 to act as a NAT device and DHCP server for clients located
behind NAT1. This enables CLIENT1 to automatically obtain IP addressing information and connect to
the simulated Internet when connected to the Homenet subnet behind NAT1.
1. At NAT1, in the Network Connections window, right-click Internet, and then click Properties.
2. Click the Sharing tab, select Allow other network users to connect through this computer’s
Internet connection, and then click OK.
3. Right click the Homenet interface on NAT1 and click Status.
4. In the Local Area Connection Status dialog box, on the General tab, click the Details button.
5. In the Network Connection Details dialog box, notice that the internal interface has been
assigned an IP address and subnet mask by Internet Connection Sharing, using a network ID
of 192.168.137.0/24. DHCP clients placed behind NAT1 obtain an IP address on this network ID
and DNS server settings from Internet Connection Sharing.
6. Click Close in the Network Connection Details dialog box, and click Close in the Local Area
Connection Status dialog box.
7. Close the Network Connections window.
STEP 8: Test DirectAccess Connectivity from the Internet
CLIENT1 is now ready for DirectAccess testing. In the first set of tests, you connect CLIENT1 to the
simulated Internet. When connected to the simulated Internet, CLIENT1 is assigned a public IP address.
When a DirectAccess client is assigned a public IP address, it will try to establish a connection to the
DirectAccess server using an IPv6 6to4 connection over its 6to4 tunnel adapter. After connecting to the
simulated Internet and establishing the DirectAccess connection, you perform a number of tests to
confirm IPv6 connectivity and connectivity to corpnet assets from over the simulated Internet.
1. Unplug CLIENT1 from the corpnet switch and connect it to the Internet switch. Wait for 30
seconds.
2. Open an elevated command prompt. In the command prompt window, enter ipconfig /all and
press ENTER.
3. Examine the output from the ipconfig command. CLIENT1 is now connected to the Internet and
has a public IP address. When the DirectAccess client has a public IP address, it will use the 6to4
IPv6 transition technology to tunnel the IPv6 messages over an IPv4 Internet between the
DirectAccess client and UAG DirectAccess server. Look at the information in the Tunnel adapter
6TO4 adapter. You see a tunnel adapter address that begins with 2002:836b, which is a globally
routable address. You will also see a default gateway, which is the first of the two consecutive
IPv6 6to4 IP addresses assigned to the UAG DirectAccess server. This address should be
2002:836b:2::836b:2. Note the DNS server entry in this section. This is the DNS server that is
used to access any resource other than what is accessible over the DirectAccess connection.
4. In the command prompt window, enter ipconfig /flushdns and press ENTER. This flushes name
resolution entries that may still exist in the client DNS cache from when CLIENT1 was connected
to the corpnet.
5. In the command prompt window, enter ping dc1 and press ENTER. You should see replies from
the ISATAP address assigned to DC1, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.1
6. In the command prompt window, enter ping app1 and press ENTER. You should see replies from
the ISATAP address assigned to APP1, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.3
7. In the command prompt window, enter ping uag1 and press ENTER. You should see replies from
the ISATAP address assigned to UAG1, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.2
8. In the command prompt window, enter ping app3 and press ENTER. You should see replies from
the NAT64 address assigned by UAG1 to APP3, which in this case is 2002:836b:2:8001::a00:4
The ability to ping APP3 is important, because success indicates that you were able to establish a
connection using NAT64/DNS64, as APP3 is an IPv4 only resource.
9. In the command prompt window, enter netsh namespace show effectivepolicy and press
ENTER. The output shows the current settings for the Name Resolution Policy Table (NRPT).
These settings indicate that all connections to .corp.contoso.com should be resolved by the
DirectAccess DNS Server, which is the UAG DirectAccess server, with the IPv6 address of
2002:836b:3::836b:3. Also, note the NRPT entry indicating that there is an exemption for the
name nls.corp.contoso.com; names on the exemption list are not answered by the DirectAccess
DNS server. You can ping the DirectAccess DNS server IP address to confirm connectivity to the
DirectAccess server; for example, you can ping 2002:836b:3::836b:3 in this example.
10. Click the Internet Explorer icon, click the Tools menu and click Internet Options. In the Internet
Options dialog box, on the General tab, click the Use Blank button to set the default Web page
as blank. Close the Internet Explorer window.
11. In the Internet Explorer address bar, enter http://app1.corp.contoso.com and press ENTER.
You will see the default IIS site on APP1.
12. In the Internet Explorer address bar, enter http://app3.corp.contoso.com and press ENTER.
You will see the default web site on APP3.
13. Click Start and in the Search box, enter \\App3\Files and press ENTER. Double click on the New
Text Document file. This demonstrates that you were able to connect to an IPv4 only server
using SMB to obtain a resource in the resource domain.
14. Click Start and in the Search box, enter Firewall and press ENTER.
15. In the Windows Firewall with Advanced Security console, notice that only the Public Profile is
active. The Windows Firewall must be enabled for DirectAccess to work correctly. If for some
reason the Windows Firewall were disabled, DirectAccess connectivity would fail.
16. Expand the Monitoring node in the left pane of the console and click the Connection Security
Rules node. You should see the active connection security rules: UAG DirectAccess Client –
Client Access Enabling Tunnel – All, UAG DirectAccess Client – Clients Corp Tunnel and UAG
DirectAccess Client – Exempt NLA. Scroll the middle pane to the right to expose the 1st
Authentication Methods and 2nd Authentication Methods columns. Notice that the first rule
uses NTLMv2 to establish the infrastructure tunnel and the second rule uses Kerberos V5 to
establish the intranet tunnel. The second tunnel is required to connect to APP1 and APP3, since
they are not on the management servers list.
17. In the left pane of the console, expand the Security Associations node and click the Main Mode
node. Notice the infrastructure tunnel security associations using NTLMv2 and the intranet
tunnel security association using Kerberos V5. Right click the entry that shows User (Kerberos
V5) as the 2nd Authentication Method and click Properties. On the General tab, notice the
Second authentication Local ID is CORP\User1, indicating that User1 was able to successfully
authenticate to the CORP domain using Kerberos.
18. Click Start and right click on Computer and click Properties. Click the Remote Settings link in the
left pane of the console. On the Remote tab, in the Remote Desktop section, select the Allow
connections only from computers running Remote Desktop with Network Level
Authentication (more secure) and click OK. This enables Remote Desktop Connections from
Windows Vista and later and Windows Server 2008 and later computers for remote management.
We will use this feature to test the ability to remotely manage DirectAccess clients from
management servers on the corpnet.
19. *Move to the DC1 computer or virtual machine. Click Start and enter mstsc and press ENTER. In
the Remote Desktop Connection dialog box, in the Computer text box, enter
client1.corp.contoso.com and click Connect. In the Windows Security dialog box, select Use
another account. In the User name text box enter CORP\User1 and enter User1’s password and
click OK. The Remote Desktop Session is successfully established. Note that when you connect
from an infrastructure server, you can establish the connection even before the user logs in,
increasing your ability to manage DirectAccess client machines on the Internet.
NOTE: You are able to “manage out” CLIENT1 without creating special Firewall Rules because it
is acting as a 6to4 IPv6 host. In order to remotely manage Teredo and IP-HTTPS DirectAccess
clients, you will need to configure special Firewall Rules that enable inbound access for the
protocol or service and enable “edge traversal” for that Firewall Rule. This configuration is
covered later in this lab.
20. Close the Remote Desktop Connection window. Click OK in the Remote Desktop Connection
dialog box that informs you that this will disconnect your session.
21. *Return to CLIENT1. Log on as CORP\User1.
22. Close the System Control Panel window and the Windows Firewall with Advanced Security
console. Close all other open windows before moving to the next step.
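The NRPT output examined in Step 6.B (steps 4 and 5) and in step 9 above is easier to reason about as a small lookup: a query's destination depends on which rule matches most specifically, whether that rule has DNS servers at all, and whether the client currently believes it is on the corpnet. The following model is an added illustrative example, not part of the Microsoft guide and not Windows' own resolver code. The rule contents are the lab's (names under .corp.contoso.com go to the DirectAccess DNS server 2002:836b:3::836b:3 on UAG1; nls.corp.contoso.com is exempt), while the interface DNS server address is an assumed placeholder that the guide does not specify. Matching follows the documented NRPT behaviour: the longest matching namespace wins, a matching rule with no DNS servers is an exemption that falls back to the interface's resolver, and while the Network Location Server is reachable the table is not applied at all. The last function shows why the exemption matters: without it, the NLS name would be resolved only through the tunnel, so the client could never use it to tell outside from inside.

```python
"""Model of how the lab's NRPT rules steer a DNS query (added example, not the Windows implementation)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class NrptRule:
    namespace: str            # ".corp.contoso.com" = suffix rule, "nls.corp.contoso.com" = FQDN rule
    dns_servers: tuple = ()   # empty = exemption: resolve with the interface's own DNS servers

    def matches(self, name: str) -> bool:
        name = name.lower().rstrip(".")
        if self.namespace.startswith("."):
            return name.endswith(self.namespace.lower())   # any name under the suffix
        return name == self.namespace.lower()              # exact FQDN only


DA_DNS_SERVER = "2002:836b:3::836b:3"          # UAG1's DNS64 listener, from the guide
LAB_RULES = (
    NrptRule(".corp.contoso.com", (DA_DNS_SERVER,)),
    NrptRule("nls.corp.contoso.com"),           # exempt so NLS detection uses the local resolver
)
INTERFACE_DNS = ("131.107.0.1",)                # assumed placeholder for the Internet subnet's DNS server


def select_resolver(name, rules=LAB_RULES, nls_reachable=False, interface_dns=INTERFACE_DNS):
    """Return (path, servers) for a query of `name`.

    path: 'nrpt-off'  client can reach the NLS, so it is on the corpnet and the NRPT is disabled
          'nrpt'      sent through the DirectAccess tunnel to the DA DNS server
          'exempt'    matched an exemption rule: interface DNS servers
          'no-rule'   matched nothing: interface DNS servers
    """
    if nls_reachable:
        return "nrpt-off", interface_dns
    hits = [r for r in rules if r.matches(name)]
    if not hits:
        return "no-rule", interface_dns
    best = max(hits, key=lambda r: len(r.namespace))   # longest namespace = most specific rule
    if not best.dns_servers:
        return "exempt", interface_dns
    return "nrpt", best.dns_servers


def why_nls_must_be_exempt(name="nls.corp.contoso.com"):
    """Compare the NLS lookup with and without its exemption rule.

    Without the exemption the NLS name falls under the .corp.contoso.com rule and is answered by
    the DA DNS server, i.e. only over the tunnel; the client would then see the NLS from the
    Internet, conclude it is inside, and switch DirectAccess off."""
    without_exemption = tuple(r for r in LAB_RULES if r.namespace != name)
    return select_resolver(name)[0], select_resolver(name, rules=without_exemption)[0]


if __name__ == "__main__":
    for q in ("app3.corp.contoso.com", "nls.corp.contoso.com", "inet1.isp.example.com"):
        print(q, "->", select_resolver(q))
    print("on corpnet:", select_resolver("app3.corp.contoso.com", nls_reachable=True))
    print("NLS with/without exemption:", why_nls_must_be_exempt())
```

The same table explains the two commands in Step 6.B: netsh namespace show policy lists the rules as Group Policy delivered them, whereas netsh namespace show effectivepolicy reports the nrpt-off state while CLIENT1 can reach https://nls.corp.contoso.com, and the full rule set once it is moved to the Internet.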
STEP 9: Test DirectAccess Connectivity from Behind a NAT Device
When a DirectAccess client is connected to the Internet from behind a NAT device or a Web proxy
server, the DirectAccess client uses either Teredo or IP-HTTPS to connect to the DirectAccess server. If
the NAT device enables outbound UDP port 3544 to the DirectAccess server’s public IP address, then
Teredo is used. If Teredo access is not available, the DirectAccess client falls back to IP-HTTPS over
outbound TCP port 443, which enables access through firewalls or Web proxy servers over the
traditional SSL port. Teredo is the preferred access method because of its superior performance over
IP-HTTPS. In addition, if the Web proxy requires authentication, the IP-HTTPS connection will fail. IP-HTTPS
connections also fail if the Web proxy performs outbound SSL inspection, because the HTTPS
session is terminated at the Web proxy instead of at the UAG DirectAccess server. In this section you will
perform the same tests performed when connecting using a 6to4 connection in the previous section.
The following procedures are performed on CLIENT1:
A. Test Teredo Connectivity. The first set of tests is performed when the DirectAccess client is
configured to use Teredo. This is the automatic setting when the NAT device allows outbound
access to UDP port 3544.
B. Test IP-HTTPS Connectivity. The second set of tests is performed when the DirectAccess client
is configured to use IP-HTTPS. In order to demonstrate IP-HTTPS connectivity, Teredo is disabled
on CLIENT1.
A. Testing Teredo Connectivity
The DirectAccess client can use either Teredo or IP-HTTPS when connecting to the DirectAccess server
from behind a NAT device. You will first examine the settings and test connectivity using Teredo.
1. Unplug CLIENT1 from the Internet switch and connect it to the Homenet switch. If asked what
type of network you want to define the current network, select Home Network.
2. Open an elevated command prompt. In the command prompt window, enter ipconfig /all and
press ENTER.
3. Examine the output of the ipconfig command. This computer is now connected to the Internet
from behind a NAT device and is assigned a private IPv4 address. When the DirectAccess client is
behind a NAT device and assigned a private IPv4 address, the preferred IPv6 transition
technology is Teredo. If you look at the output of the ipconfig command, you should see a
section for Tunnel adapter Local Area Connection and then a Description Teredo Tunneling
Pseudo-Interface, with an IP address that starts with 2001: consistent with being a Teredo
address. You will not see a default gateway listed for the Teredo tunnel adapter.
4. In the command prompt window, enter ipconfig /flushdns and press ENTER. This will flush
name resolution entries that may still exist in the client DNS cache from when CLIENT1 was
connected to the Internet.
5. In the command prompt window, enter ping dc1 and press ENTER. You should see replies from
the ISATAP address assigned to DC1, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.1
6. In the command prompt window, enter ping app1 and press ENTER. You should see replies from
the ISATAP address assigned to APP1, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.3
7. In the command prompt window, enter ping uag1 and press ENTER. You should see replies from
the ISATAP address assigned to UAG1, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.2
8. In the command prompt window, enter ping app3 and press ENTER. You should see replies from
the NAT64 address assigned by UAG1 to APP3, which in this case is 2002:836b:2:8001::a00:4
9. In the command prompt window, enter netsh namespace show effectivepolicy and press
ENTER. The output shows the current settings for the Name Resolution Policy Table (NRPT).
These settings indicate that all connections to .corp.contoso.com should be resolved by the
DirectAccess DNS Server, which is the UAG DirectAccess server, with the IPv6 address of
2002:836b:3::836b:3. Also, note the NRPT entry indicating that there is an exemption for the
name nls.corp.contoso.com; names on the exemption list are not answered by the DirectAccess
DNS server. You can ping the DirectAccess DNS server IP address to confirm connectivity to the
DirectAccess server; for example, you can ping 2002:836b:3::836b:3 in this example.
10. In the Internet Explorer address bar, enter http://app1.corp.contoso.com and press ENTER.
You will see the default IIS site on APP1.
11. In the Internet Explorer address bar, enter http://app3.corp.contoso.com and press ENTER.
You will see the default web site on APP3.
12. Click Start and in the Search box, enter \\App3\Files and press ENTER. Double click on the New
Text Document file. This demonstrates that you were able to connect to an IPv4 only server
using SMB to obtain a resource on an IPv4 only host.
13. Click Start and in the Search box, enter Firewall and press ENTER.
14. In the Windows Firewall with Advanced Security console, notice that only the Private profile is
active. The Windows Firewall must be enabled for DirectAccess to work correctly. If for some
reason the Windows Firewall were disabled, DirectAccess connectivity would fail.
15. Expand the Monitoring node in the left pane of the console and click the Connection Security
Rules node. You should see the active connection security rules: UAG DirectAccess Client –
Client Access Enabling Tunnel – All, UAG DirectAccess Client – Clients Corp Tunnel and UAG
DirectAccess Client – Exempt NLA. Scroll the middle pane to the right to expose the 1st
Authentication Methods and 2nd Authentication Methods columns. Notice that the first rule
uses NTLMv2 to establish the infrastructure tunnel and the second rule uses Kerberos V5 to
establish the intranet tunnel.
16. In the left pane of the console, expand the Security Associations node and click the Main Mode
node. Notice the infrastructure tunnel security associations using NTLMv2 and the intranet
tunnel security association using Kerberos V5. Right click the entry that shows User (Kerberos
V5) as the 2nd Authentication Method and click Properties. On the General tab, notice the
Second authentication Local ID is CORP\User1, indicating that User1 was able to successfully
authenticate to the CORP domain using Kerberos to establish the second tunnel (intranet
tunnel).
17. Close the System Control Panel window and the Windows Firewall with Advanced Security
console. Close all other open windows before moving to the next step.
B. Testing IP-HTTPS Connectivity
When the DirectAccess client is unable to establish a Teredo connection with the DirectAccess server
(typically when a firewall or router has blocked outbound UDP port 3544), the DirectAccess client
configures itself to use IP-HTTPS to tunnel IPv6 messages over the IPv4 Internet. In the following
exercises you confirm that the host is configured as an IP-HTTPS host and check connectivity.
1. Open an elevated command prompt. In the command prompt window, enter netsh interface
teredo set state disabled and press ENTER. An Ok response appears when the command
completes. This disables Teredo on CLIENT1 and causes CLIENT1 to configure itself to use IP-HTTPS.
2. In the command prompt window, enter ipconfig /all and press ENTER.
3. Examine the output of the ipconfig command. This computer is now connected to the Internet
from behind a NAT device and is assigned a private IPv4 address. Teredo is disabled and the
DirectAccess client falls back to IP-HTTPS. When you look at the output of the ipconfig
command, you see a section for Tunnel adapter iphttpsinterface with an IP address that starts
with 2002:836b:2:8100 consistent with this being an IP-HTTPS address. You will not see a
default gateway listed for the IP-HTTPS tunnel adapter.
4. In the command prompt window, enter ipconfig /flushdns and press ENTER. This will flush
name resolution entries that may still exist in the client DNS cache from when CLIENT1 was
connected to the corpnet.
5. In the command prompt window, enter ping dc1 and press ENTER. You should see replies from
the ISATAP address assigned to DC1, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.1
6. In the command prompt window, enter ping app1 and press ENTER. You should see replies
from the ISATAP address assigned to APP1, which in this case is
2002:836b:2:8000:0:5efe:10.0.0.3
7. In the command prompt window, enter ping uag1 and press ENTER. You should see replies
from the ISATAP address assigned to UAG1, which in this case is
2002:836b:2:8000:0:5efe:10.0.0.2
8. In the command prompt window, enter ping app3 and press ENTER. You should see replies
from the NAT64 address assigned by UAG1 to APP3, which in this case is
2002:836b:2:8001::a00:4
9. In the command prompt window, enter netsh namespace show effectivepolicy and press
ENTER. The output shows the current settings for the Name Resolution Policy Table (NRPT).
These settings indicate that all connections to .corp.contoso.com should be resolved by the
DirectAccess DNS Server, which is the UAG DirectAccess server, with the IPv6 address of
2002:836b:3::836b:3. Also, note the NRPT entry indicating that there is an exemption for the
name nls.corp.contoso.com; names on the exemption list are not answered by the
DirectAccess DNS server. You can ping the DirectAccess DNS server IP address to confirm
connectivity to the DirectAccess server; for example, you can ping 2002:836b:3::836b:3 in this
example.
10. In the Internet Explorer address bar, enter http://app1.corp.contoso.com and press ENTER.
You will see the default IIS site on APP1.
11. In the Internet Explorer address bar, enter http://app3.corp.contoso.com and press ENTER.
You will see the default web site on APP3.
12. Click Start and in the Search box, enter \\App3\Files and press ENTER. Double click on the New
Text Document file. This demonstrates that you were able to connect to an IPv4 only server
using SMB to obtain a resource on an IPv4 only host.
13. Click Start and in the Search box, enter Firewall and press ENTER.
14. In the Windows Firewall with Advanced Security console, notice that only the Private profile is
active. The Windows Firewall must be enabled for DirectAccess to work correctly. If for some
reason the Windows Firewall were disabled, DirectAccess connectivity would fail.
15. Expand the Monitoring node in the left pane of the console and click the Connection Security
Rules node. You should see the active connection security rules: UAG DirectAccess Client –
Client Access Enabling Tunnel – All, UAG DirectAccess Client – Clients Corp Tunnel and UAG
DirectAccess Client – Exempt NLA. Scroll the middle pane to the right to expose the 1st
Authentication Methods and 2nd Authentication Methods columns. Notice that the first rule
uses NTLMv2 to establish the infrastructure tunnel and the second rule uses Kerberos V5 to
establish the intranet tunnel.
16. In the left pane of the console, expand the Security Associations node and click the Main
Mode node. Notice the infrastructure tunnel security associations using NTLMv2 and the
intranet tunnel security association using Kerberos V5. When you right click the Kerberos
security association, you will see authentication for CORP\User1. This indicates that the client
was able to authenticate with the CORP domain using Kerberos to establish the second
(intranet) tunnel.
17. Close the System Control Panel window and the Windows Firewall with Advanced Security
console. Close all other open windows before moving to the next step.
STEP 10: Test Connectivity When Returning to the Corpnet
Many of your users will move between remote locations and the corpnet, so it’s important that when
they return to the corpnet they are able to access resources without having to make any
configuration changes. UAG DirectAccess makes this possible because when the DirectAccess client
returns to the corpnet, it is able to make a connection to the Network Location Server. Once the HTTPS
connection to the Network Location Server is successfully established, the DirectAccess client disables its
DirectAccess client configuration and uses a direct connection to the corpnet.
1. Shut down CLIENT1 and then unplug CLIENT1 from the Homenet subnet or virtual switch and
connect it to the Corpnet subnet or virtual switch. Log on as CORP\User1. If asked what type
of network you want to define the current network, select Work Network.
2. Open an elevated command prompt. In the command prompt window, enter ipconfig /all. The
output will indicate that CLIENT1 has a local IP address, and that there is no active 6to4, Teredo
or IP-HTTPS tunnel. Note that CLIENT1 has an active ISATAP tunnel adapter.
3. Test connectivity to the network share on APP3. Click Start and enter \\APP3\Files and press
ENTER. You will be able to open the file in that folder.
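The ipconfig checks in STEP 9 and STEP 10 identify the DirectAccess transport from the prefix and the IPv4 address embedded in each tunnel-adapter address. The following Python example is added here and is not part of the guide: it decodes the address formats shown in this lab (6to4, ISATAP, Teredo, UAG NAT64 and IP-HTTPS) and names the transport in use. The 2002:836b:2:8100::/64 and 2002:836b:2:8001::/64 prefixes are taken from this lab's output; the Teredo address in the sample is constructed.

```python
import ipaddress

# Well-known transition prefixes plus the two lab-specific prefixes from this guide.
TEREDO_NET = ipaddress.IPv6Network("2001::/32")               # RFC 4380
SIXTO4_NET = ipaddress.IPv6Network("2002::/16")               # RFC 3056
IPHTTPS_NET = ipaddress.IPv6Network("2002:836b:2:8100::/64")  # IP-HTTPS prefix in this lab
NAT64_NET = ipaddress.IPv6Network("2002:836b:2:8001::/64")    # UAG NAT64 prefix in this lab


def _v4(hi, lo):
    """Join two 16-bit words of an IPv6 address into a dotted IPv4 string."""
    return str(ipaddress.IPv4Address((hi << 16) | lo))


def classify(text):
    """Return the kind of a tunnel-adapter address and the IPv4 data embedded in it."""
    addr = ipaddress.IPv6Address(text)  # accepts the ...:5efe:10.0.0.1 form ipconfig prints
    w = [int(h, 16) for h in addr.exploded.split(":")]
    if addr in TEREDO_NET:
        # 2001:0:<server v4>:<flags>:<port>:<client v4>; port and client v4 are XOR 0xffff
        return {"kind": "Teredo", "server": _v4(w[2], w[3]), "port": w[5] ^ 0xFFFF,
                "client": _v4(w[6] ^ 0xFFFF, w[7] ^ 0xFFFF)}
    if addr in NAT64_NET:
        return {"kind": "NAT64", "ipv4": _v4(w[6], w[7])}  # IPv4-only host behind UAG1
    if addr in IPHTTPS_NET:
        return {"kind": "IP-HTTPS"}
    if addr in SIXTO4_NET:
        site = _v4(w[1], w[2])  # 6to4 embeds the site's public IPv4 in bits 16-47
        if w[4] == 0 and w[5] == 0x5EFE:  # ISATAP interface identifier ::0:5efe:<v4>
            return {"kind": "ISATAP", "site": site, "ipv4": _v4(w[6], w[7])}
        return {"kind": "6to4", "site": site}
    return {"kind": "other"}


def transport(addresses):
    """Name the DirectAccess transport in use from a client's tunnel-adapter
    addresses, in Windows preference order; ISATAP alone means the client is
    on the corpnet with DirectAccess switched off by the NLS check (STEP 10)."""
    kinds = {classify(a)["kind"] for a in addresses}
    for kind in ("6to4", "Teredo", "IP-HTTPS"):
        if kind in kinds:
            return kind
    return "corpnet" if "ISATAP" in kinds else "none"


if __name__ == "__main__":
    # Constructed sample: a Teredo client at 131.107.0.100:3544 via server 131.107.0.2.
    for a in ("2002:836b:2:8000:0:5efe:10.0.0.1", "2002:836b:2:8001::a00:4",
              "2002:836b:3::836b:3", "2001:0:836b:2:0:f227:7c94:ff9b"):
        print(a, classify(a))
```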
STEP 11: Snapshot the Configuration
This completes the DirectAccess test lab. To save this configuration so that you can quickly return to a
working DirectAccess configuration from which you can test other DirectAccess modular TLGs or TLG
extensions, or use it for your own experimentation and learning, do the following:
1. On all physical computers or virtual machines in the test lab, close all windows and then perform a
graceful shutdown.
2. If your lab is based on virtual machines, save a snapshot of each virtual machine and name the
snapshots DirectAccess. If your lab uses physical computers, create disk images to save the
DirectAccess test lab configuration.
Additional Resources
For procedures to configure the Base Configuration test lab on which this document is based, see the
Test Lab Guide: Base Configuration.
For procedures to demonstrate additional DirectAccess functionality using the DirectAccess test lab
described in this document, see the “DirectAccess Test Lab Extensions” section of DirectAccess Test Lab
for Windows Server 2008 R2.
For the design and configuration of your pilot or production deployment of DirectAccess, see the
Forefront UAG DirectAccess design guide and the Forefront UAG DirectAccess deployment guide.
For information about troubleshooting DirectAccess, see the DirectAccess Troubleshooting Guide.
For more information about DirectAccess, see the DirectAccess Getting Started Web page and the
DirectAccess TechNet Web page.