
Forefront UAG DirectAccess Proof of Concept Lab Guide
Microsoft Corporation
Published: August 2010
Abstract
DirectAccess is a new feature in the Windows® 7 and Windows Server® 2008 R2 operating systems that
enables remote users to securely access intranet shared folders, Web sites, and applications without
connecting to a virtual private network (VPN). Forefront UAG DirectAccess extends the benefits of
Windows DirectAccess across your infrastructure by enhancing availability and scalability, as well as
simplifying deployments and ongoing management. This paper contains an introduction to DirectAccess
and step-by-step instructions for creating a Proof of Concept test lab that breaks out the UAG
DirectAccess server and DirectAccess client machines into a forest separate from the production forest.
Copyright Information
This document is provided for informational purposes only and Microsoft makes no warranties, either
express or implied, in this document. Information in this document, including URL and other Internet
Web site references, is subject to change without notice. The entire risk of the use or the results from
the use of this document remains with the user. Unless otherwise noted, the example companies,
organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted
herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred. Complying with all
applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no
part of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
© 2010 Microsoft Corporation. All rights reserved.
Date of last update: August 7, 2010
Microsoft, Windows, Active Directory, Internet Explorer, and Windows Server are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.
Contents
Introduction
Overview of the POC Lab Environment
Overview of Configuration Steps
1. Configure DC1 (PILOT DOMAIN)
   A. Install the OS on DC1
   B. Configure TCP/IP Properties on DC1
   C. Rename the DC1 Computer or Virtual Machine
   D. Configure DC1 as a Domain Controller and DNS Server
   E. Create Reverse Lookup Zone on DNS Server on DC1
   F. Enter PTR Record for DC1
   G. Enable ISATAP Name Resolution on DNS Server on DC1
   H. Create DNS Records for NLS and ISATAP on DC1
   I. Configure Conditional Forwarding to the CORP Domain on DC1
   J. Configure DC1 as DHCP and Certificate Server
   K. Create a New Administrator Account in Active Directory on DC1
   L. Create a Security Group for DirectAccess Clients on DC1
   M. Create and Deploy a Security Template for the IP-HTTPS Listener Certificate and Network Location Server Certificate
   N. Create ICMPv4 and ICMPv6 Echo Request Firewall Rules in Domain Group Policy on DC1
   O. Enable Computer Certificate Autoenrollment in Group Policy for the PILOT Domain on DC1
   P. Configure DNS Suffix Search List in Group Policy on DC1
   Q. Create a Shared Folder on the C:\ Drive on DC1
2. Configure DC2 (CORP DOMAIN)
   A. Install the OS on DC2
   B. Configure TCP/IP Properties on DC2
   C. Rename the DC2 Computer to DC2
   D. Configure DC2 as a Domain Controller and DNS Server
   E. Enable ISATAP Name Resolution on DNS Server on DC2
   F. Create a Reverse Lookup Zone on the DC2 DNS Server
   G. Enter Pointer (PTR) Record for DC2 on the DC2 DNS Server
   H. Create a Host (A) Record for ISATAP on the DC2 DNS Server
   I. Configure Conditional Forwarding to the PILOT Domain on the DC2 DNS Server
   J. Create a New Administrator User Account in Active Directory on DC2
   K. On DC2 Configure a Two-way Trust between the CORP and PILOT Forests
   L. Install Web Server Role on DC2
   M. Create a Shared Folder on the C:\ Drive
3. Configure APP1 (PILOT Domain)
   A. Install the OS on APP1
   B. Configure TCP/IP Properties on APP1
   C. Rename the APP1 Computer or Virtual Machine and Join the PILOT Domain
   D. Obtain NLS Certificate for SSL Connections to Network Location Server on APP1
   E. Install the Web Server Role on APP1
   F. Configure the HTTPS Security Binding on the NLS Web Site on APP1
4. Configure UAG1 (PILOT DOMAIN)
   A. Install the OS on UAG1
   B. Configure TCP/IP Properties on UAG1
   C. Rename the Computer and Join UAG1 to the PILOT Domain
   D. Obtain the IP-HTTPS Listener Certificate on UAG1
   E. Install Forefront UAG on UAG1
   F. Run the UAG Getting Started Wizard
   G. Run the UAG DirectAccess Configuration Wizard
   H. Confirm Group Policy Settings on UAG1
   I. Confirm IPv6 Settings on UAG1
   J. Update IPv6 Settings on DC1
   K. Update IPv6 Settings on DC2
   L. Confirm IPv6 Address Registration in DNS
   M. Confirm IPv6 Connectivity between DC1/DC2/UAG1
5. Configure CLIENT1 (PILOT DOMAIN)
   A. Install the Operating System on CLIENT1
   B. Join CLIENT1 to the PILOT Domain
   C. Add CLIENT1 to the DA_Clients Security Group
   D. Add CORP\User2 to Local Administrators Group on CLIENT1
   E. Test IPv6 Configuration, Confirm Group Policy Settings and Machine Certificate on CLIENT1
   F. Test Connectivity to a Network Share and the Network Location Server
6. Configure INET1
   A. Install the Operating System
   B. Configure TCP/IP Properties on INET1
   C. Rename the Computer on INET1
   D. Install and Configure the DNS Server Role on INET1
   E. Install the DHCP Server Role on INET1
7. Configure NAT1
   A. Install the OS on NAT1
   B. Rename the Network Interfaces on NAT1
   C. Disable 6to4 on NAT1
   D. Configure ICS on the External Interface of NAT1
8. Configure APP3
   A. Install the OS on APP3
   B. Install Web Services
   C. Create a Shared Folder on C:\
9. Test DirectAccess Connectivity from the Internet
10. Test DirectAccess Connectivity from Behind a NAT Device
   A. Testing Teredo Connectivity
   B. Testing IP-HTTPS Connectivity
11. Test Connectivity When Returning to the Corpnet
Introduction
Introducing DirectAccess into a production environment can be a potentially challenging task for multiple
entities within an organization. Network security administrators, Active Directory domain and forest
administrators, desktop management administrators, and many others may be concerned with the
introduction of a new technology. While many organizations have great interest in DirectAccess
technology and the scenarios that it enables, they have concerns about integrating a new technology
into their corporate network, especially one that interfaces with their Active Directory
infrastructure.
For these reasons, many organizations may prefer that UAG DirectAccess server and DirectAccess client
computer accounts be deployed in a dedicated forest that is separate from the production environment.
The UAG proof of concept forest is then configured to have a two-way trust with the organization's
resource forest(s). The advantages of this approach include:
• Making network security professionals more comfortable with placing an Internet-facing domain member on the network, as the UAG DirectAccess server must be joined to an Active Directory domain.
• Reducing the number of user accounts in the UAG DirectAccess domain to just two: the default domain administrator account and a domain/forest admin account that is used for configuration and management. The default domain account can be renamed and given a very complex password, and the admin account used for configuration and management can be given a hard to guess name and a complex, but more wieldy, password than the default domain administrator account. This helps reduce the risk of compromising the UAG domain/forest accounts, which otherwise might be used to launch an attack against the production domains/forests.
• Computer accounts for the Proof of Concept belong to the UAG DirectAccess forest, but the user accounts are part of the production domains and forests. This enables administrators to have a higher fidelity experience with DirectAccess, enabling the DirectAccess client to connect to production resources. This enables the organization to test DirectAccess and determine if DirectAccess is compatible with their current application suite, and provides a foundation for determining which applications may not be compatible and for identifying candidates for upgrade or replacement.
• Reducing the organization's risk related to Group Policy Object configuration. IT organizations may be concerned about deploying UAG DirectAccess Group Policy settings into the production domains and forests before thoroughly testing the solution.
It needs to be emphasized that this breaking out of the UAG DirectAccess forest and UAG DirectAccess
GPOs from the production environment should be considered as part of Proof of Concept (POC)
deployment. Organizations should not interpret this design to be the Microsoft recommended
configuration for production deployments. Instead, this approach is implemented as a Proof of Concept
deployment approach that enables organizations to get a more “real world” experience from the
perspectives of both the end-user with the organization’s current application suite and the IT group’s
ability to “manage out” or remotely manage DirectAccess clients.
The goal of separating out the UAG DirectAccess forest from the production forest is to create a safe
POC deployment environment where organizations can safely deploy Group Policy Objects to a UAG
DirectAccess forest, while leaving the production Active Directory GPOs untouched. We consider this a
superior approach for deploying a POC. It is simple to deploy a separate forest for the UAG DirectAccess
server and computer accounts, which can easily be taken down after completing the POC stage.
Important:
This document is designed to provide a test lab environment that highlights the configuration
options you would carry out for your own UAG DirectAccess Proof of Concept. Many of the
settings created in this document are specific to the lab environment, and are not to be
considered appropriate for a live Proof of Concept deployment or to be considered best
practices. It is critical that you review the Forefront UAG DirectAccess Deployment Guide
before you begin your live Proof of Concept. This POC lab guide will help bring many of the
principles you read about in the deployment guide into a practical context.
Overview of the POC Lab Environment
The POC lab environment is depicted in figure 1. Figure 1 includes the names of the servers and clients,
the domains participating in the solution, and the network connections used by each of the clients and
servers. There is an IP addressing table at the bottom of the figure.
[Figure 1 (diagram, not reproduced in this text): virtual networks VN1, VN2 and VN3; domains corp.contoso.com and pilot.contoso.com; computers DC1, DC2, APP1, UAG1, INET1, NAT1, APP3 and CLIENT1. The IP addressing table at the bottom of the figure is not reproduced.]
Figure 1: Diagram of the POC/Pilot lab environment
In figure 1, note that there are three network segments, each of which represents an isolated Ethernet
broadcast domain. You can use physical servers and separate physical switches, or physical servers and
VLANs, or virtual machines and virtual networks to accomplish this goal. If you are using Hyper-V,
configure three different Private virtual networks for VN1 (Corpnet), VN2 (Internet) and VN3 (Homenet).
The computers on the network include:
• DC1. This is the Windows Server 2008 R2 Enterprise Edition domain controller for the pilot.contoso.com forest. The PILOT domain is the UAG DirectAccess domain, and will contain the computer accounts used in the POC project. UAG DirectAccess GPOs are deployed only to this forest. DC1 also provides DHCP, DNS, Web, and Certificate services to the network.
• DC2. This is the Windows Server 2008 R2 Enterprise Edition domain controller for the corp.contoso.com forest. The CORP domain is the resource domain, and thus contains the user accounts used by the DirectAccess clients; it also includes the application resources that are accessed by the CORP domain users when connecting as DirectAccess clients. A two-way trust is established between the PILOT and CORP domains to enable the Kerberos authentication required for building out the second (intranet) tunnel.
• APP1. This is a Windows Server 2008 R2 computer that belongs to the PILOT domain. APP1 is responsible for hosting the Network Location Server (NLS), which enables DirectAccess clients to detect if they are currently located on the intranet.
• APP3. This is an IPv4-only application server in the CORP (resource) domain used to demonstrate a DirectAccess user's ability to connect to IPv4-only resources on the corpnet. It runs Windows Server 2003 Enterprise Edition.
• UAG1. This is the UAG DirectAccess server acting in DirectAccess server mode only; no other UAG roles are deployed on this server. UAG1 is a member of the UAG DirectAccess domain, which is the PILOT domain. UAG1 runs Windows Server 2008 R2 (required for the UAG DirectAccess server installation).
• INET1. This is on the simulated Internet. This computer supplies DNS and DHCP services to computers connected to the simulated Internet. Specifically, it provides Internet IP addressing information for CLIENT1 so that it can act as a 6to4 client, and provides name resolution services so that CLIENT1 can resolve the name of the UAG DirectAccess server to the IP address used to accept 6to4 connections on the external interface of the UAG server.
• NAT1. This is a Windows 7 computer acting as a NAT device that connects a private address (RFC 1918) network to the simulated Internet. Internet Connection Sharing (ICS) is enabled on NAT1 to provide NAT, DHCP and name resolution services to CLIENT1. CLIENT1 will be placed behind NAT1 to test Teredo and IP-HTTPS connectivity.
• CLIENT1. This is a Windows 7 client that will act as the DirectAccess client. The CLIENT1 machine account will belong to the PILOT domain so that UAG DirectAccess client Group Policy Object settings can be enforced on this machine. However, when CLIENT1 is placed on the simulated Internet and behind the NAT device, a user from the resource domain (CORP) will be connecting to the network over a DirectAccess connection.
NOTE:
Many of the configuration settings included in this document are specific for the lab environment,
and are enabled to streamline the lab environment and facilitate various activities, such as name
resolution. Where appropriate, this document calls out what activities are specific for the
DirectAccess solution to work correctly, and which activities or configuration settings are optional
and not required for DirectAccess to work correctly.
Overview of Configuration Steps
The following provides a high level view of what you will do in this POC lab:
• STEP 1: Configure DC1 (PILOT Domain)
You will configure DC1 to be a domain controller in the PILOT domain. The PILOT domain contains the computer accounts and the UAG DirectAccess client and server GPOs that are applied to the PILOT domain computer accounts. You will configure DC1 to be a DNS server, DHCP server, Enterprise Certificate Server and Web server. DC1 will host a network share to determine SMB connectivity to the PILOT domain over the intranet tunnel.
• STEP 2: Configure DC2 (CORP Domain)
You will configure DC2 to be a domain controller in the CORP domain, which is the resource domain containing the user accounts and application resources. This machine is also a DNS server for the CORP domain. A two-way trust between the CORP and PILOT forests will be created, and DNS settings configured so that all machines in both domains can resolve names in both domains.
• STEP 3: Configure APP1 (PILOT Domain)
APP1 is a Windows Server 2008 R2 computer that acts in the role of the Network Location Server on the network. We have chosen not to install the Network Location Server on the domain controller, even though that would have reduced the number of machines required for the lab network. The reason for this is that locating the NLS on the DC can be problematic if the DC is IPv6 based (which isn't the case in this POC lab, nor in the vast majority of networks at this time). However, to ensure a successful pilot experience, we will dedicate a server resource to the NLS role.
• STEP 4: Configure UAG1 (PILOT Domain)
UAG1 is a member of the PILOT domain and is the UAG DirectAccess server for the network. Forefront Unified Access Gateway 2010 will be installed on this machine and then DirectAccess will be configured. IPv6 settings will also be checked on each server in this step.
• STEP 5: Configure CLIENT1 (PILOT Domain)
CLIENT1 is a Windows 7 client that will act as the DirectAccess client in the POC lab. This machine is a member of the PILOT domain and will move between the intranet, the simulated Internet, and the private network behind the NAT device. CLIENT1 receives the UAG DirectAccess client GPO settings.
• STEP 6: Configure INET1
INET1 is located on the simulated Internet and acts as an Internet DNS and DHCP server. You will install and configure the DNS and DHCP services on this machine. It will provide DHCP and DNS services to CLIENT1 when connected to the simulated Internet, and to NAT1's external interface.
• STEP 7: Configure NAT1
NAT1 is a NAT device that separates a private address network from the simulated Internet and the UAG DirectAccess server. NAT1 runs Windows 7 and Internet Connection Sharing (ICS) is enabled so that it can provide NAT, DHCP and DNS services to ICS clients behind NAT1, such as when CLIENT1 is moved to the private network.
• STEP 8: Configure APP3 (CORP Domain)
APP3 is a Windows Server 2003 Enterprise Edition computer that is a member of the CORP domain. This machine is used to demonstrate NAT64/DNS64 connectivity to IPv4-only resources.
• STEP 9: Test DirectAccess from a Direct Internet Connection
In this step you will move CLIENT1 to the simulated Internet and test DirectAccess client connectivity when using the 6to4 IPv6 transition technology (more information about 6to4 is included later in this document).
• STEP 10: Test DirectAccess from Behind a NAT Device
In this step you will move CLIENT1 to the private network located behind NAT1. From the private network, you will test DirectAccess client connectivity when it is acting as a Teredo client. Then you will disable Teredo and test connectivity as an IP-HTTPS client. Both Teredo and IP-HTTPS are IPv6 transition technologies and will be discussed later in this document.
• STEP 11: Test Connectivity when Returning to the Corpnet
Many of your users will move between remote locations and the corpnet, so it's important that when they connect again to the corpnet they are able to access resources without having to make any configuration changes to their computers. UAG DirectAccess makes this possible because when DirectAccess clients return to the corpnet, they are able to make a connection to the Network Location Server. Once the HTTPS connection is successfully established to the Network Location Server, the DirectAccess client disables its DirectAccess client configuration and uses a direct connection to the corpnet.
NOTE:
In the step-by-step instructions, you will see some steps that are preceded by an asterisk (*). The *
indicates that you will be moving focus to a different machine. This is used as an aid to remind you
that the configuration step should be performed on a different machine than you were at when you
executed the instructions on the step before the *.
1. Configure DC1 (PILOT DOMAIN)
DC1 will act as the domain controller, Certificate server, DNS server, File Server and DHCP server for the
pilot.contoso.com domain. You will perform the following steps to prepare DC1 to carry out these roles
to support a working DirectAccess solution:
A. Install the operating system on DC1.
The first step is to install the Windows Server 2008 R2 operating system on the PILOT domain’s
domain controller, DC1.
B. Configure TCP/IP Properties on DC1.
After installing the operating system on DC1, configure the TCP/IP Properties to provide the
server an IP address, subnet mask, DNS server and connection specific suffix.
C. Rename the Computer on DC1.
Change the default name of the computer assigned during setup to DC1.
D. Configure DC1 as a Domain Controller and DNS Server.
DC1 will be the domain controller and the authoritative DNS server for the PILOT domain. The
domain controller and DNS server are required as part of the infrastructure and for the
DirectAccess solution.
E. Create a Reverse Lookup Zone on the DNS Server on DC1.
A reverse lookup zone for network ID 10.0.0.0/24 is required to create a pointer record for DC1.
The pointer record will allow reverse name resolution for DC1, which will prevent name
resolution errors during several of the DNS related configuration steps covered in this
document. The reverse lookup zone is not required for a functional DirectAccess solution.
F. Enter a Pointer Record for DC1.
A pointer record for DC1 will allow services to perform reverse name resolution for the DC1
computer. This will be useful when performing several DNS related operations later in this
document. It is not required for a functional DirectAccess solution.
G. Enable ISATAP Name Resolution in DNS on DC1.
By default, the Windows Server 2008 R2 DNS server will not answer queries for the ISATAP and
WPAD host names. You will configure the DNS server so that it will answer queries for ISATAP.
H. Create DNS Records for NLS and ISATAP on DC1.
The DirectAccess client uses a Network Location Server to determine if the computer is on or off
the intranet. If on the intranet, the computer will be able to connect to the Network Location
Server using an HTTPS connection. A DNS record is required to resolve the name of the Network
Location Server. In addition, a DNS record for ISATAP is required so that ISATAP capable
computers on the network can obtain IPv6 addressing and routing information.
I. Configure Conditional Forwarding to the CORP Domain on DC1.
DirectAccess clients on the Internet will need to be able to resolve names in both the
DirectAccess pilot domain (PILOT) and the user account, production domain (CORP). The UAG
DirectAccess server acts as a caching only DNS server for DirectAccess clients and uses the DC1
computer in the DirectAccess domain to resolve names. We will configure the DNS server on
DC1 to forward requests for the CORP domain to the CORP domain DNS server; this enables the
DNS server on DC1 to resolve names in both the PILOT and CORP domains.
J. Configure DC1 as a DHCP and Certificate Server.
DC1 is configured as a DHCP server so that CLIENT1 can automatically obtain IP addressing
information when connected to the corpnet. Certificate Services are installed on DC1 so that
computer certificates can be automatically assigned to all members of the PILOT domain, which
are used for IPsec communications, as well as Web site certificates, which are used by the
Network Location Server and the UAG DirectAccess server’s IP-HTTPS listener. DHCP is not
required to support a DirectAccess solution. Certificates are required by the DirectAccess
solution; however you can use either or both commercial or private certificates as part of the
DirectAccess solution.
K. Create a New Administrator Account on DC1.
As a network management best practice, you should not use the default domain administrator
account for regular network operations. For this reason we will create a new domain
administrator account and use this when making configuration changes. Using an alternate
domain admin account is not required for a functional DirectAccess solution.
L. Create a Security Group for DirectAccess Clients on DC1.
When DirectAccess is configured on the UAG DirectAccess server, it automatically creates Group
Policy Objects and GPO settings that are applied to the DirectAccess client and server. The
DirectAccess client GPO uses security group filtering to assign the GPO settings to the security
group that the DirectAccess computers belong to. A custom security group that is populated with
the computer accounts of DirectAccess computers is a required component of a DirectAccess
solution.
M. Create and Deploy a Security Template for the IP-HTTPS Listener Certificate and the Network
Location Server Certificate.
A Web site certificate is required for the Network Location Server so that computers can use
HTTPS to connect to it when they are on the corpnet. The UAG DirectAccess server uses a Web
site certificate on its IP-HTTPS listener so that it can accept incoming connections from
DirectAccess clients that are behind network devices that limit outbound connections to only
HTTP/HTTPS. We will create a Web site certificate template that we will use to request a
certificate from the Microsoft Certificate Server installed on DC1. A Web site certificate bound
to the UAG DirectAccess server's IP-HTTPS listener is a required component of a working DirectAccess
solution.
N. Create ICMPv4 and ICMPv6 Echo Request Firewall Rules in Domain Group Policy on DC1.
ICMPv4 and ICMPv6 echo requests, inbound and outbound, are required for Teredo support.
O. Enable Computer Certificate Autoenrollment in Group Policy for the PILOT Domain on DC1.
DirectAccess clients use computer certificates to establish IPsec connections to the UAG
DirectAccess server. In addition, in an end-to-end scenario, IPsec is used to connect to the
destination resource server. Computer certificates are required for a working DirectAccess
solution.
P. Configure DNS Suffix Search List in Group Policy on DC1.
Most users prefer to use single label names when connecting to corpnet resources. To enable
single label name resolution for DirectAccess clients and servers in this POC test lab (and in your
production environment), you can assign a DNS suffix search list using Group Policy. This is not a
requirement for a working DirectAccess solution, but facilitates access to corpnet resources.
Q. Create a Shared Folder on the C:\ Drive on DC1.
We will create a shared folder on the C:\drive of DC1 to test SMB connectivity for DirectAccess
clients to a resource on the PILOT domain.
A. Install the OS on DC1
The first step is to install the Windows Server 2008 R2 Enterprise Edition software on the DC1 computer
or virtual machine. We choose Enterprise Edition to support the installation of an Enterprise CA later,
which will enable autoenrollment of the CA certificate to all domain members, which reduces
administrative overhead.
Perform the following steps to install the operating system on DC1:
1. On the DC1 computer or virtual machine, start the installation of Windows Server 2008 R2
Enterprise Edition.
2. Follow the instructions to complete the installation, specifying Windows Server 2008 R2
Enterprise Edition and a strong password for the local Administrator account. Log on using the
local Administrator account.
3. Connect the network adapter to the Corpnet subnet or the virtual switch representing the
corpnet subnet.
B. Configure TCP/IP Properties on DC1
After installing the operating system on DC1, configure its TCP/IP Properties to provide the server an IP
address, subnet mask, DNS server address and connection specific suffix. Note that the connection
specific suffix is not required for a working DirectAccess solution, but simplifies name resolution prior to
completing the DNS infrastructure in the POC lab environment.
Perform the following steps to configure TCP/IP properties on DC1:
1. On the DC1 computer or virtual machine, in Initial Configuration Tasks, click Configure
networking.
2. In Network Connections, right-click Local Area Connection, and then click Properties.
3. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
4. Select Use the following IP address, type 10.0.0.1 next to IP address, and type 255.255.255.0
next to Subnet mask.
5. Select the Use the following DNS server addresses option. Enter 10.0.0.1 in the Preferred DNS
server text box.
6. Click Advanced, and then click the DNS tab.
7. In DNS suffix for this connection, type pilot.contoso.com, click OK twice, and then click Close.
(Note: configuring a DNS suffix is not required for DirectAccess to work correctly, but is used to
simplify name resolution before a search suffix list is assigned via Group Policy, which we will
configure later).
8. Close the Network Connections window.
C. Rename the DC1 Computer or Virtual Machine
The installation routine created a default computer name. Now you will change the computer name
from its default to DC1.
Perform the following steps to change the computer name on DC1:
1. On the DC1 computer or virtual machine, in Initial Configuration Tasks, click Provide computer
name and domain.
2. In the System Properties dialog box, click Change. In the Computer Name/Domain Change
dialog box, in the Computer name text box, enter DC1, and click OK twice, and then click Close.
When prompted to restart the computer, click Restart Now.
3. After restarting, log on using the local Administrator account.
D. Configure DC1 as a Domain Controller and DNS Server
DC1 will be the domain controller and the authoritative DNS server for the PILOT (pilot.contoso.com)
domain. The domain controller and DNS server are required as part of the lab infrastructure and for the
DirectAccess solution.
Perform the following steps to configure DC1 as a domain controller and DNS server:
1. On the DC1 computer or virtual machine, on the Initial Configuration Tasks page, click the Add
Roles link.
2. Click Next on the Before You Begin page.
3. On the Select Server Roles page, click Active Directory Domain Services, click Add Required
Features, click Next on the Introduction to the Active Directory Domain Services page, and click
Install on the Confirm Installation Selections page. Click Close on the Installation Results page.
4. To start the Active Directory Installation Wizard, click Start, type dcpromo in the Search box,
and then press ENTER.
5. On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next.
6. On the Operating System Compatibility page, click Next.
7. On the Choose a Deployment Configuration page, click Create a new domain in a new forest,
and then click Next.
8. On the Name the Forest Root Domain page, type pilot.contoso.com, and then click Next.
9. On the Set Forest Functional Level page, in Forest Functional Level, click Windows Server 2008
R2, and then click Next. (Note that Windows Server 2008 R2 Forest Functional Level is not
required for the DirectAccess solution to work correctly. You can use any of the available Forest
Functional Levels.)
10. On the Additional Domain Controller Options page, ensure that the DNS Server option is
selected and click Next, click Yes in the Active Directory Domain Services Installation Wizard
dialog box, and then on the Location for Database, Log Files, and SYSVOL page, click Next.
11. On the Directory Services Restore Mode Administrator Password page, type a strong password
twice, and then click Next.
12. On the Summary page, click Next.
13. In the Active Directory Domain Services Installation Wizard dialog box, put a checkmark in the
Reboot on completion checkbox.
14. Log on to DC1 as PILOT\Administrator after the server automatically restarts.
E. Create Reverse Lookup Zone on DNS Server on DC1
A reverse lookup zone on DC1 for network ID 10.0.0.0/24 is required to create a pointer record for DC1.
The pointer record will allow reverse name resolution for DC1, which will prevent name resolution
errors during several of the DNS related configuration steps covered in this document. The reverse
lookup zone is not required for a functional DirectAccess solution and is used as a convenience in this
lab.
Perform the following steps to create the reverse lookup zone on the DNS server on DC1:
1. On the DC1 computer or virtual machine, click Start, and point to Administrative Tools. Click
DNS.
2. In the DNS Manager console, in the left pane of the console, expand the server name, and click
Reverse Lookup Zones. Right click Reverse Lookup Zones and click New Zone.
3. On the Welcome to the New Zone Wizard page, click Next.
4. On the Zone Type page, click Next.
5. On the Active Directory Zone Replication Scope page, click Next.
6. On the Reverse Lookup Zone Name page, click Next.
7. On the Reverse Lookup Zone Name page, select the Network ID option, and then enter 10.0.0
in the text box. Click Next.
8. On the Dynamic Update page, click Next.
9. On the Completing the New Zone Wizard page, click Finish.
10. Leave the DNS console open for the next operation.
F. Enter PTR Record for DC1
A pointer record for DC1 will allow services to perform reverse name resolution for the DC1 computer.
This will be useful when performing several DNS related operations later in this document. It is not
required for a functional DirectAccess solution and is configured as a convenience for this POC lab.
Perform the following steps to enter the PTR record for DC1:
1. On the DC1 computer or virtual machine, in the DNS Manager console, expand the Forward
Lookup Zones node in the left pane of the console. Click on pilot.contoso.com.
2. Double click on dc1 in the right pane of the console.
3. In the DC1 Properties dialog box, put a checkmark in the Update associated pointer (PTR)
record checkbox and click OK.
4. Expand the Reverse Lookup Zones node in the left pane of the console and click
0.0.10.in-addr.arpa. Confirm that there is an entry for 10.0.0.1 in the middle pane of the console.
5. Leave the DNS console open.
G. Enable ISATAP Name Resolution on DNS Server on DC1
By default, the Windows Server 2008 R2 DNS server will not answer queries for the ISATAP and WPAD
host names because these names are included in the DNS server’s Global Query Block List. You will
configure the DNS server so that it will answer queries for ISATAP by removing ISATAP from the Global
Query Block List.
Perform the following steps to enable ISATAP name resolution on the DNS server on DC1:
1. On the DC1 computer or virtual machine, click Start, click All Programs, click Accessories,
right-click Command Prompt, and then click Run as administrator.
2. In the command window, type dnscmd /config /globalqueryblocklist wpad, and then press
ENTER.
3. In the command prompt window, type dnscmd /info /globalqueryblocklist to confirm that
ISATAP is not included in the list, and that the output reads Query result: String: wpad.
4. Close the command window.
For more information on configuring the global query block list, please see
http://download.microsoft.com/download/5/3/c/53cdc0bf-6609-4841-a7b9-cae98cc2e4a3/DNS_Server_Global_%20Query_Block%20List.doc
H. Create DNS Records for NLS and ISATAP on DC1
DirectAccess clients use a Network Location Server to determine if the computer is on the intranet. If
the computer can connect to the Network Location Server using HTTPS, the computer determines that it
is on the intranet and the Name Resolution Policy Table (NRPT) is disabled. If the computer cannot
connect to the Network Location Server, the NRPT is enabled and uses the DNS proxy on the UAG
DirectAccess server to resolve intranet host names. A DNS record is required for the DirectAccess client
to resolve the name of the Network Location Server. In addition, all IPv6 capable hosts on the corpnet
need to resolve the name ISATAP to the internal interface of the UAG DirectAccess server, so a DNS
record is required for ISATAP. The UAG DirectAccess server will act as an ISATAP router for the
organization and provide prefix and routing information for ISATAP clients.
Perform the following steps to create the NLS and ISATAP DNS records:
1. On the DC1 computer or virtual machine, in the DNS console, click the pilot.contoso.com
forward lookup zone in the left pane of the console. Right click pilot.contoso.com and click New
Host (A or AAAA).
2. In the New Host dialog box, enter isatap in the Name (uses parent domain name if blank) text
box. Then enter 10.0.0.2 in the IP address text box. (IP address 10.0.0.2 will be the IP address of
the internal interface of the UAG server, which will act as the ISATAP router in this scenario).
3. Click Add Host. Then click OK in the DNS dialog box.
4. In the New Host dialog box, enter nls in the Name (uses parent domain name if blank) text box
(this is the name the DirectAccess clients will use to connect to the Network Location Server).
Enter 10.0.0.3 in the IP address text box, then click Add Host. Click OK in the DNS dialog box.
(Note that IP address 10.0.0.3 is the IP address of APP1, which will act as a network location
server in this scenario).
5. Click Done.
6. Confirm that there are entries for DC1, ISATAP and NLS in the middle pane of the console. Leave
the DNS console open for the next section.
7. Open a command prompt window and enter nslookup isatap and press ENTER. Confirm that
DC1 is able to resolve ISATAP to 10.0.0.2. Close the command prompt window.
I. Configure Conditional Forwarding to the CORP Domain on DC1
In the POC lab scenario, there are two domains: the UAG DirectAccess domain (PILOT) that contains the
DirectAccess computer accounts, and the “production” domain (CORP), which contains the user
accounts and information resources. The DirectAccess client computer and users will need to resolve
names in both domains. The UAG DirectAccess server acts as a DNS proxy for DirectAccess clients, and
the UAG DirectAccess server is configured to use the UAG DirectAccess domain’s DNS server as its DNS
server. This enables the UAG DirectAccess server to resolve names in the PILOT domain. To provide
name resolution for the CORP domain, we will create a conditional forwarder on DC1 to forward queries
for corp.contoso.com to the DNS server for the CORP domain. Configuring conditional forwarding is not
a required component of a DirectAccess solution, but enables name resolution throughout the
enterprise for DirectAccess clients. Note that there are other methods for configuring name resolution
for multiple domains, such as configuring zone transfers between primary and secondary servers.
Perform the following steps to configure conditional forwarding:
1. On the DC1 computer or virtual machine, in the left pane of the DNS Manager console, click on
Conditional Forwarders. Right click on Conditional Forwarders and click New Conditional
Forwarder.
2. In the New Conditional Forwarder dialog box, in the DNS Domain text box, enter
corp.contoso.com.
3. In the IP addresses of the master servers list, enter 10.0.0.10 and press ENTER. (Note: IP
address 10.0.0.10 will be the IP address of the corp.contoso.com DNS server and domain
controller that you will configure later; name resolution at this point will fail because the server
is not yet online).
4. Click OK.
5. Close the DNS Manager console.
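The DNS work of sections E through I (reverse zone, PTR record, global query block list, host records, conditional forwarder) collected into one script, as an added example that is not part of the Microsoft lab guide. It assumes the DnsServer and DnsClient PowerShell modules, which ship with Windows Server 2012 and later; on the Windows Server 2008 R2 build used in the lab, the dnscmd commands shown in section G are the equivalent. All addresses and names are the lab's own values.

```powershell
# Added example (not from the Microsoft lab guide): sections E to I on DC1.
# Assumes the DnsServer and DnsClient modules (Windows Server 2012 or later).
Import-Module DnsServer

$zone = 'pilot.contoso.com'

# E. Reverse lookup zone for 10.0.0.0/24, AD-integrated, replicated to the domain's DCs
if (-not (Get-DnsServerZone -Name '0.0.10.in-addr.arpa' -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId '10.0.0.0/24' -ReplicationScope Domain
}

# F. PTR record for DC1 (10.0.0.1)
Add-DnsServerResourceRecordPtr -ZoneName '0.0.10.in-addr.arpa' -Name '1' -PtrDomainName "dc1.$zone"

# G. Take ISATAP off the Global Query Block List but keep WPAD on it.
# The block list exists so that an arbitrary domain member cannot register the
# ISATAP or WPAD names and redirect IPv6 routing or proxy settings; only ISATAP
# is unblocked, because the UAG server must be reachable under that name.
Set-DnsServerGlobalQueryBlockList -List 'wpad' -PassThru

# H. Host records for the ISATAP router (UAG1 internal NIC) and the NLS (APP1)
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'isatap' -IPv4Address '10.0.0.2'
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'nls'    -IPv4Address '10.0.0.3'

# I. Conditional forwarder for the production CORP domain (DC2 will be 10.0.0.10)
Add-DnsServerConditionalForwarderZone -Name 'corp.contoso.com' -MasterServers '10.0.0.10'

# Verification, mirroring the nslookup checks in the guide
Resolve-DnsName -Name "isatap.$zone" -Server 10.0.0.1 -Type A   | Select-Object Name, IPAddress
Resolve-DnsName -Name "nls.$zone"    -Server 10.0.0.1 -Type A   | Select-Object Name, IPAddress
Resolve-DnsName -Name '10.0.0.1'     -Server 10.0.0.1 -Type PTR | Select-Object Name, NameHost
Get-DnsServerGlobalQueryBlockList     # expected: only wpad remains
```

Run it in an elevated PowerShell session on DC1 after the domain controller promotion in section D. The forwarder lookup for corp.contoso.com will fail until DC2 is online, exactly as the guide notes in section I.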
J. Configure DC1 as DHCP and Certificate Server
A DHCP server is used on the simulated corpnet to provide IP addressing information for the
DirectAccess client when it is connected to the corpnet. DHCP is not required for a working DirectAccess
solution, but facilitates automatic addressing when the DirectAccess client moves between the corpnet
and external networks. The Microsoft Certificate Server is used to provide computer certificates to
domain member computers, which can be used for computer authentication and IPsec connectivity. In
addition, the Certificate Server will be used to obtain Web site certificates for the Network Location
Server and the UAG DirectAccess server’s IP-HTTPS listener. Note that a Microsoft Certificate Server is
not required for either computer or Web site certificates. However, it is the preferred method for
computer certificate assignment as it can significantly lower administrative overhead. In a production
environment, the IP-HTTPS Listener will typically use a commercial certificate, though this is not a
requirement; a commercial certificate simplifies DirectAccess client access to the Certificate Revocation
List, which is required. Both computer and Web site certificates are required for a working DirectAccess
solution.
Perform the following steps to configure DC1 as a DHCP and Certificate server:
1. On the DC1 computer or virtual machine, in the Initial Configuration Tasks window, click the
Add Roles link.
2. On the Before You Begin page, click Next.
3. On the Select Server Roles page, put a checkmark in the Active Directory Certificate Services
and DHCP Server checkboxes. Click Next.
4. On the Introduction to DHCP Server page, click Next.
5. On the Select Network Connection Bindings page, confirm that in the Network Connections
section 10.0.0.1 is selected. Click Next.
6. On the Specify IPv4 DNS Server Settings page, confirm that the Parent domain text box
contains pilot.contoso.com. In the Preferred DNS server IPv4 address text box, enter 10.0.0.1.
Click Validate. A green circle with a checkmark should appear and it should state Valid to the
right of that circle. Click Next.
7. On the Specify IPv4 WINS Server Settings page, click Next.
8. On the Add or Edit DHCP Scopes page, click the Add button.
9. In the Add Scope dialog box, in the Scope name text box enter Corpnet. In the Starting IP
address text box, enter 10.0.0.100. In the Ending IP address text box, enter 10.0.0.150. In the
subnet mask text box, enter 255.255.255.0. Click OK.
10. On the Add or Edit DHCP Scopes page, click Next.
11. On the Configure DHCPv6 Stateless Mode page, select the Disable DHCPv6 stateless mode for
this server option and click Next. (Note: Disabling stateless mode is not a requirement for the
DirectAccess solution; this option is selected because we are not using a native IPv6
infrastructure in this POC lab network).
12. On the Authorize DHCP Server page, click Next.
13. On the Introduction to Active Directory Certificate Services page, click Next.
14. On the Select Role Services page, confirm that there is a checkmark in the Certification
Authority checkbox, then click Next.
15. On the Specify Setup Type page, confirm that Enterprise is selected and click Next. (Note: we
use an Enterprise CA so that we can use autoenrollment to distribute the CA certificate and
computer certificates).
16. On the Specify CA Type page, confirm that Root CA is selected and click Next.
17. On the Set Up Private key page, confirm that Create a new private key is selected and click
Next.
18. On the Configure Cryptography for CA page, click Next.
19. On the Configure CA Name page, click Next.
20. On the Set Validity Period page, click Next.
21. On the Configure Certificate Database page, click Next.
22. On the Confirm Installation Selections page, click Install.
23. On the Installation Results page, click Close.
K. Create a New Administrator Account in Active Directory on DC1
As a network management best practice, you should not use the default domain administrator account
for regular network operations. For this reason we will create a new domain administrator account and
use this when making configuration changes. Using an alternate domain admin account is not required
for a functional DirectAccess solution, and is done as a best practice example for this POC lab.
Perform the following steps to create a new administrator account in Active Directory on DC1:
1. On the DC1 computer or virtual machine, click Start, point to Administrative Tools, and then
click Active Directory Users and Computers.
2. In the console tree, expand pilot.contoso.com, right-click Users, point to New, and then click
User.
3. In the New Object - User dialog box, next to Full name, type User1, and in User logon name,
type User1.
4. Click Next.
5. In Password, type the password that you want to use for this account, and in Confirm password,
type the password again.
6. Clear the User must change password at next logon check box, and select the Password never
expires check box.
7. Click Next, and then click Finish.
8. In the console tree, click Users.
9. In the details pane, double-click Domain Admins.
10. In the Domain Admins Properties dialog box, click the Members tab, and then click Add.
11. Under Enter the object names to select (examples), type User1, and then click OK twice.
12. Leave the Active Directory Users and Computers console open for the following procedure.
L. Create a Security Group for DirectAccess Clients on DC1
When you run the UAG DirectAccess wizard on the UAG1 computer, the wizard will create Group Policy
Objects and deploy them in Active Directory. One GPO is created for the UAG DirectAccess server, and
the second is created for DirectAccess clients. Security group filtering is used to apply the DirectAccess
client GPO settings to the DirectAccess clients security group. Therefore, in order to obtain the settings
required to be a DirectAccess client, the computer must be a member of this security group. Do not use
any of the built-in security groups as your DirectAccess security group. Here you will create the
DirectAccess clients security group. This group is required for a working DirectAccess solution.
Perform the following steps to create a security group for DirectAccess clients on DC1:
1. On the DC1 computer or virtual machine, in the Active Directory Users and Computers console
tree, right-click Users, point to New, and then click Group.
2. In the New Object - Group dialog box, under Group name, type DA_Clients. (Note that the
group name “DA_Clients” is not a hard coded value; you can use any name you like for the
DirectAccess clients security group).
3. Under Group scope, choose Global, under Group type, choose Security, and then click OK.
4. Close the Active Directory Users and Computers console.
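Sections J, K and L (DHCP scope, Enterprise root CA, the named administrator account and the DA_Clients group) as one script, added here as an example; it is not code from the Microsoft lab guide. It assumes the ServerManager, DhcpServer, ADCSDeployment and ActiveDirectory modules; the DHCP and ADCS cmdlets exist on Windows Server 2012 and later, while the ActiveDirectory module is available on Windows Server 2008 R2. Values are the lab's own.

```powershell
# Added example (not from the Microsoft lab guide): sections J, K and L on DC1.
# Assumes Windows Server 2012 or later for the DhcpServer and ADCSDeployment cmdlets.
Import-Module ServerManager, ActiveDirectory

# J. Roles: DHCP server and Active Directory Certificate Services
Add-WindowsFeature DHCP, ADCS-Cert-Authority -IncludeManagementTools

# DHCP scope "Corpnet" 10.0.0.100-10.0.0.150/24, DNS options, and AD authorization
Add-DhcpServerv4Scope -Name 'Corpnet' -StartRange 10.0.0.100 -EndRange 10.0.0.150 `
    -SubnetMask 255.255.255.0 -State Active
Set-DhcpServerv4OptionValue -DnsServer 10.0.0.1 -DnsDomain 'pilot.contoso.com'
Add-DhcpServerInDC -DnsName 'dc1.pilot.contoso.com' -IPAddress 10.0.0.1

# Enterprise root CA; the CA name matches the one the guide uses in section M
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CACommonName 'pilot-DC1-CA' -Force

# K. A named domain admin instead of the built-in Administrator account.
# The password is prompted for so that it never sits in the script or in history.
$pw = Read-Host -Prompt 'Password for User1' -AsSecureString
New-ADUser -Name 'User1' -SamAccountName 'User1' -UserPrincipalName 'User1@pilot.contoso.com' `
    -AccountPassword $pw -Enabled $true -PasswordNeverExpires $true -ChangePasswordAtLogon $false
Add-ADGroupMember -Identity 'Domain Admins' -Members 'User1'

# L. Global security group whose computer members receive the DirectAccess client GPO
New-ADGroup -Name 'DA_Clients' -SamAccountName 'DA_Clients' -GroupScope Global `
    -GroupCategory Security -Path 'CN=Users,DC=pilot,DC=contoso,DC=com'

# Checks
Get-DhcpServerv4Scope | Format-Table ScopeId, StartRange, EndRange, State
Get-ADGroupMember -Identity 'Domain Admins' | Select-Object SamAccountName
Get-ADGroup -Identity 'DA_Clients' | Select-Object Name, GroupScope, GroupCategory
```

The guide sets Password never expires on User1 for lab convenience; the script reproduces that, and the flag is the one to drop when the same pattern is reused outside the lab.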
M. Create and Deploy a Security Template for the IP-HTTPS Listener
Certificate and Network Location Server Certificate
A Web site certificate is required for the Network Location Server so that computers can use HTTPS to
connect to it when they are on the corpnet. The UAG DirectAccess server uses a Web site certificate on
its IP-HTTPS listener so that it can accept incoming connections from DirectAccess clients that are
behind network devices that limit outbound connections to only HTTP/HTTPS. We will create a Web site
certificate template that we will use to request a certificate from the Microsoft Certificate Server
installed on DC1. A Web site certificate bound to the UAG DirectAccess server’s IP-HTTPS listener and a
Web site certificate bound to the Network Location Server Web site are both required for a working
DirectAccess solution.
WARNING:
The certificate template configured in this lab does not include certificate revocation list
information. This is done as a convenience for the lab so that you do not need to publish the CRL
for the CA that issued the certificate used for the IP-HTTPS listener. Do not do this in a
production environment. The DirectAccess client must be able to access the CRL of the CA that
issued the IP-HTTPS listener certificate.
Perform the following steps to create and deploy a security template:
1. On the DC1 computer or virtual machine, click Start, enter mmc in the Search box, and then
press ENTER.
2. Click File, and then click Add/Remove Snap-in.
3. In the list of snap-ins, click Certificate Templates, click Add, and then click OK.
4. In the console tree, click Certificate Templates.
5. In the contents pane, right-click the Web Server template, and then click Duplicate Template.
6. Click Windows Server 2008 Enterprise, and then click OK. (Note that you can use either the
Windows Server 2003 or Windows Server 2008 templates – we choose to use the Windows
Server 2008 template in this example).
7. In Template display name, type Web Server 2008.
8. Click the Security tab.
9. Click Authenticated Users, and then select Enroll in the Allow column.
10. Click Add, enter Domain Computers in the Enter the object names to select text box, and then
click OK.
11. Click Domain Computers, and then select Enroll in the Allow column.
12. Click the Request Handling tab.
13. Select Allow private key to be exported. [Note that this is done for convenience for this lab and
for future labs built out using this document. When the private key is marked as "exportable",
you will be able to export the certificate with its private key from the first UAG server in the
array and use that certificate on new array members when you add them.]
14. Click the Server tab. On the Server tab, put a checkmark in the Do not include revocation
information in issued certificates checkbox (applicable only for Windows Server 2008 R2 and
above). Note that we are using this option for the test lab only so that we do not need to
publish the CRL to support the CRL check required to establish an IP-HTTPS connection.
15. Click OK.
16. Close the MMC window without saving changes.
17. Click Start, point to Administrative Tools, and then click Certification Authority.
18. In the console tree, expand pilot-DC1-CA, right-click Certificate Templates, point to New, and
then click Certificate Template to Issue.
19. In the list of certificate templates, click Web Server 2008, and then click OK.
20. In the right pane of the console, you should see the Web Server 2008 certificate template with
an Intended Purpose of Server Authentication.
21. Close the Certification Authority console.
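A check that goes with the WARNING at the top of this section, added here as an example and not part of the Microsoft lab guide. It looks up a Web site certificate in the local machine store, reports whether it carries a CRL Distribution Point extension, and builds the chain with online revocation checking, which is what a DirectAccess client has to be able to do for the IP-HTTPS listener certificate in production. The subject name passed at the end is a placeholder; the function and its name are this example's own.

```powershell
# Added example (not from the Microsoft lab guide): does a Web site certificate
# carry CRL information, and can its chain be validated with online revocation
# checking? Run on the machine holding the certificate (UAG1 or APP1).
function Test-WebCertRevocation {
    param([Parameter(Mandatory)][string]$Subject)   # e.g. 'CN=uag1.contoso.com' (placeholder)

    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject } | Select-Object -First 1
    if (-not $cert) { throw "No certificate with subject '$Subject' in LocalMachine\My" }

    # 2.5.29.31 is the id-ce-cRLDistributionPoints extension OID
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) {
        Write-Warning "'$Subject' has no CRL Distribution Point; acceptable only in this lab."
    } else {
        Write-Host ('CDP: ' + $cdp.Format($false))
    }

    # Build the chain the way a client would: online CRL check for the whole chain
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $ok = $chain.Build($cert)

    foreach ($s in $chain.ChainStatus) {
        Write-Host ('{0}: {1}' -f $s.Status, $s.StatusInformation.Trim())
    }
    return $ok   # $true only if the chain built and every CRL was reachable and current
}

Test-WebCertRevocation -Subject 'CN=uag1.contoso.com'   # placeholder subject
```

Against a certificate issued from the lab's Web Server 2008 template the function warns about the missing CDP and the chain status typically reports RevocationStatusUnknown and OfflineRevocation, which is the condition the WARNING describes. A certificate from a CA whose CRL is published and reachable from the Internet returns $true with no status entries. The built-in certutil -verify -urlfetch command gives the same answer in more detail for a certificate exported to a .cer file.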
N. Create ICMPv4 and ICMPv6 Echo Request Firewall Rules in Domain Group
Policy on DC1
Support for incoming and outgoing ICMPv4 and v6 is required for Teredo clients. DirectAccess clients
will use Teredo as their IPv6 transition technology to connect to the UAG DirectAccess server over the
IPv4 Internet when they are assigned a private (RFC 1918) IP address, such as when they are located
behind a NAT device or firewall. In addition, enabling ping facilitates connectivity testing between
participants in the DirectAccess solution.
Perform the following steps to create the ICMP firewall rules:
1. On the DC1 computer or virtual machine, click Start, click Administrative Tools, and then click
Group Policy Management.
2. In the console tree, expand Forest: pilot.contoso.com. Then expand Domains, and then expand
pilot.contoso.com.
3. In the console tree, right-click Default Domain Policy, and then click Edit.
4. In the console tree of the Group Policy Management Editor, expand Computer
Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced
Security\Windows Firewall with Advanced Security-LDAP://.
5. In the console tree, click Inbound Rules, right-click Inbound Rules, and then click New Rule.
6. On the Rule Type page, click Custom, and then click Next.
7. On the Program page, click Next.
8. On the Protocols and Ports page, for Protocol type, click ICMPv4, and then click Customize.
9. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and
then click OK.
10. Click Next.
11. On the Scope page, click Next.
12. On the Action page, click Next.
13. On the Profile page, click Next.
14. On the Name page, for Name, type Inbound ICMPv4 Echo Requests, and then click Finish.
15. In the console tree, right-click Inbound Rules, and then click New Rule.
16. On the Rule Type page, click Custom, and then click Next.
17. On the Program page, click Next.
18. On the Protocols and Ports page, for Protocol type, click ICMPv6, and then click Customize.
19. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and
then click OK.
20. Click Next.
21. On the Scope page, click Next.
22. On the Action page, click Next.
23. On the Profile page, click Next.
24. On the Name page, for Name, type Inbound ICMPv6 Echo Requests, and then click Finish.
25. In the console tree, right-click Outbound Rules, and then click New Rule.
26. On the Rule Type page, click Custom, and then click Next.
27. On the Program page, click Next.
28. On the Protocols and Ports page, for Protocol type, click ICMPv4, and then click Customize.
29. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and
then click OK.
30. Click Next.
31. On the Scope page, click Next.
32. On the Action page, click Allow the connection, and then click Next.
33. On the Profile page, click Next.
34. On the Name page, for Name, type Outbound ICMPv4 Echo Requests, and then click Finish.
35. In the console tree, right-click Outbound Rules, and then click New Rule.
36. On the Rule Type page, click Custom, and then click Next.
37. On the Program page, click Next.
38. On the Protocols and Ports page, for Protocol type, click ICMPv6, and then click Customize.
39. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and
then click OK.
40. Click Next.
41. On the Scope page, click Next.
42. On the Action page, click Allow the connection, and then click Next.
43. On the Profile page, click Next.
44. On the Name page, for Name, type Outbound ICMPv6 Echo Requests, and then click Finish.
45. Confirm that the rules you created appear in the Inbound Rules and Outbound Rules nodes.
Close the Group Policy Management Editor.
O. Enable Computer Certificate Autoenrollment in Group Policy for the PILOT
Domain on DC1
In the DirectAccess solution, computer certificates can be used for computer authentication and IPsec
connection establishment. One efficient method for distributing computer certificates is to take
advantage of Group Policy based autoenrollment for computer certificates.
Perform the following steps to enable computer certificate autoenrollment:
1. On the DC1 computer or virtual machine, from the Administrative Tools menu, open Group
Policy Management.
2. In the Group Policy Management console, expand Forest: pilot.contoso.com and then expand
Domains. Expand pilot.contoso.com and then right click Default Domain Policy and click Edit.
3. In the console tree of the Group Policy Management Editor, navigate to Computer
Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.
4. In the details pane, right-click Automatic Certificate Request Settings, point to New, and then
click Automatic Certificate Request.
5. In the Automatic Certificate Request Wizard, click Next.
6. On the Certificate Template page, click Computer, click Next, and then click Finish.
7. Leave the Group Policy Management Editor open for the next procedure.
P. Configure DNS Suffix Search List in Group Policy on DC1
DirectAccess clients will need to be able to resolve single label names for servers located in either the
PILOT or CORP domain. One method that you can use to fully qualify single label names is to configure a
DNS suffix search list. This can be manually configured on each DirectAccess client, or you can reduce
administrative overhead by using Active Directory Group Policy to deliver a DNS suffix search list. We
will configure a DNS suffix search list using the Group Policy option in this scenario.
Perform the following steps to configure the DNS suffix search list:
1. On the DC1 computer or virtual machine, in the console tree of the Group Policy Management
Editor, navigate to Computer Configuration\Policies\Administrative Templates\Network\DNS
Client.
2. Double click on the DNS Suffix Search List entry in the right pane.
3. In the DNS Suffix Search List dialog box, select the Enabled option. In the DNS Suffixes text box,
enter pilot.contoso.com,corp.contoso.com (do not put a space between the two FQDN entries).
Click OK.
4. Close the Group Policy Management Editor console and close the Group Policy Management
console.
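The Group Policy settings of sections N (the four ICMP echo request rules) and P (the DNS suffix search list) written directly into the Default Domain Policy, as an added example that is not code from the Microsoft lab guide. It assumes the NetSecurity module (Windows Server 2012 and later) for the firewall rules and the GroupPolicy module, which is present on Windows Server 2008 R2, for the registry-based DNS Client policy. The registry key used is the one the DNS Suffix Search List administrative template writes.

```powershell
# Added example (not from the Microsoft lab guide): sections N and P as GPO edits.
# Assumes the NetSecurity module (Windows Server 2012 or later) and the GroupPolicy module.
Import-Module NetSecurity, GroupPolicy

$gpo = 'pilot.contoso.com\Default Domain Policy'   # PolicyStore form: "<domain>\<GPO name>"

# N. Allow echo requests only (ICMPv4 type 8, ICMPv6 type 128), not all ICMP,
# in both directions, which is what Teredo needs.
$rules = @(
    @{ Name = 'Inbound ICMPv4 Echo Requests';  Direction = 'Inbound';  Protocol = 'ICMPv4'; IcmpType = '8'   },
    @{ Name = 'Inbound ICMPv6 Echo Requests';  Direction = 'Inbound';  Protocol = 'ICMPv6'; IcmpType = '128' },
    @{ Name = 'Outbound ICMPv4 Echo Requests'; Direction = 'Outbound'; Protocol = 'ICMPv4'; IcmpType = '8'   },
    @{ Name = 'Outbound ICMPv6 Echo Requests'; Direction = 'Outbound'; Protocol = 'ICMPv6'; IcmpType = '128' }
)
foreach ($r in $rules) {
    New-NetFirewallRule -PolicyStore $gpo -DisplayName $r.Name -Direction $r.Direction `
        -Protocol $r.Protocol -IcmpType $r.IcmpType -Action Allow -Profile Any -Enabled True | Out-Null
}

# P. DNS suffix search list as a computer policy. Administrative Templates\Network\
# DNS Client\DNS Suffix Search List is stored under this key; no space after the comma.
Set-GPRegistryValue -Name 'Default Domain Policy' `
    -Key 'HKLM\Software\Policies\Microsoft\Windows NT\DNSClient' `
    -ValueName 'SearchList' -Type String -Value 'pilot.contoso.com,corp.contoso.com' | Out-Null

# Checks: the four rules exist in the GPO and the suffix list is set
Get-NetFirewallRule -PolicyStore $gpo | Where-Object DisplayName -like '*Echo Requests' |
    Select-Object DisplayName, Direction, Action, Enabled
Get-GPRegistryValue -Name 'Default Domain Policy' `
    -Key 'HKLM\Software\Policies\Microsoft\Windows NT\DNSClient' -ValueName 'SearchList'
```

Scoping the rules to echo request rather than the whole ICMP protocol keeps the Teredo and ping requirement satisfied without opening redirects or other ICMP types domain-wide. Run gpupdate /force on a domain member, then Get-DnsClientGlobalSetting (Windows 8 / Server 2012 and later) or ipconfig /all, to confirm the suffix list arrived.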
Q. Create a Shared Folder on the C:\ Drive on DC1
When the DirectAccess client is connected to the simulated Internet, or connecting from behind a NAT
device over the Internet, we want to determine if the DirectAccess user can connect to a Server
Message Block (SMB) resource on the PILOT domain. We will create a network share on DC1 to support
this test.
Perform the following steps to create a shared folder on DC1:
1. Click Start, and then click Computer.
2. Double-click the drive on which Windows Server 2008 R2 is installed.
3. Click New Folder, type Files, and then press ENTER. Leave the Local Disk window open.
4. Click Start, click All Programs, click Accessories, right-click Notepad, and then click Run as
administrator.
5. In the Untitled – Notepad window, type This is a shared file on DC1.
6. Click File, click Save, double-click Computer, double-click the drive on which Windows Server
2008 R2 is installed, and then double-click the Files folder.
7. In File name, type Example.txt, and then click Save. Close the Notepad window.
8. In the Local Disk window, right-click the Files folder, point to Share with, and then click Specific
people.
9. Click Share, and then click Done. (Note: this provides Full Control share permissions to
Everyone, and NTFS Full Control permissions to SYSTEM, Administrator, and
PILOT\Administrators. Effective access over the network is the intersection of the share and
NTFS permissions, so the permissive share permission does not by itself grant everyone full
control of the folder.)
10. Close the Local Disk window.
2. Configure DC2 (CORP DOMAIN)
In the POC lab, DC2 acts as a domain controller, DNS server, Web server and file server on the CORP
domain. The CORP domain represents the domain containing the user accounts and resources that are
currently in production on the corporate network. While the DirectAccess computer accounts will be
members of the PILOT domain for the POC deployment, users in the current production domain (CORP)
will continue to use the same user accounts that they have been using prior to joining their computers
to the PILOT domain. You will perform the following steps when configuring DC2:
A. Install the OS on DC2.
The first step is to install the Windows Server 2008 R2 operating system on the CORP domain’s
domain controller, DC2. Note that we used Windows Server 2008 R2 in this example out of
choice, not out of requirements. You can use Windows Server 2003 as a domain controller if you
like, and it will be supported by the DirectAccess configuration.
B. Configure TCP/IP Properties on DC2
After installing the operating system on DC2, configure the TCP/IP Properties to provide the
server an IP address, subnet mask, DNS server and connection specific suffix.
C. Rename the Computer to DC2
Change the default name of the computer assigned during setup to DC2.
D. Configure DC2 as a Domain Controller and DNS Server
DC2 will be the domain controller and the authoritative DNS server for the CORP domain. The
CORP domain is the user account and resource domain in this POC lab scenario. The domain
controller and DNS server are required as part of the core infrastructure and for the DirectAccess
solution.
E. Enable ISATAP Name Resolution on the DC2 DNS Server
By default, the Windows Server 2008 R2 DNS server will not answer queries for the ISATAP and
WPAD host names. You will configure the DNS server so that it will answer queries for ISATAP.
F. Create a Reverse Lookup Zone on the DC2 DNS Server
A reverse lookup zone for network ID 10.0.0.0/24 is required to create a pointer record for DC2.
The pointer record will allow reverse name resolution for DC2, which will prevent name
resolution errors during several of the DNS related configuration steps covered in this
document. The reverse lookup zone is not required for a functional DirectAccess solution.
G. Enter a Pointer (PTR) Record on the DC2 DNS Server
A pointer record for DC2 will allow services to perform reverse name resolution for the DC2
computer. This will be useful when performing several DNS related operations later in this
document. It is not required for a functional DirectAccess solution.
H. Create a Host (A) Record for ISATAP on the DC2 DNS Server
A DNS record for ISATAP is required so that ISATAP capable computers on the network can
obtain IPv6 addressing and routing information used by their ISATAP adapters.
I. Configure Conditional Forwarding to the PILOT domain on the DC2 DNS Server
In the POC lab scenario, computers in the CORP domain will need to resolve names of
computers in the PILOT domain. We will configure conditional forwarding to the
pilot.contoso.com domain on the DC2 DNS server so that computers using DC2 as a DNS server
can resolve names in the PILOT domain.
J. Create a New Administrator Account in the Active Directory on DC2
As a network management best practice, you should not use the default domain administrator
account for regular network operations. For this reason we will create a new domain
administrator account and use this when making configuration changes. Using an alternate
domain admin account is not required for a functional DirectAccess solution.
K. Configure a Two-Way Trust between the CORP and PILOT forests on DC2
We will create a two-way trust between the CORP and PILOT forests so that DirectAccess client
users will be able to log into and access resources in the CORP domain.
L. Install the Web Server Role on DC2
We will install the Web server role on DC2 to demonstrate how DirectAccess client users are
able to access Web services located on an IPv6-capable host on the production network (CORP).
M. Create a Shared Folder on the C:\ Drive of DC2
We will configure a shared folder on DC2 to demonstrate how DirectAccess client users are able
to connect to Server Message Block (SMB) resources on the production network (CORP).
A. Install the OS on DC2
The first step is to install the Windows Server 2008 R2 operating system on the CORP domain’s domain
controller, DC2. Note that we used Windows Server 2008 R2 in this example out of choice, not out of
requirements. You can use Windows Server 2003 as a domain controller if you like, as UAG DirectAccess
supports an IPv4 network infrastructure using IPv6/IPv4 protocol transition technologies, including
NAT64/DNS64. In this POC lab, we will demonstrate the ability to connect to IPv4 resources by
configuring the APP3 computer with Windows Server 2003 later in this document.
Perform the following steps to install the operating system on DC2:
1. *On the DC2 computer or virtual machine, start the installation of Windows Server 2008 R2.
2. Follow the instructions to complete the installation, specifying Windows Server 2008 R2
Enterprise Edition and a strong password for the local Administrator account. Log on using the
local Administrator account.
3. Connect the network adapter to the Corpnet subnet or corpnet virtual switch.
B. Configure TCP/IP Properties on DC2
After installing the operating system on DC2, configure the TCP/IP Properties to provide the server an IP
address, subnet mask, DNS server and connection specific suffix.
Perform the following steps to configure TCP/IP properties on DC2:
1. In Initial Configuration Tasks, click Configure networking.
2. In Network Connections, right-click Local Area Connection, and then click Properties.
3. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
4. Select Use the following IP address, type 10.0.0.10 next to IP address, and type 255.255.255.0
next to Subnet mask.
5. Select the Use the following DNS server addresses option. Enter 10.0.0.10 in the Preferred DNS
server text box.
6. Click Advanced, and then click the DNS tab.
7. In DNS suffix for this connection, type corp.contoso.com, click OK twice, and then click Close.
(Note: configuring a DNS suffix is not required for DirectAccess to work correctly, but is used to
simplify name resolution before a search suffix is assigned via domain membership, which we
will configure later).
8. Close the Network Connections window.
C. Rename the Computer to DC2
Change the default computer name assigned to the DC2 computer or virtual machine during setup to
DC2.
Perform the following steps to rename DC2:
1. In Initial Configuration Tasks, click Provide computer name and domain.
2. In System Properties, click Change. In Computer name, type DC2, and click OK twice, and then
click Close. When prompted to restart the computer, click Restart Now.
3. After restarting, log on using the local Administrator account.
D. Configure DC2 as a Domain Controller and DNS Server
DC2 will be the domain controller and the authoritative DNS server for the CORP domain. The CORP
domain is the user account and resource domain in this POC lab scenario. The CORP domain controller
and DNS server are required to authenticate production network users connecting over the DirectAccess
client connection from the Internet.
Perform the following steps to configure DC2 as a domain controller and DNS server:
1. On the DC2 computer or virtual machine, on the Initial Configuration Tasks page, click the Add
Roles link.
2. Click Next on the Before You Begin page.
3. On the Select Server Roles page, click Active Directory Domain Services, click Add Required
Features, click Next on the Introduction to the Active Directory Domain Services page, and click
Install on the Confirm Installation Selections page. Click Close on the Installation Results page.
4. To start the Active Directory Installation Wizard, click Start, type dcpromo, and then press
ENTER.
5. On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next.
6. On the Operating System Compatibility page, click Next.
7. On the Choose a Deployment Configuration page, click Create a new domain in a new forest,
and then click Next.
8. On the Name the Forest Root Domain page, type corp.contoso.com, and then click Next.
9. On the Set Forest Functional Level page, in Forest Functional Level, click Windows Server 2008
R2, and then click Next. (Note that Windows Server 2008 R2 Forest Functional Level is not
required for the DirectAccess solution to work correctly. You can use any of the available Forest
Functional Levels.)
10. On the Additional Domain Controller Options page, ensure that the DNS Server option is selected
and click Next, click Yes in the Active Directory Domain Service Installation Wizard dialog box,
and then on the Location for Database, Log Files, and SYSVOL page, click Next.
11. On the Directory Services Restore Mode Administrator Password page, type a strong password
twice, and then click Next.
12. On the Summary page, click Next.
13. In the Active Directory Domain Services Installation Wizard dialog box, put a checkmark in the
Reboot on completion checkbox.
14. Log on to DC2 as CORP\Administrator.
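Steps B through D can also be run unattended. The following is an added example, not part of the Microsoft guide, that performs the same configuration from an elevated PowerShell prompt on DC2 in two phases separated by the required reboot. It assumes the adapter is named Local Area Connection (as in the guide), default AD DS database and SYSVOL paths, and that the Directory Services Restore Mode password is typed at a prompt rather than stored in the script.

```powershell
# Added example (not from the guide): unattended equivalent of steps B-D for DC2.
# Phase 'Network' sets TCP/IP and renames the host (reboot). Phase 'Promote' then creates
# the corp.contoso.com forest with a dcpromo answer file.
param([Parameter(Mandatory=$true)][ValidateSet('Network','Promote')][string]$Phase)

$Adapter = 'Local Area Connection'   # adapter name used throughout the guide
$Ip      = '10.0.0.10'
$Mask    = '255.255.255.0'
$Suffix  = 'corp.contoso.com'

if ($Phase -eq 'Network') {
    # Step B: static address; DC2 points at itself for DNS because it will host the zone.
    netsh interface ipv4 set address name="$Adapter" source=static address=$Ip mask=$Mask
    netsh interface ipv4 set dnsservers name="$Adapter" source=static address=$Ip register=primary

    # Connection-specific DNS suffix (optional for DirectAccess, see the note in step B).
    $nic = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | Select-Object -First 1
    if ($nic.SetDnsDomain($Suffix).ReturnValue -ne 0) { throw 'SetDnsDomain failed' }

    # Step C: rename the computer; Win32_ComputerSystem.Rename returns 0 on success.
    $rc = (Get-WmiObject Win32_ComputerSystem).Rename('DC2').ReturnValue
    if ($rc -ne 0) { throw "Rename failed with return code $rc" }
    Restart-Computer -Force
}
else {
    # Step D: install the AD DS binaries, then promote using an answer file.
    Import-Module ServerManager
    Add-WindowsFeature ADDS-Domain-Controller | Out-Null

    # The DSRM password is prompted for, and the answer file is removed as soon as dcpromo
    # returns, so the secret never sits on disk across the reboot.
    $secure = Read-Host -AsSecureString 'Directory Services Restore Mode password'
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    $plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

    # ForestLevel/DomainLevel 4 = Windows Server 2008 R2, matching step 9 (any level works).
    $answer = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=corp.contoso.com
DomainNetbiosName=CORP
ForestLevel=4
DomainLevel=4
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$plain
RebootOnCompletion=No
"@
    $file = Join-Path $env:TEMP 'dc2-unattend.txt'
    try {
        Set-Content -Path $file -Value $answer -Encoding ASCII
        dcpromo /unattend:"$file"
        # dcpromo reports success with exit codes 1 through 4; 11 and above are failures.
        if ($LASTEXITCODE -gt 4) { throw "dcpromo failed with exit code $LASTEXITCODE" }
    }
    finally {
        Remove-Item -Path $file -Force -ErrorAction SilentlyContinue
    }
    Restart-Computer -Force
}
```

Run it once as `.\Build-DC2.ps1 -Phase Network`, log on again after the reboot, and run `.\Build-DC2.ps1 -Phase Promote`; after the second reboot, log on as CORP\Administrator as in step 14.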
E. Enable ISATAP Name Resolution on DNS Server on DC2
By default, the Windows Server 2008 R2 DNS server will not answer queries for the ISATAP and WPAD
host names. You will configure the DNS server so that it will answer queries for ISATAP.
Perform the following steps to enable ISATAP name resolution on the DNS server on DC2:
1. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click
Run as administrator.
2. In the command window, type dnscmd /config /globalqueryblocklist wpad, and then press
ENTER.
3. In the command prompt window, type dnscmd /info /globalqueryblocklist to confirm that
ISATAP is not included in the list. The output of the command should include Query result:
String: wpad
4. Close the command window.
For more information on configuring the global query block list, please see
http://download.microsoft.com/download/5/3/c/53cdc0bf-6609-4841-a7b9-cae98cc2e4a3/DNS_Server_Global_%20Query_Block%20List.doc
F. Create a Reverse Lookup Zone on the DC2 DNS Server
A reverse lookup zone for network ID 10.0.0.0/24 is required to create a pointer record for DC2. The
pointer record will allow reverse name resolution for DC2, which will prevent name resolution errors
during several of the DNS and forest related configuration steps covered in this document. The reverse
lookup zone is not required for a functional DirectAccess solution.
Perform the following steps to create the reverse lookup zone:
1. Click Start, and point to Administrative Tools. Click DNS.
2. In the DNS Manager console, in the left pane of the console, expand the server name, and click
Reverse Lookup Zones. Then right-click Reverse Lookup Zones and click New Zone.
3. On the Welcome to the New Zone Wizard page, click Next.
4. On the Zone Type page, click Next.
5. On the Active Directory Zone Replication Scope page, click Next.
6. On the Reverse Lookup Zone Name page, leave IPv4 Reverse Lookup Zone selected, and then click
Next.
7. On the second Reverse Lookup Zone Name page, select the Network ID option, and then enter 10.0.0
in the text box. Click Next.
8. On the Dynamic Update page, click Next.
9. On the Completing the New Zone Wizard page, click Finish.
10. Leave the DNS console open to complete the next procedure.
G. Enter Pointer (PTR) Record for DC2 on the DC2 DNS Server
A pointer record for DC2 will allow for reverse name resolution for the DC2 computer. This will be useful
when we perform several DNS and forest related operations later in this document. It is not required for
a functional DirectAccess solution.
Perform the following steps to create the pointer record:
1. In the DNS Manager console, expand the Forward Lookup Zones node in the left pane of the
console. Click on corp.contoso.com.
2. Double click on DC2 in the right pane of the console.
3. In the DC2 Properties dialog box, put a checkmark in the Update associated pointer (PTR)
record checkbox and click OK.
4. Expand the Reverse Lookup Zones node in the left pane of the console and click
0.0.10.in-addr.arpa. Confirm that there is an entry for 10.0.0.10 in the middle pane of the console.
H. Create a Host (A) Record for ISATAP on the DC2 DNS Server
A DNS record for ISATAP is required so that ISATAP capable computers on the network can obtain IPv6
addressing and routing information used by their ISATAP adapters. The ISATAP DNS record will resolve
to the IP address on the internal interface of the UAG DirectAccess computer in the PILOT domain.
Perform the following steps to add the ISATAP DNS record:
1. Click the corp.contoso.com forward lookup zone in the left pane of the console. Right click
corp.contoso.com and click New Host (A or AAAA).
2. In the New Host dialog box, enter isatap in the Name (uses parent domain name if blank) text
box. Then enter 10.0.0.2 in the IP address text box. (IP address 10.0.0.2 will be the IP address of
the internal interface of the UAG server, which will act as the ISATAP router in this scenario).
3. Click Add Host. Then click OK in the DNS dialog box.
4. Click Done.
5. Confirm that there are entries for DC2 and ISATAP in the middle pane of the console.
6. Open a command prompt window and enter nslookup isatap and press ENTER. Confirm that
DC2 is able to resolve ISATAP to 10.0.0.2. Close the command prompt window.
I. Configure Conditional Forwarding to the PILOT Domain on the DC2 DNS
Server
In the POC lab scenario, computers in the CORP domain will need to resolve names of computers in the
PILOT domain. We will configure conditional forwarding to the pilot.contoso.com domain on the DC2
DNS server so that computers using DC2 as a DNS server can resolve names in the PILOT domain.
Perform the following steps to enable conditional forwarding:
1. In the left pane of the DNS Manager console, click on Conditional Forwarders. Right click on
Conditional Forwarders and click New Conditional Forwarder.
2. In the New Conditional Forwarder dialog box, in the DNS Domain text box, enter
pilot.contoso.com.
3. In the IP addresses of the master servers list, enter 10.0.0.1 and press ENTER. (Note: a red circle
with an X may appear, indicating that the server at this address could not be validated as
authoritative for the zone. This validation result is spurious here; the address shows as
validated when you reopen the forwarder in the following steps.)
4. Click OK.
5. Expand Conditional Forwarders and click pilot.contoso.com, then right-click pilot.contoso.com
and click Properties.
6. In the pilot.contoso.com Properties dialog box, click the Edit button.
7. In the Edit Conditional Forwarder dialog box, you will see in the IP addresses of the master
servers section that the IP address is validated. Click OK.
8. Click OK in the pilot.contoso.com Properties dialog box.
9. Close the DNS Manager console.
10. *Move to the DC1 computer and open the DNS Manager.
11. Expand the computer name, then expand the Conditional Forwarders node. Click the
corp.contoso.com node and then right click it. Click Properties.
12. In the corp.contoso.com Properties dialog box, click the Edit button.
13. Confirm that the address of the corp.contoso.com master server is validated. Click OK.
14. Click OK in the corp.contoso.com Properties dialog box.
15. Close the DNS Manager console.
16. *Return to the DC2 computer.
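Steps E through I are all dnscmd operations and can be scripted and then verified from DC2 itself. This is an added example, not part of the Microsoft guide; it uses the addresses the guide assigns (10.0.0.1 for DC1, 10.0.0.2 for the internal interface of UAG1, 10.0.0.10 for DC2) and is run in an elevated PowerShell prompt on DC2 after promotion.

```powershell
# Added example (not from the guide): dnscmd equivalents of steps E-I on DC2, then resolver checks.

$Zone        = 'corp.contoso.com'
$ReverseZone = '0.0.10.in-addr.arpa'   # 10.0.0.0/24
$UagInside   = '10.0.0.2'              # internal interface of UAG1, the ISATAP router
$PilotDns    = '10.0.0.1'              # DC1, authoritative for pilot.contoso.com

# Step E. The global query block list exists because 'isatap' and 'wpad' are names that any
# host allowed to register records dynamically could claim in order to become the ISATAP
# router or the Web proxy for every client. Rewrite the list with only 'wpad' so ISATAP
# queries are answered, and pin 'isatap' with a static record (step H) so that a dynamic
# registration cannot take the name.
dnscmd /config /globalqueryblocklist wpad | Out-Null
Restart-Service DNS   # makes sure the new list is in effect before the checks below

# Steps F and G: AD-integrated reverse zone and the PTR for DC2 (10.0.0.10 is node "10").
dnscmd /zoneadd $ReverseZone /dsprimary | Out-Null
dnscmd /recordadd $ReverseZone 10 PTR "dc2.$Zone." | Out-Null

# Step H: static A record for the ISATAP router.
dnscmd /recordadd $Zone isatap A $UagInside | Out-Null

# Step I: conditional forwarder for the PILOT domain.
dnscmd /zoneadd pilot.contoso.com /forwarder $PilotDns | Out-Null

function Test-Dc2Dns {
    # 1. isatap must no longer be blocked.
    $blocklist = (dnscmd /info /globalqueryblocklist) -join ' '
    if ($blocklist -match '(?i)\bisatap\b') { throw "isatap is still in the global query block list: $blocklist" }

    # 2. isatap must resolve to the UAG internal address.
    $isatap = [System.Net.Dns]::GetHostAddresses("isatap.$Zone") | ForEach-Object { $_.IPAddressToString }
    if ($isatap -notcontains $UagInside) { throw "isatap.$Zone resolved to $($isatap -join ',') not $UagInside" }

    # 3. Reverse lookup of DC2 must return its FQDN.
    $ptr = [System.Net.Dns]::GetHostEntry('10.0.0.10').HostName
    if ($ptr -ne "dc2.$Zone") { throw "PTR for 10.0.0.10 returned '$ptr'" }

    # 4. A PILOT name must resolve through the conditional forwarder.
    $dc1 = [System.Net.Dns]::GetHostAddresses('dc1.pilot.contoso.com') | ForEach-Object { $_.IPAddressToString }
    if ($dc1 -notcontains $PilotDns) { throw "dc1.pilot.contoso.com resolved to $($dc1 -join ',')" }

    'DC2 DNS checks passed: isatap unblocked, A and PTR present, PILOT forwarding works.'
}

Test-Dc2Dns
```

The checks go through the local resolver, which on DC2 points at DC2 itself, so they exercise the server exactly as a CORP member would.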
J. Create a New Administrator User Account in Active Directory on DC2
As a network management best practice, you should not use the default domain administrator account
for regular network operations. For this reason we will create a new domain administrator account and
use this when making configuration changes. Using an alternate domain admin account is not required
for a functional DirectAccess solution.
Perform the following steps to create a new administrator account:
1. At the DC2 computer, click Start, point to Administrative Tools, and then click Active Directory
Users and Computers.
2. In the console tree, open corp.contoso.com, right-click Users, point to New, and then click User.
3. In the New Object - User dialog box, next to Full name, type User2 and in User logon name,
type User2.
4. Click Next.
5. In Password, type the password that you want to use for this account, and in Confirm password,
type the password again.
6. Clear the User must change password at next logon check box, and select the Password never
expires check box.
7. Click Next, and then click Finish.
8. In the console tree, click Users.
9. In the details pane, double-click Domain Admins.
10. In the Domain Admins Properties dialog box, click the Members tab, and then click Add.
11. Under Enter the object names to select (examples), type User2, and then click OK twice.
12. Close the Active Directory Users and Computers console.
K. On DC2 Configure a Two-way Trust between the CORP and PILOT Forests
We will create a two-way trust between the CORP and PILOT forests so that DirectAccess client users
will be able to log into and access resources in the CORP domain.
Perform the following steps to create the two-way trust between the CORP and PILOT Forests:
1. At the DC2 computer, click Start, point to Administrative Tools, and then click Active Directory
Domains and Trusts.
2. In the Active Directory Domains and Trusts console, click the corp.contoso.com entry in the left
pane and then right click it. Click Properties.
3. In the corp.contoso.com Properties dialog box, click the Trusts tab.
4. On the Trusts tab, click the New Trust button.
5. On the Welcome to the New Trust Wizard page, click Next.
6. On the Trust Name page, in the Name text box, enter pilot.contoso.com. Click Next.
7. On the Trust Type page, select the Forest Trust option. Click Next.
8. On the Direction of Trust page, select the Two-way option. Click Next.
9. On the Sides of Trust page, select the Both this domain and the specified domain option and
click Next.
10. On the User Name and Password page, enter in the User name text box PILOT\Administrator
and the administrator’s password in the PILOT domain. Click Next.
11. On the Outgoing Trust Authentication Level-Local Forest page, select the Forest-wide
authentication option and click Next.
12. On the Outgoing Trust Authentication Level—Specified Forest page, select the Forest-wide
authentication option and click Next.
13. On the Trust Selections Complete page, click Next.
14. On the Trust Creation Complete page, click Next.
15. On the Confirm Outgoing Trust page, select Yes, confirm the outgoing trust option and click
Next.
16. On the Confirm Incoming Trust page, select Yes, confirm the incoming trust option and click
Next.
17. On the Completing the New Trust Wizard page, click Finish.
18. In the corp.contoso.com Properties dialog box, click OK.
19. Close the Active Directory Domains and Trusts console.
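Steps J and K can be performed from a PowerShell prompt on DC2 with the ActiveDirectory module (available on a Windows Server 2008 R2 domain controller) and the System.DirectoryServices.ActiveDirectory API. This is an added example, not part of the Microsoft guide; it assumes the forest names and the PILOT\Administrator account used in the wizard, and prompts for both passwords rather than embedding them.

```powershell
# Added example (not from the guide): steps J and K on DC2.

Import-Module ActiveDirectory

# Step J: a named admin account so the built-in Administrator is not used day to day.
# 'Password never expires' mirrors the wizard step and is a lab convenience only.
$pw = Read-Host -AsSecureString 'Password for CORP\User2'
New-ADUser -Name 'User2' -SamAccountName 'User2' -UserPrincipalName 'User2@corp.contoso.com' `
           -AccountPassword $pw -Enabled $true -PasswordNeverExpires $true -ChangePasswordAtLogon $false
Add-ADGroupMember -Identity 'Domain Admins' -Members 'User2'

# Step K: two-way forest trust, both sides created from here with PILOT admin credentials
# (the wizard's "Both this domain and the specified domain" option).
Add-Type -AssemblyName System.DirectoryServices
$pilotCred = Get-Credential 'PILOT\Administrator'
$ctx   = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
            [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
            'pilot.contoso.com', $pilotCred.UserName, $pilotCred.GetNetworkCredential().Password)
$pilot = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
$corp  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$both  = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional

$corp.CreateTrustRelationship($pilot, $both)

# The wizard chose forest-wide authentication on both sides; that is selective
# authentication turned off. Outside a lab, enabling selective authentication limits which
# CORP resources PILOT principals may authenticate to at all.
$corp.SetSelectiveAuthenticationStatus('pilot.contoso.com', $false)
$pilot.SetSelectiveAuthenticationStatus('corp.contoso.com', $false)

function Test-ForestTrust {
    # Throws if either direction of the trust fails to verify (secure channel and SIDs).
    $corp.VerifyTrustRelationship($pilot, $both)
    $t = $corp.GetTrustRelationship('pilot.contoso.com')
    "{0} <-> {1}: type={2} direction={3} selectiveAuth={4}" -f $t.SourceName, $t.TargetName,
        $t.TrustType, $t.TrustDirection, $corp.GetSelectiveAuthenticationStatus('pilot.contoso.com')
}

Test-ForestTrust
```

If VerifyTrustRelationship throws, check that DC2 can resolve pilot.contoso.com through the conditional forwarder created in step I, since trust creation and validation depend on locating a PILOT domain controller by DNS.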
L. Install Web Server Role on DC2
We will install the Web server role on DC2 to demonstrate how DirectAccess client users are able to
access Web services located on an IPv6 capable host on the production network (CORP).
Perform the following steps to install the web services role on DC2:
1. On the DC2 computer or virtual machine, in the Initial Configuration Tasks window, click the
Add Roles link.
2. On the Before You Begin page, click Next.
3. On the Select Server Roles page, select the Web Server (IIS) check box, and then click Next.
4. On the Introduction to Web Server (IIS) page, click Next.
5. On the Select Role Services page, click Next.
6. On the Confirm Installation Selections page, click Install.
7. Verify that all installations were successful, and then click Close.
M. Create a Shared Folder on the C:\ Drive
We will configure a shared folder on DC2 to demonstrate how DirectAccess client users are able to
connect to Server Message Block (SMB) resources on the production network (CORP).
Perform the following steps to create the shared folder on DC2:
1. At the DC2 computer or virtual machine, click Start, and then click Computer.
2. Double-click the drive on which Windows Server 2008 R2 is installed.
3. Click New Folder, type Files, and then press ENTER. Leave the Local Disk window open.
4. Click Start, click All Programs, click Accessories, right-click Notepad, and then click Run as
administrator.
5. In the Untitled – Notepad window, type This is a shared file on DC2.
6. Click File, click Save, double-click Computer, double-click the drive on which Windows Server
2008 R2 is installed, and then double-click the Files folder.
7. In File name, type Example.txt, and then click Save. Close the Notepad window.
8. In the Local Disk window, right-click the Files folder, point to Share with, and then click Specific
people.
9. Click Share, and then click Done. (Note: this provides Full Control share permissions to
Everyone, and NTFS Full Control permissions to SYSTEM, Administrator, and
CORP\Administrators).
10. Close the Local Disk window.
3. Configure APP1 (PILOT Domain)
APP1 is a Windows Server 2008 R2 computer that acts in the role of the Network Location Server. We
have chosen not to install the Network Location Server on the domain controller, even though that
would have reduced the number of machines required for the lab network, because hosting the NLS on
the DC can be problematic if the DC is IPv6-based.
You will perform the following operations to configure APP1:
A. Install the operating system on APP1
The first step is to install Windows Server 2008 R2 Enterprise Edition on APP1.
B. Configure TCP/IP Properties on APP1
Configure the TCP/IP properties to give APP1 an IP address, subnet mask, DNS server address
and connection-specific suffix.
C. Rename the computer to APP1 and join the PILOT domain
Change the default name assigned during setup to APP1 and join the computer to the
pilot.contoso.com domain.
D. Obtain a Web site certificate for APP1
APP1 will act as the Network Location Server. To enable this role, APP1 will need a Web site
certificate so that the DirectAccess clients will be able to establish an SSL connection to a Web
site on APP1. DirectAccess clients reach this site by connecting to the Network Location Server
name, which is nls.pilot.contoso.com in this scenario.
E. Install Web services on APP1
You will install IIS Web services on APP1 so that it can host the Network Location Server Web
site.
F. Configure the HTTPS Security Binding on the APP1 Web site
You need to bind the Web site certificate to a Web site on APP1 so that it can respond to SSL
connection requests from the DirectAccess clients on the corporate network.
A. Install the OS on APP1
The first step is to install Windows Server 2008 R2 Enterprise Edition on APP1. This is not a requirement.
We could use another IPv4 only operating system to host the NLS web site. The goal is to provide an SSL
web site that the DirectAccess clients can connect to so that they can determine if they are on the
corporate network.
Perform the following steps to install the operating system on APP1:
1. On the APP1 computer or virtual machine, start the installation of Windows Server 2008 R2
Enterprise Edition.
2. Follow the instructions to complete the installation, specifying Windows Server 2008 R2
Enterprise Edition and a strong password for the local Administrator account. Log on using the
local Administrator account.
3. Connect the network adapter to the Corpnet subnet or the virtual switch representing the
corpnet subnet.
B. Configure TCP/IP Properties on APP1
After installing the operating system on APP1, configure its TCP/IP Properties to provide the server an IP
address, subnet mask, DNS server address and connection specific suffix. Note that the connection
specific suffix is not required for a working DirectAccess solution, but simplifies name resolution prior to
completing the DNS infrastructure in the POC lab environment.
Perform the following steps to configure the TCP/IP properties on APP1:
1. On the APP1 computer or virtual machine, in Initial Configuration Tasks, click Configure
networking.
2. In Network Connections, right-click Local Area Connection, and then click Properties.
3. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
4. Select Use the following IP address, type 10.0.0.3 next to IP address, and type 255.255.255.0
next to Subnet mask.
5. Select the Use the following DNS server addresses option. Enter 10.0.0.1 in the Preferred DNS
server text box.
6. Click Advanced, and then click the DNS tab.
7. In DNS suffix for this connection, type pilot.contoso.com, click OK twice, and then click Close.
(Note: configuring a DNS suffix is not required for DirectAccess to work correctly, but is used to
simplify name resolution before a search suffix list is assigned via Group Policy, which we will
configure later).
8. Close the Network Connections window
C. Rename the APP1 Computer or Virtual Machine and Join the PILOT Domain
The installation routine created a default computer name. Now you will change the computer name
from its default to APP1.
Perform the following steps to rename APP1 and join it to the PILOT domain:
1. On the APP1 computer or virtual machine, In Initial Configuration Tasks, click Provide computer
name and domain.
2. In the System Properties dialog box, click Change. In the Computer Name/Domain Change
dialog box, in the Computer name text box, enter APP1. In the Member of frame, select the
Domain option, and enter pilot.contoso.com in the text box. Click OK.
3. In the Computer Name/Domain Changes dialog box, enter PILOT\User1 in the User name text
box and the password in the Password text box. Click OK.
4. After restarting, log on as PILOT\User1.
D. Obtain NLS Certificate for SSL Connections to Network Location Server on
APP1
The Network Location Server is used by computers configured as DirectAccess clients to determine
whether they are on-network or off-network. If the computer can connect to the Network Location
Server using HTTPS, it determines that it is on the intranet and disables the Name Resolution Policy
Table (NRPT), so name resolution uses the DNS server configured on its local interface. If the
computer cannot connect to the Network Location Server using HTTPS, it determines that it is off the
intranet and applies the NRPT, sending queries for intranet namespaces to the DNS servers listed in
the NRPT rather than to the DNS server configured on its local interface. For this reason the Network
Location Server must be reachable only from the intranet: a client that could reach it from the
Internet would conclude it is on-network and would not use DirectAccess. The Network Location
Server requires a Web site certificate to enable SSL session establishment with the DirectAccess
client. The subject name on this certificate must match the name that the client will use to connect
to the Network Location Server. On our POC lab network, the client will try to connect to
nls.pilot.contoso.com. You will use this name later in the DirectAccess configuration wizard on the
UAG server.
Perform the following steps to obtain the NLS certificate:
1. On the APP1 computer or virtual machine, click Start, type mmc, and then press ENTER.
2. Click File, and then click Add/Remove Snap-in.
3. Click Certificates, click Add, select Computer account, click Next, select Local computer, click
Finish, and then click OK.
4. In the left pane of the console, expand Certificates (Local Computer)\Personal\Certificates.
5. Right-click Certificates, point to All Tasks, and then click Request New Certificate.
6. On the Before You Begin page, click Next.
7. On the Select Certificate Enrollment Policy page, select the Active Directory Enrollment Policy
entry and click Next.
8. On the Request Certificates page, put a checkmark in the Web Server 2008 checkbox, and then
click More information is required to enroll for this certificate.
9. On the Subject tab of the Certificate Properties dialog box, in Subject name section, for Type,
select Common Name.
10. In Value, type nls.pilot.contoso.com, and then click Add.
11. In Alternative name section, for Type, select DNS.
12. In Value, type nls.pilot.contoso.com, and then click Add.
13. Click OK, click Enroll, and then click Finish.
14. In the details pane of the Certificates snap-in, verify that a new certificate with the name
nls.pilot.contoso.com was enrolled with Intended Purposes of Server Authentication.
15. Right click the nls.pilot.contoso.com certificate and click Properties.
16. In the nls.pilot.contoso.com Properties dialog box, in the Friendly name text box, enter NLS
Certificate. Click OK. (Note: this is not required for the DirectAccess solution to work, but this
makes the certificate easy to identify when binding it to the NLS Web site’s SSL listener).
17. Close the console window. If you are prompted to save settings, click No.
E. Install the Web Server Role on APP1
APP1 will host the Network Location Server. Since the Network Location Server is a web server that can
accept SSL connections from computers configured to be DirectAccess clients, we must install the web
server role on the Network Location Server.
Perform the following steps to install the web server role on APP1:
1. On the APP1 computer or virtual machine, in the Initial Configuration Tasks window, click the
Add Roles link.
2. On the Before You Begin page, click Next.
3. On the Select Server Roles page, select the Web Server (IIS) check box, and then click Next.
4. On the Introduction to Web Server (IIS) page, click Next.
5. On the Select Role Services page, click Next.
6. On the Confirm Installation Selections page, click Install.
7. Verify that all installations were successful, and then click Close.
F. Configure the HTTPS Security Binding on the NLS Web Site on APP1
After the web server role is installed, you need to bind the Network Location Server web site certificate
to an SSL listener on the web site. This is required for the web server to establish an SSL connection with
the computer configured as a DirectAccess client, and is a required component of a DirectAccess
solution.
Perform the following steps to configure the HTTPS security binding on APP1:
1. On the APP1 computer or virtual machine, click Start, point to Administrative Tools, and then
click Internet Information Services (IIS) Manager.
2. In the left pane of the console, open APP1/Sites, and then click Default Web site.
3. In the Actions pane, click Bindings.
4. In the Site Bindings dialog box, click Add.
5. In the Add Site Binding dialog box, in Type, click https. In SSL Certificate, click the
nls.pilot.contoso.com.
6. Click the View button.
7. In the Certificate dialog box, confirm that the certificate was Issued to: nls.pilot.contoso.com.
(this is the name the DirectAccess client computer must use to connect to the Network Location
Server).
8. In the Add Site Binding dialog box, click OK.
9. In the Site Bindings dialog box, click Close.
10. Close the Internet Information Services (IIS) Manager console.
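Steps E and F can be scripted with the WebAdministration module that ships with IIS 7.5, and the result checked the way a DirectAccess client will check it: an HTTPS connection to the NLS name whose certificate chain the client trusts and whose name matches. This is an added example, not part of the Microsoft guide. It assumes the certificate enrolled in step D is in the local machine Personal store and that nls.pilot.contoso.com already resolves to APP1 (the guide adds that record later; until then, a hosts entry on the test machine serves the same purpose).

```powershell
# Added example (not from the guide): bind the NLS certificate on APP1 and verify the endpoint.
# ASSUMPTION: nls.pilot.contoso.com resolves to APP1 when Test-NlsEndpoint runs.

Import-Module WebAdministration

$NlsName = 'nls.pilot.contoso.com'

# Pick the enrolled certificate by subject, newest first in case of re-enrollment.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$NlsName" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject CN=$NlsName and a private key in LocalMachine\My" }

# Step F: https binding on the Default Web Site, then attach the certificate to 0.0.0.0:443.
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
if (-not (Test-Path IIS:\SslBindings\0.0.0.0!443)) {
    New-Item IIS:\SslBindings\0.0.0.0!443 -Value $cert | Out-Null
}

function Test-NlsEndpoint {
    param([string]$Name = $NlsName)
    # A DirectAccess client treats itself as on the intranet only if an HTTPS connection to
    # this URL succeeds, which requires a trusted chain and a matching name, not just port 443
    # being open. Report all three so a misconfiguration is visible before the client tests it.
    $req = [System.Net.HttpWebRequest]::Create("https://$Name/")
    $req.Method  = 'HEAD'
    $req.Timeout = 5000
    $status = $null
    try {
        $resp = $req.GetResponse(); $status = [int]$resp.StatusCode; $resp.Close()
    }
    catch [System.Net.WebException] {
        $status = "failed: $($_.Exception.Status) $($_.Exception.Message)"
    }
    $raw = $req.ServicePoint.Certificate
    if (-not $raw) { throw "No TLS handshake completed with $Name ($status)" }
    $x   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($raw)
    $dns = $x.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    New-Object PSObject -Property @{
        Url        = "https://$Name/"
        HttpStatus = $status
        Subject    = $x.Subject
        DnsName    = $dns
        NameMatch  = ($dns -eq $Name)
        ChainOk    = $x.Verify()    # chain built against this machine's trust store
        NotAfter   = $x.NotAfter
    }
}

Test-NlsEndpoint | Format-List
```

Run Test-NlsEndpoint from a DirectAccess client as well, since ChainOk reflects the trust store of the machine running it; on a Windows 7 client, netsh dnsclient show state then reports whether the machine has concluded it is inside the corporate network, and netsh namespace show effectivepolicy lists the NRPT rules in force.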
4. Configure UAG1 (PILOT DOMAIN)
The UAG1 computer or virtual machine will act as the UAG DirectAccess server for the network, and will
belong to the PILOT domain. UAG1 will be connected to both the simulated Internet and the intranet
and will need one network interface connected to each of these networks. The UAG DirectAccess server
provides the following network services:
• ISATAP router
An ISATAP router is an IPv6 router that advertises subnet prefixes to ISATAP hosts and forwards
IPv6 traffic between ISATAP hosts and hosts on other IPv6 subnets. The ISATAP router provides
ISATAP clients the information they need to properly configure their ISATAP adapters. For more
information about ISATAP, please see http://technet.microsoft.com/en-us/magazine/2008.03.cableguy.aspx
• Teredo server
A Teredo server is an IPv6/IPv4 node that is connected to both the IPv4 Internet and the IPv6
intranet and supports a Teredo tunneling interface over which packets are received. The general
role of the Teredo server is to assist in the address configuration of Teredo clients and to
facilitate the initial communication between Teredo clients and other Teredo clients or between
Teredo clients and IPv6-only hosts. The Teredo server listens on UDP port 3544 for Teredo
traffic. DirectAccess clients located behind NAT devices and firewalls use Teredo to connect to
the UAG DirectAccess server. For more information on Teredo, please see
http://technet.microsoft.com/en-us/library/bb457011.aspx
IPsec gateway
The Full Intranet access model (which is used in this POC lab document) allows DirectAccess
clients to connect to all resources inside the intranet. It does this by using IPsec-based tunnel
policies that require authentication and encryption; the IPsec sessions terminate at the IPsec
Gateway. The IPsec Gateway is a function that is hosted on the UAG DirectAccess server.
IP-HTTPS server
IP-HTTPS is a new protocol for Windows 7 and Windows Server 2008 R2 that allows hosts
behind a Web proxy server or firewall to establish connectivity by tunneling IPv6 packets inside
an IPv4-based HTTPS session. HTTPS is used instead of HTTP so that Web proxy servers will not
attempt to examine the data stream and terminate the connection. The UAG DirectAccess
server uses an IP-HTTPS listener to accept incoming IP-HTTPS connections.
NAT64/DNS64 IPv6/IPv4 protocol translator
The UAG DirectAccess server includes NAT64 and DNS64, which enable DirectAccess clients on
the Internet to connect to IPv4 resources on the intranet. DirectAccess clients always use IPv6 to
communicate with intranet servers. When a DirectAccess client needs to connect to an IPv4
resource on the intranet, it issues a DNS query for the FQDN of the resource. DNS64 intercepts
the request, sends the query to the intranet DNS server, and obtains the IPv4 address of the
resource. DNS64 then dynamically generates an IPv6 address for the IPv4 resource and returns it
to the client; in addition, DNS64 informs NAT64 of the IPv4/IPv6 mapping. The client sends its
request to the dynamically generated IPv6 address, which is intercepted by NAT64, and NAT64
forwards the request to the IPv4 address of the intranet resource. NAT64 also translates the
response back to the client based on entries in its state table. For more information about DNS64
and NAT64, please see
http://blogs.technet.com/edgeaccessblog/archive/2009/09/08/deep-dive-into-directaccess-nat64-and-dns64-in-action.aspx
6to4 relay router
A 6to4 relay router can accept traffic from DirectAccess clients using the 6to4 IPv6 transition
technology and forward the traffic over an IPv4 intranet. The UAG DirectAccess server acts as
the 6to4 relay router and provides addressing information to the DirectAccess clients.
DirectAccess clients use this information to configure their 6to4 tunnel adapter to forward IPv6
messages over the IPv4 Internet to the UAG DirectAccess server. For more information on 6to4,
please see http://technet.microsoft.com/en-us/library/cc756770(WS.10).aspx
We will perform the following procedures on the UAG1 computer or virtual machine:
A. Install the operating system on UAG1.
The first step is to install the Windows Server 2008 R2 operating system on the UAG1 computer
or virtual machine. Forefront Unified Access Gateway 2010 requires Windows Server 2008 R2.
B. Configure TCP/IP Properties on UAG1.
After installing the operating system on UAG1, configure the TCP/IP Properties to provide the
server an IP address, subnet mask, DNS server and connection specific suffix on both the
internal and external interfaces. Settings are configured on both the Internet and the corpnet
interfaces.
C. Rename the UAG1 Computer and Join it to the PILOT Domain
Change the default computer name assigned during setup to UAG1.
D. Obtain a Certificate for the IP-HTTPS Listener on UAG1
The UAG DirectAccess server uses an IP-HTTPS listener to accept incoming IP-HTTPS connections
from DirectAccess clients on the Internet. The IP-HTTPS Listener requires a web site certificate
to support the SSL connection between itself and the DirectAccess client.
E. Install Forefront UAG on UAG1
You will install the Forefront Unified Access Gateway software on the UAG computer or virtual
machine.
F. Run the UAG Getting Started Wizard on UAG1
The UAG Getting Started Wizard walks you through the process of initial configuration of the
UAG server.
G. Run the UAG DirectAccess Configuration Wizard on UAG1
DirectAccess is not enabled by default. To enable DirectAccess features and capabilities on
UAG1, you will need to run the DirectAccess Configuration wizard.
H. Confirm Group Policy Settings on UAG1
The UAG DirectAccess wizard configures GPO objects and settings that are automatically
deployed to the Active Directory. One GPO is assigned to the UAG DirectAccess server, and one
is deployed to machines that belong to the DirectAccess Clients security group. You will confirm
that the Group Policy settings were deployed to the UAG DirectAccess server.
I. Confirm IPv6 Settings on UAG1
For the DirectAccess solution to function, the IPv6 settings on UAG1 must be correct. You will
confirm these settings on UAG1.
J. Update IPv6 Settings on DC1
DC1 is capable of being an ISATAP host. However, this functionality might not be immediately
available. You can expedite DC1 setting itself up as an ISATAP host by updating its IPv6
configuration.
K. Update IPv6 Settings on DC2
DC2 is capable of being an ISATAP host. However, this functionality might not be immediately
available. You can expedite DC2 setting itself up as an ISATAP host by updating its IPv6
configuration.
L. Confirm IPv6 Address Registration in DNS
IPv6 capable hosts can communicate with one another over IPv6 using their ISATAP adapters.
However, they must be able to resolve the destination host to an IPv6 address to use this
capability. You will confirm that the IPv6 ISATAP addresses are registered in DNS.
M. Confirm IPv6 Connectivity between DC1/DC2/UAG1
After activating the IPv6 settings on DC1, DC2 and UAG1, test IPv6 connectivity by using the ping
utility.
A. Install the OS on UAG1
The first step is to install the Windows Server 2008 R2 operating system on the UAG1 computer or
virtual machine. Forefront Unified Access Gateway 2010 requires Windows Server 2008 R2.
1. *At the UAG1 computer or virtual machine, start the installation of Windows Server 2008 R2.
2. Follow the instructions to complete the installation, specifying Windows Server 2008 R2
Enterprise Edition and a strong password for the local Administrator account. Log on using the
local Administrator account.
3. Connect one network interface to the simulated Internet or virtual switch representing the
simulated Internet and one to the corpnet or virtual switch representing the corpnet.
B. Configure TCP/IP Properties on UAG1
After installing the operating system on UAG1, configure the TCP/IP Properties to provide the server an
IP address, subnet mask, DNS server and connection specific suffix on both the internal and external
interfaces. Settings are configured on both the Internet and the corpnet interfaces. Note that you will
enter two consecutive public IP addresses on the external interface of UAG1. This is required to support
DirectAccess clients and Teredo. Public IP addresses are required. If you use private IP addresses, the UAG
DirectAccess Configuration Wizard will warn you of the configuration and not enable DirectAccess.
Perform the following steps to configure TCP/IP properties on UAG1:
1. At the UAG1 computer or virtual machine, in Initial Configuration Tasks, click Configure
networking.
2. In Network Connections, right-click the network connection that is connected to the Corpnet
subnet or virtual switch, and then click Rename.
3. Type Corpnet, and then press ENTER.
4. Right-click Corpnet, and then click Properties.
5. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
6. Select Use the following IP address. In IP address, type 10.0.0.2. In Subnet mask, type
255.255.255.0.
7. Select Use the following DNS server addresses. In Preferred DNS server, type 10.0.0.1.
8. Click Advanced, and then the DNS tab.
9. In DNS suffix for this connection, type pilot.contoso.com, click OK twice, and then click Close.
(A connection specific DNS suffix is not required for DirectAccess to work correctly).
10. In the Network Connections window, right-click the network connection that is connected to
the Internet subnet, and then click Rename.
11. Type Internet, and then press ENTER.
12. Right-click Internet, and then click Properties.
13. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
14. Select Use the following IP address. In IP address, type 131.107.0.2. In Subnet mask, type
255.255.255.0.
15. Click Advanced. On the IP Settings tab, click Add for IP Addresses.
16. In IP address, type 131.107.0.3. In Subnet mask, type 255.255.255.0, and then click Add.
17. Click the DNS tab.
18. In DNS suffix for this connection, type isp.example.com, and then click OK twice and then click
Close. (A connection specific DNS suffix is not required for DirectAccess to work correctly).
19. Close the Network Connections window.
20. To check network communication between UAG1 and DC1/DC2, click Start, click All Programs,
click Accessories, and then click Command Prompt.
21. In the command window, type ping dc1.pilot.contoso.com and press ENTER. Then type
ping dc2.corp.contoso.com and press ENTER.
22. Verify that there are four responses from each of 10.0.0.1 and 10.0.0.10.
23. Close the command window.
C. Rename the Computer and Join UAG1 to the PILOT Domain
Change the default computer name assigned during setup to UAG1 and join the UAG1 computer or
virtual machine to the pilot.contoso.com domain.
Perform the following steps to rename UAG1 and join it to the domain:
1. At the UAG1 computer or virtual machine, in the Initial Configuration Tasks window, click the
Provide computer name and domain link.
2. On the Computer Name tab, click the Change button.
3. In the Computer Name/Domain Changes dialog box, in the Computer name text box, enter
UAG1. In the Member of frame, select the Domain option. Enter pilot.contoso.com in the text
box. Click OK.
4. In the Windows Security dialog box, in the User name text box enter Administrator and enter
the PILOT domain’s Administrator password. Click OK.
5. Click OK in the Welcome to the domain dialog box.
6. Click OK in the Computer Name/Domain Changes dialog box informing you that you must
restart the computer.
7. Click Close in the System Properties dialog box.
8. Click Restart Now in the dialog box informing you that you must restart to apply the changes.
9. Log on as PILOT\User1.
D. Obtain the IP-HTTPS Listener Certificate on UAG1
The UAG DirectAccess server uses an IP-HTTPS listener to accept incoming IP-HTTPS connections from
DirectAccess clients on the Internet. The IP-HTTPS Listener requires a web site certificate to support the
SSL connection between itself and the DirectAccess client. The common name on this certificate will be
the name the external DirectAccess client uses to connect to the IP-HTTPS Listener, and it must be
resolvable by an Internet-based DNS server to the first of the two consecutive IP addresses bound to
the external interface of the UAG DirectAccess server.
Perform the following steps to obtain the IP-HTTPS certificate:
1. At the UAG1 computer or virtual machine, click Start, type mmc, and then press ENTER. Click
Yes at the User Account Control prompt.
2. Click File, and then click Add/Remove Snap-ins.
3. Click Certificates, click Add, click Computer account, click Next, select Local computer, click
Finish, and then click OK.
4. In the console tree of the Certificates snap-in, open Certificates (Local
Computer)\Personal\Certificates.
5. Right-click Certificates, point to All Tasks, and then click Request New Certificate.
6. Click Next twice.
7. On the Request Certificates page, click Web Server 2008, and then click More information is
required to enroll for this certificate.
8. On the Subject tab of the Certificate Properties dialog box, in Subject name, for Type, select
Common Name.
9. In Value, type uag1.contoso.com, and then click Add.
10. In Alternative name, for Type, select DNS.
11. In Value, type uag1.contoso.com, and then click Add.
12. Click OK, click Enroll, and then click Finish.
13. In the details pane of the Certificates snap-in, verify that a new certificate with the name
uag1.contoso.com was enrolled with Intended Purposes of Server Authentication.
14. Right-click the certificate and then click Properties.
15. In the Friendly Name text box, enter IP-HTTPS Certificate, and then click OK.
16. Close the console window. If you are prompted to save settings, click No.
E. Install Forefront UAG on UAG1
You will install the Forefront Unified Access Gateway software on the UAG computer or virtual machine.
Perform the following steps to install UAG on UAG1:
1. At the UAG1 computer or virtual machine, insert the Forefront UAG DVD into the CD drive.
(Note: Ensure you install Forefront UAG from the DVD. Network installations are not supported.)
2. Click Start, click Computer, double-click the DVD drive Forefront UAG 2010, and then double-click Setup.
3. In the Setup window, under Prepare and Install, click Install Forefront UAG. Click Yes in the
User Account Control dialog box.
4. On the Welcome to the Forefront UAG Setup Wizard page, click Next.
5. Read the License Terms, and if you choose to proceed, select I accept the License Terms for
Microsoft Software, and then click Next.
6. On the Select Installation Location page, click Next, and wait for the installation to complete
successfully.
7. On the You have successfully completed the Forefront UAG Setup page, click Restart now, and
then click Next. Wait for the server to restart.
8. Log on to UAG1 as PILOT\User1.
F. Run the UAG Getting Started Wizard
The UAG Getting Started Wizard walks you through the process of initial configuration of the UAG
server. This will set up the basic information required to configure the networking settings on the server,
define the server topology (standalone or array) and whether or not to join Microsoft Update for
updating the server.
Perform the following steps to run the Getting Started Wizard:
1. At the UAG1 computer, click Start, point to All Programs, click Microsoft Forefront UAG, and
then click Forefront UAG Management. Click Yes in the User Account Control dialog box. UAG
will start to configure itself for the first time. The Getting Started Wizard splash screen appears.
2. In the Getting Started Wizard, click Configure Network Settings to start the Network
Configuration Wizard.
3. On the Welcome to the Network Configuration Wizard page, click Next.
4. On the Define Network Adapters page, select Corpnet in the Internal column, and Internet in
the External column. Leave SSL Network tunneling as unassigned, and then click Next.
5. On the Define Internal Network IP Address Range page, verify that the range that appears is
10.0.0.0 to 10.0.0.255, and then click Next.
6. On the Completing the Network Configuration Wizard page, click Finish.
7. On the Getting Started Wizard, click Define Server Topology.
8. On the Welcome to the Server Management Wizard page, click Next.
9. On the Select Configuration page, select Single server, and then click Next.
10. On the Completing the Server Management Wizard page, click Finish.
11. In the Getting Started Wizard, click Join Microsoft Update.
12. On the Use Microsoft Update for Forefront UAG page, select I don’t want to use Microsoft
Update, and then click OK. (NOTE: in a production environment it is highly recommended that
you select the use Microsoft Update option).
13. On the Getting Started Wizard page, click Close.
14. In the Getting Started Wizard dialog box, when prompted Do you want to activate the
configuration now, click Yes.
15. On the Activate Configuration page, enter a password and confirm the password for the backup
file that will save the current UAG configuration. Click Next.
16. On the Activate Configuration page, confirm that there is a checkmark in the Back up
configuration before performing this activation checkbox, then click Activate.
17. Wait for the Activation completed successfully message, and then click Finish.
18. To exit the Microsoft Forefront UAG Management console, click the File menu, click Exit, and
then click Yes when prompted Do you want to close the Forefront UAG Management console.
G. Run the UAG DirectAccess Configuration Wizard
DirectAccess is not enabled by default. To enable DirectAccess features and capabilities on UAG1, you
will need to run the DirectAccess Configuration wizard. After running the DirectAccess Configuration
Wizard, two new Group Policy objects are created – one is linked to the computer account for the UAG
DirectAccess server, and the second is linked to the DirectAccess clients security group you configured
earlier. In addition, the IPv6 components, including support for IPv6 transition technologies and
IPv6/IPv4 protocol translation technologies, are enabled.
Perform the following steps to run the UAG DirectAccess Configuration Wizard:
1. Click Start, point to All Programs, click Microsoft Forefront UAG, and then click Forefront UAG
Management. Click Yes in the User Account Control dialog box.
2. In the left pane of the Forefront Unified Access Gateway console, click DirectAccess. In the
Forefront UAG DirectAccess Configuration pane, in the Clients box, click Configure.
3. On the UAG DirectAccess Client Configuration dialog box, click Add.
4. In the Select Group dialog box, type DA_Clients, click OK, and then click Finish. (Note that you
must use a custom security group that you create for the DirectAccess clients. Never use a built-in
security group).
5. In the DirectAccess Server box, click Configure.
6. On the Connectivity page, in First Internet-facing IPv4 address, select 131.107.0.2. In Internal
IPv4 address, select 10.0.0.2, and then click Next. (Note the information that appears regarding
ISATAP being enabled on the UAG server, and that an ISATAP entry must be entered into DNS
and that ISATAP must be removed from the Global Query Block List. We have done this on both
the DC1 and DC2 DNS servers, so this step is already configured).
7. On the Managing DirectAccess Services page, click Next. (Note: the default settings on this page
enable both NAT64 and DNS64, which allow DirectAccess clients to communicate with IPv4
resources on the corpnet).
8. On the Authentication Options page, for Browse and select a root or intermediate certificate
that verifies certificates sent by DirectAccess clients, select Use root certificate, and then click
Browse. In the list of certificates, click the pilot-DC1-CA root certificate, and then click OK.
9. For Select the certificate that authenticates the UAG DirectAccess server to a client connecting
using IP-HTTPS, click Browse. In the list of certificates, click the IP-HTTPS certificate, click OK,
and then click Finish.
10. In the Infrastructure Servers box, click Configure.
11. On the Network Location Server page, type nls.pilot.contoso.com, click Validate and wait for
the notice Validation successful. The URL https://nls.pilot.contoso.com is reachable, and then
click Next.
12. On the DNS Suffixes page, double-click in the area where it says Double-click here to add...
13. In the Name Resolution Servers used by DirectAccess dialog box, select the DNS Suffix option.
In the text box, enter corp.contoso.com. From the Choose the DNS server to resolve DNS suffix
queries options, select the UAG DNS64 server option. Click OK.
14. On the DNS Suffixes page, confirm that you see the *.corp.contoso.com entry in the Name
Suffix list and then click Next.
15. On the Management Servers and DCs page, click the Domains\pilot.contoso.com entry. Note in
the Servers List that DC1.pilot.contoso.com was automatically discovered. Click the Add
Domain button. In the New Item dialog box, in the Enter a new domain name text box, enter
corp.contoso.com and click OK. Notice that the domain controller for corp.contoso.com is
automatically discovered. Click Finish. (Note: infrastructure servers are those servers that are
accessed through the infrastructure tunnel, which is established before the user logs on and
enables DirectAccess client computer management).
16. In the Application Servers box, click Configure. Confirm that the Require end-to-edge
authentication and encryption option is selected. Click Finish.
17. In the Forefront UAG DirectAccess pane, click Generate Policies.
18. In the Forefront UAG DirectAccess Configuration Review dialog box, click Apply Now. After the
script has finished executing, in the DirectAccess Policy Configuration message box, click OK,
and then click Close.
19. Open an elevated command prompt. In the command prompt window, enter gpupdate /force
and wait for the command to complete. Close the command prompt window.
20. In the Microsoft Forefront UAG Management console, click the File menu, and then click
Activate. In the Activate Configuration dialog box, click Activate. Wait for the Activation
completed successfully message, and then click Finish.
21. To exit the Microsoft Forefront UAG Management console, click the File menu, click Exit, and
then click Yes when prompted Do you want to close the Forefront UAG Management console.
H. Confirm Group Policy Settings on UAG1
The UAG DirectAccess wizard configures GPO objects and settings that are automatically deployed to
the Active Directory. One GPO is assigned to the UAG DirectAccess server, and one is deployed to
machines that belong to the DirectAccess Clients security group. You will confirm that the Group Policy
settings were deployed to the UAG DirectAccess server.
Perform the following steps to confirm Group Policy settings on UAG1:
1. *Go to the DC1 computer. At DC1, click Start, point to Administrative Tools and click Group
Policy Management.
2. Expand Forest: pilot.contoso.com and then expand Domains and then expand
pilot.contoso.com.
3. You will find two new GPOs linked to the default domain policy. UAG DirectAccess:
Client{3491980e-ef3c-4ed3-b176-a4420a810f12} is applied to members of the DA_Clients
security group. UAG DirectAccess: DaServer{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300} is
applied to the UAG server. Confirm that the correct security filtering is done for each of these
Group Policy Objects by clicking on the GPO and then viewing the entries in the Security
Filtering section on the Scope tab in the right pane of the console.
4. *Go to the UAG1 computer. Open an elevated command prompt. Change the focus to
c:\Users\User1\Desktop.
5. At the command prompt, enter gpupdate /force
6. At the command prompt, enter gpresult /scope computer /f /h report.html and press ENTER
7. On the desktop, double-click the report file. In the Group Policy Objects section, notice in the
Group Policy Objects\Applied GPOs section that UAG DirectAccess: DaServer{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300} appears, which shows that the DirectAccess server GPO has been applied
to UAG1. Close the Internet Explorer window.
8. Click Start and enter wf.msc in the Search box and press ENTER.
9. In the Windows Firewall with Advanced Security console, notice in the middle pane that it says
that the Domain Profile is Active and Public Profile is Active. It is important that the Windows
Firewall is enabled and both the Domain and Public Profiles are active. If the Windows Firewall
with Advanced Security is disabled, or if Domain or Public profiles are disabled, then
DirectAccess will not work correctly.
10. In the left pane of the Windows Firewall with Advanced Security Console, click the Connection
Security Rules node. Notice in the middle pane of the console that there are two connection
security rules: UAG DirectAccess Gateway – Clients Access Enabling Tunnel – All and UAG
DirectAccess Gateway – Clients Corp Tunnel. The first rule is used for the infrastructure tunnel
and the second rule is used to establish the intranet tunnel. Both of these rules are delivered to
UAG1 using Group Policy.
11. Close the Windows Firewall with Advanced Security console.
I. Confirm IPv6 Settings on UAG1
For the DirectAccess solution to function, the IPv6 settings on UAG1 must be correct. You will confirm
these settings on UAG1.
Perform the following steps to confirm IPv6 settings on UAG1:
1. At the UAG1 computer or virtual machine, click Start and right click on the command prompt
and click Run as administrator. Click Yes in the User Account Control dialog box.
2. In the command prompt window, enter ipconfig /all and press ENTER.
3. The ipconfig /all printout shows information related to the UAG1 computer’s networking
configuration. Several sections are of interest. The Tunnel adapter 6TO4 Adapter
section shows information that includes the global IPv6 addresses used by UAG1 on its external
interface. The Tunnel adapter isatap.pilot.contoso.com section shows information regarding
UAG1’s ISATAP interface; here you will find the ISATAP address for UAG1. In the Tunnel adapter
IPHTTPSInterface section, you will see information regarding the IP-HTTPS interface. If you are
using the IP addressing scheme suggested in this Lab Tester’s Guide, you should see the
following addresses in use:
6TO4 Adapter: 2002:836b:2::836b:2 and 2002:836b:2::836b:3
ISATAP: 2002:836b:2:8000:0:5efe:10.0.0.2
IPHTTPS: 2002:836b:2:8100:c887:6a74:6ef0:bf (Note that the last 64 bits, c887:6a74:6ef0:bf in
this example, will vary due to how the IP-HTTPS address is generated)
4. To see information regarding the Teredo interface on UAG1, enter netsh interface teredo show
state and press ENTER. The output should include an entry State: online.
J. Update IPv6 Settings on DC1
DC1 is capable of being an ISATAP host. However, this functionality might not be immediately available.
You can expedite DC1 setting itself up as an ISATAP host by updating its IPv6 configuration.
Perform the following steps to update IPv6 settings on DC1:
1. *At the DC1 computer or virtual machine, click Start and then right click the command prompt
icon. Click Run as administrator.
2. In the command prompt window, enter sc control iphlpsvc paramchange and press ENTER.
3. Close the command prompt window after the command completes.
K. Update IPv6 Settings on DC2
DC2 is capable of being an ISATAP host. However, this functionality might not be immediately available.
You can expedite DC2 setting itself up as an ISATAP host by updating its IPv6 configuration.
Perform the following steps to update IPv6 settings on DC2:
1. *At the DC2 computer or virtual machine, click Start and then right click the command prompt
icon. Click Run as administrator.
2. In the command prompt window, enter sc control iphlpsvc paramchange and press ENTER.
3. Close the command prompt window after the command completes.
L. Confirm IPv6 Address Registration in DNS
IPv6 capable hosts can communicate with one another over IPv6 using their ISATAP adapters. However,
they must be able to resolve the destination host to an IPv6 address to use this capability. You will
confirm that the IPv6 ISATAP addresses are registered in DNS.
Perform the following steps to confirm IPv6 address registration:
1. *At the DC1 computer or virtual machine, click Start, point to Administrative Tools and click
DNS.
2. In the DNS Manager, expand the server name, then expand the Forward Lookup Zones node in
the left pane of the console. Click pilot.contoso.com.
3. Click the Name column in the right pane of the console so that computer names are listed
alphabetically. For APP1, DC1 and UAG1 there should be both an IPv4 address and an IPv6 address. If
there is no IPv6 address, return to the machine that does not have an IPv6 address and open an
elevated command prompt. At the elevated command prompt enter ipconfig /registerdns. Then
return to the DNS console on DC1 and confirm that the IPv6 address is registered in DNS.
4. *Move to the DC2 computer or virtual machine and click Start, point to Administrative Tools
folder and click DNS.
5. In the DNS Manager, expand the server name, then expand Forward Lookup Zones. Click on
corp.contoso.com. Confirm that DC2 has both an IPv4 and IPv6 address registered in DNS. If no
IPv6 address appears, use an elevated command prompt on DC2 and use ipconfig /registerdns
to register that computer’s address in DNS. Return to the DNS console on DC2 and refresh to
view the newly registered IPv6 address.
Note that the ISATAP addresses listed in the DNS resource records do not use the dotted decimal format
for the last 32 bits of the IPv6 address that you see when using ipconfig to view IP addressing
information on the hosts. However, these addresses represent the same information; the only
difference is that the last 32 bits are represented in HEX instead of dotted decimal format.
M. Confirm IPv6 Connectivity between DC1/DC2/UAG1
After activating the IPv6 settings on DC1, DC2 and UAG1, test IPv6 connectivity by using the ping utility.
Perform the following steps to confirm IPv6 connectivity:
1. *At the DC1 computer or virtual machine, click Start and right click the command prompt icon
and click Run as administrator.
2. In the command prompt window, enter ipconfig /flushdns to remove IPv4 address entries that
might already be in the DNS client cache.
3. In the command prompt window, enter ping UAG1 and press ENTER. You should see the ISATAP
address of UAG1 in the reply, which is 2002:836b:2:8000:0:5efe:10.0.0.2.
4. In the command prompt window, enter ping dc2 and press ENTER. You should see the ISATAP
address of DC2 in the reply, which is 2002:836b:2:8000:0:5efe:10.0.0.10. Close the command
prompt window.
5. *At DC2, use an elevated command prompt window to ping DC1 and UAG1 and confirm that the
responses are from the ISATAP addresses of those servers. Then close the command prompt
window. Note: if you receive a response from the link-local address of DC1 or UAG1, reissue the
request using a FQDN. For example, use ping dc1.pilot.contoso.com and
uag1.pilot.contoso.com. You can recognize the link-local address because it will start with FE80.
The ISATAP address will begin with 2002 and end with 5efe:w.x.y.z, where w.x.y.z represents
the four octets of the IPv4 address. The reason for this is that the CORP domain members don’t
have a suffix search list that includes the pilot.contoso.com domain, so local name resolution
results in obtaining the link-local address for single label name requests.
6. *At UAG1, use an elevated command prompt window to ping DC1 and DC2 and confirm that the
responses are from the ISATAP addresses of those servers. Then close the command prompt
window.
5. Configure CLIENT1 (PILOT DOMAIN)
CLIENT1 is a computer or virtual machine running Windows 7 that you will use to demonstrate how
DirectAccess works in a number of scenarios. You will connect CLIENT1 to the corpnet to join the
machine to the domain and receive the DirectAccess Group Policy settings. Then you will move CLIENT1
to the simulated Internet to test DirectAccess connectivity over 6to4 and finally move CLIENT1 behind a
NAT device to test both Teredo and IP-HTTPS DirectAccess connectivity.
NOTE:
CLIENT1 is a Windows 7 computer and after installation the default power plan is applied. The
CLIENT1 computer may go to sleep before you reach the end of the lab configuration. You can
prevent this from happening by selecting the High Performance power plan in the Control Panel.
We will not describe the steps for configuring the new power plan in this lab document.
You will perform the following operations to configure CLIENT1:
A. Install the Windows 7 operating system on the CLIENT1 computer or virtual machine
Windows 7 is required for DirectAccess client connectivity. The first step is to install Windows 7
on the DirectAccess computer or virtual machine.
B. Join CLIENT1 to the PILOT domain
DirectAccess supports only domain-member client computers for authentication and Group Policy
settings assignment. To meet this requirement, we will join CLIENT1 to the PILOT domain.
C. Add CLIENT1 to the DA_Clients Active Directory Security Group
The DirectAccess client settings are assigned only to members of the DA_Clients Active Directory
Security Group. You will place CLIENT1 in the DA_Clients security group so that the Group Policy
settings are assigned to CLIENT1.
D. Add CORP\User2 to the Local Administrators Group on CLIENT1
To improve the user experience on the CLIENT1 computer and reduce the number of UAC
prompts seen when performing various configuration options on CLIENT1, we will place
CORP\User2 into the local administrators group on CLIENT1. We want User2 from the CORP
domain to log on to the DirectAccess client computer or virtual machine to demonstrate that a
member in the resource domain is able to transparently connect to resources in the domain that
the user normally participates in.
E. Test IPv6 Configuration, Confirm Group Policy Settings and Machine Certificate on CLIENT1
Before you move CLIENT1 out of the corpnet and onto the simulated Internet and behind a NAT
device on the Internet, you will check the IPv6 configuration on CLIENT1, confirm that
DirectAccess client Group Policy Settings are enabled on CLIENT1, and that CLIENT1 has the
computer certificate required to establish the IPsec connections to the UAG DirectAccess server.
F. Test Connectivity to a Network Share and Network Location Server
The final check on CLIENT1 before moving it outside the corpnet is to confirm connectivity to a
network share on the corpnet and to the Network Location Server. Connectivity to the Network
Location Server is required so that the DirectAccess client can determine if it is on-network or
off-network.
A. Install the Operating System on CLIENT1
Windows 7 is required for DirectAccess client connectivity. The first step is to install Windows 7 on the
DirectAccess computer or virtual machine.
Perform the following steps to install the operating system on CLIENT1:
1. Connect CLIENT1 to the Corpnet subnet.
2. Start the installation of the Windows 7 Enterprise or Windows 7 Ultimate.
3. When prompted for a user name, type User1. When prompted for a computer name, type
CLIENT1.
4. When prompted for a password, type a strong password twice.
5. When prompted for protection settings, click Use recommended settings.
6. When prompted for your computer's current location, click Work network.
B. Join CLIENT1 to the PILOT Domain
DirectAccess supports only domain-member client machines for authentication and Group Policy settings
assignment. To meet this requirement, we will join CLIENT1 to the PILOT domain.
Perform the following steps to join CLIENT1 to the PILOT domain:
1. At the CLIENT1 computer or virtual machine, click Start, right-click Computer, and then click
Properties.
2. Under Computer name, domain, and workgroup settings, click Change settings.
3. In the System Properties dialog box, click Change.
4. In the Computer Name/Domain Changes dialog box, click Domain, type pilot.contoso.com, and
then click OK.
5. When prompted for a user name and password, type the user name and password for the User1
domain account, and then click OK.
6. When you see a dialog box that welcomes you to the corp.contoso.com domain, click OK.
7. When you see a dialog box that prompts you to restart the computer, click OK.
8. In the System Properties dialog box, click Close.
9. In the dialog box that prompts you to restart the computer, do not click anything and proceed to
the following procedure.
C. Add CLIENT1 to the DA_Clients Security Group
The DirectAccess client settings are assigned only to members of the DA_Clients Active Directory
Security Group. You will place CLIENT1 in the DA_Clients security group so that the Group Policy settings
are assigned to CLIENT1.
Perform the following steps to add CLIENT1 to the DA_Clients security group:
1. *On the DC1 computer or virtual machine, click Start, point to Administrative Tools, and then
click Active Directory Users and Computers.
2. In the console tree, expand corp.contoso.com, and then click Users.
3. In the details pane, double-click DA_Clients.
4. In the DA_Clients Properties dialog box, click the Members tab, and then click Add.
5. In the Select Users, Contacts, Computers, or Groups dialog box, click Object Types, click
Computers, and then click OK.
6. Under Enter the object names to select (examples), type CLIENT1, and then click OK.
7. Verify that CLIENT1 is displayed below Members, and then click OK.
8. Close the Active Directory Users and Computers console.
9. *On CLIENT1, in the dialog box that prompts you to restart the computer, click Restart Now.
10. After CLIENT1 has been restarted, click Switch User, then click Other User and log on to the
CORP domain with the User1 account.
D. Add CORP\User2 to Local Administrators Group on CLIENT1
To improve the user experience on the CLIENT1 computer and reduce the number of UAC prompts seen
when performing various configuration options on CLIENT1, we will place CORP\User2 into the local
administrators group on CLIENT1. We want User2 from the CORP domain to log on to the
DirectAccess client computer or virtual machine to demonstrate that a member in the resource domain
is able to transparently connect to resources in the domain that the user normally participates in.
Perform the following steps to add CORP\User2 to the local administrators group on CLIENT1:
1. On the CLIENT1 computer or virtual machine, click Start and then click Control Panel.
2. In the Control Panel window, click User Accounts.
3. In the User Accounts window, click Give other users access to this computer.
4. In the User Accounts dialog box, on the Users tab, click the Add button.
5. On the Add New User page, enter User2 in the User Name text box, and in the Domain text box,
enter CORP. Click Next.
6. On the Add New User page, select the Administrator option. Click Finish.
7. In the User Accounts dialog box, click OK.
8. Close the User Accounts window.
E. Test IPv6 Configuration, Confirm Group Policy Settings and Machine
Certificate on CLIENT1
Before you move CLIENT1 out of the corpnet and onto the simulated Internet and behind a NAT device
on the Internet, you will check the IPv6 configuration on CLIENT1, confirm that DirectAccess client
Group Policy Settings are enabled on CLIENT1, and that CLIENT1 has the computer certificate required
to establish the IPsec connections to the UAG DirectAccess server.
Perform the following steps to confirm Group Policy settings and machine certificate:
1. On the CLIENT1 computer or virtual machine, click Start and then click All Programs. Click
Accessories and then right-click Command Prompt. Click Run as administrator. Click Yes in the
UAC dialog box.
2. In the command prompt window, enter ping dc1 and press ENTER. Confirm that the reply comes
from an IPv6 ISATAP address, 2002:836b:2:8000:0:5efe:10.0.0.1.
3. Ping DC2 and UAG1 to confirm that both these machines reply with IPv6 ISATAP addresses,
2002:836b:2:8000:0:5efe:10.0.0.10 and 2002:836b:2:8000:0:5efe:10.0.0.2.
4. Ping APP1. You should see replies from the address 2002:836b:2:8000:0:5efe:10.0.0.3.
5. In the command prompt window, enter netsh namespace show policy and press ENTER. This
command shows the DNS name resolution policy table (NRPT) settings, which were provided to
CLIENT1 via Group Policy. For more information about DirectAccess and the NRPT, please see
http://technet.microsoft.com/en-us/library/dd637795(WS.10).aspx
6. In the command prompt window, enter netsh namespace show effectivepolicy and press
ENTER. This command shows the current DNS name resolution policy table settings and
indicates that the client is in the corporate network and DirectAccess settings are turned off.
7. In the command prompt window, enter certutil -store my and press ENTER. The output will
display information about the certificate installed on CLIENT1. The subject name on the
certificate should be CN=CLIENT1.pilot.contoso.com and the certificate template name (certificate
type) should be Machine, Computer. This machine certificate was assigned using Group Policy
autoenrollment and will be used to create the IPsec tunnels between CLIENT1 and UAG1 when
CLIENT1 leaves the corporate network.
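A worked derivation of the addresses these checks expect, added here as an example and not part of the original guide. It builds UAG1's 6to4 prefix from its public IPv4 address 131.107.0.2 (the uag1 host record created on INET1 later in this guide), derives the ISATAP addresses pinged in steps 2 to 4 and the NAT64 address and DNS64 proxy address expected in the Internet connectivity test of section 9, and classifies a ping reply so that a link-local answer is caught. The subnet IDs 8000 and 8001 are read off the guide's addresses; that 2002:836b:3::836b:3 decodes to 131.107.0.3 follows from the 6to4 address format, the guide itself does not state that IPv4 address.

```python
import ipaddress

# Lab values taken from the guide: UAG1's public IPv4 address (the uag1 A record on INET1)
# and the subnet IDs that the ISATAP (/64) and NAT64 (/96) addresses use in the expected
# ping replies. Everything else is derived from the address formats.
UAG1_PUBLIC_IPV4 = "131.107.0.2"
ISATAP_SUBNET_ID = 0x8000   # 2002:836b:2:8000::/64 in the guide's ping replies
NAT64_SUBNET_ID = 0x8001    # 2002:836b:2:8001::/96 in the guide's ping to APP3


def six_to_four_prefix(public_ipv4: str) -> ipaddress.IPv6Network:
    """RFC 3056 6to4 prefix 2002:WWXX:YYZZ::/48, WWXX:YYZZ being the public IPv4 address in hex."""
    packed = ipaddress.IPv4Address(public_ipv4).packed
    wwxx = int.from_bytes(packed[:2], "big")
    yyzz = int.from_bytes(packed[2:], "big")
    return ipaddress.IPv6Network(f"2002:{wwxx:x}:{yyzz:x}::/48")


def embedded_public_ipv4(addr: str) -> ipaddress.IPv4Address:
    """Recover the public IPv4 address encoded in hextets 2 and 3 of any 2002::/16 address."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in ipaddress.IPv6Network("2002::/16"):
        raise ValueError(f"{addr} is not a 6to4 address")
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def six_to_four_subnet(public_ipv4: str, subnet_id: int, length: int) -> ipaddress.IPv6Network:
    """Carve subnet <subnet_id> (the 4th hextet) out of the host's 6to4 /48 with the given length."""
    base = int(six_to_four_prefix(public_ipv4).network_address) | (subnet_id << 64)
    return ipaddress.IPv6Network((base, length))


def isatap_address(prefix64: ipaddress.IPv6Network, intranet_ipv4: str) -> ipaddress.IPv6Address:
    """RFC 5214 ISATAP address: <prefix>:0:5efe:w.x.y.z, i.e. interface ID 0000:5efe + IPv4."""
    iid = (0x00005EFE << 32) | int(ipaddress.IPv4Address(intranet_ipv4))
    return ipaddress.IPv6Address(int(prefix64.network_address) | iid)


def nat64_address(prefix96: ipaddress.IPv6Network, ipv4: str) -> ipaddress.IPv6Address:
    """DNS64/NAT64-synthesized address: the IPv4 address sits in the low 32 bits of the /96."""
    return ipaddress.IPv6Address(int(prefix96.network_address) | int(ipaddress.IPv4Address(ipv4)))


def expected_replies() -> dict:
    """The reply addresses the guide expects when CLIENT1 pings each lab host by name."""
    isatap = six_to_four_subnet(UAG1_PUBLIC_IPV4, ISATAP_SUBNET_ID, 64)
    nat64 = six_to_four_subnet(UAG1_PUBLIC_IPV4, NAT64_SUBNET_ID, 96)
    intranet = {"DC1": "10.0.0.1", "DC2": "10.0.0.10", "UAG1": "10.0.0.2", "APP1": "10.0.0.3"}
    replies = {host: str(isatap_address(isatap, ip)) for host, ip in intranet.items()}
    replies["APP3"] = str(nat64_address(nat64, "10.0.0.4"))  # IPv4-only host, via DNS64/NAT64
    return replies


def classify_reply(reply: str, public_ipv4: str = UAG1_PUBLIC_IPV4) -> str:
    """Name the kind of address a ping reply came from, so a check can fail on a link-local reply."""
    addr = ipaddress.IPv6Address(reply)
    if addr.is_link_local:
        return "link-local"   # the name was resolved on the local link, not to an ISATAP address
    if addr in six_to_four_subnet(public_ipv4, ISATAP_SUBNET_ID, 64) and \
            ((int(addr) >> 32) & 0xFFFFFFFF) == 0x00005EFE:
        return "isatap"
    if addr in six_to_four_subnet(public_ipv4, NAT64_SUBNET_ID, 96):
        return "nat64"
    return "other"


if __name__ == "__main__":
    for host, addr in expected_replies().items():
        print(f"{host:5s} {addr:28s} {classify_reply(addr)}")
    print("DNS64 proxy 2002:836b:3::836b:3 is the 6to4 address of",
          embedded_public_ipv4("2002:836b:3::836b:3"))
```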
F. Test Connectivity to a Network Share and the Network Location Server
The final check on CLIENT1 before moving it outside the corpnet is to confirm connectivity to a network
share on the corpnet and to the Network Location Server. Connectivity to the Network Location Server
is required so that the DirectAccess client can determine if it is on-network or off-network.
Perform the following steps to test connectivity to a network share and the Network Location Server:
1. On the CLIENT1 computer or virtual machine, from the taskbar, click the Internet Explorer icon.
2. In the Welcome to Internet Explorer 8 window, click Next. In the Turn on Suggested Sites
window, click No, don’t turn on, and then click Next. In the Choose your settings dialog box,
click Use express settings, and then click Finish.
3. In the Toolbar, click Tools, and then click Internet Options. For Home page, click Use blank, and
then click OK.
4. In the Address bar, type https://nls.pilot.contoso.com/, and then press ENTER. You should see
the default IIS 7 Web page on DC1.
5. Close the Internet Explorer window.
6. Click Start, type \\DC1\Files, and then press ENTER.
7. You should see a folder window with the contents of the Files file share.
8. In the Files folder window, double-click the Example.txt file. You should see the contents of the
Example.txt file.
9. Close the example.txt - Notepad and the Files folder windows.
6. Configure INET1
In the POC lab environment the INET1 computer will provide simulated Internet DNS and DHCP services
to the CLIENT1 computer when the CLIENT1 computer is connected to the simulated Internet. CLIENT1,
when connected to the simulated Internet needs to be able to resolve the public name of the UAG
DirectAccess computer to connect using the 6to4 IPv6 transition technology. INET1 will also host a DHCP
server to assign CLIENT1 a public IP address.
You will perform the following operations to configure INET1 to perform these duties:
A. Install the Windows Server 2008 R2 operating system on INET1
The first step is to install the operating system on the INET1 computer or virtual machine. In the
POC lab environment, you’ll use Windows Server 2008 R2. This is not a requirement for the
DirectAccess solution, since in a production environment any OS might be used to provide DNS
and DHCP services to the Internet-based DirectAccess client.
B. Configure the TCP/IP Properties on INET1
You will assign a public IP address to the INET1 computer or virtual machine’s interface.
C. Rename the computer on INET1
You will rename the computer from the default name provided by the OS installer to INET1.
D. Install and Configure the DNS Server Role on INET1
The DNS server role is installed on the INET1 computer or virtual machine so that the Internet
connected DirectAccess client can resolve the name of the UAG DirectAccess server to create
the 6to4 connection.
E. Install the DHCP server role on INET1
The DHCP server role is installed on INET1 so that the DirectAccess client can obtain a public IP
address automatically after being connected to the Internet subnet or virtual switch.
A. Install the Operating System
The first step is to install the operating system on the INET1 computer or virtual machine. In the POC lab
environment, you’ll use Windows Server 2008 R2. This is not a requirement for the DirectAccess
solution, since in a production environment any OS might be used to provide DNS and DHCP services to
the Internet-based DirectAccess client.
Perform the following steps to install the operating system on INET1:
1. At the INET1 computer or virtual machine, start the installation of Windows Server 2008 R2.
2. Follow the instructions to complete the installation, specifying a strong password for the local
Administrator account. Log on using the local Administrator account.
3. Connect the network adapter to the Internet subnet or virtual switch.
B. Configure TCP/IP Properties on INET1
You will assign a public IP address to the INET1 computer or virtual machine’s interface.
Perform the following steps to configure the TCP/IP properties on INET1:
1. At the INET1 computer or virtual machine, in Initial Configuration Tasks, click Configure
networking.
2. In the Network Connections window, right-click Local Area Connection, and then click
Properties.
3. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
4. Select Use the following IP address. In IP address, type 131.107.0.1. In Subnet mask, type
255.255.255.0. For Preferred DNS server enter 131.107.0.1.
5. Click Advanced, and then click the DNS tab.
6. In DNS suffix for this connection, type isp.example.com, and then click OK.
7. Click OK, and then click Close to close the Local Area Connection Properties dialog box.
8. Close the Network Connections window.
9. Click Start, right-click Network, and then click Properties.
10. In the Network and Sharing Center window, click Change advanced sharing settings.
11. In the Advanced sharing settings window, click Turn on file and printer sharing, and then click
Save changes. (Note: this is done so that inbound ICMP ping requests are allowed for INET1 to
test connectivity. It is not required by the DirectAccess solution itself).
12. Close the Network and Sharing Center window.
C. Rename the Computer on INET1
You will rename the computer from the default name provided by the OS installer to INET1.
Perform the following steps to rename INET1:
1. At the INET1 computer or virtual machine, in Initial Configuration Tasks, click Provide Computer
Name and Domain.
2. In the System Properties dialog box, on the Computer Name tab, click Change.
3. In Computer Name, type INET1.
4. Click OK.
5. When you are prompted that you must restart the computer, click OK.
6. On the System Properties dialog box, click Close.
7. When you are prompted to restart the computer, click Restart Now.
8. After the computer has restarted, log on with the local Administrator account.
D. Install and Configure the DNS Server Role on INET1
The DNS server role is installed on the INET1 computer or virtual machine so that the Internet connected
DirectAccess client can resolve the name of the UAG DirectAccess server to create the 6to4 connection.
Perform the following steps to install and configure the DNS server role on INET1:
1. At the INET1 computer or virtual machine, in the Initial Configuration Tasks window, click the
Add Roles link. Click Next on the Before You Begin page.
2. On the Select Server Roles page, select the DNS Server checkbox, and then click Next.
3. Click Next twice and then click Install.
4. Verify that the installation was successful, and then click Close.
5. Click Start, point to Administrative Tools, and then click DNS.
6. In the console tree of DNS Manager, expand INET1.
7. Click Forward Lookup Zones, right-click Forward Lookup Zones, click New Zone, and then click
Next.
8. On the Zone Type page, click Next.
9. On the Zone Name page, type isp.example.com, and then click Next.
10. On the Zone File page, click Next.
11. On the Dynamic Update page, click Next, and then click Finish.
12. In the console tree, expand Forward Lookup Zones, right-click isp.example.com, and then click
New Host (A or AAAA).
13. In Name, type INET1. In IP address, type 131.107.0.1. Click Add Host.
14. Click OK, and then click Done.
15. In the console tree, right-click Forward Lookup Zones, click New Zone, and then click Next.
16. On the Zone Type page, click Next.
17. On the Zone Name page, type contoso.com, and then click Next.
18. On the Zone File page, click Next.
19. On the Dynamic Update page, click Next, and then click Finish.
20. In the console tree, right-click contoso.com, and then click New Host (A or AAAA).
21. In Name, type uag1. In IP address, type 131.107.0.2.
22. Click Add Host. Click OK, and then click Done.
23. Close the DNS console.
E. Install the DHCP Server Role on INET1
The DHCP server role is installed on INET1 so that the DirectAccess client can obtain a public IP address
automatically after being connected to the Internet subnet or virtual switch.
Perform the following steps to install and configure the DHCP server on INET1:
1. On the INET1 computer or virtual machine, in the Initial Configuration Tasks window, click the
Add roles link.
2. On the Before You Begin page, click Next.
3. On the Select Server Roles page, select the DHCP Server check box, and then click Next twice.
4. On the Select Network Connection Bindings page, verify that 131.107.0.1 is selected, and then
click Next.
5. On the Specify IPv4 DNS Server Settings page, verify that isp.example.com is listed under
Parent domain.
6. Type 131.107.0.1 under Preferred DNS server IP address, and click Validate. Verify that the
result returned is Valid, and then click Next.
7. On the Specify IPv4 WINS Server Settings page, accept the default setting of WINS is not
required on this network, and then click Next.
8. On the Add or Edit DHCP Scopes page, click Add.
9. In the Add Scope dialog box, type Internet next to Scope Name. Next to Starting IP Address,
type 131.107.0.100, next to Ending IP Address, type 131.107.0.150, and next to Subnet Mask,
type 255.255.255.0.
10. Select the Activate this scope check box, click OK, and then click Next.
11. On the Configure DHCPv6 Stateless Mode page, select Disable DHCPv6 stateless mode for this
server, and then click Next.
12. On the Confirm Installation Selections page, click Install.
13. Verify that the installation was successful, and then click Close.
7. Configure NAT1
NAT1 is a Windows 7 computer that will be configured as a NAT device that separates a private network
from the Internet. The built-in Internet Connection Service (ICS) will be used as a NAT server. ICS
includes DHCP server-like functionality (DHCP allocator) and will automatically assign IP addressing
information to clients located behind the NAT1 ICS NAT device. NAT1 will have two network interfaces –
one connected to the simulated Internet and one connected to a “home” network.
NOTE:
CLIENT1 is a Windows 7 computer and after installation the default power plan is applied. The CLIENT1
computer may go to sleep before you reach the end of the lab configuration. You can prevent this from
happening by selecting the High Performance power plan in the Control Panel. We will not describe the
steps for configuring the new power plan in this lab document.
You will perform the following operations to configure NAT1 as a NAT device:
A. Install the operating system on NAT1
The first step is to install the Windows 7 operating system. Note that this is not a requirement;
you can use any NAT device to simulate NAT device functionality.
B. Rename the interfaces on NAT1
In this step you will rename the network interfaces in the Network Connections window to make
them easier to identify. Note that this is not required, but makes applying the correct settings
on the appropriate interface easier.
C. Disable 6to4 functionality on NAT1
You must disable 6to4 functionality on NAT1. The reason for this is that if you don’t disable 6to4
on NAT1, it will act as a 6to4 router and issue a native IPv6 address to CLIENT1 when it is
connected to the Homenet subnet. This will prevent CLIENT1 from acting as a Teredo or IP-HTTPS DirectAccess client.
D. Configure ICS on the External Interface of NAT1
Internet Connection Services enable NAT1 to act as a NAT device and DHCP server for clients
located behind NAT1. This enables CLIENT1 to automatically obtain IP addressing information
and connect to the simulated Internet when connected to the “Homenet” subnet behind NAT1.
A. Install the OS on NAT1
The first step is to install the Windows 7 operating system. Note that this is not a requirement; you can
use any NAT device to simulate NAT device functionality.
Perform the following steps to install the operating system on NAT1:
1. At the NAT1 computer or virtual machine, connect one network adapter to the Internet subnet
or virtual switch, and the other to the Homenet subnet or virtual switch.
2. Start the installation of Windows 7 Enterprise Edition, or Windows 7 Ultimate Edition.
3. When prompted for a user name, type User1. When prompted for a computer name, type
NAT1.
4. When prompted for a password, type a strong password twice.
5. If prompted for a Password Hint, type a password hint.
6. When prompted for protection settings, click Use recommended settings.
7. When prompted for your computer's current location, click Public network.
B. Rename the Network Interfaces on NAT1
In this step you will rename the network interfaces in the Network Connections window to make them
easier to identify. Note that this is not required, but makes applying the correct settings on the
appropriate interface easier.
Perform the following steps to rename the interfaces on NAT1:
1. Click Start, and then click Control Panel.
2. Under Network and Internet, click View status and tasks, and then click Change adapter
settings.
3. In the Network Connections window, right-click the network connection that is connected to
the Homenet subnet, and then click Rename.
4. Type Homenet, and then press ENTER.
5. In the Network Connections window, right-click the network connection that is connected to
the Internet subnet, and then click Rename.
6. Type Internet, and then press ENTER.
7. Leave the Network Connections window open for the next procedure.
8. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click
Run as administrator.
9. To check network communication between NAT1 and INET1, in the command window, type
ping inet1.isp.example.com, and then press ENTER.
10. Verify that there are four responses from 131.107.0.1.
C. Disable 6to4 on NAT1
In the POC lab environment we use a Windows 7 computer to simulate a NAT device located in a remote
location. One issue we can have with Windows 7 when configured as an Internet Connection Service
server is that it can act as a 6to4 router. When this is the case, it will assign the CLIENT1 computer
behind the NAT1 ICS computer a 6to4 address and prevent it from acting as a Teredo and IP-HTTPS
client. We want to be able to demonstrate both Teredo and IP-HTTPS functionality, so we will disable
6to4 on the NAT1 Windows 7 computer.
Perform the following steps to disable 6to4 on NAT1:
1. Open an elevated command prompt window. In the command window, type netsh interface
6to4 set state state=disabled, and then press ENTER. You should get an Ok response after the
command completes.
2. Close the command window.
D. Configure ICS on the External Interface of NAT1
Internet Connection Services enable NAT1 to act as a NAT device and DHCP server for clients located
behind NAT1. This enables CLIENT1 to automatically obtain IP addressing information and connect to
the simulated Internet when connected to the “Homenet” subnet behind NAT1.
Perform the following steps to configure ICS on the external interface of NAT1:
1. At the NAT1 computer or virtual machine, in the Network Connections window, right-click
Internet, and then click Properties.
2. Click the Sharing tab, select Allow other network users to connect through this computer’s
Internet connection, and then click OK.
3. Right-click the Homenet interface on NAT1, and then click Status.
4. In the Local Area Connection Status dialog box, on the General tab, click the Details button.
5. In the Network Connection Details dialog box, notice that the internal interface has been
assigned an IP address and subnet mask by the Internet Connection Service, using a network ID
of 192.168.137.0/24. DHCP clients placed behind NAT1 will obtain an IP address on this network
ID and DNS server settings from the Internet Connection Services.
6. Click Close in the Network Connection Details dialog box, and click Close in the Local Area
Connection Status dialog box.
7. Close the Network Connections window.
8. Configure APP3
APP3 is a Windows Server 2003 Enterprise Edition computer that acts as an IPv4 only host and is used to
demonstrate DirectAccess connectivity to IPv4 only resources using the UAG DNS64 and NAT64
features. APP3 hosts both HTTP and SMB resources that the DirectAccess client computer will be able to
access from the simulated Internet. APP3 belongs to the resource domain (CORP), and the user
account logged on to the DirectAccess client belongs to the CORP domain (CORP\User2).
You will perform the following operations to configure APP3:
A. Install the operating system on APP3
The first step is to install Windows Server 2003 Enterprise Edition on APP3. This is not a
requirement. We could use another IPv4 only operating system, such as Windows 2000 Server
or even Windows XP. The goal is to provide an IPv4 resource for the DirectAccess clients to
connect to from over the Internet.
B. Install Web services on APP3
You will install IIS Web services on APP3 so that you can demonstrate HTTP connectivity over
the DirectAccess connection.
C. Create a shared folder on APP3
You will create a shared folder on APP3 so that you can demonstrate SMB connectivity over the
DirectAccess connection.
A. Install the OS on APP3
The first step is to install Windows Server 2003 Enterprise Edition on APP3. This is not a requirement.
We could use another IPv4 only operating system, such as Windows 2000 Server or even Windows XP.
The goal is to provide an IPv4 resource for the DirectAccess clients to connect to from over the Internet.
Perform the following steps to install the operating system on APP3:
1. *Connect the APP3 computer or virtual machine to the Corpnet subnet.
2. Start the installation of Windows Server 2003.
3. On the Welcome to the Windows Setup Wizard page, click Next.
4. On the Regional and Language Options page, click Next.
5. On the Personalize Your Software page, enter your Name and Organization information, click
Next.
6. On the Licensing Modes page, select Per server. Number of concurrent connections option and
enter 100. Click Next.
7. On the Computer Name and Administrator Password page, in the Computer name text box,
enter APP3. Enter a complex Administrator password and Confirm password. Click Next.
8. On the Date and Time Settings page, set the correct date and time and click Next.
9. On the Networking Settings page, select Custom Settings and click Next.
10. On the Networking Components page, select Internet Protocol (TCP/IP) and click Properties.
11. On the Internet Protocol (TCP/IP) Properties page, select the Use the following IP address
option. In the IP address text box, enter 10.0.0.4. In the Subnet Mask text box, enter
255.255.255.0. Select the Use the following DNS server addresses option. In the Preferred DNS
server text box, enter 10.0.0.10.
12. In the Internet Protocol (TCP/IP) Properties dialog box, click the Advanced button.
13. In the Advanced TCP/IP Settings dialog box, click the DNS tab.
14. On the DNS tab, in the DNS Suffix for this connection text box, enter corp.contoso.com. Click
OK. In the Internet Protocol (TCP/IP) Properties dialog box, click OK. On the Networking
Components page, click Next.
15. On the Workgroup or Computer Domain page, select the Yes make this computer a member of
the following domain option. In the text box under that option, enter CORP.
16. In the Join Computer to CORP Domain dialog box, in the User name text box, enter CORP\User2
and in the Password text box, enter User2’s password. Click OK.
17. Log on as CORP\Administrator.
B. Install Web Services
You will install IIS Web services on APP3 so that you can demonstrate HTTP connectivity over the
DirectAccess connection.
Perform the following steps to install IIS web services on APP3:
1. At APP3, click Start and point to Control Panel. Click Add or Remove Programs.
2. In the Add or Remove Programs window, click Add/Remove Windows Components button.
3. On Windows Components page, click Application Server and then click Details.
4. In the Application Server dialog box, put a checkmark in the Internet Information Services (IIS)
checkbox. Click OK.
5. On the Windows Components page, click Next.
6. On the Completing the Windows Components Wizard page, click Finish.
7. Close the Add or Remove Programs window.
8. Click the Internet Explorer icon in the Quick Start Bar.
9. In the dialog box that informs you Internet Explorer Enhanced Security Configuration is enabled,
put a checkmark in the In the future, do not show this message checkbox and then click OK.
10. In the Internet Explorer address bar, enter http://localhost and press ENTER.
11. You should see the IIS Under Construction page, indicating that the default IIS Web site is
available and running.
C. Create a Shared Folder on C:\
You will create a shared folder on APP3 so that you can demonstrate SMB connectivity over the
DirectAccess connection.
Perform the following steps to create a shared folder on APP3:
1. At APP3, click Start and click Windows Explorer.
2. In the left pane of the Windows Explorer window, expand My Computer and click Local Disk (C:)
3. Click the File menu, point to New and click Folder.
4. Rename New Folder to Files.
5. Right-click the Files folder, and then click Sharing and Security.
6. In the Files Properties dialog box, on the Sharing tab, select the Share this folder option. Accept
the default share name, which is Files. Click OK.
7. Double-click the Files folder.
8. Click the File menu, point to New, and click Text Document.
9. Double-click the New Text Document.txt file.
10. In the New Text Document.txt – Notepad window, enter This is a new text document.
11. Close the Notepad window. In the Notepad dialog box, click Yes to save the changes.
9. Test DirectAccess Connectivity from the Internet
Now you can test DirectAccess connectivity on CLIENT1. For your first set of tests, you will connect CLIENT1
to the simulated Internet. When connected to the simulated Internet, CLIENT1 will be assigned a public
IP address. When a DirectAccess client is assigned a public IP address, it will try to establish a connection
to the DirectAccess server using an IPv6 6to4 connection over its 6to4 tunnel adapter. After connecting
to the simulated Internet and establishing the DirectAccess connection, you will carry out a number of
tests to confirm IPv6 connectivity and connectivity to resource domain assets from over the simulated
Internet.
1. *On the CLIENT1 computer or virtual machine, log off from CLIENT1. Log on as CORP\User2.
2. Unplug CLIENT1 from the corpnet switch and connect it to the Internet switch.
3. Open an elevated command prompt. In the command prompt window, enter ipconfig /all and
press ENTER.
4. Examine the output from the ipconfig command. This computer is now connected to the
Internet and has a public IP address. When the DirectAccess client has a public IP address, it will
use the 6to4 IPv6 transition technology to tunnel the IPv6 messages over an IPv4 Internet
between the DirectAccess client and UAG DirectAccess server. Look at the information in the
Tunnel adapter 6TO4 adapter. You will see a tunnel adapter address that begins with
2002:836b, which is a globally routable address.
5. In the command prompt window, enter ipconfig /flushdns and press ENTER. This will flush
name resolution entries that may still exist in the client DNS cache from when CLIENT1 was
connected to the corpnet.
6. In the command prompt window, enter ping dc1 and press ENTER. You should see replies from
the ISATAP address assigned to DC1, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.1
7. In the command prompt window, enter ping dc2 and press ENTER. You should see replies from
the ISATAP address assigned to DC2, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.10
8. In the command prompt window, enter ping uag1 and press ENTER. You should see replies from
the ISATAP address assigned to UAG1, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.2
9. In the command prompt window, enter ping app3 and press ENTER. You should see replies from
the NAT64 address assigned by UAG1 to APP3, which in this case is 2002:836b:2:8001::a00:4
The ability to ping APP3 is important, as it indicates that NAT64/DNS64 is working correctly.
10. In the command prompt window, enter netsh namespace show effectivepolicy and press
ENTER. The output shows the current settings for the Name Resolution Policy Table (NRPT).
These settings indicate that all connections to .corp.contoso.com and .pilot.contoso.com should
be resolved by the DirectAccess DNS64 DNS proxy, which is the UAG DirectAccess server, with
the IPv6 address of 2002:836b:3::836b:3. Also, note the NRPT entry indicating that there is an
exemption for the name nls.pilot.contoso.com; names on the exemption list are not answered
by the DirectAccess DNS server. You can ping the DirectAccess DNS server IP address to confirm
connectivity to the DirectAccess server; for example, you can ping 2002:836b:3::836b:3 in this
example.
11. Click the Internet Explorer icon, click the Tools menu and click Internet Options. In the Internet
Options dialog box, on the General tab, click the Use Blank button to set the default Web page
as blank. Close the Internet Explorer window.
12. In the Internet Explorer address bar, enter http://dc2.corp.contoso.com and press ENTER. You
will see the default IIS site on DC2.
13. In the Internet Explorer address bar, enter http://app3.corp.contoso.com and press ENTER.
You will see the default web site on APP3. The connection to APP3 differs from that made by the
connection to DC2; DC2 is accessible over the infrastructure tunnel (because this server is listed
as a management server in the DirectAccess configuration), which uses computer certificate and
NTLMv2 authentication. In contrast, the connection to APP3 is to a server that is not on the
management servers list, and thus must be made over the intranet tunnel, which requires
Kerberos authentication.
14. Click Start and in the Search box, enter \\App3\Files and press ENTER. Double click on the New
Text Document file. This demonstrates that you were able to connect to an IPv4 only server
using SMB to obtain a resource in the resource domain.
15. Click Start and in the Search box, enter wf.msc and press ENTER.
16. In the Windows Firewall with Advanced Security console, notice that only the Public Profile is
active. The Windows Firewall must be enabled for DirectAccess to work correctly. If for some
reason the Windows Firewall were disabled, DirectAccess connectivity would fail.
17. Expand the Monitoring node in the left pane of the console and click the Connection Security
Rules node. You should see the active connection security rules: UAG DirectAccess Client –
Client Access Enabling Tunnel – All, UAG DirectAccess Client – Clients Corp Tunnel and UAG
DirectAccess Client – Exempt NLA. Scroll the middle pane to the right to expose the 1st
Authentication Methods and 2nd Authentication Methods columns. Notice that the first rule
uses NTLMv2 to establish the infrastructure tunnel and the second rule uses Kerberos V5 to
establish the intranet tunnel.
18. In the left pane of the console, expand the Security Associations node and click the Main Mode
node. Notice the infrastructure tunnel security associations using NTLMv2 and the intranet
tunnel security association using Kerberos V5. Right click the entry that shows User (Kerberos
V5) as the 2nd Authentication Method and click Properties. On the General tab, notice the
Second authentication Local ID is CORP\User2, indicating that User2 was able to successfully
authenticate to the CORP domain over the forest trust.
19. Close all open windows before moving to the next step.
10. Test DirectAccess Connectivity from Behind a NAT Device
When a DirectAccess client is connected to the Internet from behind a NAT device or a Web proxy
server, the client will use either Teredo or IP-HTTPS to connect to the DirectAccess server. If the NAT
device enables outbound UDP port 3544 to the DirectAccess server’s public IP address, then Teredo will
be used. If Teredo access is not available, the DirectAccess client will fall back to IP-HTTPS over
outbound TCP port 443, which enables access through firewalls or Web proxy servers over the
traditional SSL port. Teredo is the preferred access method, because of its superior performance.
In this section you will perform the same tests that you performed when connecting using a 6to4
connection in the previous section.
A. Testing Teredo Connectivity
The DirectAccess client can use either Teredo or IP-HTTPS when connecting to the DirectAccess server
from behind a NAT device. You will first examine the settings and test connectivity using Teredo.
Perform the following steps to test Teredo connectivity:
1. Unplug CLIENT1 from the Internet switch and connect it to the Homenet switch. If asked what
type of network you want to define the current network as, select Home Network.
2. Open an elevated command prompt. In the command prompt window, enter ipconfig /all and
press ENTER.
3. Examine the output of the ipconfig command. This computer is now connected to the Internet
from behind a NAT device and is assigned a private IPv4 address. When the DirectAccess client is
behind a NAT device and assigned a private IPv4 address, the preferred IPv6 transition
technology is Teredo. If you look at the output of the ipconfig command, you should see a section
for Tunnel adapter Local Area Connection with the Description Teredo Tunneling Pseudo-Interface,
with an IP address that starts with 2001:, indicating that this is a Teredo address. You
will not see a default gateway listed for the Teredo tunnel adapter.
4. In the command prompt window, enter ipconfig /flushdns and press ENTER. This will flush
name resolution entries that may still exist in the client DNS cache from when CLIENT1 was
connected to the corpnet.
5. In the command prompt window, enter ping dc1 and press ENTER. You should see replies from
the ISATAP address assigned to DC1, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.1
6. In the command prompt window, enter ping dc2 and press ENTER. You should see replies from
the ISATAP address assigned to DC2, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.10
7. In the command prompt window, enter ping uag1 and press ENTER. You should see replies from
the ISATAP address assigned to UAG1, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.2
8. In the command prompt window, enter ping app3 and press ENTER. You should see replies from
the NAT64 address assigned by UAG1 to APP3, which in this case is 2002:836b:2:8001::a00:4
9. In the command prompt window, enter netsh namespace show effectivepolicy and press
ENTER. The output shows the current settings for the Name Resolution Policy Table (NRPT).
These settings indicate that all connections to .corp.contoso.com and .pilot.contoso.com should
be resolved by the DirectAccess DNS64 DNS proxy, which is the UAG DirectAccess server, with
the IPv6 address of 2002:836b:3::836b:3. Also, note the NRPT entry indicating that there is an
exemption for the name nls.pilot.contoso.com; names on the exemption list are not answered
by the DirectAccess DNS server. You can ping the DirectAccess DNS server IP address to confirm
connectivity to the DirectAccess server; for example, you can ping 2002:836b:3::836b:3 in this
example.
10. In the Internet Explorer address bar, enter http://dc2.corp.contoso.com and press ENTER. You
will see the default IIS site on DC2.
11. In the Internet Explorer address bar, enter http://app3.corp.contoso.com and press ENTER.
You will see the default web site on APP3. The connection to APP3 differs from that made by the
connection to DC2; DC2 is accessible over the infrastructure tunnel (because this server is listed as
a management server in the DirectAccess configuration), which uses computer certificate and
NTLMv2 authentication. In contrast, the connection to APP3 is to a server that is not on the
management servers list, and thus must be made over the intranet tunnel, which requires
Kerberos authentication.
12. Click Start and in the Search box, enter \\App3\Files and press ENTER. Double click on the New
Text Document file. This demonstrates that you were able to connect to an IPv4 only server
using SMB to obtain a resource in the resource domain.
13. Click Start and in the Search box, enter wf.msc and press ENTER.
14. In the Windows Firewall with Advanced Security console, notice that only the Private profile is
active. The Windows Firewall must be enabled for DirectAccess to work correctly. If for some
reason the Windows Firewall were disabled, DirectAccess connectivity would fail.
15. Expand the Monitoring node in the left pane of the console and click the Connection Security
Rules node. You should see the active connection security rules: UAG DirectAccess Client –
Client Access Enabling Tunnel – All, UAG DirectAccess Client – Clients Corp Tunnel and UAG
DirectAccess Client – Exempt NLA. Scroll the middle pane to the right to expose the 1st
Authentication Methods and 2nd Authentication Methods columns. Notice that the first rule
uses NTLMv2 to establish the infrastructure tunnel and the second rule uses Kerberos V5 to
establish the intranet tunnel.
16. In the left pane of the console, expand the Security Associations node and click the Main Mode
node. Notice the infrastructure tunnel security associations using NTLMv2 and the intranet
tunnel security association using Kerberos V5. Right click the entry that shows User (Kerberos
V5) as the 2nd Authentication Method and click Properties. On the General tab, notice the
Second authentication Local ID is CORP\User2, indicating that User2 was able to successfully
authenticate to the CORP domain over the forest trust.
17. Close the System Control Panel window and the Windows Firewall with Advanced Security
console. Close all other open windows before moving to the next step.
B. Testing IP-HTTPS Connectivity
When the DirectAccess client is unable to establish a Teredo connection with the DirectAccess server
(typically when a firewall or router has blocked outbound UDP port 3544), the DirectAccess client will
configure itself to use IP-HTTPS to tunnel IPv6 messages over the IPv4 Internet. In the following exercises
you will confirm that the host is configured as an IP-HTTPS host and check its connectivity characteristics.
Perform the following steps to enable IP-HTTPS connectivity:
1. Open an elevated command prompt. In the command prompt window, enter netsh interface
teredo set state disabled and press ENTER. You should see an Ok response when the command
completes.
2. In the command prompt window, enter ipconfig /all and press ENTER.
3. Examine the output of the ipconfig command. This computer is now connected to the Internet
from behind a NAT device and is assigned a private IPv4 address. We have disabled Teredo
functionality and the DirectAccess client falls back to IP-HTTPS. When you look at the output of
the ipconfig command, you should see a section for Tunnel adapter iphttpsinterface with an IP
address that starts with 2002:836b:2:8100, indicating that this is an IP-HTTPS address. You will not
see a default gateway listed for the IP-HTTPS tunnel adapter.
4. In the command prompt window, enter ipconfig /flushdns and press ENTER. This will flush
name resolution entries that may still exist in the client DNS cache from when CLIENT1 was
connected to the corpnet.
5. In the command prompt window, enter ping dc1 and press ENTER. You should see replies from
the ISATAP address assigned to DC1, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.1
6. In the command prompt window, enter ping dc2 and press ENTER. You should see replies from
the ISATAP address assigned to DC2, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.10
7. In the command prompt window, enter ping uag1 and press ENTER. You should see replies from
the ISATAP address assigned to UAG1, which in this case is 2002:836b:2:8000:0:5efe:10.0.0.2
8. In the command prompt window, enter ping app3 and press ENTER. You should see replies from
the NAT64 address assigned by UAG1 to APP3, which in this case is 2002:836b:2:8001::a00:4
9. In the command prompt window, enter netsh namespace show effectivepolicy and press
ENTER. The output shows the current settings for the Name Resolution Policy Table (NRPT).
These settings indicate that all connections to .corp.contoso.com and .pilot.contoso.com should
be resolved by the DirectAccess DNS Server, which is the UAG DirectAccess server, with the IPv6
address of 2002:836b:3::836b:3. Also, note the NRPT entry indicating that there is an exemption
for the name nls.pilot.contoso.com; names on the exemption list are not answered by the
DirectAccess DNS server. You can ping the DirectAccess DNS server IP address to confirm
connectivity to the DirectAccess server; for example, you can ping 2002:836b:3::836b:3 in this
example.
10. In the Internet Explorer address bar, enter http://dc2.corp.contoso.com and press ENTER. You
will see the default IIS site on DC2.
11. In the Internet Explorer address bar, enter http://app3.corp.contoso.com and press ENTER.
You will see the default web site on APP3. The connection to APP3 differs from that made by the
connections to DC1 and DC2; both DC1 and DC2 are accessible over the infrastructure tunnel
(because these two servers are listed as management servers in the DirectAccess configuration),
which uses computer certificate and NTLMv2 authentication. In contrast, the connection to
APP3 is to a server that is not on the management servers list, and thus must be made over the
intranet tunnel, which requires Kerberos authentication.
12. Click Start and in the Search box, enter \\App3\Files and press ENTER. Double click on the New
Text Document file. This demonstrates that you were able to connect to an IPv4 only server
using SMB to obtain a resource in the resource domain.
13. Click Start and in the Search box, enter wf.msc and press ENTER.
14. In the Windows Firewall with Advanced Security console, notice that only the Private profile is
active. The Windows Firewall must be enabled for DirectAccess to work correctly. If for some
reason the Windows Firewall were disabled, DirectAccess connectivity would fail.
15. Expand the Monitoring node in the left pane of the console and click the Connection Security
Rules node. You should see the active connection security rules: UAG DirectAccess Client –
Client Access Enabling Tunnel – All, UAG DirectAccess Client – Clients Corp Tunnel and UAG
DirectAccess Client – Exempt NLA. Scroll the middle pane to the right to expose the 1st
Authentication Methods and 2nd Authentication Methods columns. Notice that the first rule
uses NTLMv2 to establish the infrastructure tunnel and the second rule uses Kerberos V5 to
establish the intranet tunnel.
16. In the left pane of the console, expand the Security Associations node and click the Main Mode
node. Notice the infrastructure tunnel security associations using NTLMv2 and the intranet
tunnel security association using Kerberos V5. When you right click the Kerberos security
association, you will see authentication for CORP\User2.
17. Close the System Control Panel window and the Windows Firewall with Advanced Security
console. Close all other open windows before moving to the next step.
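The netsh namespace show effectivepolicy step in each of the three test procedures above (6to4, Teredo and IP-HTTPS) shows the same NRPT. The following added example, which is not part of the lab guide or of UAG, models that table in Python so you can see why dc2.corp.contoso.com goes to the DNS64 proxy while nls.pilot.contoso.com does not: the most specific matching rule wins, and an exemption rule has no DNS server, so the name falls through to the adapter's normal DNS. The table contents are taken from the guide; the matching logic is the author's summary of NRPT behaviour.

```python
# Constructed model of the NRPT that "netsh namespace show effectivepolicy"
# displays on CLIENT1 in this lab (the entries are from the guide; the table
# itself is an added illustration, not output captured from the tool).
DA_DNS_SERVER = "2002:836b:3::836b:3"   # DNS64 proxy on the UAG DirectAccess server

NRPT = [
    # (namespace, dns_servers): a leading "." makes it a suffix rule; an
    # empty server list is an exemption rule (answered by interface DNS).
    (".corp.contoso.com", [DA_DNS_SERVER]),
    (".pilot.contoso.com", [DA_DNS_SERVER]),
    ("nls.pilot.contoso.com", []),          # Network Location Server exemption
]


def match_nrpt(name, table=NRPT):
    """Return (namespace, servers) for the most specific rule matching name, or None."""
    name = name.rstrip(".").lower()
    best = None
    for namespace, servers in table:
        ns = namespace.lower()
        hit = name.endswith(ns) if ns.startswith(".") else name == ns
        # Longest namespace wins, so the exact NLS entry beats .pilot.contoso.com
        if hit and (best is None or len(ns) > len(best[0])):
            best = (ns, servers)
    return best


def resolver_for(name):
    """Where a query for name is sent while the DirectAccess NRPT is in effect."""
    rule = match_nrpt(name)
    if rule is None:
        return "interface DNS"                 # not governed by the NRPT at all
    if not rule[1]:
        return "interface DNS (NRPT exemption)"  # e.g. the NLS name
    return rule[1][0]                           # the DirectAccess DNS64 proxy


if __name__ == "__main__":
    for n in ("dc2.corp.contoso.com", "app3.corp.contoso.com",
              "nls.pilot.contoso.com", "www.contoso.com"):
        print(f"{n:28} -> {resolver_for(n)}")
```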
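The three procedures above ask you to recognise 6to4, ISATAP, Teredo, NAT64 and IP-HTTPS addresses by eye. The following added example, written for this guide and not part of it or of any Microsoft tool, decodes such an address and recovers the IPv4 information embedded in it, which is useful when reading ipconfig output or IPsec and firewall logs during troubleshooting. The NAT64 and IP-HTTPS prefixes are inferred from the addresses quoted in the guide and are assumptions about this lab; the Teredo sample address is constructed.

```python
import ipaddress

# Prefixes inferred from the addresses quoted in the guide (lab-specific assumptions).
NAT64_PREFIX = ipaddress.IPv6Network("2002:836b:2:8001::/96")    # DNS64/NAT64 on UAG1
IPHTTPS_PREFIX = ipaddress.IPv6Network("2002:836b:2:8100::/64")  # IP-HTTPS clients


def _low32_as_ipv4(n: int) -> str:
    """Interpret the last 32 bits of an IPv6 address as a dotted IPv4 address."""
    return str(ipaddress.IPv4Address(n & 0xFFFFFFFF))


def describe_transition_address(addr: str) -> dict:
    """Classify a DirectAccess client/server address and extract embedded IPv4 data."""
    a = ipaddress.IPv6Address(addr)
    n = int(a)
    groups = a.exploded.split(":")          # eight zero-padded 16-bit hex groups
    info = {"address": str(a)}
    if a.teredo is not None:
        # 2001:0::/32 -> server IPv4 : flags : ~UDP port : ~client IPv4 (RFC 4380)
        server, client = a.teredo
        info.update(kind="Teredo",
                    teredo_server=str(server),
                    nat_client_ipv4=str(client),
                    mapped_udp_port=(~int(groups[5], 16)) & 0xFFFF)
    elif a in NAT64_PREFIX:
        # DNS64 synthesises prefix::w.x.y.z for an IPv4-only host such as APP3
        info.update(kind="NAT64", ipv4_host=_low32_as_ipv4(n))
    elif a in IPHTTPS_PREFIX:
        info["kind"] = "IP-HTTPS"
    elif a.sixtofour is not None:
        # 2002:WWXX:YYZZ::/48 carries the public IPv4 W.X.Y.Z of the 6to4 prefix
        info["sixtofour_ipv4"] = str(a.sixtofour)
        if groups[5] == "5efe" and groups[4] in ("0000", "0200"):
            # ISATAP interface identifier ::0:5efe:w.x.y.z (0200 when w.x.y.z is public)
            info.update(kind="ISATAP inside 6to4", isatap_host_ipv4=_low32_as_ipv4(n))
        else:
            info["kind"] = "6to4"
    else:
        info["kind"] = "native or unknown"
    return info


if __name__ == "__main__":
    for sample in ("2002:836b:2:8000:0:5efe:10.0.0.1",      # DC1 via ISATAP (from the guide)
                   "2002:836b:2:8001::a00:4",               # APP3 via NAT64 (from the guide)
                   "2002:836b:3::836b:3",                   # UAG1 DNS64 address (from the guide)
                   "2002:836b:2:8100::1",                   # constructed IP-HTTPS address
                   "2001:0:c000:201:8000:63bf:34ff:8efa"):  # constructed Teredo address
        print(describe_transition_address(sample))
```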
11. Test Connectivity When Returning to the Corpnet
Many of your users will move between remote locations and the corpnet, so it's important that when
they connect again to the corpnet they are able to access resources without having to make any
configuration changes to their computers. UAG DirectAccess makes this possible because when
DirectAccess clients return to the corpnet, they are able to make a connection to the Network Location
Server. Once the HTTPS connection is successfully established to the Network Location Server, the
DirectAccess client disables its DirectAccess client configuration and uses a direct connection to the
corpnet.
Perform the following steps to test connectivity after returning CLIENT1 to the Corpnet subnet:
1. Shut down CLIENT1. Unplug CLIENT1 from the Home subnet or virtual switch and connect it to
the Corpnet subnet or virtual switch. If asked what type of network you want to define the
current network, select Work Network.
2. Log on as CORP\User2.
3. Open an elevated command prompt. In the command prompt window, enter ipconfig /all. The
output will indicate that CLIENT1 has a local IP address, and that there is no active 6to4, Teredo
or IP-HTTPS tunnel.
4. Test connectivity to the network share on APP3. Click Start and enter \\APP3\Files and press
ENTER. You will be able to open the file in that folder.