2. Install and Configure DirectAccess
One of the new features in Windows Server 2008 R2 is DirectAccess. In
addition to requiring a Windows Server 2008 R2 server, this feature is
available only to Windows 7 clients. This new capability gives you, as
the IT administrator, a great amount of control over your remote
clients. DirectAccess enables your Windows 7 clients to always be
connected to your corporate network regardless of how they are connected
to the Internet. DirectAccess is a connection solution for Windows
Server 2008 R2 servers and Windows 7 clients, surpassing existing VPN
solutions. Having your clients always connected gives you a consistent
way to manage, patch, and secure remote workstations that in the past
may not have been connected on a frequent basis. For your users,
DirectAccess provides an "always-on" secure connection to corporate
networks and resources.
The installation for this tool set can be lengthy and complex, although
in the end this work could be worth your time and effort if you have or
are planning to have Windows 7 clients in your environment. In this
section, you will see an overview of the steps required to configure
DirectAccess on your Windows Server 2008 R2 server. There are also
numerous prerequisites that need to be configured. Among many other
things, DirectAccess requires an understanding of IPv6 (with IPv4
translation), Public Key Infrastructure (PKI), and the use of
certificates, as well as a firm understanding of DNS to make this
solution work. Microsoft created a step-by-step guide, which also
includes all the necessary prerequisites and client-side configuration:
www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=8d47ed5f-d217-4d84-b698-f39360d82fac.
Although the installation can be
complex, the tool set on the Windows Server 2008 R2 server, which you
will see in this section, is designed to help you through the process.
The built-in tools in Windows Server 2008 R2 will make sure you have
dotted your i's and crossed your t's for the installation and configuration of DirectAccess.
2.1. Install the DirectAccess Management Console
To configure DirectAccess, you first need to install the DirectAccess
management console. The management console is a Windows Server 2008 R2
feature and is installed by adding the feature. The DirectAccess console
is a tool designed to step you through the process of properly
configuring your server.
Open Server Manager by selecting Start => Administrative Tools => Server Manager.
Click Features on the tree menu on the left.
Click Add Features in the details pane on the right.
Select DirectAccess Management Console, and click Next.
Review the confirmation screen, and click Install.
Review the summary screen, and click Close.
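The same installation can be scripted. The PowerShell below is an added example, not from the original text: it installs the console feature by the display name used above and reports on a few prerequisites this section names (server version, network adapters, IPv6, certificates). The function names and the choice of checks are assumptions for illustration, and they are not the console's own checklist.

```powershell
# Added example (not from the original text). Run elevated on the intended
# DirectAccess server. Written for the PowerShell 2.0 that ships with 2008 R2.
Import-Module ServerManager

function New-Check($Name, $Pass) {
    New-Object PSObject -Property @{ Check = $Name; Pass = [bool]$Pass }
}

function Test-DAPrerequisite {
    # Windows Server 2008 R2 reports version 6.1.x; ProductType 1 is a workstation.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    New-Check 'Windows Server 2008 R2' ($os.Version -like '6.1.*' -and $os.ProductType -ne 1)

    # Assumption: the server is a domain member, since setup selects AD computer groups.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    New-Check 'Joined to an AD domain' $cs.PartOfDomain

    # Setup asks for one Internet-facing and one internal adapter.
    $nics = @(Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
    New-Check 'Two or more IP-enabled adapters' ($nics.Count -ge 2)

    # IPv6 is a stated prerequisite: look for any IPv6 address on those adapters.
    $ipv6 = @($nics | ForEach-Object { $_.IPAddress } | Where-Object { $_ -like '*:*' })
    New-Check 'IPv6 address present' ($ipv6.Count -gt 0)

    # A computer certificate with a private key that is currently valid.
    $now = Get-Date
    $certs = @(Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now })
    New-Check 'Valid machine certificate' ($certs.Count -gt 0)
}

function Install-DAConsole {
    # Look the feature up by the display name shown in the Add Features wizard.
    $feature = Get-WindowsFeature |
        Where-Object { $_.DisplayName -eq 'DirectAccess Management Console' }
    if (-not $feature) { throw 'DirectAccess Management Console feature not found.' }
    if (-not $feature.Installed) { Add-WindowsFeature -Name $feature.Name | Out-Null }
}

Install-DAConsole
Test-DAPrerequisite | Format-Table Check, Pass -AutoSize
```

Any row showing Pass as False is worth correcting before you open the Setup node in the console.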
After you have installed the
console, you can find the tool in the Administrative Tools group, and
when you open the tool, you can begin the process of setting up
DirectAccess. When you first open the console, you will see a link to
help titled Checklist: Before You Configure DirectAccess. This link will
take you through all the necessary prerequisite steps.
Open the DirectAccess management console by selecting Start => Administrative Tools => DirectAccess Management Console.
On the tree on the left of the console, click Setup; you may see a screen with some errors like Figure 4. If you have errors, take corrective action, and click Retry.
After you have fixed any error messages, you will see a screen similar to Figure 5.
As you can see, the DirectAccess tool provides visual, step-by-step
guidance for properly configuring this powerful connection component.
Each configuration step for DirectAccess can be modified after you have
done your initial configuration. You also have to complete the steps in
order to get a properly configured DirectAccess server:
Remote clients:
In this step, you will configure which clients will be able to use
DirectAccess. You will add the appropriate computer groups in your AD
infrastructure that contain your preprovisioned DirectAccess systems.
Remember, only Windows 7 clients can participate in DirectAccess.
DirectAccess server setup:
In this step, you will configure the connection aspects of your network
adapters. You will need to specify which network adapters are used for
the Internet and your internal network. You will also have the ability
to configure your DirectAccess server to accept logins via smart cards.
You will also need to configure your certificate authorities (CAs) for
the DirectAccess server used to provide secure communications.
Infrastructure servers:
In this step, you will configure how your clients will access your core
infrastructure services such as the AD domain controllers and DNS
servers your users will need to access to work with your network
infrastructure. You can also configure in this step an internal web
server with the ability to provide location services for infrastructure
components to your DirectAccess clients.
Application servers:
In this step, you will configure your end-to-end authentication and
security for the DirectAccess components. DirectAccess allows you to
secure the communication channel from the beginning to the end to keep a
safe and secure channel. You also have the ability to control which
servers your DirectAccess clients can connect to; you can restrict
communications to certain servers in your network.
This was a brief overview of the configuration for DirectAccess.
DirectAccess is a new solution that provides a secure and fast
connection method for your remote clients to connect to your
environment, in addition to any VPNs you may currently have.