2. Install and Configure DirectAccess
One of the new features in
Windows Server 2008 R2 is DirectAccess. In addition to requiring a
Windows Server 2008 R2 server, this feature is available only to Windows
7 clients. This new capability allows you as the IT administrator a
great amount of control over your remote clients. DirectAccess will
enable your Windows 7 clients the ability to always be connected to your
corporate network regardless of how they are connected to the Internet.
DirectAccess is a connection solution for Windows Server 2008 R2
servers and Windows 7 clients, surpassing existing VPN solutions. Having
your clients always connect provides a consistent management model for
you. This provides you with a consistent way to manage, patch, and
secure remote workstations that in the past may not have always been
connected on a frequent basis. For your users, DirectAccess provides an
"always-on" secure connection to corporate networks and resources.
The installation for this tool
set can be lengthy and complex, although in the end this work could be
worth your time and effort if you have or are planning to have Windows 7
clients in your environment. In this section, you will see an overview
of the steps required to configure DirectAccess on your Windows Server
2008 R2 server. There are also numerous prerequisites needed to be
configured. Among many other things, DirectAccess requires an
understanding of IPv6 (with IPv4 translation), Public Key Infrastructure
(PKI), and the use of certificates, as well as a firm understanding of
DNS to make this solution work. Microsoft created a nice step-by-step
guide located here, which will also include all the necessary
prerequisites and client-side configuration: www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=8d47ed5f-d217-4d84-b698-f39360d82fac.
Although the installation can be
complex, the tool set on the Windows Server 2008 R2 server, which you
will see in this section, is designed to help you through the process.
The built-in tools in Windows Server 2008 R2 will make sure you have
dotted your i's and crossed your t's for the installation and configuration of DirectAccess.
2.1. Install the DirectAccess Management Console
When you need to configure
DirectAccess, you will need to install the DirectAccess management
console. The management console is a Windows Server 2008 R2 feature and
can be installed by adding the feature. The DirectAccess console is a
tool designed to step you through the process of properly configuring
Open Server Manager by selecting Start => Administrative Tools => Server Manager.
Click Features on the tree menu on the left.
Click Add Features in the details pane on the right.
Select DirectAccess Management Console, and click Next.
Review the confirmation screen, and click Install.
Review the summary screen, and click Close.
After you have installed the
console, you can find the tool in the Administrative Tools group, and
when you open the tool, you can begin the process of setting up
DirectAccess. When you first open the console, you will see a link to
help titled Checklist: Before You Configure DirectAccess. This link will
take you through all the necessary prerequisite steps.
Open the DirectAccess management console by selecting Start => Administrative Tools => DirectAccess Management Console.
On the tree on the left of the console, click Setup; you may see a screen with some errors like Figure 4. If you have errors, take corrective action, and click Retry.
After you have fixed any error messages, you will see a screen similar to Figure 5.
Figure 4. DirectAccess error
Figure 5. DirectAccess setup
As you can see, the
DirectAccess tool provides you a visual step-by-step guidance in
properly configuring this powerful connection component. Each
configuration step for DirectAccess can be modified after you have done
your initial configuration. You also have to complete the steps in order
to get a properly configured DirectAccess server:
In this step, you will configure which clients will be able to use
DirectAccess. You will add the appropriate computer groups in your AD
infrastructure that contain your preprovisioned DirectAccess systems.
Remember, only Windows 7 clients can participate in DirectAccess.
DirectAccess server setup:
In this step, you will configure the connection aspects of your network
adapters. You will need to specify which network adapters are used for
the Internet and your internal network. You will also have the ability
to configure your DirectAccess server to accept logins via smart cards.
You will also need to configure your certificate authorities (CAs) for
the DirectAccess server used to provide secure communications.
In this step, you will configure how your clients will access your core
infrastructure services such as the AD domain controllers and DNS
servers your users will need to access to work with your network
infrastructure. You can also configure in this step an internal web
server with the ability to provide location services for infrastructure
components to your DirectAccess clients.
In this step, you will configure your end-to-end authentication and
security for the DirectAccess components. DirectAccess allows you to
secure the communication channel from the beginning to the end to keep a
safe and secure channel. You also have to ability to control which
servers your DirectAccess clients can connect to; you have the ability
to restrict communications to certain servers in your network.
As you have seen, this
was a brief overview of the configuration for DirectAccess. This is a
new solution and provides a secure and fast connection method for your
remote clients to connect to your environment in addition to any VPNs
you may currently have.