In the previous article we built the basic lab environment for the DirectAccess (DA) experiment; this article covers the configuration of the DA server and client authentication.
DA Server Configuration
First, test access from CLIENT1 on the internal network to the APP1 server. The result is as follows:
[Image 0002: http://s3.51cto.com/wyfs02/m02/7a/62/wkiom1aowirx9r3jaacx5bqbx4m475.png]
Access is normal.
Configuring the DA Server
On the DA server, open Server Manager, then Tools, and click the Remote Access Management component.
Run the Getting Started Wizard.
[Image 001: http://s3.51cto.com/wyfs02/m02/7a/62/wkiol1aownkxkk9_aafxaxzly_e551.png]
Select "Deploy DirectAccess only".
[Image 002: http://s3.51cto.com/wyfs02/m00/7a/62/wkiol1aownthyu6kaadcoc3slco303.png]
For the network topology, select Edge. The wizard automatically fills in the public name of the remote access server, here "directaccess.sr.local". Click Next.
[Image 003: http://s3.51cto.com/wyfs02/m00/7a/62/wkiom1aowjgdb5caaadk0jhiem4031.png]
Clicking "here" lets you change settings before they are applied; skip that for now and click Finish. Steps 1 to 4 will be modified afterwards.
[Image 004: http://s3.51cto.com/wyfs02/m00/7a/62/wkiol1aownnyrhbqaadikgzidqg358.png]
The configuration was applied successfully, but with a warning.
[Image 005: http://s3.51cto.com/wyfs02/m01/7a/62/wkiol1aownri1qriaaceb9yfoqk226.png]
Next, a few settings need adjusting.
Click Step 1, Edit.
[Image 006: http://s3.51cto.com/wyfs02/m01/7a/62/wkiol1aown2gnl9naagtajf2vta554.png]
Deployment scenario: keep the default and click Next.
[Image 007: http://s3.51cto.com/wyfs02/m01/7a/62/wkiom1aowjnyazw2aaeo1dsyslc592.png]
Select Groups: remove the default group "Domain Computers" and add the "Da-clients" security group created earlier.
[Image 008: http://s3.51cto.com/wyfs02/m00/7a/62/wkiom1aowjuqr-ziaaezw7zokcq632.png]
Uncheck "Enable DirectAccess for mobile computers only". Click Next.
[Image 009: http://s3.51cto.com/wyfs02/m00/7a/62/wkiol1aowolsjbmsaaewtazpyua061.png]
Confirm the NCA resource URL and the DA connection name, then click Finish.
[Image 010: http://s3.51cto.com/wyfs02/m01/7a/62/wkiol1aowotihq3gaaeqdpcnexa899.png]
Switch to Step 2, Edit.
[Image 011: http://s3.51cto.com/wyfs02/m01/7a/63/wkiom1aowkggqqqsaagiqbnuajs464.png]
Confirm the network topology and the DA external access name.
[Image 012: http://s3.51cto.com/wyfs02/m02/7a/62/wkiol1aowoiynn2iaaehqff4lvu076.png]
Confirm the network adapter information and select the certificate for the IP-HTTPS connection.
[Image 013: http://s3.51cto.com/wyfs02/m02/7a/63/wkiom1aowkts-co2aaelmu9yafs004.png]
On the Authentication page, tick "Use computer certificates", browse to the root certificate of the enterprise CA, and click Finish.
[Image 014: http://s3.51cto.com/wyfs02/m02/7a/62/wkiol1aowoub-5xraaekc0jetsg867.png]
Switch to Step 3, Edit.
[Image 015: http://s3.51cto.com/wyfs02/m00/7a/62/wkiol1aowo7cv1oeaag9y1ebqwk539.png]
On the Network Location Server page, set the URL of the NLS and click Validate; it should pass. Here it is https://2012r2-a.sr.local; alternatively, create a DNS alias NLS that points to the 2012r2-a host record. Click Next.
[Image 016: http://s3.51cto.com/wyfs02/m01/7a/62/wkiol1aowpdsxdoraaezi-qbgtw603.png]
Confirm the DNS suffix and the IPv6 address of the internal DNS server.
[Image 017: http://s3.51cto.com/wyfs02/m01/7a/63/wkiom1aowkywni3aaaeyw7-ja9i632.png]
DNS suffix search list: keep the defaults and click Next.
[Image 018: http://s3.51cto.com/wyfs02/m02/7a/63/wkiom1aowk6wcnj-aaer55bmwze414.png]
Set the management server IP addresses; there are none here.
[Image 019: http://s3.51cto.com/wyfs02/m02/7a/62/wkiol1aowpxdt4pnaadxj-j7irk025.png]
Click Finish to apply the changes.
[Image 020: http://s3.51cto.com/wyfs02/m02/7a/63/wkiom1aowlosb5nraafl-ezshta815.png]
The configuration was applied successfully.
[Image 021: http://s3.51cto.com/wyfs02/m00/7a/62/wkiol1aowprdhohtaab-fmtyby8100.png]
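The same edits made in the wizard for steps 1 to 3 can be applied and verified from PowerShell with the RemoteAccess module on the DA server. The following is an added example, not code from the original post: every name (domain, group, public name, NLS URL, root CA subject) is this lab's value and an assumption, so check each Get-* output first and substitute your own.

```powershell
# Added example (not from the original post): PowerShell equivalent of the wizard edits in
# steps 1-3, run on the DA server. All names below are assumptions for this lab.
Import-Module RemoteAccess

$Domain     = 'sr'                        # assumed NetBIOS domain name
$DaGroup    = "$Domain\Da-clients"        # assumed DA client security group (step 1)
$PublicName = 'directaccess.sr.local'     # assumed external access name (step 2)
$NlsUrl     = 'https://2012r2-a.sr.local' # assumed NLS URL (step 3)
$RootCaName = 'sr-ROOT-CA'                # assumed subject of the enterprise root CA (step 2)

# Step 1: target only the DA client group (not "Domain Computers") and allow desktops as
# well as mobile computers, matching the two wizard changes above.
Set-DAClient -SecurityGroupNameList $DaGroup -OnlyRemoteComputers Disabled

# Step 2: computer-certificate authentication, with the enterprise root CA as the IPsec
# root certificate and the public name clients connect to.
$rootCa = Get-ChildItem Cert:\LocalMachine\Root |
          Where-Object { $_.Subject -match $RootCaName } |
          Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $rootCa) { throw "Root CA certificate '$RootCaName' not found in LocalMachine\Root" }
Set-DAServer -ConnectToAddress $PublicName -ComputerCertAuthentication Enabled -IPsecRootCertificate $rootCa

# Step 3: the NLS URL that inside clients probe to decide they are on the corporate network.
# The wizard's Validate button does the same HTTPS probe; repeat it here before committing.
$probe = Invoke-WebRequest -Uri $NlsUrl -UseBasicParsing -ErrorAction Stop
if ($probe.StatusCode -ne 200) { throw "NLS probe of $NlsUrl returned $($probe.StatusCode)" }
Set-DANetworkLocationServer -Url $NlsUrl

# Verification: read back what the GPOs will now carry and surface any unhealthy component.
Get-DAClient | Select-Object SecurityGroupNameList, OnlyRemoteComputers
Get-DAServer | Select-Object ConnectToAddress, ComputerCertAuthentication
Get-DANetworkLocationServer
Get-RemoteAccessHealth | Where-Object { $_.HealthState -ne 'OK' }
```

The NLS probe is done before `Set-DANetworkLocationServer` on purpose: if the NLS is unreachable, every client on the intranet concludes it is outside and tries to build DA tunnels to itself, which is the classic DirectAccess outage.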
The dashboard shows the operational status and configuration status of the DA components.
[Image 022: http://s3.51cto.com/wyfs02/m01/7a/63/wkiom1aowlayzdclaadvkn7ffqa052.png]
Two new GPOs appear in the domain: DirectAccess Server Settings and DirectAccess Client Settings.
[Image 023: http://s3.51cto.com/wyfs02/m01/7a/62/wkiol1aowp2imoc9aad0x465mdy509.png]
On CLIENT1, force a Group Policy update.
View the DA connection status; it shows ConnectedLocally.
[Image 024: http://s3.51cto.com/wyfs02/m02/7a/62/wkiol1aowp7dkhf2aaa913ir6ju436.png]
[Image 025: http://s3.51cto.com/wyfs02/m02/7a/63/wkiom1aowliylu8jaaayjq5xa0c646.png]
Move CLIENT1 to the Internet network.
View the DA connection status; it now shows ConnectedRemotely.
[Image 026: http://s3.51cto.com/wyfs02/m00/7a/63/wkiom1aowlmj1uebaaajdeg-beq333.png]
View the client's IP address.
[Image 027: http://s3.51cto.com/wyfs02/m01/7a/63/wkiom1aowlrwnfb_aacd0jxps3i458.png]
Test network connectivity to the intranet server.
[Image 028: http://s3.51cto.com/wyfs02/m02/7a/62/wkiol1aowqcw9h7laabrrd7fmnc330.png]
CLIENT1 tests access to the intranet file server and web server.
[Image 029: http://s3.51cto.com/wyfs02/m00/7a/62/wkiol1aowqhgghjgaaczvdmo3ds547.png]
Other client diagnostic commands:
Get-NCSIPolicyConfiguration
[Image 030: http://s3.51cto.com/wyfs02/m00/7a/62/wkiol1aowqkcrwcyaabunzf423c705.png]
Get-DnsClientNrptPolicy
[Image 031: http://s3.51cto.com/wyfs02/m01/7a/62/wkiol1aowqpis8ecaaazbfyuvba406.png]
Get-NetIPHttpsConfiguration
[Image 032: http://s3.51cto.com/wyfs02/m00/7a/63/wkiom1aowl-g4md2aabbjz9ovsq254.png]
netsh int 6to4 show state
[Image 033: http://s3.51cto.com/wyfs02/m01/7a/63/wkiom1aowl-q3a8naabeslnquoq937.png]
Remote Client Status
[Image 034: http://s3.51cto.com/wyfs02/m02/7a/62/wkiol1aowqaiscz6aac5dufwce8658.png]
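The diagnostic cmdlets listed above are usually run one at a time; the following added example (not from the original post) folds them into a single client-side health report, so that a helpdesk can see at once whether the client received the DA GPO, which NLS and IP-HTTPS names it was given, and whether it can reach intranet hosts. It assumes a domain-joined Windows 8.1 or later DA client with the DirectAccessClientComponents module; the expected NLS URL, public name and intranet host names are this lab's values and are assumptions.

```powershell
# Added example (not from the original post): one-shot DirectAccess client health report built
# from the diagnostic cmdlets above. Lab names below are assumptions.
$ExpectedNlsUrl  = 'https://2012r2-a.sr.local'   # assumed: NLS URL from step 3
$ExpectedIpHttps = 'directaccess.sr.local'       # assumed: public name from step 2

function Test-DAClientHealth {
    $report = [ordered]@{}

    # 1. Overall DA status: ConnectedLocally (inside), ConnectedRemotely (outside) or an error.
    $status = Get-DAConnectionStatus
    $report.Status    = $status.Status
    $report.Substatus = $status.Substatus

    # 2. NCSI: the URL the client probes to decide whether it is on the corporate network.
    #    If this does not match the configured NLS, inside clients will think they are outside.
    $ncsi = Get-NCSIPolicyConfiguration
    $report.NlsProbeUrl = $ncsi.DomainLocationDeterminationUrl
    $report.NlsMatches  = ($ncsi.DomainLocationDeterminationUrl -like "$ExpectedNlsUrl*")

    # 3. NRPT: which namespaces are sent to the DA DNS64 server. An empty table usually means
    #    the client never received the "DirectAccess Client Settings" GPO.
    $nrpt = Get-DnsClientNrptPolicy
    $report.NrptNamespaces = ($nrpt | ForEach-Object Namespace) -join ', '
    $report.NrptDaServers  = ($nrpt | ForEach-Object DirectAccessDnsServers | Select-Object -Unique) -join ', '

    # 4. IP-HTTPS: the transition technology that works through NAT and with a single-NIC server.
    $iphttps = Get-NetIPHttpsConfiguration | Select-Object -First 1
    $report.IpHttpsUrl   = $iphttps.ServerURL
    $report.IpHttpsState = (Get-NetIPHttpsState).InterfaceStatus
    $report.IpHttpsMatch = ($iphttps.ServerURL -like "https://$ExpectedIpHttps*")

    # 5. Teredo and 6to4 state, relevant only when the client is outside and not on IP-HTTPS.
    $report.Teredo    = (Get-NetTeredoState).State
    $report.SixToFour = (netsh interface 6to4 show state) -join ' '

    [pscustomobject]$report
}

function Test-DACorporateReachability {
    # Resolve and ping the intranet hosts the post tested. Host names are assumed lab values.
    param([string[]]$Hosts = @('app1.sr.local', '2012r2-a.sr.local'))
    foreach ($h in $Hosts) {
        $addr = try {
            (Resolve-DnsName $h -ErrorAction Stop | Where-Object { $_.Type -in 'A','AAAA' }).IPAddress
        } catch { $null }
        [pscustomobject]@{
            Host      = $h
            Resolved  = $addr -join ', '
            Reachable = if ($addr) { Test-Connection -ComputerName $h -Count 1 -Quiet } else { $false }
        }
    }
}

Test-DAClientHealth | Format-List
Test-DACorporateReachability | Format-Table -AutoSize
```

When the client is outside, the resolved addresses should be IPv6 (DNS64-synthesized for IPv4-only intranet hosts) and `Status` should read ConnectedRemotely; a `Status` of Error with an IP-HTTPS `InterfaceStatus` other than connected normally points at the certificate or the public name rather than at IPsec.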
Considerations for DA configuration:
Windows Firewall must be enabled on domain computers, with the allow and block rules of the default profile in effect, because disabling the Windows Firewall service also disables IPsec.
If you want clients to connect using Teredo, the DirectAccess server must have two consecutive public IPv4 addresses configured on its external physical interface, and the DA server cannot be behind a NAT device; this is required for Teredo client NAT detection.
If the DirectAccess server is behind a NAT device or has only one network interface, clients can only connect using IP-HTTPS.
Verify the PKI infrastructure and server certificates. The enterprise should have its own CA, or use certificates issued by a public CA. Domain computers are configured to auto-enroll for a computer certificate; in addition to its auto-enrolled computer certificate, the DA server requests a separate certificate for the IP-HTTPS connection, whose common name must match the external access name. With an enterprise CA it is also best to configure the CRL (certificate revocation list) and publish it externally.
Check the membership of the DirectAccess client security group configured in Step 1 of the Remote Access Setup Wizard.
Firewall port exception settings for DA connections (Firewall Exceptions).
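The considerations above can be checked mechanically on the DA server before clients are moved outside. The following is an added example, not code from the original post: a pre-flight script using the RemoteAccess, NetSecurity and ActiveDirectory modules that flags a disabled firewall profile, Teredo without two consecutive public IPv4 addresses, an IP-HTTPS certificate whose name, EKU, expiry or CRL distribution point is wrong, and a client group that is still "Domain Computers" or empty. The public name and group name are this lab's values (assumed), and the `Get-DAServer`/`Get-DAClient` property names used are those documented for Windows Server 2012 R2.

```powershell
# Added example (not from the original post): pre-flight check on the DA server for the
# considerations listed above. Lab names and property names below are assumptions.
$PublicName  = 'directaccess.sr.local'   # assumed: external access name from step 2
$ClientGroup = 'Da-clients'              # assumed: DA client security group from step 1

function ConvertTo-IPv4Int ([string]$Ip) {
    # Big-endian integer value of a dotted quad, used to test for consecutive addresses.
    $b = ([ipaddress]$Ip).GetAddressBytes()
    [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function Test-DAServerPrerequisites {
    $findings = New-Object System.Collections.Generic.List[string]
    $da     = Get-DAServer
    $client = Get-DAClient

    # 1. Windows Firewall must stay enabled on every profile: the IPsec tunnels DirectAccess
    #    relies on are enforced by the Windows Firewall service.
    foreach ($p in Get-NetFirewallProfile) {
        if (-not $p.Enabled) { $findings.Add("Firewall profile '$($p.Name)' is disabled; IPsec tunnels will fail.") }
    }

    # 2. Teredo needs two consecutive public IPv4 addresses on the Internet-facing NIC and no
    #    NAT in front of the server; otherwise clients can only use IP-HTTPS.
    $private = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.)'
    $public  = Get-NetIPAddress -InterfaceAlias $da.InternetInterface -AddressFamily IPv4 -ErrorAction SilentlyContinue |
               Where-Object { $_.IPAddress -notmatch $private } |
               ForEach-Object { ConvertTo-IPv4Int $_.IPAddress } | Sort-Object
    $consecutive = $false
    for ($i = 1; $i -lt $public.Count; $i++) {
        if ($public[$i] - $public[$i - 1] -eq 1) { $consecutive = $true }
    }
    if ($da.TeredoState -eq 'Enabled' -and -not $consecutive) {
        $findings.Add("Teredo is enabled but '$($da.InternetInterface)' has no two consecutive public IPv4 addresses; expect IP-HTTPS only.")
    }

    # 3. IP-HTTPS certificate: CN or SAN must match the public name, carry the Server
    #    Authentication EKU, be unexpired and (for an enterprise CA) publish an HTTP CRL.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -match "CN=$PublicName" -or $_.DnsNameList.Unicode -contains $PublicName } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        $findings.Add("No computer certificate with CN or SAN '$PublicName' found for IP-HTTPS.")
    } else {
        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $findings.Add("IP-HTTPS certificate expires $($cert.NotAfter).") }
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        if ($eku -and $eku.EnhancedKeyUsages.Value -notcontains '1.3.6.1.5.5.7.3.1') {
            $findings.Add('IP-HTTPS certificate lacks the Server Authentication EKU.')
        }
        $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        if (-not $cdp -or $cdp.Format($true) -notmatch 'http://') {
            $findings.Add('IP-HTTPS certificate has no HTTP CRL distribution point; external clients cannot check revocation.')
        }
    }

    # 4. Client security group: the wizard default "Domain Computers" would push the DA
    #    client GPO to every machine, and an empty group means no client gets it at all.
    if ($client.SecurityGroupNameList -match 'Domain Computers') {
        $findings.Add('DA client settings still target "Domain Computers"; replace with the DA client group.')
    }
    $members = Get-ADGroupMember -Identity $ClientGroup | Where-Object { $_.objectClass -eq 'computer' }
    if (-not $members) { $findings.Add("Group '$ClientGroup' has no computer members; no client will receive the DA GPO.") }

    [pscustomobject]@{
        ConnectTo          = $da.ConnectToAddress
        TeredoState        = $da.TeredoState
        IpHttpsCertificate = if ($cert) { $cert.Thumbprint } else { $null }
        ClientGroups       = $client.SecurityGroupNameList -join ', '
        ClientMembers      = ($members | ForEach-Object Name) -join ', '
        Findings           = $findings
    }
}

Test-DAServerPrerequisites | Format-List
```

An empty `Findings` list is the goal; each entry maps back to one of the bullet points above, so the script doubles as a checklist when the dashboard reports an unhealthy component.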
DirectAccess Technology (4): Configuration of the DA Server and Client Authentication