Direct Access Technology Four: configuration of the DA Server and client authentication

Source: Internet
Author: User

Having built the basic environment for the DA lab, this article mainly looks at the configuration of the DA server and at client authentication.

DA Server Configuration

First, test access from CLIENT1 (on the internal network) to the APP1 server. The result is as follows:

Access is normal.

Configuring the DA Server

On the DA server, open Server Manager - Tools and click the Remote Access Management component.

Run the Getting Started Wizard.

Select "Deploy DirectAccess only".

For the network topology, select Edge. The wizard automatically fills in the public name of the remote access server, here "directaccess.sr.local". Click Next.

Clicking "here" would let you make changes at this point; skip that for now and instead go through steps 1, 2, 3 and 4 afterwards to make the changes. Click Finish directly.

The configuration succeeded, but with a warning.

Next, some further setup is needed.

In Step 1, click Edit.

Choose a deployment scenario; keep the default and click Next.

On the Select Groups page, remove the default group "Domain Computers" and add the security group "Da-clients" that you created earlier.

Uncheck the "Enable DirectAccess for mobile computers only" setting and click Next.

Confirm the NCA (Network Connectivity Assistant) resource URL and the DA connection name, then click Finish.

Switch to Step 2 and click Edit.

Confirm the network topology and the DA external access name.

Confirm the network adapter information and select the certificate for the IP-HTTPS connection.

On the Authentication page, tick "Use computer certificates", browse to select the root certificate of the enterprise CA, and click Finish.

Switch to Step 3 and click Edit.

On the Network Location Server page, enter the URL of the NLS and click Validate; the check passes. Here the URL is https://2012r2-a.sr.local; alternatively, you could create a DNS alias named NLS that points to the 2012r2-a host record. Click Next.

Confirm the DNS suffix and the IPv6 address of the internal DNS server.

DNS suffix search list: keep the default settings and click Next.

Set the management server IP addresses; there are none in this lab.

Click Finish to apply the changes.

The configuration was successfully applied.

The dashboard shows the operation status and configuration status of the DA components.

Two new GPOs appear in the domain: DA Server Settings and DA Client Settings.

On CLIENT1, force a Group Policy update.

View the DA connection status; it shows ConnectedLocally.

Move CLIENT1 to the Internet network.

View the DA connection status again; it now shows ConnectedRemotely.

View the client IP address.

Test network connectivity to the intranet servers.

From CLIENT1, test access to the intranet file server and web server.

Other client-side diagnostic commands:

Get-NCSIPolicyConfiguration

Get-DnsClientNrptPolicy

Get-NetIPHttpsConfiguration

netsh int 6to4 show state

On the server, the Remote Client Status view shows the connected clients.

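The client checks above can be combined into one diagnostic run. The following is an added example, not code from the original post: it wraps the cmdlets listed above and adds the one check a defender most wants, whether the NLS URL (the inside/outside oracle for DA clients) answers from the network position you are testing from. Module names are Windows built-ins; the property names `Status`, `Substatus`, `DomainLocationDeterminationUrl`, `ServerURL`, `State` and `InterfaceStatus` are assumed from the cmdlets' documented output.

```powershell
# Added diagnostic helper (not from the original post). Run in an elevated
# PowerShell on a DA client such as CLIENT1. Tell it where you believe the
# client is, and it reports whether DA's own view agrees.
function Test-DAClientLocation {
    param([ValidateSet('Internal', 'Internet')][string]$ExpectedLocation)

    $status = Get-DAConnectionStatus               # Status: ConnectedLocally / ConnectedRemotely / Error
    $nrpt   = Get-DnsClientNrptPolicy               # NRPT rules pushed by the DA Client Settings GPO
    $ncsi   = Get-NCSIPolicyConfiguration           # carries the NLS URL used for location detection
    $https  = Get-NetIPHttpsConfiguration | Select-Object -First 1
    $tunnel = Get-NetIPHttpsState                   # InterfaceStatus of the IP-HTTPS adapter (assumed property)
    $nlsUrl = $ncsi.DomainLocationDeterminationUrl

    # A client that can fetch the NLS URL concludes it is on the corporate
    # network and switches DA off, so the probe result is the key fact.
    $nlsReachable = $false
    if ($nlsUrl) {
        try {
            $null = Invoke-WebRequest -Uri $nlsUrl -UseBasicParsing -TimeoutSec 5
            $nlsReachable = $true
        } catch { $nlsReachable = $false }
    }

    $report = [pscustomobject]@{
        ExpectedLocation = $ExpectedLocation
        ConnectionStatus = $status.Status
        Substatus        = $status.Substatus
        NrptNamespaces   = ($nrpt.Namespace -join ', ')
        DADnsServers     = (($nrpt.DirectAccessDnsServers | Select-Object -Unique) -join ', ')
        NlsUrl           = $nlsUrl
        NlsReachable     = $nlsReachable
        IPHttpsServerUrl = $https.ServerURL
        IPHttpsState     = $https.State
        IPHttpsInterface = $tunnel.InterfaceStatus
    }

    # Mismatches between where the client is and what it can reach are the
    # two failure modes worth alerting on.
    if ($ExpectedLocation -eq 'Internet' -and $nlsReachable) {
        Write-Warning "NLS $nlsUrl answers from the Internet: clients will misdetect their location and disable DA. Check DNS and firewall exposure of the NLS."
    }
    if ($ExpectedLocation -eq 'Internal' -and -not $nlsReachable) {
        Write-Warning "On the internal network but NLS $nlsUrl is unreachable: clients will wrongly fall back to DA (expect ConnectedRemotely or Error)."
    }
    return $report
}

Test-DAClientLocation -ExpectedLocation Internet | Format-List
```

Run it once from the intranet with `-ExpectedLocation Internal` and once from the Internet segment with `-ExpectedLocation Internet`; the `ConnectionStatus` field should read ConnectedLocally and ConnectedRemotely respectively, matching the screenshots in the post.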
Considerations for DA Configuration:

  • Windows Firewall must stay enabled on domain computers, with the allow and block rules of the default profile in place, because disabling the Windows Firewall service also disables IPsec.

  • If clients are to connect using Teredo, the DirectAccess server must have two consecutive public IPv4 addresses configured on its external physical interface and must not be behind a NAT device; this is required by Teredo client NAT detection.

  • If the DirectAccess server is behind a NAT device or has only one network interface, it can only be deployed with the IP-HTTPS method for client connections.

  • Verify the PKI infrastructure and server certificates. Either the enterprise runs its own CA or it uses certificates issued by a public CA. Domain computers are configured to automatically request a computer certificate, and the DA server, in addition to its automatically requested computer certificate, requests a separate certificate for the IP-HTTPS connection whose common name matches the external access name. If an enterprise CA is used, it is also best to set up a CRL (certificate revocation list) and publish it externally.

  • In step 1 of the Remote Access Setup Wizard, check the membership of the DirectAccess client security group.

  • Check the firewall port exceptions required for DA connections.
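The considerations above can be turned into a pre-flight check on the DA server. This is an added example, not code from the original post; it assumes `Get-RemoteAccess` from the RemoteAccess module exposes the `ConnectToAddress`, `InternetInterface`, `ComputerCertAuthentication` and `IPsecRootCertificate` properties (names assumed from the cmdlet's documented output), and that the IP-HTTPS certificate lives in the machine's personal store.

```powershell
# Added pre-flight check (not from the original post). Run on the DA server
# after the wizard has applied its configuration.
function Test-DAServerPreflight {
    $ra = Get-RemoteAccess
    $findings = @()

    # 1. Firewall: stopping the Windows Firewall service (MpsSvc) also stops IPsec.
    $fw = Get-Service -Name MpsSvc
    if ($fw.Status -ne 'Running' -or $fw.StartType -eq 'Disabled') {
        $findings += "Windows Firewall service is $($fw.Status)/$($fw.StartType); IPsec tunnels will fail."
    }
    if (-not (Get-NetFirewallProfile -Name Domain).Enabled) {
        $findings += 'Domain firewall profile is disabled.'
    }

    # 2. IP-HTTPS certificate: name must match the external access name and it
    #    needs a CRL distribution point that Internet clients can reach.
    $name = $ra.ConnectToAddress
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.Subject -match "CN=$([regex]::Escape($name))" -or $_.DnsNameList.Unicode -contains $name
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        $findings += "No certificate in LocalMachine\My matches the access name '$name'."
    } else {
        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $findings += "Certificate for '$name' expires $($cert.NotAfter)." }
        $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }   # CRL Distribution Points
        if (-not $cdp) { $findings += "Certificate for '$name' has no CRL distribution point; revocation cannot be checked." }
    }

    # 3. Computer-certificate authentication must be enabled against the enterprise root.
    if ($ra.ComputerCertAuthentication -ne 'Enabled' -or -not $ra.IPsecRootCertificate) {
        $findings += 'Computer certificate authentication is not enabled with an IPsec root certificate.'
    }

    # 4. Teredo needs two consecutive public IPv4 addresses on the Internet-facing interface.
    $v4 = @(Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $ra.InternetInterface -ErrorAction SilentlyContinue)
    if ($v4.Count -lt 2) {
        $findings += "Only $($v4.Count) IPv4 address(es) on '$($ra.InternetInterface)': Teredo unavailable, IP-HTTPS only."
    }

    if ($findings.Count -eq 0) { 'All pre-flight checks passed.' } else { $findings }
}

Test-DAServerPreflight
```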
