DA Experimental Environment Preparation
Experimental topology
[Image: experimental topology diagram]
Topology description
The following computers are included in this topology:
[Image: list of computers in the topology]
Topological subnets:
[Image: topology subnets]
Using DHCP is recommended in the lab environment; it reduces the work of manually changing the IP configuration when the CLIENT1 computer roams between networks.
The lab virtual machines are as follows:
[Image: list of lab virtual machines]
Main steps:
Step 1: Configure DC1
• Create a security group da-clients and add the CLIENT1 computer to it;
• Configure DHCP scopes to assign TCP/IP parameters to intranet computers;
• Configure the domain firewall policy to open exceptions for ICMPv4/ICMPv6;
• Deploy an enterprise CA and use domain policy to have member computers request certificates automatically;
Step 2: Configure APP1
• Join APP1 to the domain and update Group Policy;
• Configure it as an intranet file server;
• Install IIS and deploy it as a web server;
• Confirm the certificate that the computer requested automatically and bind it to the website above (note that the auto-requested certificate is issued to the computer name, so the access name is the same as that of our NLS server);
Step 3: Configure EDGE1
• Join EDGE1 to the domain and update Group Policy;
• Confirm that the automatically requested computer certificate is in effect;
• From the MMC console, request a computer certificate for the IP-HTTPS connection: select the computer, and set the certificate common name to Directaccess.sr.local (this name is also used when DA is published on the public network);
Step 4: Configure INET1
• Configure DNS: create a new zone sr.local and a new host record DirectAccess pointing to IP address 131.107.0.2;
• Create a new zone msftncsi.com, with a new host record DNS pointing to 131.107.255.255 and a new host record www pointing to 131.107.0.1 (this part lets CLIENT1 use the Network Connectivity Status Indicator (NCSI) function in the simulated environment; for NCSI, see
• Configure IIS: add a text file Ncsi.txt under the home directory of the default website, with the content "Microsoft NCSI";
• Configure DHCP so that the client can obtain an address when it roams to the Internet;
Step 5: Configure CLIENT1
• Join CLIENT1 to the domain;
• Confirm that Group Policy is in effect;
• Test the file service and web service of the intranet APP1 server;
Step 6: Configure NAT1 (optional, for simulating a home network)
• Enable the NAT feature;
• The external network adapter obtains its address automatically;
• The intranet side is set to 192.168.137.1/24;
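Step 4 (INET1) scripted in PowerShell, as an added example that is not part of the original article. It assumes Windows Server 2012 or later with the DNS Server and IIS roles already installed and the default IIS path C:\inetpub\wwwroot; the function name Test-LabNcsi is hypothetical.

```powershell
# Added example: run in an elevated session on INET1. Zone names, host records
# and IP addresses are the ones listed in Step 4 of this article.
Import-Module DnsServer

$records = @(
    @{ Zone = 'sr.local';     Name = 'DirectAccess'; IP = '131.107.0.2'     },
    @{ Zone = 'msftncsi.com'; Name = 'dns';          IP = '131.107.255.255' },
    @{ Zone = 'msftncsi.com'; Name = 'www';          IP = '131.107.0.1'     }
)

foreach ($r in $records) {
    # Create the primary zone only if it is missing, so the script can be re-run
    if (-not (Get-DnsServerZone -Name $r.Zone -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $r.Zone -ZoneFile "$($r.Zone).dns"
    }
    # Add the A record only if it is missing
    $existing = Get-DnsServerResourceRecord -ZoneName $r.Zone -Name $r.Name `
        -RRType A -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $r.Zone -Name $r.Name -IPv4Address $r.IP
    }
}

# NCSI probe file: exact text, written without a BOM or trailing newline.
$webRoot = 'C:\inetpub\wwwroot'   # assumption: default IIS site home directory
[System.IO.File]::WriteAllText((Join-Path $webRoot 'Ncsi.txt'), 'Microsoft NCSI')

# Hypothetical helper: repeats the two NCSI probes (DNS lookup and HTTP fetch)
# and reports whether the simulated Internet answers them as Step 4 configures.
function Test-LabNcsi {
    $dnsOk = $false
    $webOk = $false
    try {
        $ips   = (Resolve-DnsName -Name 'dns.msftncsi.com' -Type A -ErrorAction Stop).IPAddress
        $dnsOk = $ips -contains '131.107.255.255'
    } catch { Write-Warning "DNS probe failed: $_" }
    try {
        $resp  = Invoke-WebRequest -Uri 'http://www.msftncsi.com/ncsi.txt' -UseBasicParsing
        $webOk = ($resp.StatusCode -eq 200) -and ($resp.Content -ceq 'Microsoft NCSI')
    } catch { Write-Warning "HTTP probe failed: $_" }
    [pscustomobject]@{ DnsProbe = $dnsOk; WebProbe = $webOk }
}

Test-LabNcsi
```

Test-LabNcsi can also be run on CLIENT1 while it is connected to the simulated Internet subnet; if either probe is false, CLIENT1 will not report Internet connectivity there.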
The above describes the general process of preparing for a DA deployment, for your reference.
Some documents include a step for publishing the CA's CRL, but the experimental results show that the client does not verify certificate revocation information by default, so this step can be skipped for now.
For detailed procedures, you can also refer to the official Microsoft manual:
Direct-access Step-by-Step
In the next chapter, we will focus on the DA server configuration and client authentication:
Direct Access Technology III: Deployment and Configuration DirectAccess