The Cable Guy - June 2010
DirectAccess with Network Access Protection (NAP)
DirectAccess is a new feature in the Windows 7 and Windows Server 2008 R2 operating systems that enables remote users to securely access intranet resources without connecting to a virtual private network (VPN). Network Access Protection (NAP), also built into Windows Server 2008 R2 and Windows 7, monitors and assesses the health of client computers when they attempt to connect or communicate on a network.
DirectAccess with NAP allows you to specify that only DirectAccess clients that meet system health requirements can reach intranet resources across the Internet.
DirectAccess tunnels
DirectAccess clients on the Internet using the full intranet access or selected server access models create the following Internet Protocol security (IPsec) tunnels to a DirectAccess server:
Infrastructure tunnel
Used to reach intranet Domain Name System (DNS) servers and Active Directory Domain Services (AD DS) domain controllers. By default, this tunnel requires a computer certificate and computer account NT LAN Manager Version 2 (NTLMv2) credentials for authentication. The DirectAccess client creates this tunnel before the user logs on.
Management tunnel
Used to reach additional intranet locations before the user logs on. Intranet management servers can also create this tunnel to remotely manage DirectAccess clients. Like the infrastructure tunnel, by default this tunnel requires a computer certificate and computer account NTLMv2 credentials for authentication.
Intranet tunnel
Used to reach intranet locations that are not in the list of destination addresses in the infrastructure and management tunnel rules after the user has logged on. By default, this tunnel requires a computer certificate and user account Kerberos credentials for authentication.
NAP and IPsec enforcement
NAP can be deployed in a variety of enforcement methods to enforce system health requirements for connecting or communicating. The IPsec enforcement method uses health certificates-digital certificates with the System Health Authentication object identifier (OID) in the Enhanced Key Usage (EKU) field-and IPsec connection security rules, which require IPsec protection of intranet traffic and IPsec peer authentication with health certificates. This combination can enforce system health requirements for communication between computers on an intranet. Computers that are not compliant with system health requirements and do not have a health certificate cannot initiate communication on the intranet.
An IPsec enforcement deployment requires the following:
Health Registration Authority (HRA) A Web server that receives and responds to NAP clients and their requests to validate their system health and obtain a health certificate.
NAP Certification Authority (CA) A CA in your public key infrastructure (PKI), typically dedicated, that issues health certificates for compliant NAP clients.
NAP health policy server A Network Policy Server (NPS) that validates system health requests.
Remediation servers Servers that contain resources that NAP clients need to correct their noncompliant system health.
Health certificates obtained through the HRA have short lifetimes, typically on the order of hours. You can also issue exemption health certificates that have a long lifetime to servers that need health certificates for IPsec peer authentication but do not need to perform system health validation.
DirectAccess with NAP
DirectAccess with NAP is system health compliance integrated with the DirectAccess connection process. When you combine DirectAccess with NAP to enforce system health requirements prior to allowing access to intranet resources, you leverage the following:
The NAP infrastructure to issue health certificates (HRAs, NAP CAs, NAP health policy servers) and correct system health (remediation servers)
The DirectAccess connection security rules for the infrastructure, management, and intranet tunnels
By default, the connection security rules configured on the DirectAccess client and server for the infrastructure, management, and intranet tunnels do not require health certificates for authentication. The set of rules that you need to modify to require health certificates depend on the following:
NAP deployment mode (reporting or full enforcement)
Reporting mode does not require system health compliance. Noncompliant DirectAccess clients can access the intranet. Therefore, no changes need to be made to DirectAccess connection security rules.
Full enforcement mode requires system health compliance. In this mode, you must configure connection security rules to require the use of health certificates, rather than normal computer certificates.
Location of your HRAs and remediation servers
HRAs and remediation servers can be located on your intranet or on the Internet.
The following sections describe these two possible locations of HRAs and remediation servers and the resulting changes that need to be made to connection security rules to require health certificates.
Intranet-based HRAs and remediation servers
Figure 1 shows the configuration when the HRA and remediation servers are only on the intranet.
Figure 1 DirectAccess with NAP when the HRAs and remediation servers are on the intranet
When the HRAs and remediation servers are only located on the intranet, they must be accessible to DirectAccess clients with computer certificates, but no health certificates. Health validation occurs after the infrastructure and management tunnels are created. The DirectAccess client needs the infrastructure tunnel to access an intranet DNS server to resolve intranet names and the management tunnel to access the HRAs and remediation servers.
However, for full enforcement mode, the DirectAccess client needs a health certificate before it can reach other intranet resources. Therefore, the health certificate requirement only applies to the connection security rules for the intranet tunnel.
Configuration steps
To configure DirectAccess with NAP when the HRAs and remediation servers are on the intranet, you need to:
Add the IPv6 addresses of the HRAs and remediation servers to the list of management servers. You can do this with step 3 of the DirectAccess Setup Wizard or with Netsh.exe commands.
Configure the intranet tunnel rule in DirectAccess server Group Policy object (GPO) to require health certificates with a Netsh.exe command.
For detailed steps, see Configure DirectAccess Connection Security Rules for NAP.
Note that when you use Netsh.exe to customize DirectAccess connection security rules, the changes are overwritten the next time you apply the settings of the DirectAccess Setup Wizard. To ensure that the custom settings are maintained, you should either no longer use the DirectAccess Setup Wizard for configuration changes or compile a list of custom changes in a script and run the script each time you apply the DirectAccess Setup Wizard settings.
How it works
The following describes how DirectAccess with NAP works for a DirectAccess client when the HRA and remediation servers are only on the intranet:
When the DirectAccess client starts and attempts to log on to the AD DS domain with its computer account, it creates the infrastructure tunnel using its computer certificate. [traffic travels across the infrastructure tunnel]
When the NAP Agent starts, the DirectAccess client resolves the fully qualified domain name (FQDN) of a configured HRA uniform resource locator (URL), creates the management tunnel using its computer certificate, and then sends its current health state information to the HRA. [management tunnel]
The HRA sends the DirectAccess client's health state information to the NAP health policy server. [intranet traffic]
The NAP health policy server evaluates the health state information of the DirectAccess client, determines whether it is compliant, and sends the results to the HRA. [intranet traffic]
The HRA sends the DirectAccess client the health evaluation results. [management tunnel]
Assuming a compliant health state, the HRA obtains a health certificate from a NAP CA and sends it to the DirectAccess client. [management tunnel]
When the DirectAccess client attempts to access a resource on the intranet, it first creates the intranet tunnel using the health certificate. [intranet tunnel]
If the DirectAccess client is not compliant:
The HRA sends the DirectAccess client the health evaluation results, which include health remediation instructions, and does not obtain a health certificate. [management tunnel]
Depending on the health evaluation components installed, the DirectAccess client might need to access remediation servers to correct its health state. If so, the DirectAccess client sends update requests to the appropriate remediation servers. [management tunnel]
The remediation servers provision the DirectAccess client with the required settings or updates to comply with system health requirements. [management tunnel]
The DirectAccess client sends its updated health state information to the HRA. [management tunnel]
The HRA sends the updated health state information to the NAP health policy server. Assuming that all the required updates were made, the NAP health policy server determines that the DirectAccess client is compliant and sends that result to the HRA. [intranet traffic]
The HRA obtains a health certificate from the NAP CA. [intranet traffic]
The HRA sends the health certificate to the DirectAccess client. [management tunnel]
When the DirectAccess client attempts to access a resource on the intranet, it creates the intranet tunnel using the health certificate. [intranet tunnel]
HRAs and remediation servers on the Internet
Figure 2 shows the configuration when the HRAs and remediation servers are only on the Internet. For more information about this configuration, see NAP on the Internet, The Cable Guy article for June 2009.
Figure 2 DirectAccess with NAP when the HRAs and remediation servers are on the Internet
When the HRAs and remediation servers are located only on the Internet, they are always accessible to DirectAccess clients and system health validation occurs independently of DirectAccess tunnels.
For full enforcement mode, the DirectAccess client needs a health certificate before it can reach any intranet resource with the exception of management servers, which might be needed to remotely manage or support non-compliant DirectAccess clients from the intranet. Therefore, requiring a health certificate applies to the connection security rules for the infrastructure, intranet, and management (optional) tunnels.
Configuration steps
To configure DirectAccess with NAP when the HRAs and remediation servers are on the Internet, you need to change the infrastructure, intranet, and management tunnel rules in DirectAccess server GPO to require health certificates with Netsh.exe commands.
The following commands use the default names of the GPOs and connection security rules as configured by the DirectAccess Setup Wizard in Windows Server 2008 R2:
At an administrator-level command prompt, run the netsh -c advfirewall command.
At the netsh advfirewall prompt, run the following commands:
set store gpo="DomainName\DirectAccess Policy-{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300}"
**consec set rule "DirectAccess Policy-DaServerToDnsDC" new auth1=computercert auth1ca=**CANameString auth1healthcert=yes applyauthz=yes
**consec set rule "DirectAccess Policy-DaServerToCorp" new auth1=computercert auth1ca=**CANameString auth1healthcert=yes applyauthz=yes
**consec set rule "DirectAccess Policy-DaServerToMgmt" new auth1=computercert auth1ca=**CANameString auth1healthcert=yes applyauthz=yes
Notes
DomainName is the FQDN of your AD DS domain. CANameString is the value of the Auth1CAName field in the display of the consec show rule name="DirectAccess Policy-DaServerToCorp" command.
Run the last command only if you have defined management servers and you want to prevent noncompliant DirectAccess clients from accessing them.
How it works
The following describes how DirectAccess with NAP works for a DirectAccess client when the HRAs and remediation servers are only on the Internet:
When the DirectAccess client starts, it attempts to log on to the AD DS domain with its computer account and create the infrastructure tunnel. Because the DirectAccess client has no health certificate, this attempt fails. [Internet traffic]
When the NAP Agent starts, the DirectAccess client resolves the FQDN of an HRA URL and then sends its current health state information to the HRA on the Internet. [Internet traffic]
The HRA sends the DirectAccess client's health state information to a NAP health policy server. [intranet traffic]
The NAP health policy server evaluates the health state information of the DirectAccess client, determines whether it is compliant, and sends the results to the HRA. [intranet traffic]
The HRA sends the DirectAccess client the health evaluation results. [Internet traffic]
Assuming a compliant health state, the HRA obtains a health certificate from a NAP CA and sends it to the DirectAccess client. [Internet traffic]
The next time the DirectAccess client computer attempts to log on to the AD DS domain with its computer account or resolve an intranet FQDN, it first creates the infrastructure tunnel using the health certificate. [infrastructure tunnel]
When the DirectAccess client needs to access a resource on the intranet, it first creates the intranet tunnel using the health certificate. [intranet tunnel]
If the DirectAccess client is not compliant:
The HRA sends the DirectAccess client the health evaluation results, which include health remediation instructions, and does not obtain a health certificate. [Internet traffic]
Depending on the health evaluation components installed, the DirectAccess client might need to access remediation servers to correct its health state. If so, the DirectAccess client sends update requests to the appropriate remediation servers. [Internet traffic]
The remediation servers provision the DirectAccess client with the required settings or updates for compliance with system health requirements. [Internet traffic]
The DirectAccess client sends its updated health state information to the HRA. [Internet traffic]
The HRA sends the updated health state information to the NAP health policy server. Assuming that all the required updates were made, the NAP health policy server determines that the DirectAccess client is compliant and sends that result to the HRA. [intranet traffic]
The HRA obtains a health certificate from the NAP CA. [intranet traffic]
The HRA sends the health certificate to the DirectAccess client. [Internet traffic]
The next time the DirectAccess client computer attempts to log on to the AD DS domain with its computer account or resolve an intranet FQDN, it first creates the infrastructure tunnel using the health certificate. [infrastructure tunnel]
When the DirectAccess client needs to access a resource on the intranet, it creates the intranet tunnel using the health certificate. [intranet tunnel]
For More Information
See the following resources:
For a list of all The Cable Guy articles, click here.