Configure DirectAccess in Windows Server Essentials
Updated: March 5, 2014
Applies To: Windows Server 2012 Essentials, Windows Server 2012 R2 Essentials
This topic provides step-by-step instructions for configuring DirectAccess in Windows Server Essentials to enable your mobile workforce to seamlessly connect to your organization’s network from any Internet-equipped remote location without establishing a virtual private network (VPN) connection. DirectAccess can offer mobile workers the same connectivity experience inside and outside the office from their Windows 8.1, Windows 8, and Windows 7 computers.
This topic applies to a server running Windows Server 2012 Essentials or Windows Server 2012 R2 Essentials, or to a server running Windows Server 2012 R2 Standard or Windows Server 2012 R2 Datacenter with the Windows Server Essentials Experience role installed. In Windows Server 2012 R2 Essentials, if the domain contains more than one Windows Server Essentials server, DirectAccess must be configured on the domain controller.
Note
This topic provides instructions for configuring DirectAccess when your Windows Server Essentials server is the domain controller. If the Windows Server Essentials server is a domain member, follow the instructions to configure DirectAccess on a domain member in Add DirectAccess to an Existing Remote Access (VPN) Deployment instead.
Process overview
To configure DirectAccess in Windows Server Essentials, complete the following steps.
Important
Before you use the procedures in this guide to configure DirectAccess in Windows Server Essentials, you must enable VPN on the server. For instructions, see Manage VPN.
Step 2: Change the network adapter address of the server to a static IP address
Step 3: Prepare a certificate and DNS record for the network location server
Step 4: Create a security group for DirectAccess client computers
Step 5: Enable and configure DirectAccess
Step 5a: Enable DirectAccess by using the Remote Access Management Console
Step 5b: Remove the invalid IPv6Prefix in RRAS GPO (Windows Server 2012 Essentials only)
Step 5c: Enable client computers running Windows 7 Enterprise to use DirectAccess
Step 5e: Add a registry key to bypass CA certification when you establish an IPsec channel
Step 6: Configure Name Resolution Policy Table settings for the DirectAccess server
Step 7: Configure TCP and UDP firewall rules for the DirectAccess server GPOs
Step 8: Change the DNS64 configuration to listen to the IP-HTTPS interface
Note
Appendix: Set up DirectAccess by using Windows PowerShell provides a Windows PowerShell script that you can use to perform the DirectAccess setup.
Step 1: Add Remote Access Management Tools to your server
To add Remote Access Management Tools
On the server, in the bottom left corner of the Start page, click the Server Manager icon.
In Windows Server 2012 R2 Essentials, you will need to search for Server Manager to open it. On the Start page, type Server Manager, and then click Server Manager in the search results. To pin Server Manager to the Start page, right-click Server Manager in the search results, and click Pin to Start.
If a User Account Control warning message displays, click Yes.
On the Server Manager Dashboard, click Manage, and then click Add Roles and Features.
In the Add Roles and Features Wizard, do the following:
On the Installation Type page, click Role-based or feature-based installation.
On the Server Selection page (or the Select destination server page in Windows Server 2012 Essentials), click Select a server from the server pool.
On the Features page, expand Remote Server Administration Tools (Installed), expand Remote Access Management Tools (Installed), expand Role Administration Tools (Installed), expand Remote Access Management Tools, and then select Remote Access GUI and Command-Line Tools.
Follow the instructions to complete the wizard.
Step 2: Change the network adapter address of the server to a static IP address
DirectAccess requires an adapter with a static IP address. You need to change the IP address for the local network adapter on your server.
To add a static IP address
On the Start page, open Control Panel.
Click Network and Internet, and then click View network status and tasks.
In the task pane of the Network and Sharing Center, click Change adapter settings.
Right-click the local network adapter, and then click Properties.
On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
On the General tab, click Use the following IP address, and then type the IP address that you want to use.
A default value for subnet mask appears automatically in the Subnet mask box. Accept the default value, or type the subnet mask value that you want to use.
In the Default gateway box, type the IP address of your default gateway.
In the Preferred DNS server box, type the IP address of your DNS server.
Note
Use the IP address that is assigned to your network adapter by DHCP (for example, 192.168.X.X) instead of a loopback network (for example, 127.0.0.1). To find out the assigned IP address, run ipconfig at a command prompt.
In the Alternate DNS Server box, type the IP address of your alternate DNS server, if any.
Click OK, and then click Close.
Important
Ensure that you configure the router to forward ports 80 and 443 to the new static IP address of the server.
Step 3: Prepare a certificate and DNS record for the network location server
To prepare a certificate and DNS record for the network location server, perform the following tasks:
Step 3a: Grant full permissions to Authenticated Users for the Web server’s certificate template
Your first task is to grant full permissions to authenticate users for the Web server’s certificate template in the certification authority.
To grant full permissions to Authenticated Users for the Web server’s certificate template
On the Start page, open Certification Authority.
In the console tree, under Certification Authority (Local), expand <servername>-CA, right-click Certificate Templates, and then click Manage.
In Certification Authority (Local), right-click Web Server, and then click Properties.
In Web Server properties, on the Security tab, click Authenticated Users, select Full Control, and then click OK.
Restart Active Directory Certificate Services. In Control Panel, open View local services. In the list of services, right-click Active Directory Certificate Services, and then click Restart.
Step 3b: Enroll a certificate for the network location server with a common name that is unresolvable from the external network
Next, enroll a certificate for the network location server with a common name that is unresolvable from the external network.
To enroll a certificate for the network location server
On the Start page, open mmc (the Microsoft Management Console).
If a User Account Control warning message appears, click Yes.
The Microsoft Management Console (MMC) opens.
On the File menu, click Add/Remove Snap-ins.
In the Add or Remote Snap-ins box, click Certificates, and then click Add.
On the Certificates snap-in page, click Computer account, and then click Next.
On the Select Computer page, click Local computer, click Finish, and then click OK.
In the console tree, expand Certificates (Local Computer), expand Personal, right-click Certificates, and then, in All Tasks, click Request New Certificate.
When the Certificate Enrollment Wizard appears, click Next.
On the Select Certificate Enrollment Policy page, click Next.
On the Request Certificates page, select the Web Server check box, and then click More information is required to enroll this certificate.
In the Certificate Properties box, enter the following settings for Subject Name:
For Type, select Common name.
For Value, type the name of the network location server (for example, DirectAccess-NLS.contoso.local), and then click Add.
Click OK, and then click Enroll.
When certificate enrollment completes, click Finish.
Step 3c: Add a new host on the DNS server and map it to the Windows Server Essentials server address
To complete the DNS configuration, add a new host on the DNS server and map it to the Windows Server Essentials server address.
To map a new host to the Windows Server Essentials server address
On the Start page, open DNS Manager. To open DNS Manager, search for dnsmgmt.msc, and then click dnsmgmt.msc in the results.
In the DNS Manager console tree, expand the local server, expand Forward Lookup Zones, right-click the zone with server’s domain suffix, and then click New Host (A or AAAA).
Type the name and IP address of the server (for example, DirectAccess-NLS.contoso.local) and its corresponding server address (for example, 192.168.x.x).
Click Add Host, click OK, and then click Done.
Step 4: Create a security group for DirectAccess client computers
Next, create a security group to use for DirectAccess client computers, and then add the computer accounts to the group.
To add a security group for client computers that use DirectAccess
- On the Server Manager Dashboard, click Tools, and then click Active Directory Users and Computers.
Note
If you do not see Active Directory Users and Computers on the Tools menu, you need to install the feature. To install Active Directory Users and Groups, run the following Windows PowerShell cmdlet as an administrator: Install-WindowsFeature RSAT-ADDS-Tools
. For more information, see Installing or Removing the Remote Server Administration Tool Pack.
In the console tree, expand the server, right-click Users, click New, and then click Group.
Enter a group name, group scope, and group type (create a security group), and then click OK.
The new security group is added to the Users folder.
To add computer accounts to the security group
On the Server Manager Dashboard, click Tools, and then click Active Directory Users and Computers.
In the console tree, expand the server, and then click Users.
In the list of user accounts and security groups on the server, right-click the security group that you created for DirectAccess, and then click Properties.
On the Members tab, click Add.
In the dialog box, type the names of the computer accounts that you want to add to the group, separating the names with a semicolon (;). Then click Check Names.
After the computer accounts are validated, click OK. Then click OK again.
Note
You can also use the Member of tab in the computer account properties to add the account to the security group.
Step 5: Enable and configure DirectAccess
To enable and configure DirectAccess in Windows Server Essentials, you must complete the following steps:
Step 5a: Enable DirectAccess by using the Remote Access Management Console
Step 5b: Remove the invalid IPv6Prefix in RRAS GPO (Windows Server 2012 Essentials only)
Step 5c: Enable client computers running Windows 7 Enterprise to use DirectAccess
Step 5e: Add a registry key to bypass CA certification when you establish an IPsec channel
Step 5a: Enable DirectAccess by using the Remote Access Management Console
This section provides step-by-step instructions to enable DirectAccess in Windows Server Essentials. If you have not configured VPN on the server yet, you should do that before you start this procedure. For instructions, see Manage VPN.
To enable DirectAccess by using the Remote Access Management Console
On the Start page, open Remote Access Management.
In the Enable DirectAccess Wizard, do the following:
Review DirectAccess Prerequisites, and click Next.
On the Select Groups tab, add the security group that you created earlier for DirectAccess clients. (If you have not created the security group, see Step 4: Create a security group for DirectAccess client computers for instructions.)
On the Select Groups tab, click Enable DirectAccess for mobile computers only if you want to enable mobile computers to use DirectAccess to remotely access the server, and then click Next.
In Network Topology, select the topology of the server, and then click Next.
In DNS Suffix Search List, add the additional DNS suffix for the client computers, if needed, and then click Next.
Note
By default, the Enable DirectAccess Wizard already adds the DNS suffix for current domain. However, you can add more if needed.
6. Review the Group Policy Objects (GPOs) that will be applied, and modify them if needed.
7. Click **Next**, and then click **Finish**.
8. Restart the Remote Access Management service by running the following Windows PowerShell command in elevated mode:
```
Restart-Service RaMgmtSvc
```
Step 5b: Remove the invalid IPv6Prefix in RRAS GPO (Windows Server 2012 Essentials only)
This section applies to a server running Windows Server 2012 Essentials.
Open Windows PowerShell as an Administrator and run the following commands:
gpupdate
$key = Get-ChildItem -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemoteAccess\config\MachineSIDs | Where-Object{$_.GetValue("IPv6RrasPrefix") -ne $null}
Remove-GPRegistryValue -Name "DirectAccess Server Settings" -Key $key.Name -ValueName IPv6RrasPrefix
gpupdate
Step 5c: Enable client computers running Windows 7 Enterprise to use DirectAccess
If you have client computers running Windows 7 Enterprise, complete the following procedure to enable DirectAccess from those computers.
To enable Windows 7 Enterprise computers to use DirectAccess
On the server’s Start page, open Remote Access Management.
In the Remote Access Management Console, click Configuration. Then, in the Setup Details pane, under Step 2, click Edit.
The Remote Access Server Setup Wizard opens.
On the Authentication tab, choose the certification authority (CA) certificate that will be the trusted root certificate (you can choose the CA certificate of the Windows Server Essentials server). Click Enable Windows 7 client computers to connect via DirectAccess, and then click Next.
Follow the instructions to complete the wizard.
Important
There is a known issue for Windows 7 Enterprise computers connecting over DirectAccess if the Windows Server 2012 Essentials server did not come with UR1 pre-installed. To enable DirectAccess connections in that environment, you must perform these additional steps: Install the hotfix described in Microsoft Knowledge Base (KB) article 2796394 on the Windows Server 2012 Essentials server. Then restart the server. Then install the hotfix described in Microsoft Knowledge Base (KB) article 2615847 on each Windows 7 computer. This issue was resolved in Windows Server 2012 R2 Essentials.
Step 5d: Configure the network location server
This section provides step-by-step instructions to configure the network location server settings.
Note
Before you begin, copy the contents of the <SystemDrive>\inetpub\wwwroot folder to the <SystemDrive>\Program Files\Windows Server\Bin\WebApps\Site\insideoutside folder. Also copy the default.aspx file from the <SystemDrive>\Program Files\Windows Server\Bin\WebApps\Site folder to the <SystemDrive>\Program Files\Windows Server\Bin\WebApps\Site\insideoutside folder.
To configure the network location server
On the Start page, open Remote Access Management.
In the Remote Access Management Console, click Configuration, and in the Remote Access Setup details pane, in Step 3, click Edit.
In the Remote Access Server Setup Wizard, on the Network Location Server tab, select The network location server is deployed on the Remote Access server, and then select the certificate that was previously issued (in Step 3: Prepare a certificate and DNS record for the network location server).
Follow the instructions to complete the wizard, and then click Finish.
Step 5e: Add a registry key to bypass CA certification when you establish an IPsec channel
Your next step is to configure the server to bypass CA certification when an IPsec channel is established.
To add a registry key to bypass the CA certification
On the Start page, open regedit (the Registry Editor).
In the Registry Editor, expand HKEY_LOCAL_MACHINE, expand System, expand CurrentControlSet, expand Services, and expand IKEEXT.
Under IKEEXT, right-click Parameters, click New, and then click DWORD (32 bit) Value.
Rename the newly added value to ikeflags.
Double-click ikeflags, set the Type to Hexadecimal, set the value to 8000, and then click OK.
Note
You can use the following Windows PowerShell command in elevated mode to add this registry key:
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\IKEEXT\Parameters -Name ikeflags -Type DWORD -Value 0x8000
Step 6: Configure Name Resolution Policy Table settings for the DirectAccess server
This section provides instructions for editing the Name Resolution Policy Table (NPRT) entries for internal addresses (for example, entries with a contoso.local suffix) for DirectAccess client GPOs, and then set the IPHTTPS interface address.
To configure Name Resolution Policy Table entries
On the Start page, open Group Policy Management.
In the Group Policy Management console, click the default forest and domain, right-click DirectAccess Client Settings, and then click Edit.
Click Computer Configurations, click Policies, click Windows Settings, and then click Name Resolution Policy. Choose the entry that has the namespace that is identical to your DNS suffix, and then click Edit Rule.
Click the DNS Settings for DirectAccess tab; then select Enable DNS settings for DirectAccess in this rule. Add the IPv6 address for the IP-HTTPS interface in the DNS server list.
Note
You can use the following Windows PowerShell command to get the IPv6 address:
(Get-NetIPInterface -InterfaceAlias IPHTTPSInterface | Get-NetIPAddress -PrefixLength 128)[1].IPAddress
Step 7: Configure TCP and UDP firewall rules for the DirectAccess server GPOs
This section includes step-by-step instructions to configure TCP and UDP firewall rules for the DirectAccess server GPOs.
To configure firewall rules
On the Start page, open Group Policy Management.
In the Group Policy Management console, click the default forest and domain, right-click DirectAccess Server Settings, and then click Edit.
Click Computer Configuration, click Policies, click Windows Settings, click Security Settings, click Windows Firewall with Advanced Security, click next-level Windows Firewall with Advanced Security, and then click Inbound Rules. Right-click Domain name Server (TCP-In), and then click Properties.
Click the Scope tab, and in the Local IP address list, add the IPv6 address of the IP-HTTPS interface.
Repeat the same procedure for Domain Name Server (UDP-In).
Step 8: Change the DNS64 configuration to listen to the IP-HTTPS interface
You must change the DNS64 configuration to listen to the IP-HTTPS interface by using the following Windows PowerShell command.
Set-NetDnsTransitionConfiguration –AcceptInterface IPHTTPSInterface
Step 9: Reserve ports for the WinNat service
Use the following Windows PowerShell command to reserve ports for the WinNat service. Replace "192.168.1.100" with the actual IPv4 address of your Windows Server 2012 Essentials server.
Set-NetNatTransitionConfiguration –IPv4AddressPortPool @("192.168.1.100, 10000-47000")
Important
To avoid port conflicts with applications, be sure that the port range that you reserve for the WinNat service does not include port 6602.
Step 10: Restart the WinNat service
Restart the Windows NAT Driver (WinNat) service by running the following Windows PowerShell command.
Restart-Service winnat
Appendix: Set up DirectAccess by using Windows PowerShell
This section describes how to set up and configure DirectAccess by using Windows PowerShell.
Preparation
Before you begin configuring your server for DirectAccess, you must complete the following:
Follow the procedure in Step 3: Prepare a certificate and DNS record for the network location server to enroll a certificate named DirectAccess-NLS.contoso.com (where contoso.com is replaced by your actual internal domain name), and to add a DNS record for the network location server (NLS).
Add a security group named DirectAccessClients in Active Directory, and then add client computers for which you want to provide the DirectAccess functionality. For more information, see Step 4: Create a security group for DirectAccess client computers.
Commands
Important
In Windows Server 2012 R2 Essentials, you do not need to remove the unnecessary IPv6 prefix GPO. Delete the code section with the following label: # [WINDOWS SERVER 2012 ESSENTIALS ONLY] Remove the unnecessary IPv6 prefix GPO
.
# Add Remote Access role if not installed yet
$ra = Get-WindowsFeature RemoteAccess
If ($ra.Installed -eq $FALSE) { Add-WindowsFeature RemoteAccess }
# Server may need to restart if you installed RemoteAccess role in the above step
# Set the internet domain name to access server, replace contoso.com below with your own domain name
$InternetDomain = "www.contoso.com"
#Set the SG name which you create for DA clients
$DaSecurityGroup = "DirectAccessClients"
#Set the internal domain name
$InternalDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
# Set static IP and DNS settings
$NetConfig = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=$true"
$CurrentIP = $NetConfig.IPAddress[0]
$SubnetMask = $NetConfig.IPSubnet | Where-Object{$_ -like "*.*.*.*"}
$NetConfig.EnableStatic($CurrentIP, $SubnetMask)
$NetConfig.SetGateways($NetConfig.DefaultIPGateway)
$NetConfig.SetDNSServerSearchOrder($CurrentIP)
# Get physical adapter name and the certificate for NLS server
$Adapter = (Get-WmiObject -Class Win32_NetworkAdapter -Filter "NetEnabled=$true").NetConnectionId
$Certs = dir cert:\LocalMachine\My
$nlscert = $certs | Where-Object{$_.Subject -like "*CN=DirectAccess-NLS*"}
# Add regkey to bypass CA cert for IPsec authentication
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\IKEEXT\Parameters -Name ikeflags -Type DWORD -Value 0x8000
# Install DirectAccess.
Install-RemoteAccess -NoPrerequisite -DAInstallType FullInstall -InternetInterface $Adapter -InternalInterface $Adapter -ConnectToAddress $InternetDomain -nlscertificate $nlscert -force
#Restart Remote Access Management service
Restart-Service RaMgmtSvc
# [WINDOWS SERVER 2012 ESSENTIALS ONLY] Remove the unnecessary IPv6 prefix GPO
gpupdate
$key = Get-ChildItem -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemoteAccess\config\MachineSIDs | Where-Object{$_.GetValue("IPv6RrasPrefix") -ne $null}
Remove-GPRegistryValue -Name "DirectAccess Server Settings" -Key $key.Name -ValueName IPv6RrasPrefix
gpupdate
# Enable client computers running Windows 7 to use DirectAccess
$allcertsinroot = dir cert:\LocalMachine\root
$rootcert = $allcertsinroot | Where-Object{$_.Subject -like "*-CAA*"}
Set-DAServer –IPSecRootCertificate $rootcert[0]
Set –DAClient –OnlyRemoteComputers Disabled -Downlevel Enabled
#Set the appropriate security group used for DA client computers. Replace the group name below with the one you created for DA clients
Add-DAClient -SecurityGroupNameList $DaSecurityGroup
Remove-DAClient -SecurityGroupNameList "Domain Computers"
# Gather DNS64 IP address information
$Remoteaccess = get-remoteaccess
$IPinterface = get-netipinterface -InterfaceAlias IPHTTPSInterface | get-netipaddress -PrefixLength 128
$DNS64IP=$IPInterface[1].IPaddress
$Natconfig = Get-NetNatTransitionConfiguration
# Configure TCP and UDP firewall rules for the DirectAccess server GPO
$GpoName = 'GPO:'+$InternalDomain+'\DirectAccess Server Settings'
Get-NetFirewallRule -PolicyStore $GpoName -Displayname "Domain Name Server (TCP-IN)"|Get-NetFirewallAddressFilter | Set-NetFirewallAddressFilter -LocalAddress $DNS64IP
Get-NetFirewallrule -PolicyStore $GpoName -Displayname "Domain Name Server (UDP-IN)"|Get-NetFirewallAddressFilter | Set-NetFirewallAddressFilter -LocalAddress $DNS64IP
# Configure the name resolution policy settings for the DirectAccess server, replace the DNS suffix below with the one in your domain
$Suffix = '.' + $InternalDomain
set-daclientdnsconfiguration -DNSsuffix $Suffix -DNSIPAddress $DNS64IP
# Change the DNS64 configuration to listen to IP-HTTPS interface
Set-NetDnsTransitionConfiguration -AcceptInterface IPHTTPSInterface
# Copy the necessary files to NLS site folder
XCOPY 'C:\inetpub\wwwroot' 'C:\Program Files\Windows Server\Bin\WebApps\Site\insideoutside' /E /Y
XCOPY 'C:\Program Files\Windows Server\Bin\WebApps\Site\Default.aspx' 'C:\Program Files\Windows Server\Bin\WebApps\Site\insideoutside' /Y
# Reserve ports for the WinNat service
Set-NetNatTransitionConfiguration –IPv4AddressPortPool @("192.168.1.100, 10000-47000")
# Restart the WinNat service
Restart-Service winnat