Install-RemoteAccess

Performs prerequisite checks for DirectAccess (DA) to ensure that it can be installed, installs DA for remote access (RA) (includes management of remote clients) or for management of remote clients only, and installs VPN (both Remote Access VPN and site-to-site VPN).

Syntax

Parameter Set: DirectAccess
Install-RemoteAccess [-DAInstallType] <String> [-ConnectToAddress] <String> [-AsJob] [-CimSession <CimSession[]> ] [-ClientGpoName <String> ] [-ComputerName <String> ] [-DeployNat] [-Force] [-InternalInterface <String> ] [-InternetInterface <String> ] [-NlsCertificate <X509Certificate2> ] [-NlsUrl <String> ] [-NoPrerequisite] [-PassThru] [-ServerGpoName <String> ] [-ThrottleLimit <Int32> ] [-Confirm] [-WhatIf] [ <CommonParameters>]

Parameter Set: DAPrerequisiteChecks
Install-RemoteAccess -Prerequisite [-AsJob] [-CimSession <CimSession[]> ] [-ComputerName <String> ] [-ThrottleLimit <Int32> ] [-Confirm] [-WhatIf] [ <CommonParameters>]

Parameter Set: Vpn
Install-RemoteAccess -VpnType <String> [-AsJob] [-CimSession <CimSession[]> ] [-ComputerName <String> ] [-EntrypointName <String> ] [-IPAddressRange <String[]> ] [-IPv6Prefix <String> ] [-MsgAuthenticator <String> ] [-PassThru] [-RadiusPort <UInt16> ] [-RadiusScore <Byte> ] [-RadiusServer <String> ] [-RadiusTimeout <UInt32> ] [-SharedSecret <String> ] [-ThrottleLimit <Int32> ] [-Confirm] [-WhatIf] [ <CommonParameters>]

Detailed Description

The Install-RemoteAccess cmdlet performs prerequisite checks for DirectAccess (DA) to ensure that it can be installed, installs DA for remote access (RA) (includes management of remote clients) or for management of remote clients only, and installs VPN (both Remote Access VPN and site-to-site VPN).

Prerequisite Checks.
-- Every prerequisite check results in a terminating error, a non-terminating error, or a warning.
-- The only terminating error condition is the DA server not being joined to a domain or the Active Directory server not being reachable; it results in the immediate stopping of the cmdlet.
-- If the cmdlet performs only prerequisite checks, then the user is informed about every check that fails, through an appropriate message.
-- If prerequisite checks are performed just before installation, that is, when the NoPrerequisite parameter is not specified, then the cmdlet performs all checks one after the other without displaying any messages for failed checks. If one or more terminating or non-terminating errors are encountered, then the cmdlet does not proceed with the installation. If all checks pass or only warnings are encountered, then the cmdlet proceeds with installation.

Re-using Existing Configuration.
If one of the remote access technologies is already installed and the cmdlet is used to install the other technology, then it tries to use as much of the configuration of the installed technology as possible and handles any discrepancies between the two technologies. There are separate parameter sets for DA and VPN installation. If the user specifies parameters that can be re-used from the existing configuration, they are ignored. Example: If VPN is already enabled and a user specifies the internal and internet interfaces when installing DA, then they are ignored and the cmdlet uses the existing VPN interfaces.

Note: This cmdlet cannot be used to move from one DA installation type to another. Run the Set-DAServer cmdlet to move from one DA installation type to another.

DA Installation.
-- Client configuration:
---- By default DA is deployed on all domain laptop and netbook computers that belong to the domain specified in the client GPO. This is achieved by adding the Domain Computers AD group as the client SG and creating a WMI filter to filter out devices that are not classified as laptops or netbooks. If a client GPO is not specified, then the domain of the DA server is used and a client GPO with the default name is created in that domain. If the user running the cmdlet does not have the permissions to create the WMI filter, then no client SG is added.
---- Force tunneling is disabled for the clients.
---- This cmdlet does not deploy DA on down-level clients.
-- DA Server configuration.
---- If a GPO with the specified name or default name is not present, then it is created. If it is found, then it is edited with the DA server settings.
---- Selecting the internal and internet interfaces.
------ The internal and internet interfaces can be specified in the cmdlet. If the user wishes to deploy DA in a single network adapter configuration, then the same name should be specified for both interfaces.
------ If one or none of them is specified, then the cmdlet itself selects the appropriate interfaces based on their configuration.
------ If a VPN is already installed and the interfaces were specified during its installation, then the same interfaces are re-used. If the interfaces were not specified during VPN installation, then the user is allowed to manually specify the interfaces or the cmdlet picks them itself.
---- Transition Technologies: IPHTTPS is always enabled. Teredo is enabled only if 2 consecutive IP addresses are found on the internet interface.
---- User authentication: All DA users are authenticated using their domain user name and password.
---- IPv6 deployment in internal network: If a native IPv6 deployment is detected inside the corporate network, then its IPv6 prefix is obtained. Otherwise ISATAP is automatically deployed. Note: ISATAP will not become effective until DNS is configured to resolve ISATAP.
---- DA is installed in a PKI-less mode, i.e. no IPsec root certificate is required.
---- A certificate is still required for IPHTTPS: If VPN is already installed, then the SSL certificate for SSTP is re-used. If there is no certificate configured for VPN, then the cmdlet looks for an appropriate certificate on the computer (a certificate that matches the ConnectToAddress parameter value) or generates a self-signed certificate.
-- Infrastructure Server configuration.
---- If the NLS location is not specified in the cmdlet, then it is deployed on the DA server by default. The cmdlet looks for a certificate for which the subject name matches the internal interface of the DA server. If an appropriate certificate cannot be found, then a self-signed certificate is generated.
---- Health checks are not enabled during installation.
---- Application servers are not configured during installation.
---- If an IPv4 address is detected on the internal interface of the DA server, then the DNS64 or NAT64 configuration is enabled on the DA server which enables DA clients to access corporate network resources that have IPv4 address only by allotting v6 addresses to these hosts.
---- This cmdlet also does an auto-discovery of SCCM servers including Domain Controllers and configures them as the Management Servers.

VPN Installation.
-- Authentication configuration.
---- By default Windows authentication is enabled. This also includes authentication through NPS installed locally on the VPN server. If a RADIUS server is specified, then external RADIUS authentication is used.
-- IP address assignment configuration.
---- IPv4 addressing with DHCP address assignment is enabled by default. If an IP address range is specified, then static pool addressing is used.
---- IPv6 addressing is disabled by default. If an IPv6 prefix is specified, then v6 addressing is enabled and the prefix is used for the addresses.

Parameters

-AsJob

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-CimSession<CimSession[]>

Runs the cmdlet in a remote session or on a remote computer. Enter a computer name or a session object, such as the output of a New-CimSession or Get-CimSession cmdlet. The default is the current session on the local computer.

Aliases

Session

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-ClientGpoName<String>

Specifies the name of the client GPO. The GPO name is specified in DOMAIN\GPO_NAME format. A domain can be one of the domains deployed in the corporate network.
If a GPO name is not specified, then by default a GPO with following name is created in the domain of the DA server:
-- DirectAccess Client Settings.

Aliases

GpoName

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-ComputerName<String>

Specifies the IPv4 or IPv6 address, or host name, of the computer on which the remote access server computer specific tasks should be run.

Aliases

Cn

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-ConnectToAddress<String>

Specifies the DA server or NAT public address to which the clients connect. Specified as a host name or an IPv4 address. If an address is specified, then it must be public.

Aliases

none

Required?

true

Position?

3

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-DAInstallType<String>

Specifies the configuration in which DA should be installed. The acceptable values for this parameter are:
-- FullInstall: DA is installed for both remote access and for the management of remote clients.
-- ManageOut: DA is installed only for the management of remote clients.

Aliases

none

Required?

true

Position?

2

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-DeployNat

Specifies that DA should be deployed behind a NAT. In a single network adapter configuration scenario the DA server is always deployed behind a NAT and there is no need to specify this parameter.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-EntrypointName<String>

Specifies the identity of a site in a multi-site deployment where VPN needs to be installed. This is required in a scenario where DA with multi-site is already deployed and a user wants to additionally deploy VPN. If this parameter is not specified, then the entry point to which the server on which the cmdlet is run belongs is used. The server could also be represented using the ComputerName parameter.
If both this parameter and the ComputerName parameter are specified and the computer name does not belong to the site represented by the entry point name, then this parameter takes precedence and VPN is deployed at the site indicated by it.
Note: In a multi-site deployment, VPN can only be installed one site at a time.
Note: In an S2S case, the cmdlet will install it on any one available node in that entry point.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-Force

Forces the command to run without asking for user confirmation.
When suppressed, the cmdlet assumes user confirmation for the following conditions.
-- If an appropriate certificate for NLS is not found, then a self-signed certificate is created.
-- If an appropriate SSL certificate is not found, then a self-signed certificate is created.
Note: If the addresses are not static (such as DHCP), then ShouldContinue can be used.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-IPAddressRange<String[]>

Specifies that static pool IPv4 addressing should be enabled. This parameter contains an IP address range, consisting of a start IP and an end IP, from which IP addresses are allocated to VPN clients.
In a load balancing scenario only static pool IPv4 addressing is supported for a VPN (DHCP address assignment is not supported). This parameter must be specified and an IPv4 address range should be provided for every node in the cluster. This parameter is specified in the following format:
StartIPRange1, EndIPRange1, StartIPRange2, EndIPRange2, StartIPRange3, EndIPRange3, and so on.
The start and end IPs of each of the ranges must be specified one after the other and separated by commas.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-IPv6Prefix<String>

Enables IPv6 address assignment for a VPN and specifies the prefix to use for the addressing.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-InternalInterface<String>

Specifies the name of the corporate network facing interface. In a single network adapter configuration the same name is specified for both internal and internet interfaces.
If a name is not specified, then the cmdlet attempts to detect the internal interface automatically.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-InternetInterface<String>

Specifies the name of the internet facing interface. In a single network adapter configuration the same name is specified for both internal and internet interfaces.
If name is not specified, then this cmdlet attempts to detect the internet interface automatically.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-MsgAuthenticator<String>

Specifies that the usage of message authenticator should be enabled or disabled. The acceptable values for this parameter are:
-- Enabled.
-- Disabled.
The default value is Disabled.
This parameter is applicable only when a RADIUS server is being configured for authentication.

Aliases

none

Required?

false

Position?

named

Default Value

Disabled

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-NlsCertificate<X509Certificate2>

Specifies that the Network Location Server (NLS) should be configured on the DA server itself and represents the certificate to be used. The subject name of the certificate should resolve to an address on the internal interface of the DA server.

Aliases

Certificate

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByValue)

Accept Wildcard Characters?

false

-NlsUrl<String>

Specifies that the NLS is present on a different server and represents the URL on the server that will be used to provide clients with location information.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-NoPrerequisite

Specifies that a prerequisite check should not be performed for DA.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-PassThru

Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-Prerequisite

Specifies that prerequisite checks should be performed. This parameter is part of a separate parameter set used to only run the prerequisite checks for DA.

Aliases

none

Required?

true

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-RadiusPort<UInt16>

Specifies the port number on which the RADIUS server is accepting authentication requests.
The default value is 1813.
This parameter is applicable only when a RADIUS server is being configured for authentication.

Aliases

Port

Required?

false

Position?

named

Default Value

1813

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-RadiusScore<Byte>

Specifies the initial score for the RADIUS server.
The default value is 30.
This parameter is applicable only when a RADIUS server is being configured for authentication.

Aliases

Score

Required?

false

Position?

named

Default Value

30

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-RadiusServer<String>

Specifies the IPv4 or IPv6 address, or host name, of the RADIUS server that is to be used for authentication. Specifying this parameter indicates that RADIUS authentication should be used for VPN.

Aliases

ServerName

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-RadiusTimeout<UInt32>

Specifies the timeout value for the RADIUS server, in seconds.
The default value is 5 seconds.
This parameter is applicable only when a RADIUS server is being configured for authentication.

Aliases

Timeout

Required?

false

Position?

named

Default Value

5

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-ServerGpoName<String>

Specifies the name of the GPO for the DA server. Specified in the format DOMAIN\GPO_NAME.
If a name is not specified, then a GPO with the following name is created in the domain of a DA server:
-- DirectAccess Client Settings.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-SharedSecret<String>

Specifies the shared secret between the RA server and the specified external RADIUS server, which is required for successful communication between the two servers. Note: The secret is specified in plain text.
It is mandatory to specify this parameter if a RADIUS server is being configured for authentication.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-ThrottleLimit<Int32>

Specifies the maximum number of concurrent operations that can be established to run the cmdlet. If this parameter is omitted or a value of 0 is entered, then Windows PowerShell® calculates an optimum throttle limit for the cmdlet based on the number of CIM cmdlets that are running on the computer. The throttle limit applies only to the current cmdlet, not to the session or to the computer.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-VpnType<String>

Specifies the type of VPN installation. The acceptable values for this parameter are:
-- Vpn.
-- VpnS2S.

Aliases

none

Required?

true

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-Confirm

Prompts you for confirmation before running the cmdlet.

Required?

false

Position?

named

Default Value

false

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Required?

false

Position?

named

Default Value

false

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

<CommonParameters>

This cmdlet supports the common parameters: -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer, and -OutVariable. For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/p/?LinkID=113216).

Inputs

The input type is the type of the objects that you can pipe to the cmdlet.

  • None

Outputs

The output type is the type of the objects that the cmdlet emits.

  • Microsoft.Management.Infrastructure.CimInstance#RemoteAccessCommon

    The Microsoft.Management.Infrastructure.CimInstance object is a wrapper class that displays Windows Management Instrumentation (WMI) objects. The path after the pound sign (#) provides the namespace and class name for the underlying WMI object.
    The RemoteAccessCommon object consists of the following properties:
    -- The status of DirectAccess: installed or uninstalled.
    -- The status of VPN: installed or uninstalled.
    -- The status of site-to-site VPN: installed or uninstalled.
    -- The status of load balancing: enabled or disabled.
    -- The name of the internet-facing interface of the Remote Access server.
    -- The name of the internal-facing interface of the Remote Access server.
    -- The SSL certificate which is used for IP-HTTPS and SSTP.

Examples

EXAMPLE 1

This example logs in as a test user who is not a domain user or an administrator on the server. This results in the error specifying that DA can only be configured by a user with local administrator permissions.

PS C:\> Install-RemoteAccess -Prerequisite

EXAMPLE 2

This example installs DA to allow remote clients to connect to corporate network. This cmdlet searches for Internet interface and Internal interfaces. If it finds both these interfaces (as in this example), the cmdlet configures DA in edge topology. In case the cmdlet does not find a public interface and the DeployNat parameter is not specified, the cmdlet will display the following error.

PS C:\> $remAccess = Install-RemoteAccess -DAInstallType FullInstall -ConnectToAddress edge1.contoso.com -PassThru

Note: The cmdlet automatically creates a Server and a Client GPO with default names in the domain to which the current computer is connected. The Client GPO will be filtered on the Domain Computers security group by default. The default settings can be modified using Set-DAClient.
This cmdlet will prompt the user that IPsec and Firewall policies will be updated. It will automatically try to locate a certificate for NLS and for IP-HTTPS (SSL certificate). If it does not find these, the cmdlet will prompt the user to create a self-signed certificate for the ones not found.

PS C:\> $remAccess.DAStatus
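
The following added example (not part of the original reference) runs the prerequisite checks on their own, stops on any failure, previews the install with -WhatIf, and then inspects the certificate the cmdlet selected. It assumes the object returned by -PassThru exposes that certificate as an X509Certificate2 in a property named SslCertificate; edge1.contoso.com is the sample name used on this page.

```powershell
# Added example, not Microsoft's code. $connectTo reuses the page's sample host.
$connectTo = 'edge1.contoso.com'

# Step 1: run only the prerequisite checks. Non-terminating failures are
# collected in $preErrors; the terminating case (server not domain-joined or
# Active Directory unreachable) is handled by the catch block.
try {
    Install-RemoteAccess -Prerequisite -ErrorVariable preErrors -ErrorAction SilentlyContinue
}
catch {
    Write-Error "Prerequisite check stopped: $($_.Exception.Message)"
    return
}
if ($preErrors.Count -gt 0) {
    foreach ($e in $preErrors) { Write-Warning "Prerequisite failed: $e" }
    return
}

# Step 2: preview, then install. -Force is deliberately omitted so the prompts
# about creating self-signed NLS and IP-HTTPS certificates remain visible.
Install-RemoteAccess -DAInstallType FullInstall -ConnectToAddress $connectTo -WhatIf
$ra = Install-RemoteAccess -DAInstallType FullInstall -ConnectToAddress $connectTo -PassThru

# Step 3: report the result and flag a self-signed or soon-to-expire certificate.
"DirectAccess status: $($ra.DAStatus)"
$cert = $ra.SslCertificate   # assumption: property name and type, see lead-in
if ($cert -is [System.Security.Cryptography.X509Certificates.X509Certificate2]) {
    if ($cert.Subject -eq $cert.Issuer) {
        Write-Warning "IP-HTTPS certificate $($cert.Thumbprint) is self-signed: $($cert.Subject)"
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "IP-HTTPS certificate $($cert.Thumbprint) expires on $($cert.NotAfter)"
    }
}
else {
    Write-Warning 'No certificate object returned; check the SSL certificate with Get-RemoteAccess.'
}
```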

EXAMPLE 3

This example will deploy DA behind another edge device (NAT box). In the example setup, the DA server has a single network adapter connected to the corporate network named corp.contoso.com. Note: The public interface of the NAT device is the one used in ConnectToAddress parameter. For a single network adapter behind NAT topology, the InternalInterface and InternetInterface parameters need to be mentioned, or the cmdlet will display an error that an external interface was not found.

PS C:\> Install-RemoteAccess -DAInstallType FullInstall -ConnectToAddress nat1.contoso.com -InternalInterface 'Internal Connection' -InternetInterface 'Internal Connection' -DeployNat

EXAMPLE 4

This example uses the ManageOut mode, in which network administrators can use DA to provision and manage remote computers without the user needing to be logged on to the computer. In this mode, however, the clients will not be able to connect to the corporate network via DA.

PS C:\> Install-RemoteAccess -DAInstallType ManageOut -ConnectToAddress edge1.contoso.com

EXAMPLE 5

This example installs standard VPN on the current computer. The Ipv6Prefix parameter contains the IPv6 prefix which would be used while assigning v6 addresses to the client. The IPAddressRange parameter is used to allocate a static pool of v4 addresses which will be used to assign v4 addresses to the clients connecting to the corporate network.

PS C:\> Install-RemoteAccess -VPNType VPN -IPv6Prefix 4ffe::/64 -IPAddressRange 10.0.0.100,10.0.0.200

EXAMPLE 6

This example installs a VPN with RADIUS server authentication. In this setup, radius.contoso.com is the RADIUS server and port 1812 is used to connect. Since RADIUS authentication is used, the SharedSecret parameter is mandatory.

PS C:\> Install-RemoteAccess -VPNType VPN -IPv6Prefix 4ffe::/64 -IPAddressRange 10.0.0.100,10.0.0.200 -RadiusPort 1812 -RadiusServer radius.contoso.com -SharedSecret s3cret
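
Because SharedSecret is a plain-text string and MsgAuthenticator defaults to Disabled, the added example below (not part of the original reference) prompts for the secret instead of typing it into the command line, where it would persist in history and transcripts, and enables the message authenticator explicitly. The helper name Install-VpnWithRadius, its -Preview switch and the minimum secret length are constructed for illustration; Get-RemoteAccessRadius is a cmdlet from the same RemoteAccess module.

```powershell
# Added example, not Microsoft's code. Install-VpnWithRadius is a hypothetical helper.
function Install-VpnWithRadius {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string]   $RadiusServer,
        [Parameter(Mandatory = $true)] [string[]] $IPAddressRange,
        [uint16] $RadiusPort      = 1812,   # value used in Example 6 on this page
        [int]    $MinSecretLength = 16,     # constructed policy value, adjust to local policy
        [switch] $Preview                   # passes -WhatIf to Install-RemoteAccess
    )

    # The page requires start/end pairs: Start1,End1,Start2,End2,...
    if ($IPAddressRange.Count % 2 -ne 0) {
        throw 'IPAddressRange must contain start and end addresses in pairs.'
    }

    # Read the secret without echoing it or placing it in command history.
    $secure = Read-Host -Prompt "Shared secret for $RadiusServer" -AsSecureString
    # -SharedSecret only accepts a String, so the plain text exists briefly here.
    $plain = (New-Object System.Net.NetworkCredential('', $secure)).Password
    try {
        if ($plain.Length -lt $MinSecretLength) {
            throw "Shared secret is shorter than $MinSecretLength characters."
        }
        $params = @{
            VpnType          = 'Vpn'
            IPAddressRange   = $IPAddressRange
            RadiusServer     = $RadiusServer
            RadiusPort       = $RadiusPort
            SharedSecret     = $plain
            MsgAuthenticator = 'Enabled'    # default is Disabled
            PassThru         = $true
        }
        Install-RemoteAccess @params -WhatIf:$Preview
    }
    finally {
        # Drop the plain-text copy and release the SecureString.
        $plain = $null
        $secure.Dispose()
    }

    # After a real install, show the RADIUS settings that were stored.
    if (-not $Preview) { Get-RemoteAccessRadius }
}

# Preview run with the sample values from Example 6.
Install-VpnWithRadius -RadiusServer radius.contoso.com -IPAddressRange 10.0.0.100,10.0.0.200 -Preview
```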

EXAMPLE 7

This example sets up a site-to-site VPN. The first step is to import the ServerManager module and add the Routing feature. This cmdlet is used to configure the site-to-site VPN. The IPv6Prefix parameter is required to enable IPv6 here. The Add-VPNS2SInterface cmdlet is used to configure endpoints.

PS C:\> ipmo ServerManager
PS C:\> Add-WindowsFeature -Name routing -IncludeManagementTools
PS C:\> ipmo remoteaccess
PS C:\> Install-RemoteAccess -VpnType VpnS2S -IPv6Prefix fe80::/64 -PassThru
PS C:\> Add-VpnS2SInterface -Name EDGE1 -Destination 131.107.0.20 -Protocol IKEv2 -AuthenticationMethod PSKOnly -SharedSecret abc -IPv4Subnet 10.2.0.0/24:100 -IPv6Subnet 2001:db8:2::/64:100

Add-VPNS2SInterface

Get-RemoteAccess

Set-DAClient

Set-DAServer

Set-RemoteAccess

Uninstall-RemoteAccess