Tag Archives: VPN

How to configure Direct Access? – Part 03

In previous post I explain how to install the direct access services. In this post let’s look in to the configuration process in detail level.  If you not read the previous posts yet you can find them in here.

How to configure Direct Access? – Part 01
How to configure Direct Access? – Part 02

Remote Clients

With windows 7 and windows server 2008 R2 Direct access uses a solution accelerator called DCA ( DirectAccess Connectivity Assistant) which will be installed on direct access client computers. It helps to troubleshoot the connectivity problems with direct access servers, identify the connection scope (intranet or internet).

With windows 8, it is replaced with NCA (Network Connectivity Assistant) and it is included with the operating system itself.

In the Direct Access setup we can define who will be using the DirectAccess service in the organization. Let’s see how we can do that.

1)    From the “Remote Access Management Console” under the step 1, click on configure. ( in previous post I explain how to open this wizard )

da1

2)    Then in next window select the option “Deploy full DirectAccess for client access and remote management” and click next. As it explain this option allows directaccess client to connect via internet in to internal network and administrators can manage these clients remotely.

da2

3)    In next window we can define which security groups in organization can use the directaccess services. Click on “add” to proceed. Here in demo I add security group called “Remote Clients” which I already setup in the AD. Once done click next to continue.

da3

da4

Note- If you using forefront UAG with force tunneling make sure you select option “use force tunneling” in the window.

4)    As I explain in beginning, NCA in client computers used to troubleshoot connectivity problems. In here it allows to define a test resource which can use to test the validity of the connection. This must be a FQDN which is always allows for DirectAccesss clients. (For ex- CMS, Billing Portal). In window you also can define the helpdesk email address and name for the DirectAccess connection. Also if you wish to use local dns name resolution make sure you select the option “Allow DirectAccess clients to use local name resolution”. Once you done click on Finish to continue.

da5

Remote Access Server

In direct access setup this server will act as the gateway which connects external network with the internal network. This server typically needs to run with 2 NIC at least which will represent internal and external networks.

To proceed with the configuration,

1)    From the “Remote Access Management Console” under the step 2 (Remote Access Server), click on configure

da6

2)    In the wizard it ask to define the relevant network topology. By default its selected with “Behind an edge device”. I will also use same setup. Also here we need to define the ip address or the FQDN which direct access clients uses to connect. Once configuration done, click next to continue.

da7

3)    In next window, it gives option to define the NIC cards to represent internal and external networks. Note – it is easy to identify them if you rename the network connections on the server. It also gives option to select the digital certificate for IP-HTTPS connections.

If you are not going to use specific SSL, use option ”Use a self-signed certificate created automatically by DirectAccess” and click next.

da8

4)    In next window it gives lot of options to use for the authentication.  You can use AD username and password to connect or else can go with two-factor authentication to use with smart cards or OTP (one time password). If you needs, you can use computer certificates for authentication as well. If company still deals with windows 7 clients make sure you select option “Enable Windows 7 client computers”. If company uses NPS (network protection server) we also can force direct access clients to use NPS using option “Enforce corporate compliance for DirectAccess clients with NAP”. Once done with configuration, click on finish to proceed.

da9

Infrastructure Servers

Now we have the gateway server configured. Now we need infrastructure servers to support DirectAccess setup. For ex- DNS servers, NLS (Network Location Server), WSUS server etc. 

One of the great feature of direct access is it’s automatically detects the location of the client computer. This is doing by the NLS (Network Location Server). Let’s assume we have internal CMS, this can use as the NLS in Direct Access setup. So once client connects it will check if it can connect to given CMS url, if its can it assume client is in local network and automatically disabled direct access components. If its cant access it will assume user connects from external network and enables the direct access connections. But you need to maintain high availability on the NLS.

To proceed with the configuration,

1.    From the “Remote Access Management Console” under the step 3 (Infrastructure Server), click on configure

da10

2.    In wizard, define the NLS url. It needs to be a HTTPS url. Click next to continue.

da11

3.    In next window we can verify the DNS suffixes and internal DNS servers direct access will use. Click next to continue.

da12

4.    In next window make sure domain suffixes are correctly used. Click next to continue.

da13

5.    In next window we can define the management servers such as WSUS. Once done click on finish to proceed.

da14

Application Servers

If required we can add extra level of authentication to the servers which runs with critical data. Using the application servers setup wizard we can define those servers which need extra authentication.

To proceed with the configuration,

1.    From the “Remote Access Management Console” under the step 4 (Application Server), click on configure

da15

2.    To enable it, you need to select option “Extend authentication to selected application servers” option. In here you can select the security groups containing the servers which required extra authentication.

da16

Note – Direct Access is required IPv6 addressing in place to operate. So organization should prepare for this in planning stage and implement any transitioning mechanism required.

This is the end of direct access setup, due to the limitation of the demo environment I can’t show all of the configuration associated with direct access (IPv6 configuration, transitioning methods etc.) but I covered core configuration involves with the direct access setup. if you have any questions feel free to contact me on rebeladm@live.com

How to configure Direct Access? – Part 02

This is the part 02 of the series of articles which explain the setup and configurations of DirectAccess Feature. In Part 01 of the series I explain what is directaccess and use of it. If you not read it yes you can find it here How to configure Direct Access? – Part 01

In here for the demo I am using windows server 2012 R2 and the domain functional level also runs with same version.

Before we move in to any remote access solution configuration (either direct access or VPN) first we need to add the “Remote Access Role”. To do that,

1)    Log in to the server as member of domain administrator or enterprise administrator security group.
2)    Server Manager > Add Roles and Features

da1

3)    It will open up the wizard and click next to continue

da2

4)    Select option “role-based or feature-based installation” and click next

da3

5)    From the server selection I keep the default and click next

da4

6)    From the server roles list, put tick box on “Remote Access” option and click next

da5

7)    From the features list keep default and click next

da6

8)    In next window it gives explanation about  remote access role and click next to continue

da7

9)    On role service list click on “DirectAccess and VPN (RAS)” option to select. Then it will prompt to add related features. Click add feature to add them

da8

10)    If the deployment also need routing services make sure to add “Routing” option too. Then click next to continue

da9

11)    Then it will show description about web server role. Click next to continue
12)    For IIS role services keep default and click next to continue
13)    Then it will give confirmation about roles and features which will add and click install to continue.

da10

14)    Then it will start the installation

da11

15)    After it is completed close the console to exit from the wizard.

Now we have the role services installed. The next step is to configure the directaccess services. To start the process there is 2 options. 

1)    DirectAccess Getting Started Wizard
2)    Remote Access Setup Wizard

DirectAccess Getting Started Wizard” will allow to configure DirectAccess quickly with default recommended settings. But this will not give much control over the options.

These both options can run from the Remote Access Management Console. To open the console,

1)    Go to Server Manager > Tools > Remote Access Management

da12

2)    Then it will load the mmc and from there select DirectAccess and VPN and configuration section in left hand panel

In here for the demonstration I will be using the option “Remote Access Setup Wizard”.

1)    To run the wizard click on the option from Remote access mmc.

da13

2)    Then it will open new wizard to configure remote access. From the console since we only plan to setup directaccess, select option “Deploy DirectAccess Only

da14

3)    Then in next window it shows 4 main steps to complete the configuration. In some setup all 4 options will not apply. For example some time remote access server role will holds by the infrastructure or the application server.

da15

Before go in to the configurations, let’s see what these each steps means.

Step 1 Remote Clients – In here we can define which users, security groups allow to use direct access services. For ex- in organization we only needs to allow Sales group to use the directaccess services.

Step 2 Remote Access Server – This will be the edge server/gateway server for the direct access infrastructure. Basically this server will holds minimum of 2 network interfaces to represent local network and the public network. In here it also possible to specify to use smart cards or the certificate authority for secure communication.

Step 3 Infrastructure Servers – This allows to configure access to infrastructure services. For ex- active directory services, web services, dns services etc.

Step 4 Application Servers – This allow to configure end-to-end secure authentication between applications and directaccess components.

This is the end of part 02 of the direct access configuration series and in next post I will demonstrate configuration of above 4 steps. If you have any questions feel free to contact me on rebeladm@live.com

How to configure Direct Access? – Part 01

If someone in your organization ask how he/she can connect to the internal network from remote location, the solution which will come to your mind (most of time) will be “VPN” (Virtual Private Network). Once you setup VPN server in your local network you can allows the users from any remote location to “dial-in” to the server and make particular device in part of network. This communication will happen via secure channel.

All most all of switch/router/firewall manufactures build their products with integrated VPN servers and also we can find ton of VPN server softwares in internet nowadays. Even this solutions works very well there are few common issues. As we know most of the time the people on travel are either company sales staff or management staff. Unfortunately most of them are not too technical. So you need to spend time on training them how to use VPN client in device. Also the troubleshooting is nightmare if they come up with any sort of error. Believe me most of the time they do not know to tell beyond just “VPN is not working”. No offense but this is what mostly happen. Another issue VPN have is connectivity. We cannot expect “solid” internet connections when you travels. It can be hotel wifi, coffeshop wifi, client’s public wifi etc. which used to dial in to the VPN. If the connection is dropping VPN will kick you off from VPN. So you have to dial it in again. But some time you even not know if you already kick off from VPN. So may be most of you time on travel you spend on clicking on “connect” button on your vpn client.

What is direct access?

Along with windows 7 and windows 2008 R2 Microsoft introduce new feature called “DirectAccess”. It is Microsoft product and it act as “always-on” connection from remote location to local network. So remote clients will be automatically connect to the local network and with each and every connection drop it will establish the connection without user interact. This feature is works based on IPsec and IPv6. So if your network is not yet move in to IPv6 you need to use transition mechanism such as Trendo, 6to4 etc to use it along with IPv4.

Once DirectAccess configured when you switch on a device first it will check if it’s connected to the corporation network with local area network. If it’s not it will automatically make connection with direct access server. As I mentioned before this connection will be made based on IPsec and IPv6. If system is not using IPv6 yet it will use transition mechanism which setup by the corporation. Then if Network Policy Server (NPS) setup with policies, the device health will be checked against them before grant access to the network. If its meets the health requirements to be a part of network it will issue health certificate which will submitted to the direct access server for authentication.

Requirements for DirectAccess

To get direct access up and running in your network needs following,

1)    It must be active directory domain environment and must be running at least with windows 2008 R2 domain functional level.
2)    The server which will run directaccess server role must be added to the domain.
3)    DirectAccess clients must be running Windows 7 Enterprise, Ultimate versions or upper. It will not works with home or starter editions. All devices must be member of domain.
4)    DirectAccess server must be available for access via internet. It means it should be able to access via a public ip address.
5)    If network is not running with IPv6, transitioning technologies such as 6to4, Teredo, ISATAP should be available to use with direct access server.
6)    PKI (public key infrastructure) to issue certificates for devices authentication. Direct access server must have SSL installed and must contain valid FQDN which can be access from internet.

This is the end of Part 1 of series of articles which will explain the setup process of DirectAccess role. If you have any questions feel free to contact me on rebeladm@live.com

How to configure VPN ? Part 2

This is the part 2 of the series of articles which explains complete setup of VPN in windows server environment.

Allow VPN connections to the server ( 25 connections for the setup)

1.    Open remote and routing mmc by start > administrative tools > routing and remote access.
2.    in the routing and remote access mmc, expand the section with server name, and then right click on “ports” and then click “properties”

v1

3.    In the port properties dialog box. Double click “WAN Miniport (SSTP)”

v2

4.    In the configure device – WAN miniport (SSTP) dialog box, assign a value of 25 in the Maximum ports box and click ok.

v3

5.    In routing and remote access dialog box, click yes to continue

v4

6.    In the port properties dialog box, double click WAN Miniport(PPTP), and in the configure device –WAN Miniport (PPTP) dialog box, assign the value of 25 in the maximum ports box and click ok.

v5

7.    In the routing and remote access dialog box, click yes. Then repeat the step to do the same config for WAN Miniport (L2TP)

v6

Configure Network Policy

It is import to apply the network policies to control the access. In this demo I will explain how to make custom network policy on the NPS.

1.    To open NPS mmc go to start > administrative tools > Network policy server

v7

2.    In the mmc expand the “Policies”, right click on “Network Policies” and then click new.

v8

3.    In the next windows type name for the policy in policy name box and in the “type of network access server” drop down list click “remote access server (VPN-Dialup) and then click yes.

v9

4.    On the specify condition page, click add on the select condition dialog box, scroll down and double click on tunnel type.

v10

5.    In tunnel type dialog box type L2TP,PPTP and SSTP click ok .

v11

6.    Also can configure the users group who allowed for the VPN connection. This is a good controlling method and secures method rather than allowing every one for VPN.

7.    To do it again in condition page click add and then from the pop up select “users groups” and double click

v12

8.    On the next window can select the groups’ needs to allow for the connection. Then click ok twice on open windows to continue.

v13

9.    After define conditions, click next to continue.

10.    On the specify access permissions page, leave the default of access granted and click Next.

v14

11.    On the configure authentication methods page, clear MS-CHAP and click yes as in this setup not using it.

v15

12.    On the next page, under constrains, click day and time restrictions and in the detail panel select allow access only on these days and times and click edit.

v16

13.    Using this method it’s possible to control when its open for VPN connections. In the day and time restriction box, click on the first blue rectangle in the left hand corner the represent Sunday midnight to 1am. Hold the mouse button and drag the cursor ot highlight all of Sundays. Click denied. Repeat this for Saturday. The idea of this is to prevent VPN dial in over the weekends. To complete click ok and then next.

v17

14.    On the configuration setting page, under settings click encryption and in details window clear all settings except strongest encryption (MPPE 128-bit). This is the encryption standards which only allow. Click next then finish.

v18

This will create the custom policy to apply for the vpn connections.

WHY VPN ?

When most business grows it mostly will expand in to different branches in different geographical locations. It may be expanding its sales to different areas even to different countries. It creates new situations to apply appropriate networking technology solutions which help for company operations. The branch offices will need to be part of the cooperate network to access company data and continue on operations. There can be sales peoples who conducts demonstrations from remote locations which also need to access cooperate network time to time. Since “virtual office” concept is growing there can be employees who works remotely which also need to be part of the cooperate network.

The old and traditional way of doing this setup is to use “Leased Lines”. In this solution each branch office, sales peoples, remote workers will connect to the cooperate network via dedicated communication links. The connection is almost will be physical connections using cable media and the link will be fully dedicated for communication between those selected points (ex- Cooperate office to Branch office). The connection will be secure and runs with high bandwidth.

vpn1

Even though it’s reliable, high bandwidth secure lines there are some issue involves applying this solution for most of the modern day requirements. Let’s examine few of the issues in details.

Issue

Description

Cost

 

 

 

 


The main particle issue on using these is cost. To create dedicated line between two locations it need more man power, resources. There for the cost for getting such connection is very high. When the distance between locations and required bandwidth increase, the line cost also increases. If it’s between countries it will involves with many different ISP (internet Service providers) which increases implementation and operational cost.

 

No Mobility Sometime sales representatives, management staff can be traveling in to different locations for business presentations, training etc. stay on those locations can be temporally for few hours or days. If they need to get access to cooperate network with leased line it’s impossible. You can’t bring lease line to any place you go. Leased line will be permanent physical connection to particular location and will not support for mobile use.  

Implementation Complexity and Time

The implantation of leased lines can be more complex. Some time you may need to work with few different ISP in different geographical areas. Some time it can take months to perform a lease connection between two locations. It will defiantly effect on company operations. Also let’s say there is manager who is in business trip for certain product presentations. He wants to connect cooperate network to get some data. It is obviously not practical to get leased line for it. Even it’s possible it will not be instant, can take days, weeks to do it.

 

Service Provider Dependency

Once leased line in place between branch offices and cooperate network, let’s assume it get connection issues. To get it fixed you have to get the service provider who provided the link. Even though it’s too critical for operations you have to wait till they fix it. You can’t simply connect through different service provider. Even you switch service providers it can take days, weeks to get them to lay new leased line.

 

Is there any other solution than lease line which can use without these types of issues? Yes it is we called it as VPN (Virtual Private Network). Its simply creates “virtual” private network similar to leased line over public network. So there is no physical leased line, but it creates secure tunnel between two locations over Internet. This we can also call as virtual leased line. Most of ISP, provides VPN solutions which will suite your requirement but you also can create your own VPN solutions based on VPN appliance or based on software such as windows routing and remote access.

vpn2

Even Though its make connection over the internet it is secure tunnel which transfer only encrypted data. There are many security protocols that VPN can configure with.

•    IPSec ( IP Security )
•    L2TP ( Layer 2 tunneling Protocol )
•    PPTP ( Point to Point tunneling Protocol )
•    SSL/TLS ( Secure Socket Layer/Transport Layer Security)

First 3 methods are works on OSI network layer. When use this most of the time it will need a VPN client install on the host to connect to the VPN server or appliance.

The SSL/TSL is works on OSI Transport layer. So it will be working on industry standard SSL port 443 and no need to use custom ports for VPN connections. The connection setup from client end is easy as it can be perform via web browser.

One of the main advantage of VPN is the low implantation and operation cost. If you have public ip with proper internet connection you can simply setup your on VPN server and allow the clients to dial in to it. You do not need to spend money on additional hardware, services, and resources for it. The operation cost also will be very low or null. For ex Microsoft Remote Access solution is comes with the windows server operating system in built. To set it up all you need to do is add the role and configure it. It will not involve any license cost, monthly fees, maintains fees or services charges like we do have with leased connections. 

The other beauty of VPN is that it support for mobility. As we discussed it do not have any physical connection between the locations. If you have internet connection you can use VPN to connect to cooperate network from anywhere in the world. It can be via your mobile, smart phone, pad, laptop etc. This is very best solution for mobile sales peoples, management staff which travels on business matters. All they need is working internet connection. It doesn’t matter if you in hotel, road, airport, bus stop if you connected to VPN you will be part of corporate network.

One of another advantage of using VPN is it will not have dependency on service providers. There are certain situations such as cooperate site-to-site VPN solutions which may use via service provider but majority of the VPN connection solutions are not depend on the service provider. In leased line if you got connection from particular ISP you always have to depend on that service provider to get connected. If line has issues you have to wait till they fix it. But in VPN solutions all you need is working internet connection. It doesn’t matter which ISP you connects from. For ex- In home office let’s assume you using VPN connection to connect to office network. While you working, the DSL connection you using as primary internet connection starts to drop. But you have mobile internet connection from another service provider. You can simply plug in the dongle and connect to VPN via and continue your work. You will not need to change any VPN connection settings to do it.

If you take a leased line solution some time it may be a combination of different ISP, different technologies. There for to maintain/troubleshoot it will take time and complex routine. But on a VPN it’s easier to maintain and troubleshoot. Mostly it will be due to failure of internet connections. Other than that very rarely it involves any complex troubleshooting routine specially because no physical connection.

Considering all these facts it’s obviously VPN is the best solution to use for remote access.

There are different solutions such as Remote desktop Services, Terminal services, Citrix Solutions which can use for the remote access. All those have different pros and cons but here I only compare the leased line solution and the VPN solution.