MCTS 70-680: Windows 7 DirectAccess


Uploaded by itfreetraining on 25.11.2011

Transcript:
Welcome back to your free Windows 7 training course. In this video I will look at DirectAccess.

Nowadays a lot of users are mobile or work from home. In order to communicate with the office they often create a VPN connection back to the head office. This requires the user to establish the connection through either a Windows VPN connection or third-party VPN software. DirectAccess is a new feature in Windows 7 that automates the process of connecting back to the office. Using DirectAccess the computer transparently connects back to the corporate network with no interaction from the user; they don't even have to enter a password. Authentication is done with the computer's certificate and the domain credentials from the user's normal logon, so there is no separate VPN password to enter.

In order to use DirectAccess you need to be running the Enterprise or Ultimate edition of Windows 7. With DirectAccess you can determine who can use DirectAccess and also which servers they can connect to. DirectAccess also supports NAP, or Network Access Protection. NAP is a system which performs a number of compliance tests on the computer before it is allowed on the network. These compliance checks can involve ensuring antivirus software is installed and enabled, a firewall is operating and the latest Windows updates have been installed. If you have NAP configured on your network, DirectAccess will first check with NAP to make sure the computer is compliant before allowing it on the network.
DirectAccess requires IPv6 and IPsec to run. Even though IPv6 support is improving, a lot of networks still don't support IPv6. To get around this, DirectAccess supports IPv6 transition technologies. If the transition technologies do not work, which may be due to firewalls between you and the corporate network, DirectAccess will use IP-HTTPS. HTTPS uses a very common port, TCP 443, which should be open on most firewalls, and it also runs over IPv4 networks.

To start using DirectAccess you need to meet quite a lot of requirements. Firstly, on the back end you need to be running Windows Server 2008 R2; Windows Server 2008 does not support DirectAccess. You also need a Windows Server 2008 or 2008 R2 domain controller and DNS infrastructure. On top of this you also require a public key infrastructure. This provides the certificates DirectAccess uses to authenticate the IPsec tunnels and the IP-HTTPS server.
If you have all this on your network, you are also going to need to install a second network card in the server running DirectAccess. One network card is used for the public network (it needs two consecutive public IPv4 addresses, because Teredo requires them) while the other network card is used for the corporate network. As you can see, there is a lot of infrastructure required to run DirectAccess. Once all this infrastructure is in place you next need to configure your IPsec policies and IPv6 transition technologies. There is a lot that goes into DirectAccess, but before I show you how to configure a client to use DirectAccess I am first going to look a little more closely at how DirectAccess works.
When your computer starts up it checks to see whether it is connected to the corporate network. It does this by trying to reach an internal resource, the network location server, which is a web server that can only be reached from inside the corporate network. In this case it will succeed, since the computer is directly connected to the corporate network.

If I move the computer out of the corporate network and connect it to the internet, the computer will no longer be able to reach the company's servers directly. Since the computer can't reach the corporate network, it will now automatically attempt to connect to it using DirectAccess. If the client has a public IPv6 address it will connect directly to the DirectAccess server over the IPv6 network. If the client has a public IPv4 address it will then attempt to connect using 6to4. 6to4 does not work through NAT, so if you are behind a NAT device DirectAccess will use Teredo, which is designed to cross IPv4 NAT devices. Lastly, if all else fails, perhaps because a firewall blocks the UDP traffic Teredo uses, DirectAccess will attempt to use IP-HTTPS to make the connection. Now that you understand how DirectAccess works, let's have a look at how you would configure it.
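The selection order just described can be worked through for a given client address. The following PowerShell is an added example written for this page, not code from the video or from Microsoft: it classifies the client's address and, for a public IPv4 address, derives the 6to4 prefix the client would use. It assumes an IPv4-only client has no native IPv6, treats any IPv6 input as a global address, and uses a constructed -UdpBlocked switch to stand in for "a firewall drops Teredo's UDP traffic"; the sample addresses at the bottom are made up.

```powershell
# Added example (not from the video): which IPv6 transition technology will a
# DirectAccess client try first, given the address it has on the road?

function Test-PrivateIPv4 {
    # True when the address is not reachable from the internet, i.e. the client
    # sits behind NAT (or has no usable address), which rules out 6to4.
    param([Parameter(Mandatory = $true)][System.Net.IPAddress]$Address)
    $b = $Address.GetAddressBytes()
    $rfc1918 = ($b[0] -eq 10) -or ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or ($b[0] -eq 192 -and $b[1] -eq 168)
    $cgnat   = ($b[0] -eq 100 -and $b[1] -ge 64 -and $b[1] -le 127)   # 100.64.0.0/10, carrier-grade NAT
    $apipa   = ($b[0] -eq 169 -and $b[1] -eq 254)                      # 169.254.0.0/16, no DHCP lease at all
    return ($rfc1918 -or $cgnat -or $apipa)
}

function Get-6to4Prefix {
    # 6to4 embeds the public IPv4 address in the IPv6 prefix: 2002:WWXX:YYZZ::/48
    param([Parameter(Mandatory = $true)][System.Net.IPAddress]$Address)
    $b = $Address.GetAddressBytes()
    '2002:{0:x2}{1:x2}:{2:x2}{3:x2}::/48' -f $b[0], $b[1], $b[2], $b[3]
}

function Get-DirectAccessTransitionHint {
    param(
        [Parameter(Mandatory = $true)][string]$Address,
        [switch]$UdpBlocked   # constructed flag: outbound UDP to the Teredo server is filtered
    )
    $ip = [System.Net.IPAddress]::Parse($Address)

    # Assumption: an IPv6 address given here is a global one.
    if ($ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        return 'Native IPv6: the client reaches the DirectAccess server directly, no transition technology needed'
    }
    if (-not (Test-PrivateIPv4 $ip)) {
        return "6to4: public IPv4 address, client would use prefix $(Get-6to4Prefix $ip)"
    }
    if (-not $UdpBlocked) {
        return 'Teredo: private IPv4 address means the client is behind NAT, so 6to4 cannot be used'
    }
    return 'IP-HTTPS: behind NAT and Teredo UDP traffic is blocked, falls back to HTTPS over TCP 443'
}

# Constructed sample inputs (documentation and private ranges, not real hosts)
Get-DirectAccessTransitionHint -Address '2001:db8::10'
Get-DirectAccessTransitionHint -Address '203.0.113.5'      # public: 6to4, prefix 2002:cb00:7105::/48
Get-DirectAccessTransitionHint -Address '192.168.1.20'     # behind NAT: Teredo
Get-DirectAccessTransitionHint -Address '192.168.1.20' -UdpBlocked
```

The real client also drops back from 6to4 to Teredo when protocol 41 is filtered even though the address is public; the function keeps only the address-based rule from the text, so treat its answer as the first thing the client will try rather than a guarantee of what ends up working.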
First of all I will look at configuring DirectAccess using group policy. To do this, open the local group policy editor from the start menu by running gpedit.msc. From group policy expand down through Computer Configuration, Windows Settings and then Name Resolution Policy. From here select the option DNS Settings for DirectAccess. For DirectAccess to work, it needs to be able to contact a DNS server on your network. Once I enable DNS Settings for DirectAccess I can add the DNS servers that will be used with DirectAccess. These are entered as IPv6 addresses, and the client must be able to reach them from the internet through the DirectAccess tunnel. The same rule also has a web proxy setting; that tells the client which proxy to use for web traffic to this namespace and does not forward DNS queries, so the DNS servers themselves still need to be reachable over the tunnel. If you want additional protection you can tick the box "Use IPsec in communication between the DNS client and DNS server". This of course requires your DNS server to be configured to use IPsec.

DirectAccess does require IPv6 to work. Even though support for IPv6 is improving, in most cases when you are out and about you won't have a complete IPv6 path between you and your office. To get around this, DirectAccess supports IPv6 transition technologies. To configure these, go to Administrative Templates, Network, TCPIP Settings and IPv6 Transition Technologies. In here you can see the settings for each IPv6 transition technology. Hopefully one of them will allow DirectAccess to connect back to your office.

Group policy is one way that you can configure DirectAccess. You can also configure DirectAccess using netsh. Generally speaking, you will want to use netsh in scripts or when you only have a few computers to configure. If you have a lot of computers to configure you are best off using group policy, but netsh can also be useful for troubleshooting. Just remember that if you use group policy, the policy settings take precedence over anything configured with netsh and are reapplied every time the policy refreshes.
To use netsh, first open a command prompt with administrative rights. The first command I want to look at sets up the Teredo client for use with DirectAccess. This command simply sets the name or IP address of the Teredo server that you want to use. The next command configures the address of the 6to4 relay, if you have 6to4 configured on your network. Lastly, you can always configure IP-HTTPS to encapsulate the traffic for you; this command adds the URL of your IP-HTTPS server.
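The three settings above, applied with netsh from an elevated PowerShell prompt. This is an added example written for this page, not the commands shown in the video: the netsh syntax is the standard Windows 7 syntax, but the server names and the IP-HTTPS URL (teredo.contoso.com, 6to4.contoso.com, https://da.contoso.com:443/IPHTTPS) are placeholders and must be replaced with your own.

```powershell
# Added example (not from the video): set the DirectAccess client's transition
# technologies with netsh, stopping on the first failure instead of moving on.

function Assert-Elevated {
    # netsh refuses these changes from a non-elevated prompt; fail early and clearly.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from a command prompt or PowerShell window started as administrator.'
    }
}

function Invoke-Netsh {
    # Run one netsh command; netsh reports failure through its exit code.
    param([Parameter(Mandatory = $true)][string[]]$Arguments)
    $output = & netsh.exe $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw ("netsh $($Arguments -join ' ') failed (exit code $LASTEXITCODE): $output")
    }
    $output
}

function Set-DirectAccessClientTransition {
    param(
        [string]$TeredoServer   = 'teredo.contoso.com',               # assumed placeholder
        [string]$SixToFourRelay = '6to4.contoso.com',                 # assumed placeholder
        [string]$IpHttpsUrl     = 'https://da.contoso.com:443/IPHTTPS' # assumed placeholder
    )
    Assert-Elevated

    # Teredo: "enterpriseclient" keeps Teredo active on a domain-joined machine,
    # which is the type DirectAccess clients use.
    Invoke-Netsh @('interface', 'teredo', 'set', 'state', 'type=enterpriseclient', "servername=$TeredoServer")

    # 6to4: only comes into play when the client has a public IPv4 address.
    Invoke-Netsh @('interface', '6to4', 'set', 'relay', "name=$SixToFourRelay", 'state=enabled')

    # IP-HTTPS: the last resort, tunnelled over TCP 443.
    Invoke-Netsh @('interface', 'httpstunnel', 'add', 'interface', 'type=client', "url=$IpHttpsUrl", 'state=enabled')
}

Set-DirectAccessClientTransition
```

If an IP-HTTPS client interface already exists, "netsh interface httpstunnel set interface" with the same arguments updates it instead of "add interface". Remember that on a domain member these values only hold until group policy next applies its own.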
Once you have configured your DirectAccess client, you can also use netsh to troubleshoot problems. The first command I want to look at is netsh namespace show policy. This command shows the name resolution policy table that is configured on this computer. Name resolution is important when using DirectAccess: if your computer can't contact the DNS servers at your office it will not be able to set up its DirectAccess connection. This command shows the settings configured for the name resolution policy, but that does not mean these are the settings currently in use.

The next command, netsh namespace show effectivepolicy, shows the settings that are actually in effect on the computer. In this case the command is telling me that if this computer were on the internal corporate network then DirectAccess would be disabled. If you are sure that you have configured the settings correctly on the computer, run this command to find out which settings ended up being applied.

If you are using IP-HTTPS to connect back to your office, run netsh interface httpstunnel show interfaces. This shows you the current state of the DirectAccess IP-HTTPS connection. The next command, netsh interface teredo show state, shows the current Teredo status; if you are using Teredo, this command will help you determine whether Teredo is working correctly. The equivalent command exists for 6to4, netsh interface 6to4 show state, which shows you the status of 6to4 and should help you troubleshoot any problems there.
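The four queries above, run together and reduced to the fields a troubleshooter looks at first. This is an added example written for this page, not from the video. It relies on the "Name : value" layout of netsh output and on the field labels these commands print on Windows 7 (State, URL, Interface Status, Last Error Code, Namespace); the test for the "inside corporate network" note is an assumption about that message's wording and is only used as a hint.

```powershell
# Added example (not from the video): one call that gathers the netsh
# troubleshooting output for a DirectAccess client and adds plain hints.

function Get-NetshField {
    # Pick the value of the first "Name : value" line matching $Name.
    param([string[]]$Lines, [string]$Name)
    $pattern = '^\s*' + [regex]::Escape($Name) + '\s*:\s*(.+?)\s*$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) { return $matches[1] }
    }
    return $null
}

function Get-DirectAccessClientStatus {
    # @() keeps single-line output as an array so the parsing below is uniform.
    $teredo  = @(netsh interface teredo show state)
    $relay6  = @(netsh interface 6to4 show state)
    $iphttps = @(netsh interface httpstunnel show interfaces)
    $policy  = @(netsh namespace show effectivepolicy)

    $teredoState  = Get-NetshField $teredo  'State'
    $iphttpsUrl   = Get-NetshField $iphttps 'URL'
    $iphttpsState = Get-NetshField $iphttps 'Interface Status'
    $iphttpsError = Get-NetshField $iphttps 'Last Error Code'
    $ruleCount    = @($policy | Where-Object { $_ -match '^\s*Namespace\s*:' }).Count
    # Assumption: the effectivepolicy note about the corporate network contains these words.
    $insideCorpnet = [bool]($policy -match 'inside corporate network')

    # Hints in the order the client tries things: location, name resolution, transport.
    $hints = @()
    if ($insideCorpnet) {
        $hints += 'Effective policy says this machine is inside the corporate network, so DirectAccess is switched off here; that is expected on the LAN.'
    }
    if ($ruleCount -eq 0) {
        $hints += 'No NRPT rules are in effect, so the client has no DNS servers for the office namespace; check the DNS Settings for DirectAccess policy.'
    }
    if ($teredoState -eq 'offline') {
        $hints += 'Teredo is offline: the client is on the corporate network, has a public address (6to4 applies), or cannot reach the Teredo server over UDP 3544, in which case IP-HTTPS is the fallback.'
    }
    if ($iphttpsError -and $iphttpsError -ne '0x0') {
        $hints += "IP-HTTPS last error $iphttpsError: check that $iphttpsUrl resolves, is reachable on TCP 443 and presents a certificate the client trusts."
    }

    New-Object PSObject -Property @{
        TeredoState      = $teredoState
        SixToFourState   = Get-NetshField $relay6 'State'
        IpHttpsUrl       = $iphttpsUrl
        IpHttpsStatus    = $iphttpsState
        IpHttpsLastError = $iphttpsError
        NrptRuleCount    = $ruleCount
        InsideCorpnet    = $insideCorpnet
        Hints            = $hints
    }
}

Get-DirectAccessClientStatus | Format-List
```

The show commands do not need an elevated prompt, so this can be run by a user on the road and the output pasted into a ticket. A Teredo state of "dormant" is normal when no traffic has flowed recently; only "offline" is worth a second look.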
In order to start using DirectAccess you also need to configure Windows Server 2008 R2. That topic is beyond the scope of this course, but hopefully you have learnt enough in this video to start troubleshooting DirectAccess problems on your network.

In the next video I will look at mobility options in Windows 7. With more and more people working away from the office or at home on a regular basis, understanding the new features that Windows 7 has in the way of mobility options is an important skill to have.

For more free videos, please check out our web page or YouTube channel. Thanks for watching.