Microsoft Direct Access has just been released and there is always a lot of hype with new solutions. However this one has truly impressed me and I hope to see some serious market uptake.
I recently had the opportunity to assist with New Zealand’s first production implementation of this, in conjunction with Microsoft Prof Services and I'll try to detail the experience below.
The first thing you need to know is that Direct Access is awesome, but comes with some friends. Like the hot blonde you're excited to let into your party, until you see the not-that-hot friends she's bringing too.
In this case I'm referring to IPv6 and Public Key infrastructure (PKI). Both technologies have very nice personalities, but they are a lot of work and aren't good looking enough to sell to your boss. If you create a plan to get these technologies in place properly, in addition to the Direct Access planning, you'll do fine.
Public Key Infrastructure
The catches;
- Whatever server to decide to make your Certificate Authority will be with you for a long, long time. Virtualize if possible and choose a smart name.
- Lots of certificates will be handed out - things like DCs are going to jump on the PKI bandwagon straight away. That’s OK, it doesn't hurt. It will only hurt if you start trying to be clever and stop them.
- Server 2008 R2 - if you can, make it your CA. Newest templates and distribution points out of the box are nice.
For Direct Access use you will have to publish a CRL to the outside world. If you happen to have an ISA box, a web publishing rule is an easy option. But as long as you can get to the CRL how you do it is up to you. And no, you can’t reuse one of the DA boxes external IP addresses.
The one we are particularly interested in is ISATAP. Short version is it creates a IPv6 addresses based on [Address type][network prefix][IPv4 address].
In our case it would look something like 2002:0000:0000:0000:0000:5efe:192.168.1.1 or 2002::5efe:192.168.1.1
What you need to know is;
- Any server taking part in the Direct Access communications will need one of these ISATAP addresses.
- This is supported on Server 2003 and up.
- The address is generated by doing a DNS request to ISATAP.{domain}
- ISATAP.{domain} is blocked by default on your DNS server and will need to be allowed.
- You can bypass this lookup, by configuring the address this resolves to, directly on the ISATAP interface, on the server you are configuring. (NETSH INTERFACE ISATAP SET ROUTER {ipv4 address of DA box})
- You can disable and re-enable this interface to force it to do this DNS query again.
If you are doing IPv6 just for Direct Access the best results have been from leaving ISATAP blocked on your DNS servers and manually configuring the router address on the servers you want to take part in Direct Access. This leaves your other servers unaffected. Up to you though.
Direct Access
The irony of this name shouldn't escape anyone, this access is about as tunnelled as it gets. Packets get packaged in other packets, NATs traversed and the like.
Before you install you should read this. Lots of good info and instructions.
I'm not going to cover the install in details just the highlight and some tips I discovered. RTFM for the how to... and just 'cause you haven't downloaded it yet, click me.
- 2 sequential Public IPv4 addresses both assigned to the same interface.
- Un-firewall access to those IPs (OK if you have to, then check the guide for ports - but open it up for testing)
- If you're doing it as a Hyper-V Virtual Machine use Legacy Network Adapters.
- Use an IP Address, not a hostname for the Location Awareness URL (LAU)*
- Get yourself an external IP for a Windows 7 client that you can stick in your DMZ - great for testing.
- Enable your local admin account on your Windows 7 machines! - When things go wrong you will want to log in locally... and by 'things' I mean net being able to get ANY network comms.
The install of the Direct Access role itself and the configuration wizard are stupidly easy. The skill is in the planning, so be sure you do lots of it.
*Almost forgot. You'll want an IIS website hosted somewhere internal with a Certificate on it matching its IP address (and the PKI is useful again). You should be able to access this site securely and without any warning from the internal network, and not at all externally. The content of the site doesn’t matter, just that it exists. - This is how Windows 7 figures out if it's on the network or not. Location Awareness - pray it never gets it wrong.
Well, have fun and do me a personal favour. Do lots and lots of testing before giving this to your users. If we want this to be a hit in the industry the user experience has to be a good one. So let’s get it right and get people talking about it.
{Written while over Direct Access on Windows 7}
