Virtual Graffiti, Inc - Your Source for Technology Solutions

VG Tuesday Tip - 5 Tips For Effective DirectAccess Implementation and Management

Microsoft DirectAccess

Successful DirectAccess implementation and management require careful consideration of the many common Microsoft platform technologies that DirectAccess relies on, including Active Directory Domain Services (AD DS), Active Directory Certificate Services (AD CS), IPsec, and IPv6. DirectAccess also supports several deployment scenarios to meet the needs of large and small organizations. With so many options and interdependencies, it is easy to make poor design choices and end up with a solution that doesn’t work or isn’t supported. In this blog post, we discuss how you can make your DirectAccess implementation and management smoother.

Streamlining DirectAccess Client Deployment

Planning is an essential component of a DirectAccess deployment. You have to plan for the different deployment scenarios and for the optional DirectAccess configurations. The two components with the greatest impact on the overall DA architecture are the network configuration and the set of supported clients.

In terms of supporting infrastructure, DirectAccess relies heavily on PKI, Active Directory, and the Network Location Server (NLS), so you need to understand the specific requirements of each carefully.

DirectAccess is fundamentally implemented through Group Policy Objects (GPOs): all settings for DirectAccess clients and servers are delivered by Active Directory GPOs. It is therefore critical to plan your security groups and GPOs before implementation.

Automating Client Provisioning

DirectAccess is a very simple remote access solution for end users. Let’s look at how it can also be made simpler for administrators by automating client provisioning.

Automate Certificate Deployment

It is highly recommended to automate certificate deployment for both DirectAccess clients and DirectAccess servers, as this removes much of the operational overhead of provisioning clients. When a DirectAccess client’s computer account is placed in the designated security group, it automatically receives the necessary DA certificates. Likewise, when you deploy additional DirectAccess servers, placing each server in the server security group lets it automatically receive the machine certificates required for IPsec, which makes configuration and administration easier.

Automate Optional Client Configuration Components

A variety of settings can be automated for DirectAccess clients, such as disabling the IPv6 transition protocols that are not in use. Moreover, if your scenario supports manage-out, you need to change the default firewall rule settings on DirectAccess clients, and those rules can be configured and managed through AD group policy as well.

Minimizing Downtime with High Availability

DirectAccess Server

High availability is the key to eliminating any single point of failure in a DirectAccess deployment. If you have a single DirectAccess server and it goes offline, whether planned or unplanned, remote users lose connectivity. You can avoid this single point of failure by implementing a load balancer for the DirectAccess servers. Additional DirectAccess servers form an active cluster of up to eight nodes using the integrated load balancing (part of the base product), or up to 32 nodes using an external load balancer, which is recommended for larger deployments.

Deploy DirectAccess WITHOUT Windows 10 Enterprise Edition

Celestix SecureAccess extends the DirectAccess experience to roaming users even on Windows Professional editions and Mac OS X computers.

Geographic Redundancy

Another failure point that can be addressed is geographic redundancy. A larger organization with multiple data centers or physical locations can distribute DirectAccess servers across those data centers; this is known as a multisite deployment. Adding a Global Server Load Balancer (GSLB) further enhances resiliency and provides more granular load balancing.

Make Network Location Server (NLS) highly available

The NLS is a web server inside your corporate network that DirectAccess clients use to detect whether they are on the corporate network. If a DA client can connect to the NLS, it assumes it is on the internal network; if it cannot, it attempts to establish remote connectivity to the corporate network through the DirectAccess server. If the NLS is down, every client, including those sitting on the internal network, will conclude it is outside and try to connect remotely, which causes connectivity problems.

Performing Remote Administration

This tip covers administering the corporate network remotely from a connected DirectAccess client. As a network administrator, you can manage the corporate network from a corporate-issued laptop with DirectAccess. Connecting to a router or switch from a DA client, however, is a little different. Pinging a switch or router by its IPv4 address will not work, because DirectAccess is an IPv6-only solution, so you must supply an IPv6 address instead. If the device’s host name is in DNS, connecting by host name is simple. If it has no host name in DNS, you cannot fall back to the local hosts file. Watch the webinar to learn how to convert an IPv4 address to an IPv6 address.

Managing Session Connectivity

The Celestix SecureAccess platform offers a Remote Access Dashboard that provides an instant view of current DirectAccess and VPN connections. Its ‘kill switch’ feature allows an administrator to proactively terminate a remote access session at any time. The feature offers several options:

  • Reset Connection – A connection can be reset at any time, forcing the connected client to re-establish the connection. This is useful in troubleshooting scenarios.
  • Disable Connection – When a connection is disabled, the client’s computer account in Active Directory is disabled at the same time, preventing the client from re-establishing a connection. This is useful when a client has become infected with malware. Once the client has been remediated, its computer account in Active Directory can be re-enabled and the client will re-establish remote network connectivity.
  • Remove Connection – When a connection is removed, the client’s computer account in Active Directory is deleted, permanently preventing the client from establishing a connection. This is useful when a client device is lost or stolen.

Troubleshooting Connectivity Issues

As part of our Celestix SecureAccess solution, we give users experiencing DA connectivity issues the ability to upload diagnostic data directly into the appliance. This simplifies troubleshooting and solves the problem of limited email connectivity that arises when using the native tools.

Clicking DirectAccess Diagnostics opens the review page, where you can manage submitted reports.

To enable clients to submit their information, we provide a link on the same page. The user follows that link and then clicks the “DATestRunner.exe” link, a wrapper program around the official Microsoft DA tester. Once the user runs the application, it performs all the necessary actions and pushes the resulting information back into the appliance.

Celestix is the only company that offers a performance-tuned, turn-key Microsoft DirectAccess solution – Celestix SecureAccess.