Chapter 1: DirectAccess Server Best Practices 7 
 Preparing your Remote Access servers for DirectAccess 8 
 NIC configuration 8 
 Configuring internal NIC 8 
 Configuring external NIC 10 
 NIC binding 14 
 MAC address spoofing for virtual machines 16 
 Adding static routes 17 
 Hostname and domain membership 20 
 Prestage the computer account 20 
 Time for certificates 21 
 Installing the IP-HTTPS SSL certificate 21 
 Installing the IPsec machine certificate 23 
 Adding the roles 25 
 Don't use the Getting Started Wizard! 28 
 Running the full Remote Access Setup Wizard 28 
 Reasons not to use the Getting Started Wizard 30 
 Self-signed certificates 30 
 Self-hosted NLS 30 
 Disables Teredo 30 
 Applies client policy to the domain computers group 31 
 No advanced choices 31 
 Security hardening the server 32 
 Summary 33 
 Chapter 2: DirectAccess Environmental Best Practices 35 
 To NAT or not to NAT? 35 
 Three is better than one 37 
 Table of Contents 
 Efficiency of Teredo over IP-HTTPS 38 
 6to4 38 
 Teredo 38 
 IP-HTTPS 39 
 Planning for Certificates (PKI) 40 
 SSL certificate for NLS 40 
 SSL certificate for IP-HTTPS 41 
 Machine certificates for IPsec 42 
 Requirements for the machine certificate 43 
 Choosing the CA in the wizards 43 
 Marking your calendars for certificate expirations 45 
 Defining your GPOs and security groups 45 
 Let the wizards take care of it 46 
 Creating your own GPOs 47 
 Setting up the Network Location Server (NLS) 50 
 Do I need IPv6 or ISATAP? 52 
 Teredo and 6to4 tips and tricks 52 
 Set Teredo to EnterpriseClient 52 
 Using Group Policy for this change 53 
 Disabling the 6to4 adapter on your clients 54 
 Using Group Policy for this change 55 
 Summary 55 
 Chapter 3: Configuring Manage Out to DirectAccess Clients 57 
 Pulls versus pushes 58 
 What does Manage Out have to do with IPv6? 58 
 Creating a selective ISATAP environment 60 
 Creating a security group and DNS record 62 
 Creating the GPO 62 
 Configuring the GPO 64 
 Adding machines to the group 65 
 Setting up client-side firewall rules 66 
 RDP to a DirectAccess client 69 
 No ISATAP with multisite DirectAccess 70 
 Summary 70 
 Chapter 4: General DirectAccess Troubleshooting 71 
 Remote Access Management Console 72 
 Windows Firewall with Advanced Security 73 
 Reading the client logfiles 75 
 What happened to Teredo? 79 
 Clients with native IPv6 80 
 Summary 81 
 Chapter 5: Unique DirectAccess Troubleshooting Scenarios 83 
 What happens when NLS is offline? 84 
 The resolution 85 
 I enabled NLB and DA broke! 85 
 The resolution 87 
 IPv4 applications don't connect over DA 87 
 App46 by IVO Networks 88 
 Cannot contact some servers 89 
 Routing 89 
 Name resolution 90 
 Checking DNS for strange AAAA records 91 
 Does it work over IP-HTTPS and not Teredo? 92 
 Summary 93 
 Index 95