Windows Server Direct Access

Description

Pre-Conference Seminars require an additional registration fee. If you have not pre-registered for a Pre-Con, please visit TechEd North America Registration to add this to your registration record.

Any time a user connects to the Internet with DirectAccess, they are seamlessly connected to the corporate intranet. There is no need for the user to initiate a VPN connection; the user experiences the same connectivity regardless of whether they are connected to the intranet or the Internet. DirectAccess was first introduced in Windows Server 2008 R2; however, its implementation presented a number of challenges for administrators, and providing an enterprise-ready solution inevitably required the use of Forefront Unified Access Gateway (UAG).

Windows Server 2012 now includes an enhanced, full-featured solution for DirectAccess, including load balancing, multisite, multidomain and IPv4 support via the inclusion of DNS64 and NAT64. There is even a 3-click wizard to deploy a fully functioning DirectAccess solution for SMBs. This implementation removes the need for PKI and can be configured on a single network card behind NAT. While the wizard masks the complexities of the technologies involved, a thorough understanding of DirectAccess is required to troubleshoot and build enterprise solutions.

John Craddock has worked extensively in the challenging environment of DirectAccess with Windows Server 2008 R2 and UAG. Windows Server 2012 allows the implementation of quicker and more compelling solutions. Come to this pre-con and learn how to deploy and troubleshoot Windows Server 2012 DirectAccess, and realize all the benefits that the Windows Server 2012 implementation has to offer. An IPv6 primer is included to provide you with sufficient knowledge to fully support your DirectAccess implementation. Comprehensive demos accelerate your learning.

For more information, check out this course on Microsoft Virtual Academy:

Day:

0

Session Type:

Pre-Conference Seminar

Code:

PRC04

Room:

Room 293

The Discussion

  • NetworkingGuy

    I don't know much about IPv6 and I know this is a big part of Direct Access - will I be OK with the session?

  • NetworkingGuy

    Forgot to ask, will it cover NAP and Direct Access integration? 

  • BradAgain

    Will it cover 2FA?

  • JohnCraddock

    @BradAgain: Hi Brad, I will be covering 2FA directly and with NAP integration.

  • JohnCraddock

    @NetworkingGuy: Yes, NAP integration with Direct Access will be covered.

  • JohnCraddock

    @NetworkingGuy:

    The approach that I am taking with this precon is to discover the use of IPv6 as we go through Direct Access. For example, I will start with a demo of using the 3-Click Wizard to get DA up and running in its simplest form. We'll then do a ping from the external client to one of the intranet servers and see the use of an IPv6 address. At this point you will learn about the IPv6 address format and types. We will then delve into the transition technologies, 6to4, IPHTTPS etc. By the time you leave the sessions you will have learned a lot about IPv6.

    I see this session as not only learning about deploying Direct Access but also learning the key elements of IPv6. And you'll also learn about certificates, NAP and a lot more...

    I hope that helps. If you want to know anything else, just let me know.

     

  • JohnCraddock

    If you have any questions about the precon - please ask away.

    You can never ask a silly question, you can only get a silly reply! I'll try and give you a sensible reply.

  • NetworkingGuy

    Many thanks for the replies John. I think your approach looks very interesting - I look forward to it.

  • ensposito

    Can Win 7 and Mac clients connect to Win 2012 server using direct access?

  • Doug_Kinzinger

    I'm guessing IPv6 all the way is still required, yes?

  • James Smith

    Will this cover a similar capability to Reverse Proxy Web Publishing currently available in UAG 2010?

  • JohnCraddock

    @ensposito: Hi, Windows Server 2012 allows Direct Access to be deployed in a single tunnel mode and through the use of a Kerberos proxy the clients authenticate to the tunnel endpoints using Kerberos Tokens. This will only work with Windows 8 clients.

    To support Windows 7 clients the two tunnel mode is deployed. This is also required for OTP, NAP etc. In the precon we will cover all options.

    I am not aware of a Mac DA client, but there may be one I haven't seen. However, the DirectAccess server now supports a unified remote access role that allows you to deploy DA and a VPN server together.

  • JohnCraddock

    @douglaskinzinger: Hi Douglas, all client apps need to communicate over the IPv6 stack, so the client connects to the DA server using IPv6 natively or using a transition mechanism (IPv6 over IPv4), such as 6to4, Teredo or IPHTTPS. The DA server now includes NAT64 and DNS64 so your corporate network can remain IPv4 only. Having said that, if you want to manage out, the management server/client must talk IPv6 either natively or through ISATAP.

    We will go through all the options in the precon.

    John

     

  • JohnCraddock

    @James Smith: Hi James, the precon will not cover reverse proxy publishing. It is focused on providing DA capabilities. Of course, with DA a DA client can connect to all corporate resources or you could limit access through the use of end-to-end IPsec.

  • JohnCraddock

    I just received a question on the TechEd Europe website and thought it might be useful to include it here:

    "John, to what extent will this be targeted just at Enterprise level installations? It'd be useful to have an element of the focussing on what modestly sized organisations who do not have 16 full 42U racks of servers (!) might be able to do to use DA effectively in their businesses (and by extension, how enterprises might implement on a more modest basis)"

    @pjbryant: Hi PJ, the precon will show how DA works and how you configure it irrespective of organizational size. I am starting the day with using the 3-click wizard, from that we will go through and understand all of the technologies involved. We will then progress to the two tunnel mode necessary to support Windows 7 clients and other features.

    The idea is that you will come away from the day with a good understanding of DA and with that knowledge be able to deploy an installation regardless of size. Towards the end of the day I will be covering the enterprise features of OTP, NAP and multisite deployments etc, but the main focus is to really understand how it all works.

    I hope that helps - please let me know if you need any more information.

    John

  • ipv6girl

    John, what's your view on the use of 6to4 for DA clients?

  • JohnCraddock

    @ipv6girl:

    Hi IPv6Girl, Great question! The quick answer is don't use it.

    6to4 is an IPv6 transition mechanism that is used to transport IPv6 over the IPv4 Internet. When the client has a public IPv4 address, the 6to4 interface on the client is automatically assigned an IPv6 address based on the client's unique IPv4 address.

    If the client receives a public IPv4 address when it is not actually directly connected to the Internet and the network doesn't allow IP protocol 41 to be routed to the destination, 6to4 will fail. Examples of where problems occur are mobile phone networks and locations that assign public IPs which route onto the Internet through NAT and firewalls.

    Combine these problems with the fact that 6to4 cannot be used in multisite deployments because of asymmetrical routing issues and you will see why I said don't use it.

    DirectAccess client connections should be supported by the transition mechanisms Teredo and IPHTTPS. The best thing to do is to sign up for the precon where I will go into all the details. We will need to understand 6to4 addressing as the DA server derives addresses and prefixes from the 6to4 address of the server's external interface.

    John
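
The 6to4 derivation and the transition mechanisms named in the replies above (6to4, Teredo, ISATAP), as an added example that is not part of the thread or the session material. It derives the 6to4 prefix from a public IPv4 address and identifies which mechanism produced a given IPv6 address, which helps when reading a DirectAccess client's addresses during troubleshooting. All sample addresses are constructed; the `::WWXX:YYZZ` host suffix is the convention Windows uses on its 6to4 interface.

```python
import ipaddress


def sixtofour_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """Return the 2002:WWXX:YYZZ::/48 prefix derived from a public IPv4 address."""
    v4 = ipaddress.IPv4Address(ipv4)
    if not v4.is_global:
        # Private, CGNAT and reserved addresses never get a 6to4 address;
        # such clients fall through to Teredo or IP-HTTPS.
        raise ValueError(f"{v4} is not a public IPv4 address")
    # 16-bit 0x2002 marker, then the 32-bit IPv4 address, then zeros.
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def sixtofour_host(ipv4: str) -> ipaddress.IPv6Address:
    """6to4 interface address using the Windows 2002:WWXX:YYZZ::WWXX:YYZZ form."""
    prefix = sixtofour_prefix(ipv4)
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def classify(addr: str):
    """Return (mechanism, embedded client IPv4 or None) for an IPv6 address."""
    a = ipaddress.IPv6Address(addr)
    if a.sixtofour is not None:              # 2002::/16
        return ("6to4", a.sixtofour)
    if a.teredo is not None:                 # 2001:0::/32
        _server, client = a.teredo           # client address is stored inverted
        return ("Teredo", client)
    iid = int(a) & 0xFFFFFFFFFFFFFFFF        # low 64 bits: interface identifier
    if (iid >> 32) in (0x00005EFE, 0x02005EFE):
        return ("ISATAP", ipaddress.IPv4Address(iid & 0xFFFFFFFF))
    # IP-HTTPS and native addresses carry no well-known marker.
    return ("other", None)


if __name__ == "__main__":
    # Constructed sample addresses, not taken from the page.
    print(sixtofour_prefix("131.107.0.2"), sixtofour_host("131.107.0.2"))
    for sample in ("2002:836b:2::836b:2",
                   "2001:0:4136:e378:8000:63bf:3fff:fdd2",
                   "fe80::5efe:a00:5",
                   "2001:db8::1"):
        print(sample, classify(sample))
```
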

     

  • JasonApt

    Looking forward to this session as I was almost ready to utilize UAG for Direct Access. Doing some research on my own and talking with management, I was able to persuade them to hold off and focus on Server 2010 with Direct Access. I have knowledge gaps to fill in this section but it will be a great way to start the conference!

  • skarai

    I'd be interested in hw based load balancing (i.e. F5 and DA 2012)

  • Reinhartjason

    Hi John

    DA2012 looks to be a huge improvement over DA with UAG on server 2008. Can you confirm that we were wise in our company to wait for 2012 before rolling DA to our users?

    I will be at the Precon for DA. 

    Thanks

  • ABianucci

    Jason R.

    From my experience it's 10 fold much nicer in Server 2012 and I would if you don't need UAG.

     

    I am here as well, and in the seminar if you want to chat.

     

    Aaron

  • ABianucci

    John

     

    Windows Phone 8 support for DA coming?

  • CSVvalentinis

    Currently attending your session and attempted to look at the slides via the tinyurl. It appears that the slides were not uploaded successfully and some repeat. If possible could you please take a look and see if this is on your end or a problem with how I was attempting to review the slides. Many Thanks!

  • ABianucci

    @CSVvalentinis

     

    I was able to look at them just fine, I have them up on my surface now,

    AA

  • JohnCraddock

    @Reinhartjason: Hi, if you are still having problems let me know. Seems to be OK for me.

     

  • JohnCraddock

    Thank you all for coming and being such a great audience. Please don't forget to evaluate the session!

     

  • Gjeff80

    I was registered for this pre-con seminar, however my travel plans got changed last minute and I had to come down to NO on Monday AM. Is there any way I can still get this seminar (was it recorded) or are the slides available for those of us that registered for a pre-con seminar?

  • TBone2K

    I just got an email from "Precon Deanna Schuler" wanting to share some files with me regarding this course. Is this legit? In case it wasn't, I tried the skydrive.live.com link in the message on an isolated system and it says the files have been removed.

  • Richard Hicks

    For those interested, many of the questions on this thread can be answered by viewing my Windows Server 2012 DirectAccess breakout session here:

    http://channel9.msdn.com/Events/TechEd/Europe/2013/WCA-B339

    Thanks!
