Question
Monday, January 10, 2011 2:31 AM
Is it possible to configure a DirectAccess client manually, off the corpnet? For example, a new client that is being setup at a remote site.
Thanks.
All replies (5)
Tuesday, January 11, 2011 2:10 AM
Hi,
Thank you for your post here.
Technically speaking, it is possible to set up a DirectAccess client manually. You may have to manually configure DirectAccess group policy settings, distribute user certificates and set DirectAccess IPSec rules.
However, please understand that DirectAccess is a feature that gives users the experience of being seamlessly connected to their corporate network any time they have Internet access. For any computer (non-temp client) connected to the corporate network, we assume that those clients have joined the corporate network and they are manageable.
As a workaround, you can:
1. Set up a RRAS VPN server to accept domain join from remote clients.
2. Follow IT service management standard to distribute domain-joined clients from IT department from the main office to remote sites.
Tuesday, January 11, 2011 3:19 PM
Thanks for your reply.
In my case, I am the IT manager of my company, so I make "the IT service management standard" that you referred to.
My objective is to set up client computers (desktops, not notebooks) at remote sites using a combination of djoin (to join the corporate domain) and manual DirectAccess configuration, so it is not necessary first to physically bring them to the corpnet to join the domain and to get DirectAccess client configuration.
So, it would be good to know the details that you referred to (configure group policy settings, distribute certificates, and set DirectAccess IPSec rules).
What I have found so far is:
1. Do an offline domain join using djoin on a Domain Controller and on the client. This adds the client computer account to the domain, and will allow user Kerberos authentication required by the DirectAccess Policy ClientToCorp firewall rule.
2. Add the client computer's account to the DirectAccessClients security group. This will allow DirectAccess-related Group Policy settings to be applied when secured communication is established.
3. Install the corp root certificate on the DA client.
4. On a Domain Controller or other computer that is already joined to the domain, using a custom certificate template, create a computer certificate for the DA client, export it as a .pfx file, copy it to the client and install it. This will allow Computer Certificate authentication required by the DirectAccess Policy ClientToCorp firewall rule.
5. Set the prospective DirectAccess client's Teredo (or 6to4) server in the registry. That will allow (unsecured) communication between the client and the DirectAccess server.
6. This is where I have got lost. I have tried exporting DA firewall rules from a working DA client and importing them to the new client, but that seems to result in two sets of firewall rules (the imported one and the one downloaded via Group Policy). Also, I'm not sure if it's necessary to manually set Name Resolution Policy settings in GP on the client.
Tuesday, January 18, 2011 8:22 PM
I suspected this is possible (Windows DirectAccess isn't really its own software module, it's just a wizard that configures other already-existing parts of Windows), but after reading your post I got curious and investigated further.
It turns out this is possible and it's even documented on TechNet: http://technet.microsoft.com/en-us/library/ee649267(WS.10).aspx
The above link doesn't describe the preliminary steps like joining the domain or the security group, but it does give the commands for actually configuring the client's network access.
The previous section in TechNet (http://technet.microsoft.com/en-us/library/ee649214(WS.10).aspx) describes how to configure the server using command lines as well; the commands to set the client IPSec connection rules in the firewall (which I think are what you are looking for) are actually near the end of that section.
Wednesday, January 19, 2011 5:50 PM
Thanks for your suggestions. I think steps 1 through 4 from my last post are necessary. The TechNet link you referenced gives a better version of my step 5, and I think it gives direction where I got lost in step 6: you need to configure NRPT using gpedit.msc. When you configure NRPT, you need to omit reference to your CA. Then restart the DNS Client service and the IP Helper service. Then run gpupdate /force. Now DA should work.
I need to try this a couple more times to be sure it's correct.
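A read-only check of the client-side prerequisites listed in the 11 January post (steps 1 through 5) and the NRPT and service state from the 19 January post, as an added PowerShell example that is not part of the thread. The Teredo server name, root CA subject and corporate DNS suffix are placeholders, and the NRPT rules are read from the Group Policy registry key rather than a cmdlet, so the script also works on a Windows 7 client.

```powershell
# Added example (not from the thread): verify the client-side prerequisites the posts
# above describe before expecting DirectAccess to connect. Read-only; changes nothing.
# Placeholders (assumptions, not values from the thread):
$TeredoServer  = 'teredo.corp.example.com'   # DA server's Teredo server name
$RootCaSubject = 'CN=Corp Root CA'           # subject of the corporate root CA
$CorpDnsSuffix = '.corp.example.com'         # namespace an NRPT rule must cover

$results = @()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Name; OK = $Ok; Detail = $Detail }
}

# Step 1: the offline domain join (djoin) must have left the machine domain-joined.
$cs = Get-WmiObject -Class Win32_ComputerSystem
Add-Check 'Domain joined' $cs.PartOfDomain $cs.Domain

# Step 3: corporate root CA present in the machine Trusted Root store.
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $RootCaSubject }
Add-Check 'Root CA installed' ($null -ne $root) (@($root | ForEach-Object { $_.Thumbprint }) -join ', ')

# Step 4: an unexpired computer certificate issued by that CA, with a private key, in LocalMachine\My.
$comp = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.Issuer -eq $RootCaSubject -and $_.NotAfter -gt (Get-Date) }
Add-Check 'Computer cert usable' ($null -ne $comp) (@($comp | ForEach-Object { $_.Subject }) -join '; ')

# Step 5: Teredo configured with the DA server and currently qualified (netsh output is text).
$teredo = netsh interface teredo show state | Out-String
$serverLine = (($teredo -split "`n") | Where-Object { $_ -match 'Server Name' }) -join ''
Add-Check 'Teredo server set' ($teredo -match [regex]::Escape($TeredoServer)) $serverLine.Trim()
Add-Check 'Teredo qualified'  ($teredo -match 'State\s*:\s*qualified') ''

# Step 6 / follow-up post: NRPT rule (delivered by Group Policy) covering the corp namespace,
# plus the DNS Client and IP Helper services that were restarted after configuring it.
$nrptKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig\*'
$nrpt = Get-ItemProperty $nrptKey -ErrorAction SilentlyContinue
$hit  = $nrpt | Where-Object { $_.Name -contains $CorpDnsSuffix }
Add-Check 'NRPT rule for corp suffix' ($null -ne $hit) (@($nrpt | ForEach-Object { $_.Name }) -join ', ')
foreach ($svc in 'Dnscache', 'iphlpsvc') {
    $s = Get-Service $svc
    Add-Check "Service $svc running" ($s.Status -eq 'Running') $s.DisplayName
}

$results | Format-Table Check, OK, Detail -AutoSize
```

Any row with OK set to False points at the step in the posts above that still needs attention; the IPSec connection rules themselves arrive with the DirectAccess Group Policy once the certificate and domain checks pass.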
Wednesday, August 15, 2012 8:29 AM
Hi Sejong,
did you find the right DA client configuration for your scope?
thanks