Tuesday, 23 October 2012

Setting up DirectAccess Server 2012

I got a mission from my boss to set up a new way for external users to connect to our network. In the past they used Microsoft VPN to connect, and the problem is that there are places where the VPN port is blocked and they cannot connect.

We then decided to look at DirectAccess from Microsoft. This new version comes as a role that you need to enable in Windows Server 2012 from Server Manager.





To set up DirectAccess on Server 2012 in your environment, you will need to install a Windows Server 2012 machine with the Remote Access role enabled. For our implementation we also use a root CA; it issues computer certificates to our workstations, and those certificates are used in the authentication process.

Once you have the DirectAccess server ready, you can start the configuration wizard to help you set it up. It will create two new GPOs for you; by default they are called DirectAccess Server Settings and DirectAccess Client Settings.
At the end of the wizard, you will be given an opportunity to review the configuration and make changes if you wish. If you are happy with everything, just complete the wizard and that will be enough.


Below is the Configuration page where you can always go back to modify your settings.





The screenshot below shows that you can always change the security group if you want to test it first. 





Make sure you fill in the Helpdesk email address; otherwise, if your Windows 8 clients have an issue, they won't be able to generate the error log.



On the Remote Access Server settings page, you need to choose the network topology that matches your infrastructure.



Also choose a certificate to be used for the IP-HTTPS connection. You can use a self-signed certificate if you wish.



Because we have a mixed Windows 7 and Windows 8 environment here, we need to tick the "Enable Windows 7 client computers to connect via DirectAccess" option. With this option enabled, you will need to use a computer certificate for authentication.

Note: Windows 7 clients will need the DirectAccess Connectivity Assistant (DCA) 2.0 installed. You will also need to import the DCA Group Policy template files into your GPO.



Next is to decide where you want to have your Network Location Server. 


You will also need to add exceptions for the few names that you don't want your clients to resolve through the internal DNS servers.
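The wizard steps above, from installing the role through to the DNS exceptions, can also be scripted with the RemoteAccess PowerShell module that ships with Windows Server 2012. The block below is an added example and is not from the original post: the domain, host names, security group, CA name and e-mail address are made-up placeholders, and the cmdlet parameter names follow the Server 2012 RemoteAccess module as I recall them, so confirm them with Get-Help on your own server before running it.

```powershell
# Added example: scripted equivalent of the DirectAccess wizard steps in this post.
# Every name here (corp.example.com, da.example.com, DA-Clients, EXAMPLE-ROOT-CA, ...)
# is a placeholder. Run elevated on the Windows Server 2012 machine that will be the
# DirectAccess server. Parameter names are assumed from the RemoteAccess module docs.

# 1. Install the Remote Access role (DirectAccess and VPN) with its management tools.
Install-WindowsFeature -Name DirectAccess-VPN -IncludeManagementTools
Import-Module RemoteAccess

# 2. Locate the root CA certificate that issued the workstations' computer certificates.
#    It has to be in the server's Trusted Root store or IPsec authentication will fail.
$rootCa = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like 'CN=EXAMPLE-ROOT-CA*' } |
    Select-Object -First 1
if (-not $rootCa) { throw 'Root CA certificate not found in the Trusted Root store' }

# 3. Equivalent of the Getting Started wizard: a single server behind a NAT device,
#    the public name clients connect to, the NLS URL, and the names of the two GPOs
#    the wizard would otherwise create for you.
Install-RemoteAccess -DAInstallType FullInstall `
    -ConnectToAddress 'da.example.com' `
    -DeployNat `
    -NlsUrl 'https://nls.corp.example.com' `
    -ClientGpoName 'corp.example.com\DirectAccess Client Settings' `
    -ServerGpoName 'corp.example.com\DirectAccess Server Settings' `
    -Force

# 4. Scope the client GPO to a pilot security group first (the "test it first" point
#    above) and only to mobile computers, so desktops are not touched by mistake.
Set-DAClient -SecurityGroupNameList @('corp.example.com\DA-Clients') `
    -OnlyRemoteComputers Enabled

# 5. Windows 7 clients require computer-certificate authentication; enabling it and
#    the downlevel option is what the wizard checkbox does.
Set-DAServer -ComputerCertAuthentication Enabled `
    -IPsecRootCertificate $rootCa `
    -Downlevel Enabled

# 6. Helpdesk e-mail: without it the Windows 8 client cannot generate its error log.
Set-DAClientExperienceConfiguration -PolicyStore 'corp.example.com\DirectAccess Client Settings' `
    -FriendlyName 'Example Corp DirectAccess' `
    -SupportEmail 'helpdesk@example.com'

# 7. DNS exceptions: names the clients must NOT send to the internal DNS servers.
#    The NLS name must be exempt, otherwise a client away from the office could
#    resolve it internally and wrongly decide it is on the corporate network.
foreach ($suffix in 'nls.corp.example.com', 'da.example.com') {
    # No -DnsIPAddress means "exemption" rather than "send to this DNS server".
    Add-DAClientDnsConfiguration -DnsSuffix $suffix
}

# Review the result, like the wizard's final summary page.
Get-DAServer
Get-DAClient
Get-DAClientDnsConfiguration
```

If the NLS is to live on the DirectAccess server itself, replace -NlsUrl with -NlsCertificate and a certificate whose subject matches the NLS name; either way, publish the NLS only on the internal network, since its reachability is what tells a client it is inside.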



If everything is working fine, you should get a green tick for all of the components, though this doesn't guarantee that your clients will be able to connect to your environment straight away. Please look at the links at the end of this post to help you troubleshoot any issue you may have with your implementation.
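Because the green ticks only cover the server side, it helps to check both ends before declaring the deployment done. The following is an added example, not from the original post: the server half uses Get-RemoteAccessHealth from the Server 2012 RemoteAccess module (the property names Component, HealthStatus and Description are assumed; confirm with Get-Member), and the client half uses the Windows 8 DirectAccessClientComponents cmdlets where they exist and falls back to the netsh commands a Windows 7 client has.

```powershell
# Added example: verify DirectAccess from the server and from a client.
# Host names are placeholders; output property names are assumed from the
# Server 2012 RemoteAccess module and should be checked with Get-Member.

# ---- Run on the DirectAccess server -------------------------------------------
function Get-DAUnhealthyComponent {
    # Returns only the components that are not green in the Operations Status page.
    Import-Module RemoteAccess
    Get-RemoteAccessHealth |
        Where-Object { $_.HealthStatus -ne 'OK' } |
        Select-Object Component, HealthStatus, Description
}

function Show-DAServerState {
    $bad = @(Get-DAUnhealthyComponent)
    if ($bad.Count -gt 0) {
        $bad | Format-Table -AutoSize
        Write-Warning "DirectAccess: $($bad.Count) component(s) not reporting OK"
    } else {
        Write-Host 'All DirectAccess components report OK (the green ticks)'
    }
    # Who is actually connected right now, and over which tunnel type.
    Get-RemoteAccessConnectionStatistics | Format-Table -AutoSize
}

# ---- Run on a client computer ---------------------------------------------------
function Show-DAClientState {
    if (Get-Command Get-DAConnectionStatus -ErrorAction SilentlyContinue) {
        # Windows 8: Status tells you ConnectedRemotely / ConnectedLocally / Error.
        Get-DAConnectionStatus
        # NRPT: which suffixes are sent to the internal DNS and which are exempt.
        Get-DnsClientNrptPolicy | Select-Object Namespace, DirectAccessDnsServers
        # IP-HTTPS interface state and last error, the usual culprit when the
        # certificate on the server is not trusted by the client.
        Get-NetIPHttpsState
    } else {
        # Windows 7: no PowerShell module, so use netsh for the same three checks.
        netsh namespace show effectivepolicy
        netsh interface httpstunnel show interfaces
        netsh dnsclient show state
    }
}

# Usage: call the function that matches the machine you are on.
if (Get-Command Get-RemoteAccessHealth -ErrorAction SilentlyContinue) {
    Show-DAServerState
} else {
    Show-DAClientState
}
```

A client that shows "ConnectedLocally" while it is outside the office is almost always an NLS problem (the NLS name resolved or was reachable from the Internet); one that reports an IP-HTTPS error is usually the IP-HTTPS certificate not chaining to a root the client trusts, which matters if you chose a self-signed certificate earlier.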




1. Click on this link to download DCA 2.0 for Windows 7 clients; after you extract the zip file you will find the DCA 2.0 administrator guide to help you with the deployment.
2. Click on this link to get more details on how to deploy a single Remote Access server using the Getting Started Wizard.
3. Click on this link if you want to troubleshoot any issue related to "DirectAccess Client Cannot Access Intranet Resources".





