What's New in Windows Server 2012 Networking? (Part 7)

by [Published on 12 Dec. 2013 / Last Updated on 12 Dec. 2013]

In this, Part 7 of the series, we’ll discuss Windows Server 2012’s implementation of the DirectAccess technology we know and love, as well as the new unified Routing and Remote Access (RRAS).

If you would like to read the other parts in this article series please go to:

Introduction

We’re closing in on the finish line with our series of articles on the new features and functionalities in Windows Server 2012 networking technologies. In Parts 1 through 6, we’ve already covered a dozen important changes, improvements and additions. In this, Part 7 of the series, we’ll discuss Windows Server 2012’s implementation of the DirectAccess technology we know and love, as well as the new unified Routing and Remote Access (RRAS).

Here’s our list again, showing the items we’ve already addressed in past articles, those we’ll look at in this article and the one that is yet to come:

Past articles:

  • 802.1x Authenticated Wired and Wireless Access
  • BranchCache
  • Data Center Bridging (DCB)
  • Domain Name System (DNS)
  • DHCP
  • Hyper-V network virtualization
  • IP Address Management (IPAM)
  • Low Latency Workloads technologies
  • Network Load Balancing
  • Network Policy and Access Services
  • NIC Teaming
  • Windows QoS

This article:

  • DirectAccess and Unified RRAS

Future article:

  • Windows Firewall with Advanced Security

Let’s get started!

DirectAccess in Server 2012

DirectAccess has been around since Windows Server 2008 R2 and it’s a great means of providing remote users with a way to connect back to the corporate network without having to deal with VPN settings. The big advantage for administrators is the ability to have much more control over the remote computers, because you can manage them even if the user isn’t logged on, as long as the computer has an Internet connection. That makes it easy to update software or Group Policy when you need to, without waiting for the user to make a VPN connection. It also eases the load on IT for training users to use VPN clients and the tech support calls that you inevitably get when users have problems configuring VPN connections.

As with previous implementations, DirectAccess in Windows Server 2012 encrypts traffic that’s transmitted over the Internet so users have a secure connection to the corporate network.

But DirectAccess has some limitations. It only works for client computers that are running the Enterprise or Ultimate editions of Windows 7 and the Enterprise edition of Windows 8. In addition, those systems must be joined to the domain. That means users whose computers are running the Professional editions of Windows 7 or 8 are unable to connect via DirectAccess and must instead use a traditional VPN connection.

In Windows Server 2008 R2, DirectAccess and Routing and Remote Access (RRAS), where VPN services are configured and managed, are two separate features with different management consoles. Further, RRAS must be run on a different server from the edge server running the DirectAccess service. This complicates the administration of remote access within the enterprise.

Windows Server 2012 goes for a more cohesive approach by combining DirectAccess with RRAS in a new Unified RRAS server role. That means you can configure, manage and monitor both types of remote access services from one centralized location. Now the two roles coexist on the same machine and you don’t have to have separate servers for this purpose.

Easier to deploy and use

Despite all the benefits DirectAccess offered in Server 2008 R2, many network admins were hesitant about rolling it out because of the complexity of the deployment process. There were many prerequisites, such as the need for a public key infrastructure (PKI) and the difficulty of accessing IPv4 computers on the corporate intranet with DirectAccess. Most of those obstacles have been removed or greatly reduced in the implementation of DirectAccess included in Windows Server 2012 and 2012 R2 with Windows 8/8.1 clients.

An important difference is that you no longer have to set up a certification authority and implement a PKI to issue computer certificates to the DA server and clients. While you can still use a PKI for authentication, now it’s optional. Instead, the client computers can send authentication requests to a Kerberos proxy that runs on the DA server and is set up by the Getting Started wizard when you configure DA. Now, there are still some requirements and some caveats. The DA server still needs a certificate, but it’s possible to use a self-signed certificate that you configure during setup. However, the better security practice would be to use a certificate issued by a public certification authority.

Here’s how it works: when you use this simplified deployment model (without a PKI), only one IPsec tunnel is established instead of two. In a traditional deployment, there is an infrastructure tunnel established first that uses the computer certificate and NTLM, then the client gets a Kerberos token and establishes the second tunnel using the computer certificate and Kerberos. Now the Kerberos proxy issues the token so that first tunnel isn’t required.

The drawback to not having an internal PKI is that when you deploy DA this way, you won’t be able to use certain features such as NAP (Network Access Protection) integration and two-factor authentication. You’ll need to weigh the pros and cons and decide whether the trade-off is worth it, but this new capability at least opens up the use of DA to organizations that wouldn’t consider it before because of the PKI requirement.

If you do choose to deploy with a PKI, in addition to smart card support Windows Server 2012/2012 R2 DA supports One Time Password (OTP) tokens, and you can also use virtual smart cards for client computers that have a Trusted Platform Module (TPM).

You also have the option to deploy DA in Windows Server 2012/2012 R2 on a server that’s behind a NAT device, something that was difficult to implement in 2008 R2 DA because two NICS with two consecutive public IPv4 addresses were required. Now you can deploy behind NAT with just one network interface.

Another big improvement is the native support for NAT64 protocol translation to allow DA clients to access those internal resources that are running on IPv4-only machines. This is a big deal because there are many corporate networks that have older file servers and other servers running applications that don’t support IPv6. Previously if you had this type of situation, you were told to use Forefront UAG Gateway Direct Access – but that was an expensive solution so many orgs just didn’t deploy DA at all. Now it’s not only possible; it’s easy. The setup wizard configures NAT64 and DNS64 for you, automatically, if the DA server’s internal NIC has an IPv4 address assigned.

This isn’t the only way in which the new Getting Started wizard really simplifies the whole process of deploying DA. You no longer have to be an expert in the technical details to get it up and running. And you have many more options. Now you can deploy DA in a “manage-out only” configuration. What that means is that you can use DA to deploy updates and manage computers remotely, without users logging in, while keeping your VPN or other more traditional remote access method in place for users to access the corporate resources.

Broader Scope

For large enterprises, a major improvement is that Windows Server 2012/2012 R2’s Direct Access implementation now supports much easier deployment with multiple domains and multiple sites. With Server 2008 R2, you could only configure DA for one domain with the setup wizard, so if you had clients in another domain, they couldn’t use it. It was possible to do it manually but you had to edit DA policies, making it more complicated. Now the setup process supports integration of multiple domains.

Multi-site support has also been improved, so that clients will be able to access the resources they need regardless of where they are physically located. The multi-site configuration assigns DA entry points to Windows 8 computers automatically, and Windows 7 computers can also be assigned automatically if you have Global Server Load Balancing (GSLB) deployed. Then the traffic can be distributed and balanced across the multiple sites.

Support for new technologies

Windows Server has been moving toward a more “minimalist” approach to the GUI, with more and more organizations running a stripped-down Server Core installation to reduce the attack surface and also to enhance performance. At the same time, admins are embracing the command line again, with the increasing sophistication of the PowerShell tool for managing, scripting and automating tasks.

DirectAccess in Server 2012/2012 R2 reflects this trend, with the Server Core role supporting the new Unified RRAS role, including DirectAccess. It also provides full featured PowerShell support so you can set up, configure, manage, monitor and troubleshoot all aspects of the Unified RRAS services.

Speaking of monitoring and troubleshooting, these are tasks that consume a large portion of an admin’s time, and they have been vastly improved for Unified RRAS in Windows Server 2012/2012 R2. There are new diagnostics features, including detailed event logging for DA, tracing and packet capture and log correlation. The accounting and reporting is better, when using a RADIUS server or Windows Internal Database (WID). You can measure specific metrics, such as the number of users connected to the DA server, and create custom reports.

As for monitoring, the dashboard that’s accessed from the RRAS console displays a wealth of information about the status of the DA server and client activity. In Server 2008 R2 DA, you could only do basic health status monitoring.

Summary

These are some of the highlights of the improvements Microsoft has made to DirectAccess in Windows Server 2012. It’s not an all-inclusive list; there are additional improvements that will benefit organizations in particular scenarios, but this should be enough to illustrate that there’s a lot going on with the new DirectAccess and Unified RRAS feature.

Next time, we’ll bring this series to an end with our discussion of the Windows Server 2012 Firewall with Advanced Security.

If you would like to read the other parts in this article series please go to:

Featured Links