Microsoft DirectAccess Best Practices and Troubleshooting

By: Jordan Krause
Overview of this book

DirectAccess is an amazing Microsoft technology that is truly the evolution of VPN; any Microsoft-centric shop needs this technology. DirectAccess is an automatic remote access solution that takes care of everything from planning to deployment. Microsoft DirectAccess Best Practices and Troubleshooting will provide you with the precise steps you need to take for the very best possible implementation of DirectAccess in your network. You will find answers to some of the most frequently asked questions from administrators and explore unique troubleshooting scenarios that you will want to understand in case they happen to you. Microsoft DirectAccess Best Practices and Troubleshooting outlines best practices for configuring DirectAccess in any network. You will learn how to configure Manage Out capabilities to plan, administer, and deploy DirectAccess client computers from inside the corporate network. You will also learn about a couple of the lesser-known capabilities within a DirectAccess environment and the log information that is available on the client machines. This book also focuses on some specific cases that portray unique or interesting troubleshooting scenarios that DirectAccess administrators may encounter. By describing the problem, the symptoms, and the fixes to these problems, the reader will be able to gain a deeper understanding of the way DirectAccess works and why these external influences are important to the overall solution.

MAC address spoofing for virtual machines


If your DirectAccess server is a virtual machine (which doesn't necessarily line up with my idea of a best practice in any way, but I understand that many folks do it), make sure to set your NICs to allow MAC address spoofing. This will be particularly important if and when you decide to create any kind of arrays or load-balanced clusters, but I recommend always making this change right in the beginning, so that you are prepared for those situations and don't have to take troubleshooting steps down the road. To change this setting in Hyper-V, go into your Hyper-V Manager, right-click on your DirectAccess virtual machine, and click on Settings….

Find your network adapter listed on the left and click on the + symbol next to it to drop down some additional options. Click on Advanced Features, and then over on the right, check the checkbox for Enable spoofing of MAC addresses. Depending on your version of Hyper-V, the setting might be in a slightly different section of the network adapter's properties. For example, here it is on a Server 2008 R2 Hyper-V server.

You have to check this setting for both the network adapters that are being used by DirectAccess. Also, keep in mind that changing this setting requires the virtual machine to be turned off. If your MAC address spoofing option is grayed out, shut down the virtual machine and then check it again.
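
The same change can be scripted. The following is an added example, not from the book: it assumes a Hyper-V host running Windows Server 2012 or later with the Hyper-V PowerShell module (not the Server 2008 R2 host mentioned above), and `DA-SRV01` is a hypothetical VM name. It enables spoofing on the DirectAccess VM's adapters only, then lists any other VM on the host that has the setting on, so you can confirm it is enabled only where it is needed.

```powershell
#Requires -Modules Hyper-V
# Added example. 'DA-SRV01' is a hypothetical name; pass your DirectAccess VM's name.
param(
    [string]$VMName = 'DA-SRV01'
)

$vm       = Get-VM -Name $VMName -ErrorAction Stop
$adapters = @(Get-VMNetworkAdapter -VMName $VMName)

# The text says both DirectAccess adapters need the setting; flag anything else.
if ($adapters.Count -ne 2) {
    Write-Warning "$VMName has $($adapters.Count) network adapter(s); review each one."
}

# Only touch adapters that do not already allow spoofing.
$pending = @($adapters | Where-Object { $_.MacAddressSpoofing -ne 'On' })

if ($pending.Count -gt 0) {
    # Per the text, the VM has to be off before the setting can be changed.
    $wasRunning = $vm.State -eq 'Running'
    if ($wasRunning) {
        Stop-VM -Name $VMName          # clean guest shutdown, not a power-off
    }

    foreach ($nic in $pending) {
        Set-VMNetworkAdapter -VMNetworkAdapter $nic -MacAddressSpoofing On
    }

    if ($wasRunning) {
        Start-VM -Name $VMName
    }
}

# Verify the result on the DirectAccess VM.
Get-VMNetworkAdapter -VMName $VMName |
    Select-Object VMName, Name, SwitchName, MacAddress, MacAddressSpoofing |
    Format-Table -AutoSize

# Audit: any other VM on this host that also has spoofing enabled.
Get-VM | Get-VMNetworkAdapter |
    Where-Object { $_.MacAddressSpoofing -eq 'On' -and $_.VMName -ne $VMName } |
    Select-Object VMName, Name, SwitchName, MacAddress |
    Format-Table -AutoSize
```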

Whew, we're finally finished with all of the NIC configurations. It seems like a lot of text just to make sure something as simple as network settings is configured properly, but it is absolutely critical to have a solid networking baseline before you try to configure DirectAccess. If any of the settings listed are not correct (an incorrect subnet mask somewhere, a default gateway on the internal NIC, and the list goes on and on), you will run into error messages or, maybe worse, no error message at all but strange client behavior that can't be explained. Incorrectly configured networking settings can also cause a DirectAccess server to "lose itself", resulting in the console hanging and leaving a complete server re-prep as your only recourse so that you can start over. Make sure your NICs are configured correctly!