Implement DirectAccess

Learn On Demand
Learn On Demand Pro Series

This IT Pro Challenge hands-on lab develops skills in Windows Server administration. It helps learners understand how to use Windows Server Manager and Windows PowerShell to configure a server with the DirectAccess role that allows DirectAccess clients. As a result, learners will become comfortable using gpupdate and gpresult cmdlets.

Time
1 hour
Difficulty
Beginner
Share
Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Overview

In this IT Pro Challenge, learners will understand how to use Windows Server Manager to install the DirectAccess role on a server, and verify the status of the internal interface, as well as how to configure an Edge device, and how to use gpupdate and gpresult cmdlets to update Group Policy to allow remote users to use DirectAccess to connect to the intranet. Learners will also use Windows PowerShell to verify the DirectAccess connection. The skills acquired in this lab are useful for network and system administrators.

Overview

For this hands-on lab, the scenario is that you are a network administrator and you need to configure a DirectAccess server (2 subnets connected by a router) to allow access from remote users. To accomplish your task, you first need to install the DirectAccess role service and then configure the DirectAccess server with security filtering. Finally, you need to verify that a remote user has the correct Group Policy deployed. You will verify that the remote user can use DirectAccess to connect to the private network.

DirectAccess (also known as Unified Remote Access) provides intranet access to client computers. DirectAccess connects automatically when the user accesses the internet. It uses IPv6 technology to provide intranet access over the internet (IPv4).

Group Policy is a Windows feature that allows the administrator to set the environment for both users and computers. It allows the administrator to control applications, user settings, and operating systems.

Configure a DirectAccess server

To begin the lab, you need to configure a DirectAccess server. To do this, on the virtual machine (DC1), you need to create an Active Directory security group and add a user (W10-Admin) to the group. Then, on a server virtual machine (RRAS), you will use the Windows Server Manager to install the DirectAccess role service of the Remote Access role and verify the status of the internal interface. Then you need to configure DirectAccess as an Edge device (in this case, a router) that clients will use to connect to from the internet. You also need to add the DAClients security group to the Remote Clients group, remove the Domain Computers group, and remove the option to use DirectAccess for mobile computers.

You will then switch back to the DC1 virtual machine and verify that security filtering is configured in the Group Policy settings for the DirectAccess servers and clients.

Next, on the RRAS virtual machine, you will use the gpupdate /force cmdlet to update Group Policy and then use the gpresult /r cmdlet to verify that the DirectAccess server settings were applied correctly.

Verify DirectAccess from a client

In the last step of the lab, you will sign into the W10-Admin virtual machine and use the gpupdate /force cmdlet to update Group Policy and then use the gpresult /r cmdlet to verify that the DirectAccess server settings were applied correctly. Then you will run a script that moves W10-Admin to the external network (RRAS). Using PowerShell, you need to run the Get-DAClientExperienceConfiguration command and then use the ipconfig /all command to verify the IP-HTTPS interface. You need to ensure that the admin machine can access the internal network and that the admin is connected to the router.

Summary Conclusion

By taking this hands-on lab, you will learn how to use Windows Server Manager and Windows PowerShell to configure a DirectAccess server that provides external access to internal servers. As proof of concept, you will use DirectAccess to verify access.