Installing and managing a DirectAccess server on the Windows Server operating system


DirectAccess is a new capability of the Windows 7 (Ultimate and Enterprise editions only) and Windows Server 2008 R2 operating systems that provides connectivity to the internal network for every computer that has the DirectAccess client and is located on the Internet. Compared with a conventional VPN connection, which the user has to start and stop manually, DirectAccess is configured so that the connection is established automatically as soon as the computer has Internet connectivity.

Technology

DirectAccess creates an IPsec tunnel from the client to the DirectAccess server and uses the IPv6 protocol to reach the DirectAccess server or other DirectAccess clients. The technology carries IPv6 traffic across the IPv4 network in order to reach the internal network over the Internet, which is still based on IPv4.

Requirements

DirectAccess requires:

  • One or more DirectAccess servers running Windows Server 2008 R2 with two network adapters, one connected directly to the Internet and the other directly to the internal network.
  • Two consecutively assigned IPv4 addresses on the DirectAccess server; they must be assigned to the adapter connected to the Internet and must not be behind NAT.
  • A DirectAccess client running Windows 7 (Ultimate or Enterprise editions only).
  • At least one domain controller and DNS server running Windows Server 2008 SP2 or Windows Server 2008 R2.
  • A public key infrastructure (PKI) that issues computer certificates.

Installing DirectAccess

You can install, configure and monitor connection traffic with the DirectAccess Management Console, which you have to install as a separate feature from Server Manager.

To install the DirectAccess feature from Server Manager, do the following:

  • On the DirectAccess server, click Start, click Run, type servermanager.msc, and then press ENTER.
  • In the main window, under Features Summary, click Add Features.
  • On the Select Features page, select DirectAccess Management Console.
  • In the Add Features Wizard window, click Add Required Features.
  • On the Select Features page, click Next.
  • On the Confirm Installation Selections page, click Install.
  • On the Installation Results page, click Close.

Managing DirectAccess

Configuration wizard: Client

The first configuration wizard is quite straightforward and asks you only one question: which computer groups you want to allow to use DirectAccess.

The most reliable approach is to create an Active Directory security group named "DirectAccess Enabled computers", which can then be selected in the wizard and added to the set of groups that are allowed to use DirectAccess. This saves time, because the group can later be edited directly in Active Directory as needed, without reopening the wizard to change groups or users.

To begin, click the Edit button under the Client Group selection.

Now click the Add button and select the AD security group that you want to allow to use DirectAccess.

You can add several groups here, but it is more convenient to add a single group and later change the list of computers directly in Active Directory.

Click the Finish button, and the initial configuration is done.

Configuration wizard: DirectAccess server

Getting through the DirectAccess Server wizard might be the most challenging because its behaviour and what it asks for is determined by some dependency checks that the wizard does in the background. To get started, click the Edit button in the DirectAccess Server group.

NOTE: At the time of this writing, Forefront UAG Update 1 and earlier have a known bug in this particular wizard that can appear when you reach the page about selecting certificates. Microsoft developers are aware of the issue as discussed here in the Microsoft Forefront forum but I have been told that there won’t be a fix until UAG Service Pack 1 due for release around the end of 2010. It seems to be fine the first time you go through the wizard but if you select one certificate type and then rerun the wizard and select the other type the wizard will peg the CPU at 100% on the third and any subsequent times that you run the wizard. So the moral of the story here is to get it right the first time and you’ll be fine. Otherwise you may need to wipe the entire UAG Configuration (by running configmgrutil -del) and start all over.

Remember, I am assuming that your internal network infrastructure is running purely IPv4. With that in mind, the first page of this wizard will sort of tell you if you have things set up right…but you have to know what you are looking for. If you notice that the dropdown list for IPv4 is disabled, then you’re missing something. It looks like this:

This usually means the wizard was unable to find an ISATAP router and assumes you are using IPv6 on your internal network because, well, without ISATAP to carry IPv6 over IPv4 you would need native IPv6 for DirectAccess to work. Since we do not have IPv6 internally and we want to use ISATAP, there are two things to check in order to correct this:

1. Make sure ISATAP has been removed from the DNS Global Block List (here’s how)
2. Make sure you have an “A record” in DNS for “ISATAP” that points to the internal IP address of your UAG server.
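The two DNS checks above, carried out with dnscmd (which ships with the Windows Server 2008 R2 DNS role). This is an added example, not part of the original article; the zone name and the server's internal IPv4 address are assumed placeholders that you must replace with your own.

```powershell
# Added example (not from the original article): prepare DNS for ISATAP on a
# Windows Server 2008 R2 DNS server. Run in an elevated PowerShell on the DNS server.
$ZoneName   = "corp.example.com"   # assumption: your internal AD DNS zone
$IsatapIPv4 = "10.0.0.10"          # assumption: internal (intranet) IPv4 of the UAG/DirectAccess server

# 1. Read the DNS Global Query Block List. Names on this list are never answered,
#    so an "isatap" entry silently breaks ISATAP router discovery for the clients.
#    Output parsing assumes dnscmd's "Query result:" / "Command completed" framing.
$raw = dnscmd /info /globalqueryblocklist
$blockList = $raw | ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and $_ -notmatch '^(Query result|Command completed)' }
Write-Host "Current global query block list: $($blockList -join ', ')"

if ($blockList -contains "isatap") {
    # /config replaces the whole list, so write back every entry except isatap
    # (on a default server that leaves just "wpad").
    $keep = @($blockList | Where-Object { $_ -ne "isatap" })
    dnscmd /config /globalqueryblocklist $keep | Out-Null
    Write-Host "Removed isatap from the global query block list."
}

# 2. Create the A record isatap.<zone> pointing at the server's internal address.
dnscmd /recordadd $ZoneName isatap A $IsatapIPv4 | Out-Null

# 3. Verify that the name resolves to the internal address from this host.
$resolved = [System.Net.Dns]::GetHostAddresses("isatap.$ZoneName") |
    ForEach-Object { $_.IPAddressToString }
if ($resolved -contains $IsatapIPv4) {
    Write-Host "OK: isatap.$ZoneName resolves to $IsatapIPv4"
} else {
    Write-Warning ("isatap.$ZoneName resolved to '" + ($resolved -join ', ') +
        "', expected $IsatapIPv4; flush the resolver cache (ipconfig /flushdns) and re-check the block list.")
}
```

A stale negative answer can persist in the local resolver cache for a few minutes after the record is added, so a failed final check right after step 2 is not necessarily a configuration error.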

Once you have the DNS considerations for ISATAP taken care of you should see that IPv6 is now greyed out and the IPv4 dropdown is enabled.

The two dropdown lists should be populated with only one option in each. In the left DDL for the Internet-facing IPv4 address select the first public IP on your server and then you should see the second address appear underneath the drop-down. In the right DDL for the Internal IPv4 address select the server’s intranet address and then the wizard should tell you that it will be enabling ISATAP and that you should create the DNS record for ISATAP. Of course that’s a little ironic being that you needed to do that beforehand.

Next leave both NAT64 and DNS64 checked. If you don’t you will either need to configure your own services or be unable to connect to IPv4 targets. So, yeah, leave those checked.

Finally, you need to select the certificate of the CA that is issuing the certificates to your enterprise. At this point you should have already generated a web certificate to be used for IP-HTTPS and imported it into the Computer account’s Personal Certificates store of the UAG server. Select both certificates and click Finish.
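A pre-flight check for the IP-HTTPS web certificate mentioned above, run on the UAG server before starting the wizard. This is an added example, not code from the original article; the public FQDN is an assumed placeholder, and the check looks only at the subject CN, so a certificate that carries the name solely in its Subject Alternative Name will be reported as missing.

```powershell
# Added example (not from the original article): verify that the Computer account's
# Personal store holds a certificate usable for the IP-HTTPS listener.
$IpHttpsName   = "da.example.com"       # assumption: public FQDN clients use for IP-HTTPS
$ServerAuthOid = "1.3.6.1.5.5.7.3.1"    # Server Authentication enhanced key usage

function Test-IpHttpsCertificate {
    param([string]$DnsName)
    # Candidates: certificates whose subject CN is exactly the public name.
    $candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.Subject -match ("CN=" + [regex]::Escape($DnsName) + "(,|$)") })
    if ($candidates.Count -eq 0) {
        Write-Warning "No certificate with CN=$DnsName in Cert:\LocalMachine\My"
        return $false
    }
    foreach ($cert in $candidates) {
        $problems = @()
        # The listener needs the private key; a .cer import alone will not do.
        if (-not $cert.HasPrivateKey) { $problems += "no private key (import the PFX)" }
        if ($cert.NotAfter -lt (Get-Date)) { $problems += "expired on $($cert.NotAfter)" }
        # Server Authentication EKU must be present.
        $hasServerAuth = $false
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($oid in $ext.EnhancedKeyUsages) {
                    if ($oid.Value -eq $ServerAuthOid) { $hasServerAuth = $true }
                }
            }
        }
        if (-not $hasServerAuth) { $problems += "missing Server Authentication EKU" }
        # The chain must build against this machine's trust store; clients need the same issuer.
        if (-not $cert.Verify()) { $problems += "certificate chain does not validate on this server" }

        if ($problems.Count -eq 0) {
            Write-Host "OK: $($cert.Thumbprint) is usable for IP-HTTPS ($($cert.Subject), valid until $($cert.NotAfter))"
            return $true
        }
        Write-Warning "$($cert.Thumbprint): $($problems -join '; ')"
    }
    return $false
}

Test-IpHttpsCertificate -DnsName $IpHttpsName
```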

It may be appropriate to point out here that IP-HTTPS, while it is the least desirable connection method due to its overhead, is incredibly useful since it is the option most likely to work in “unusual” scenarios due to popular support for connecting to secure web sites through firewalls. When it comes to the configuration of the UAG server, it does proxy all IP-HTTPS traffic through a local instance of IIS. To accomplish this the UAG Wizard seems to wipe and re-write the IIS settings when activating the UAG configuration. Why is that important? Well, you should not expect to be able to use the IIS installation on the UAG server for anything other than IP-HTTPS. So don’t bother adding another site or try to bind one to a different IP or even make some subdirectories in any existing site. UAG will destroy it and it doesn’t tell you about it either.

Some sample labs from the Microsoft website:

DirectAccess Configuration - Windows 7 Demo Screencast, part one of five - video material on configuring DirectAccess

Test Lab Guide: Demonstrate DirectAccess - downloadable DOCX file containing a sample configuration

Sources

External links

Author

Artur Kulikov, AK11