DirectAccess - VPN-like technology - introduced with Server 2008 R2 / Windows 7
- provides "always on" intranet access for remote users
- rich client monitoring - server console / client PowerShell cmdlets
- unified management wizard
- Server Core support
- off-premises provisioning with djoin.exe tool - Djoin

Technical details:
- IPv6 IPSec tunnel between client and DA server
- IPv6 addressing infrastructure no longer required
- DirectAccess protocols - DirectAccess and Teredo Adapter Behavior
- UAG (Unified Access Gateway) no longer required - Forefront Unified Access Gateway 2010
- External clients use Name Resolution Policy Table (NRPT)
- Group policy based "hosts" file for internal servers
- Get-DAClientExperienceConfiguration or Netsh - show effective policy
- Win7 Ent / Ultimate OR Win8 Ent only
- run dnscmd /config /globalqueryblocklist wpad command - required for DA
- DirectAccess supports multiple sites - Multisite DirectAccess scenario in PowerShell
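
How the NRPT decides which DNS servers a DirectAccess client asks for a given name, as an added PowerShell example (not from the original notes). It goes beyond the notes by showing exemption rules and most-specific-match precedence; the rule objects and names are constructed, and only exact-FQDN and suffix rules are modelled.

```powershell
# Added example. Rule objects mimic the Namespace / DirectAccessDnsServers
# properties returned by Get-DnsClientNrptPolicy; all values are constructed.
function Resolve-NrptRule {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][object[]]$Rules
    )
    $fqdn = $Name.TrimEnd('.').ToLowerInvariant()
    $best = $null
    $bestScore = -1
    foreach ($rule in $Rules) {
        foreach ($ns in @($rule.Namespace)) {
            $n = $ns.TrimEnd('.').ToLowerInvariant()
            if ($n.StartsWith('.')) {
                # Suffix rule: ".corp.example" covers every name below corp.example
                if (-not $fqdn.EndsWith($n, [StringComparison]::Ordinal)) { continue }
                $score = $n.Length          # longer suffix = more specific
            } elseif ($n -eq $fqdn) {
                $score = [int]::MaxValue    # exact FQDN rule beats any suffix rule
            } else { continue }
            if ($score -gt $bestScore) { $best = $rule; $bestScore = $score }
        }
    }
    # A matching rule with no DirectAccess DNS servers is an exemption rule.
    $daDns = if ($best) { @($best.DirectAccessDnsServers | Where-Object { $_ }) } else { @() }
    if (-not $best) {
        $path = 'No NRPT match: DNS servers of the network adapter'
    } elseif ($daDns.Count -eq 0) {
        $path = 'Exemption rule: DNS servers of the network adapter'
    } else {
        $path = 'DirectAccess DNS: ' + ($daDns -join ', ')
    }
    [pscustomobject]@{ Name = $fqdn; Path = $path }
}

# Constructed sample policy: one intranet suffix and one exempted host.
$rules = @(
    [pscustomobject]@{ Namespace = '.corp.example';    DirectAccessDnsServers = @('2001:db8::53') }
    [pscustomobject]@{ Namespace = 'nls.corp.example'; DirectAccessDnsServers = @() }
)
# On a real client the rules would come from: Get-DnsClientNrptPolicy -Effective
'app.corp.example', 'nls.corp.example', 'www.example.org' |
    ForEach-Object { Resolve-NrptRule -Name $_ -Rules $rules }
```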

Network access protection (NAP) - formerly RADIUS (remote authentication dial in user service)
- policy enforcement platform for Win2k8, Win2k12, Windows XP SP3, Win7 & Win8
- components: Health policy server, enforcement points
- PowerShell v3 interface - NPS Cmdlets in Windows PowerShell
- SHA (system health agent), SHV (system health validator)
- enforcement types: VPN (PKI, only host to site), IPsec (PKI, integrates with DA), 802.1x (PKI), DHCP
- optional - HRA (health registration authority) - IIS box that links PKI/CA to NAP health policies
- first of third party support
- NAP architecture

NAP - Step by step guides

Client setup - clients need to have NAP agent enabled via GPO
  • Computer config > Policies > Windows Settings > Security settings > System Services > Network Access Protection Agent
  • Computer config > Policies > Administrative Templates > Windows Components > Security Center > Turn on Security Center
  • Computer config > Policies > Windows Settings > Security settings > Network Access Protection > NAP Client configuration > Enforcement Clients

Client command - napstat