1 / 36

How to Troubleshoot DirectAccess

SESSION CODE: # SVR414. Toby Alcock Corporate Network Integration. How to Troubleshoot DirectAccess. Agenda How to Troubleshoot DirectAccess. Understanding all the pieces of the puzzle Troubleshooting steps Useful Tools to assist Troubleshooting demonstrations

ayla
Télécharger la présentation

How to Troubleshoot DirectAccess

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SESSION CODE: # SVR414 Toby Alcock Corporate Network Integration How to Troubleshoot DirectAccess (c) 2011 Microsoft. All rights reserved.

  2. AgendaHow to Troubleshoot DirectAccess • Understanding all the pieces of the puzzle • Troubleshooting steps • Useful Tools to assist • Troubleshooting demonstrations • DirectAccess Connectivity Assistant • Certificates • Name Resolution Policy Table (NRPT) • Where next? (c) 2011 Microsoft. All rights reserved.

  3. DirectAccess: more than a VPN Corporate Network Pre log on Patch management, health check and GPOs Always On Network level computer/user authentication and encryption Automatically connects throughNAT and firewalls VPNs connect the user to the network DirectAccess extends the network to the remote computer and user (c) 2011 Microsoft. All rights reserved.

  4. End-to-End IPv6 Client and Server applications must be IPv6 compatible Client app Server app IPV6 IPV6 Internet Corporate intranet • Not all applications will be IPv6 compatible (c) 2011 Microsoft. All rights reserved.

  5. Simple? Maybe Not… Internet Corporate intranet Tunnelling technologies for the Internet and intranet to support IPv6 over IPv4 Internet tunnelling selection based on client location – Internet, NAT, firewall Encryption/authentication of Internet traffic (end-to-edge/end-to-end) PKI required Client location detection: Internet or corporate intranet (c) 2011 Microsoft. All rights reserved.

  6. Troubleshooting Environment DC1 INET1 DNS DC, DNS,CA APP1 NAT1 Home Corporate intranet Internet WIN7 UAG WIN7 WIN7 (c) 2011 Microsoft. All rights reserved.

  7. IPv4 Only Resources • Applications that are not IPv6 capable will need to be reached via an IPv6/IPv4 translation device such as NAT64 and DNS64 • Examples of IPv4 only resources • Windows 2000 • Built-in applications and services running on Windows XP and Server 2003 • Check with the vendor for IPv6 capabilities • Upgrade where possible (c) 2011 Microsoft. All rights reserved.

  8. Connectivity Summary Forefront Unified Access Gateway (UAG) Corporate Network IPv4 Internet 6to4 tunnel Native IPv6 IPv6 in IPv4 protocol 41 Teredo tunnel ISATAP NAT IPv6 in UDP port 3544 DNS64 IPv6 in IPv4 protocol 41 IPHTTPS tunnel NAT64 IPv4 NAT IPv6 in HTTPS UDP port 3544 blocked (c) 2011 Microsoft. All rights reserved.

  9. Securing the Tunnels Corporate intranet Integrity / encryption / authentication Secured with IP Sec 1StAuth 2nd Auth Infrastructure Tunnel Computer accountcredentials Computer cert Intranet Tunnel Computer certor health cert User / Smartcard / One-time password (c) 2011 Microsoft. All rights reserved.

  10. Main modesecurity association Key life configurable Default: 1 hour Create shared secret between hosts AuthIP AuthIP Uses Diffie-Hellman Authenticate over secure channel AuthIP AuthIP Kerberos / certificatesComputer and/or user authentication Quick mode: IPsec SAKey life configurable Default 1 hour/100 MB Drops after 3 Mins of inactivity Establish IPSec session Keys AuthIP AuthIP Create Security Association for session IPsec SA IPsec SA Integrity or Integrity + encryption IPSec Primer Exchange data (c) 2011 Microsoft. All rights reserved.

  11. Main Mode Association (c) 2011 Microsoft. All rights reserved.

  12. Quick Mode Association (c) 2011 Microsoft. All rights reserved.

  13. DirectAccess Wizard For end-point serversif required GPO(s) GPO GPO GPO creation IPsec Rules NRPT Rules Configuration fortransition Technologies: 6to4 Teredo IPHTTPS Configuration fortransition Technologies: 6to4 Teredo IPHTTPS ISATAP DNS64 NAT64 GPM UAG Wizard UAGServer IPsec Rules Identification of certificates IPHTTPS Root or intermediate (tovalidate client certs) (c) 2011 Microsoft. All rights reserved.

  14. Troubleshooting • NETSH – ITS YOUR NEW BEST FRIEND! • No SA = No IPsec • ICMPv6 is exempt from IPsec • Check connectivity using IPv6 ping • Use Netsh to check: • Transition tunnels • IPv6 configuration • IPsec status (c) 2011 Microsoft. All rights reserved.

  15. Demo: INET1 DC1 DNS DC, DNS,CA Corporate intranet Internet WIN7 UAG APP1 • Windows 7 client cannot connect to intranet resources (c) 2011 Microsoft. All rights reserved.

  16. A Helping Hand • DirectAccess Connectivity Assistant • %ProgramFiles%\Microsoft Forefront Unified Access Gateway\common\bin\da\dca • Microsoft_DirectAccess_Connectivity_Assistant.MSI (c) 2011 Microsoft. All rights reserved.

  17. Group Policy for DCA • DCA Wizard (included with SP1) (c) 2011 Microsoft. All rights reserved.

  18. Demo: Configuring DCA INET1 DC1 DNS DC, DNS,CA Corporate intranet Internet WIN7 UAG APP1 (c) 2011 Microsoft. All rights reserved.

  19. Certificate requirements X X X Web server with CRL IPv6 Host UAGserver NAT Device IPHTTPSHost IPv6intranet IPv4 Internet NAT Tunnel IPv6 in HTTPS Certificate URL of CRL distribution point published in certificate

  20. UAG DirectAccess Wizard HTTPS certificate (c) 2011 Microsoft. All rights reserved.

  21. UAG DirectAccess Wizard Root certificate of client certificate The root certificate must be installed on the client (c) 2011 Microsoft. All rights reserved.

  22. Demo: Troubleshooting IPHTTPS DC1 INET1 DNS DC, DNS,CA APP1 NAT1 Home Corporate intranet Internet WIN7 UAG WIN7 WIN7 (c) 2011 Microsoft. All rights reserved.

  23. Client Location corp.contoso.com zone DNS 1 IP configuredDNS address DNS 2 • To resolve names on the Internet • DirectAccess host queries DNS 1 • To resolve names on the Intranet • DirectAccess host queries DNS 2 Corporate intranet Internet (c) 2011 Microsoft. All rights reserved.

  24. How does that work? • Name Resolution Policy Table (NRPT) • NRPT defines which DNS servers to query based on the namespace to be resolved • The NRPT can send DNS queries for corp.contoso.com to the intranet DNS server • All other DNS queries are sent to the DNS server address configured in the client IP settings (c) 2011 Microsoft. All rights reserved.

  25. NRPT corp.contoso.com zone DNS 2 DNS 1 NLS IP configuredDNS address Internet Corporate intranet NRPT: corp.contoso.com: query DNS 2 All other name spaces query DNS server configured in client IP settings There is a special entry in the table to direct DNS queries for an internal HTTPS website to the DNS servers configured in the client IP settings For example: queries for NLS.corp.contoso.com always go to IP configured DNS address and this is not resolvable on the internet (c) 2011 Microsoft. All rights reserved.

  26. Viewing the NRPT (c) 2011 Microsoft. All rights reserved.

  27. NRPT Inside/Outside • NRPT enabled by default • If the client can access an internal HTTPS website (https://NLS.corp.contoso.com) • Considered to be on the intranet • NRPT disabled • No access to secure website • Considered to be on the Internet • NRPT remains enabled (c) 2011 Microsoft. All rights reserved.

  28. Demo: Troubleshooting DNS DC1 INET1 DNS DC, DNS,CA APP1 NAT1 Home UAG Corporate intranet Internet WIN7 IIS for CRLdistribution WIN7 DirectAccess running (c) 2011 Microsoft. All rights reserved.

  29. Troubleshooting Summary • Determine client location: • 6to4 / Teredo or IPHTTPS • Determine connectivity status: • Do we have Internet connectivity? • Do we have Internet DNS resolution? • Is the adapter status correct for client location? • Use IPv6 ping to validate interface(s) status • Netshinterface <6to4> show state • Netshinterface <6to4> show relay • Check routes • Use NETSH to check IPv6 routes • Netsh interface ipv6 show route (c) 2011 Microsoft. All rights reserved.

  30. Troubleshooting Summary • Check Name resolution • Check NRPT (Name Resolution Policy Table) • Netsh namespace show effectivepolicy • Netshdnsclient show state • Ping known addresses internally • Check IPSec status • Windows Firewall with Advanced Security • Security Event log on UAG (*enable auditing!) • Use NETSH to check status • Netshint https show int • Use the DirectAccess troubleshooter • Use the DirectAccess Connectivity Assistant (c) 2011 Microsoft. All rights reserved.

  31. Where Next? • Create a test lab and deploy in your environment • http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=24144 • http://www.microsoft.com/download/en/confirmation.aspx?id=17146 • TechNet DirectAccess home page • http://technet.microsoft.com/en-us/library/dd758757(WS.10).aspx • DirectAccess Deployment Guide • http://technet.microsoft.com/en-us/library/ee649163(WS.10).aspx • DirectAccess Troubleshooting Guide • http://technet.microsoft.com/en-us/library/ee624056(WS.10).aspx (c) 2011 Microsoft. All rights reserved.

  32. AgendaHow to Troubleshoot DirectAccess • Understanding all the pieces of the puzzle • Troubleshooting steps • Useful Tools to assist • Troubleshooting demonstrations • DirectAccess Connectivity Assistant • Certificates • Name Resolution Policy Table (NRPT) • Where next? (c) 2011 Microsoft. All rights reserved.

  33. Enrol in Microsoft Virtual Academy Today Why Enroll, other than it being free? The MVA helps improve your IT skill set and advance your career with a free, easy to access training portal that allows you to learn at your own pace, focusing on Microsoft technologies. • What Do I get for enrolment? • Free training to make you become the Cloud-Hero in my Organization • Help mastering your Training Path and get the recognition • Connect with other IT Pros and discuss The Cloud Where do I Enrol? www.microsoftvirtualacademy.com Then tell us what you think. TellTheDean@microsoft.com

  34. © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. (c) 2011 Microsoft. All rights reserved.

  35. Resources • www.msteched.com/Australia • Sessions On-Demand & Community • www.microsoft.com/australia/learning • Microsoft Certification & Training Resources • http:// technet.microsoft.com/en-au • Resources for IT Professionals • http://msdn.microsoft.com/en-au • Resources for Developers (c) 2011 Microsoft. All rights reserved.

More Related