Server 2012 - DirectAccess - Still 2 tunnels from client to DirectAccess server?

  • Question


  • Does the DirectAccess client in 2012 still create two tunnels to the DirectAccess server? One IPsec Encapsulating Security Payload (ESP) tunnel with IP-TLS (Transport Layer Security) encryption using the machine certificate and one IPsec ESP tunnel with IP-TLS encryption using both the machine certificate and user credentials. I have been reading this article (http://blogs.technet.com/b/meamcs/archive/2012/05/03/windows-server-2012-direct-access-part-1-what-s-new.aspx) and from the way I read it, that is how it worked in Windows 2008 R2; however, it doesn't mention whether there are any changes to the way this works in 2012.

    Can anyone point me to a diagram or explanation from Microsoft on this in 2012?

    This is what I have gathered from the above mentioned article but it is referring to Windows Server 2008 R2:

    Direct Access clients create two tunnels to the Direct Access server. The first tunnel, the infrastructure tunnel, provides access to intranet Domain Name System (DNS) servers, Active Directory Domain Services (AD DS) domain controllers, and other infrastructure and management servers. The second tunnel, the intranet tunnel, provides access to intranet resources such as Web sites, file shares, and other application servers.


    [image]

    Notice that the Direct Access client establishes two IPsec tunnels: 

          IPsec Encapsulating Security Payload (ESP) tunnel with IP-TLS (Transport Layer Security) encryption using the machine certificate. This tunnel provides access to the DNS server and domain controller, allowing the computer to download Group Policy objects and to request authentication on the user’s behalf. 

          IPsec ESP tunnel with IP-TLS encryption using both the machine certificate and user credentials. This tunnel authenticates the user and provides access to internal resources and application servers. For example, this tunnel would need to be established before Microsoft Outlook could download e-mail from the internal Microsoft Exchange Server.


    My Microsoft Core Infrastructure & Systems Management blog - blog.danovich.com.au

    Monday, September 17, 2012 5:40 AM

Answers

  • Hi,

    If you do a setup where you use machine certificates and two interfaces you will get the same setup as in Windows Server 2008 R2 (two IPsec tunnels).

    If you use a setup without machine certificates you will get a single IPsec tunnel that uses a mix of Kerberos authentication for the machine and user.
    I personally have not had time to go through the different configurations (single NIC, NATed NIC, internet-facing in combination with no machine certificates) in detail yet, so I cannot say exactly how the authentication is set up in the different scenarios and what you can reach without a logged-on user.

    What I know is that a setup with two interfaces and the use of machine certificates will get you IPsec tunnels corresponding to Windows Server 2008 R2.

    Best wishes,
    Jonas Blom


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    • Proposed as answer by Jonas Blom Tuesday, September 18, 2012 6:36 AM
    • Marked as answer by danovich_ Tuesday, September 18, 2012 11:51 PM
    Monday, September 17, 2012 7:33 AM
  • Hi Jonas,

    Thanks for your detailed reply. I will be going with the machine certificate option with 2 NICs (can't do the kerberos option as this won't support multi-site).

    Just to confirm - the 2 IPsec tunnels are between the client and the DirectAccess server. The connection between the internal interface of the DirectAccess server and the internal network servers isn't secured with IPsec tunnels unless you specifically set up an additional IPsec application tunnel?


    My Microsoft Core Infrastructure & Systems Management blog - blog.danovich.com.au

    • Marked as answer by danovich_ Tuesday, September 18, 2012 11:51 PM
    Tuesday, September 18, 2012 12:48 AM
  • Yes, that's correct.

    Glad to be able to help.


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    • Marked as answer by danovich_ Tuesday, September 18, 2012 11:51 PM
    Tuesday, September 18, 2012 6:36 AM
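
    As an added example (not part of the thread, and not code from Microsoft or from either poster), the following PowerShell snippet lets you verify on a Windows 8 DirectAccess client which of the two layouts discussed above you actually got: it lists the IPsec main-mode SAs (one per tunnel, with the identities that authenticated each) and groups the quick-mode SAs by remote endpoint to show that all of them terminate at the DirectAccess server's address, not at the intranet servers. It assumes the built-in DirectAccessClientComponents and NetSecurity modules, an elevated session, and that the client is currently connected from outside the corporate network; the status string 'ConnectedRemotely' and the Id column names are the ones those cmdlets expose.

```powershell
# Added example, not code from the thread or from Microsoft.
# Run in an elevated PowerShell on a Windows 8 DirectAccess client while it is
# outside the corporate network. Shows how many IPsec tunnels the client built
# to the DirectAccess server and how each one was authenticated.

# 1. Confirm the client believes it is connected through DirectAccess.
$da = Get-DAConnectionStatus
"DirectAccess status: $($da.Status) / $($da.Substatus)"
if ($da.Status -ne 'ConnectedRemotely') {
    Write-Warning 'Not connected remotely; there are no DirectAccess IPsec SAs to inspect.'
    return
}

# 2. Main-mode SAs: one per tunnel. The First/Second Id columns show the
#    identities negotiated for it. With machine certificates (the two-tunnel
#    layout) expect two SAs to the same DA server address: the infrastructure
#    tunnel authenticated by the certificate plus the machine account, and the
#    intranet tunnel that additionally carries the logged-on user's identity.
#    Without certificates expect a single SA using Kerberos for machine and user.
$mm = @(Get-NetIPsecMainModeSA)
"Main-mode SAs: $($mm.Count)"
$mm | Select-Object LocalEndpoint, RemoteEndpoint, LocalFirstId, RemoteFirstId,
                    LocalSecondId, RemoteSecondId |
      Format-Table -AutoSize

# 3. Quick-mode SAs carry the actual ESP traffic. Grouping them by
#    RemoteEndpoint shows that every SA terminates at the DA server's IPv6
#    address(es): the hop from the server's internal interface to the intranet
#    servers is not IPsec-protected unless an end-to-end (application) tunnel
#    is configured separately.
$qm = @(Get-NetIPsecQuickModeSA)
"Quick-mode SAs: $($qm.Count)"
$qm | Group-Object RemoteEndpoint |
      Select-Object @{ n = 'RemoteEndpoint'; e = { $_.Name } }, Count |
      Format-Table -AutoSize
```

    On the server side the choice between the two layouts is the computer-certificate setting of the DirectAccess server configuration (`Set-DAServer -ComputerCertAuthentication Enabled` for the two-tunnel layout, `Disabled` for the single Kerberos tunnel); run the snippet above on a client after changing it and the main-mode SA count should change accordingly.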
