SESSION CODE: # SVR414
How to Troubleshoot DirectAccess
Toby Alcock, Corporate Network Integration
(c) 2011 Microsoft. All rights reserved.

Agenda: How to Troubleshoot DirectAccess
► Understanding all the pieces of the puzzle
► Troubleshooting steps
– Useful tools to assist
► Troubleshooting demonstrations
– DirectAccess Connectivity Assistant
– Certificates
– Name Resolution Policy Table (NRPT)
► Where next?

DirectAccess: more than a VPN
► Always-on connection to the corporate network
► Network-level computer and user authentication and encryption
► Automatically connects through NAT and firewalls
► VPNs connect the user to the network; DirectAccess extends the network to the remote computer and user

End-to-End IPv6
► Client and server applications must be IPv6 compatible (diagram: client app, IPv6 across the Internet, IPv6 across the corporate intranet, server app)
► Not all applications will be IPv6 compatible

Simple? Maybe Not…
► Tunnelling technologies for the Internet and the intranet to carry IPv6 over IPv4
► Internet tunnel selection based on client location: public Internet, behind a NAT, behind a firewall
► Encryption and authentication of Internet traffic (end-to-edge / end-to-end)
► PKI required
► Client location detection: Internet or corporate intranet

Troubleshooting Environment (lab diagram)
► Internet side: INET1 (DNS), NAT1, Windows 7 clients (WIN7 directly on the Internet and WIN7 at home behind NAT1)
► Edge: UAG (Forefront Unified Access Gateway)
► Corporate intranet: DC1 (DC, DNS, CA), APP1, WIN7

IPv4 Only Resources
► Applications that are not IPv6 capable will need to be reached via an IPv6/IPv4 translation device such as NAT64 and DNS64
► Examples of IPv4-only resources
– Windows 2000
– Built-in applications and services running on Windows XP and Server 2003
► Check with the vendor for IPv6 capabilities
► Upgrade where possible
Connectivity Summary (diagram)
► Client with a public IPv4 address: 6to4 tunnel to the UAG server, IPv6 in IPv4 (protocol 41)
► Client behind a NAT: Teredo tunnel, IPv6 in UDP port 3544
► Client behind a NAT or firewall where UDP port 3544 is blocked: IP-HTTPS tunnel, IPv6 in HTTPS
► Corporate network behind the UAG server: native IPv6, or ISATAP (IPv6 in IPv4, protocol 41) where the intranet is IPv4 only, with DNS64/NAT64 in front of IPv4-only resources

Securing the Tunnels
► Integrity, encryption and authentication of the Internet leg, secured with IPsec
► Infrastructure tunnel
– 1st auth: computer certificate
– 2nd auth: computer account credentials
► Intranet tunnel
– 1st auth: computer certificate or health certificate
– 2nd auth: user credentials / smart card / one-time password

IPsec Primer
► AuthIP: create a shared secret between the hosts (Diffie-Hellman)
► AuthIP: authenticate over the secure channel (Kerberos / certificates; computer and/or user authentication)
► IPsec SA: establish the IPsec session keys and create a Security Association for the session
► Exchange data: integrity, or integrity + encryption

Main Mode and Quick Mode Associations
► Main mode (AuthIP) security association: key life configurable, default 1 hour
► Quick mode (IPsec SA): key life configurable, default 1 hour / 100 MB; dropped after 3 minutes of inactivity

DirectAccess Wizard
► The UAG DirectAccess wizard creates the GPOs (via Group Policy Management)
► Client GPO: IPsec rules, NRPT rules, configuration for the transition technologies (6to4, Teredo, IP-HTTPS)
► UAG server: IPsec rules, configuration for the transition technologies (6to4, Teredo, IP-HTTPS, ISATAP, DNS64, NAT64)
► End-point server GPO: IPsec rules, if required (end-to-end)
► Identification of certificates: IP-HTTPS certificate; root or intermediate certificate (to validate client certificates)

Troubleshooting
► No SA = no IPsec
► ICMPv6 is exempt from IPsec
– Check connectivity using IPv6 ping
► Use netsh to check:
– Transition tunnels
– IPv6 configuration
– IPsec status
• NETSH – IT'S YOUR NEW BEST FRIEND!
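The first thing to establish on a client that cannot connect is which transition technology it ended up with, and that can be read straight from the IPv6 address on its 6to4, Teredo or IPHTTPSInterface adapter (netsh interface ipv6 show address). The Python example below is added to this write-up; it is not from the session or from any Microsoft tool. It classifies an address as 6to4 (2002::/16, public IPv4 embedded), Teredo (2001:0::/32, with the Teredo server, the NAT-mapped client IPv4 and UDP port embedded, the last two stored inverted) or ISATAP (interface identifier ::0:5efe:w.x.y.z), using only the standard library. The IP-HTTPS prefix is whatever the UAG wizard assigned, so it is passed in rather than guessed. The addresses 198.51.100.1, 203.0.113.7 and 10.0.0.3 and the prefix 2002:c633:6401:8100::/64 are constructed for the example, not taken from the lab.

```python
"""Which transition technology is a DirectAccess client using?

Added example; not code from the session or from Windows. Reads the technology
and the embedded IPv4 information out of a client IPv6 address, as you would
from the adapters listed by "netsh interface ipv6 show address".
All sample addresses are constructed (documentation ranges).
"""
import ipaddress

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")     # 2001:0::/32
SIXTOFOUR_PREFIX = ipaddress.IPv6Network("2002::/16")  # 2002:WWXX:YYZZ::/48 per public IPv4


def isatap_embedded_ipv4(addr):
    """IPv4 address carried in an ISATAP interface identifier, or None.

    ISATAP interface IDs are ::0:5efe:w.x.y.z (or ::200:5efe:w.x.y.z when the
    'u' bit is set), i.e. bits 32-63 of the address hold 0x00005EFE or 0x02005EFE.
    """
    n = int(addr)
    if (n >> 32) & 0xFDFFFFFF == 0x00005EFE:   # mask clears the 'u' bit
        return ipaddress.IPv4Address(n & 0xFFFFFFFF)
    return None


def classify(text, iphttps_prefix=None):
    """Return a dict describing the transition technology behind an IPv6 address.

    iphttps_prefix is the prefix the UAG DirectAccess wizard assigned to the
    IP-HTTPS interface (assumed input: it is site specific and cannot be derived).
    """
    addr = ipaddress.IPv6Address(text)
    n = int(addr)
    info = {"address": str(addr), "technology": "native or unknown",
            "embedded_ipv4": None, "notes": []}

    if iphttps_prefix and addr in ipaddress.IPv6Network(iphttps_prefix):
        info["technology"] = "IP-HTTPS"
        info["notes"].append("IPv6 in HTTPS (TCP 443); used when UDP 3544 is blocked")
        return info

    isatap_v4 = isatap_embedded_ipv4(addr)
    if isatap_v4 is not None:
        info["technology"] = "ISATAP"
        info["embedded_ipv4"] = str(isatap_v4)
        if addr in SIXTOFOUR_PREFIX:
            info["notes"].append("prefix lies in the 6to4 range derived from %s"
                                 % addr.sixtofour)
        return info

    if addr in TEREDO_PREFIX:
        server, client = addr.teredo            # stdlib undoes the inverted client IPv4
        info["technology"] = "Teredo"
        info["embedded_ipv4"] = str(client)     # client's NAT-mapped public IPv4
        info["teredo_server"] = str(server)
        info["udp_port"] = (~n >> 32) & 0xFFFF  # mapped UDP port, also stored inverted
        info["flags"] = (n >> 48) & 0xFFFF      # RFC 4380 flags field
        info["notes"].append("client behind a NAT; IPv6 in UDP port 3544")
        return info

    if addr in SIXTOFOUR_PREFIX:
        info["technology"] = "6to4"
        info["embedded_ipv4"] = str(addr.sixtofour)   # the client's public IPv4
        info["notes"].append("client has a public IPv4 address; IPv6 in IPv4 protocol 41")
        return info

    return info


if __name__ == "__main__":
    samples = [
        "2002:c633:6401::c633:6401",             # 6to4, public IPv4 198.51.100.1
        "2001:0:c633:6401:8000:63bf:34ff:8ef8",  # Teredo via server 198.51.100.1
        "2002:c633:6401:8000:0:5efe:a00:3",      # ISATAP intranet host 10.0.0.3
        "2002:c633:6401:8100::1",                # IP-HTTPS (assumed wizard prefix)
    ]
    for sample in samples:
        print(classify(sample, iphttps_prefix="2002:c633:6401:8100::/64"))
```

Two checks fall out of the decoded values. A Teredo address whose embedded client IPv4 differs from the address on the client's own adapter confirms a NAT in the path, which is expected; a Teredo client whose decoded UDP port changes between runs points at a NAT that is remapping, which Teredo handles badly and is a reason to expect the client to fall back to IP-HTTPS. A 6to4 address is only handed out when the adapter itself carries a public IPv4 address, so a 6to4 adapter on a client that is in fact behind a NAT explains why protocol 41 traffic never reaches the UAG server.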
Demo: Windows 7 client cannot connect to intranet resources
(lab diagram: INET1 (DNS), DC1 (DC, DNS, CA), WIN7, UAG, APP1)

A Helping Hand
► DirectAccess Connectivity Assistant (DCA)
– %ProgramFiles%\Microsoft Forefront Unified Access Gateway\common\bin\da\dca
– Microsoft_DirectAccess_Connectivity_Assistant.MSI

Group Policy for DCA
► DCA wizard (included with UAG SP1)

Demo: Configuring DCA
(lab diagram: INET1 (DNS), DC1 (DC, DNS, CA), WIN7, UAG, APP1)

Certificate Requirements
► An IP-HTTPS host (an IPv6 host behind a NAT device on the IPv4 Internet) tunnels IPv6 in HTTPS to the UAG server and on to the IPv6 intranet
► The client validates the UAG server's HTTPS certificate, so the URL of the CRL distribution point published in the certificate must be reachable from the Internet (web server with the CRL); if the CRL cannot be fetched, the IP-HTTPS tunnel fails
► UAG DirectAccess wizard: HTTPS certificate
► UAG DirectAccess wizard: root certificate of the client certificate
– The root certificate must be installed on the client

Demo: Troubleshooting IP-HTTPS
(lab diagram: INET1 (DNS), DC1 (DC, DNS, CA), NAT1, WIN7 at home behind NAT1, UAG, APP1)

Client Location
► DNS 1: the DNS server address configured in the client's IP settings (Internet)
► DNS 2: the DNS server for the corp.contoso.com zone (corporate intranet)
► To resolve names on the Internet, the DirectAccess host queries DNS 1
► To resolve names on the intranet, the DirectAccess host queries DNS 2

How does that work?
► Name Resolution Policy Table (NRPT)
► The NRPT defines which DNS servers to query based on the namespace to be resolved
– The NRPT can send DNS queries for corp.contoso.com to the intranet DNS server
– All other DNS queries are sent to the DNS server address configured in the client IP settings
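The NRPT lookup is a suffix match in which the longest matching namespace wins, an exemption entry sends the Network Location Server's name back to the interface-configured DNS, and the whole table is switched off once the client decides it is on the intranet. The Python model below is added for this write-up; it is not from the session or from Windows. It assumes a constructed NRPT with the rule .corp.contoso.com pointing at an intranet DNS address (with UAG this would be the DNS64 address on the UAG server; the address used here is made up), an exemption for nls.corp.contoso.com, and 192.0.2.53 standing in for the DNS server in the client's IP settings. The inside/outside decision is passed in as a boolean representing the outcome of the client's HTTPS probe to the NLS.

```python
"""Which DNS server does a DirectAccess client ask for a given name?

Added example modelling the NRPT as the UAG DirectAccess wizard pushes it to
clients by Group Policy; not code from the session or from Windows. All names
and addresses below are constructed for the example.
"""

# DNS server from the client's IP settings (home router / ISP): the slide's "DNS 1".
INTERFACE_DNS = ["192.0.2.53"]
# Intranet DNS server the NRPT points at: the slide's "DNS 2". With UAG this is
# the DNS64 address on the UAG server; the value here is an assumption.
INTRANET_DNS = ["2002:c633:6401:8000::1"]

# NRPT rules as (namespace, dns_servers). A namespace with a leading "." covers
# the domain and every name below it; a bare FQDN covers that single host. A
# rule whose server list is None is an exemption: resolve with the interface DNS.
NRPT = [
    (".corp.contoso.com", INTRANET_DNS),
    ("nls.corp.contoso.com", None),   # Network Location Server exemption
]


def matching_rule(name, nrpt=NRPT):
    """Return the NRPT rule with the longest namespace matching name, or None."""
    name = name.lower().rstrip(".")
    best = None
    for namespace, servers in nrpt:
        ns = namespace.lower()
        if ns.startswith("."):
            hit = name.endswith(ns) or name == ns[1:]
        else:
            hit = name == ns
        if hit and (best is None or len(ns) > len(best[0])):
            best = (ns, servers)
    return best


def dns_servers_for(name, nls_reachable, nrpt=NRPT, interface_dns=INTERFACE_DNS):
    """Return (servers, reason): the DNS servers the client will query for name.

    nls_reachable is the outcome of the HTTPS probe to the NLS: True means the
    client considers itself on the intranet, and the whole NRPT is disabled.
    """
    if nls_reachable:
        return interface_dns, "intranet location: NRPT disabled, interface DNS used"
    rule = matching_rule(name, nrpt)
    if rule is None:
        return interface_dns, "no NRPT rule: interface DNS used"
    namespace, servers = rule
    if servers is None:
        return interface_dns, "NRPT exemption %s: interface DNS used" % namespace
    return servers, "NRPT rule %s: intranet DNS used" % namespace


if __name__ == "__main__":
    for location, reachable in (("Internet", False), ("intranet", True)):
        print("Client on the %s (NLS reachable: %s)" % (location, reachable))
        for name in ("app1.corp.contoso.com", "nls.corp.contoso.com",
                     "www.microsoft.com"):
            servers, reason = dns_servers_for(name, reachable)
            print("  %-24s -> %-24s %s" % (name, ", ".join(servers), reason))
```

The exemption is what makes the location check work: if nls.corp.contoso.com went to the intranet DNS like every other corp.contoso.com name, an Internet client could resolve and reach the NLS through the tunnel, conclude it was inside, and switch the NRPT off. The same logic is why the NLS name must not be resolvable from the Internet and why an NLS outage makes intranet clients behave as if they were outside. On a real client, compare the model's output with netsh namespace show effectivepolicy.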
NRPT
► NRPT: corp.contoso.com: query DNS 2
► All other namespaces: query the DNS server configured in the client IP settings
► There is a special entry in the table to direct DNS queries for an internal HTTPS website, the Network Location Server (NLS), to the DNS servers configured in the client IP settings
– For example, queries for NLS.corp.contoso.com always go to the IP-configured DNS address, and this name is not resolvable on the Internet

Viewing the NRPT
(screenshot)

NRPT Inside/Outside
► NRPT enabled by default
► If the client can access the internal HTTPS website (https://NLS.corp.contoso.com)
– Considered to be on the intranet
– NRPT disabled
► No access to the secure website
– Considered to be on the Internet
– NRPT remains enabled

Demo: Troubleshooting DNS
(lab diagram: INET1 (DNS), DC1 (DC, DNS, CA), NAT1, UAG, WIN7 at home with DirectAccess running, IIS for CRL distribution, APP1)

Troubleshooting Summary
► Determine client location:
– 6to4 / Teredo or IP-HTTPS
► Determine connectivity status:
– Do we have Internet connectivity?
– Do we have Internet DNS resolution?
– Is the adapter status correct for the client location?
• Use IPv6 ping to validate the status of the interface(s)
• netsh interface <6to4 | teredo> show state
• netsh interface 6to4 show relay
► Check routes
– Use netsh to check IPv6 routes
• netsh interface ipv6 show route

Troubleshooting Summary (continued)
► Check name resolution
– Check the NRPT (Name Resolution Policy Table)
• netsh namespace show effectivepolicy
• netsh dnsclient show state
– Ping known addresses internally
► Check IPsec status
– Windows Firewall with Advanced Security
– Security event log on UAG (enable IPsec auditing first!)
– Use netsh to check the IP-HTTPS interface status and last error code
• netsh interface httpstunnel show interfaces (abbreviated on the slide as netsh int https show int)
► Use the DirectAccess troubleshooter
► Use the DirectAccess Connectivity Assistant

Where Next?
► Create a test lab and deploy in your environment
– http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=24144
– http://www.microsoft.com/download/en/confirmation.aspx?id=17146
► TechNet DirectAccess home page
– http://technet.microsoft.com/en-us/library/dd758757(WS.10).aspx
► DirectAccess Deployment Guide
– http://technet.microsoft.com/en-us/library/ee649163(WS.10).aspx
► DirectAccess Troubleshooting Guide
– http://technet.microsoft.com/en-us/library/ee624056(WS.10).aspx

Enrol in Microsoft Virtual Academy Today
Why enrol, other than it being free? The MVA helps improve your IT skill set and advance your career with a free, easy-to-access training portal that allows you to learn at your own pace, focusing on Microsoft technologies.
What do I get for enrolling?
► Free training to help you become the cloud hero in your organisation
► Help mastering your training path and getting the recognition
► Connect with other IT pros and discuss the cloud
Where do I enrol? www.microsoftvirtualacademy.com
Then tell us what you think: [email protected]

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation.
Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Resources
► Sessions On-Demand & Community: www.msteched.com/Australia
► Microsoft Certification & Training Resources: www.microsoft.com/australia/learning
► Resources for IT Professionals: http://technet.microsoft.com/en-au
► Resources for Developers: http://msdn.microsoft.com/en-au