DirectAccess 2012 with RSA deployment experience

I have just completed a large deployment of DirectAccess for a UK business. They were migrating from UAG and also wanted to implement RSA authentication.

The solution involved two separate load balanced arrays in different sites, RSA OTP authentication, Network Policy Health checks (NAP/HRA), Windows 7 client roaming between sites and ManageOut.

The deployment could have been a smooth experience, but I came across numerous issues, and errors in the Microsoft documentation – particularly when it came to multi-site setup and load balancing.

Microsoft have produced some nice lab guides and walk-throughs, but these are littered with errors, and there appears to be no official ‘meaty’ documentation on the setup; which I found unusual and frustrating. It feels like they had a great idea with 2012 DA, but rushed it out the door, lacking large amounts of testing and detail.

I am pleased to say that the solution works well however!

Some issues I encountered were:

  • Amount of hacking required with PowerShell to make Win7 client roaming work
  • Changing the IP-HTTPS encryption certificate in the GUI resets some of that customisation, requiring some scripts to be rerun to ‘fix’ it after the change (Set-NetIPHTTPSConfiguration -PolicyStore PersistentStore -ServerURL "https://+:443/IPHTTPS")
  • Adding a node to NLB sometimes gets the subnet mask wrong on the dedicated IP. In this case the subnet mask got set to 255.255.255.15 instead of 255.255.255.240. This caused a ‘misconfigured’ error.
  • Detail on a unified IPv6 address for DNS64 across the load balanced servers and sites was lacking. It feels like a very dirty hack to add a common IPv6 address across all nodes. See 2.1.3.2 here http://technet.microsoft.com/en-us/library/jj735306.aspx
  • I found this custom IPv6 address seemed to ‘disappear’ often
  • Once you set up this custom DNS64 address you cannot use the GUI to add new DNS suffixes, because it insists on an IPv4 address. You have to use PowerShell to add new ones: Add-DAClientDnsConfiguration -DnsSuffix '.domainname.com' -DnsIPAddress @('customipv6DNS64address') -Verbose -ComputerName 'daservername'
  • I also found the Windows 7 IP-HTTPS client sometimes got stuck in an error ‘No Usable Certificate(s) 0x103’. None of the MS blogs contained a solution. Restarting the IP Helper service resolves it – or just booting the laptop with no network connection. It seems to appear if it automatically connects to an 802.1x WPA Enterprise WLAN on startup.
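A per-node drift check for the server-side issues in that list (IP-HTTPS ServerURL reset by the certificate change, the shared DNS64 IPv6 address vanishing, NRPT suffixes pointing at the wrong resolver, and the bad NLB dedicated-IP mask), added here as an example and not code from the original post or from Microsoft. It assumes you pass the custom DNS64 address as $Dns64Address, expects the NLB mask from the post (255.255.255.240), and assumes the Get-NlbClusterNodeDip output exposes IPAddress and SubnetMask properties.

```powershell
# Added example: detect configuration drift on a DirectAccess 2012 node (not from the post).
param(
    [Parameter(Mandatory)][string]$Dns64Address,      # the custom IPv6 DNS64 address (assumed input)
    [string]$ExpectedNlbMask = '255.255.255.240'      # mask the post expected on the NLB DIP
)
Import-Module NetworkTransition, RemoteAccess, NetworkLoadBalancingClusters -ErrorAction Stop

function Test-MaskContiguous([string]$Mask) {
    # A valid IPv4 mask is a run of 1 bits followed by 0 bits; 255.255.255.15 (0xFFFFFF0F) is not.
    $bytes = ([System.Net.IPAddress]$Mask).GetAddressBytes()
    [Array]::Reverse($bytes)                           # network order -> little-endian for BitConverter
    $inv = ([int64][BitConverter]::ToUInt32($bytes, 0)) -bxor 0xFFFFFFFF
    return ((($inv + 1) -band $inv) -eq 0)             # inverted mask + 1 must be a power of two
}

$findings = @()

# 1. IP-HTTPS ServerURL, which changing the certificate in the GUI can reset.
$ipHttps = Get-NetIPHTTPSConfiguration -PolicyStore PersistentStore
if ($ipHttps.ServerURL -ne 'https://+:443/IPHTTPS') {
    $findings += "IP-HTTPS ServerURL is '$($ipHttps.ServerURL)', expected https://+:443/IPHTTPS"
}

# 2. The shared DNS64 IPv6 address must still be bound locally (the post saw it disappear).
if (-not (Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
          Where-Object IPAddress -eq $Dns64Address)) {
    $findings += "DNS64 address $Dns64Address is not bound on this node"
}

# 3. Every NRPT suffix should resolve via that address, not an IPv4 one added through the GUI.
foreach ($entry in Get-DAClientDnsConfiguration) {
    if ($entry.DnsIPAddress -and ($entry.DnsIPAddress -notcontains $Dns64Address)) {
        $findings += "NRPT suffix $($entry.DnsSuffix) points at $($entry.DnsIPAddress -join ',')"
    }
}

# 4. NLB dedicated IP mask: must be a contiguous mask and match the expected value.
foreach ($dip in Get-NlbClusterNodeDip -ErrorAction SilentlyContinue) {
    if (-not (Test-MaskContiguous $dip.SubnetMask) -or ($dip.SubnetMask -ne $ExpectedNlbMask)) {
        $findings += "NLB DIP $($dip.IPAddress) has mask $($dip.SubnetMask), expected $ExpectedNlbMask"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'DirectAccess node configuration matches the expected state'
```

Run it on each array member after any GUI change (certificate swap, NLB node add) so the resets the post describes are caught before clients notice them.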

4 thoughts on “DirectAccess 2012 with RSA deployment experience”

  1. Hey Ben,

    I'm trying to set up GSLB with Windows 7 but I am finding a lack of official documentation. I also noted that the link you posted above doesn’t seem to be active anymore. I was wondering if you had a copy of this anywhere? I’ve not been able to find it anywhere. Your help would be appreciated!

    thanks
    Lu


    • Hi

      It does appear that MS have killed off all the technet articles! It wasn’t ever an official guide, but a lab-guide on how to set it up. Unfortunately I don’t have a complete copy of them, and even sites like Wayback Machine haven’t archived it.

      I'll keep digging and let you know if I can find anything.

      Ben
