DirectAccess 2012 with RSA deployment experience

I have just completed a large deployment of DirectAccess for a UK business. They were migrating from UAG and also wanted to implement RSA authentication.

The solution involved two separate load balanced arrays in different sites, RSA OTP authentication, Network Policy Health checks (NAP/HRA), Windows 7 client roaming between sites and ManageOut.

The deployment could have been a smooth experience, but I came across numerous issues, and errors in the Microsoft documentation – particularly when it came to multi-site setup and load balancing.

Microsoft have produced some nice lab guides and walk-throughs, but these are littered with errors, and there appears to be no official ‘meaty’ documentation on the setup; which I found unusual and frustrating. It feels like they had a great idea with 2012 DA, but rushed it out the door, lacking large amounts of testing and detail.

I am pleased to say that the solution works well however!

Some issues I encountered were:

  • Amount of hacking required with PowerShell to make Win7 client roaming work
  • Changing the IP-HTTPS encryption certificate in the GUI resets some of that customisation, requiring rerunning of some scripts to ‘fix’ it after the change (Set-NetIPHTTPSConfiguration -PolicyStore PersistentStore -ServerURL "https://+:443/IPHTTPS")
  • Adding a node to NLB sometimes gets the subnet mask wrong on the dedicated IP. In this case the subnet mask got set to 255.255.255.15 instead of 255.255.255.240. This caused a ‘misconfigured’ error.
  • Detail on a unified IPv6 address for DNS64 across the load balanced servers and sites was lacking. It feels like a very dirty hack to add a common IPv6 address across all nodes. See 2.1.3.2 here http://technet.microsoft.com/en-us/library/jj735306.aspx
  • I found this custom IPv6 address seemed to ‘disappear’ often
  • Once you set up this custom DNS64 address you can use the GUI to add new DNS suffixes, but it insists on an IPv4 address. You have to use PowerShell to add new ones: Add-DAClientDnsConfiguration -DnsSuffix '.domainname.com' -DnsIPAddress @('customipv6DNS64address') -Verbose -ComputerName 'daservername'
  • I also found the Windows 7 IP-HTTPS client sometimes got stuck in an error ‘No Usable Certificate(s) 0x103’. None of the MS blogs contained a solution. Restarting the IP Helper service resolves it – or just booting the laptop with no network connection. It seems to appear if it automatically connects to an 802.1X WPA Enterprise WLAN on startup.
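The checks below are an added example, not a script from the original post or from Microsoft. They turn the issues in the list above into something that can be re-run after every GUI change: the IP-HTTPS listener URL, a non-contiguous NLB dedicated-IP mask (255.255.255.15 fails the test, 255.255.255.240 passes), the custom DNS64 IPv6 address still being bound, NRPT suffixes pointing at that address, plus the Windows 7 client-side restart of IP Helper when netsh reports 0x103. The function names, the DNS64 address fd00:abcd::1 and the internal adapter alias ‘Internal’ are assumptions; substitute your own values.

```powershell
# Added example (not from the original post). Test-DAServerConfig runs on each
# DirectAccess server (PowerShell 3.0 / Server 2012); Repair-DAClientIPHttps runs
# on a Windows 7 client (PowerShell 2.0 syntax only). Default values are assumptions.

function Test-ContiguousMask {
    # 255.255.255.240 -> 11111111111111111111111111110000 (valid)
    # 255.255.255.15  -> 11111111111111111111111100001111 (the NLB 'misconfigured' case)
    param([string]$Mask)
    $bits = ($Mask.Split('.') | ForEach-Object { [Convert]::ToString([int]$_, 2).PadLeft(8, '0') }) -join ''
    return $bits -match '^1*0*$'
}

function Test-DAServerConfig {
    param(
        [string]$ExpectedDns64 = 'fd00:abcd::1',   # assumption: the common DNS64 address from 2.1.3.2
        [string]$InternalAlias = 'Internal'        # assumption: alias of the internal NIC
    )
    $problems = @()

    # 1. IP-HTTPS listener URL: the GUI certificate change resets this
    $ipHttps = Get-NetIPHttpsConfiguration -PolicyStore PersistentStore
    if ($ipHttps.ServerURL -ne 'https://+:443/IPHTTPS') {
        $problems += "IP-HTTPS ServerURL is '$($ipHttps.ServerURL)'; rerun Set-NetIPHttpsConfiguration -PolicyStore PersistentStore -ServerURL 'https://+:443/IPHTTPS'"
    }

    # 2. Every IPv4 address (including the NLB dedicated IP) must carry a contiguous mask
    foreach ($nic in Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
        for ($i = 0; $i -lt $nic.IPAddress.Count; $i++) {
            $ip = $nic.IPAddress[$i]; $mask = $nic.IPSubnet[$i]
            if ($ip -notmatch ':' -and -not (Test-ContiguousMask $mask)) {
                $problems += "Non-contiguous mask $mask on $ip ($($nic.Description))"
            }
        }
    }

    # 3. The custom DNS64 address tends to 'disappear'; confirm it is still bound
    $bound = Get-NetIPAddress -AddressFamily IPv6 -InterfaceAlias $InternalAlias -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress -eq $ExpectedDns64 }
    if (-not $bound) { $problems += "DNS64 address $ExpectedDns64 is not bound on $InternalAlias" }

    # 4. NRPT suffixes with a DNS server set must use the common DNS64 address
    #    (entries with no DnsIPAddress are exemptions, e.g. the NLS, and are skipped)
    foreach ($rule in Get-DAClientDnsConfiguration) {
        if ($rule.DnsIPAddress -and ($rule.DnsIPAddress -notcontains $ExpectedDns64)) {
            $problems += "NRPT suffix $($rule.DnsSuffix) uses $($rule.DnsIPAddress -join ',') instead of $ExpectedDns64"
        }
    }

    return $problems   # empty array means all four checks passed
}

function Add-DASuffixViaDns64 {
    # The GUI insists on an IPv4 address; the cmdlet accepts the IPv6 DNS64 address.
    param([string]$Suffix, [string]$Dns64, [string]$Server)
    Add-DAClientDnsConfiguration -DnsSuffix $Suffix -DnsIPAddress @($Dns64) -ComputerName $Server -Verbose
}

function Repair-DAClientIPHttps {
    # Windows 7 client: look for the 0x103 'No Usable Certificate(s)' state in the
    # IP-HTTPS interface status and restart IP Helper (iphlpsvc) once if it is present.
    $state = netsh interface httpstunnel show interfaces
    if ($state -match '0x103') {
        Restart-Service iphlpsvc -Force
        Start-Sleep -Seconds 15
        $state = netsh interface httpstunnel show interfaces
    }
    # $true when the interface now reports no error
    return [bool]($state -match 'Last Error Code\s*:\s*0x0')
}

# Usage on a DA server:
#   Test-DAServerConfig -ExpectedDns64 'fd00:abcd::1' -InternalAlias 'Internal'
#   Add-DASuffixViaDns64 -Suffix '.domainname.com' -Dns64 'fd00:abcd::1' -Server 'daservername'
# Usage on a Windows 7 client (elevated):
#   Repair-DAClientIPHttps
```

Run Test-DAServerConfig on every node of both arrays after any change made in the Remote Access console, not just certificate changes; an empty result means the listener URL, masks, DNS64 binding and NRPT all still match. The client function only retries the service restart once, so if it still returns $false the offline reboot mentioned above is the remaining option.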