Chapter 6. Remote Access

With Windows Server 2016, Microsoft brings a whole new way of looking at remote access. Companies have historically relied on third-party tools to connect remote users to the network, such as traditional and SSL VPN provided by appliances from large networking vendors. I'm here to tell you those days are gone. Those of us running Microsoft-centric shops can now rely on Microsoft technologies to connect our remote workforce. Better yet, these technologies are included with the Server 2016 operating system, and their functionality is much improved over anything that a traditional VPN can provide.

Regular VPN does still have a place in the remote access space, and the great news is that you can also provide it with Server 2016. We have some recipes on setting up VPN, but our primary focus for this chapter will be DirectAccess (DA). DA is kind of like automatic VPN. There is nothing the user needs to do in order to be connected to work. Whenever they are on the Internet, they are connected automatically to the corporate network. DirectAccess is an amazing way to have your Windows 7, Windows 8, and Windows 10 domain-joined systems connected back to the network for data access and for the management of those traveling machines. DA has actually been around since 2008, but the first version came with some steep infrastructure requirements and was not widely used. Server 2016 brings a whole new set of advantages and makes implementation much easier than in the past. I still find many server and networking admins who have never heard of DirectAccess, so let's spend some time together exploring some of the common tasks associated with it.

In this chapter, we will cover the following recipes:

  • DirectAccess planning questions and answers
  • Configuring DirectAccess, VPN, or a combination of the two
  • Pre-staging Group Policy Objects to be used by DirectAccess
  • Enhancing the security of DirectAccess by requiring certificate authentication
  • Building your Network Location Server on its own system
  • Enabling Network Load Balancing on your DirectAccess servers
  • Adding VPN to your existing DirectAccess server
  • Replacing your expiring IP-HTTPS certificate
  • Reporting on DirectAccess and VPN connections

Introduction

There are two flavors of remote access available in Windows Server 2016. The most common way to implement the Remote Access role is to provide DirectAccess for your Windows 7, 8, and 10 domain-joined client computers and a VPN for the rest. The DA machines are typically your company-owned corporate assets. One of the primary reasons why DirectAccess is usually only for company assets is that the client machines must be joined to your domain because the DA configuration settings are brought down to the client through a GPO. I doubt you want the home and personal computers joining your domain.

VPN is therefore used for down-level clients such as Windows XP or non-domain-joined Windows 7/8/10, and for home and personal devices that want to access the network. Since this is a traditional VPN listener with all regular protocols available such as PPTP, L2TP, and SSTP, it can even work to connect devices such as smartphones and tablets to your network.

There is a third function available within the Server 2016 Remote Access role called the Web Application Proxy (WAP). Unlike DirectAccess and VPN, this function is not used for connecting remote computers fully into the network; rather, WAP is used for publishing internal web resources out to the Internet. For example, if you are running Exchange and SharePoint Server inside your network and want to publish access to these web-based resources to the Internet for external users to connect to, WAP is one mechanism that can publish access to these resources. The term for publishing to the Internet like this is reverse proxy, and WAP can act as such. It can also behave as an ADFS Proxy.

For further information on the WAP role, please visit http://technet.microsoft.com/en-us/library/dn584107.aspx.
