  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 723

Direct Access 2012

Hi All,

I am new to DA and I would like to be able to set up DirectAccess so that when you connect you are assigned a different address from what is currently distributed by the DHCP server.

For example, our internal address is 192.168.14.xx and I would like DirectAccess to give a 192.168.40.XX.

How do I configure this?

Thanks.
0
Dan130
Asked:
2 Solutions
 
Cliff Galiher Commented:
You don't. DirectAccess relies on IPv6, not IPv4.
0
 
btan (Exec Consultant) Commented:
This is a good place to start on the configuration and, as the expert mentioned, it is IPv6 only, hence there is typically a need for NAT64 and DNS64 to be in place, both of which are supported inherently in 2012 Server. Also, in the past RRAS was separate in 2008, providing traditional VPN connectivity for legacy clients and non-domain members. Now 2012 combines the DirectAccess feature and the RRAS role service into a new unified server role. I suggest you check out this test lab guide.

This guide provides step-by-step instructions for configuring DirectAccess using the Getting Started Wizard in a test lab to demonstrate functionality of the simplified deployment experience. You will set up and deploy DirectAccess based on the Windows Server 2012 Base Configuration using five server computers and two client computers. The resulting test lab simulates an intranet, the Internet, and a home network, and demonstrates DirectAccess in different Internet connection scenarios.

MS DA is very PKI driven, and that has to be fundamentally stable and set up before you delve into other areas; note it should be for domain-joined clients only too. You can check out this Common DirectAccess Implementation Mistakes.

The full document set directory is available here and can come in handy to start delving further into various scenarios.
0
 
Dan130 (Author) Commented:
Breadtan, I have configured the RA server already and it's working fine, but because of the IP address allocations it takes up I would like to assign a separate range to DA users. How is this done? Static routes? How do I remove the auto DHCP assignment?
0
 
Cliff Galiher Commented:
Did you turn on any other remote access features, like PPTP or SSL VPN? That's where you'd adjust any DHCP leases being given to RRAS.

As I mentioned before, DA uses IPv6. It does not (and cannot) use IPv4, so no IPv4 addresses are given to DA clients. The server will use NAT64 to give the client access to IPv4 resources on the corpnet, but since NAT64 does the translation, all IPv4 resources would communicate with the DA server and its IPv4 address. All traffic from the DA server to the DA clients is IPv6 (over a public IPv4 tunnel) and thus no private IPv4 addresses are issued or used.

This has, in fact, been a point of confusion for new DA deployments. There are a few *client* apps that won't work with IPv6, and therefore wouldn't work with DA, even when the DA connection itself was up and working right, causing much confusion. While most Windows services and applications work with IPv6 (file sharing, print sharing, Outlook to Exchange, etc.) there were a few third-party apps that refused to talk via IPv6. And even one MS program... Lync 2010 (or OCS pre-Lync), so these DA deployments would not run Lync connectivity properly. As an aside, Lync 2013 finally fully supports IPv6.

I mention all of this to illustrate and drive home the point that DA does *not* issue IPv4 addresses to clients. If you are seeing DHCP leases, they are for other non-DA RRAS features that may also have been turned on.

-Cliff
0
 
btan (Exec Consultant) Commented:
I suggest you check out a step-by-step test lab setup, which includes setting the interface for the DA as well as the client side, to get a clearer picture. The client IP assignment is not part of DA as it is doing the 6to4 only with the prefix. You can see from the lab information that assignment is based on DHCP/DNS.

Besides the IPv6 consideration mentioned earlier by the expert, please also be aware of the Name Resolution Policy Table. When the DA client has disabled its DA client components, it resolves names based on the DNS server IP address settings on its NIC. However, when the DA client has enabled its DA client configuration, name resolution depends on the settings in the Name Resolution Policy Table, or NRPT.

See this for more info http://technet.microsoft.com/en-us/magazine/ff394369.aspx

The lab also shared the configuration of the NLS to be excluded. As a whole, I do not see the assignment from the DA aspect, and if it is via VPN then the leasing is via the DHCP as already mentioned.
0
