NIC configuration
The vast majority of DirectAccess implementations will be of the two-leg fashion, with a Network Interface Card (NIC) for the external network, and another NIC for the internal network. This makes perfect sense, because this is your gateway into the corporate network from the computers in the wild; therefore, to most it is viewed as an edge device, and having separation of internal and external networks is a common network security best practice. So, just make sure my server has two network cards, plug them into the right switches, and configure IP addresses like I do on my desktop, right? No. In the Windows world, you need to take great care when defining your networking topology, particularly with the default gateway setting. If there is one thing that you can take away from this section of the book, it is this: the default gateway setting is only defined on the external NIC. This means that we will have to do some manual work to make sure that the server knows how to contact all the resources it may need to contact, but we'll get to that in a few minutes. First, let's take a look at the NIC configuration settings you will want in place to adhere to best practices. Whether you are new to DirectAccess or want to review an existing configuration that has been running for months, these steps are all relevant to you.
Configuring internal NIC
Let us go ahead and configure our internal interface first, because let's face it, you're already sick of standing in the elevated decibel level of the server room. Once you have the internal card configured with an IP address, assuming you have enabled RDP as on any other server of course, chances are you can run back to the comfort of your own desk and finish the job from there. Keep in mind that because we will NOT be defining a default gateway address on this NIC, you may not have access to this server over the network after simply defining an IP address.
You may have to add some routes before you can get to it from your desk, in which case you'll have to bunker down and endure console access for a little while longer, until we get through the section here about defining your static routes. In any case, before long you can stop sniffing the argon gas.
Tip
Name your NICs intuitively. If you rename your NICs to common-sense conventions like Internal and External instead of Local Area Connection 435, it will save you time during the wizards when you are defining which interface is which.
Open the Properties window of the internal NIC, and head into the Internet Protocol Version 4 (TCP/IPv4) Properties section, the same place where you would define an IP address on any computer. If you are using IPv6 inside your network, then you will be defining that instead, or in addition to IPv4 if you are running dual-stack. And if this is you, I applaud you immensely, because you are one of the very few, in my experience, who have taken this venture into IPv6 on your internal network. I say this only to point out that the overwhelming majority of internal networks are still IPv4, and so my examples and screenshots will be reflecting that scenario during the course of this book.
The fields in the TCP/IPv4 Properties window are as follows:
- IP address: You, of course, need to assign your internal IP here.
- Subnet mask: Please provide the appropriate mask; make sure it's accurate!
- Default gateway: Leave this field blank. We will not be defining an internal gateway.
- DNS servers: Yes, do provide your internal DNS server(s) here.
Configuring external NIC
Now we head over to the same properties page on the external NIC, but before we start defining IP addresses, there are a couple of things we can uncheck as they are not necessary, and unbinding anything that is not necessary only helps to improve the security and performance of the solution.
- On your external NIC properties page, clear the checkboxes for the following two items, as neither is needed on an Internet-facing interface:
  - Client for Microsoft Networks: Uncheck this box
  - File and Printer Sharing for Microsoft Networks: Uncheck this box
- After unchecking these couple of boxes, head into the TCP/IPv4 properties and enter your external IP address information. The fields in this window are as follows:
  - IP address: Assign your primary external address here.
  - Subnet mask: Please provide the appropriate mask; make sure it's accurate!
  - Default gateway: Yes, we do need the public/external gateway address defined here. Take special care to ensure this too is accurate.
  - DNS servers: No, we do not define the DNS servers for the external connection, only the internal.
Note
The following steps reflect the most common and recommended implementation path for DirectAccess, utilizing two public IP addresses on the external interface. Other installation scenarios, such as a single public IP, a single private IP, or even a single-NIC implementation, would not require a second IP address to be added here.
- Now click on the Advanced… button to open the Advanced TCP/IP Settings window where we will make a few more changes.
- Assuming that you are taking the install path requiring two public IP addresses, go ahead and click on the Add… button to input your second IP address and Subnet mask. You are not required to input another default gateway, only the IP and mask.
- Now head over to the DNS tab and uncheck the Register this connection's addresses in DNS checkbox.
- Finally, move one more tab over to the WINS tab and here you want to uncheck Enable LMHOSTS lookup and set the radio button for Disable NetBIOS over TCP/IP.
Now you can click on OK three times to bring you back to the Network Connections window where you are looking at your NICs. Before you leave this screen, make sure to set your NIC binding order appropriately.
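The same internal and external NIC settings from the two procedures above, applied and then audited from PowerShell rather than the GUI. This is an added example and not code from the book; it assumes an elevated PowerShell prompt on a Windows Server where the adapters have already been renamed Internal and External (as the tip suggests), and every address in it is a constructed placeholder from the RFC 5737 documentation ranges. The Test-DaNicConfig function is the part to run on a server that has been in production for months: it checks each rule the chapter states (no gateway on the internal NIC, exactly one on the external NIC, no external DNS servers or DNS registration, client/server bindings removed, NetBIOS over TCP/IP off) and reports any that fail.

```powershell
# Added example (not from the book): apply and then audit the NIC settings
# described in this chapter. Run from an elevated PowerShell prompt on Windows Server.
# Adapter names and all addresses below are constructed placeholders
# (RFC 5737 documentation ranges); substitute your own values.

$InternalNic    = 'Internal'
$ExternalNic    = 'External'
$InternalIP     = '10.0.0.5';     $InternalPrefix = 24
$InternalDns    = @('10.0.0.10', '10.0.0.11')
$ExternalIP1    = '203.0.113.10'; $ExternalPrefix = 28
$ExternalIP2    = '203.0.113.11'  # second public address for the two-IP install path
$ExternalGw     = '203.0.113.1'

function Set-DaInternalNic {
    # IP, mask and DNS only: deliberately no -DefaultGateway on the internal side.
    New-NetIPAddress -InterfaceAlias $InternalNic -IPAddress $InternalIP `
        -PrefixLength $InternalPrefix -AddressFamily IPv4 | Out-Null
    Set-DnsClientServerAddress -InterfaceAlias $InternalNic -ServerAddresses $InternalDns
}

function Set-DaExternalNic {
    # Unbind Client for Microsoft Networks (ms_msclient) and
    # File and Printer Sharing for Microsoft Networks (ms_server) from the Internet-facing NIC.
    Disable-NetAdapterBinding -Name $ExternalNic -ComponentID 'ms_msclient', 'ms_server'

    # The primary public address carries the server's only default gateway.
    New-NetIPAddress -InterfaceAlias $ExternalNic -IPAddress $ExternalIP1 `
        -PrefixLength $ExternalPrefix -DefaultGateway $ExternalGw -AddressFamily IPv4 | Out-Null
    # Second public address: IP and mask only, no additional gateway.
    New-NetIPAddress -InterfaceAlias $ExternalNic -IPAddress $ExternalIP2 `
        -PrefixLength $ExternalPrefix -AddressFamily IPv4 | Out-Null

    # No DNS servers on the external interface, and do not register it in DNS.
    Set-DnsClientServerAddress -InterfaceAlias $ExternalNic -ResetServerAddresses
    Set-DnsClient -InterfaceAlias $ExternalNic -RegisterThisConnectionsAddress $false

    # WINS tab equivalents: disable NetBIOS over TCP/IP on this adapter
    # (TcpipNetbiosOptions 2 = disable) and turn off LMHOSTS lookup (a system-wide setting).
    $ifIndex = (Get-NetAdapter -Name $ExternalNic).ifIndex
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "InterfaceIndex = $ifIndex" |
        Invoke-CimMethod -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
    Invoke-CimMethod -ClassName Win32_NetworkAdapterConfiguration -MethodName EnableWINS `
        -Arguments @{ DNSEnabledForWINSResolution = $false; WINSEnableLMHostsLookup = $false } | Out-Null
}

function Test-DaNicConfig {
    # Audit an existing server against the rules in this chapter. Returns one
    # object per check so the output can be filtered on Passed -eq $false.
    $checks = @()

    $intGw = Get-NetRoute -InterfaceAlias $InternalNic -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
    $extGw = Get-NetRoute -InterfaceAlias $ExternalNic -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
    $checks += [pscustomobject]@{ Check = 'Internal NIC has no default gateway';        Passed = ($null -eq $intGw) }
    $checks += [pscustomobject]@{ Check = 'External NIC has exactly one default gateway'; Passed = (@($extGw).Count -eq 1) }

    $extDns = (Get-DnsClientServerAddress -InterfaceAlias $ExternalNic -AddressFamily IPv4).ServerAddresses
    $checks += [pscustomobject]@{ Check = 'External NIC has no DNS servers';            Passed = (@($extDns).Count -eq 0) }
    $checks += [pscustomobject]@{ Check = 'External NIC does not register in DNS'
        Passed = (-not (Get-DnsClient -InterfaceAlias $ExternalNic).RegisterThisConnectionsAddress) }

    foreach ($id in 'ms_msclient', 'ms_server') {
        $binding = Get-NetAdapterBinding -Name $ExternalNic -ComponentID $id
        $checks += [pscustomobject]@{ Check = "External NIC binding $id disabled";      Passed = (-not $binding.Enabled) }
    }

    $ifIndex = (Get-NetAdapter -Name $ExternalNic).ifIndex
    $nbt = (Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "InterfaceIndex = $ifIndex").TcpipNetbiosOptions
    $checks += [pscustomobject]@{ Check = 'External NIC NetBIOS over TCP/IP disabled';  Passed = ($nbt -eq 2) }

    $checks
}

# Usage: on a fresh server, apply both interfaces and then audit the result.
# Set-DaInternalNic; Set-DaExternalNic
# Test-DaNicConfig | Format-Table -AutoSize
```

Run the audit first on a server you are reviewing; any row with Passed set to False points straight at the GUI tab from the steps above that needs correcting. The two Set-* functions are for a fresh build and will error on an interface that already carries the address, which is the intended behaviour rather than silently overwriting someone else's configuration.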