Integrated NAP Functionality in UAG 2010 Service Pack 1 DirectAccess
DirectAccess is the killer new remote access technology that comes with UAG 2010. DirectAccess allows your domain member managed computers to always be connected to the intranet and allows IT to always manage these machines, even when the user hasn't logged on to a VPN. The end result is that DirectAccess clients present a threat profile that's not much different from desktops and laptops that are directly connected on-premises to the intranet.
You might have heard that there are a lot of moving parts to DirectAccess. While that is true, those moving parts are technologies and services that you probably already know a lot about: DNS, DHCP, Certificate Services, Active Directory, Group Policy and basic TCP/IP networking. The things that you might not know so much about, such as IPsec and IPv6, are handled for you automatically by the UAG DirectAccess server. You can deploy DirectAccess easily with UAG using these advanced technologies and get a working solution and then learn about the intricacies of IPsec and IPv6 after your boss and your users have already patted you on the back for deploying DirectAccess and making their lives so much better.
You probably have heard about NAP (Network Access Protection). NAP is a very cool and useful security technology that allows you to control which hosts are allowed on the network. The problem with NAP is that it has a lot of moving parts and the NAP wizard doesn't go far enough to allow a busy network admin to get a working solution that makes sense. Pieces of NAP are hidden behind certificate servers, network policy servers, and other servers and how all the pieces fit together and how you manage the entire solution doesn't always make sense. It's a real shame, because NAP "coulda been a contender".
However, the folks at Microsoft who worked on UAG SP1 were able to use some of the magic that made DirectAccess easy to configure and manage, and apply it to NAP. With UAG SP1, you can easily deploy NAP to control which computers can establish the intranet tunnel to the corpnet. And what's really amazing about the entire solution is that the wizard installs the NAP server components on the UAG server or array and it just works! You don't have to fight with it, you don't have to tweak it, you don't have to spend hours pulling your hair out to try to figure it out; it just works. Of course, this is a limited deployment of NAP, where access control is limited to the intranet tunnel only. But that's exactly what you want in this instance - and you end up getting exactly what you want.
In this article, we'll take advantage of the new Test Lab Guide format that my husband Tom Shinder designed, together with Joe Davies at Microsoft. The network that you end up with after you set up the Base Configuration of the Test Lab using the Test Lab Guide format looks like what you see in the layout below. After you complete the steps in this article you'll have a working UAG SP1 with NAP configuration.
Test Lab Layout
The first step is to complete all the steps in the Test Lab Guide: Demonstrate UAG SP1 RC DirectAccess. After completing the steps in that Test Lab Guide, you will have the core infrastructure required to complete this Test Lab Guide on how to configure UAG DirectAccess with NAP. If you have already completed the steps in that Test Lab Guide and saved a snapshot or disk image of the Test Lab, you can restore the snapshot or image and begin with the next step.
After you complete the steps in the Test Lab Guide to set up DirectAccess, you can install a subordinate Certification Authority on APP1 so that it will be able to create health certificates requested by the Health Registration Authority (HRA) on UAG1 for DirectAccess NAP clients. HRAs are able to request certificates and then forward those certificates to the NAP clients that are requesting the certificates.
- At the APP1 computer or virtual machine, in Server Manager, under Roles Summary, click Add Roles, and then click Next.
- On the Select Server Roles page, select the Active Directory Certificate Services check box, and click Next.
- On the Introduction to Active Directory Certificate Services page, click Next.
- On the Select Role Services page, verify that the Certification Authority check box is selected, and then click Next.
- On the Specify Setup Type page, click Standalone, and then click Next.
- On the Specify CA Type page, click Subordinate CA, and then click Next.
- On the Set Up Private Key page, click Create a new private key, and then click Next.
- On the Configure Cryptography for CA page, click Next.
- On the Configure CA Name page, under Common name for this CA, enter corp-APP1-SubCA, and then click Next.
- On the Request Certificate from a Parent CA page, choose Send a certificate request to a parent CA, and then click Browse.
- In the Select Certification Authority dialog box, click corp-DC1-CA, and then click OK.
- Verify that DC1.corp.contoso.com\corp-DC1-CA is displayed next to Parent CA, and then click Next.
- Click Next to accept the default database settings, and then click Install.
- Verify that all installations were successful, and then click Close.
With the subordinate CA in place, you're ready to configure the subordinate CA on APP1 so that it will automatically grant certificates when the HRA configured on UAG requests them. You will also configure permissions on the CA to enable UAG1 to issue and manage certificates, manage the CA and request certificates.
- On the APP1 computer or virtual machine, click Start, type certsrv.msc, and then press ENTER.
- In the Certification Authority console tree, right-click corp-APP1-SubCA, and then click Properties.
- Click the Policy Module tab, and then click Properties.
- Choose Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate, and then click OK.
- When you are prompted that AD CS must be restarted, click OK twice.
- In the console tree, right-click corp-APP1-SubCA, point to All Tasks, and then click Stop Service.
- Right-click corp-APP1-SubCA, point to All Tasks, and then click Start Service.
- In the console tree of the Certification Authority snap-in, right-click corp-APP1-SubCA, and then click Properties.
- Click the Security tab, and then click Add.
- Click Object Types, select Computers, and then click OK.
- Type UAG1, and then click OK.
- Click UAG1, select the Issue and Manage Certificates, Manage CA, and Request Certificates check boxes under Allow, and then click OK.
- Close the Certification Authority console.
With the subordinate CA now in place and configured with the appropriate security settings, you're ready to reconfigure the DirectAccess settings on UAG1 to support NAP policy enforcement for DirectAccess clients. After you complete this step, UAG1 will be configured as a Network Policy Server (NPS) that provides NAP server functionality, as well as a Health Registration Authority (HRA). In addition, the Connection Security Rule on the UAG DirectAccess server that controls access to the intranet tunnel will require DirectAccess clients to present a health certificate (which is delivered to the DirectAccess client by the HRA) to authenticate successfully.
- At the UAG1 computer or virtual machine, click Start and then click All Programs. Click Microsoft Forefront UAG and then click Forefront UAG Management.
- In the User Account Control dialog box, click Yes.
- In the Microsoft Forefront Unified Access Gateway Management console, click the DirectAccess node in the left pane.
- In the right pane of the console, in the Step 2 DirectAccess Server section, click the Network Access Protection link.
- This starts the Network Access Protection Configuration wizard. On the NAP Enforcement page, select the Use NAP to verify DirectAccess client computers are compliant with network health policies check box, and then, under Enforcement mode, select the Only compliant DirectAccess clients can connect option. Click Next.
- On the HRA and NPS page, select the option that says The NPS and HRA roles are installed on this UAG server (UAG configures settings automatically). Put a checkmark in the Use Autoremediation to automatically update non-compliant computers checkbox. In the Clients can link to this URL for troubleshooting compliance issues (optional) text box, enter http://www.contoso.com/troubleshooting.txt. Click Next.
- On the NAP Certification Authority page, click the Add button. In the Add a CA Server dialog box, click the Browse button. In the Select a CA server dialog box, click APP1.corp.contoso.com\corp-APP1-SubCA, and then click OK. In the Add a CA Server dialog box, click OK. Click Finish.
- In the right pane of the console, click Apply Policy.
- On the Forefront UAG DirectAccess Configuration Review page, click Apply Now.
- In the DirectAccess Policy Configuration dialog box, click OK after you see that it says Script run completed with no errors or warnings.
- On the Forefront UAG DirectAccess Configuration Review page, click Close.
- Now open an elevated command prompt. In the Command Prompt window, enter gpupdate /force and press ENTER. Close the Command Prompt window after the command completes successfully.
- In the right pane of the console, click Activate.
- In the Activate Configuration dialog box, click Activate. Click Finish when you see the message that Activation completed successfully.
UAG1 is now set up for NAP enforcement for DirectAccess clients. Let's now confirm that CLIENT1 received the Group Policy settings required for NAP clients and confirm that CLIENT1 received a health certificate from DC1.
- Connect CLIENT1 to the Corpnet subnet. Wait until the network icon in the notification area of the desktop displays a yellow caution sign.
- Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. Click Yes at the User Account Control prompt.
- In the command prompt window, run the gpupdate /target:computer command.
- In the command prompt window, run the netsh nap client show grouppolicy command.
- In Enforcement clients, IPsec Relying Party should be set to Enabled.
- In Trusted server group configuration, URL should be set to https://uag1.contoso.com/domainhra/hcsrvext.dll.
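The two settings checked by hand above can also be read back by script. The following PowerShell is an added example and is not part of the Test Lab Guide; it runs `netsh nap client show grouppolicy` on CLIENT1 and checks that the IPsec Relying Party enforcement client is enabled and that the trusted server group points at the HRA URL from this step. It assumes the netsh output uses `Name = ...` and `Admin = ...` lines for each enforcement client and `URL = ...` lines for trusted server groups; if your build prints a different layout, adjust the three regular expressions.

```powershell
# Added example (not part of the Test Lab Guide): verify on CLIENT1 that the
# NAP client Group Policy settings delivered by UAG1 match what this step expects.
# Run from an elevated PowerShell prompt after "gpupdate /target:computer".
# Assumption: "netsh nap client show grouppolicy" prints "Name = ..." and
# "Admin = ..." lines under Enforcement clients and "URL = ..." lines under
# Trusted server group configuration.

$ExpectedHraUrl = 'https://uag1.contoso.com/domainhra/hcsrvext.dll'

function Get-NapClientGroupPolicy {
    # Capture the netsh output as an array of text lines
    & netsh.exe nap client show grouppolicy 2>&1
}

function Test-NapClientConfig {
    param([string[]]$Lines)

    $ipsecRelyingPartyEnabled = $false
    $hraUrls = @()
    $currentName = $null

    foreach ($line in $Lines) {
        # Enforcement client blocks: remember the Name, then read its Admin state
        if ($line -match '^\s*Name\s*=\s*(.+?)\s*$') { $currentName = $matches[1]; continue }
        if ($line -match '^\s*Admin\s*=\s*(\w+)' -and $currentName -eq 'IPsec Relying Party') {
            $ipsecRelyingPartyEnabled = ($matches[1] -eq 'Enabled')
            continue
        }
        # Trusted server group entries: collect every HRA URL that is configured
        if ($line -match '^\s*URL\s*=\s*(\S+)') { $hraUrls += $matches[1] }
    }

    New-Object PSObject -Property @{
        IPsecRelyingPartyEnabled = $ipsecRelyingPartyEnabled
        HraUrls                  = $hraUrls
        HraUrlMatches            = ($hraUrls -contains $ExpectedHraUrl)
        # UAG publishes the HRA over HTTPS; a plain http:// URL would carry the
        # client's statement of health in the clear and is a misconfiguration
        AllUrlsHttps             = (@($hraUrls | Where-Object { $_ -notmatch '^https://' }).Count -eq 0)
    }
}

$result = Test-NapClientConfig -Lines (Get-NapClientGroupPolicy)
$result | Format-List

if ($result.IPsecRelyingPartyEnabled -and $result.HraUrlMatches -and $result.AllUrlsHttps) {
    Write-Host 'NAP client Group Policy looks correct; continue with the next step.'
} else {
    Write-Host 'NAP client Group Policy does not match the expected settings; re-run gpupdate and check the DirectAccess client GPO on DC1.'
}
```

If `IPsecRelyingPartyEnabled` comes back False after a successful `gpupdate`, the client GPO was not applied to CLIENT1's computer account; check that CLIENT1 is in the DirectAccess client security group before going on to the next step.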
We now need to think about how we're going to test whether or not NAP is working on the DirectAccess client. By default, the UAG SP1 RC DirectAccess wizard has configured the SHV (System Health Validator) on the NAP server to use the default settings. One of these settings is to require that clients have an anti-virus application installed and up to date in order to pass NAP inspection. In this step, you will connect CLIENT1 to a live portion of your network so that it can download and install Microsoft Security Essentials.
- Move CLIENT1 to a live portion of your network and assign CLIENT1 a valid IP address that enables it to access the Internet to download Microsoft Security Essentials.
- Open Internet Explorer and browse to Security Essentials. On the Security Essentials web site, click Download Now.
- Close Internet Explorer after the download is complete.
- Double click on the mssefullinstall-amd64fre-en-us-vista-win7 file that you downloaded.
- In the User Account Control dialog box, click Yes.
- On the Welcome to the Microsoft Security Essentials 1.0 Installation Wizard page, click Next.
- On the Microsoft Security Essentials License Agreement page, click I accept.
- On the ready to install Microsoft Security Essentials page, click Install.
- On the Completing the Microsoft Security Essentials Installation Wizard page, click Finish.
- In the Microsoft Security Essentials window, click the Update button.
- After the update is complete, close the Microsoft Security Essentials window.
Now for the fun part! Let's see if any of this stuff actually works. Move CLIENT1 to a Homenet subnet and confirm that CLIENT1 can pass NAP evaluation and access resources on the intranet through the intranet tunnel.
- Move CLIENT1 to the Homenet subnet.
- Open an elevated command prompt. In the Command Prompt window, enter napstat and press ENTER. You will see a balloon that says Network Access Protection and You have full network access. Close the Command Prompt window.
- Click Start, enter mmc in the Search box and press ENTER. In the User Account Control dialog box, click Yes.
- In the Console window, click File and click Add/Remove Snap-in.
- In the Add or Remove Snap-ins dialog box, click Certificates and click Add.
- In the Certificates dialog box, select Computer account and click Next.
- In the Select Computer dialog box, select Local computer and click Finish.
- In the Add or Remove Snap-ins dialog box, click OK.
- In the left pane of the console window, navigate to Certificates (Local Computer)\Personal\Certificates. In the middle pane of the console, notice that there is a certificate issued by corp-APP1-SubCA. Double click on that certificate.
- In the Certificate dialog box, on the General tab, note that in the This certificate is intended for the following purpose(s): section, one of the intended purposes is System Health Authentication. This indicates that CLIENT1 has passed NAP inspection and should now have access to the intranet tunnel.
- In the Certificate dialog box, click OK. Minimize the Console1 window.
- Click Start and in the Search box, enter \\app1\files and press ENTER.
- Double click on the Example file. You can now read the contents of that file. This confirms that you have access to the Corpnet subnet over the intranet tunnel, since APP1 is not a member of the infrastructure servers group. Close the Windows Explorer window that shows the contents of the Files share. Close the Notepad window.
- Click Start and then enter wf.msc in the Search box and press ENTER.
- In the middle pane of the console, note that the Private Profile is Active. DirectAccess clients will only establish their DirectAccess tunnels to the DirectAccess server when either the Public or Private Profiles are active.
- In the right pane of the console, click Properties. In the Windows Firewall with Advanced Security dialog box, click the down arrow next to Firewall state and click Off. Click OK. You will see two balloons appear in the system notification area. One will ask that you turn on the Windows Firewall and the second will inform you that network access may be limited. Note in the middle pane that it says Windows Firewall is off.
- Click Refresh in the right pane. NAP auto-remediation automatically enabled the Windows Firewall after it was turned off.
- In the left pane of the console, navigate to Windows Firewall with Advanced Security\Monitoring\Security Associations\Main Mode. Notice the Main Mode entry that has User (Kerberos V5) as the second authentication method. This indicates that the user was able to access the intranet tunnel since the intranet tunnel requires user authentication. In addition, when NAP is enabled for DirectAccess clients, the computer certificate used to authenticate the intranet tunnel is the Health Certificate, indicating that the computer was able to pass NAP inspection.
- Minimize the Windows Firewall with Advanced Security window.
Now let's see what happens when the DirectAccess client is non-compliant. In the test lab, DC1 is accessible through the infrastructure tunnel and APP1 is accessible through the intranet tunnel. When the UAG DirectAccess NAP client fails validation, it can only access resources available through the infrastructure tunnel.
- On CLIENT1, click Start and then in the Search box, enter services.msc and press ENTER.
- In the right pane of the Services console, double click on Microsoft Antimalware Service.
- In the Microsoft Antimalware Service Properties (Local Computer) dialog box, click the Stop button. Click OK and then minimize the Services console.
- Notice that a Network Access Protection balloon appears telling you that Network access might be limited. This indicates that CLIENT1 no longer passes NAP inspection. In the Microsoft Security Essentials dialog box, click the Close control button (the "X" at the upper right) to close the dialog box.
- Restore the console window that has the Certificates snap-in installed. Right-click the middle pane and click Refresh. Notice that the health certificate no longer appears. When the client does not pass NAP inspection, the certificate is removed from the computer's certificate store.
- Restore the Windows Firewall with Advanced Security console and click Refresh in the right pane of the console. Notice that the Main Mode security association using Kerberos V5 as the second authentication method is no longer there. This indicates that the client is no longer able to establish the intranet tunnel because it cannot provide a health certificate for computer authentication.
- Click Start and enter \\app1\files in the Search box and press ENTER. After a few moments, you will see a Network Error dialog box indicating that Windows cannot access the share. This is consistent with the fact that CLIENT1 needs access to the intranet tunnel to access APP1 and the fact that the intranet tunnel is not available because CLIENT1 currently does not pass NAP inspection. Click Cancel in the Network Error dialog box.
- Click Start and enter \\dc1\files in the Search box and press ENTER. In this case, the Files share is available, because servers in the infrastructure servers list are reachable over the infrastructure tunnel.
- Restore the Services console and right click Microsoft Antimalware Service and click Start.
- Click Start and enter \\app1\files in the Search box and press ENTER. You can now access APP1 over the intranet tunnel because CLIENT1 is able to pass NAP inspection.
- Close all open windows on CLIENT1 and do not save the changes to any of the mmc consoles.
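The compliant and non-compliant walkthroughs above each inspect the same three things on CLIENT1: whether a System Health Authentication certificate is in the computer's Personal store, whether a Main Mode SA with user Kerberos as the second authentication (the intranet tunnel) exists, and which firewall profile is active. The following PowerShell gathers those into one read-only report so you can run it once with the Microsoft Antimalware Service running and once with it stopped and compare. It is an added example, not part of the Test Lab Guide. It assumes the System Health Authentication EKU OID `1.3.6.1.4.1.311.47.1.1`, the issuer name `corp-APP1-SubCA` from this lab, and the `Auth2:` and `State` labels in the output of `netsh advfirewall monitor show mmsa` and `netsh advfirewall show currentprofile`.

```powershell
# Added example (not part of the Test Lab Guide): report CLIENT1's NAP state
# using the same indicators the walkthrough inspects by hand. Run it from an
# elevated PowerShell prompt while CLIENT1 is on the Homenet subnet.
# Assumptions: the System Health Authentication EKU OID 1.3.6.1.4.1.311.47.1.1,
# the lab issuer name corp-APP1-SubCA, and the "Auth2:" / "State" labels in
# the netsh monitor and profile output.

$SystemHealthEkuOid = '1.3.6.1.4.1.311.47.1.1'
$ExpectedIssuer     = 'corp-APP1-SubCA'

function Get-HealthCertificate {
    # Certificates (Local Computer)\Personal, filtered to certificates whose
    # Enhanced Key Usage extension (OID 2.5.29.37) lists System Health Authentication
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $eku -and @($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $SystemHealthEkuOid }).Count -gt 0
    }
}

function Test-IntranetTunnel {
    # The intranet tunnel is the Main Mode SA whose second authentication is the
    # user's Kerberos ticket; the infrastructure tunnel carries no user auth.
    $lines = & netsh.exe advfirewall monitor show mmsa 2>&1
    $userKerbSa = @($lines | Where-Object { $_ -match '^\s*Auth2\s*:\s*\S*Kerb' })
    $userKerbSa.Count -gt 0
}

function Get-ActiveFirewallProfile {
    $profileName = 'Unknown'; $state = 'Unknown'
    foreach ($line in (& netsh.exe advfirewall show currentprofile 2>&1)) {
        if ($line -match '^(\w+) Profile Settings:') { $profileName = $matches[1] }
        elseif ($line -match '^\s*State\s+(\w+)')     { $state = $matches[1] }
    }
    New-Object PSObject -Property @{ Profile = $profileName; State = $state }
}

function Get-NapComplianceReport {
    $cert = @(Get-HealthCertificate)
    $fw   = Get-ActiveFirewallProfile
    New-Object PSObject -Property @{
        HealthCertificatePresent = ($cert.Count -gt 0)
        HealthCertificateIssuer  = $(if ($cert.Count -gt 0) { $cert[0].Issuer } else { '' })
        IssuerIsSubCA            = ($cert.Count -gt 0 -and $cert[0].Issuer -match $ExpectedIssuer)
        IntranetTunnelUp         = (Test-IntranetTunnel)
        FirewallProfile          = $fw.Profile
        FirewallState            = $fw.State
    }
}

$report = Get-NapComplianceReport
$report | Format-List

# Interpret the result against the two states the walkthrough demonstrates
if ($report.HealthCertificatePresent -and $report.IntranetTunnelUp) {
    Write-Host 'Compliant: health certificate present and the intranet tunnel is established (APP1 reachable).'
} elseif (-not $report.HealthCertificatePresent -and -not $report.IntranetTunnelUp) {
    Write-Host 'Non-compliant: no health certificate, so only infrastructure tunnel resources (DC1) are reachable.'
} else {
    Write-Host 'Mixed state: the client may be mid-remediation; wait a moment and re-run, or check napstat.'
}
```

A report showing `HealthCertificatePresent` True but `IntranetTunnelUp` False right after the antimalware service restarts is normal for a few seconds: the HRA re-issues the certificate first and the IPsec Main Mode SA is rebuilt on the next connection attempt, which is why the walkthrough has you open `\\app1\files` to trigger it.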
You should save your configuration so that you can come back to it and do more testing if you like. Depending on the virtualization solution that you're using, the method of saving a snapshot will vary. Regardless of what product you use, we recommend that you go ahead and save a snapshot now.
In this article, we went through step by step instructions on how to build a UAG SP1 DirectAccess lab with NAP by taking advantage of the new Test Lab Guide format being deployed by Microsoft. You got to see how to configure the UAG DirectAccess server and how to configure the subordinate CA on the back-end. Then you checked the DirectAccess configuration on the client machine and tested NAP functionality. Best of all, everything worked! I hope you found this useful and if you have any questions about DirectAccess and NAP, let me know! Send me a note at [email protected] and I'll get back to you as soon as possible. Thanks!