
Configure Remote Access

The wizard provides the steps to configure DirectAccess and VPN settings for the Celestix E Series Appliance. These instructions cover the steps common to most deployments; an individual organization may require different or additional configuration.

For setup, the administrator needs the information in the following topics:

General Information provides the details necessary to complete configuration. Additional Configuration Notes describes conditional configuration that applies only to some deployments.

General Information

The following deployment notes state the assumptions and requirements behind the setup steps, and qualify where a Remote Access configuration may differ from them.

Deployment Assumptions

Information presented in the E Series setup instructions is based on the following:

  • The Remote Access with VPN feature has been installed through the web UI.
  • Deployment is a single server.
  • Network planning for appliance placement is complete.
  • Necessary certificates have been acquired for:
    • IPsec
    • IP-HTTPS
    • NLS
  • Certificates have not been previously imported to the certificate store.
  • Firewall rules have been configured to allow the DirectAccess transition technologies if the DirectAccess server is on an IPv4 network:
    • Teredo (UDP 3544)
    • 6to4 (IP protocol 41)
    • IP-HTTPS (TCP 443)
    • If the appliance only has one configured network adapter, TCP port 62000 must also be opened on the appliance.
    Teredo and 6to4 require public IPv4 addresses on the Internet-facing adapter (Teredo needs two consecutive ones). When the appliance sits behind a NAT device only IP-HTTPS is available, so inbound TCP 443 to the appliance is the one rule every deployment needs.

Additional firewall configuration details are discussed in the topic Firewall Ports Reference.

  • If a security group will be used to manage access for clients, the group has been created in AD prior to running the setup wizard.
  • If customized GPOs will manage settings for clients and servers, they have been created prior to running the setup wizard.
  • AD will be used for DirectAccess authentication and authorization.
  • The public host name resolves in DNS to either the DirectAccess entry point or the NAT device in front of the DirectAccess server.

Requirement Checklist

The following items are required to set up Remote Access. Plan ahead so that they are available when needed to complete configuration.

  • Domain controller – DirectAccess requires Windows Server 2003 or higher.
  • IP address – one or two addresses have been reserved for the appliance (two consecutive public IPv4 addresses are needed on the Internet adapter if Teredo will be used).
  • Public address – usually an FQDN that clients will use to connect to the network; it must resolve in public DNS and match the IP-HTTPS certificate.
  • DirectAccess clients – must be domain-joined Windows clients. Supported editions:
    • Windows 8 Enterprise and higher
    • Windows 7 Ultimate or Enterprise
  • IPsec root certificate – the certificate of the CA that issues computer certificates to DirectAccess clients and the appliance; required for Windows 7 DirectAccess client connections, and a best practice for Windows 8.
  • Email account – an account that will receive diagnostic reports for client access troubleshooting.

Additional Configuration Notes

The notes below discuss options that may apply to some deployments. They are beyond the scope of these instructions, but may be helpful to consider when planning.

  • DirectAccess
    • Network Location Server – the wizard will configure a default NLS on the appliance if an external server is not designated.
    • Group Policy Objects – the wizard will create the two required GPOs with default settings unless customized group policies are available to assign.
    • Security group – an AD security group is required to apply customized group policies to client computers. All remote computers in the domain can use DirectAccess unless an AD client group is specified to restrict access, so specifying a group is recommended.
    • RADIUS – configuration for an external RADIUS server can be included to add strong authentication methods like one-time passwords (OTPs).
  • VPN
    • VPN deployments using static IP addresses for clients need a defined range; otherwise, DHCP should be used.
    • VPN deployments not using Windows authentication need settings for a RADIUS server.

Example Information

To help make the instructions clear, the following examples are used to identify components.

Component      Internal Domain         Celestix E Series Appliance        Public Domain
FQDN           ad01.intexample.com     Celestix Edge01.intexample.com     da.example.com
Host Name      ad01                    Celestix Edge01
Domain Name    intexample.com          intexample.com

Use the Setup Wizard

The setup wizard is a walk-through to configure components for Remote Access.

While working through the wizard, the appliance may need to reboot.

Access the screen through the web UI at Celestix E > Features > Remote Access with VPN Wizard.

Wizard Instructions

Component Selection – select a Remote Access configuration option:

  • Configure both services DirectAccess and VPN – select to add access through both DirectAccess and a VPN.
  • Configure DirectAccess services only – select to add access through DirectAccess connections.
  • Configure VPN services only – select to add access through a VPN connection.

Note: DirectAccess should be enabled for managed (domain-joined) clients, while VPN should be enabled to support unmanaged clients.

Configure both services DirectAccess and VPN

  1. DirectAccess
    1. Basic – define the appliance location and the URL that clients will use to access resources.
      1. Select the type of network environment:
        • Edge – requires two network adapters; one to the public Internet and one to the internal network.
        • Behind an edge device (with two network adapters) – one adapter connects to the perimeter network, and the other connects to the internal network.
        • Behind an edge device (with one network adapter) – the adapter connects to the internal network.
      2. Public address – enter the address that external clients will use to connect to the network.
        Note: While using an IP address is supported, an FQDN is the best practice. The name must resolve in public DNS and must match the subject or subject alternative name of the IP-HTTPS certificate.
        For example: da.example.com
    2. Advanced – define client parameters and assign the appliance network adapter that the DirectAccess service will use.
      1. Installation type – select the DirectAccess functionality to deploy:
        • Full DirectAccess installation – bidirectional tunnels for remote client access and management.
        • Client management only – configures only the infrastructure tunnel, for remote client management.
      2. Client Group – designate the AD security group whose member computers may connect through DirectAccess; leave blank to allow all remote computers in the domain. Restricting access to a group is recommended so that client settings reach only the intended devices.
      3. Network interfaces – select interfaces for DirectAccess traffic.
        1. Internal – specify the internal, or LAN, network adapter in the drop menu.
        2. Internet – optional; if two adapters are used, specify the Internet, or WAN, network adapter in the drop menu.
      4. IP-HTTPS certificate – select the certificate that the IP-HTTPS listener on the Internet adapter will present to clients. Use a certificate whose subject or subject alternative name matches the public address and whose issuing CA the clients trust. If it needs to be imported first, complete the following:
        1. Click the Import button.
        2. Certificate Import – navigate to and select the certificate file (including its private key) that the listener will use.
        3. Password – enter the certificate passphrase.
        4. Click the Import button.
        5. The imported certificate should display in the Certificate field. If not, use the drop menu to select it.
    3. GPO and NLS
      1. Group Policy Object (GPO) – leave the fields blank to configure the default options; otherwise designate predefined AD policy objects that will manage settings for clients and servers.
        1. Client GPO – specify the name of the AD policy that will manage client access.
        2. Server GPO – specify the name of the AD policy that will manage the DirectAccess server.
      2. Network Location Server – the NLS will be installed on the appliance unless an external server is designated. Clients use the NLS to decide whether they are inside the network, so it must be reachable over HTTPS from the intranet and must never be resolvable or reachable from the Internet.
        1. NLS Certificate – if an SSL certificate will be used, navigate to and select it. Its name must match the NLS URL. If it needs to be imported first, complete the following:
          1. Click the Import button.
          2. Certificate Import – navigate to and select the certificate that the NLS will present.
          3. Password – enter the certificate passphrase.
          4. Click the Import button.
          5. The imported certificate should display in the Certificate field. If not, use the drop menu to select it.
        2. NLS URL – if an external NLS server is deployed, enter its HTTPS URL.
    4. Client Settings
      1. Connection Name – create a name for the network connection that end users will recognize.
      2. Support Email – enter the email account that will receive diagnostic reports created by the DirectAccess Diagnostics tool.
      3. Allow local name resolution – select to allow users to temporarily disconnect the intranet connection and use local DNS servers for Internet traffic.
        Notes:
        • Force tunneling must be disabled to employ this feature.
        • The infrastructure connection remains active, so manage-out capabilities are not affected.
      4. Enable for mobile computers only – allow only mobile computers in the specified security groups to connect through DirectAccess.
        Important: Remote Access will create a WMI filter so that the client GPO applies only to mobile computers in the DirectAccess security groups. This setting requires that the administrator account configured for Remote Access have permission to create and modify WMI filters in the domain.
      5. Enable Windows 7 Client Support – select for environments that require support for Windows 7 clients.
      6. IPsec Root Certificate – conditional; designate the CA certificate used to validate client computer certificates during IPsec authentication; required for Windows 7 clients, and recommended for Windows 8. See the following:
        • If GPOs are used to distribute the CA certificate to domain computers, use the Certificate drop menu to select the certificate issued from the domain root CA.
        • If the certificate needs to be added manually, use the import feature:
          1. Click the Import button.
            1. Certificate Import – navigate to and select the CA certificate.
            2. Password – enter the certificate passphrase.
            3. Click the Import button.
          2. The imported certificate should display in the Certificate field. If not, use the drop menu to select it.
      7. Intermediate CA – select if the certificate was not issued by the domain root CA, that is, if it is an intermediate CA certificate.
      8. Click Next.
  2. VPN
    1. Address Assignment
      1. Assign addresses automatically – use DHCP to assign client addresses.
      2. Assign addresses from a static address pool – enter a range of IP addresses that RRAS will assign to clients when they connect to the network. Enter the start and end IP addresses to define the range; it must not overlap addresses already in use on the internal network.
    2. Authentication
      1. Use Windows Authentication – use AD to authenticate users.
      2. Use RADIUS Authentication – configure VPN connections to use RADIUS authentication.
        1. RADIUS Server – designate the server name or IP address.
        2. Shared Secret – create the secret that authenticates communication between the appliance and the RADIUS server. Use a long, random value: it is the only key protecting RADIUS traffic, and it must be entered identically on the RADIUS server.
        3. Confirm – confirm the shared secret.
        4. Timeout – the default is usually sufficient, but customize how long the appliance waits for a response from the RADIUS server before retrying as necessary.
        5. Score – the default is usually sufficient, but customize the initial responsiveness score as necessary.
        6. Port – the default is UDP 1812 for authentication. Legacy RADIUS servers may use UDP 1645 (1646 is the legacy accounting port).
        7. Always use message authenticator – select to include the Message-Authenticator attribute in every request. This is required if the RADIUS server is configured with Request must contain the Message Authenticator attribute; because the attribute is an HMAC over the whole request, enabling it is recommended even when the server does not insist on it.
  3. Finish – review the settings; click Next to configure.

Configure DirectAccess services only

  1. DirectAccess
    1. Basic – define the appliance location and the URL that clients will use to access resources.
      1. Select the type of network environment:
        • Edge – requires two network adapters; one to the public Internet and one to the internal network.
        • Behind an edge device (with two network adapters) – one adapter connects to the perimeter network, and the other connects to the internal network.
        • Behind an edge device (with one network adapter) – the adapter connects to the internal network.
      2. Public address – enter the address that external clients will use to connect to the network.
        Note: While using an IP address is supported, an FQDN is the best practice. The name must resolve in public DNS and must match the subject or subject alternative name of the IP-HTTPS certificate.
        For example: da.example.com
    2. Advanced – define client parameters and assign the appliance network adapter that the DirectAccess service will use.
      1. Installation type – select the DirectAccess functionality to deploy:
        • Full DirectAccess installation – bidirectional tunnels for remote client access and management.
        • Client management only – configures only the infrastructure tunnel, for remote client management.
      2. Client Group – designate the AD security group whose member computers may connect through DirectAccess; leave blank to allow all remote computers in the domain. Restricting access to a group is recommended so that client settings reach only the intended devices.
      3. Network Interfaces – select interfaces for DirectAccess traffic.
        1. Internal – specify the internal, or LAN, network adapter in the drop menu.
        2. Internet – optional; if two adapters are used, specify the Internet, or WAN, network adapter in the drop menu.
      4. IP-HTTPS certificate – select the certificate that the IP-HTTPS listener on the Internet adapter will present to clients. Use a certificate whose subject or subject alternative name matches the public address and whose issuing CA the clients trust. If it needs to be imported first, complete the following:
        1. Click the Import button.
        2. Certificate Import – navigate to and select the certificate file (including its private key) that the listener will use.
        3. Password – enter the certificate passphrase.
        4. Click the Import button.
        5. The imported certificate should display in the Certificate field. If not, use the drop menu to select it.
    3. GPO and NLS
      1. Group Policy Object (GPO) – leave the fields blank to configure the default options; otherwise designate predefined AD policy objects that will manage settings for clients and servers.
        1. Client GPO – specify the name of the AD policy that will manage client access.
        2. Server GPO – specify the name of the AD policy that will manage the DirectAccess server.
      2. Network Location Server – the NLS will be installed on the appliance unless an external server is designated. Clients use the NLS to decide whether they are inside the network, so it must be reachable over HTTPS from the intranet and must never be resolvable or reachable from the Internet.
        1. NLS Certificate – if an SSL certificate will be used, navigate to and select it. Its name must match the NLS URL. If it needs to be imported first, complete the following:
          1. Click the Import button.
          2. Certificate Import – navigate to and select the certificate that the NLS will present.
          3. Password – enter the certificate passphrase.
          4. Click the Import button.
          5. The imported certificate should display in the Certificate field. If not, use the drop menu to select it.
        2. NLS URL – if an external NLS server is deployed, enter its HTTPS URL.
    4. Client Settings
      1. Connection Name – create a name for the network connection that end users will recognize.
      2. Support Email – enter the email account that will receive diagnostic reports created by the DirectAccess Diagnostics tool.
      3. Allow local name resolution – select to allow users to temporarily disconnect the intranet connection and use local DNS servers for Internet traffic.
        Notes:
        • Force tunneling must be disabled to employ this feature.
        • The infrastructure connection remains active, so manage-out capabilities are not affected.
      4. Enable for mobile computers only – allow only mobile computers in the specified security groups to connect through DirectAccess.
        Important: Remote Access will create a WMI filter so that the client GPO applies only to mobile computers in the DirectAccess security groups. This setting requires that the administrator account configured for Remote Access have permission to create and modify WMI filters in the domain.
      5. Enable Windows 7 Client Support – select for environments that require support for Windows 7 clients.
      6. IPsec Root Certificate – conditional; designate the CA certificate used to validate client computer certificates during IPsec authentication; required for Windows 7 clients, and recommended for Windows 8. See the following:
        • If GPOs are used to distribute the CA certificate to domain computers, use the Certificate drop menu to select the certificate issued from the domain root CA.
        • If the certificate needs to be added manually, use the import feature:
          1. Click the Import button.
            1. Certificate Import – navigate to and select the CA certificate.
            2. Password – enter the certificate passphrase.
            3. Click the Import button.
          2. The imported certificate should display in the Certificate field. If not, use the drop menu to select it.
      7. Intermediate CA – select if the certificate was not issued by the domain root CA, that is, if it is an intermediate CA certificate.
      8. Click Next.
  2. Finish – review the settings; click Next to configure.

Configure VPN services only

  1. VPN
    1. Address Assignment
      1. Assign addresses automatically – use DHCP to assign client addresses.
      2. Assign addresses from a static address pool – enter a range of IP addresses that RRAS will assign to clients when they connect to the network. Enter the start and end IP addresses to define the range; it must not overlap addresses already in use on the internal network.
    2. Authentication
      1. Use Windows Authentication – use AD to authenticate users.
      2. Use RADIUS Authentication – configure VPN connections to use RADIUS authentication.
        1. RADIUS Server – designate the server name or IP address.
        2. Shared Secret – create the secret that authenticates communication between the appliance and the RADIUS server. Use a long, random value: it is the only key protecting RADIUS traffic, and it must be entered identically on the RADIUS server.
        3. Confirm – confirm the shared secret.
        4. Timeout – the default is usually sufficient, but how long the appliance waits for a response from the RADIUS server before retrying can be customized as necessary.
        5. Score – the default is usually sufficient, but the initial responsiveness score can be customized as necessary.
        6. Port – the default is UDP 1812 for authentication. Legacy RADIUS servers may use UDP 1645 (1646 is the legacy accounting port).
        7. Always use message authenticator – select to include the Message-Authenticator attribute in every request. This is required if the RADIUS server is configured with Request must contain the Message Authenticator attribute; because the attribute is an HMAC over the whole request, enabling it is recommended even when the server does not insist on it.
    3. Finish – review the settings; click Next to configure.
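The shared secret and the Always use message authenticator setting in the RADIUS Authentication steps above (in both the combined and the VPN-only wizard paths) map directly onto the RADIUS wire format. The following is an added example, not code from this page or from the Celestix product: a small Python model of one Access-Request/Access-Accept exchange between a NAS (the role the appliance plays) and a RADIUS server, following RFC 2865 and RFC 2869 section 5.14. The secret, user name, password, packet identifiers and the toy user table (standing in for AD or NPS) are all constructed for the example. It shows what the Message-Authenticator buys: a request whose attributes are altered after it was sent is silently discarded by the server, while a server that does not require the attribute still answers an unsigned request.

```python
"""Added example: one RADIUS Access-Request / Access-Accept exchange between a NAS
(the appliance's role) and a RADIUS server, per RFC 2865 and RFC 2869 section 5.14.
All secrets, names and packet identifiers below are constructed for the example."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80

def avp(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attrs(pkt):
    """Yield (offset, type, value) for each attribute after the 20-byte header."""
    off = 20
    while off < len(pkt):
        if off + 2 > len(pkt) or pkt[off + 1] < 2 or off + pkt[off + 1] > len(pkt):
            raise ValueError("malformed attribute")
        yield off, pkt[off], pkt[off + 2:off + pkt[off + 1]]
        off += pkt[off + 1]

def password_xor(data, secret, authenticator, decrypt=False):
    """RFC 2865 5.2 User-Password hiding: XOR with an MD5 keystream chained on the
    previous cipher block. Obfuscation keyed by the shared secret, not encryption."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out, prev = out + block, (data[i:i + 16] if decrypt else block)
    return out.rstrip(b"\x00") if decrypt else out

def build_packet(code, ident, authenticator, attrs, secret=None):
    """Header + attributes; with a secret, append Message-Authenticator =
    HMAC-MD5(secret, whole packet with that attribute's value zeroed)."""
    body = b"".join(avp(t, v) for t, v in attrs)
    if secret is not None:
        body += avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    pkt = struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body
    if secret is not None:
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt

def verify_message_authenticator(pkt, secret, request_auth=None):
    """Recompute the HMAC with the attribute zeroed; for a reply the Request
    Authenticator stands in the Authenticator field. False if absent or wrong."""
    for off, attr_type, value in parse_attrs(pkt):
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = pkt[:off + 2] + b"\x00" * 16 + pkt[off + 18:]
            if request_auth is not None:
                zeroed = zeroed[:4] + request_auth + zeroed[20:]
            return hmac.compare_digest(value, hmac.new(secret, zeroed, hashlib.md5).digest())
    return False

def response_authenticator(resp, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()

def client_request(ident, user, password, secret, use_ma=True):
    """NAS side: Access-Request; returns (packet, request_authenticator kept for the reply)."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, user), (USER_PASSWORD, password_xor(password, secret, req_auth))]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs, secret if use_ma else None), req_auth

def server_handle(pkt, secret, users, require_ma=True):
    """Server side: the reply, or None when the request is silently discarded."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    try:
        attrs = {t: v for _, t, v in parse_attrs(pkt)}
    except ValueError:
        return None
    if code != ACCESS_REQUEST or length != len(pkt):
        return None
    req_auth, has_ma = pkt[4:20], MESSAGE_AUTHENTICATOR in attrs
    if (has_ma and not verify_message_authenticator(pkt, secret)) or (require_ma and not has_ma):
        return None  # RFC 2869: bad, or missing-but-required, HMAC -> discard, no reply
    given = password_xor(attrs.get(USER_PASSWORD, b""), secret, req_auth, decrypt=True)
    ok = hmac.compare_digest(users.get(attrs.get(USER_NAME), b"\x00"), given)
    resp = build_packet(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, [], secret)
    return resp[:4] + response_authenticator(resp, req_auth, secret) + resp[20:]

def client_check_response(resp, request_auth, secret):
    """NAS side: the reply's code, or None if either integrity check fails."""
    if resp is None or not hmac.compare_digest(resp[4:20], response_authenticator(resp, request_auth, secret)):
        return None
    return resp[0] if verify_message_authenticator(resp, secret, request_auth) else None

def demo():
    secret = b"Vq7!pZ3kR9mL2xT8wB5nH4cJ6yF1sD0e"   # constructed; use a random per-server value
    users = {b"alice": b"Passw0rd!"}                 # constructed stand-in for the AD/NPS store
    good, a1 = client_request(7, b"alice", b"Passw0rd!", secret)
    bad, a2 = client_request(8, b"alice", b"wrong", secret)
    tampered = bytearray(good)
    tampered[22] ^= 0x01                             # first byte of User-Name, altered after signing
    unsigned, a3 = client_request(9, b"alice", b"Passw0rd!", secret, use_ma=False)
    return {
        "good": client_check_response(server_handle(good, secret, users), a1, secret),
        "bad_password": client_check_response(server_handle(bad, secret, users), a2, secret),
        "tampered_dropped": server_handle(bytes(tampered), secret, users) is None,
        "unsigned_strict_dropped": server_handle(unsigned, secret, users) is None,
        "unsigned_lax": client_check_response(
            server_handle(unsigned, secret, users, require_ma=False), a3, secret),
    }
```

Running `demo()` returns codes 2 (Access-Accept) for the good request and 3 (Access-Reject) for the wrong password, and shows the two failure modes the wizard setting governs: the tampered request and the unsigned request are both dropped by a server that requires the Message-Authenticator, while the unsigned one is accepted when the server does not. Without the attribute, the only integrity protection on an Access-Request is the User-Password hiding, which covers nothing else in the packet; that is why the setting is worth enabling and why the shared secret should be long and random.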

The wizard is complete when the congratulations screen displays. Depending on the configuration to be completed, this may take some time.

The base-level setup for Remote Access options is now complete. Clients can now be configured to access resources.