Once you perform the setup in the DirectAccess console, you need to configure firewall rules to enable NAP for DirectAccess. When you run the DirectAccess setup through the console, it creates 6 firewall rules, 3 for the client and 3 for the server. You will need to modify these rules for your configuration. These rules can’t be configured through the Windows Firewall with Advanced Security snap-in; instead you need to configure the rules via the command line.

• On the DA server policy , on the rule named “DirectAccess Policy-DaServerToCorp” you need to set the following:
  • Auth1 Health cert = yes
  • Apply Authorization = yes
  • Auth 1 Cert mapping = yes
• On the DA server policy, on the rule named “DirectAccess Policy-DaServerToDnsDc”  you need to include the IPv6 address of the HRA server to endpoint1.
• On the DA client policy, on the rule named “DirectAccess Policy-ClientToDnsDc” you need to include the IPv6 address of the HRA server to endpoint2.
• On the client and DA server, if you don’t need a tunnel for management server you can remove “DirectAccess Policy-ClientToMgmt” and “DirectAccess Policy-DaServerToMgmt.”

DirectAccess can use Network Access Protection (NAP) to secure access to internal resources. In my experience, NAP can’t be installed on one of the other servers you are already using for NAP. When using DirectAccess you need to add an additional server to your DirectAccess configuration. In my previous post, I discussed the four server needed for a minimum DirectAccess configuration. So with the addition of NAP, you will need five servers. The NAP server needs to have two network adapters: one connected to the corporate network and one connected to the internet.

I installed the HRA on the NAP server. When creating a certificate for the Health Registration Authority (HRA) server, you need to ensure you use the Fully Qualified Domain Name (FQDN) of the HRA/NAP server.

Stay tuned for my next post where I will discuss firewall rules for NAP with DirectAccess.

In my last post I talked about the Get-Command cmdlet and how it helps you discover what cmdlets are available. Now we will review the Get-Help cmdlet and how it gives you detailed information on how the cmdlets are used.

Windows PowerShell provides a robust online Help system that can be accessed by typing get-help. This provides basic information about how the Windows PowerShell Help system works, along with examples of how to get more specific help in using Windows PowerShell.

Get-Help

To get help about a specific cmdlet, use Get-Help, followed by the name of the cmdlet. We will get help on the Get-Command cmdlet, which will display a list of built-in PowerShell commands that are available to us.

Get-Help Get-Command

The synopsis explains conceptually what a PowerShell command does, and the syntax section gives details about how to actually use the command and what parameters it takes.

The most detailed Help level in Windows PowerShell is available when you use the full parameter. This not only gives syntax and examples, it also describes each argument in great detail, including whether an argument is required, whether it will accept input from the command pipeline, and whether wildcard characters can be used.

Where a parameter accepts only particular values, the full parameter of Get-Help will also show you the valid values for the parameter.

Get-Help Get-Command -full

In my next Post we will look talk about snapins in Windows PowerShell.

In my last post I introduced Windows PowerShell and talked about a couple of basic concepts. Knowing what cmdlets are available and being able to get some detail on them enables you to figure out how to accomplish some basic commands on your own. There are two cmdlets that help you get these basic pieces of information, Get-Command and Get-Help.

The Get-Command cmdlet gets basic information about cmdlets and other elements of Windows PowerShell commands in the session, such as aliases, functions, filters, scripts, and applications.

Get-Command gets its data directly from the code of a cmdlet, function, script, or alias, unlike Get-Help, which gets its information from help topic files.

Without parameters, “Get-Command” gets all of the cmdlets and functions in the current session.

Get-Command

You can the Get-Command cmdlet to retrieve a list of cmdlets or other elements of Windows PowerShell commands in a variety of ways. One method is to get information about all of the cmdlets and functions with the verb “Add”.

Get-Command -Verb Add

Another method is to search for cmdlets that are related to what you want to work with based on the noun in the cmdlet. For example, you can search for all cmdlets related to Services using a wildcard.

Get-Command *-Service

In my next Post we will look at the Get-Help cmdlet.

I installed DirectAccess in a virtual environment. In my configuration, I used a minimum number of servers to get DirectAccess working. I had four virtual machines:

• A Domain Controller – connected only to the corporate network
• A DirectAccess server – 2 network adapters, one connected to the corporate network and one connected to the internet
• An application server with the certificate revocation list – 2 network adapters, one connected to the corporate network and one connected to the internet
• A client – 2 network adapters, one connected to the corporate network and one connected to the internet

Of course, your environment may have more servers based on your needs. For example, you could have a separate application server on the corporate network that the clients can access while not on the corporate network.

The setup for DirectAccess is mostly performed through the DirectAccess console on the Windows Server 2008 server. This console needs to be installed through the Server Manager Features wizard on the DirectAccess server.

After you complete the setup wizard, you need to go into the DNS console and ensure both an IPv4 and an IPv4 address are listed for each computer in your configuration.

Windows Server 2008 and Windows 7 introduce a new feature called DirectAccess. When I started working with DirectAccess, I didn’t know what it was. Once I got past a few setup issues, I was pleasantly surprised by the usefulness of this feature. Why would you be interested in this feature? Well, for an employee, with DirectAccess you don’t have to wait for VPN dial up access to corporate resources. It means that you can have anywhere, anytime access to documents and other resources you need. For an employer, you have control over who has access to information, and you can secure your resources using DirectAccess with Network Access Protection.

DirectAccess requires some setup by the company’s IT staff. However, the employee won’t need to run any setup, click any buttons, or wait to connect to the resources.  Instead, the employee will automatically be connected to the resources when connected to the internet.

I am going to discuss some of the tips and tricks I have learned while working with DirectAccess. Stay tuned to the next blog entry for some tips on how to setup DirectAccess.

There is a lot of Windows PowerShell info out there but I wanted to write about how I learned PowerShell without having a strong coding background. I used to write code back in the business basic days and just started using the visual languages when I made a switch to work as an IT Pro. Many years after that Windows PowerShell 1.0 came and I started to dabble. Then I started using it for very specific functions\tasks and learned just enough to do what I needed. Obviously I developed many gaps in my basic PowerShell knowledge and I have been trying to close those gaps ever since.

What I want to do with these blog posts is to help someone who has none or very little coding experience to learn the basics of Windows PowerShell so that they can utilize in their own environment. I don’t know everything about PowerShell but I do have some knowledge that I feel I can pass along for beginners.

If you don’t know what Windows PowerShell is then go here first Windows PowerShell. This will give you an introduction to what it is and if you start to dig you will find a lot of other information as well.

I will start with two things you should also know about PowerShell:

1. PowerShell commands uses and processes objects instead of just text. What does this mean? It means that when you deal with data (PowerShell leverages the .NET object model. .NET is a unifying object representation that is being used across all of Microsoft.) the data has associated properties, which are like characteristics, and methods, which are actions that you can perform on the object. The properties could tell you things like the current status of the object and the methods could allow you to perform actions on the object such as to stop it.
2. Windows PowerShell uses a “verb-noun” naming system, where each cmdlet name consists of a standard verb hyphenated with a specific noun. The verbs express specific actions in Windows PowerShell such as Get, Set, Stop, etc. The nouns basically tell you want kind of object it is designed for such as Service, Process, etc. Combine those two parts and you have your cmdlet: Get-Service, Stop-Process, etc.

This figure shows the structure of a basic command.

In my next Post we will look at how to get help and other useful commands.