Mastering Windows Server 2016 by Jordan Krause

Author:Jordan Krause [Krause, Jordan]
Language: eng
Format: epub
Publisher: Packt Publishing
Published: 2016-10-24T22:00:00+00:00


Network Location Server

This major component of a DirectAccess infrastructure is something that does not even exist on the DA server itself, or at least it shouldn't if you are setting things up properly. The Network Location Server (NLS) is simply a website running inside the corporate network. This website does not need to be reachable from the Internet; in fact, it should not be. NLS is used as part of the inside/outside detection mechanism on the DirectAccess client computers. Every time a DA client gets a network connection, it starts looking for the NLS website. If it can see the site, it knows that you are inside the corporate network, so DirectAccess is not required and it turns itself off. However, if the NLS website cannot be contacted, the client is outside the corporate network, and the DirectAccess components start turning themselves on.

This prerequisite is easily met; all you need to do is spin up a VM and install IIS on it to host this new website, or you can even add a new website to an existing web server in your network. There are only two things to watch out for when setting up your NLS website. The first is that it must be an HTTPS site, and so it requires an SSL certificate. We will discuss the certificates used in DA, including this one, in the next section of this chapter. In addition to making sure that the website is accessible via HTTPS, you must also make sure that the DNS name you use to contact this website is unique. This matters because whatever name you choose for the NLS website will not be resolvable when the client computers are outside of the corporate network. This is by design: you obviously don't want your DA clients to be able to contact the NLS website successfully while working remotely, because that would turn off their DirectAccess connection.

The reason I bring up the unique DNS name is that I often see new DirectAccess admins use an existing internal website as their NLS website. For example, if you have https://intranet running as a SharePoint site, you could simply use this in the DA config as the NLS server definition. However, once you set it up this way, you will quickly realize that nobody who is working remotely can access the https://intranet website. This is by design, because the DA environment now considers your intranet website to be the NLS server, and you cannot resolve it while you are mobile. The solution to this problem? Make sure that you choose a new DNS name to use for this NLS website. Something like https://nls.contoso.local is appropriate.
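The following PowerShell is an added example written for this page, not code from the book. It builds the NLS website on an internal IIS host and then checks the points made above: the site answers over HTTPS, the host name is not already used by another site on that server, it is not the DA server itself, and (when run from inside versus outside the network) the name resolves and is reachable only internally. The names nls.contoso.local, C:\inetpub\nls, da1.contoso.local and the certificate thumbprint placeholder are assumptions; the certificate itself is assumed to be installed already in the LocalMachine\My store.

```powershell
# Added example (not from the book). Requires the WebAdministration module
# on the IIS host; Test-NlsPrerequisites can run on any domain-joined client.
Import-Module WebAdministration

function New-NlsWebsite {
    param(
        [string]$HostName     = 'nls.contoso.local',        # assumed unique NLS name
        [string]$PhysicalPath = 'C:\inetpub\nls',           # assumed content folder
        [string]$Thumbprint   = '<THUMBPRINT-OF-NLS-CERT>'  # placeholder for the real cert
    )

    # Unique name: refuse to reuse a host header that another site on this
    # server already answers to (the https://intranet mistake described above).
    $inUse = Get-WebBinding | Where-Object {
        ($_.bindingInformation -split ':')[-1] -eq $HostName
    }
    if ($inUse) {
        throw "Host name '$HostName' is already bound to another site; choose a new NLS name."
    }

    if (-not (Test-Path $PhysicalPath)) {
        New-Item -ItemType Directory -Path $PhysicalPath | Out-Null
    }
    # A static page is enough; DA clients only need a successful HTTPS response.
    Set-Content -Path (Join-Path $PhysicalPath 'default.htm') -Value '<html><body>NLS</body></html>'

    # HTTPS only: the NLS definition in the DA configuration must be an https:// URL.
    $site = New-Website -Name 'NLS' -PhysicalPath $PhysicalPath -Port 443 -Ssl -HostHeader $HostName
    $binding = Get-WebBinding -Name 'NLS' -Protocol https
    $binding.AddSslCertificate($Thumbprint, 'my')   # bind the pre-installed certificate
    return $site
}

function Test-NlsPrerequisites {
    param(
        [string]$NlsUrl       = 'https://nls.contoso.local',  # assumed NLS URL
        [string]$DaServerFqdn = 'da1.contoso.local'           # assumed DA server name
    )
    $uri    = [Uri]$NlsUrl
    $result = [ordered]@{}

    # 1. Must be HTTPS.
    $result.IsHttps = ($uri.Scheme -eq 'https')

    # 2. Must not be hosted on the DirectAccess server itself.
    $result.NotOnDaServer = ($uri.Host -ne $DaServerFqdn)

    # 3. Inside/outside behaviour: from inside the corporate network both of
    #    the following should be $true; from outside both should be $false,
    #    otherwise remote clients will wrongly decide they are "inside" and
    #    switch DirectAccess off.
    try {
        Resolve-DnsName -Name $uri.Host -Type A -ErrorAction Stop | Out-Null
        $result.Resolves = $true
    } catch { $result.Resolves = $false }

    try {
        $resp = Invoke-WebRequest -Uri $NlsUrl -UseBasicParsing -ErrorAction Stop
        $result.Reachable = ($resp.StatusCode -eq 200)
    } catch { $result.Reachable = $false }

    return [pscustomobject]$result
}

# Usage on the IIS host, then from a client inside and again from outside:
#   New-NlsWebsite -Thumbprint '<THUMBPRINT-OF-NLS-CERT>'
#   Test-NlsPrerequisites
```

Run Test-NlsPrerequisites twice, once on a client connected to the LAN and once on the same client on an external connection; the Resolves and Reachable fields should flip from true to false between the two runs, which is exactly the signal the DA client relies on. A false result for NotOnDaServer or IsHttps means the NLS definition needs to be changed before clients are enrolled.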

The most important part about the Network Location Server that I want to stress is that you should absolutely implement this website on a server in your network that is not the DirectAccess server itself. When you
