How to get Windows 7 to work with DirectAccess Server 2012
To get Windows 7 to work, you have to:
- Enable auto-enrollment in GPO
- Create a certificate template for clients and Remote Access server, and enable the templates to be issued.
- Enable Windows 7 client computers to connect via DirectAccess and select the root certificate in Step 2 (in the Remote Access Management console).
- To enable auto-enrollment, go to your domain controller and open Group Policy Management.
- Go to Computer configuration -> Policies -> Windows Settings -> Security Settings.
- Select Public Key Policies. Enable this and check both the boxes.
PS: It might be a good idea to make two different security groups in AD, one for Windows 8 and the other for Windows 7. This is because in the steps below, you have to define which clients should receive the certificates. Windows 8 clients do not need any certificates, and I am not sure if this will cause problems (not tested).
Start off by installing AD CS (Certificate Services). For testing purposes, I usually install AD CS on the domain controller.
- For certificate templates, open Certification Authority, expand Contoso-RootCA and right click on Certificate Templates. Click on Manage.
- Go to Certificate Templates Console and right click on Workstation Authentication.
- Select Duplicate Template. I chose Windows Server 2008 and Windows 7 as the minimum compatibility.
- Use DirectAccess IPSec Client as the template display name. Then move over to the Security tab and add the security group you have for your DirectAccess clients. Mine is DA_Klienter.
- Under Permissions, select Read, Enroll and Autoenroll and click OK.
- Now we’re going to make a new template for the DA server. Duplicate the Workstation Authentication template and use the same minimum compatibility.
- Use DirectAccess IPSec Server as the template display name, then go to Extensions and select Application Policies. Click Edit and add Server Authentication.
- Go to the Subject Name tab.
- Under Subject name format, select Common name.
- Go to the Security tab and add your DirectAccess server.
- Under Permissions, select Read, Enroll and Autoenroll.
- Right click on Certificate Templates, select New and then Certificate Template to Issue.
- Select both DirectAccess IPSec Client and DirectAccess IPSec Server. Click OK.
- Close the console.
Modify Step 2
- Open Remote Access Management and then the configuration screen.
- Modify Step 2 and click Next until you reach the Authentication page.
- Check the box for Enable Windows 7 client computer to connect via DirectAccess.
- Select your root CA and finish.
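
Once the templates are issued and policy has refreshed, it is worth confirming that a client actually received a usable certificate that chains to the root CA selected in Step 2. The script below is an added example, not part of the original post; the function name `Test-DACertificate` is hypothetical, and it assumes the root CA is named Contoso-RootCA as above.

```powershell
# Added example. Run on a DirectAccess client after Group Policy has refreshed
# and autoenrollment has run (gpupdate /force, then certutil -pulse).
# Assumption: the root CA is named Contoso-RootCA, as on this page.
$RootCaName  = 'Contoso-RootCA'
# Client Authentication. On the DirectAccess server, check 1.3.6.1.5.5.7.3.1
# (Server Authentication), the application policy added to the server template.
$RequiredEku = '1.3.6.1.5.5.7.3.2'

function Test-DACertificate($Cert) {
    # Collect the EKU OIDs from the Enhanced Key Usage extension, if present.
    $ekus = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }
    # Build the chain; the last element is the root the certificate chains to.
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($Cert)
    $rootCn  = ''
    $count   = $chain.ChainElements.Count
    if ($count -gt 0) {
        $rootCn = $chain.ChainElements[$count - 1].Certificate.GetNameInfo('SimpleName', $false)
    }
    $now = Get-Date
    New-Object PSObject -Property @{
        Subject   = $Cert.Subject
        HasKey    = $Cert.HasPrivateKey
        InDate    = ($Cert.NotBefore -le $now -and $Cert.NotAfter -gt $now)
        HasEku    = ($ekus -contains $RequiredEku)
        ChainOk   = $chainOk
        Root      = $rootCn
        RootMatch = ($rootCn -eq $RootCaName)
    }
}

# Computer certificates issued by autoenrollment land in the machine's Personal store.
$results = @(Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-DACertificate $_ })
$results | Format-Table Subject, HasKey, InDate, HasEku, ChainOk, Root -AutoSize

$usable = @($results | Where-Object {
    $_.HasKey -and $_.InDate -and $_.HasEku -and $_.ChainOk -and $_.RootMatch
})
if ($usable.Count -gt 0) {
    "OK: $($usable.Count) certificate(s) usable for DirectAccess IPsec, chained to $RootCaName"
} else {
    "No usable certificate found: check group membership, template permissions and autoenrollment"
}
```

A certificate that shows `ChainOk` as False, or a `Root` other than the CA selected on the Authentication page, will not be accepted for the IPsec tunnel even though enrollment succeeded.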