{'Description':'IPv4/IPv6 address or hostname of the machine on which the DirectAccess server machine specific tasks should be executed','In':True}
EntrypointName
string
1
✓
-
{'Description':'Entrypoint refers to the identity of a site in a multi-site deployment and when specified indicates that the configuration of the DirectAccess server at that site should be retrieved.
If an entrypoint is not specified in a multi-site deployment then the entrypoint to which the server on which the cmdlet is executed is used. The server could also be represented by using the ComputerName parameter.
If both entrypoint and computername are specified and the ComputerName doesnt belong to the site represented by the entrypoint then the entrypoint takes precedence and the configuration is returned for it.','In':True}
{'Description':'The output object contains the following properties
1. Type of DirectAccess installed - Full install or manage-out
2. Authentication type
3. Internal IPv6 prefix
4. Client IPHTTPS IPv6 prefix
5. Usage of machine cert auth for 1st tunnel (enabled/disabled)
6. IPsec root cert
7. Whether the IPsec root certificate is an intermediate root certificate
8. Status of Teredo (enabled or disabled)
9. Whether the DirectAcess server is deployed behind NAT
10. Whether the configuration in which DirectAccess is deployed is sing-NIC or double-NIC
11. Name of the DirectAccess server GPO
12. Status of health check
','EmbeddedInstance':'DAServer','Out':True}
Description
'This cmdlet displays the properties of the DirectAccess Server'
{'Description':'IPv4/IPv6 address or hostname of the machine on which the DirectAccess server machine specific tasks should be executed','In':True}
PassThru
boolean
1
✓
-
{'Description':'Returns an object that conveys the properties of the DirectAccess server. By default this cmdlet does not generate any output','In':True}
Force
boolean
2
✓
-
{'Description':'Switch parameter used to suppress user confirmation prompts for the following conditions. When suppressed the cmdlet assumes user confirmation for the following changes
1. ConnectTo change would result in a change in the SSL certificate
2. During SSL certificate change if an appropriate certificate is not found then a self-signed certificate is created
3. Changing DirectAccess installation type','In':True}
DAInstallType
string
3
✓
-
{'Description':'This parameter is used to change the configuration in which DirectAccess has been deployed. It can take one of the following values
1. FullInstall
2. ManageOut
The DAInstallType is a global configuration and applies to the entire DirectAccess deployment.','In':True,'ValueMap':['FullInstall', 'ManageOut'],'Values':['FullInstall', 'ManageOut']}
{'Description':'The output object contains the following properties
1. Type of DirectAccess installed - Full install or manage-out
2. Authentication type
3. Internal IPv6 prefix
4. Client IPHTTPS IPv6 prefix
5. Usage of machine cert auth for 1st tunnel (enabled/disabled)
6. IPsec root cert
7. Whether the IPsec root certificate is an intermediate root certificate
8. Status of Teredo (enabled or disabled)
9. Whether the DirectAcess server is deployed behind NAT
10. Whether the configuration in which DirectAccess is deployed is sing-NIC or double-NIC
11. Name of the DirectAccess server GPO
12. Status of health check','EmbeddedInstance':'DAServer','Out':True}
Description
'This cmdlet sets the properties specific to the DirectAccess server '
implemented
True
static
True
SetByChangeDAInstallationType method is in 1 class (PS_DAServer) of ROOT\Microsoft\Windows\RemoteAccess and in 2 namespaces
{'Description':'IPv4/IPv6 address or hostname of the machine on which the DirectAccess server machine specific tasks should be executed','In':True}
PassThru
boolean
1
✓
-
{'Description':'Returns an object that conveys the properties of the DirectAccess server. By default this cmdlet does not generate any output','In':True}
Force
boolean
2
✓
-
{'Description':'Switch parameter used to suppress user confirmation prompts for the following conditions. When suppressed the cmdlet assumes user confirmation for the following changes
1. ConnectTo change would result in a change in the SSL certificate
2. During SSL certificate change if an appropriate certificate is not found then a self-signed certificate is created
3. Changing DirectAccess installation type','In':True}
InternalIPv6Prefix
string
3
✓
-
{'Description':'Represents the native IPv6 prefixes used in the internal network (in the corporate network). The list of prefixes specified always overwrites the existing list of prefixes.
The list of internal IPv6 prefixes is a global configuration and applies to the entire DirectAccess deployment','In':True}
ClientIPv6Prefix
string
4
✓
-
{'Description':'Represents the prefix from which IPv6 addresses are assigned to the connecting clients in case of IP-HTTPS.
The client IPv6 prefix configuration is applicable per-server or per-site (in the case of multisite deployments).','In':True}
DisableComputerCertAuthentication
boolean
5
✓
-
{'Description':'Using this switch parameter indicates that computer certificate authentication is to be disabled. Disabling this setting disables PKI for the DirectAccess deployment
Following are conditions around computer certificate authentication
1. Computer certificate authentication cannot be disabled if health checks are enabled (HealthCheck parameter) or TwoFactor authentication is used for user authentication or when multisite deployment is enabled.
2. User authentication configuration is automatically changed to UserPasswd when computer certificate authentication is disabled.
Computer certificate authentication is re-enabled by configured an IPsec root certificate using the IPsecRootCertificate parameter.
Disabling of computer certificate authentication is a global configuration that applies to the entire DirectAccess deployment','In':True}
TeredoState
string
6
✓
-
{'Description':'This parameter is used to configure Teredo. It can take one of the following values
1. Enabled
2. Disabled
Following are the behavioral aspects of Teredo State
1. Teredo can be enabled only if two consecutive IP addresses are present on the Internet interface of the server.
2. In a load balancing scenario
a. If a 3rd party load balancer is being used and Teredo has to be enabled then the load balancer should have two consecutive IP addresses
b. If Teredo needs to be enabled in a cluster then the cluster should be destroyed first and two consecutive IPs should be configured on the DirectAccess server
3. The Teredo configuration is applicable per-computer or per-site (in the case of multisite deployments)','In':True,'ValueMap':['Enabled', 'Disabled'],'Values':['Enabled', 'Disabled']}
ConnectToAddress
string
7
✓
-
{'Description':'Indicates the DirectAccess server or NAT public (if DirectAccess server is deployed behind a NAT) address that clients connect to. Specified as hostname or IPv4 address.
When the ConnectTo address is changed the SSL certificate is also changed appropriately. Following are the rules associated with assigning a proper certificate
1. Cmdlet looks for an appropriate SSL certificate on the computer.
2. If an appropriate SSL certificate is not found then a self-signed certificate is created.
3. In a load balancing scenario if all computers are up and an appropriate SSL certificate is found only on some computers then the cmdlet fails the operation of changing the ConnectTo address. If none of the computers has a proper SSL cert then a self-signed certificate is created on all computers and the ConnectTo change goes through. If one or more computers are down then the certificate is updated only on the other computers. But the DirectAccess server Group Policy object is updated to ensure that when these machines come up load balancing is in stopped state on them due to a certificate mismatch. For the certificate change (and in turn the ConnectTo address change) to take effect the admin needs to install a similar certificate on them and re-run this cmdlet
4. In a multi-site scenario, the cmdlet doesnt create a self-signed certificate and always expects a proper certificate to be present on the machine itself.
The ConnectTo address is applicable per-machine or per-site (in the case of multisite deployments)','In':True}
{'Description':'The output object contains the following properties
1. Type of DirectAccess installed - Full install or manage-out
2. Authentication type
3. Internal IPv6 prefix
4. Client IPHTTPS IPv6 prefix
5. Usage of machine cert auth for 1st tunnel (enabled/disabled)
6. IPsec root cert
7. Whether the IPsec root certificate is an intermediate root certificate
8. Status of Teredo (enabled or disabled)
9. Whether the DirectAcess server is deployed behind NAT
10. Whether the configuration in which DirectAccess is deployed is sing-NIC or double-NIC
11. Name of the DirectAccess server GPO
12. Status of health check','EmbeddedInstance':'DAServer','Out':True}
Description
'This cmdlet sets the properties specific to the DirectAccess server '
implemented
True
static
True
SetByDisableComputerCertAuth method is in 1 class (PS_DAServer) of ROOT\Microsoft\Windows\RemoteAccess and in 2 namespaces
{'Description':'IPv4/IPv6 address or hostname of the machine on which the DirectAccess server machine specific tasks should be executed','In':True}
PassThru
boolean
1
✓
-
{'Description':'Returns an object that conveys the properties of the DirectAccess server. By default this cmdlet does not generate any output','In':True}
Force
boolean
2
✓
-
{'Description':'Switch parameter used to suppress user confirmation prompts for the following conditions. When suppressed the cmdlet assumes user confirmation for the following changes
1. ConnectTo change would result in a change in the SSL certificate
2. During SSL certificate change if an appropriate certificate is not found then a self-signed certificate is created
3. Changing DirectAccess installation type','In':True}
UserAuthentication
string
3
✓
-
{'Description':'This parameter sets the type of authentication that is used to authenticate a DirectAccess user. It can take one of the following values
1. TwoFactor
2. UserPasswd
Here two-factor refers to certificate authentication or OTP authentication. However, note that to setup OTP authentication enabling two-factor alone is not enough. It needs to be configured separately using the DAOtpAuth cmdlets
User authentication is a global configuration that applies to the entire DirectAccess deployment','In':True,'ValueMap':['TwoFactor', 'UserPasswd'],'Values':['TwoFactor', 'UserPasswd']}
IPsecRootCertificate
uint8
4
✓
-
{'Description':'Specifies the root certificate to which DirectAccess and VPN clients should chain. This parameter is used
1. to change the IPsec root certificate or
2. to enable PKI if there is no IPsec root certificate already configured
IPsec root certificate is a global configuration, i.e. the same certificate is found on all nodes in the DirectAccess deployment. Hence, configuring the root certificate updates it on all DirectAccess servers. If the specified certificate is not found on one or more servers then the IPsec root certificate is not updated on any of the servers and the cmdlet errors out. In a load balancing scenario if one or more nodes is down when the cmdlet is run then the certificate is only updated on the nodes that are running. But the DirectAccess server Group Policy object is updated to ensure that when these computers come up load balancing is in stopped state on them due to a certificate mismatch. For the certificate change to take effect, the admin needs to install a similar certificate on them and re-run this cmdlet ','In':True}
IntermediateRootCertificate
boolean
5
✓
-
{'Description':'This switch parameter when specified indicates that the IPsec root certificate specified is an intermediate root certificate
','In':True}
EntrypointName
string
6
✓
-
{'Description':'Entrypoint refers to the identity of a site in a multisite deployment and when specified indicates that the DirectAccess server properties should be configured for that site. Only the following properties are applicable at the site level. The rest of them are global properties and hence the entrypoint parameter has no meaning to them.
1. ClientIPv6Prefix
2. ConnectToAddress
3. TeredoState
If an entrypoint is not specified in a multisite deployment then the entrypoint to which the server on which the cmdlet is executed belongs is used. The server could also be represented by using the ComputerName parameter.
If both entrypoint and computername are specified and the ComputerName doesnt belong to the site represented by the entrypoint then the entrypoint takes precedence and the authentication type is configured for it.','In':True}
ClientIPv6Prefix
string
7
✓
-
{'Description':'Represents the prefix from which IPv6 addresses are assigned to the connecting clients in case of IP-HTTPS.
The client IPv6 prefix configuration is applicable per-server or per-site (in the case of multisite deployments).','In':True}
ConnectToAddress
string
8
✓
-
{'Description':'Indicates the DirectAccess server or NAT public (if DirectAccess server is deployed behind a NAT) address that clients connect to. Specified as hostname or IPv4 address.
When the ConnectTo address is changed the SSL certificate is also changed appropriately. Following are the rules associated with assigning a proper certificate
1. Cmdlet looks for an appropriate SSL certificate on the computer.
2. If an appropriate SSL certificate is not found then a self-signed certificate is created.
3. In a load balancing scenario if all computers are up and an appropriate SSL certificate is found only on some computers then the cmdlet fails the operation of changing the ConnectTo address. If none of the computers has a proper SSL cert then a self-signed certificate is created on all computers and the ConnectTo change goes through. If one or more computers are down then the certificate is updated only on the other computers. But the DirectAccess server Group Policy object is updated to ensure that when these machines come up load balancing is in stopped state on them due to a certificate mismatch. For the certificate change (and in turn the ConnectTo address change) to take effect the admin needs to install a similar certificate on them and re-run this cmdlet
4. In a multi-site scenario, the cmdlet doesnt create a self-signed certificate and always expects a proper certificate to be present on the machine itself.
The ConnectTo address is applicable per-machine or per-site (in the case of multisite deployments)','In':True}
InternalIPv6Prefix
string
9
✓
-
{'Description':'Represents the native IPv6 prefixes used in the internal network (in the corporate network). The list of prefixes specified always overwrites the existing list of prefixes.
The list of internal IPv6 prefixes is a global configuration and applies to the entire DirectAccess deployment','In':True}
TeredoState
string
10
✓
-
{'Description':'This parameter is used to configure Teredo. It can take one of the following values
1. Enabled
2. Disabled
Following are the behavioral aspects of Teredo State
1. Teredo can be enabled only if two consecutive IP addresses are present on the Internet interface of the server.
2. In a load balancing scenario
a. If a 3rd party load balancer is being used and Teredo has to be enabled then the load balancer should have two consecutive IP addresses
b. If Teredo needs to be enabled in a cluster then the cluster should be destroyed first and two consecutive IPs should be configured on the DirectAccess server
3. The Teredo configuration is applicable per-computer or per-site (in the case of multisite deployments)','In':True,'ValueMap':['Enabled', 'Disabled'],'Values':['Enabled', 'Disabled']}
HealthCheck
string
11
✓
-
{'Description':'This parameter is used to enable/disable health checks for DirectAccess clients. It can take one of the following values
1. Enabled
2. Disabled
Following are important behavioral aspects for health checks:
1. In order to enable health checks machine certificate authentication should already be enabled, i.e., an IPsec root certificate should be deployed.
2. On disabling health checks if neither of the following is already enabled then machine certificate authentication is automatically disabled:
a. Multisite, i.e. multisite is not deployed/enabled
b User authentication is not two-factor
c. Support for down-level clients is not enabled
3. Healthcheck is a global configuration that applies to the entire DirectAccess deployment.','In':True,'ValueMap':['Enabled', 'Disabled'],'Values':['Enabled', 'Disabled']}
{'Description':'The output object contains the following properties
1. Type of DirectAccess installed - Full install or manage-out
2. Authentication type
3. Internal IPv6 prefix
4. Client IPHTTPS IPv6 prefix
5. Usage of machine cert auth for 1st tunnel (enabled/disabled)
6. IPsec root cert
7. Whether the IPsec root certificate is an intermediate root certificate
8. Status of Teredo (enabled or disabled)
9. Whether the DirectAcess server is deployed behind NAT
10. Whether the configuration in which DirectAccess is deployed is sing-NIC or double-NIC
11. Name of the DirectAccess server GPO
12. Status of health check','EmbeddedInstance':'DAServer','Out':True}
Description
'This cmdlet sets the properties specific to the DirectAccess server '
implemented
True
static
True
SetByEnableComputerCertAuth method is in 1 class (PS_DAServer) of ROOT\Microsoft\Windows\RemoteAccess and in 2 namespaces