
8/2/2019 45077789 DA Design Dep Guide 1/309

    DirectAccess for Windows Server 2008 R2

Design, Deployment, and Troubleshooting Guides

Microsoft Corporation

    Published: December 2009

    Updated: September 2010

    Author: Joe Davies

    Editor: Scott Somahano

    Abstract

This document contains the Design Guide, Deployment Guide, and Troubleshooting Guide for DirectAccess in Windows Server 2008 R2. These guides help you to design and deploy DirectAccess servers, DirectAccess clients, and infrastructure servers on your intranet and troubleshoot common DirectAccess problems. Use the Design Guide to answer the What, Why, and When questions a deployment design team might ask before deploying DirectAccess in a production environment. Use the Deployment Guide to answer the How questions a deployment team might ask when implementing a DirectAccess design. Use the Troubleshooting Guide for task-oriented information to help you identify and resolve problems quickly and perform root-cause analysis of incidents and problems with the elements of a DirectAccess infrastructure.


The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

The DirectAccess Design, Deployment, and Troubleshooting Guides are for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

© 2009 Microsoft Corporation. All rights reserved.

Microsoft, Windows, Windows Server, Windows Vista, and Active Directory are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

This white paper reflects content that was published on Microsoft TechNet as of September 1, 2010. The corresponding content published on TechNet after this date might contain changes. For the latest information, see the following documents:

DirectAccess Design Guide (http://go.microsoft.com/fwlink/?LinkID=161985)

DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=166398)

DirectAccess Troubleshooting Guide (http://go.microsoft.com/fwlink/?LinkId=165904)


    Contents

    DirectAccess for Windows Server 2008 R2 ..............................................................................1

    Design, Deployment, and Troubleshooting Guides ................................................................ ..1

    Abstract.................................................................................................................................1

    Contents ..........................................................................................................................................3

    DirectAccess Design Guide ................................................................................................. .........13

    About this guide .........................................................................................................................13

    Understanding the DirectAccess Design Process .........................................................................14

    Identifying Your DirectAccess Deployment Goals ..................................................................... ....15

    Transparent and Automatic Remote Access for DirectAccess Clients ..........................................16

    Ongoing Management of Remote DirectAccess Clients ............................................................ ...16

    Efficient Routing of Intranet and Internet Traffic ............................................................................17

    Reduction of Remote Access-based Servers in your Edge Network ............................................ .17

    End-to-end Traffic Protection ..................................................................................................... ...18

    Multi-factor Credentials for Intranet Access ...................................................................................18

    Mapping Your Deployment Goals to a DirectAccess Design ..................................................... ....19

    Evaluating DirectAccess Design Examples ...................................................................................20

    Full Intranet Access Example ........................................................................................................20

    Full Intranet Access with Smart Cards Example ...........................................................................21

    Selected Server Access Example .................................................................................................22

    Using authentication with null encapsulation for selected server access ...................................23

    End-to-end Access Example .........................................................................................................24

    Planning a DirectAccess Deployment Strategy .............................................................................25

    Resources Available to DirectAccess Clients ................................................................................26

    IPv6 resources on your intranet.................................................................................................26

    IPv4-only resources on the intranet...........................................................................................27

    Using an IPv4-only intranet........................................................................................................28

    Limiting connectivity to selected resources ................................................................................28

    IPv6 resources on the IPv6 Internet...........................................................................................29


    Choose an Intranet IPv6 Connectivity Design ...............................................................................30

    No existing IPv6 infrastructure ...................................................................................................30

    Existing ISATAP infrastructure ............................................................................................. ..... .31

    Existing native IPv6 infrastructure ..............................................................................................31

    Choose Solutions for IPv4-only Intranet Resources ......................................................................32

    Choose an Access Model..............................................................................................................34

    Full Intranet Access .......................................................................................................................34

    Selected Server Access ................................................................................................................35

    End-to-End Access ........................................................................................................... ............36

    Choose a Configuration Method ............................................................................................. ......37

    DirectAccess Management Console ..........................................................................................37

    Custom configuration using the Network Shell (Netsh) command-line tool and Group Policy .. .37

    Design for Remote Management..................................................................................................38

    Design for Intranet Server Availability Prior to User Logon .................................................. .........39

    Design Packet Filtering for DirectAccess ................................................................................... ...41

    Packet Filters for Your Internet Firewall.........................................................................................41

    Packet Filters for Your Intranet Firewall.........................................................................................43

    Confining ICMPv6 Traffic to the Intranet.......................................................................................43

    Packet filters for Teredo Connectivity ............................................................................................45

    Packet filters to allow inbound ICMP Echo Requests on all computers .....................................45

    Enable edge traversal on inbound management traffic ..............................................................46

    Enable inbound ICMPv6 Echo Requests for management traffic ..............................................46

    Packet Filters for Management Computers ...................................................................................46

    DirectAccess and Third-party Host Firewalls ......................................................................... .......47

    Choose an Authentication and Authorization Scheme ........................................................... .......48

    Additional end-to-end peer authentication for selected server access .......................................49

    Peer authentication for end-to-end access ................................................................................49

    Smart cards for additional authorization ....................................................................................50

    Allowing access for users with unusable smart cards ................................................... .........50

    Prompts for smart card credentials while on the intranet........................................................50

    Under the covers: Smart card authorization ...........................................................................51

    Design Addressing and Routing for the DirectAccess Server .......................................................52

    IPv4 address and routing configuration .....................................................................................52


    IPv6 address and routing configuration .....................................................................................53

    Design Active Directory for DirectAccess ......................................................................................54

    Active Directory and the DirectAccess server ............................................................................55

Active Directory Sites and Services configuration .......................................................................55

DirectAccess and user profiles for remote users ..........................................................................56

    Design Your DNS Infrastructure for DirectAccess .........................................................................57

    Split-brain DNS ..........................................................................................................................57

    DNS server requirements for ISATAP ..................................................................................... ...58

    AAAA records for servers that do not perform DNS dynamic update .........................................58

    Local name resolution behavior for DirectAccess clients ...........................................................59

    NRPT rules ................................................................................................................................59

    DNS server querying behavior for DirectAccess clients .............................................................61

    Unqualified, single-label names and DNS search suffixes .........................................................61

    External DNS .............................................................................................................................62

    Design Your PKI for DirectAccess .................................................................................................62

    Autoenrollment for computer certificates ................................................................................ ...62

    Manual enrollment for network location server and IP-HTTPS certificates ................................63

    Certificate revocation checking and CRL distribution points ..................................................... .64

    Using a commercial CA for the IP-HTTPS certificate .............................................................. ...65

    Enabling strong CRL checking for IPsec authentication ........................................................ ....65

    Smart cards for additional authorization ....................................................................................66

    Using Suite B certificates for DirectAccess ................................................................................66

    Design Your Web Servers for DirectAccess ................................................................................. .66

    Choose an Internet Traffic Separation Design ................................................................... ...........68

    Configure IPv4 Internet access ..................................................................................................69

    Enable force tunneling ...............................................................................................................69

    Modify the NRPT .......................................................................................................................70

    Configure the use of IP-HTTPS .................................................................................................70

    Modify Internet firewall settings ........................................................................................ .........70

    Design Protection for Traffic between DirectAccess Clients ..........................................................71

    Design Your Intranet for Corporate Connectivity Detection ...........................................................73

    Choose a DirectAccess and VPN Coexistence Design .................................................................74

    DirectAccess and third-party VPN clients ..................................................................................75

    Use the DirectAccess Connectivity Assistant (DCA) .....................................................................76

    Planning the Placement of a DirectAccess Server ........................................................................76

    When to Install a DirectAccess Server ..........................................................................................77


    Where to Place the DirectAccess Server ................................................................................... ...77

    Planning Redundancy for a DirectAccess Server .........................................................................78

    Planning the Placement of a Network Location Server .................................................................79

    Where to Place the Network Location Server ......................................................................... ......80

    Highly available intranet Web server as the network location server .........................................81

    Authentication and authorization for the network location URL .......................................... .......82

    DirectAccess server as the network location server ................................................................. .82

    Planning Redundancy for a Network Location Server ...................................................................83

    Planning the Placement of CRL Distribution Points ..................................................................... .83

    Where to Place the CRL Distribution Points ............................................................................ ..... .84

    Intranet location for intranet detection ........................................................................................84

    Internet location for IP-HTTPS connections ...............................................................................84

    Planning Redundancy for CRL Distribution Points ........................................................................85

    Planning DirectAccess with Network Access Protection (NAP) .....................................................85

    Configuration changes for the infrastructure tunnel...................................................................86

    Configuration changes for the intranet tunnel............................................................................87

    Planning DirectAccess with an Existing Server and Domain Isolation Deployment......................88

    Planning DirectAccess with Microsoft Forefront Threat Management Gateway ............................89

    DirectAccess Capacity Planning ...................................................................................................89

    Capacity Planning for DirectAccess Servers .................................................................................90

    Increasing the number of concurrent Teredo clients ..................................................................90

    Moving the IPsec gateway function to a separate server ...........................................................90

    Using DirectAccess with UAG ............................................................................................. ......92

    Capacity Planning for Network Location Servers ..........................................................................93

    Capacity Planning for CRL Distribution Points ..............................................................................93

    Planning for Multi-site DirectAccess ..............................................................................................94

    IPv6 connectivity for multi-site DirectAccess ................................................................. ............96

Native IPv6 connectivity ...............................................................................................................96

ISATAP connectivity .....................................................................................................................96

    Active Directory for multi-site DirectAccess ...............................................................................99

    DNS for multi-site DirectAccess ............................................................................................. ....99

    Intranet DNS records ......................................................................................................... ...100

    Internet DNS records ......................................................................................................... ...100

    NRPT .............................................................................................................................. .....100


    PKI for multi-site DirectAccess ..................................................................................... ...........101

    Intranet CRL distribution points ......................................................................................... ...101

    Certificate requirements for network location certificates .....................................................102

    Internet CRL distribution point..............................................................................................102

Certificate requirements for IP-HTTPS certificates ....................................................................102

Network location servers for multi-site DirectAccess .................................................................103

    Force tunneling for multi-site DirectAccess ..............................................................................104

    Connection security rules for multi-site DirectAccess ..............................................................104

    Additional DirectAccess Resources ......................................................................................... ...106

    Appendix A: DirectAccess Requirements ....................................................................................106

    Appendix B: Reviewing Key DirectAccess Concepts ............................................................... ...108

    IPv6 .........................................................................................................................................109

    IPv6 connectivity across the IPv4 Internet............................................................................109

6to4 .........................................................................................................................................109

Teredo .....................................................................................................................................109

    IP-HTTPS ..........................................................................................................................109

    IPv6 connectivity across an IPv4-only intranet.....................................................................110

    IPsec ........................................................................................................................................110

    Encryption .............................................................................................................................111

    Data integrity .........................................................................................................................111

    Separation of DNS traffic ................................................................................................. ........112

    NRPT exemptions .................................................................................................................113

    Network location detection .......................................................................................................113

    The network location server ..................................................................................................113

    How network location detection works ..................................................................................114

    Appendix C: Documenting Your DirectAccess Design .................................................................115

    Concepts ..................................................................................................................................115

    Goals .................................................................................................................................... ...115

    Infrastructure design plan ..................................................................................................... ...116

    Custom configuration plan .......................................................................................................116

    Integration strategy ............................................................................................................ ......116

    Staging strategy .......................................................................................................................117

    Lessons learned .......................................................................................................................117

    DirectAccess Deployment Guide .................................................................................................117

    About this guide .................................................................................................................... ...118

    Planning Your DirectAccess Deployment.............................................................................. ......118

    Reviewing your DirectAccess design .......................................................................................119

    Reviewing DirectAccess concepts ...........................................................................................119

    Implementing Your DirectAccess Design Plan ............................................................................120


    How to implement your DirectAccess design using this guide .................................................120

    Checklist: Staging a DirectAccess Deployment..........................................................................122

    Checklist: Preparing Your Infrastructure for DirectAccess ...........................................................123

    Checklist: Preparing Your DirectAccess Server ............................................................... ...........125

    Checklist: Implementing a DirectAccess Design for Full Intranet Access ....................................128

    Checklist: Implementing a DirectAccess Design for Selected Server Access .............................130

    Checklist: Implementing a DirectAccess Design for End-to-End Access .....................................132

    Checklist: Implementing a Redundant DirectAccess Design .......................................................133

    Checklist: Configuring Network Access Protection (NAP) with DirectAccess ..............................134

    Checklist: Moving the IPsec Gateway to Another Server ............................................................136

    Procedures Used in this Guide ................................................................................................ ...137

    Add Servers that are Available to DirectAccess Clients before User Logon ................................138

    Configure a CRL Distribution Point for Certificates .....................................................................140

    Configure Active Directory Certificate Services for CRL Locations ....................................... ......142

    Configure Client Authentication and Certificate Mapping for IP-HTTPS Connections .................144

    Configure Computer Certificate Autoenrollment..........................................................................145

    Configure Connection Security Rules for End-to-end Access ................................................ .....146

    Configure Connection Security Rules for Traffic Between DirectAccess Clients .........................148

    Configure Corporate Connectivity Detection Settings .................................................................149

    Configure DirectAccess Connection Security Rules for NAP ......................................................151

    Configure Firewall Rules to Prevent Traffic between Proxy Servers and DirectAccess Servers . 153

    Configure Force Tunneling for DirectAccess Clients ...................................................................155

    Configure IIS for Network Location ............................................................................................ .156

    Configure Packet Filters to Allow ICMP Traffic ................................................................. ..... ..... .158

    Configure Packet Filters to Allow Management Traffic to DirectAccess Clients ....................... ...159

    Configure Packet Filters to Block Access to Domain Controllers ................................................161

    Configure Permissions on the Web Server Certificate Template .................................................162


    Configure Settings to Confine ICMPv6 Traffic to the Intranet......................................................163

    Configure Strong Certificate Revocation Checking for IPsec Authentication ...............................164

    Configure the DirectAccess IPsec Gateway on a Different Server ..............................................166

    Configure the Intra-Server Subnet..............................................................................................166

    Configure the IPv6 Connectivity Server ......................................................................................167

    Configure the IPsec Gateway Server ..........................................................................................168

    Configure the DirectAccess Server as the Network Location Server ....................................... ...169

    Configure the DirectAccess Setup Wizard for End-to-End Access ..............................................170

    Configure the DirectAccess Setup Wizard for Full Intranet Access .............................................173

    Configure the DirectAccess Setup Wizard for Selected Server Access ............................. .........176

    Configure the NRPT for an IPv6/IPv4 DNS Gateway ..................................................................179

    Configure the NRPT with Group Policy .......................................................................................180

    Connect to the IPv6 Internet.......................................................................................................181

    Create DirectAccess Groups in Active Directory .........................................................................182

    Install a Network Location Server Certificate on the DirectAccess Server ............................... ...183

    Install an IP-HTTPS Certificate ...................................................................................................185

    Install and Configure IIS for a Network Location Server Certificate ................................. ...........186

    Install the DirectAccess Feature ......................................................................................... ........187

    Remove ISATAP from the DNS Global Query Block List.............................................................188

    Appendix A Manual DirectAccess Server Configuration ...........................................................189

    Configure Internet access components .................................................................................. .189

    Configure intranet access components ....................................................................................190

    Configure IPsec DoSP .............................................................................................................191

    Configure connection security rules .........................................................................................192

    DirectAccess server configuration (full intranet access model) ....................................... .....192

    Connection security rules for client configuration (full intranet access model) ............. ...... ..192

    Appendix B Manual DirectAccess Client Configuration ............................................................193

    IPv6 transition technology settings .................................................................................. ........194

    NRPT .......................................................................................................................................195

    Appendix C - DirectAccess User Interface Scripting ...................................................................195

  • 8/2/2019 45077789 DA Design Dep Guide

    10/309

    Script usage .............................................................................................................................196

    Log file .....................................................................................................................................196

    Limitation of the script..............................................................................................................197

    Appendix D - DirectAccessConfig.xsd ..................................................................................... ...197

    DirectAccess Troubleshooting Guide ..........................................................................................211

    In this guide ..............................................................................................................................211

    Introduction to Troubleshooting DirectAccess .............................................................................212

    When to use this guide ............................................................................................................212

    How to use this guide ......................................................................................................... .....212

    Additional resources ................................................................................................................212

    A-Z List of Problem Topics for DirectAccess ...............................................................................213

    Tools for Troubleshooting DirectAccess ..................................................................................... .213

    Network Diagnostics and Tracing ............................................................................................. ...214

    Windows Network Diagnostics ..................................................................................... ...........214

    Troubleshooting item in Control Panel.....................................................................................214

    Network tracing for DirectAccess .............................................................................................215

    Windows Firewall tracing .........................................................................................................215

    Command Line Tools ..................................................................................................................216

    The Netsh.exe Command Line Tool............................................................................................216

    netsh dnsclient show state .......................................................................................................217

    netsh namespace show effectivepolicy and netsh namespace show policy ............................217

    netsh interface 6to4 show relay ...............................................................................................219

    netsh interface teredo show state ............................................................................................219

    netsh interface httpstunnel show interfaces .............................................................................221

    netsh interface istatap show state and netsh interface istatap show router .............................222

    netsh advfirewall monitor show mmsa .....................................................................................222

    netsh advfirewall monitor show qmsa ......................................................................................226

    netsh advfirewall monitor show consec rule name=all.............................................................229

    netsh advfirewall monitor show currentprofile ..........................................................................233

    netsh interface ipv6 show interfaces ........................................................................................234

    netsh interface ipv6 show interfaces level=verbose .................................................................234

    netsh interface ipv6 show route ...............................................................................................241

    The Ping.exe Command Line Tool..............................................................................................243

    The Nslookup.exe Command Line Tool......................................................................................244

    The Ipconfig.exe Command Line Tool.........................................................................................244

    The Certutil.exe Command Line Tool..........................................................................................247

  • 8/2/2019 45077789 DA Design Dep Guide

    11/309

    The Nltest.exe Command Line Tool............................................................................................248

    Snap-in Tools ............................................................................................................................. .249

    DirectAccess Management...................................................................................................... ...249

    Log files of the DirectAccess Management snap-in .................................................................250

    Group Policy Management Console and Editor ....................................................................... ...250

    NRPT rules ..............................................................................................................................251

    IPv6 Transition Technologies settings ................................................................................. .....251

    Intranet connectivity settings ............................................................................................. ......252

    Connection security rules ........................................................................................................253

    Windows Firewall with Advanced Security ..................................................................................253

    Event Viewer ...............................................................................................................................254

    Certificates ..................................................................................................................................255

    DirectAccess Connectivity Assistant (DCA) ............................................................................. ...255

    General Methodology for Troubleshooting DirectAccess Connections ...................................... .256

    Troubleshooting DirectAccess Problems ............................................................................... .....261

    Problems with the DirectAccess Setup Wizard ...........................................................................262

    Fixing problems that Prevent You from Running the DirectAccess Setup Wizard .......................262

    Fixing Problems Encountered during the Steps of the DirectAccess Setup Wizard ....................264

    Step 2-DirectAccess Server .....................................................................................................264Connectivity page .................................................................................................................264

    Prefix Configuration page .....................................................................................................266

    Certificate Components page ...............................................................................................267

    Step 3-Infrastructure Servers ...................................................................................................268

    Location page .......................................................................................................................268

    DNS and Domain Controller page ........................................................................................269

    Step 4-Application Servers ................................................................................................ ......269

    Fixing Problems Encountered when Applying the Settings of the DirectAccess Setup Wizard .. .269

    Problems with DirectAccess Connections ...................................................................................270

    Fixing Connectivity Issues Between the DirectAccess Client and the DirectAccess Server over the

    Internet................................................................................................................................. ...271

    Cannot Reach the DirectAccess Server from the IPv6 Internet..................................................271

    Cannot Reach the DirectAccess Server with 6to4 ..................................................................... .272

  • 8/2/2019 45077789 DA Design Dep Guide

    12/309

    Cannot Reach the DirectAccess Server with Teredo ...................................................................276

    Cannot Reach the DirectAccess Server with IP-HTTPS .............................................................280

    IP-HTTPS and authenticating proxies ..................................................................................... .284

    DirectAccess Client Connection is Slow ......................................................................................284

    Fixing Issues with Creating Protected Connections to the DirectAccess Server .........................285

    DirectAccess Client Cannot Establish Tunnels to the DirectAccess Server ................................285

    IPsec and certificate revocation checking ................................................................................289

    NAP health enforcement for the intranet tunnel.......................................................................289

    Smart card authorization ..........................................................................................................290

    NTLM authentication failures ...................................................................................................290

    Detailed analysis of IPsec negotiation .................................................................................. ...290

    DirectAccess Client Cannot Resolve Names with Intranet DNS Servers ....................................290

    Fixing Issues with Connecting to an Intranet Resource ............................................................. .292

    DirectAccess Client Cannot Access Intranet Resources .............................................................292

    Intranet Management Server Cannot Connect to a DirectAccess Client.....................................297

    Fixing Problems with Creating Protected Connections to an Intranet Resource .........................299

    Selected server access model.................................................................................................299

    End-to-end access model........................................................................................................301

    Fixing Issues with Network Location Detection ...........................................................................302

    DirectAccess Client Determines that it is on the Intranet When on the Internet..........................302

    DirectAccess Client Determines that it is on the Internet When on the Intranet..........................303

    DirectAccess Technical Reference ........................................................................................... ...306

    Network Location Detection ..................................................................................................... ...306

    Network location detection process .........................................................................................307

    Network location detection failures and their consequences ...................................................308

    Troubleshooting network location detection .............................................................................309

  • 8/2/2019 45077789 DA Design Dep Guide

    13/309

DirectAccess Design Guide

This topic describes design considerations for DirectAccess in Windows Server 2008 R2.

Important
For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (http://go.microsoft.com/fwlink/?LinkId=179988).

DirectAccess is one of the most anticipated features of the Windows Server 2008 R2 operating system. DirectAccess allows remote users to securely access intranet shares, Web sites, and applications without connecting to a virtual private network (VPN). DirectAccess establishes bidirectional connectivity with a user's intranet every time a user's DirectAccess-enabled portable computer connects to the Internet, even before the user logs on. Users never have to think about connecting to the intranet, and information technology (IT) administrators can manage remote computers outside the office, even when the computers are not connected to the VPN.

DirectAccess is supported by Windows 7 Enterprise, Windows 7 Ultimate, and Windows Server 2008 R2.

The following are the key elements of a DirectAccess solution:

DirectAccess client. A domain-joined computer running Windows 7 Enterprise, Windows 7 Ultimate, or Windows Server 2008 R2 that can automatically and transparently connect to an intranet through a DirectAccess server.

DirectAccess server. A domain-joined computer running Windows Server 2008 R2 that accepts connections from DirectAccess clients and facilitates communication with intranet resources.

Network location server. A server that a DirectAccess client uses to determine whether it is located on the intranet or the Internet.

Certificate revocation list (CRL) distribution points. Servers that provide access to the CRL that is published by the certification authority (CA) issuing certificates for DirectAccess.

For more information, see Appendix B: Reviewing Key DirectAccess Concepts.

About this guide

This guide is intended for use by an infrastructure specialist or system architect. The guide provides recommendations to help you plan a new DirectAccess deployment based on the requirements of your organization and the particular design that you want to create. It highlights your main decision points as you plan your DirectAccess deployment. Before you read this guide, you should have a good understanding of your organizational requirements and the capabilities and requirements of DirectAccess.

This guide describes a set of deployment goals that are based on the primary DirectAccess access methods. It helps you determine the most appropriate access method and corresponding design for your environment. You can use these deployment goals to create a comprehensive DirectAccess design that meets the needs of your environment.

Once you have determined your DirectAccess design, you can use the DirectAccess Deployment Guide to plan and implement your design.

This guide, combined with the DirectAccess Deployment and Troubleshooting Guides, is also available as a Microsoft Word file (http://go.microsoft.com/fwlink/?LinkId=163662) in the Microsoft Download Center.

Understanding the DirectAccess Design Process

This topic describes design considerations for DirectAccess in Windows Server 2008 R2.

Important
For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (http://go.microsoft.com/fwlink/?LinkId=179988).

To begin the DirectAccess design process, you must first identify your DirectAccess deployment goals. This guide contains some predefined deployment goals so that you can understand the ways in which DirectAccess can benefit your organization. After evaluating these goals, you can select a DirectAccess design that meets your DirectAccess deployment objectives. Each design includes examples to help you understand fundamental DirectAccess processes such as client access or remote management.

The following topics explain how to identify and evaluate a DirectAccess deployment design for your organization:

Identifying Your DirectAccess Deployment Goals
Mapping Your Deployment Goals to a DirectAccess Design
Evaluating DirectAccess Design Examples

After you identify your deployment goals and map them to a DirectAccess design, you can begin documenting your design, based on the processes that are described in the following topics:

Planning a DirectAccess Deployment Strategy
Planning the Placement of a DirectAccess Server
Planning the Placement of a Network Location Server
Planning the Placement of CRL Distribution Points
Planning DirectAccess with Network Access Protection (NAP)
Planning DirectAccess with an Existing Server and Domain Isolation Deployment
DirectAccess Capacity Planning
Additional DirectAccess Resources
Appendix A: DirectAccess Requirements
Appendix B: Reviewing Key DirectAccess Concepts

Identifying Your DirectAccess Deployment Goals

This topic describes design considerations for DirectAccess in Windows Server 2008 R2.

Important
For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (http://go.microsoft.com/fwlink/?LinkId=179988).

Correctly identifying your DirectAccess deployment goals is essential for the success of your DirectAccess design project. Depending on the size of your organization and the level of involvement you are expecting from the information technology (IT) staff in any partner organizations, form a project team that can clearly articulate real-world deployment issues in a vision statement. Make sure that the members of this team understand the direction in which your deployment project must move in order to reach your DirectAccess deployment goals.

When you write your vision statement, take steps to identify, clarify, and refine your deployment goals. Prioritize and, if necessary, combine your deployment goals so that you can design and deploy DirectAccess by using an iterative approach. You can take advantage of existing, documented, and predefined DirectAccess deployment goals that are relevant to the DirectAccess designs and develop a working solution for your scenarios.

The following table lists the three main tasks for articulating, refining, and documenting your DirectAccess deployment goals.

Deployment goal task: Evaluate predefined DirectAccess deployment goals that are provided in this section of the guide and combine one or more goals to reach your organizational objectives.
Reference links: Transparent and Automatic Remote Access for DirectAccess Clients; Ongoing Management of Remote DirectAccess Clients; Efficient Routing of Intranet and Internet Traffic; Reduction of Remote Access-based Servers in your Edge Network; End-to-end Traffic Protection; Multi-factor Credentials for Intranet Access

Deployment goal task: Map one goal or a combination of any of the predefined DirectAccess deployment goals to a DirectAccess design.
Reference links: Mapping Your Deployment Goals to a DirectAccess Design

Deployment goal task: Document your deployment goals and other important details for your DirectAccess design.
Reference links: Appendix C: Documenting Your DirectAccess Design

Transparent and Automatic Remote Access for DirectAccess Clients

This topic describes design considerations for DirectAccess in Windows Server 2008 R2.

Important
For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (http://go.microsoft.com/fwlink/?LinkId=179988).

DirectAccess enhances the productivity of mobile workers by connecting their computers automatically and seamlessly to their intranet any time Internet access is available. The user does not have to remember to initiate a virtual private network (VPN) connection every time that they need to access intranet resources. With DirectAccess, intranet file shares, Web sites, and line-of-business applications remain accessible wherever you have an Internet connection, in the same way as if you were directly connected to the intranet.

Ongoing Management of Remote DirectAccess Clients

This topic describes design considerations for DirectAccess in Windows Server 2008 R2.

Important
For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (http://go.microsoft.com/fwlink/?LinkId=179988).

With current virtual private network (VPN) solutions, the remote computer is connected to the intranet only intermittently. This model of user-initiated connections makes it difficult for information technology (IT) staff to keep remote computers current with the latest updates and security policies. The management gap can be reduced by checking for and requiring system health updates before completing the VPN connection. However, such requirements can add substantial wait times to the VPN connection process.

With DirectAccess, IT staff can manage mobile computers by updating Group Policy settings and distributing software updates any time the mobile computer has Internet connectivity, even if the user is not logged on. This flexibility allows IT staff to manage remote computers as if they were directly connected to the intranet and ensures that mobile users stay up-to-date with security and system health policies.

Efficient Routing of Intranet and Internet Traffic

This topic describes design considerations for DirectAccess in Windows Server 2008 R2.

Important
For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (http://go.microsoft.com/fwlink/?LinkId=179988).

DirectAccess separates intranet from Internet traffic, which reduces unnecessary traffic on the intranet by sending only traffic destined for the intranet through the DirectAccess server. Some virtual private network (VPN) solutions use Network layer routing table entries to separate intranet from Internet traffic, in a configuration known as split-tunneling. DirectAccess performs this separation in the Application layer, through more intelligent name resolution, and in the Network layer, by summarizing the IPv6 address space of an entire organization with IPv6 address prefixes. Rather than directing traffic solely based on a destination address, DirectAccess clients also direct traffic based on the name needed by the application.

DirectAccess clients use a Name Resolution Policy Table (NRPT) that contains Domain Name System (DNS) namespace rules and a corresponding set of intranet DNS servers that resolve names for that DNS namespace. When an application on a DirectAccess client attempts to resolve a name, it first compares the name with the rules in the NRPT. If there is a match, the DirectAccess client uses a protected query to the specified intranet DNS servers to resolve the name to intranet addresses and establish connections. If there are no matches, the DirectAccess client uses Internet DNS servers to resolve the name to Internet addresses and establish connections.
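The two-layer decision described above, modeled as an added example (this is not code from the guide, nor the Windows implementation of the NRPT): an NRPT with one DNS suffix rule and one rule that lists no DNS servers, selection of the most specific matching rule, and the destination-prefix check that decides whether a resolved address is sent through the DirectAccess server. The domain names, the DNS server addresses, the 2001:db8:1::/48 prefix, the use of a rule without DNS servers as an exemption for the network location server, and the longest-match rule selection are all assumptions made for this model.

```python
"""Model of a DirectAccess client's name-resolution and routing decision.

Added example, not code from the guide or from Windows. Names, DNS server
addresses and the IPv6 prefix are constructed sample values.
"""
from dataclasses import dataclass, field
from ipaddress import IPv6Network, ip_address
from typing import Dict, List, Optional


@dataclass
class NrptRule:
    # A namespace that starts with '.' is a DNS suffix rule; any other value
    # is matched as a single fully qualified domain name (FQDN).
    namespace: str
    # IPv6 addresses of the intranet DNS servers that answer for this namespace.
    # An empty list models an exemption rule (assumption): the name is resolved
    # with the interface's normal Internet DNS servers even though it lies
    # inside an intranet namespace, as for the network location server.
    dns_servers: List[str] = field(default_factory=list)


def _matches(rule_namespace: str, name: str) -> bool:
    """Suffix rules match any name inside the suffix; FQDN rules match exactly."""
    name = name.lower().rstrip(".")
    ns = rule_namespace.lower().rstrip(".")
    if ns.startswith("."):
        return name.endswith(ns) or name == ns[1:]
    return name == ns


def select_rule(nrpt: List[NrptRule], name: str) -> Optional[NrptRule]:
    """Most specific (longest) matching namespace wins; None when nothing matches."""
    candidates = [r for r in nrpt if _matches(r.namespace, name)]
    return max(candidates, key=lambda r: len(r.namespace)) if candidates else None


def resolver_for(nrpt: List[NrptRule], name: str) -> str:
    """'intranet': protected query to the rule's intranet DNS servers.
    'internet': no matching rule, or an exemption rule -> interface DNS servers."""
    rule = select_rule(nrpt, name)
    if rule is None or not rule.dns_servers:
        return "internet"
    return "intranet"


def route_via_directaccess(intranet_prefixes: List[str], address: str) -> bool:
    """Network-layer check: only IPv6 destinations inside the organization's
    summarized prefixes are sent through the DirectAccess server; everything
    else, including every IPv4 destination, leaves the client directly."""
    addr = ip_address(address)
    if addr.version != 6:
        return False
    return any(addr in IPv6Network(prefix) for prefix in intranet_prefixes)


# Constructed sample policy: one intranet suffix rule, one exemption for the
# network location server, and the organization's summarized IPv6 prefix.
SAMPLE_NRPT = [
    NrptRule(".corp.example.com", ["2001:db8:1::10", "2001:db8:1::11"]),
    NrptRule("nls.corp.example.com"),
]
SAMPLE_PREFIXES = ["2001:db8:1::/48"]


def decide(name: str, resolved_address: str) -> Dict[str, object]:
    """Combine both layers for one connection attempt by an application."""
    return {
        "name": name,
        "resolver": resolver_for(SAMPLE_NRPT, name),
        "via_directaccess": route_via_directaccess(SAMPLE_PREFIXES, resolved_address),
    }


if __name__ == "__main__":
    for name in ("files.corp.example.com", "nls.corp.example.com", "www.example.com"):
        print(f"{name}: resolved with {resolver_for(SAMPLE_NRPT, name)} DNS servers")
    for addr in ("2001:db8:1:5::20", "2001:db8:9::1", "203.0.113.5"):
        print(f"{addr}: via DirectAccess server = {route_via_directaccess(SAMPLE_PREFIXES, addr)}")
```

The point the model makes visible is that the name decision and the address decision are independent checks: a name outside the NRPT namespaces never triggers a protected query, and an address outside the summarized intranet prefixes never enters the tunnel, so Internet-bound traffic is kept off the DirectAccess server by both layers.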

Reduction of Remote Access-based Servers in your Edge Network

This topic describes design considerations for DirectAccess in Windows Server 2008 R2.

Important
For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (http://go.microsoft.com/fwlink/?LinkId=179988).

With DirectAccess, you can reduce your dependence on remote access and application edge servers, leading to an edge network with fewer servers that provide access to intranet resources or applications. For example, the number of application edge servers can be reduced as the number of DirectAccess clients increases, because DirectAccess clients can now directly access the corresponding application servers on the intranet.

End-to-end Traffic Protection

This topic describes design considerations for DirectAccess in Windows Server 2008 R2.

Important
For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (http://go.microsoft.com/fwlink/?LinkId=179988).

You can specify that the traffic between DirectAccess clients and intranet application servers is protected end-to-end. In most virtual private network (VPN) solutions, the protection only extends to the VPN server. This capability for end-to-end traffic protection provides additional security for computers that are outside of the intranet. Additionally, by leveraging the flexibility and control that is possible with connection security rules in Windows Firewall with Advanced Security, you can specify that the end-to-end protection include encryption and not require that the traffic be tunneled to the DirectAccess server.

Multi-factor Credentials for Intranet Access

This topic describes design considerations for DirectAccess in Windows Server 2008 R2.

Important
For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (http://go.microsoft.com/fwlink/?LinkId=179988).

In typically deployed access models, DirectAccess clients create two tunnels to the DirectAccess server. The first tunnel, the infrastructure tunnel, provides access to intranet Domain Name System (DNS) servers, Active Directory Domain Services (AD DS) domain controllers, and other infrastructure and management servers. The second tunnel, the intranet tunnel, provides access to intranet resources such as Web sites, file shares, and other application servers.

To provide an additional layer of security for traffic sent over the intranet tunnel, you can specify that the intranet tunnel also require smart card authorization, which enforces the use of multiple sets of credentials to access intranet resources. Multi-factor credentials for the intranet tunnel use the new tunnel-mode authorization feature of Windows Firewall with Advanced Security in Windows 7 and Windows Server 2008 R2, which allows you to specify that only authorized computers or users can establish an inbound tunnel.

Mapping Your Deployment Goals to a DirectAccess Design

This topic describes design considerations for DirectAccess in Windows Server 2008 R2.

Important
For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (http://go.microsoft.com/fwlink/?LinkId=179988).

After you have reviewed the DirectAccess deployment goals and determined which are appropriate for your organization, you can map those goals to a specific design.

The following table shows how well the DirectAccess designs meet the deployment goals discussed in Identifying Your DirectAccess Deployment Goals.

DirectAccess deployment goal: Transparent and automatic remote access for DirectAccess clients
DirectAccess elements or features: Functionality in the DirectAccess server and clients

DirectAccess deployment goal: Ongoing management of remote DirectAccess clients
DirectAccess elements or features: Bidirectional connections whenever the computer is connected to the Internet

DirectAccess deployment goal: Efficient routing of intranet and Internet traffic
DirectAccess elements or features: Use of the Name Resolution Policy Table (NRPT) and Internet Protocol version 6 (IPv6) to separate Internet and intranet traffic

DirectAccess deployment goal: Reduction of remote access-based servers in your edge network
DirectAccess elements or features: Access to intranet resources through the DirectAccess server

DirectAccess deployment goal: End-to-end traffic protection
DirectAccess elements or features: The selected server and end-to-end access models

DirectAccess deployment goal: Multi-factor credentials for intranet access
DirectAccess elements or features: Smart card authorization on the intranet tunnel

Evaluating DirectAccess Design Examples

Important: This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (http://go.microsoft.com/fwlink/?LinkId=179988).

The following design examples illustrate the way in which DirectAccess deployment scenarios work to provide transparent access to intranet resources.

• Full Intranet Access Example
• Full Intranet Access with Smart Cards Example
• Selected Server Access Example
• End-to-end Access Example

You can use these examples to determine the design or combination of designs that best suits the needs of your organization.

Full Intranet Access Example

Important: This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (http://go.microsoft.com/fwlink/?LinkId=179988).

Full intranet access allows DirectAccess clients to connect to all of the Internet Protocol version 6 (IPv6)-reachable resources inside the intranet. The DirectAccess client uses Internet Protocol security (IPsec) to create two encrypted tunnels to the Internet interface of the DirectAccess server. The first tunnel, known as the infrastructure tunnel, allows the DirectAccess client to access Domain Name System (DNS) servers, Active Directory Domain Services (AD DS) domain controllers, and other infrastructure and management servers. The second tunnel, known as the intranet tunnel, allows the DirectAccess client to access intranet resources. The infrastructure tunnel uses computer authentication and the intranet tunnel uses both computer and user authentication.

After the intranet tunnel is established, the DirectAccess client can exchange traffic with intranet application servers. This traffic is encrypted by the tunnel for its journey across the Internet. By default, the DirectAccess server acts as an IPsec gateway, terminating the IPsec tunnels for the DirectAccess client.

The following figure shows an example of full intranet access.

When the DirectAccess client starts up and determines that it is on the Internet, it creates the tunnels to the DirectAccess server and begins normal communications with intranet infrastructure servers such as AD DS domain controllers and application servers as if it were directly connected to the intranet.

This design does not require IPsec protection for traffic on the intranet and is structurally very similar to current remote access virtual private network (VPN) scenarios.

Note: To demonstrate full intranet access for DirectAccess, set up the DirectAccess test lab (http://go.microsoft.com/fwlink/?Linkid=150613).

Full Intranet Access with Smart Cards Example

Important: This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (http://go.microsoft.com/fwlink/?LinkId=179988).

Full intranet access with smart cards is the full intranet access design plus the use of smart cards to provide an additional level of authorization for the intranet tunnel. The DirectAccess server enforces the use of smart card credentials when the DirectAccess client computer attempts to access an intranet resource.

The following figure shows an example of full intranet access with smart cards.

When a user on the DirectAccess client logs on to their computer with the smart card, they obtain transparent access to intranet resources. If they log on to the computer using domain credentials, such as a user name and password combination, and attempt to access the intranet, Windows displays a message in the notification area instructing them to enter their smart card credentials. The user then inserts their smart card and provides their smart card personal identification number (PIN) to access intranet resources.

This notification message fades away in five seconds or may be covered by other notifications in a shorter amount of time, but an icon displaying a pair of keys stays in the notification area. If the user misses the notification, the keys icon is available in the overflow tray, and clicking it launches the credential prompt again.

Note: If the user closes the smart card credential prompt from the notification area, there is no way of relaunching it, nor will the keys icon show up in the overflow tray again. The user must lock their computer and then unlock it with their smart card to access the intranet.

Selected Server Access Example

Important: This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (http://go.microsoft.com/fwlink/?LinkId=179988).

Selected server access allows you to confine the access of DirectAccess clients to a specific set of intranet application servers and deny access to all other locations on the intranet. Intranet access requires end-to-end Internet Protocol security (IPsec) protection from the DirectAccess client to the specified servers. This provides an additional layer of IPsec peer authentication and data integrity for end-to-end traffic, so that DirectAccess clients can verify that they are communicating with specific servers.

The following figure shows an example of selected server access.

By default, the DirectAccess client and selected servers perform IPsec peer authentication using computer credentials and protect the traffic with Encapsulating Security Payload (ESP)-NULL for data integrity.

You can also use selected server access to require end-to-end IPsec protection from the DirectAccess client to specified servers and allow access to all other locations on the intranet. Traffic to other intranet application servers is not protected with IPsec peer authentication and data integrity. The intranet tunnel between the DirectAccess client and server provides encryption for both types of intranet traffic across the Internet.

Note: To demonstrate selected server access, configure the DirectAccess test lab (http://go.microsoft.com/fwlink/?Linkid=150613) with the Selected Server Access extension (http://go.microsoft.com/fwlink/?LinkId=192278).

Using authentication with null encapsulation for selected server access

Authentication with null encapsulation is a new feature of Windows Firewall with Advanced Security for Windows 7 and Windows Server 2008 R2. Some intranets contain hardware that cannot parse or forward IPsec-protected traffic. With authentication with null encapsulation enabled, IPsec peers perform normal IPsec peer authentication and include IPsec data integrity on the first packet exchanged. Subsequent packets are sent as clear text with no IPsec protection, so the feature provides peer authentication only, not per-packet integrity or confidentiality. This allows you to use IPsec for peer authentication in environments that do not support IPsec-protected traffic flows. You can enable authentication with null encapsulation for DirectAccess when using selected server access.

Note: Authentication with null encapsulation is not the same as using ESP-NULL for per-packet data integrity.

End-to-end Access Example

Important: This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (http://go.microsoft.com/fwlink/?LinkId=179988).

End-to-end access removes the infrastructure and intranet tunnels to the DirectAccess server. All intranet traffic is end-to-end between DirectAccess clients and intranet application servers and is encrypted with Internet Protocol security (IPsec). In this configuration, the DirectAccess server no longer terminates IPsec tunnels. It acts as a pass-through device, allowing the IPsec-protected traffic to pass between the DirectAccess client and the application servers. A component of the DirectAccess server, known as IPsec Denial of Service Protection (DoSP), monitors the IPsec traffic to help prevent malicious users on the Internet from launching DoS attacks against intranet resources.

The following figure shows an example of end-to-end access.

The DirectAccess client and intranet application servers should be configured to perform IPsec peer authentication using computer credentials and to protect the traffic with Encapsulating Security Payload (ESP) for data confidentiality (encryption) and integrity.

Planning a DirectAccess Deployment Strategy

Important: This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (http://go.microsoft.com/fwlink/?LinkId=179988).

The following are some critical questions to consider as you develop a deployment strategy for DirectAccess, with links to corresponding topics in this Design Guide. Answering these questions will help you create a strategy that is cost-effective and resource-efficient.

• Which intranet resources will be available to DirectAccess clients? For more information, see Resources Available to DirectAccess Clients.
• How do I either enable Internet Protocol version 6 (IPv6) on my intranet or have DirectAccess use my existing IPv6 infrastructure? For more information, see Choose an Intranet IPv6 Connectivity Design.
• What options do I have to make Internet Protocol version 4 (IPv4)-only resources available for DirectAccess clients? For more information, see Choose Solutions for IPv4-only Intranet Resources.
• Which access models are there to choose from? For more information, see Choose an Access Model.
• What options do I have to configure DirectAccess? For more information, see Choose a Configuration Method.
• Which computers do I need to designate as management servers that will initiate connections to DirectAccess clients? For more information, see Design for Remote Management.
• What packet filters do I need to add to my firewalls and computers in my organization? For more information, see Design Packet Filtering for DirectAccess.


• What support is needed from third-party host firewalls? For more information, see DirectAccess and Third-party Host Firewalls.
• What authentication and authorization options do I have? For more information, see Choose an Authentication and Authorization Scheme.
• What addressing and routing do I need to configure on my DirectAccess server? For more information, see Design Addressing and Routing for the DirectAccess Server.
• How does DirectAccess leverage or utilize Active Directory Domain Services (AD DS)? For more information, see Choose an Authentication and Authorization Scheme.
• How do I design my Domain Name System (DNS) infrastructure for DirectAccess? For more information, see Design Your DNS Infrastructure for DirectAccess.
• How do I design my public key infrastructure (PKI) for DirectAccess? For more information, see Design Your PKI for DirectAccess.
• How do I design my internal and external Web infrastructure for DirectAccess? For more information, see Design Your Web Servers for DirectAccess.
• What options are there for separating or combining intranet and Internet traffic for DirectAccess clients? For more information, see Choose an Internet Traffic Separation Design.
• How do I ensure that traffic between DirectAccess clients on the Internet is protected? For more information, see Design Protection for Traffic between DirectAccess Clients.
• How do I ensure that DirectAccess clients can detect connectivity to the intranet? For more information, see Design Your Intranet for Corporate Connectivity Detection.
• How does DirectAccess co-exist with my current remote access virtual private network (VPN) solution? For more information, see Choose a DirectAccess and VPN Coexistence Design.
• Should I use the DirectAccess Connectivity Assistant (DCA)? For more information, see Use the DirectAccess Connectivity Assistant (DCA).

Resources Available to DirectAccess Clients

Important: This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (http://go.microsoft.com/fwlink/?LinkId=179988).

When designing your DirectAccess deployment, you must determine how DirectAccess clients will reach all of the desired intranet resources.

IPv6 resources on your intranet

DirectAccess relies on Internet Protocol version 6 (IPv6) for end-to-end connectivity between the DirectAccess client and an intranet endpoint. DirectAccess clients only send IPv6 traffic across the connection to the DirectAccess server. Therefore, DirectAccess clients can only communicate using applications that support IPv6 and connect to intranet resources that are reachable with IPv6. Internet Protocol version 4 (IPv4)-only applications on the DirectAccess client cannot be used to access intranet application servers with DirectAccess.

The recommended configuration for your intranet is to have IPv6 connectivity to your intranet resources. This requires the following:

• An intranet infrastructure that supports the forwarding of IPv6 traffic.
• IPv6-capable applications on computers that run an operating system that supports an IPv6 protocol stack.

An intranet infrastructure that supports forwarding IPv6 traffic can be achieved in the following ways:

• Configure your intranet infrastructure to support native IPv6 addressing and routing. Computers running Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2 use IPv6 by default. Although few organizations today have a native IPv6 infrastructure, this is the preferred and recommended connectivity method. For the most seamless intranet connectivity for DirectAccess clients, organizations should deploy a native IPv6 infrastructure, typically alongside their existing IPv4 infrastructure.
• Deploy Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) on your intranet. Without a native IPv6 infrastructure, you can use ISATAP to make intranet servers and applications reachable by tunneling IPv6 traffic over your IPv4-only intranet. Deploying ISATAP consists of setting up one or more ISATAP routers that provide address configuration and default routing for ISATAP hosts on your intranet. Computers running Windows 7 or Windows Server 2008 R2 support ISATAP host functionality and can be configured to act as ISATAP routers.

If you do not have a native IPv6 infrastructure or ISATAP on your intranet, the DirectAccess Setup Wizard will automatically configure the DirectAccess server as the ISATAP router for your intranet.

Applications that are end-to-end reachable by DirectAccess clients must be IPv6-capable and running on an operating system that supports an IPv6 protocol stack with native IPv6 or ISATAP host capability.

For applications running on versions of Windows:

• Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008 support an IPv6 protocol stack, and all built-in components and system services are IPv6-capable. These versions of Windows are highly recommended.
• Windows XP and Windows Server 2003 have an IPv6 protocol stack, but many built-in components, system services, and applications are not IPv6-capable. Therefore, in most cases, applications running on computers running Windows XP or Windows Server 2003 are not reachable by DirectAccess clients over IPv6. For the solutions for providing DirectAccess connectivity to applications running on Windows XP and Windows Server 2003-based computers, see Choose Solutions for IPv4-only Intranet Resources.

For applications running on non-Windows operating systems, verify that both the operating system and the applications support IPv6 and are reachable over native IPv6 or ISATAP.

IPv4-only resources on the intranet

Because DirectAccess clients only send IPv6 traffic to the DirectAccess server, users on DirectAccess clients cannot use IPv4-only client applications to reach IPv4-only resources on your intranet. Examples of IPv4-only resources are the following:

• Applications running on Windows 2000 or prior versions of Windows.
• The built-in applications and system services running on Windows XP and Windows Server 2003 that are not IPv6-capable.
• For applications that are not built in to Windows, check with the software vendor to ensure that the application is IPv6-capable. Applications that only use IPv4, such as Office Communications Server (OCS), cannot by default be reached by DirectAccess clients.

However, IPv6-capable applications can reach IPv4-only resources on your intranet by using an IPv6/IPv4 translation device or service such as a NAT64/DNS64. For the solutions for providing connectivity for DirectAccess clients to IPv4-only resources, see Choose Solutions for IPv4-only Intranet Resources.

Using an IPv4-only intranet

It is possible to use DirectAccess with an IPv4-only intranet, but you must use a NAT64/DNS64 device between your DirectAccess clients and your intranet, and you no longer have the ability to remotely manage DirectAccess clients from the intranet. For information about providing connectivity for DirectAccess clients to an IPv4-only intranet, see Choose Solutions for IPv4-only Intranet Resources.

When the DirectAccess client physically connects to your IPv4-only intranet or an IPv4-only subnet of your intranet, it is possible in some situations for the client to use Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS) to access the intranet through a proxy server and the DirectAccess server, instead of using normal IPv4-based connectivity. This can cause problems for some applications. To prevent this behavior, configure Windows Firewall rules to block traffic between your proxy servers and your DirectAccess servers. For more information, see Configure Firewall Rules to Prevent Traffic between Proxy Servers and DirectAccess Servers.

Limiting connectivity to selected resources

With the selected server access model, you can limit the access of DirectAccess clients to a specific set of servers identified by membership in Active Directory security groups. The following figure shows an example of using selected server access to restrict intranet access to specific application servers.

For more information, see Selected Server Access Example.

IPv6 resources on the IPv6 Internet

By default, Windows 7 and Windows Server 2008 R2-based computers attempt to resolve the name 6to4.ipv6.microsoft.com to determine the IPv4 address of a 6to4 relay and teredo.ipv6.microsoft.com to determine the IPv4 addresses of Teredo servers on the IPv4 Internet. With the 6to4 relay at 6to4.ipv6.microsoft.com and the Teredo servers at teredo.ipv6.microsoft.com, Windows 7-based clients on the IPv4 Internet can reach the IPv6 Internet.

When Windows 7 and Windows Server 2008 R2-based computers are configured as DirectAccess clients, the DirectAccess server becomes the 6to4 relay and the Teredo server so that DirectAccess clients can tunnel IPv6 traffic destined for the intranet to the DirectAccess server. If the DirectAccess server does not also forward default route traffic to the IPv6 Internet, DirectAccess clients will not be able to reach the IPv6 Internet.

If you want DirectAccess clients to reach the IPv6 Internet, configure the DirectAccess server with one of the following:

• A direct, native connection to the IPv6 Internet. Configure the DirectAccess server to forward default route traffic using its native connection to the IPv6 Internet. You can also use a separate router for your connection to the IPv6 Internet and configure the DirectAccess server to forward its default route traffic to the router.
• A 6to4-tunneled connection to the IPv6 Internet. Configure the DirectAccess server to forward default route traffic using the Microsoft 6to4 Adapter interface to a 6to4 relay on the IPv4 Internet. You can configure a DirectAccess server for the IPv4 address of the Microsoft 6to4 relay on the IPv4 Internet with the netsh interface ipv6 6to4 set relay name=192.88.99.1 state=enabled command. Use 192.88.99.1, the IPv4 anycast address of 6to4 relays on the Internet, unless your Internet service provider recommends a specific unicast IPv4 address of the 6to4 relay that they maintain.

For more information, see Connect to the IPv6 Internet in the DirectAccess Deployment Guide.
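As an added example that is not part of this guide, the following Python script derives the IPv6 addresses that the two transition technologies discussed in this topic form from an IPv4 address: the ISATAP address an intranet host builds on its ISATAP router's prefix (the "IPv6 resources on your intranet" section) and the 2002::/16 prefix and host address that the Microsoft 6to4 Adapter derives from the DirectAccess server's public IPv4 address (this section), plus a check that a configured 6to4 relay address is the 192.88.99.1 anycast relay. The prefix and IPv4 addresses used in it are constructed sample values, and the address formats follow RFC 5214 (ISATAP), RFC 3056 (6to4), and RFC 3068 (6to4 anycast relay).

```python
import ipaddress

# ISATAP interface identifier (RFC 5214): the upper 32 bits are 0000:5efe when the
# embedded IPv4 address is private and 0200:5efe (u/l bit set) when it is globally
# unique; the lower 32 bits are the IPv4 address itself.
ISATAP_IID_PRIVATE = 0x00005EFE << 32
ISATAP_IID_PUBLIC = 0x02005EFE << 32

# 6to4 (RFC 3056) site prefixes are 2002:WWXX:YYZZ::/48, and the IPv4 anycast
# address range for 6to4 relays (RFC 3068) is 192.88.99.0/24.
SIX_TO_FOUR_TOP16 = 0x2002
SIX_TO_FOUR_RELAY_ANYCAST = ipaddress.IPv4Network("192.88.99.0/24")


def isatap_address(ipv6_prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """ISATAP address an intranet host forms on a /64 prefix from its IPv4 address.

    Use "fe80::/64" for the link-local ISATAP address, or the /64 that the ISATAP
    router advertises for the host's global or unique-local ISATAP address.
    """
    net = ipaddress.IPv6Network(ipv6_prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("ISATAP addresses are formed on a /64 prefix")
    v4 = ipaddress.IPv4Address(ipv4)
    top = ISATAP_IID_PRIVATE if v4.is_private else ISATAP_IID_PUBLIC
    return ipaddress.IPv6Address(int(net.network_address) | top | int(v4))


def six_to_four_prefix(public_ipv4: str) -> ipaddress.IPv6Network:
    """The 2002:WWXX:YYZZ::/48 site prefix derived from a public IPv4 address."""
    v4 = ipaddress.IPv4Address(public_ipv4)
    if v4.is_private:
        raise ValueError("6to4 requires a public IPv4 address")
    return ipaddress.IPv6Network(((SIX_TO_FOUR_TOP16 << 112) | (int(v4) << 80), 48))


def six_to_four_host_address(public_ipv4: str) -> ipaddress.IPv6Address:
    """Address of the form 2002:WWXX:YYZZ::WWXX:YYZZ, the address the Microsoft
    6to4 Adapter assigns itself on a host with that public IPv4 address."""
    v4 = ipaddress.IPv4Address(public_ipv4)
    prefix = six_to_four_prefix(public_ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def is_6to4_anycast_relay(relay_ipv4: str) -> bool:
    """True when a relay address (such as the name= value given to the netsh
    6to4 set relay command above) is in the 6to4 anycast relay range."""
    return ipaddress.IPv4Address(relay_ipv4) in SIX_TO_FOUR_RELAY_ANYCAST


if __name__ == "__main__":
    # Constructed sample values: a private intranet host on a unique-local /64
    # advertised by the ISATAP router, and a DirectAccess server whose
    # Internet-facing IPv4 address is public.
    print("ISATAP link-local:", isatap_address("fe80::/64", "10.0.0.5"))
    print("ISATAP global:", isatap_address("fd3c:1a2b:3c4d:1::/64", "10.0.0.5"))
    print("6to4 site prefix:", six_to_four_prefix("131.107.0.1"))
    print("6to4 adapter address:", six_to_four_host_address("131.107.0.1"))
    print("192.88.99.1 is anycast relay:", is_6to4_anycast_relay("192.88.99.1"))
```

Comparing these derived values with the output of netsh interface ipv6 show address on an intranet host or the DirectAccess server is a quick way to confirm that ISATAP and 6to4 are using the prefixes you expect.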

Choose an Intranet IPv6 Connectivity Design

This topic describes desi