8/2/2019 45077789 DA Design Dep Guide
1/309
DirectAccess for Windows Server 2008 R2
Design, Deployment, and Troubleshooting Guides
Microsoft Corporation
Published: December 2009
Updated: September 2010
Author: Joe Davies
Editor: Scott Somahano
Abstract
This document contains the Design Guide, Deployment Guide, and Troubleshooting Guide for DirectAccess in Windows Server 2008 R2. These guides help you to design and deploy DirectAccess servers, DirectAccess clients, and infrastructure servers on your intranet and troubleshoot common DirectAccess problems. Use the Design Guide to answer the What, Why, and When questions a deployment design team might ask before deploying DirectAccess in a production environment. Use the Deployment Guide to answer the How questions a deployment team might ask when implementing a DirectAccess design. Use the Troubleshooting Guide for task-oriented information to help you identify and resolve problems quickly and perform root-cause analysis of incidents and problems with the elements of a DirectAccess infrastructure.
The information contained in this document represents the current view of Microsoft Corporation
on the issues discussed as of the date of publication. Because Microsoft must respond to
changing market conditions, it should not be interpreted to be a commitment on the part of
Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the
date of publication.
The DirectAccess Design, Deployment, and Troubleshooting Guides are for informational
purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY,
AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the
rights under copyright, no part of this document may be reproduced, stored in or introduced into a
retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission
of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the companies, organizations, products, domain names, e-mail
addresses, logos, people, places, and events depicted in examples herein are fictitious. No
association with any real company, organization, product, domain name, e-mail address, logo,
person, place, or event is intended or should be inferred.
© 2009 Microsoft Corporation. All rights reserved.
Microsoft, Windows, Windows Server, Windows Vista, and Active Directory are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
This white paper reflects content that was published on Microsoft TechNet as of September 1,
2010. The corresponding content published on TechNet after this date might contain changes. For
the latest information, see the following documents:
DirectAccess Design Guide (http://go.microsoft.com/fwlink/?LinkID=161985)
DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=166398)
DirectAccess Troubleshooting Guide (http://go.microsoft.com/fwlink/?LinkId=165904)
Contents
DirectAccess for Windows Server 2008 R2 .......... 1
Design, Deployment, and Troubleshooting Guides .......... 1
Abstract .......... 1
Contents .......... 3
DirectAccess Design Guide .......... 13
About this guide .......... 13
Understanding the DirectAccess Design Process .......... 14
Identifying Your DirectAccess Deployment Goals .......... 15
Transparent and Automatic Remote Access for DirectAccess Clients .......... 16
Ongoing Management of Remote DirectAccess Clients .......... 16
Efficient Routing of Intranet and Internet Traffic .......... 17
Reduction of Remote Access-based Servers in your Edge Network .......... 17
End-to-end Traffic Protection .......... 18
Multi-factor Credentials for Intranet Access .......... 18
Mapping Your Deployment Goals to a DirectAccess Design .......... 19
Evaluating DirectAccess Design Examples .......... 20
Full Intranet Access Example .......... 20
Full Intranet Access with Smart Cards Example .......... 21
Selected Server Access Example .......... 22
Using authentication with null encapsulation for selected server access .......... 23
End-to-end Access Example .......... 24
Planning a DirectAccess Deployment Strategy .......... 25
Resources Available to DirectAccess Clients .......... 26
IPv6 resources on your intranet .......... 26
IPv4-only resources on the intranet .......... 27
Using an IPv4-only intranet .......... 28
Limiting connectivity to selected resources .......... 28
IPv6 resources on the IPv6 Internet .......... 29
Choose an Intranet IPv6 Connectivity Design .......... 30
No existing IPv6 infrastructure .......... 30
Existing ISATAP infrastructure .......... 31
Existing native IPv6 infrastructure .......... 31
Choose Solutions for IPv4-only Intranet Resources .......... 32
Choose an Access Model .......... 34
Full Intranet Access .......... 34
Selected Server Access .......... 35
End-to-End Access .......... 36
Choose a Configuration Method .......... 37
DirectAccess Management Console .......... 37
Custom configuration using the Network Shell (Netsh) command-line tool and Group Policy .......... 37
Design for Remote Management .......... 38
Design for Intranet Server Availability Prior to User Logon .......... 39
Design Packet Filtering for DirectAccess .......... 41
Packet Filters for Your Internet Firewall .......... 41
Packet Filters for Your Intranet Firewall .......... 43
Confining ICMPv6 Traffic to the Intranet .......... 43
Packet filters for Teredo Connectivity .......... 45
Packet filters to allow inbound ICMP Echo Requests on all computers .......... 45
Enable edge traversal on inbound management traffic .......... 46
Enable inbound ICMPv6 Echo Requests for management traffic .......... 46
Packet Filters for Management Computers .......... 46
DirectAccess and Third-party Host Firewalls .......... 47
Choose an Authentication and Authorization Scheme .......... 48
Additional end-to-end peer authentication for selected server access .......... 49
Peer authentication for end-to-end access .......... 49
Smart cards for additional authorization .......... 50
Allowing access for users with unusable smart cards .......... 50
Prompts for smart card credentials while on the intranet .......... 50
Under the covers: Smart card authorization .......... 51
Design Addressing and Routing for the DirectAccess Server .......... 52
IPv4 address and routing configuration .......... 52
IPv6 address and routing configuration .......... 53
Design Active Directory for DirectAccess .......... 54
Active Directory and the DirectAccess server .......... 55
Active Directory Sites and Services configuration .......... 55
DirectAccess and user profiles for remote users .......... 56
Design Your DNS Infrastructure for DirectAccess .......... 57
Split-brain DNS .......... 57
DNS server requirements for ISATAP .......... 58
AAAA records for servers that do not perform DNS dynamic update .......... 58
Local name resolution behavior for DirectAccess clients .......... 59
NRPT rules .......... 59
DNS server querying behavior for DirectAccess clients .......... 61
Unqualified, single-label names and DNS search suffixes .......... 61
External DNS .......... 62
Design Your PKI for DirectAccess .......... 62
Autoenrollment for computer certificates .......... 62
Manual enrollment for network location server and IP-HTTPS certificates .......... 63
Certificate revocation checking and CRL distribution points .......... 64
Using a commercial CA for the IP-HTTPS certificate .......... 65
Enabling strong CRL checking for IPsec authentication .......... 65
Smart cards for additional authorization .......... 66
Using Suite B certificates for DirectAccess .......... 66
Design Your Web Servers for DirectAccess .......... 66
Choose an Internet Traffic Separation Design .......... 68
Configure IPv4 Internet access .......... 69
Enable force tunneling .......... 69
Modify the NRPT .......... 70
Configure the use of IP-HTTPS .......... 70
Modify Internet firewall settings .......... 70
Design Protection for Traffic between DirectAccess Clients .......... 71
Design Your Intranet for Corporate Connectivity Detection .......... 73
Choose a DirectAccess and VPN Coexistence Design .......... 74
DirectAccess and third-party VPN clients .......... 75
Use the DirectAccess Connectivity Assistant (DCA) .......... 76
Planning the Placement of a DirectAccess Server .......... 76
When to Install a DirectAccess Server .......... 77
Where to Place the DirectAccess Server .......... 77
Planning Redundancy for a DirectAccess Server .......... 78
Planning the Placement of a Network Location Server .......... 79
Where to Place the Network Location Server .......... 80
Highly available intranet Web server as the network location server .......... 81
Authentication and authorization for the network location URL .......... 82
DirectAccess server as the network location server .......... 82
Planning Redundancy for a Network Location Server .......... 83
Planning the Placement of CRL Distribution Points .......... 83
Where to Place the CRL Distribution Points .......... 84
Intranet location for intranet detection .......... 84
Internet location for IP-HTTPS connections .......... 84
Planning Redundancy for CRL Distribution Points .......... 85
Planning DirectAccess with Network Access Protection (NAP) .......... 85
Configuration changes for the infrastructure tunnel .......... 86
Configuration changes for the intranet tunnel .......... 87
Planning DirectAccess with an Existing Server and Domain Isolation Deployment .......... 88
Planning DirectAccess with Microsoft Forefront Threat Management Gateway .......... 89
DirectAccess Capacity Planning .......... 89
Capacity Planning for DirectAccess Servers .......... 90
Increasing the number of concurrent Teredo clients .......... 90
Moving the IPsec gateway function to a separate server .......... 90
Using DirectAccess with UAG .......... 92
Capacity Planning for Network Location Servers .......... 93
Capacity Planning for CRL Distribution Points .......... 93
Planning for Multi-site DirectAccess .......... 94
IPv6 connectivity for multi-site DirectAccess .......... 96
Native IPv6 connectivity .......... 96
ISATAP connectivity .......... 96
Active Directory for multi-site DirectAccess .......... 99
DNS for multi-site DirectAccess .......... 99
Intranet DNS records .......... 100
Internet DNS records .......... 100
NRPT .......... 100
PKI for multi-site DirectAccess .......... 101
Intranet CRL distribution points .......... 101
Certificate requirements for network location certificates .......... 102
Internet CRL distribution point .......... 102
Certificate requirements for IP-HTTPS certificates .......... 102
Network location servers for multi-site DirectAccess .......... 103
Force tunneling for multi-site DirectAccess .......... 104
Connection security rules for multi-site DirectAccess .......... 104
Additional DirectAccess Resources .......... 106
Appendix A: DirectAccess Requirements .......... 106
Appendix B: Reviewing Key DirectAccess Concepts .......... 108
IPv6 .......... 109
IPv6 connectivity across the IPv4 Internet .......... 109
6to4 .......... 109
Teredo .......... 109
IP-HTTPS .......... 109
IPv6 connectivity across an IPv4-only intranet .......... 110
IPsec .......... 110
Encryption .......... 111
Data integrity .......... 111
Separation of DNS traffic .......... 112
NRPT exemptions .......... 113
Network location detection .......... 113
The network location server .......... 113
How network location detection works .......... 114
Appendix C: Documenting Your DirectAccess Design .......... 115
Concepts .......... 115
Goals .......... 115
Infrastructure design plan .......... 116
Custom configuration plan .......... 116
Integration strategy .......... 116
Staging strategy .......... 117
Lessons learned .......... 117
DirectAccess Deployment Guide .......... 117
About this guide .......... 118
Planning Your DirectAccess Deployment .......... 118
Reviewing your DirectAccess design .......... 119
Reviewing DirectAccess concepts .......... 119
Implementing Your DirectAccess Design Plan .......... 120
How to implement your DirectAccess design using this guide .......... 120
Checklist: Staging a DirectAccess Deployment .......... 122
Checklist: Preparing Your Infrastructure for DirectAccess .......... 123
Checklist: Preparing Your DirectAccess Server .......... 125
Checklist: Implementing a DirectAccess Design for Full Intranet Access .......... 128
Checklist: Implementing a DirectAccess Design for Selected Server Access .......... 130
Checklist: Implementing a DirectAccess Design for End-to-End Access .......... 132
Checklist: Implementing a Redundant DirectAccess Design .......... 133
Checklist: Configuring Network Access Protection (NAP) with DirectAccess .......... 134
Checklist: Moving the IPsec Gateway to Another Server .......... 136
Procedures Used in this Guide .......... 137
Add Servers that are Available to DirectAccess Clients before User Logon .......... 138
Configure a CRL Distribution Point for Certificates .......... 140
Configure Active Directory Certificate Services for CRL Locations .......... 142
Configure Client Authentication and Certificate Mapping for IP-HTTPS Connections .......... 144
Configure Computer Certificate Autoenrollment .......... 145
Configure Connection Security Rules for End-to-end Access .......... 146
Configure Connection Security Rules for Traffic Between DirectAccess Clients .......... 148
Configure Corporate Connectivity Detection Settings .......... 149
Configure DirectAccess Connection Security Rules for NAP .......... 151
Configure Firewall Rules to Prevent Traffic between Proxy Servers and DirectAccess Servers .......... 153
Configure Force Tunneling for DirectAccess Clients .......... 155
Configure IIS for Network Location .......... 156
Configure Packet Filters to Allow ICMP Traffic .......... 158
Configure Packet Filters to Allow Management Traffic to DirectAccess Clients .......... 159
Configure Packet Filters to Block Access to Domain Controllers .......... 161
Configure Permissions on the Web Server Certificate Template .......... 162
Configure Settings to Confine ICMPv6 Traffic to the Intranet .......... 163
Configure Strong Certificate Revocation Checking for IPsec Authentication .......... 164
Configure the DirectAccess IPsec Gateway on a Different Server .......... 166
Configure the Intra-Server Subnet .......... 166
Configure the IPv6 Connectivity Server .......... 167
Configure the IPsec Gateway Server .......... 168
Configure the DirectAccess Server as the Network Location Server .......... 169
Configure the DirectAccess Setup Wizard for End-to-End Access .......... 170
Configure the DirectAccess Setup Wizard for Full Intranet Access .......... 173
Configure the DirectAccess Setup Wizard for Selected Server Access .......... 176
Configure the NRPT for an IPv6/IPv4 DNS Gateway .......... 179
Configure the NRPT with Group Policy .......... 180
Connect to the IPv6 Internet .......... 181
Create DirectAccess Groups in Active Directory .......... 182
Install a Network Location Server Certificate on the DirectAccess Server .......... 183
Install an IP-HTTPS Certificate .......... 185
Install and Configure IIS for a Network Location Server Certificate .......... 186
Install the DirectAccess Feature .......... 187
Remove ISATAP from the DNS Global Query Block List .......... 188
Appendix A - Manual DirectAccess Server Configuration .......... 189
Configure Internet access components .......... 189
Configure intranet access components .......... 190
Configure IPsec DoSP .......... 191
Configure connection security rules .......... 192
DirectAccess server configuration (full intranet access model) .......... 192
Connection security rules for client configuration (full intranet access model) .......... 192
Appendix B - Manual DirectAccess Client Configuration .......... 193
IPv6 transition technology settings .......... 194
NRPT .......... 195
Appendix C - DirectAccess User Interface Scripting .......... 195
Script usage .............................................................................................................................196
Log file .....................................................................................................................................196
Limitation of the script..............................................................................................................197
Appendix D - DirectAccessConfig.xsd ..................................................................................... ...197
DirectAccess Troubleshooting Guide ..........................................................................................211
In this guide ..............................................................................................................................211
Introduction to Troubleshooting DirectAccess .............................................................................212
When to use this guide ............................................................................................................212
How to use this guide ......................................................................................................... .....212
Additional resources ................................................................................................................212
A-Z List of Problem Topics for DirectAccess ...............................................................................213
Tools for Troubleshooting DirectAccess ..................................................................................... .213
Network Diagnostics and Tracing ............................................................................................. ...214
Windows Network Diagnostics ..................................................................................... ...........214
Troubleshooting item in Control Panel.....................................................................................214
Network tracing for DirectAccess .............................................................................................215
Windows Firewall tracing .........................................................................................................215
Command Line Tools ..................................................................................................................216
The Netsh.exe Command Line Tool............................................................................................216
netsh dnsclient show state .......................................................................................................217
netsh namespace show effectivepolicy and netsh namespace show policy ............................217
netsh interface 6to4 show relay ...............................................................................................219
netsh interface teredo show state ............................................................................................219
netsh interface httpstunnel show interfaces .............................................................................221
netsh interface isatap show state and netsh interface isatap show router ...............................222
netsh advfirewall monitor show mmsa .....................................................................................222
netsh advfirewall monitor show qmsa ......................................................................................226
netsh advfirewall monitor show consec rule name=all.............................................................229
netsh advfirewall monitor show currentprofile ..........................................................................233
netsh interface ipv6 show interfaces ........................................................................................234
netsh interface ipv6 show interfaces level=verbose .................................................................234
netsh interface ipv6 show route ...............................................................................................241
The Ping.exe Command Line Tool..............................................................................................243
The Nslookup.exe Command Line Tool......................................................................................244
The Ipconfig.exe Command Line Tool.........................................................................................244
The Certutil.exe Command Line Tool..........................................................................................247
The Nltest.exe Command Line Tool............................................................................................248
Snap-in Tools ............................................................................................................................. .249
DirectAccess Management...................................................................................................... ...249
Log files of the DirectAccess Management snap-in .................................................................250
Group Policy Management Console and Editor ....................................................................... ...250
NRPT rules ..............................................................................................................................251
IPv6 Transition Technologies settings ................................................................................. .....251
Intranet connectivity settings ............................................................................................. ......252
Connection security rules ........................................................................................................253
Windows Firewall with Advanced Security ..................................................................................253
Event Viewer ...............................................................................................................................254
Certificates ..................................................................................................................................255
DirectAccess Connectivity Assistant (DCA) ............................................................................. ...255
General Methodology for Troubleshooting DirectAccess Connections ...................................... .256
Troubleshooting DirectAccess Problems ............................................................................... .....261
Problems with the DirectAccess Setup Wizard ...........................................................................262
Fixing problems that Prevent You from Running the DirectAccess Setup Wizard .......................262
Fixing Problems Encountered during the Steps of the DirectAccess Setup Wizard ....................264
Step 2-DirectAccess Server .....................................................................................................264
Connectivity page .................................................................................................................264
Prefix Configuration page .....................................................................................................266
Certificate Components page ...............................................................................................267
Step 3-Infrastructure Servers ...................................................................................................268
Location page .......................................................................................................................268
DNS and Domain Controller page ........................................................................................269
Step 4-Application Servers ................................................................................................ ......269
Fixing Problems Encountered when Applying the Settings of the DirectAccess Setup Wizard .. .269
Problems with DirectAccess Connections ...................................................................................270
Fixing Connectivity Issues Between the DirectAccess Client and the DirectAccess Server over the Internet ....271
Cannot Reach the DirectAccess Server from the IPv6 Internet..................................................271
Cannot Reach the DirectAccess Server with 6to4 ..................................................................... .272
Cannot Reach the DirectAccess Server with Teredo ...................................................................276
Cannot Reach the DirectAccess Server with IP-HTTPS .............................................................280
IP-HTTPS and authenticating proxies ..................................................................................... .284
DirectAccess Client Connection is Slow ......................................................................................284
Fixing Issues with Creating Protected Connections to the DirectAccess Server .........................285
DirectAccess Client Cannot Establish Tunnels to the DirectAccess Server ................................285
IPsec and certificate revocation checking ................................................................................289
NAP health enforcement for the intranet tunnel.......................................................................289
Smart card authorization ..........................................................................................................290
NTLM authentication failures ...................................................................................................290
Detailed analysis of IPsec negotiation .................................................................................. ...290
DirectAccess Client Cannot Resolve Names with Intranet DNS Servers ....................................290
Fixing Issues with Connecting to an Intranet Resource ............................................................. .292
DirectAccess Client Cannot Access Intranet Resources .............................................................292
Intranet Management Server Cannot Connect to a DirectAccess Client.....................................297
Fixing Problems with Creating Protected Connections to an Intranet Resource .........................299
Selected server access model.................................................................................................299
End-to-end access model........................................................................................................301
Fixing Issues with Network Location Detection ...........................................................................302
DirectAccess Client Determines that it is on the Intranet When on the Internet..........................302
DirectAccess Client Determines that it is on the Internet When on the Intranet..........................303
DirectAccess Technical Reference ........................................................................................... ...306
Network Location Detection ..................................................................................................... ...306
Network location detection process .........................................................................................307
Network location detection failures and their consequences ...................................................308
Troubleshooting network location detection .............................................................................309
DirectAccess Design Guide
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
DirectAccess is one of the most anticipated features of the Windows Server 2008 R2 operating
system. DirectAccess allows remote users to securely access intranet shares, Web sites, and
applications without connecting to a virtual private network (VPN). DirectAccess establishes
bidirectional connectivity with a user's intranet every time a user's DirectAccess-enabled portable
computer connects to the Internet, even before the user logs on. Users never have to think about
connecting to the intranet, and information technology (IT) administrators can manage remote
computers outside the office, even when the computers are not connected to the VPN.
DirectAccess is supported by Windows 7 Enterprise, Windows 7 Ultimate, and Windows
Server 2008 R2.
The following are the key elements of a DirectAccess solution:
DirectAccess client. A domain-joined computer running Windows 7 Enterprise,
Windows 7 Ultimate, or Windows Server 2008 R2 that can automatically and transparently
connect to an intranet through a DirectAccess server.
DirectAccess server. A domain-joined computer running Windows Server 2008 R2 that
accepts connections from DirectAccess clients and facilitates communication with intranet
resources.
Network location server. A server that a DirectAccess client uses to determine whether
it is located on the intranet or the Internet.
Certificate revocation list (CRL) distribution points. Servers that provide access to
the CRL that is published by the certification authority (CA) issuing certificates for
DirectAccess.
For more information, see Appendix B: Reviewing Key DirectAccess Concepts.
About this guide
This guide is intended for use by an infrastructure specialist or system architect. The guide
provides recommendations to help you plan a new DirectAccess deployment based on the
requirements of your organization and the particular design that you want to create. It highlights
your main decision points as you plan your DirectAccess deployment. Before you read this guide,
you should have a good understanding of your organizational requirements and the capabilities
and requirements of DirectAccess.
This guide describes a set of deployment goals that are based on the primary DirectAccess
access methods. It helps you determine the most appropriate access method and corresponding
design for your environment. You can use these deployment goals to create a comprehensive
DirectAccess design that meets the needs of your environment.
Once you have determined your DirectAccess design, you can use the DirectAccess Deployment
Guide to plan and implement your design.
This guide, combined with the DirectAccess Deployment and Troubleshooting Guides, is also
available as a Microsoft Word file (http://go.microsoft.com/fwlink/?LinkId=163662) in the Microsoft
Download Center.
Understanding the DirectAccess Design Process
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
To begin the DirectAccess design process, you must first identify your DirectAccess deployment
goals. This guide contains some predefined deployment goals so that you can understand the
ways in which DirectAccess can benefit your organization. After evaluating these goals, you can
select a DirectAccess design that meets your DirectAccess deployment objectives. Each design
includes examples to help you understand fundamental DirectAccess processes such as client
access or remote management.
The following topics explain how to identify and evaluate a DirectAccess deployment design for
your organization:
Identifying Your DirectAccess Deployment Goals
Mapping Your Deployment Goals to a DirectAccess Design
Evaluating DirectAccess Design Examples
After you identify your deployment goals and map them to a DirectAccess design, you can begin
documenting your design, based on the processes that are described in the following topics:
Planning a DirectAccess Deployment Strategy
Planning the Placement of a DirectAccess Server
Planning the Placement of a Network Location Server
Planning the Placement of CRL Distribution Points
Planning DirectAccess with Network Access Protection (NAP)
Planning DirectAccess with an Existing Server and Domain Isolation Deployment
DirectAccess Capacity Planning
Additional DirectAccess Resources
Appendix A: DirectAccess Requirements
Appendix B: Reviewing Key DirectAccess Concepts
Identifying Your DirectAccess Deployment Goals
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
Correctly identifying your DirectAccess deployment goals is essential for the success of your
DirectAccess design project. Depending on the size of your organization and the level of
involvement you are expecting from the information technology (IT) staff in any partner
organizations, form a project team that can clearly articulate real-world deployment issues in a
vision statement. Make sure that the members of this team understand the direction in which your
deployment project must move in order to reach your DirectAccess deployment goals.
When you write your vision statement, take steps to identify, clarify, and refine your deployment
goals. Prioritize and, if necessary, combine your deployment goals so that you can design and
deploy DirectAccess by using an iterative approach. You can take advantage of existing,
documented, and predefined DirectAccess deployment goals that are relevant to the
DirectAccess designs and develop a working solution for your scenarios.
The following list describes the three main tasks for articulating, refining, and documenting your
DirectAccess deployment goals, with the reference links for each task.
Task: Evaluate predefined DirectAccess deployment goals that are provided in this section of the
guide and combine one or more goals to reach your organizational objectives.
Reference links: Transparent and Automatic Remote Access for DirectAccess Clients; Ongoing
Management of Remote DirectAccess Clients; Efficient Routing of Intranet and Internet Traffic;
Reduction of Remote Access-based Servers in your Edge Network; End-to-end Traffic Protection;
Multi-factor Credentials for Intranet Access.
Task: Map one goal or a combination of any of the predefined DirectAccess deployment goals to a
DirectAccess design.
Reference link: Mapping Your Deployment Goals to a DirectAccess Design.
Task: Document your deployment goals and other important details for your DirectAccess design.
Reference link: Appendix C: Documenting Your DirectAccess Design.
Transparent and Automatic Remote Access for DirectAccess Clients
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
DirectAccess enhances the productivity of mobile workers by connecting their computers
automatically and seamlessly to their intranet any time Internet access is available. The user
does not have to remember to initiate a virtual private network (VPN) connection every time that
they need to access intranet resources. With DirectAccess, intranet file shares, Web sites, and
line-of-business applications can remain accessible wherever you have an Internet connection in
the same way as if you were directly connected to the intranet.
Ongoing Management of Remote
DirectAccess Clients
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
With current virtual private network (VPN) solutions, the remote computer is connected to the
intranet only intermittently. This model of user-initiated connections makes it difficult for
information technology (IT) staff to manage remote computers with the latest updates and
security policies. This management gap can be mitigated by checking for and requiring
system health updates before completing the VPN connection. However, such requirements can
add substantial wait times to the VPN connection process.
With DirectAccess, IT staff can manage mobile computers by updating Group Policy settings and
distributing software updates any time the mobile computer has Internet connectivity, even if the
user is not logged on. This flexibility allows IT staff to manage remote computers as if they were
directly connected to the intranet and ensures that mobile users stay up-to-date with security and
system health policies.
Efficient Routing of Intranet and Internet Traffic
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
DirectAccess separates intranet from Internet traffic, which reduces unnecessary traffic on the
intranet by sending only traffic destined for the intranet through the DirectAccess server. Some
virtual private network (VPN) solutions use Network layer routing table entries to separate intranet
from Internet traffic, in a configuration known as split-tunneling. DirectAccess solves this problem
in the Application layer through more intelligent name resolution and in the Network layer by
summarizing the IPv6 address space of an entire organization with IPv6 address prefixes. Rather
than directing traffic solely based on a destination address, DirectAccess clients also direct traffic
based on the name needed by the application.
DirectAccess clients use a Name Resolution Policy Table (NRPT) that contains Domain Name
System (DNS) namespace rules and a corresponding set of intranet DNS servers that resolve
names for that DNS namespace. When an application on a DirectAccess client attempts to
resolve a name, it first compares the name with the rules in the NRPT. If there is a match, the
DirectAccess client uses a protected query to the specified intranet DNS servers to resolve the
name to intranet addresses and establish connections. If there are no matches, the DirectAccess
client uses Internet DNS servers to resolve the name to Internet addresses and establish
connections.
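The NRPT lookup described in the two paragraphs above, together with the prefix-based Network-layer separation, as an added Python illustration that is not code from the guide or from Microsoft. The namespaces, DNS server addresses and IPv6 prefixes are constructed sample values; longest-match precedence and exemption rules (rules that list no DNS servers) are assumed general NRPT behaviour rather than something this passage states.

```python
"""NRPT-style traffic separation on a DirectAccess client.

Added illustration only; this is not code from the guide or from Microsoft.
Two decisions are modelled:
  1. Application layer: the name an application asks for is compared with the
     NRPT namespace rules. A match sends the query over the protected tunnel to
     the intranet DNS servers in the rule; no match means ordinary Internet DNS.
  2. Network layer: a destination IPv6 address inside one of the organization's
     summarized IPv6 prefixes is reached through the DirectAccess server.
Assumed general NRPT behaviour not stated in the passage above: when several
rules match, the longest namespace wins, and a rule that lists no DNS servers
is an exemption (the name is resolved with Internet DNS despite matching).
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Sequence, Tuple


@dataclass(frozen=True)
class NrptRule:
    # A namespace with a leading dot (".corp.contoso.com") is a suffix rule;
    # without it ("nls.corp.contoso.com") the rule matches that one name only.
    namespace: str
    dns_servers: Tuple[str, ...] = ()  # empty = exemption rule (assumed semantics)

    def matches(self, fqdn: str) -> bool:
        name = fqdn.lower().rstrip(".")            # DNS names are case-insensitive
        namespace = self.namespace.lower().rstrip(".")
        if namespace.startswith("."):
            return name.endswith(namespace)        # the leading dot keeps the label boundary
        return name == namespace


def route_query(fqdn: str, rules: Iterable[NrptRule],
                internet_dns: Tuple[str, ...]) -> Tuple[Tuple[str, ...], str]:
    """Return (DNS servers to query, "intranet" or "internet") for fqdn."""
    matching = [r for r in rules if r.matches(fqdn)]
    if not matching:
        return internet_dns, "internet"            # no NRPT match: resolve on the Internet
    # Longest matching namespace takes precedence (assumed general NRPT behaviour).
    best = max(matching, key=lambda r: len(r.namespace.rstrip(".")))
    if not best.dns_servers:
        return internet_dns, "internet"            # exemption, e.g. the network location server
    return best.dns_servers, "intranet"            # protected query through the tunnel


def address_uses_directaccess_server(address: str, org_prefixes: Sequence[str]) -> bool:
    """Network-layer check: is the destination inside the organization's IPv6 prefixes?"""
    dest = ipaddress.ip_address(address)
    return any(dest in ipaddress.ip_network(prefix) for prefix in org_prefixes)


# Constructed sample policy (documentation names and addresses, not a real deployment).
SAMPLE_RULES = (
    NrptRule(".corp.contoso.com", ("2001:db8:1::53",)),  # intranet namespace
    NrptRule("nls.corp.contoso.com"),                     # exemption for the network location server
)
INTERNET_DNS = ("192.0.2.53",)
ORG_PREFIXES = ("2001:db8:1::/48",)

if __name__ == "__main__":
    for name in ("fileserver.corp.contoso.com", "nls.corp.contoso.com", "www.contoso.com"):
        print(name, "->", route_query(name, SAMPLE_RULES, INTERNET_DNS))
    for addr in ("2001:db8:1::10", "2001:db8:ffff::1"):
        print(addr, "->", address_uses_directaccess_server(addr, ORG_PREFIXES))
```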
Reduction of Remote Access-based Servers in your Edge Network
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
With DirectAccess, you can reduce your dependence on remote access and application edge
servers, leading to an edge network with fewer servers that provide access to intranet resources
or applications. For example, the number of application edge servers can be reduced as the
number of DirectAccess clients increases, because DirectAccess clients can now directly access
the corresponding application servers on the intranet.
End-to-end Traffic Protection
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
You can specify that the traffic between DirectAccess clients and intranet application servers is
protected end-to-end. In most virtual private network (VPN) solutions, the protection only
extends to the VPN server. This capability for end-to-end traffic protection provides additional
security for computers that are outside of the intranet. Additionally, by leveraging the flexibility and
control that is possible with connection security rules in Windows Firewall with Advanced Security,
you can specify that the end-to-end protection include encryption and not require that the traffic
be tunneled to the DirectAccess server.
Multi-factor Credentials for Intranet Access
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
In typically deployed access models, DirectAccess clients create two tunnels to the DirectAccess
server. The first tunnel, the infrastructure tunnel, provides access to intranet Domain Name
System (DNS) servers, Active Directory Domain Services (AD DS) domain controllers, and other
infrastructure and management servers. The second tunnel, the intranet tunnel, provides access
to intranet resources such as Web sites, file shares, and other application servers.
To provide an additional layer of security for traffic sent over the intranet tunnel, you can specify
that the intranet tunnel also require smart card authorization, which enforces the use of multiple
sets of credentials to access intranet resources. Multi-factor credentials for the intranet tunnel
use the new tunnel-mode authorization feature of Windows Firewall with Advanced Security in
Windows 7 and Windows Server 2008 R2, which allows you to specify that only authorized
computers or users can establish an inbound tunnel.
Mapping Your Deployment Goals to a DirectAccess Design
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
After you have reviewed the DirectAccess deployment goals and determined which are
appropriate for your organization, you can map those goals to a specific design.
The following table shows how well the DirectAccess designs meet the deployment goals
discussed in Identifying Your DirectAccess Deployment Goals.
Goal: Transparent and automatic remote access for DirectAccess clients.
Elements or features: Functionality in the DirectAccess server and clients.
Goal: Ongoing management of remote DirectAccess clients.
Elements or features: Bidirectional connections whenever the computer is connected to the Internet.
Goal: Efficient routing of intranet and Internet traffic.
Elements or features: Use of the Name Resolution Policy Table (NRPT) and Internet Protocol
version 6 (IPv6) to separate Internet and intranet traffic.
Goal: Reduction of remote access-based servers in your edge network.
Elements or features: Access to intranet resources through the DirectAccess server.
Goal: End-to-end traffic protection.
Elements or features: The selected server and end-to-end access models.
Goal: Multi-factor credentials for intranet access.
Elements or features: Smart card authorization on the intranet tunnel.
Evaluating DirectAccess Design Examples
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
The following design examples illustrate the way in which DirectAccess deployment scenarios
work to provide transparent access to intranet resources.
Full Intranet Access Example
Full Intranet Access with Smart Cards Example
Selected Server Access Example
End-to-end Access Example
You can use these examples to determine the design or combination of designs that best suits
the needs of your organization.
Full Intranet Access Example
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
Full intranet access allows DirectAccess clients to connect to all of the Internet Protocol version 6
(IPv6)-reachable resources inside the intranet. The DirectAccess client uses Internet Protocol
security (IPsec) to create two encrypted tunnels to the Internet interface of the DirectAccess
server. The first tunnel, known as the infrastructure tunnel, allows the DirectAccess client to
access Domain Name System (DNS) servers, Active Directory Domain Services (AD DS) domain
controllers, and other infrastructure and management servers. The second tunnel, known as the
intranet tunnel, allows the DirectAccess client to access intranet resources. The infrastructure
tunnel uses computer authentication and the intranet tunnel uses both computer and user
authentication.
After the intranet tunnel is established, the DirectAccess client can exchange traffic with intranet
application servers. This traffic is encrypted by the tunnel for its journey across the Internet. By
default, the DirectAccess server is acting as an IPsec gateway, terminating the IPsec tunnels for
the DirectAccess client.
The following figure shows an example of full intranet access.
When the DirectAccess client starts up and determines that it is on the Internet, it creates the
tunnels to the DirectAccess server and begins normal communications with intranet infrastructure
servers such as AD DS domain controllers and application servers as if it were directly connected
to the intranet.
This design does not require IPsec protection for traffic on the intranet and is structurally very
similar to current remote access virtual private network (VPN) scenarios.
Note: To demonstrate full intranet access for DirectAccess, set up the DirectAccess test lab
(http://go.microsoft.com/fwlink/?Linkid=150613).
Full Intranet Access with Smart Cards Example
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
Important: For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
Full intranet access with smart cards is the full intranet access design and the use of smart cards
to provide an additional level of authorization for the intranet tunnel. The DirectAccess server
enforces the use of smart card credentials when the DirectAccess client computer attempts to
access an intranet resource.
The following figure shows an example of full intranet access with smart cards.
When a user on the DirectAccess client logs on to their computer with the smart card, they obtain
transparent access to intranet resources. If they log in to the computer using domain credentials,
such as a username and password combination, and attempt to access the intranet, Windows
displays a message in the notification area instructing them to enter their smart card credentials.
The user then inserts their smart card and provides their smart card personal identification number (PIN) to
access intranet resources.
This notification message will fade away in five seconds or may be covered by other notifications
in a shorter amount of time, but an icon displaying a pair of keys will stay in the notification area.
If the user misses the notification, the keys icon will be available in the overflow tray, which will
allow them to launch the credential prompt again by clicking on it.
Note: If the user closes the smart card credential prompt from the notification area, there is no
way of relaunching it, nor will the keys show up in the overflow tray again. The user must
lock their computer and then unlock it with their smart card to access the intranet.
Selected Server Access Example
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
Important: For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
Selected server access allows you to confine the access of DirectAccess clients to a specific set
of intranet application servers and deny access to all other locations on the intranet. Intranet
access requires end-to-end Internet Protocol security (IPsec) protection from the DirectAccess
client to the specified servers. This provides an additional layer of IPsec peer authentication and
data integrity for end-to-end traffic so that DirectAccess clients can verify that they are
communicating with specific servers.
The following figure shows an example of selected server access.
The DirectAccess client and selected servers by default perform IPsec peer authentication using
computer credentials and protect the traffic with Encapsulating Security Payload (ESP)-NULL for
data integrity.
You can also use selected server access to require end-to-end IPsec protection from the
DirectAccess client to specified servers and allow access to all other locations on the intranet.
Traffic to other intranet application servers is not protected with IPsec peer authentication and
data integrity. The intranet tunnel between the DirectAccess client and server provides encryption
for both types of intranet traffic across the Internet.
Note: To demonstrate selected server access, configure the DirectAccess test lab
(http://go.microsoft.com/fwlink/?Linkid=150613) with the Selected Server Access
extension (http://go.microsoft.com/fwlink/?LinkId=192278).
Using authentication with null encapsulation for selected server access
Authentication with null encapsulation is a new feature of Windows Firewall with Advanced
Security for Windows 7 and Windows Server 2008 R2. Some intranets contain hardware that
cannot parse or forward IPsec-protected traffic. With authentication with null encapsulation
enabled, IPsec peers perform normal IPsec peer authentication and include IPsec data integrity
on the first packet exchanged. Subsequent packets are sent as clear text with no IPsec
protection. This feature allows you to use IPsec for peer authentication in environments that do
not support IPsec-protected traffic flows. You can enable authentication with null encapsulation
for DirectAccess when using selected server access.
Note: Authentication with null encapsulation is not the same as using ESP-NULL for per-packet
data integrity.
End-to-end Access Example
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
Important: For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
End-to-end access removes the infrastructure and intranet tunnels to the DirectAccess server. All
intranet traffic is end-to-end between DirectAccess clients and intranet application servers and is
encrypted with Internet Protocol security (IPsec). In this configuration, the DirectAccess server is
no longer terminating IPsec tunnels. It is acting as a pass-through device, allowing the IPsec-
protected traffic to pass between the DirectAccess client and the application servers. A
component of the DirectAccess server, known as IPsec Denial of Service Protection (DoSP),
monitors the IPsec traffic to help prevent malicious users on the Internet from launching DoS
attacks against intranet resources.
The following figure shows an example of end-to-end access.
The DirectAccess client and intranet application servers should be configured to perform IPsec
peer authentication using computer credentials and to protect the traffic with Encapsulating
Security Payload (ESP) for data confidentiality (encryption) and integrity.
Planning a DirectAccess Deployment Strategy
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
Important: For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
The following are some critical questions to consider as you develop a deployment strategy for
DirectAccess, with links to corresponding topics in this Design Guide. Answering these questions
will help you create a strategy that is cost-effective and resource-efficient.
Which intranet resources will be available to DirectAccess clients? For more information,
see Resources Available to DirectAccess Clients.
How do I either enable Internet Protocol version 6 (IPv6) on my intranet or have
DirectAccess use my existing IPv6 infrastructure? For more information, see Choose an
Intranet IPv6 Connectivity Design.
What options do I have to make Internet Protocol version 4 (IPv4)-only resources
available for DirectAccess clients? For more information, see Choose Solutions for IPv4-only
Intranet Resources.
Which access models are there to choose from? For more information, see Choose an
Access Model.
What options do I have to configure DirectAccess? For more information, see Choose a
Configuration Method.
Which computers do I need to designate as management servers that will initiate
connections to DirectAccess clients? For more information, see Design for Remote
Management.
What packet filters do I need to add to my firewalls and computers in my organization?
For more information, see Design Packet Filtering for DirectAccess.
What support is needed from third-party host firewalls? For more information, see
DirectAccess and Third-party Host Firewalls.
What authentication and authorization options do I have? For more information, see
Choose an Authentication and Authorization Scheme.
What addressing and routing do I need to configure on my DirectAccess server? For
more information, see Design Addressing and Routing for the DirectAccess Server.
How does DirectAccess leverage or utilize Active Directory Domain Services (AD DS)?
For more information, see Choose an Authentication and Authorization Scheme.
How do I design my Domain Name System (DNS) infrastructure for DirectAccess? For
more information, see Design Your DNS Infrastructure for DirectAccess.
How do I design my public key infrastructure (PKI) for DirectAccess? For more
information, see Design Your PKI for DirectAccess.
How do I design my internal and external Web infrastructure for DirectAccess? For more
information, see Design Your Web Servers for DirectAccess.
What options are there for separating or combining intranet and Internet traffic for
DirectAccess clients? For more information, see Choose an Internet Traffic Separation
Design.
How do I ensure that traffic between DirectAccess clients on the Internet is protected?
For more information, see Design Protection for Traffic between DirectAccess Clients.
How do I ensure that DirectAccess clients can detect connectivity to the intranet? For
more information, see Design Your Intranet for Corporate Connectivity Detection.
How does DirectAccess co-exist with my current remote access virtual private network
(VPN) solution? For more information, see Choose a DirectAccess and VPN Coexistence
Design.
Should I use the DirectAccess Connectivity Assistant (DCA)? For more information, see
Use the DirectAccess Connectivity Assistant (DCA).
Resources Available to DirectAccess Clients
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
Important: For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
When designing your DirectAccess deployment, you must determine how DirectAccess clients
will reach all of the desired intranet resources.
IPv6 resources on your intranet
DirectAccess relies on Internet Protocol version 6 (IPv6) for end-to-end connectivity between the
DirectAccess client and an intranet endpoint. DirectAccess clients only send IPv6 traffic across
the connection to the DirectAccess server. Therefore, DirectAccess clients can only communicate
using applications that support IPv6 and connect to intranet resources that are reachable with
IPv6. Internet Protocol version 4 (IPv4)-only applications on the DirectAccess client cannot be
used to access intranet application servers with DirectAccess.
The recommended configuration for your intranet is to have IPv6 connectivity to your intranet
resources. This requires the following:
An intranet infrastructure that supports the forwarding of IPv6 traffic.
IPv6-capable applications on computers that run an operating system that supports an
IPv6 protocol stack.
An intranet infrastructure that supports forwarding IPv6 traffic can be achieved in the following
ways:
Configure your intranet infrastructure to support native IPv6 addressing and routing.
Computers running Windows Vista, Windows Server 2008, Windows 7, or Windows
Server 2008 R2 use IPv6 by default. Although few organizations today have a native IPv6
infrastructure, this is the preferred and recommended connectivity method. For the most
seamless intranet connectivity for DirectAccess clients, organizations should deploy a native
IPv6 infrastructure, typically alongside their existing IPv4 infrastructure.
Deploy Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) on your intranet.
Without a native IPv6 infrastructure, you can use ISATAP to make intranet servers and
applications reachable by tunneling IPv6 traffic over your IPv4-only intranet. Deploying
ISATAP consists of setting up one or more ISATAP routers that provide address configuration
and default routing for ISATAP hosts on your intranet. Computers running Windows 7 or
Windows Server 2008 R2 support ISATAP host functionality and can be configured to act as
ISATAP routers.
If you do not have a native IPv6 infrastructure or ISATAP on your intranet, the DirectAccess Setup
Wizard will automatically configure the DirectAccess server as the ISATAP router for your
intranet.
Applications that are end-to-end reachable by DirectAccess clients must be IPv6-capable and
running on an operating system that supports an IPv6 protocol stack with native IPv6 or ISATAP
host capability.
For applications running on versions of Windows:
Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008
support an IPv6 protocol stack and all built-in components and system services are IPv6-
capable. These versions of Windows are highly recommended.
Windows XP and Windows Server 2003 have an IPv6 protocol stack, but many built-in
components and system services and applications are not IPv6-capable. Therefore, in most
cases, applications running on computers running Windows XP or Windows Server 2003 are
not reachable by DirectAccess clients over IPv6. For the solutions for providing DirectAccess
connectivity to applications running on Windows XP and Windows Server 2003-based
computers, see Choose Solutions for IPv4-only Intranet Resources.
For applications running on non-Windows operating systems, verify that both the operating
system and the applications support IPv6 and are reachable over native IPv6 or ISATAP.
IPv4-only resources on the intranet
Because DirectAccess clients only send IPv6 traffic to the DirectAccess server, users on
DirectAccess clients cannot use IPv4-only client applications to reach IPv4-only resources on
your intranet. Examples of IPv4-only resources are the following:
Applications running on Windows 2000 or prior versions of Windows.
The built-in applications and system services running on Windows XP and Windows
Server 2003 that are not IPv6-capable.
For applications that are not built-in to Windows, check with the software vendor to
ensure that the application is IPv6-capable. Applications that only use IPv4, such as Office
Communications Server (OCS), cannot by default be reached by DirectAccess clients.
However, IPv6-capable applications can reach IPv4-only resources on your intranet by using an
IPv6/IPv4 translation device or service such as a NAT64/DNS64. For the solutions for providing
connectivity for DirectAccess clients to IPv4-only resources, see Choose Solutions for IPv4-only
Intranet Resources.
Using an IPv4-only intranet
It is possible to use DirectAccess with an IPv4-only intranet, but you must use a NAT64/DNS64
device between your DirectAccess clients and your intranet and you no longer have the ability to
remotely manage DirectAccess clients from the intranet. For information about providing
connectivity for DirectAccess clients to an IPv4-only intranet, see Choose Solutions for IPv4-only
Intranet Resources.
When the DirectAccess client physically connects to your IPv4-only intranet or an IPv4-only
subnet of your intranet, it is possible in some situations for the client to use Internet Protocol over
Secure Hypertext Transfer Protocol (IP-HTTPS) to access the intranet through a proxy server and
the DirectAccess server, instead of using normal IPv4-based connectivity. This can cause
problems for some applications. To prevent this behavior, configure Windows Firewall rules to
block traffic between your proxy servers and your DirectAccess servers. For more information,
see Configure Firewall Rules to Prevent Traffic between Proxy Servers and DirectAccess
Servers.
Limiting connectivity to selected resources
With the selected server access model, you can limit the access of DirectAccess clients to a
specific set of servers identified by membership in Active Directory security groups. The following
figure shows an example of using selected server access to restrict intranet access to specific
application servers.
For more information, see Selected Server Access Example.
IPv6 resources on the IPv6 Internet
By default, Windows 7 and Windows Server 2008 R2-based computers attempt to resolve the
name 6to4.ipv6.microsoft.com to determine the IPv4 address of a 6to4 relay and
teredo.ipv6.microsoft.com to determine the IPv4 addresses of Teredo servers on the IPv4
Internet. With the 6to4 relay at 6to4.ipv6.microsoft.com and the Teredo servers at
teredo.ipv6.microsoft.com, Windows 7-based clients on the IPv4 Internet can reach the IPv6
Internet.
When Windows 7 and Windows Server 2008 R2-based computers are configured as
DirectAccess clients, the DirectAccess server becomes the 6to4 relay and the Teredo server so
that DirectAccess clients can tunnel IPv6 traffic destined for the intranet to the DirectAccess
server. If the DirectAccess server does not also forward default route traffic to the IPv6 Internet,
DirectAccess clients will not be able to reach the IPv6 Internet.
If you want DirectAccess clients to reach the IPv6 Internet, configure the DirectAccess server with
one of the following:
A direct, native connection to the IPv6 Internet
Configure the DirectAccess server to forward default route traffic using its native connection
to the IPv6 Internet. You can also use a separate router for your connection to the IPv6
Internet and configure the DirectAccess server to forward its default route traffic to the router.
A 6to4-tunneled connection to the IPv6 Internet
Configure the DirectAccess server to forward default route traffic using the Microsoft 6to4
Adapter interface to a 6to4 relay on the IPv4 Internet. You can configure a DirectAccess
server for the IPv4 address of the Microsoft 6to4 relay on the IPv4 Internet with the netsh
interface ipv6 6to4 set relay name=192.88.99.1 state=enabled command. Use
192.88.99.1, the IPv4 anycast address of 6to4 relays on the Internet, unless your Internet
service provider recommends a specific unicast IPv4 address of the 6to4 relay that they
maintain.
For more information, see Connect to the IPv6 Internet in the DirectAccess Deployment Guide.
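The ISATAP and 6to4/Teredo material above describes three address formats that embed IPv4 endpoints. As an added example (not code from this guide), the following Python script derives the 6to4 prefix and ISATAP address for a host and decodes the IPv4 addresses embedded in 6to4, Teredo and ISATAP addresses, so a defender can confirm that a DirectAccess client's Teredo address names the DirectAccess server as its Teredo server. All IPv4 and IPv6 values in it are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Well-known prefixes of the transition technologies the guide describes.
TEREDO_NET = ipaddress.IPv6Network("2001::/32")   # Teredo (RFC 4380)
SIXTO4_NET = ipaddress.IPv6Network("2002::/16")   # 6to4 (RFC 3056)


@dataclass
class TransitionInfo:
    kind: str                                              # "isatap", "teredo", "6to4" or "other"
    embedded_ipv4: Optional[ipaddress.IPv4Address] = None  # host (ISATAP/6to4) or client (Teredo)
    teredo_server: Optional[ipaddress.IPv4Address] = None  # Teredo server IPv4 address
    teredo_port: Optional[int] = None                      # client's external UDP port


def sixto4_prefix(public_ipv4: str) -> ipaddress.IPv6Network:
    """The /48 6to4 prefix a host derives from its public IPv4 address: 2002:WWXX:YYZZ::/48."""
    v4 = int(ipaddress.IPv4Address(public_ipv4))
    return ipaddress.IPv6Network(f"2002:{v4 >> 16:04x}:{v4 & 0xFFFF:04x}::/48")


def isatap_address(prefix: str, host_ipv4: str, globally_unique: bool = False) -> ipaddress.IPv6Address:
    """ISATAP address: <prefix>:0:5efe:w.x.y.z, or 200:5efe:w.x.y.z for a global IPv4 (RFC 5214)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP addresses are formed from a /64 prefix")
    v4 = int(ipaddress.IPv4Address(host_ipv4))
    iid = ((0x02005EFE if globally_unique else 0x00005EFE) << 32) | v4
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def classify(addr: str) -> TransitionInfo:
    """Identify the transition technology an address belongs to and decode the IPv4 it embeds."""
    a = ipaddress.IPv6Address(addr)
    n = int(a)
    iid = n & ((1 << 64) - 1)
    # ISATAP is recognised by its interface identifier regardless of the /64 in front of it
    # (a DirectAccess intranet commonly uses a 6to4-derived prefix for ISATAP).
    if (iid >> 32) in (0x00005EFE, 0x02005EFE):
        return TransitionInfo("isatap", ipaddress.IPv4Address(iid & 0xFFFFFFFF))
    if a in TEREDO_NET:
        server = (n >> 64) & 0xFFFFFFFF   # bits 32-63: Teredo server IPv4
        port = (~(n >> 32)) & 0xFFFF      # bits 80-95: client UDP port, obfuscated with XOR 0xFFFF
        client = (~n) & 0xFFFFFFFF        # bits 96-127: client IPv4, obfuscated with XOR 0xFFFFFFFF
        return TransitionInfo("teredo", ipaddress.IPv4Address(client), ipaddress.IPv4Address(server), port)
    if a in SIXTO4_NET:
        return TransitionInfo("6to4", ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF))
    return TransitionInfo("other")


def teredo_uses_expected_server(addr: str, directaccess_server_ipv4: str) -> bool:
    """True when a Teredo address names the given DirectAccess server as its Teredo server."""
    info = classify(addr)
    return info.kind == "teredo" and info.teredo_server == ipaddress.IPv4Address(directaccess_server_ipv4)


if __name__ == "__main__":
    # Constructed sample values (documentation IPv4 ranges), not taken from the guide.
    da_server = "203.0.113.1"
    print(sixto4_prefix(da_server))                               # 2002:cb00:7101::/48
    print(isatap_address("2002:cb00:7101:1::/64", "10.0.0.2"))    # 2002:cb00:7101:1:0:5efe:a00:2
    for sample in ("2001:0:cb00:7101:0:63bf:39cc:9bb2", "2002:cb00:7105::1", "2001:db8::1"):
        print(sample, classify(sample))
```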
Choose an Intranet IPv6 Connectivity Design
This topic describes desi