Академический Документы
Профессиональный Документы
Культура Документы
Microsoft Corporation
Published: August 14, 2009
Author: Joe Davies
Editor: Scott Somohano
Abstract
This guide provides recommendations to help you plan a DirectAccess deployment using the
Windows Server® 2008 R2 operating system. It is intended for use by infrastructure specialists or
system architects who are planning a new DirectAccess deployment. This guide covers
DirectAccess deployment goals and design considerations for Internet Protocol version 6 (IPv6)
connectivity, access models, packet filtering, infrastructure requirements, and server placement,
redundancy, and capacity planning.
The information contained in this document represents the current view of Microsoft Corporation
on the issues discussed as of the date of publication. Because Microsoft must respond to
changing market conditions, it should not be interpreted to be a commitment on the part of
Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the
date of publication.
This Design Guide is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,
EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the
rights under copyright, no part of this document may be reproduced, stored in or introduced into a
retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission
of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the companies, organizations, products, domain names, e-mail
addresses, logos, people, places, and events depicted in examples herein are fictitious. No
association with any real company, organization, product, domain name, e-mail address, logo,
person, place, or event is intended or should be inferred.
© 2009 Microsoft Corporation. All rights reserved.
Microsoft, Windows Server, Windows 7, Windows Vista, and Windows XP are trademarks of the
Microsoft group of companies.
All other trademarks are property of their respective owners.
Contents
DirectAccess Design Guide............................................................................................................1
Abstract....................................................................................................................................1
Contents..........................................................................................................................................3
End-to-End Access.......................................................................................................................26
7
Understanding the DirectAccess Design
Process
To begin the DirectAccess design process, you must first identify your DirectAccess deployment
goals. This guide contains some predefined deployment goals so that you can understand the
ways in which DirectAccess can benefit your organization. After evaluating these goals, you can
select a DirectAccess design that meets your DirectAccess deployment objectives. Each design
includes examples to help you understand fundamental DirectAccess processes such as client
access or remote management.
The following topics explain how to identify and evaluate a DirectAccess deployment design for
your organization:
• Identifying Your DirectAccess Deployment Goals
• Mapping Your Deployment Goals to a DirectAccess Design
• Evaluating DirectAccess Design Examples
After you identify your deployment goals and map them to a DirectAccess design, you can begin
documenting your design, based on the processes that are described in the following topics:
• Planning a DirectAccess Deployment Strategy
• Planning the Placement of a DirectAccess Server
• Planning the Placement of a Network Location Server
• Planning the Placement of CRL Distribution Points
• Planning DirectAccess with Network Access Protection (NAP)
• Planning DirectAccess with an Existing Server and Domain Isolation Deployment
• DirectAccess Capacity Planning
• Additional DirectAccess Resources
• Appendix A: DirectAccess Requirements
• Appendix B: Reviewing Key DirectAccess Concepts
Evaluate predefined DirectAccess deployment Transparent and Automatic Remote Access for
goals that are provided in this section of the DirectAccess Clients
guide and combine one or more goals to reach Ongoing Management of Remote DirectAccess
your organizational objectives. Clients
Efficient Routing of Intranet and Internet Traffic
Reduction of Remote Access-based Servers in
your Edge Network
End-to-end Traffic Protection
Multi-factor Credentials for Intranet Access
Map one goal or a combination of any of the Mapping Your Deployment Goals to a
predefined DirectAccess deployment goals to a DirectAccess Design
DirectAccess design.
Document your deployment goals and other Appendix C: Documenting Your DirectAccess
important details for your DirectAccess design. Design
10
End-to-end Traffic Protection
You can specify that the traffic between DirectAccess clients and intranet applications servers is
protected from end-to-end. In most virtual private network (VPN) solutions, the protection only
extends to the VPN server. This capability for end-to-end traffic protection provides additional
security for computers that are outside of the intranet. Additionally, by leveraging the flexibility and
control that is possible with connection security rules in Windows Firewall with Advanced Security,
you can specify that the end-to-end protection include encryption and not require that the traffic
be tunneled to the DirectAccess server.
Transparent and automatic remote access for Functionality in the DirectAccess server and
DirectAccess clients clients
Efficient routing of intranet and Internet traffic Use of the Name Resolution Policy Table
(NRPT) and Internet Protocol version 6 (IPv6)
to separate Internet and intranet traffic
11
DirectAccess deployment goal DirectAccess elements or features
Multi-factor credentials for intranet access Smart card authorization on the intranet tunnel
12
When the DirectAccess client starts up and determines that it is on the Internet, it creates the
tunnels to the DirectAccess server and begins normal communications with intranet infrastructure
servers such as AD DS domain controllers and application servers as if it were directly connected
to the intranet.
This design does not require IPsec protection for traffic on the intranet and is structurally very
similar to current remote access virtual private network (VPN) scenarios.
13
When a user on the DirectAccess client logs on to their computer with the smart card, they obtain
transparent access to intranet resources. If they log in to the computer using domain credentials,
such as a username and password combination, and attempt to access the intranet, Windows
displays a message in the notification area instructing them to enter their smart card credentials.
The user then inserts their smart card and provides their smart card personal identifier (PIN) to
access intranet resources.
This notification message will fade away in five seconds or may be covered by other notifications
in a shorter amount of time, but an icon displaying a pair of keys will stay in the notification area.
If the user misses the notification, the keys icon will be available in the overflow tray, which will
allow them to launch the credential prompt again by clicking on it.
Note
If the user closes the smart card credential prompt from the notification area, there is no
way of relaunching it, nor will the keys show up in the overflow tray again. The user must
lock their computer and then unlock it with their smart card to access the intranet.
14
The DirectAccess client and selected servers by default perform IPsec peer authentication using
computer credentials and protect the traffic with Encapsulating Security Protocol (ESP)-NULL for
data integrity.
You can also use selected server access to require end-to-end IPsec protection from the
DirectAccess client to specified servers and allow access to all other locations on the intranet.
Traffic to other intranet application servers is not protected with IPsec peer authentication and
data integrity. The intranet tunnel between the DirectAccess client and server provides encryption
for both types of intranet traffic across the Internet.
Note
Authentication with null encapsulation is not the same as using ESP-NULL for per-packet
data integrity.
15
The DirectAccess client and intranet application servers should be configured to perform IPsec
peer authentication using computer credentials and to protect the traffic with Encapsulating
Security Protocol (ESP) for data confidentiality (encryption) and integrity.
16
• What authentication and authorization options do I have? For more information, see Choose
an Authentication and Authorization Scheme.
• How does DirectAccess leverage or utilize Active Directory Domain Services (AD DS)? For
more information, see Choose an Authentication and Authorization Scheme.
• How do I design my Domain Name System (DNS) infrastructure for DirectAccess? For more
information, see Design Your DNS Infrastructure for DirectAccess.
• How do I design my public key infrastructure (PKI) for DirectAccess? For more information,
see Design Your PKI for DirectAccess.
• How do I design my internal and external Web infrastructure for DirectAccess? For more
information, see Design your Web Servers for DirectAccess.
• What options are there for separating or combining intranet and Internet traffic for
DirectAccess clients? For more information, see Choose an Internet Traffic Separation
Design.
• How do I ensure that traffic between DirectAccess clients on the Internet is protected? For
more information, see Design Protection for Traffic between DirectAccess Clients.
• How do I ensure that DirectAccess clients can detect connectivity to the intranet? For more
information, see Design Your Intranet for Corporate Connectivity Detection.
• How does DirectAccess co-exist with my current remote access virtual private network (VPN)
solution? For more information, see Choose a DirectAccess and VPN Coexistence Design.
18
Limiting connectivity to selected resources
With the selected server access model, you can limit the access of DirectAccess clients to a
specific set of servers identified by membership in Active Directory security groups. The following
figure shows an example of using selected server access to restrict intranet access to specific
application servers.
19
Configure the DirectAccess server to forward default route traffic using the Microsoft 6to4
Adapter interface to a 6to4 relay on the IPv4 Internet. You can configure a DirectAccess
server for the IPv4 address of the Microsoft 6to4 relay on the IPv4 Internet with the netsh
interface ipv6 6to4 set relay name=192.88.99.1 state=enabled command. Use
192.88.99.1, the IPv4 anycast address of 6to4 relays on the Internet, unless your Internet
service provider recommends a specific unicast IPv4 address of the 6to4 relay that they
maintain.
Note
By default, DNS servers running Windows Server 2008 R2 or Windows Server 2008
block the resolution of the name ISATAP with the global query block list. To enable
ISATAP, you must remove the name ISATAP from the block list. For more information,
see Update the global query block list (http://go.microsoft.com/fwlink/?LinkId=157589).
Windows-based ISATAP hosts that can resolve the name ISATAP perform address
autoconfiguration with the DirectAccess server, resulting in the automatic configuration of the
following:
• An ISATAP-based IPv6 address on an ISATAP tunneling interface.
• A 64-bit route that provides connectivity to the other ISATAP hosts on the intranet.
• A default IPv6 route that points to the DirectAccess server.
The default IPv6 route ensures that intranet ISATAP hosts can reach DirectAccess clients.
When your Windows-based ISATAP hosts obtain an ISATAP-based IPv6 address, they begin to
use ISATAP-encapsulated traffic to communicate if the destination is also an ISATAP host.
20
Because ISATAP uses a single 64-bit subnet for your entire intranet, your communication goes
from a segmented, multi-subnet Internet Protocol version 4 (IPv4) communication model to a flat,
single-subnet communication model with IPv6. This can affect the behavior of Active Directory
Domain Services (AD DS) and other applications that rely on your Active Directory Sites and
Services configuration. For example, if you used the Active Directory Sites and Services snap-in
to configure sites, IPv4-based subnets, and inter-site transports for forwarding of requests to
servers within sites, this configuration is not used by ISATAP hosts.
To configure Active Directory sites and services for forwarding within sites for ISATAP hosts, you
have to configure an IPv6 subnet object equivalent to each IPv4 subnet object, in which the IPv6
address prefix for the subnet expresses the same range of ISATAP host addresses as the IPv4
subnet.
For example, for the IPv4 subnet 192.168.99.0/24 and the 64-bit ISATAP address prefix
2002:836b:1:0:1::/64, the equivalent IPv6 address prefix for the IPv6 subnet object is
2002:836b:1:1:0:5efe:192.168.99.0/120. For an arbitrary IPv4 prefix length (set to 24 in the
example), the corresponding IPv6 prefix length is 96 + IPv4PrefixLength.
For the IPv6 addresses of DirectAccess clients, you should add the following:
• An IPv6 subnet for the range 2001:0:WWXX:YYZZ::/64, in which WWXX:YYZZ is the colon-
hexadecimal version of the first consecutive public IPv4 address (w.x.y.z) assigned to the
Internet interface of the DirectAccess server. This IPv6 prefix is for Teredo-based
DirectAccess clients.
• If you have a native IPv6 infrastructure, an IPv6 subnet for the range 48-
bitIntranetPrefix:5555::/64, in which 48-bitIntranetPrefix is the 48-bit native IPv6 prefix that is
being used on your intranet. This IPv6 prefix is for Internet Protocol over Secure Hypertext
Transfer Protocol (IP-HTTPS)-based DirectAccess clients.
• If you are using a 6to4-based IPv6 prefix on your intranet, an IPv6 subnet for the range
2002:WWXX:YYZZ:2::/64, in which WWXX:YYZZ is the colon-hexadecimal version of the first
consecutive public IPv4 address (w.x.y.z) assigned to the Internet interface of the
DirectAccess server. This IPv6 prefix is for IP-HTTPS-based DirectAccess clients.
• A series of 6to4-based IPv6 prefixes that begin with 2002: and represent the regional, public
IPv4 address prefixes that are administered by Internet Assigned Numbers Authority (IANA)
and regional registries. The 6to4-based prefix for a public IPv4 address prefix w.x.y.z/n is
2002:WWXX:YYZZ::/[16+n], in which WWXX:YYZZ is the colon-hexadecimal version of
w.x.y.z. For example, the 7.0.0.0/8 range is administered by American Registry for Internet
Numbers (ARIN) for North America. The corresponding 6to4-based prefix for this public IPv6
address range is 2002:700::/24. For information about the IPv4 public address space, see
IANA IPv4 Address Space Registry (http://www.iana.org/assignments/ipv4-address-
space/ipv4-address-space.xml). These IPv6 prefixes are for 6to4-based DirectAccess clients.
21
that DirectAccess clients are reachable from the intranet, you will need to modify your IPv6
routing infrastructure so that default route traffic is forwarded to the DirectAccess server.
Note
If you are using IPv6 addresses that are not based on a 6to4 prefix on your intranet, a
6to4-based DirectAccess client computer that uses IP-HTTPS to connect to the
DirectAccess server will not be able to reach intranet locations. To correct this condition,
add a 6to4 route (2002::/16) to your intranet that points to the DirectAccess server or
reconfigure the DirectAccess server to use IPv6 addresses from your intranet prefix on its
Internet interface rather than 6to4 addresses and change the client and server tunnel
endpoints in your DirectAccess client and server Group Policy objects to the assigned
IPv6 address.
22
The end result is that an IPv6-capable client application on a DirectAccess client can use IPv4 to
access an IPv4-only server application while connected to the intranet, but cannot by default
reach the same server application when connected to the Internet.
The solutions for providing connectivity for IPv6-capable applications on DirectAccess clients to
IPv4-only intranet applications are the following:
• Upgrade or update the IPv4-only intranet application to support IPv6. This update might
include updating the operating system of the server, updating the application running on the
server, or both. This is the recommended solution. For built-in applications and system
services on computers running Windows XP or Windows Server 2003, you must upgrade
Windows XP to Windows 7 or Windows Vista and upgrade Windows Server 2003 to Windows
Server 2008 R2 or Windows Server 2008.
• Use a conventional remote access virtual private network (VPN) connection on the
DirectAccess client to reach the IPv4-only application.
• Use a Network Address Translation-Protocol Translation (NAT-PT) or NAT64 device on your
intranet. NAT-PTs and NAT64s perform IPv6-to-IPv4 DNS name resolution and IPv6/IPv4
traffic translation services for traffic between DirectAccess clients and IPv4-only intranet
application servers.
The types of DirectAccess connectivity that are possible for IPv6-capable and IPv4-only client
and server applications are summarized in the following:
• IPv6-capable client application on the DirectAccess client with an IPv6-capable server
application on the intranet
End-to-end connectivity for DirectAccess clients.
• IPv6-capable client application on the DirectAccess client with an IPv4-only server application
on the intranet
Translated connectivity for DirectAccess clients only with a NAT-PT or NAT64.
• IPv4-only client application on the DirectAccess client with either an IPv6-capable or IPv4-
only server application on the intranet
No connectivity for DirectAccess clients.
When you deploy a NAT-PT or NAT64, you typically configure it to provide coverage for specific
portions of your intranet DNS namespace. Once deployed, the NAT-PT or NAT64 will make the
necessary DNS resolutions and IPv6/IPv4 traffic translations, allowing IPv6-capable applications
on DirectAccess clients to access IPv4-only resources located within that portion of the DNS
namespace.
The following figure shows an example of using a separate NAT-PT or NAT64 device to provide
access to IPv4-only application servers on an intranet.
23
If you are using a NAT-PT or NAT64 in your DirectAccess deployment, you must identify the
portions of your intranet namespace that contain IPv4-only application servers and add them to
the Name Resolution Policy Table (NRPT) of your DirectAccess clients with the IPv6 addresses of
your NAT-PT or NAT-64.
Because Windows Server 2008 R2 does not provide NAT-PT or NAT64 functionality, the
configuration of these devices is beyond the scope of this design guide. Microsoft Forefront
Unified Access Gateway (UAG) includes NAT-PT functionality and can be used in conjunction
with a DirectAccess deployment. For more information, see UAG and DirectAccess
(http://go.microsoft.com/fwlink/?LinkId=159955). NAT-PT or NAT64 devices are also available
from Layer 2 and Layer 3 switch and router vendors.
24
• Does not require intranet application servers that are running Windows Server 2008 or later.
Works with any IPv6-capable application servers.
• Most closely resembles current virtual private network (VPN) architecture and is typically
easier to deploy.
• Can be used with smart cards for an additional level of authorization.
• Is fully configurable with the DirectAccess Setup Wizard.
• Does not require IPsec-protected traffic on the intranet.
The following are the limitations of the full intranet access model:
• Does not provide end-to-end authentication or data protection with intranet servers.
• Because the DirectAccess server is terminating the IPsec tunnels, there is extra processing
load on DirectAccess server to perform encryption and decryption. This load can be mitigated
by moving the IPsec gateway function to a different server with IPsec offload network
adapters. For more information, see Capacity Planning for DirectAccess Servers.
End-to-End Access
The end-to-end access model allows you to configure DirectAccess clients so that
communications between DirectAccess clients and all intranet servers perform IPsec peer
authentication, data confidentiality (encryption), and data integrity from the DirectAccess client to
the intranet resource. The traffic sent between DirectAccess clients and servers is encrypted over
both the Internet and the intranet. For more information, see the End-to-end Access Example.
The following are the benefits of the end-to-end access model:
• Provides additional end-to-end authentication, data integrity, and data confidentiality beyond
that provided with traditional virtual private network (VPN) connections.
• There is less processing overhead on the DirectAccess server, which is acting only as a
router and providing denial of service protection (DoSP) for the IPsec-encrypted DirectAccess
traffic.
• By customizing the default Windows Firewall with Advanced Security connection security
rules created by the DirectAccess Setup Wizard, you can define policies that restrict certain
users or computers from accessing particular application servers or specify that certain
applications will not be able to access intranet resources remotely. However, customization of
the default connection security rules requires knowledge of and experience with connection
security rule design and configuration.
The following are the limitations of the end-to-end access model:
• All intranet application servers accessible to DirectAccess clients must run Windows
Server 2008 or later. Application servers cannot run Windows Server 2003 or earlier.
• Your intranet must allow the forwarding of IPsec-encrypted traffic.
• Is not fully configurable with the DirectAccess Setup Wizard. You use the DirectAccess Setup
Wizard to create the initial set of DirectAccess client and server Group Policy objects and
settings and then you must customize the default Windows Firewall with Advanced Security
connection security rules.
• Cannot use smart cards for an additional level of authorization.
• Cannot access IPv4-only intranet resources, even with a Network Address Translation-
Protocol Translation (NAT-PT) or NAT64.
26
Choose a Configuration Method
You can use the following methods to deploy and configure DirectAccess:
• The DirectAccess Management console
• Scripted installation using the Network Shell (Netsh) command-line tool
• Manual configuration using Group Policy
The following sections describe the benefits and limitations of each of these methods.
27
Intranet management servers that client computers use to keep themselves current can consist of
the following:
• Microsoft System Center Configuration Manager 2007 servers
• Windows Update servers
• Servers for anti-malware updates, such as antivirus servers
In some cases, intranet servers or computers must initiate connections to DirectAccess clients.
For example, helpdesk department computers can use remote desktop connections to connect to
and troubleshoot remote DirectAccess clients. To ensure that DirectAccess clients will accept
incoming traffic from these types of computers and require the protection of that traffic over the
Internet, you must identify the set of these intranet management computers and configure their
addresses in Step 3 of the DirectAccess Setup Wizard.
Once you have identified the computers, record their names, their Internet Protocol version 4
(IPv4) addresses (if you have no Internet Protocol version 6 (IPv6) infrastructure), or their IPv6
addresses (if you have an IPv6 infrastructure, either their public native or Intra-Site Automatic
Tunnel Addressing Protocol [ISATAP] addresses) and configure them in Step 3 of the
DirectAccess Setup Wizard.
Because DirectAccess clients can be behind network address translators (NATs) and use Teredo
for the IPv6 connectivity across the Internet, any inbound rules for Windows Firewall with
Advanced Security that permit unsolicited incoming traffic from management computers must be
modified to enable edge traversal and must have an inbound ICMPv6 Echo Request rule with
edge traversal enabled. For more information, see Packet Filters for Management Computers
Notes
• When you are using end-to-end peer authentication with data integrity and remote
management traffic is sent within the intranet tunnel, you should use Encapsulating Security
Protocol (ESP)-Null instead of Authentication Header (AH) for data integrity.
• If the computer that is managing a DirectAccess client from the intranet is running
Windows Vista or Windows Server 2008 and IPsec transport mode is required between the
managing computer and the DirectAccess client, both computers must have the same quick
mode lifetimes.
28
• Management server traffic to DirectAccess clients
The following topics describe the required packet filtering for each of these types of traffic:
• Packet Filters for Your Internet Firewall
• Packet Filters for Your Intranet Firewall
• Confining ICMPv6 Traffic to the Intranet
• Packet filters for Teredo Connectivity
• Packet Filters for Management Computers
29
the encapsulation headers required for IPv6 transition technologies. In the IPv6 header, the
Protocol field is set to 50 to indicate an ESP-protected payload.
• UDP destination port 500 inbound and UDP source port 500 outbound
DirectAccess on the IPv6 Internet uses the Internet Key Exchange (IKE) and Authenticated
Internet Protocol (AuthIP) protocols to negotiate IPsec security settings. The DirectAccess
server is listening on UDP port 500 for incoming IKE and AuthIP traffic.
• All Internet Control Message Protocol for IPv6 (ICMPv6) traffic inbound and outbound
30
These default settings allow Teredo-based DirectAccess clients to perform Teredo discovery of
intranet resources. However, these settings also allow the following:
• Any computer with a Teredo or 6to4 client can send Internet Control Message Protocol for
IPv6 (ICMPv6) traffic to intranet locations through the DirectAccess server to probe for valid
intranet destination IPv6 addresses. The amount of this traffic is limited by the Denial of
Service Protection (DoSP) component of the DirectAccess server.
• A malicious user on the same subnet as a Teredo-based DirectAccess client can determine
the IPv6 addresses of intranet servers by capturing ICMPv6 Echo Request and Echo Reply
message exchanges.
To prevent these possible security issues, you can modify the default configuration for the
following:
• Configure the global IPsec settings for the Group Policy object for DirectAccess clients to not
exempt ICMP traffic from IPsec protection (from the IPsec Settings tab for the properties of
the Windows Firewall with Advanced Security snap-in).
• Configure the global IPsec settings for the Group Policy object for the DirectAccess server to
not exempt ICMP traffic from IPsec protection (from the IPsec Settings tab for the properties
of the Windows Firewall with Advanced Security snap-in).
• For the Group Policy object for the DirectAccess server, create a new connection security rule
that exempts ICMPv6 traffic when it is tunneled from the DirectAccess server.
• For the Group Policy object for DirectAccess clients, create a new connection security rule
that exempts ICMPv6 traffic when it is tunneled to the DirectAccess server.
With these modifications:
• All ICMPv6 traffic sent through the DirectAccess server must be sent using a tunnel. Only
DirectAccess clients can send ICMPv6 traffic to intranet locations.
• Malicious users on the same subnet as the DirectAccess client will only be able to determine
the IPv6 addresses of the DirectAccess client and the DirectAccess server. Intranet IPv6
addresses will be tunneled and encrypted with IPsec.
Although these modifications address the security issues of the default configuration, Teredo
discovery messages can no longer pass through the DirectAccess server and DirectAccess
clients cannot use Teredo as a connectivity method. Therefore, if you make these changes, you
must also do the following:
• Disable Teredo client functionality on your DirectAccess clients
From the Group Policy object for DirectAccess clients, set Computer
Configuration\Administrative Templates\Networking\TCPIP Settings\IPv6 Transition
Technologies\Teredo State to Disabled.
• Disable Teredo server and relay functionality on your DirectAccess server
Type the netsh interface teredo set state state=disabled command from an administrator-
level command prompt on your DirectAccess server.
If you previously added a packet filter on your Internet firewall to allow Teredo traffic to and
from the DirectAccess server, remove it.
31
Without Teredo connectivity, DirectAccess clients that are located behind network address
translators (NATs) will use Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS)
for IPv6 connectivity to the DirectAccess server. However, IP-HTTPS-based connections have
lower performance and higher overhead than Teredo-based connections.
32
Enable inbound ICMPv6 Echo Requests for
management traffic
For a computer that is being managed to be reachable over Teredo, ensure that the computer has
an inbound rule for ICMPv6 Echo Request messages with edge traversal enabled. The Network
Shell (Netsh) command-line tool command for this rule is the following:
netsh advfirewall firewall add rule name="Inbound ICMPv6 Echo Request with Edge
traversal" protocol=icmpv6:128,0 dir=in action=allow edge=yes profile=public,private
33
To use the security=authenc setting, ensure that there is a connection security rule that protects
the connection between the remote desktop computer and the DirectAccess client.
Note
If the computer that is managing a DirectAccess client from the intranet is running
Windows Vista or Windows Server 2008 and Internet Protocol security (IPsec) transport
mode is required between the managing computer and the DirectAccess client, both
computers must have the same quick mode lifetimes.
34
For more information about third-party firewall requirements for Teredo, see Teredo co-existence
with third-party firewalls (http://go.microsoft.com/fwlink/?Linkid=157705).
Note
If you modify the connection security rules created by the DirectAccess Setup Wizard,
you must use Network Shell (Netsh) commands. There are connection security rule
settings that cannot be modified with the Windows Firewall with Advanced Security snap-
in. If you modify these connection security rules with the Windows Firewall with Advanced
Security snap-in, they will be overwritten with default values, which can result in
incompatible connection security rules that prevent DirectAccess connections.
35
• First authentication: Computer certificate or Computer (Kerberos V5)
• Second authentication: User (Kerberos V5)
Note
If you modify the connection security rules created by the DirectAccess Setup Wizard,
you must use Network Shell (Netsh) commands. There are connection security rule
settings that cannot be modified with the Windows Firewall with Advanced Security snap-
in. If you modify these connection security rules with the Windows Firewall with Advanced
Security snap-in, they will be overwritten with default values, which can result in
incompatible connection security rules that prevent DirectAccess connections.
36
Prompts for smart card credentials while on the intranet
Due to the timing between intranet detection and the automatic establishment of tunnels to the
DirectAccess server, it is possible for users of DirectAccess clients using smart cards to be
prompted for smart card credentials when they are directly connected to the intranet. This is a
prompt that users can ignore without loss of connectivity. The solutions to this issue are the
following:
• Move the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) routing function to a
separate server and then add packet filters to this server that block all User Datagram
Protocol (UDP) traffic for Internet Key Exchange (IKE) and AuthIP from the Internet Protocol
version 6 (IPv6) address prefix of the intranet to the IPv6 address of the DirectAccess
server’s tunnel endpoint. These filters will drop the tunnel establishment traffic sent by
DirectAccess clients while intranet detection is in progress. For an example of moving the
ISATAP routing function to another server, see Capacity Planning for DirectAccess Servers.
• Add a connection security rule that sends tunnel endpoint traffic to an invalid destination while
intranet detection is occurring. For example, use the following Network Shell (netsh)
command-line tool command: netsh advfirewall consec add rule name="Corp
connectivity to prevent smart card prompt" endpoint1=IntranetIPv6Prefix
endpoint2=IntranetIPv6Prefix localtunnelendpoint=InvalidIPv6Address mode=tunnel
action=requireinrequireout auth1=computercert auth1ca="CN=NonExistentCA".
Both of these solutions prevent the tunnel negotiation with the DirectAccess server during intranet
detection when the DirectAccess client is on the intranet. By preventing tunnel negotiation, smart
card authorization will never occur and the user will not be prompted for their smart card
credentials.
37
Note
If you manually configure this setting with the Users tab, you must specify the name
LocalComputerName\This Organization Certificate rather than NT AUTHORITY\This
Organization Certificate.
To perform the equivalent configuration of the DirectAccess Setup Wizard with the Network Shell
(Netsh) command-line tool, use the following commands:
netsh advfirewall consec add rule name=”Smart card tunnel” endpoint1=Intranet IPv6
address space endpoint2=Any localtunnelendpoint=DirectAccess server IPv6 address
remotetunnelendpoint=any auth1=Computercert auth1ca=”Certificate Auth name
certmapping:yes” auth2=userkerb applyauthz=yes
netsh advfirewall set global ipsec authzusergrp=O:LSD:(A;;CC;;;S-1-5-65-1)
38
If you must have an Active Directory domain controller that is on the perimeter network, and
therefore reachable from the Internet interface of DirectAccess server, you can prevent the
DirectAccess server from reaching it by adding packet filters on the Internet interface of the
DirectAccess server that prevent connectivity to the Internet Protocol (IP) address of the
perimeter network domain controller.
Because the DirectAccess server is an IPv6 router, if you have a native IPv6 infrastructure, the
Internet interface can also reach the domain controllers on the intranet. In this case, add packet
filters to the Internet interface that prevent connectivity to the intranet domain controllers.
Split-brain DNS
Split-brain DNS is the use of the same DNS domain for both Internet and intranet resources. For
example, the Contoso Corporation is using split brain DNS; contoso.com is the domain name for
intranet resources and Internet resources. Internet users use http://www.contoso.com to access
Contoso’s public Web site and Contoso employees on the Contoso intranet use
http://www.contoso.com to access Contoso’s intranet Web site. A Contoso employee with their
laptop that is not a DirectAccess client on the intranet that accesses http://www.contoso.com sees
the intranet Contoso Web site. When they take their laptop to the local coffee shop and access
that same URL, they will see the public Contoso Web site.
When a DirectAccess client is on the Internet, the Name Resolution Policy Table (NRPT) sends
DNS name queries for intranet resources to intranet DNS servers. A typical NRPT for
DirectAccess will have a rule for the namespace of the organization, such as contoso.com for the
Contoso Corporation, with the Internet Protocol version 6 (IPv6) addresses of intranet DNS
servers. With just this rule in the NRPT, when a user on a DirectAccess client on the Internet
attempts to access the uniform resource locator (URL) for their Web site (such as
39
http://www.contoso.com), they will see the intranet version. Because of this rule, they will never
see the public version of this URL when they are on the Internet.
If you want users on DirectAccess clients to see the public version of this URL when they are on
the Internet, you must add the fully qualified domain name (FQDN) of the URL as an exemption
rule to the NRPT of DirectAccess clients. However, if you add this exemption rule, users on
DirectAccess clients will never see the intranet version of this URL when they are on the Internet.
For split-brain DNS deployments, you must list the FQDNs that are duplicated on the Internet and
intranet and decide which resources the DirectAccess client should reach, the intranet version or
the public (Internet) version. For each name that corresponds to a resource for which you want
DirectAccess clients to reach the public version, you must add the corresponding FQDN as an
exemption rule to the NRPT for your DirectAccess clients.
In a split-brain DNS environment, if you want both versions of the resource to be available,
configure your intranet resources with alternate names that are not duplicates of the names that
are being used on the Internet and instruct your users to use the alternate name when on the
Intranet. For example, configure and use the alternate name www.internal.contoso.com for the
intranet name www.contoso.com.
In a non-split-brain DNS environment, the Internet namespace is different from the intranet
namespace. For example, the Contoso Corporation uses contoso.com on the Internet and
corp.contoso.com on the intranet. Because all intranet resources use the corp.contoso.com DNS
suffix, the NRPT rule for corp.contoso.com routes all DNS name queries for intranet resources to
intranet DNS servers. DNS name queries for names with the contoso.com suffix do not match the
corp.contoso.com intranet namespace rule in the NRPT and are sent to Internet DNS servers.
With a non-split-brain DNS deployment, because there is no duplication of FQDNs for intranet
and Internet resources, there is no additional configuration needed for the NRPT. DirectAccess
clients can access both Internet and intranet resources for their organization.
40
AAAA records for servers that do not perform
DNS dynamic update
For servers running IPv6-capable non-Windows operating systems that do not support DNS
dynamic update for IPv6 addresses, manually add AAAA records for the names and IPv6
addresses of these servers.
41
NRPT rules
In step 3 of the DirectAccess Setup Wizard, you configure the rules in the NRPT, an internal table
used by the DNS Client service to determine where to send DNS name queries. The
DirectAccess Setup Wizard automatically creates two rules for DirectAccess clients:
• A DNS suffix rule for the domain name of the DirectAccess server and the IPv6 addresses
corresponding to the intranet DNS servers configured on the DirectAccess server. For
example, if the DirectAccess server is a member of the corp.contoso.com domain, the
DirectAccess Setup Wizard creates a rule for the .corp.contoso.com DNS suffix.
• An exemption rule for the FQDN of the network location server. For example, if the network
location server URL is https://nls.corp.contoso.com, the DirectAccess Setup Wizard creates
an exemption rule for the FQDN nls.corp.contoso.com.
You might need to configure additional NRPT rules in step 3 of the DirectAccess Setup Wizard in
the following cases:
• You need to add more DNS suffixes for your intranet namespace.
• If the FDQN of your intranet and Internet CRL distribution points are based on your intranet
namespace, you must add exemption rules for the FQDNs of your Internet and intranet CRL
distribution points.
• If you have a split-brain DNS environment, you must add exemption rules for the names of
resources for which you want DirectAccess clients located on the Internet to access the
public (Internet) version, rather than the intranet version.
• If you are redirecting traffic to an external Web site through your intranet Web proxy servers,
the external Web site is only available from the intranet, and the external Web site is using
the addresses of your Web proxy servers to permit the inbound requests, then you must add
an exemption rule for the FQDN of the external Web site and specify that the rule use your
intranet Web proxy server, rather than the IPv6 addresses of intranet DNS servers.
For example, the Contoso Corporation is testing an external Web site named
test.contoso.com. This name is not resolvable via Internet DNS servers, but Contoso’s Web
proxy server knows how to resolve the name and to direct requests for the Web site to the
external Web server. To prevent users who are not on the Contoso intranet from accessing
the site, the external Web site only allows requests from the Internet Protocol version 4 (IPv4)
Internet address of the Contoso Web proxy. Therefore, intranet users can access the Web
site because they are using the Contoso Web proxy but DirectAccess users cannot because
they are not using the Contoso Web proxy. By configuring an NRPT exemption rule for
test.contoso.com that uses the Contoso Web proxy, Web page requests for test.contoso.com
will be routed to the intranet Web proxy server over the IPv4 Internet.
You can also configure NRPT rules from Computer Configuration\Policies\Windows
Settings\Name Resolution Policy in the Group Policy object for DirectAccess clients.
Notes
42
If you are configuring namespace rules and your DNS servers are located outside of the
intranet, you should protect the DNS queries to these servers with either Internet Protocol
security (IPsec) or DNS Security Extensions (DNSSEC).
Note
Note
If the name of a server on the local subnet is a duplicate of a server name on the intranet,
the DirectAccess client will always connect to the intranet resource. For example, if your
home network server is named Server1 and there is an intranet server of the same name,
you will always connect to the intranet Server1. To connect to the local subnet resource,
append “.local” to the name of the server. For example, to connect to the local subnet
server named Server1, use the name Server1.local.
External DNS
The DirectAccess Setup wizard configures DirectAccess clients with the IPv4 addresses of the
6to4 relay and the Teredo server with Group Policy settings in Computer
Configuration\Policies\Administrative Templates\Network\TCPIP Settings\IPv6 Transition
Technologies. For the URL for the Internet Protocol over Secure Hypertext Transfer Protocol (IP-
HTTPS) server (the IP-HTTPS State setting), the DirectAccess Setup Wizard configures
https://Subject:443/IPHTTPS, in which Subject is the Subject field of the HTTPS certificate that
you specify in Step 2 of the DirectAccess Setup Wizard. If the Subject field of the IP-HTTPS
certificate is an FQDN, you must ensure that the FQDN is resolvable using Internet DNS servers.
43
If you modify the 6to4 Relay Name or Teredo Server Name Group Policy settings to use FQDNs
rather than an IPv4 address, you must ensure that the FQDNs are resolvable using Internet DNS
servers.
You must also ensure that the FQDNs for your Internet-accessible certificate revocation list (CRL)
distribution points are resolvable using Internet DNS servers. For example, if the URL
http://crl.contoso.com/crld/corp-DC1-CA.crl is in the CRL Distribution Points field of the IP-HTTPS
certificate of the DirectAccess server, you must ensure that the FQDN crld.contoso.com is
resolvable using Internet DNS servers.
44
• For the CRL Distribution Points field, a CRL distribution point that is accessible by
DirectAccess clients that are connected to the intranet.
If the DirectAccess server is the network location server, you need an additional certificate for
HTTPS authentication. You cannot use the IP-HTTPS certificate for the network location server
HTTPS certificate. You should configure both certificates with friendly names that indicate their
purpose so that they are easier to select in the DirectAccess Setup Wizard.
Note
If your intranet CRL distribution points are only reachable over IPv6, you must configure a
Windows Firewall with Advanced Security connection security rule to exempt IPsec
protection from the IPv6 address space of your intranet to the IPv6 addresses of your
CRL distribution points.
45
Enabling strong CRL checking for IPsec
authentication
By default, the DirectAccess server uses weak CRL checking when performing certificate-based
IPsec peer authentication with DirectAccess clients. With weak CRL checking, certificate
revocation checking fails only if the validating computer confirms that the certificate has been
revoked in the CRL. The DirectAccess client does not perform certificate revocation checking by
default. Revoking computer certificates is one way of blocking DirectAccess for specific
DirectAccess clients. A simpler and preferred method is to disable the computer account in Active
Directory. This method immediately prevents DirectAccess connections, such as when a laptop
computer is lost or stolen, and does not have the delay associated with propagating CRL updates
to CRL distribution points.
For an additional level of protection, you can configure strong CRL checking, in which certificate
revocation checking fails if the validating computer confirms that the certificate has been revoked
or for any error encountered during certificate revocation checking, including the inability to
access the CRL distribution point.
Notes
If you enable strong CRL checking and the DirectAccess server cannot reach the CRL
distribution point, certificate-based IPsec authentication for all DirectAccess connections
will fail.
If you are using Network Access Protection (NAP) with DirectAccess and you enable
strong CRL checking, certificate-based IPsec authentication for all DirectAccess
connections will fail. Health certificates do not contain CRL distribution points because
their lifetime is on the order of hours, instead of years for computer certificates.
Note
You should design your PKI to replicate the entire smart card certificate chain to the
current user certificate store in a timely manner. If the PKI is slow in replicating the
certificate chain, users will obtain a smart card certificate and leave the intranet, but be
unable to use smart card authorization. To correct this condition, they might have to
return to the intranet and logon with their smart card credentials to force the PKI to install
the entire certificate chain in the local user’s certificate store.
46
Design your Web Servers for DirectAccess
You will need Web locations for the following resources:
• The network location server through a Secure Hypertext Transfer Protocol (HTTPS)-based
uniform resource locator (URL) (required)
• An HTTP-based certificate revocation list (CRL) distribution point for the HTTPS certificate of
the network location server that is accessible on the intranet (optional)
• An HTTP-based CRL distribution point for the Internet Protocol over HTTPS (IP-HTTPS)
certificate of the DirectAccess server that is accessible on the Internet (optional)
Note
The intranet and Internet CRL distribution points can also be based on a universal
naming convention (UNC) path of a file server.
In all of these cases, the Web server providing these resources must be highly available. If these
resources cannot be reached, the following occurs:
• If the DirectAccess client on the intranet is unable to reach the HTTPS-based URL of the
network location server, a DirectAccess client cannot detect when it is on the intranet and
might not be able to access intranet resources.
• If the DirectAccess client on the intranet is unable to reach the intranet CRL distribution point
to perform certificate revocation checking for the network location server, a DirectAccess
client cannot detect when it is on the intranet and might not be able to access intranet
resources.
• If the DirectAccess client on the Internet is unable to reach the Internet CRL distribution point
to perform certificate revocation checking for the IP-HTTPS certificate, a DirectAccess client
cannot use IP-HTTPS. Because IP-HTTPS is the last transition technology that is used for
Internet Protocol version 6 (IPv6) connectivity to the DirectAccess server, DirectAccess
clients will not be able to establish a connection to the DirectAccess server when behind a
firewall or Web proxy or behind a network address translator (NAT) when the Teredo client
has been disabled.
• If you configure strong CRL checking on the DirectAccess server and it cannot reach the CRL
distribution points in the DirectAccess client’s certificate, certificate-based authentication for
the IPsec tunnels will fail and DirectAccess clients will be unable to access intranet
resources.
For Internet Information Services (IIS)-based Web servers, see Planning Redundancy for a
Network Location Server and Planning Redundancy for CRL Distribution Points for information
about high availability for Web servers.
47
• Domain Name System (DNS) name queries for intranet fully qualified domain names
(FQDNs) and all intranet traffic is exchanged over the tunnels created with the DirectAccess
server or directly with intranet servers. Intranet traffic from DirectAccess clients is IPv6 traffic.
• DNS name queries for FQDNs that correspond to exemption rules or do not match the
intranet namespace and all traffic to Internet servers is exchanged over the physical interface
that is connected to the Internet. Internet traffic from DirectAccess clients is typically Internet
Protocol version 4 (IPv4) traffic.
This is the default and recommended operation of DirectAccess.
In contrast, some remote access virtual private network (VPN) implementations, including the
VPN client in Windows 7, by default send all of their traffic—both intranet and Internet—over the
remote access VPN connection. Internet-bound traffic is routed by the VPN server to intranet
IPv4 Web proxy servers for access to IPv4 Internet resources. It is possible to separate the
intranet and Internet traffic for remote access VPN clients using split tunneling, in which you
configure the Internet Protocol (IP) routing table on VPN clients so that traffic to intranet locations
is sent over the VPN connection and traffic to all other locations is sent using the physical
interface connected to the Internet.
You can configure DirectAccess clients to send all of their traffic through the tunnels to the
DirectAccess server with force tunneling. When force tunneling is configured, DirectAccess
clients that detect that they are on the Internet modify their IPv4 default route so that default route
IPv4 traffic is not sent. With the exception of local subnet traffic, all traffic sent by the
DirectAccess client is IPv6 traffic that goes through tunnels to the DirectAccess server.
Enabling force tunneling has the following consequences:
• DirectAccess clients use only Internet Protocol over Secure Hypertext Transfer Protocol (IP-
HTTPS) to obtain IPv6 connectivity to the DirectAccess server over the IPv4 Internet. IP-
HTTPS-based connections have lower performance and higher overhead on the
DirectAccess server than 6to4 and Teredo-based connections.
• The only locations that a DirectAccess client can reach by default with IPv4 traffic are those
on its local subnet. All other traffic sent by the applications and services running on the
DirectAccess client is IPv6 traffic sent over the DirectAccess connection. Therefore, IPv4-only
applications on the DirectAccess client cannot be used to reach Internet resources, except
those on the local subnet.
• Connectivity to the IPv4 Internet must be done through servers and devices on the intranet
that translate the IPv6 traffic from DirectAccess clients to IPv4 traffic for the IPv4 Internet. If
you do not have the appropriate servers or translators, your DirectAccess clients will not have
access to IPv4 Internet resources, even though they are directly connected to the IPv4
Internet.
To configure force tunneling, you must enable force tunneling on DirectAccess clients through
Group Policy and add a special entry in the NRPT.
To enable force tunneling with Group Policy, enable the Computer
Configuration\Policies\Administrative Templates\Network\Network Connections\Route all
traffic through the internal network setting in the Group Policy object for DirectAccess clients.
48
To make IPv4-based Internet resources available to DirectAccess clients that use force tunneling,
you can do one of the following:
• Use a dual protocol (IPv4 and IPv6) proxy server, which can receive IPv6-based requests for
Internet resources and translate them to requests for IPv4-based Internet resources.
• Place a Network Address Translation-Protocol Translation (NAT-PT) or NAT64 in front of your
IPv4-based proxy server. The NAT-PT or NAT64 will translate IPv6-based proxy requests to
IPv4-based requests before they are serviced by your IPv4-based proxy server.
To route DNS name resolution and connection traffic to these servers or devices for translation
and forwarding to the IPv4 Internet, you must add a rule to the NRPT for DirectAccess clients that
specifies any DNS suffix and the IPv6 address of the translation server or device.
If you are configuring the NRPT through the DirectAccess Setup Wizard, add a rule for the
following:
• Name suffix is set to “.”
• DNS server IPv4 or IPv6 addresses are set to the static IPv4 or IPv6 addresses of the dual-
protocol proxy server, NAT-PT, or NAT64
If you are configuring the NRPT through the Computer Configuration\Policies\Windows
Settings\Name Resolution Policy Group Policy setting, create a rule with the following:
• The Any suffix
• Enabled for DirectAccess
• For DNS servers, add the static IPv6 addresses of the dual-protocol proxy server, NAT-PT, or
NAT64
With this NRPT rule, a DirectAccess client sends DNS name queries that do not match any of the
other rules in the NRPT to the IPv6 address of the dual-protocol proxy server, NAT-PT, or NAT64.
Notes
Due to the infrastructure requirements and reduced performance for accessing IPv4
Internet resources, Microsoft does not recommend the use of force tunneling for
DirectAccess.
Force tunneling relies on modifying the IPv4 default route in the IPv4 routing table to
prevent the DirectAccess client computer from sending traffic directly to IPv4 Internet
locations. A user with administrative rights can modify their IPv4 default route to point to
their Internet service provider’s router on the subnet.
50
outbound connections instead of Request authentication for inbound and outbound
connections.
• For the Network Shell (Netsh) command, specify the action=requireinrequestout parameter
instead of action=requestinrequestout.
With this additional protection, outbound connections to other DirectAccess clients is encrypted
regardless of the application. Outbound connections to Internet destinations and non-
DirectAccess clients is sent as clear text.
51
DirectAccess client and the intranet resources that it is trying to reach. This additional
configuration also aids in diagnosing DirectAccess connections.
To configure settings and infrastructure needed for DirectAccess clients to access a specific
intranet Web site, do the following:
1. Determine a Web site on your intranet that is not accessible from the Internet, is highly
available, and is reachable with IPv6. To ensure its ongoing reachability with IPv6, either
assign a static IPv6 address if you have a native IPv6 infrastructure or a static Internet
Protocol version 4 (IPv4) address if you are using Intra-Site Automatic Tunnel Addressing
Protocol (ISATAP). For example, the Contoso Corporation uses cweb.corp.contoso.com as its
central, highly-available intranet Web site. This Web server uses ISATAP and a static IPv4
address.
2. Enable the Computer Configuration/Policies/Administrative
Templates/Network/Network Connectivity Status Indicator/Corporate Website Probe
URL Group Policy setting in the Group Policy object for DirectAccess clients and configure it
for the highly available intranet URL. For example, enable and configure the Corporate
Website Probe URL setting with http://cweb.corp.contoso.com.
Note
If the name of the highly-available intranet Web site changes, you will have to update the
Corporate Website Probe URL setting with the new URL.
You also need to add the IPv6 address for the infrastructure tunnel endpoint to the Computer
Configuration/Policies/Administrative Templates/Network/Network Connectivity Status
Indicator/Corporate Site Prefix List Group Policy setting in the Group Policy object (GPO) for
DirectAccess clients. The IPv6 address for the infrastructure tunnel endpoint is configured in the
Windows Firewall with Advanced Security connection security rule named DirectAccess Policy-
ClientToDnsDc in the GPO for DirectAccess clients.
Note
If you use the Use local name resolution if the internal network DNS servers
determined that the name does not exist or if the internal network DNS servers are
not reachable and the DirectAccess client computer is on a private network option
for local host name resolution, the Corporate Website Probe URL setting must be
specified as a FQDN, rather than an unqualified, single-label name. If you use an
unqualified, single-label name, corporate connectivity detection might incorrectly detect
that corporate connectivity exists and diagnostics for DirectAccess can be affected.
52
used simultaneously for different sets of clients. For example, intranet client computers running
Windows Vista or Windows XP can continue to use your remote access VPN solution and
computers running Windows 7 can begin to use DirectAccess.
If a computer running Windows 7 is both a DirectAccess client and a remote access VPN client,
ensure the following:
• The remote access VPN server is not blocking access to the network location server on the
intranet, even when the network access of VPN clients is restricted. When the remote access
VPN connection is active, the DirectAccess client should successfully detect that it is located
on the intranet, regardless of its VPN-based network access status (restricted or full access).
• Firewall or connection security rules of the DirectAccess client should not block access to
locations needed to remediate the system health of the computer when it has its access
restricted as a remote access VPN client.
• The fully qualified domain name (FQDN) of the VPN server on the Internet either does not
match the intranet namespace or there is a corresponding exemption rule for the FQDN in the
Name Resolution Policy Table (NRPT).
The same computer acting as a DirectAccess server and a remote access VPN server with
Routing and Remote Access is not a supported configuration, except when used with Microsoft
Forefront Unified Access Gateway (UAG). For more information, see Overview of Forefront UAG
(http://go.microsoft.com/fwlink/?LinkId=160322).
The DirectAccess server must be joined to an Active Directory domain, running Windows
Server 2008 R2, and have at least two physical network adapters installed.
The DirectAccess server must have at least two, consecutive public Internet Protocol version 4
(IPv4) addresses assigned to the interface that is connected to the perimeter network, or, in the
54
absence of an Internet firewall, connected directly to the Internet. Addresses in the ranges
10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 are private IPv4 addresses and cannot be used.
The DirectAccess server requires two consecutive public IPv4 addresses so that it can act as a
Teredo server and Windows-based Teredo clients can use the DirectAccess server to perform
detection of the type of network address translator (NAT) that they are behind. For more
information, see Teredo Overview (http://go.microsoft.com/fwlink/?Linkid=157322).
Note
The DirectAccess Management console sorts the public IPv4 addresses assigned to the
Internet adapter lexigraphically, rather than numerically. In a lexigraphic sort, numbers are
sorted alphabetically. Therefore, the DirectAccess Management console does not
consider the following sets of addresses as consecutive: w.x.y.9 and w.x.y.10, which is
sorted as w.x.y.10, w.x.y.9; w.x.y.99 and w.x.y.100, which is sorted as w.x.y.100, w.x.y.99;
w.x.y.1, w.x.y.2, and w.x.y.10, which is sorted as w.x.y.1, w.x.y.10, w.x.y.2. Use a different
set of consecutive addresses.
On the DirectAccess server, you install the DirectAccess Management Console feature through
Server Manager. You use the DirectAccess management console to configure DirectAccess
settings for the DirectAccess server and clients and monitor the status of the DirectAccess server.
DirectAccess servers should not host any other primary functions; they should be dedicated to
DirectAccess.
55
• The Hyper-V servers are joined to the domain and connected to the appropriate
networks.
• Ensure that the Hyper-V nodes are enabled to support Data Execution Prevention and
Processor Virtualization.
Make the following Hyper-V configuration settings:
• To improve overall performance, configure the following in the properties for the virtual
machine in Failover Cluster Manager:
• Do not set a preferred owner.
• Set Failback to Prevent Failback. If Failback is enabled, unnecessary outages may occur
when the DirectAccess VM resource is migrated or recovers from a node failure.
• To speed up client reconnection in the event of a quick migration or node failure, set the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\
Oakley\NLBSFlags registry value to 1 on the DirectAccess virtual machine for faster idle
timeout of IPsec security associations (SAs). With the NLBSFlags registry value set to 1, the
total time it takes for IPsec to fail over is two minutes; one minute for the idle time to expire
plus one minute for IKE to renegotiate SAs. The Hyper-V nodes do not need this
configuration change.
With Hyper-V and Failover Clustering the primary failover mechanisms are the following:
• Live migration
There should be no discernable client connectivity outage when the clustered DA server is
live migrated.
• Quick migration
With the NLBSFlags registry value set to 1, the maximum client connectivity outage on a
quick migration should be less than two minutes.
• Resource move
With the NLBSFlags registry value set to 1, the maximum client connectivity outage on a
manual resource move should be less than two minutes.
Hyper-V and Failover Clustering also support automatic recovery from a single node failure.
When failover occurs, a client should get reconnected within two minutes; there is no action
needed from the user to get reconnected. If the NLBSFlags registry value is set to 1 and the host
is back online in less than two minutes, the maximum client connectivity outage on a mode failure
should be less than two minutes.
56
Where to Place the Network Location Server
The network location server is a critical part of a DirectAccess deployment. If DirectAccess client
computers on the intranet cannot successfully locate and access the secure Web page on the
network location server, they might not be able to access intranet resources.
When DirectAccess clients obtain a physical connection to the intranet or experience a network
status change on the intranet (such as an address change when roaming between subnets), they
attempt a Secure Hypertext Transfer Protocol (HTTPS) connection to a configured uniform
resource locator (URL). If the DirectAccess client can successfully obtain an HTTPS connection
to the location in the configured URL, including a revocation check of the Web server’s certificate,
they determine that they are on the intranet.
To ensure that the FQDN of the network location server is reachable for a DirectAccess client with
DirectAccess-based rules in the NRPT, the DirectAccess Setup Wizard by default adds the FQDN
of the network location server as an exemption rule to the NRPT. When the DirectAccess client
attempts to resolve the FQDN of the network location server, the FQDN matches the exemption
rule in the NRPT and the DirectAccess client uses interface-configured DNS servers, which are
reachable to resolve the name and connect to the network location server.
Note
Because the FQDN of network location URL is added as an exemption rule to the NRPT,
the intranet Web server at that FQDN will not be accessible to DirectAccess clients on the
Internet.
To ensure that DirectAccess clients can correctly detect when they are on the Internet,
DirectAccess clients on the Internet must not be able to successfully access the network location
URL. You can accomplish this by ensuring that the FQDN cannot be resolved using Internet DNS
servers, configuring the Web server to deny connections from Internet-based clients, or by
ensuring that the certificate validation process fails when DirectAccess clients are on the Internet.
In the DirectAccess Setup Wizard, you can specify that the DirectAccess server act as the
network location server or you can type the HTTPS-based URL for network location, specifying a
network location server that is separate from the DirectAccess server. Using a separate network
location server that is a highly available intranet Web server is strongly recommended.
57
The certificate used by the Web server to act as a network location server has the following
requirements:
• In the Subject field, either an Internet Protocol (IP) address of the intranet interface of the
Web server or the FQDN of the network location URL.
• For the Enhanced Key Usage field, the Server Authentication object identifier (OID).
• For the CRL Distribution Points field, a certificate revocation list (CRL) distribution point that is
accessible by DirectAccess clients that are connected to the intranet.
The FQDN in the URL or the universal naming convention (UNC) path of the CRL distribution
point location should either match an exemption rule or no rules in the NRPT so that the
DirectAccess client can use interface-configured intranet DNS servers to resolve the name. If the
DirectAccess client cannot resolve the FQDN in the URL or UNC of the CRL distribution point,
access the CRL distribution point, and verify that the network location server’s certificate has not
been revoked, intranet detection fails.
58
Overview of the Network Load Balancing Deployment Process (http://go.microsoft.com/fwlink/?
LinkId=159956).
59
Planning Redundancy for CRL Distribution
Points
If the intranet certificate revocation list (CRL) distribution point becomes unavailable, intranet
detection will fail for DirectAccess clients on the intranet. If the Internet CRL distribution point
becomes unavailable, DirectAccess clients on the Internet will be unable to use Internet Protocol
over Secure Hypertext Transfer Protocol (IP-HTTPS)-based connections to the DirectAccess
server.
For CRL distribution point redundancy, you can do the following:
• For a single CRL distribution point, you can configure redundancy for Internet Information
Services (IIS)-based Web servers or Windows Server 2008 R2 or Windows Server 2008-
based file servers with Network Load Balancing. For more information, see Overview of the
Network Load Balancing Deployment Process (http://go.microsoft.com/fwlink/?
LinkId=159956).
• You can also configure multiple CRL distribution points on different Web or file servers on
your intranet or the Internet.
60
Note
To prevent timing problems that might occur when obtaining Kerberos authentication and
accessing the Web location on the intranet HRA, you can configure Internet Information
Services (IIS) on the HRA to use NTLM authentication with the %windir
%\system32\inetsrv\appcmd.exe set config
-section:system.webServer/security/authentication/windowsAuthentication
/-providers.[value='Negotiate'] command.
Note
If you modify the connection security rules created by the DirectAccess Setup Wizard,
you must use Network Shell (Netsh) commands. There are connection security rule
settings that cannot be modified with the Windows Firewall with Advanced Security snap-
in. If you modify these connection security rules with the Windows Firewall with Advanced
Security snap-in, they will be overwritten with default values, which can result in
incompatible connection security rules that prevent DirectAccess connections.
61
• In deferred enforcement mode, DirectAccess clients will be able to perform peer
authentication for the intranet tunnel on the DirectAccess server even when they are not
compliant with system health requirements. However, users on noncompliant DirectAccess
clients receive a notification that they are not compliant and a date by which they will no
longer be able to connect if they are still noncompliant.
• In full enforcement mode, DirectAccess clients will not be able to perform peer authentication
for the intranet tunnel when they are not compliant with system health requirements. Users on
noncompliant DirectAccess clients will receive a notification that they are not compliant.
For reporting mode and deferred enforcement mode, there are no changes that need to be made
to the settings of the Group Policy objects for the intranet tunnel. For full enforcement mode, you
must make the following configuration changes:
• For the GPO for DirectAccess servers, require health certificates for the Computer certificate
authentication method in the DirectAccess Policy-DaServerToDnsDc connection security rule.
• For the GPO for DirectAccess servers, require health certificates for the Computer certificate
authentication method in the DirectAccess Policy-DaServerToMgmt connection security rule.
• For the GPO for DirectAccess servers, require health certificates for the Computer certificate
authentication method and enable authorization for IPsec tunneling in the DirectAccess
Policy-DaServerToCorp connection security rule.
Note
If you modify the connection security rules created by the DirectAccess Setup Wizard,
you must use Network Shell (Netsh) commands. There are connection security rule
settings that cannot be modified with the Windows Firewall with Advanced Security snap-
in. If you modify these connection security rules with the Windows Firewall with Advanced
Security snap-in, they will be overwritten with default values, which can result in
incompatible connection security rules that prevent DirectAccess connections.
62
Setup Wizard to determine whether they are compatible. A mismatch in global IPsec or
connection security rule settings between DirectAccess and SDI can cause an IPsec negotiation
failure and a lack of connectivity when a DirectAccess client attempts to access an intranet
resource protected with SDI.
For example, you need to ensure that the global main mode IPsec settings of your DirectAccess
clients match the global main mode IPsec settings of your SDI deployment. The DirectAccess
Setup Wizard will configure default global main mode IPsec settings for DirectAccess clients to
match those of the default global main mode IPsec settings for Windows Vista and Windows
Server 2008. If you have changed the global main mode IPsec settings for your SDI deployment
from their default values, you need to configure the global main mode IPsec settings of the Group
Policy object for DirectAccess clients created by the DirectAccess Setup Wizard to match them.
Additional design considerations for deploying DirectAccess in an existing SDI environment are
the following:
• To allow for Teredo client discovery, you should exempt Internet Control Message Protocol
(ICMP) from IPsec protection in your SDI deployment.
• If you are only using SDI for data integrity, you must use Encapsulating Security Protocol
(ESP)-NULL, rather than Authentication Header (AH). If you are using AH, you should
reconfigure your SDI deployment to use ESP-NULL before deploying DirectAccess.
63
• Move the Internet Protocol security (IPsec) gateway function to a separate server that has
IPsec offload hardware
• Use DirectAccess with Microsoft Forefront Unified Access Gateway (UAG)
64
In this example, Server 1 provides the 6to4 relay, Teredo server, and IP-HTTPS server functions
and Server 2 provides ISATAP router and IPsec gateway functions. DirectAccess clients use
Server 1 to tunnel traffic across the IPv4 Internet and establish the infrastructure and intranet
IPsec tunnels with Server 2. Intranet computers forward traffic to DirectAccess clients to Server 2.
The requirements of this configuration are the following:
• Both Server 1 and Server 2 must have two physical interfaces, one classified as a public
interface and one classified as a domain interface. Server 1 has its public interface on the
Internet.
• The subnet for the link between the Server 1 and Server 2, the intra-server subnet, must use
native IPv6 addressing. You cannot use 6to4 or ISATAP tunneling on this link. You must pick
a unique 64-bit prefix for your intranet and configure static IPv6 addresses for each interface
on this subnet.
• You must configure a default IPv6 route (::/0) on Server 2 that points to Server 1’s interface
on the intra-server subnet.
• Because Server 2 computer is a native IPv6 router, you must configure outbound firewall
rules on the interface on the intra-server subnet to prevent reachability to intranet domain
controllers.
• The tunnel endpoints in the Group Policy objects for the DirectAccess clients and server must
specify the native IPv6 address of Server 2’s interface on the intra-server subnet.
With this configuration, Server 2 acts as the IPsec intranet and infrastructure tunnel endpoint,
providing decryption services for packets from DirectAccess clients and encryption services for
packets to DirectAccess clients.
The following figure shows an example of the traffic between DirectAccess clients and intranet
servers for the full intranet access model.
The traffic over the Internet between the DirectAccess client and Server 2 is encrypted through
the intranet tunnel. The traffic over the intranet between Server 2 and intranet servers is clear
text.
The recommended method to deploy this configuration is the following:
1. While configured with two consecutive public IPv4 addresses, complete the DirectAccess
Setup Wizard on Server 2.
65
2. Set up the intra-server subnet and the static IPv6 addressing of Server 1. Reconfigure Server
2 with the appropriate IPv4 addresses for the intra-server subnet and remove the two
consecutive public IPv4 addresses. Configure Server 1 with the two consecutive public IPv4
addresses on the Internet interface.
3. Configure Server 1 as a default advertising router for the intra-server subnet, and a 6to4
relay, Teredo server and relay, and IP-HTTPS server on the Internet.
4. Disable the 6to4 relay, Teredo server and relay, and IP-HTTPS server functionality on Server
2.
5. Configure Group Policy settings for the new IPsec tunnel endpoint on Server 2.
66
Services roles on Windows Server 2008 R2 or Windows Server 2008 for recommendations on
scaling capacity.
Element Requirements
67
Element Requirements
Note
There are no built-in limitations on the
number of simultaneous DirectAccess
connections that a DirectAccess server
can support.
Domain Name System (DNS) server At least one running Windows Server 2008 R2,
Windows Server 2008 with the Q958194 hotfix
(http://go.microsoft.com/fwlink/?LinkID=159951),
Windows Server 2008 SP2 or later, or a third-
party DNS server that supports DNS message
exchanges over the Intra-Site Automatic Tunnel
68
Element Requirements
IPv6
IPv6 is the new version of the Network layer of the TCP/IP protocol stack that is designed to
replace Internet Protocol version 4 (IPv4), which is in wide use today on intranets and the
Internet. IPv6 provides an address space large enough to accommodate end-to-end addressing
of nodes on the IPv6 Internet, and with IPv6 transition technologies, of nodes on the IPv4
Internet. DirectAccess uses this capability to provide end-to-end addressing from DirectAccess
clients on the IPv4 or IPv6 Internet to computers on an intranet.
Because most of the current Internet is IPv4-based and many organizations have not deployed
native IPv6 addressing and routing on their intranets, DirectAccess uses IPv6 transition
technologies to provide IPv6 connectivity over these IPv4-only networks. Teredo, 6to4, Internet
Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS), and the Intra-Site Automatic
Tunnel Addressing Protocol (ISATAP) are examples of IPv6 transition technologies. These
technologies allow you to use IPv6 on the IPv4 Internet and your IPv4-only intranet. IPv6
transition technologies can simplify and reduce the costs of an IPv6 deployment.
6to4
6to4, defined in RFC 3056, is an IPv6 transition technology that provides IPv6 connectivity across
the IPv4 Internet for hosts or sites that have a public IPv4 address. For more information, see
IPv6 Transition Technologies (http://go.microsoft.com/fwlink/?Linkid=117205).
69
Teredo
Teredo, defined in RFC 4380, is an IPv6 transition technology that provides IPv6 connectivity
across the IPv4 Internet for hosts that are located behind an IPv4 network address translation
(NAT) device and are assigned a private IPv4 address. For more information, see Teredo
Overview (http://go.microsoft.com/fwlink/?Linkid=157322).
IP-HTTPS
IP-HTTPS is a new protocol for Windows 7 and Windows Server 2008 R2 that allows hosts
behind a Web proxy server or firewall to establish connectivity by tunneling IPv6 packets inside
an IPv4-based HTTPS session. HTTPS is used instead of HTTP so that Web proxy servers will
not attempt to examine the data stream and terminate the connection. IP-HTTPS is typically used
only if the client is unable to connect to the DirectAccess server using the other IPv6 connectivity
methods or if force tunneling has been configured.
For the details of IP-HTTPS, see the IP over HTTPS (IP-HTTPS) Tunneling Protocol Specification
(http://go.microsoft.com/fwlink/?Linkid=157309).
Note
ISATAP can also be used to provide IPv6 connectivity when the client is at a remote
location. ISATAP deployments can either connect to the IPv6 Internet or use 6to4 to
transfer IPv6 traffic across the IPv4 Internet.
IPsec
IPsec is a framework of open standards for ensuring private, secure communications over
Internet Protocol (IP) networks through the use of cryptographic security services. IPsec provides
aggressive protection against attacks through end-to-end security. The only computers that must
know about IPsec protection are the sender and receiver in the communication. IPsec provides
the ability to protect communication between workgroups, local area network computers, domain
clients and servers, branch offices (which might be physically remote), extranets, and roaming
clients.
IPsec protection can be used in two different modes: transport mode and tunnel mode. Transport
mode is designed to protect an Internet Protocol (IP) packet payload. Tunnel mode is designed to
protect an entire IP packet. For more information, see IPsec Protocol Types
(http://go.microsoft.com/fwlink/?Linkid=157319).
70
DirectAccess uses IPsec settings in the form of connection security rules in the Windows Firewall
with Advanced Security snap-in and the Network Shell (Netsh) command-line tool advfirewall
context for peer authentication, data integrity, and data confidentiality (encryption) of
DirectAccess connections. Multiple rules can be applied to a computer simultaneously, each
providing a different function. The result of all of these rules working together is a DirectAccess
client that can have protected communications with the DirectAccess server and intranet servers,
encrypting traffic sent over the Internet and optionally protecting traffic from end-to-end.
Note
Windows Server 2003 and earlier versions of Windows Server do not fully support the
use of IPsec with IPv6. IPv6-capable resources on servers running Windows Server 2003
will only be available to DirectAccess clients if you use the full intranet access model.
IPv4-only resources on servers running Windows Server 2003, including most built-in
applications and system services, require a Network Address Translation-Protocol
Translation (NAT-PT) or NAT-64 to be available to DirectAccess clients.
Encryption
When a DirectAccess client sends data to the intranet, the traffic is encrypted over the Internet.
For the full intranet and selected server access models, multiple connection security rules
configured on the DirectAccess client defines tunnel mode IPsec settings for communication
between the DirectAccess client and the intranet:
• The first rule for the infrastructure tunnel requires authentication with a computer certificate
and encrypts traffic with IPsec and the Encapsulating Security Payload (ESP). This rule
provides protected communication with Active Directory domain controllers, DNS servers, and
other intranet resources before the user has logged on.
• The second rule for the intranet tunnel requires authentication with a computer certificate and
user-based Kerberos credentials. This rule provides protected communication to intranet
resources after the user has logged on.
For the full intranet and selected server access models, termination of IPsec tunnels between the
DirectAccess client and the intranet is done by the IPsec Gateway component on the
DirectAccess server. This component can be located on a separate server with an IPsec offload
network adapter to increase performance.
Data integrity
Data integrity allows the receiving IPsec peer to cryptographically verify that the packet was not
changed in transit. When encrypting data with IPsec, data integrity is also provided. It is possible
to specify data integrity without encryption. This might be helpful in order to mitigate the threat of
spoofing or man-in-the-middle attacks and allow you to ensure that DirectAccess clients are
connecting to their intended servers.
When sensitive data is being transmitted, IPsec with only data integrity should only be
Note
71
to-end data integrity using transport mode rules while using end-to-edge encryption for
the tunnel mode rules, which is how the selected server access model works.
DirectAccess accomplishes data integrity through the use of transport and tunnel mode IPsec
settings. These settings can be applied to DirectAccess clients, DirectAccess servers, or
application servers and provide data integrity by requiring ESP-NULL (recommended) or
Authentication Header (AH) for IPsec-protected communications. Some network infrastructure
devices or traffic monitoring and inspection solutions might not be able to parse packets with an
IPsec ESP or AH header. In this case, you can use authentication with null encapsulation to
perform IPsec peer authentication, but no per-packet data integrity.
72
NRPT exemptions
There are some names that need to be treated differently from all others with regards to name
resolution; these names must not be resolved using intranet DNS servers. To ensure that these
names are resolved with interface-configured DNS servers, you must add them as NRPT
exemptions.
If no DNS server addresses are specified in the NRPT rule, the rule is an exemption. If a DNS
name matches a rule in the NRPT that does not contain addresses of DNS servers or does not
match a rule in the NRPT, the DirectAccess client sends the name query to interface-configured
DNS servers.
If any of the following servers have a name suffix that matches an NRPT rule for the intranet
namespace, that server name must be an NRPT exemption:
• Network location servers
• Intranet certificate revocation list (CRL) distribution points
• System health remediation servers
These servers must always be resolved with interface-configured DNS servers.
73
authenticating the DirectAccess client’s access to the URL, use anonymous authentication or
NTLM. Certificate verification includes validating the certificate and verifying that it has not been
revoked by accessing the CRL location defined in the Web server’s certificate. When the
DirectAccess client successfully accesses the HTTPS-based URL of the network location server,
it determines that it is on the intranet. The DirectAccess client then removes the DirectAccess
NRPT rules from the active table and the DirectAccess client uses interface-configured DNS
servers to resolve all names.
Note
Just like the URL for the network location server, the FQDN in the URL or the universal
naming convention (UNC) path for the CRL distribution point should either match an
exemption rule or no rules in the NRPT so that the DirectAccess client can use interface-
configured intranet DNS servers to resolve the name. If the DirectAccess client cannot
resolve the FQDN for the CRL distribution point, intranet location detection fails.
Concepts
Provide a brief description of how DirectAccess works or use the following description:
DirectAccess gives users the experience of being seamlessly connected to their corporate
network (intranet) any time they have Internet access. With DirectAccess, users are able to
access intranet resources (such as e-mail servers, shared folders, or intranet Web sites)
securely without connecting to a virtual private network (VPN). DirectAccess provides
increased productivity for mobile workforce by offering the same connectivity experience both
in and outside of the office. DirectAccess is on whenever the user has an Internet connection,
giving users access to intranet resources whether they are traveling, at the local coffee shop,
or at home. DirectAccess is supported by Windows 7 Ultimate or later, Windows 7 Enterprise
or later, and Windows Server 2008 R2 or later.
Goals
List your reasons for deploying DirectAccess and state how your design plan will achieve these
goals. Also provide the following:
• Benefits. Describe the pre-deployment state of the network and the benefits you expect to
see as a result of the DirectAccess deployment.
74
• Requirements. List what is required to achieve your goals. Examples include operating
system updates, equipment purchases, training, cross-team collaboration, and project
schedules.
• Progress. Describe your current progress.
For more information, see Identifying Your DirectAccess Deployment Goals.
Integration strategy
Describe your design for integrating DirectAccess with the following technologies and solutions:
• VPN. Describe the changes made to your VPN configuration to accommodate DirectAccess
detection of the intranet when connected and for third-party VPN clients.
75
• NAP. Describe the changes to DirectAccess settings and connection security rules for
Network Access Protection (NAP) health evaluation and enforcement of DirectAccess
connections.
• Server and domain isolation. Describe changes made to your existing server and domain
isolation deployment to accommodate DirectAccess client connectivity to intranet resources.
Staging strategy
Describe how you staged the deployment of DirectAccess in your organization. Include the
following information:
• Staging milestones. List the set of infrastructure and deployment milestones and their
requirements.
• Timeline. Provide details of your proposed timeline to deploy DirectAccess on your intranet.
Include your initial timeline and any deviation from that timeline.
• Staging results. Provide the results for each stage of your DirectAccess deployment.
• Trends. Describe any trends in connectivity issues encountered.
Lessons learned
Use this section to describe problems that were encountered and solutions that were
implemented during your DirectAccess deployment.
76