Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Abstract
This document contains the Design Guide, Deployment Guide, and Troubleshooting Guide for
DirectAccess in Windows Server 2008 R2. These guides help you to design and deploy
DirectAccess servers, DirectAccess clients, and infrastructure servers on your intranet and
troubleshoot common DirectAccess problems. Use the Design Guide to answer the “What,”
“Why,” and “When” questions a deployment design team might ask before deploying
DirectAccess in a production environment. Use the Deployment Guide to answer the “How”
questions a deployment team might ask when implementing a DirectAccess design. Use the
Troubleshooting Guide for task-oriented information to help you identify and resolve problems
quickly and perform root-cause analysis of incidents and problems with the elements of a
DirectAccess infrastructure.
The information contained in this document represents the current view of Microsoft Corporation
on the issues discussed as of the date of publication. Because Microsoft must respond to
changing market conditions, it should not be interpreted to be a commitment on the part of
Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the
date of publication.
The DirectAccess Design, Deployment, and Troubleshooting Guides are for informational
purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY,
AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the
rights under copyright, no part of this document may be reproduced, stored in or introduced into a
retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission
of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the companies, organizations, products, domain names, e-mail
addresses, logos, people, places, and events depicted in examples herein are fictitious. No
association with any real company, organization, product, domain name, e-mail address, logo,
person, place, or event is intended or should be inferred.
© 2009 Microsoft Corporation. All rights reserved.
Microsoft, Windows, Windows Server, Windows Vista, and Active Directory are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.
This white paper reflects content that was published on Microsoft TechNet as of September 1,
2010. The corresponding content published on TechNet after this date might contain changes. For
the latest information, see the following documents:
• DirectAccess Design Guide (http://go.microsoft.com/fwlink/?LinkID=161985)
• DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=166398)
• DirectAccess Troubleshooting Guide (http://go.microsoft.com/fwlink/?LinkId=165904)
Contents
DirectAccess for Windows Server 2008 R2..............................................................................1
Design, Deployment, and Troubleshooting Guides..................................................................1
Abstract.................................................................................................................................1
Contents..........................................................................................................................................3
End-to-End Access.......................................................................................................................36
Add Servers that are Available to DirectAccess Clients before User Logon................................138
Configure Firewall Rules to Prevent Traffic between Proxy Servers and DirectAccess Servers. 153
Appendix D - DirectAccessConfig.xsd........................................................................................197
Snap-in Tools..............................................................................................................................249
DirectAccess Management.........................................................................................................249
Log files of the DirectAccess Management snap-in.................................................................250
Event Viewer...............................................................................................................................254
Certificates..................................................................................................................................255
Fixing problems that Prevent You from Running the DirectAccess Setup Wizard.......................262
Fixing Problems Encountered during the Steps of the DirectAccess Setup Wizard....................264
Step 2-DirectAccess Server.....................................................................................................264
Connectivity page.................................................................................................................264
Prefix Configuration page.....................................................................................................266
Certificate Components page...............................................................................................267
Step 3-Infrastructure Servers...................................................................................................268
Location page.......................................................................................................................268
DNS and Domain Controller page........................................................................................269
Step 4-Application Servers......................................................................................................269
Fixing Problems Encountered when Applying the Settings of the DirectAccess Setup Wizard...269
Fixing Connectivity Issues Between the DirectAccess Client and the DirectAccess Server over the
Internet....................................................................................................................................271
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
DirectAccess is one of the most anticipated features of the Windows Server 2008 R2 operating
system. DirectAccess allows remote users to securely access intranet shares, Web sites, and
applications without connecting to a virtual private network (VPN). DirectAccess establishes bi-
directional connectivity with a user’s intranet every time a user’s DirectAccess-enabled portable
computer connects to the Internet, even before the user logs on. Users never have to think about
connecting to the intranet, and information technology (IT) administrators can manage remote
computers outside the office, even when the computers are not connected to the VPN.
DirectAccess is supported by Windows 7 Enterprise, Windows 7 Ultimate, and Windows
Server 2008 R2.
The following are the key elements of a DirectAccess solution:
• DirectAccess client. A domain-joined computer running Windows 7 Enterprise,
Windows 7 Ultimate, or Windows Server 2008 R2 that can automatically and transparently
connect to an intranet through a DirectAccess server.
• DirectAccess server. A domain-joined computer running Windows Server 2008 R2 that
accepts connections from DirectAccess clients and facilitates communication with intranet
resources.
• Network location server. A server that a DirectAccess client uses to determine whether
it is located on the intranet or the Internet.
• Certificate revocation list (CRL) distribution points. Servers that provide access to
the CRL that is published by the certification authority (CA) issuing certificates for
DirectAccess.
For more information, see Appendix B: Reviewing Key DirectAccess Concepts.
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
To begin the DirectAccess design process, you must first identify your DirectAccess deployment
goals. This guide contains some predefined deployment goals so that you can understand the
ways in which DirectAccess can benefit your organization. After evaluating these goals, you can
select a DirectAccess design that meets your DirectAccess deployment objectives. Each design
includes examples to help you understand fundamental DirectAccess processes such as client
access or remote management.
The following topics explain how to identify and evaluate a DirectAccess deployment design for
your organization:
• Identifying Your DirectAccess Deployment Goals
• Mapping Your Deployment Goals to a DirectAccess Design
• Evaluating DirectAccess Design Examples
After you identify your deployment goals and map them to a DirectAccess design, you can begin
documenting your design, based on the processes that are described in the following topics:
• Planning a DirectAccess Deployment Strategy
• Planning the Placement of a DirectAccess Server
• Planning the Placement of a Network Location Server
• Planning the Placement of CRL Distribution Points
• Planning DirectAccess with Network Access Protection (NAP)
• Planning DirectAccess with an Existing Server and Domain Isolation Deployment
• DirectAccess Capacity Planning
• Additional DirectAccess Resources
• Appendix A: DirectAccess Requirements
14
• Appendix B: Reviewing Key DirectAccess Concepts
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
Correctly identifying your DirectAccess deployment goals is essential for the success of your
DirectAccess design project. Depending on the size of your organization and the level of
involvement you are expecting from the information technology (IT) staff in any partner
organizations, form a project team that can clearly articulate real-world deployment issues in a
vision statement. Make sure that the members of this team understand the direction in which your
deployment project must move in order to reach your DirectAccess deployment goals.
When you write your vision statement, take steps to identify, clarify, and refine your deployment
goals. Prioritize and, if necessary, combine your deployment goals so that you can design and
deploy DirectAccess by using an iterative approach. You can take advantage of existing,
documented, and predefined DirectAccess deployment goals that are relevant to the
DirectAccess designs and develop a working solution for your scenarios.
The following table lists the three main tasks for articulating, refining, and documenting your
DirectAccess deployment goals.
Evaluate predefined DirectAccess deployment Transparent and Automatic Remote Access for
goals that are provided in this section of the DirectAccess Clients
guide and combine one or more goals to reach Ongoing Management of Remote DirectAccess
your organizational objectives. Clients
Efficient Routing of Intranet and Internet Traffic
Reduction of Remote Access-based Servers in
your Edge Network
End-to-end Traffic Protection
Multi-factor Credentials for Intranet Access
Map one goal or a combination of any of the Mapping Your Deployment Goals to a
predefined DirectAccess deployment goals to a DirectAccess Design
DirectAccess design.
Document your deployment goals and other Appendix C: Documenting Your DirectAccess
15
Deployment goal tasks Reference links
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
DirectAccess enhances the productivity of mobile workers by connecting their computers
automatically and seamlessly to their intranet any time Internet access is available. The user
does not have to remember to initiate a virtual private network (VPN) connection every time that
they need to access intranet resources. With DirectAccess, intranet file shares, Web sites, and
line-of-business applications can remain accessible wherever you have an Internet connection in
the same way as if you were directly connected to the intranet.
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
With current virtual private network (VPN) solutions, the remote computer is connected to the
intranet only intermittently. This model of user-initiated connections makes it difficult for
information technology (IT) staff to manage remote computers with the latest updates and
security policies. Remote computer management can be mitigated by checking for and requiring
system health updates before completing the VPN connection. However, such requirements can
add substantial wait times to the VPN connection process.
With DirectAccess, IT staff can manage mobile computers by updating Group Policy settings and
distributing software updates any time the mobile computer has Internet connectivity, even if the
user is not logged on. This flexibility allows IT staff to manage remote computers as if they were
16
directly connected to the intranet and ensures that mobile users stay up-to-date with security and
system health policies.
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
DirectAccess separates intranet from Internet traffic, which reduces unnecessary traffic on the
intranet by sending only traffic destined for the intranet through the DirectAccess server. Some
virtual private network (VPN) solutions use Network layer routing table entries to separate intranet
from Internet traffic, in a configuration known as split-tunneling. DirectAccess solves this problem
in the Application layer through more intelligent name resolution and in the Network layer by
summarizing the IPv6 address space of an entire organization with IPv6 address prefixes. Rather
than directing traffic solely based on a destination address, DirectAccess clients also direct traffic
based on the name needed by the application.
DirectAccess clients use a Name Resolution Policy Table (NRPT) that contains Domain Name
System (DNS) namespace rules and a corresponding set of intranet DNS servers that resolve
names for that DNS namespace. When an application on a DirectAccess client attempts to
resolve a name, it first compares the name with the rules in the NRPT. If there is a match, the
DirectAccess client uses a protected query to the specified intranet DNS servers to resolve the
name to intranet addresses and establish connections. If there are no matches, the DirectAccess
client uses Internet DNS servers to resolve the name to Internet addresses and establish
connections.
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
17
With DirectAccess, you can reduce your dependence on remote access and application edge
servers, leading to an edge network with fewer servers that provide access to intranet resources
or applications. For example, the number of application edge servers can be reduced as the
number of DirectAccess clients increase because DirectAccess clients can now directly access
the corresponding application servers on the intranet.
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
You can specify that the traffic between DirectAccess clients and intranet applications servers is
protected from end-to-end. In most virtual private network (VPN) solutions, the protection only
extends to the VPN server. This capability for end-to-end traffic protection provides additional
security for computers that are outside of the intranet. Additionally, by leveraging the flexibility and
control that is possible with connection security rules in Windows Firewall with Advanced Security,
you can specify that the end-to-end protection include encryption and not require that the traffic
be tunneled to the DirectAccess server.
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
In typically deployed access models, DirectAccess clients create two tunnels to the DirectAccess
server. The first tunnel, the infrastructure tunnel, provides access to intranet Domain Name
System (DNS) servers, Active Directory Domain Services (AD DS) domain controllers, and other
infrastructure and management servers. The second tunnel, the intranet tunnel, provides access
to intranet resources such as Web sites, file shares, and other application servers.
To provide an additional layer of security for traffic sent over the intranet tunnel, you can specify
that the intranet tunnel also require smart card authorization, which enforces the use of multiple
sets of credentials to access intranet resources. Multi-factor credentials for the intranet tunnel
uses the new tunnel-mode authorization feature of Windows Firewall with Advanced security in
18
Windows 7 and Windows Server 2008 R2, which allows you to specify that only authorized
computers or users can establish an inbound tunnel.
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
After you have reviewed the DirectAccess deployment goals and determined which are
appropriate for your organization, you can map those goals to a specific design.
The following table shows how well the DirectAccess designs meet the deployment goals
discussed in Identifying Your DirectAccess Deployment Goals.
Transparent and automatic remote access for Functionality in the DirectAccess server and
DirectAccess clients clients
Efficient routing of intranet and Internet traffic Use of the Name Resolution Policy Table
(NRPT) and Internet Protocol version 6 (IPv6)
to separate Internet and intranet traffic
Multi-factor credentials for intranet access Smart card authorization on the intranet tunnel
19
Evaluating DirectAccess Design Examples
Important
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
The following design examples illustrate the way in which DirectAccess deployment scenarios
work to provide transparent access to intranet resources.
• Full Intranet Access Example
• Full Intranet Access with Smart Cards Example
• Selected Server Access Example
• End-to-end Access Example
You can use these examples to determine the design or combination of designs that best suits
the needs of your organization.
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
Full intranet access allows DirectAccess clients to connect to all of the Internet Protocol version 6
(IPv6)-reachable resources inside the intranet. The DirectAccess client uses Internet Protocol
security (IPsec) to create two encrypted tunnels to the Internet interface of the DirectAccess
server. The first tunnel, known as the infrastructure tunnel, allows the DirectAccess client to
access Domain Name System (DNS) servers, Active Directory Domain Services (AD DS) domain
controllers, and other infrastructure and management servers. The second tunnel, known as the
intranet tunnel, allows the DirectAccess client to access intranet resources. The infrastructure
tunnel uses computer authentication and the intranet tunnel uses both computer and user
authentication.
After the intranet tunnel is established, the DirectAccess client can exchange traffic with intranet
application servers. This traffic is encrypted by the tunnel for its journey across the Internet. By
default, the DirectAccess server is acting as an IPsec gateway, terminating the IPsec tunnels for
the DirectAccess client.
The following figure shows an example of full intranet access.
20
When the DirectAccess client starts up and determines that it is on the Internet, it creates the
tunnels to the DirectAccess server and begins normal communications with intranet infrastructure
servers such as AD DS domain controllers and application servers as if it were directly connected
to the intranet.
This design does not require IPsec protection for traffic on the intranet and is structurally very
similar to current remote access virtual private network (VPN) scenarios.
Note
To demonstrate full intranet access for DirectAccess, set up the DirectAccess test lab
(http://go.microsoft.com/fwlink/?Linkid=150613).
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
Full intranet access with smart cards is the full intranet access design and the use of smart cards
to provide an additional level of authorization for the intranet tunnel. The DirectAccess server
enforces the use of smart card credentials when the DirectAccess client computer attempts to
access an intranet resource.
The following figure shows an example of full intranet access with smart cards.
21
When a user on the DirectAccess client logs on to their computer with the smart card, they obtain
transparent access to intranet resources. If they log in to the computer using domain credentials,
such as a username and password combination, and attempt to access the intranet, Windows
displays a message in the notification area instructing them to enter their smart card credentials.
The user then inserts their smart card and provides their smart card personal identifier (PIN) to
access intranet resources.
This notification message will fade away in five seconds or may be covered by other notifications
in a shorter amount of time, but an icon displaying a pair of keys will stay in the notification area.
If the user misses the notification, the keys icon will be available in the overflow tray, which will
allow them to launch the credential prompt again by clicking on it.
Note
If the user closes the smart card credential prompt from the notification area, there is no
way of relaunching it, nor will the keys show up in the overflow tray again. The user must
lock their computer and then unlock it with their smart card to access the intranet.
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
Selected server access allows you to confine the access of DirectAccess clients to a specific set
of intranet application servers and deny access to all other locations on the intranet. Intranet
access requires end-to-end Internet Protocol security (IPsec) protection from the DirectAccess
client to the specified servers. This provides an additional layer of IPsec peer authentication and
22
data integrity for end-to-end traffic so that DirectAccess clients can verify that they are
communicating with specific servers.
The following figure shows an example of selected server access.
The DirectAccess client and selected servers by default perform IPsec peer authentication using
computer credentials and protect the traffic with Encapsulating Security Payload (ESP)-NULL for
data integrity.
You can also use selected server access to require end-to-end IPsec protection from the
DirectAccess client to specified servers and allow access to all other locations on the intranet.
Traffic to other intranet application servers is not protected with IPsec peer authentication and
data integrity. The intranet tunnel between the DirectAccess client and server provides encryption
for both types of intranet traffic across the Internet.
Note
Authentication with null encapsulation is not the same as using ESP-NULL for per-packet
data integrity.
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
End-to-end access removes the infrastructure and intranet tunnels to the DirectAccess server. All
intranet traffic is end-to-end between DirectAccess clients and intranet application servers and is
encrypted with Internet Protocol security (IPsec). In this configuration, the DirectAccess server is
no longer terminating IPsec tunnels. It is acting as a pass-through device, allowing the IPsec-
protected traffic to pass between the DirectAccess client and the application servers. A
component of the DirectAccess server, known as IPsec Denial of Service Protection (DoSP),
monitors the IPsec traffic to help prevent malicious users on the Internet from launching DoS
attacks against intranet resources.
The following figure shows an example of end-to-end access.
The DirectAccess client and intranet application servers should be configured to perform IPsec
peer authentication using computer credentials and to protect the traffic with Encapsulating
Security Payload (ESP) for data confidentiality (encryption) and integrity.
24
Planning a DirectAccess Deployment
Strategy
Important
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
The following are some critical questions to consider as you develop a deployment strategy for
DirectAccess, with links to corresponding topics in this Design Guide. Answering these questions
will help you create a strategy that is cost-effective and resource-efficient.
• Which intranet resources will be available to DirectAccess clients? For more information,
see Resources Available to DirectAccess Clients.
• How do I either enable Internet Protocol version 6 (IPv6) on my intranet or have
DirectAccess use my existing IPv6 infrastructure? For more information, see Choose an
Intranet IPv6 Connectivity Design.
• What options do I have to make Internet Protocol version 4 (IPv4)-only resources
available for DirectAccess clients? For more information, see Choose Solutions for IPv4-only
Intranet Resources.
• Which access models are there to choose from? For more information, see Choose an
Access Model.
• What options do I have to configure DirectAccess? For more information, see Choose a
Configuration Method.
• Which computers do I need to designate as management servers that will initiate
connections to DirectAccess clients? For more information, see Design for Remote
Management.
• What packet filters do I need to add to my firewalls and computers in my organization?
For more information, see Design Packet Filtering for DirectAccess.
• What packet filters do I need to add to my firewalls and computers in my organization?
For more information, see Design Packet Filtering for DirectAccess.
• What support is needed from third-party host firewalls? For more information, see
DirectAccess and Third-party Host Firewalls.
• What authentication and authorization options do I have? For more information, see
Choose an Authentication and Authorization Scheme.
• What addressing and routing do I need to configure on my DirectAccess server? For
more information, see Design Addressing and Routing for the DirectAccess Server.
• How does DirectAccess leverage or utilize Active Directory Domain Services (AD DS)?
For more information, see Choose an Authentication and Authorization Scheme.
• How do I design my Domain Name System (DNS) infrastructure for DirectAccess? For
more information, see Design Your DNS Infrastructure for DirectAccess.
25
• How do I design my public key infrastructure (PKI) for DirectAccess? For more
information, see Design Your PKI for DirectAccess.
• How do I design my internal and external Web infrastructure for DirectAccess? For more
information, see Design Your Web Servers for DirectAccess.
• What options are there for separating or combining intranet and Internet traffic for
DirectAccess clients? For more information, see Choose an Internet Traffic Separation
Design.
• How do I ensure that traffic between DirectAccess clients on the Internet is protected?
For more information, see Design Protection for Traffic between DirectAccess Clients.
• How do I ensure that DirectAccess clients can detect connectivity to the intranet? For
more information, see Design Your Intranet for Corporate Connectivity Detection.
• How does DirectAccess co-exist with my current remote access virtual private network
(VPN) solution? For more information, see Choose a DirectAccess and VPN Coexistence
Design.
• Should I use the DirectAccess Connectivity Assistant (DCA)? For more information, see
Use the DirectAccess Connectivity Assistant (DCA).
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
When designing your DirectAccess deployment, you must determine how DirectAccess clients
will reach all of the desired intranet resources.
26
An intranet infrastructure that supports forwarding IPv6 traffic can be achieved in the following
ways:
• Configure your intranet infrastructure to support native IPv6 addressing and routing.
Computers running Windows Vista, Windows Server 2008, Windows 7, or Windows
Server 2008 R2 use IPv6 by default. Although few organizations today have a native IPv6
infrastructure, this is the preferred and recommended connectivity method. For the most
seamless intranet connectivity for DirectAccess clients, organizations should deploy a native
IPv6 infrastructure, typically alongside their existing IPv4 infrastructure.
• Deploy Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) on your intranet.
Without a native IPv6 infrastructure, you can use ISATAP to make intranet servers and
applications reachable by tunneling IPv6 traffic over your IPv4-only intranet. Deploying
ISATAP consists of setting up one or more ISATAP routers that provide address configuration
and default routing for ISATAP hosts on your intranet. Computers running Windows 7 or
Windows Server 2008 R2 support ISATAP host functionality and can be configured to act as
ISATAP routers.
If you do not have a native IPv6 infrastructure or ISATAP on your intranet, the DirectAccess Setup
Wizard will automatically configure the DirectAccess server as the ISATAP router for your
intranet.
Applications that are end-to-end reachable by DirectAccess clients must be IPv6-capable and
running on an operating system that supports an IPv6 protocol stack with native IPv6 or ISATAP
host capability.
For applications running on versions of Windows:
• Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008
support an IPv6 protocol stack and all built-in components and system services are IPv6-
capable. These versions of Windows are highly recommended.
• Windows XP and Windows Server 2003 have an IPv6 protocol stack, but many built-in
components and system services and applications are not IPv6-capable. Therefore, in most
cases, applications running on computers running Windows XP or Windows Server 2003 are
not reachable by DirectAccess clients over IPv6. For the solutions for providing DirectAccess
connectivity to applications running on Windows XP and Windows Server 2003-based
computers, see Choose Solutions for IPv4-only Intranet Resources.
For applications running on non-Windows operating systems, verify that both the operating
system and the applications support IPv6 and are reachable over native IPv6 or ISATAP.
27
• The built-in applications and system services running on Windows XP and Windows
Server 2003 that are not IPv6-capable.
• For applications that are not built-in to Windows, check with the software vendor to
ensure that the application is IPv6-capable. Applications that only use IPv4, such as Office
Communications Server (OCS), cannot by default be reached by DirectAccess clients.
However, IPv6-capable applications can reach IPv4-only resources on your intranet by using an
IPv6/IPv4 translation device or service such as a NAT64/DNS64. For the solutions for providing
connectivity for DirectAccess clients to IPv4-only resources, see Choose Solutions for IPv4-only
Intranet Resources.
28
For more information, see Selected Server Access Example.
29
service provider recommends a specific unicast IPv4 address of the 6to4 relay that they
maintain.
For more information, see Connect to the IPv6 Internet in the DirectAccess Deployment Guide.
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
The combinations of intranet Internet Protocol version 6 (IPv6) connectivity prior to deploying
DirectAccess are the following:
• There is no existing IPv6 infrastructure
• You have an Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)-based IPv6
infrastructure
• You have an existing native IPv6 infrastructure
In each of these combinations, you will need to ensure that the IPv6 routing infrastructure can
forward packets between DirectAccess clients and intranet resources.
Note
By default, DNS servers running Windows Server 2008 R2 or Windows Server 2008
block the resolution of the name ISATAP with the global query block list. To enable
ISATAP, you must remove the name ISATAP from the block list. For more information,
see Remove ISATAP from the DNS Global Query Block List in the DirectAccess
Deployment Guide.
Windows-based ISATAP hosts that can resolve the name ISATAP perform address
autoconfiguration with the DirectAccess server, resulting in the automatic configuration of the
following:
• An ISATAP-based IPv6 address on an ISATAP tunneling interface.
• A 64-bit route that provides connectivity to the other ISATAP hosts on the intranet.
30
• A default IPv6 route that points to the DirectAccess server.
The default IPv6 route ensures that intranet ISATAP hosts can reach DirectAccess clients.
Note
Note
If you are using IPv6 addresses that are not based on a 6to4 prefix on your intranet, a
6to4-based DirectAccess client computer that uses IP-HTTPS to connect to the
DirectAccess server will not be able to reach intranet locations. To correct this condition,
add a 6to4 route (2002::/16) to your intranet that points to the DirectAccess server or
reconfigure the DirectAccess server to use IPv6 addresses from your intranet prefix on its
Internet interface rather than 6to4 addresses and change the client and server tunnel
endpoints in your DirectAccess client and server Group Policy objects to the assigned
IPv6 address.
31
Choose Solutions for IPv4-only Intranet
Resources
Important
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
A DirectAccess client sends only Internet Protocol version 6 (IPv6) traffic to the DirectAccess
server. When DirectAccess clients send Domain Name System (DNS) name query requests
across the infrastructure tunnel to the IPv6 address of an intranet DNS server, they request only
IPv6 records (AAAA DNS records). Internet Protocol version 4 (IPv4)-only applications on the
DirectAccess client will never send IPv4 traffic across the DirectAccess intranet tunnel. The same
DirectAccess client, when directly connected to the intranet, sends DNS name queries to intranet
DNS servers and requests all records, both IPv4 and IPv6. For an IPv4-only server application,
intranet DNS servers send back IPv4 records and the client application uses IPv4 to
communicate.
The end result is that an IPv6-capable client application on a DirectAccess client can use IPv4 to
access an IPv4-only server application while connected to the intranet, but cannot by default
reach the same server application when connected to the Internet.
The solutions for providing connectivity for IPv6-capable applications on DirectAccess clients to
IPv4-only intranet applications are the following:
• Upgrade or update the IPv4-only intranet application to support IPv6. This update might
include updating the operating system of the server, updating the application running on the
server, or both. This is the recommended solution. For built-in applications and system
services on computers running Windows XP or Windows Server 2003, you must upgrade
Windows XP to Windows 7 or Windows Vista and upgrade Windows Server 2003 to Windows
Server 2008 R2 or Windows Server 2008.
• Use a conventional remote access virtual private network (VPN) connection on the
DirectAccess client to reach the IPv4-only application.
• Use an IPv6/IPv4 translator and IPv6/IPv4 DNS gateway, which perform IPv6/IPv4 traffic
translation and IPv6-to-IPv4 DNS name resolution services for traffic between DirectAccess
clients and IPv4-only intranet application servers. A combination of IPv6/IPv4 translator with
IPv6/IPv4 DNS gateway is a NAT64 with DNS64.
The types of DirectAccess connectivity that are possible for IPv6-capable and IPv4-only client
and server applications are summarized in the following:
• IPv6-capable client application on the DirectAccess client with an IPv6-capable server
application on the intranet
End-to-end connectivity for DirectAccess clients.
• IPv6-capable client application on the DirectAccess client with an IPv4-only server
application on the intranet
32
Translated connectivity for DirectAccess clients only with an IPv6/IPv4 translator and
IPv6/IPv4 DNS gateway.
• IPv4-only client application on the DirectAccess client with either an IPv6-capable or
IPv4-only server application on the intranet
No connectivity for DirectAccess clients.
When you deploy an IPv6/IPv4 translator and IPv6/IPv4 DNS gateway, you typically configure it
to provide coverage for specific portions of your intranet DNS namespace. Once deployed, the
IPv6/IPv4 translator and IPv6/IPv4 DNS gateway will make the necessary DNS resolutions and
IPv6/IPv4 traffic translations, allowing IPv6-capable applications on DirectAccess clients to
access IPv4-only resources located within that portion of the DNS namespace.
The following figure shows an example of using a separate NAT64 and DNS64 device to provide
IPv6/IPv4 traffic translation and access to IPv4-only application servers on an intranet.
If you are using an IPv6/IPv4 translator and IPv6/IPv4 DNS gateway in your DirectAccess
deployment, you must identify the portions of your intranet namespace that contain IPv4-only
application servers and add them to the Name Resolution Policy Table (NRPT) of your
DirectAccess clients with the IPv6 addresses of your IPv6/IPv4 DNS gateway. For more
information, see Configure the NRPT for an IPv6/IPv4 DNS Gateway in the DirectAccess
Deployment Guide.
Because Windows Server 2008 R2 does not provide IPv6/IPv4 translator or IPv6/IPv4 DNS
gateway functionality, the configuration of these devices is beyond the scope of this design guide.
Microsoft Forefront Unified Access Gateway (UAG) includes NAT64 and DNS64 functionality and
can be used in conjunction with a DirectAccess deployment. For more information, see UAG and
DirectAccess (http://go.microsoft.com/fwlink/?LinkId=159955). IPv6/IPv4 translator and IPv6/IPv4
DNS gateway devices are also available from Layer 2 and Layer 3 switch and router vendors.
33
Choose an Access Model
Important
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
The three access models for DirectAccess, as previously described in Evaluating DirectAccess
Design Examples, are the following:
• Full Intranet Access
• Selected Server Access
• End-to-End Access
The following topics describe the benefits and limitations of these access models.
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
The full intranet access model allows DirectAccess clients to connect to Internet Protocol version
6 (IPv6)-reachable resources inside your intranet and provides Internet Protocol security (IPsec)-
based end-to-edge peer authentication and encryption that terminates at the DirectAccess server.
See Full Intranet Access Example for more information.
The following are the benefits of the full intranet access model:
• Does not require intranet application servers that are running Windows Server 2008 or
later. Works with any IPv6-capable application servers.
• Most closely resembles current virtual private network (VPN) architecture and is typically
easier to deploy.
• Can be used with smart cards for an additional level of authorization.
• Is fully configurable with the DirectAccess Setup Wizard.
• Does not require IPsec-protected traffic on the intranet.
The following are the limitations of the full intranet access model:
• Does not provide end-to-end authentication or data protection with intranet servers.
• Because the DirectAccess server is terminating the IPsec tunnels, there is extra
processing load on DirectAccess server to perform encryption and decryption. This load can
34
be mitigated by moving the IPsec gateway function to a different server with IPsec offload
network adapters. For more information, see Capacity Planning for DirectAccess Servers.
Note
To demonstrate full intranet access for DirectAccess, set up the DirectAccess test lab
(http://go.microsoft.com/fwlink/?Linkid=150613).
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
The DirectAccess Setup Wizard allows you to configure one of the following for the selected
server access model:
• The only servers that DirectAccess clients can communicate with are selected intranet
servers using Internet Protocol security (IPsec) peer authentication and end-to-end data
integrity.
• The only servers that DirectAccess clients can communicate with are selected intranet
servers using IPsec peer authentication but no IPsec protection.
• Communications between DirectAccess clients and selected intranet servers must
perform IPsec peer authentication and end-to-end data integrity. Communications with all
other intranet endpoints use clear text.
• Communications between DirectAccess clients and intranet servers must perform IPsec
peer authentication but no IPsec protection. Communications with all other intranet endpoints
use clear text.
In each of these cases, the traffic sent between the DirectAccess client and the DirectAccess
server is encrypted over the Internet. See Selected Server Access Example for more information.
The following are the benefits of the selected server access model:
• You can easily confine the access of DirectAccess clients to specific application servers.
• Provides additional end-to-end authentication and data protection beyond that provided
with traditional virtual private network (VPN) connections.
• Can be used with smart cards for an additional level of authorization.
• Is fully configurable with the DirectAccess Setup Wizard.
• By customizing the default Windows Firewall with Advanced Security connection security
rules created by the DirectAccess Setup Wizard, you can restrict certain users or computers
from accessing particular application servers or specify that certain client applications will not
be able to access intranet resources remotely. However, customization of connection security
35
rules requires knowledge of and experience with connection security rule design and
configuration.
The following are the limitations of the selected server access model:
• Selected servers must run Windows Server 2008 or later. Selected servers cannot run
Windows Server 2003 or earlier.
• Selected servers when using IPsec peer authentication without IPsec protection must be
running Windows Server 2008 R2 or later.
Note
End-to-End Access
Important
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
The end-to-end access model allows you to configure DirectAccess clients so that
communications between DirectAccess clients and all intranet servers perform IPsec peer
authentication, data confidentiality (encryption), and data integrity from the DirectAccess client to
the intranet resource. The traffic sent between DirectAccess clients and servers is encrypted over
both the Internet and the intranet. For more information, see the End-to-end Access Example.
The following are the benefits of the end-to-end access model:
• Provides additional end-to-end authentication, data integrity, and data confidentiality
beyond that provided with traditional virtual private network (VPN) connections.
• There is less processing overhead on the DirectAccess server, which is acting only as a
router and providing denial of service protection (DoSP) for the IPsec-encrypted DirectAccess
traffic.
• By customizing the default Windows Firewall with Advanced Security connection security
rules created by the DirectAccess Setup Wizard, you can define policies that restrict certain
users or computers from accessing particular application servers or specify that certain
applications will not be able to access intranet resources remotely. However, customization of
the default connection security rules requires knowledge of and experience with connection
security rule design and configuration.
The following are the limitations of the end-to-end access model:
• All intranet application servers accessible to DirectAccess clients must run Windows
Server 2008 or later. Application servers cannot run Windows Server 2003 or earlier.
36
• Your intranet must allow the forwarding of IPsec-encrypted traffic.
• Is not fully configurable with the DirectAccess Setup Wizard. You use the DirectAccess
Setup Wizard to create the initial set of DirectAccess client and server Group Policy objects
and settings and then you must customize the default Windows Firewall with Advanced
Security connection security rules.
• Cannot use smart cards for an additional level of authorization.
• Cannot access IPv4-only intranet resources, even with an IPv6/IPv4 translator and
IPv6/IPv4 DNS gateway.
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
You can use the following methods to deploy and configure DirectAccess:
• The DirectAccess Management console
• Custom configuration using the Network Shell (Netsh) command-line tool and Group
Policy
The following sections describe the benefits and limitations of each of these methods.
37
and the creation of unique solutions, including many permutations that are not covered in this
Design Guide.
For information about Netsh commands for DirectAccess, see Appendix A – Manual DirectAccess
Server Configuration and Appendix B – Manual DirectAccess Client Configuration. For
information about Group Policy settings for DirectAccess, see Group Policy Management
Console and Editor.
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
Because DirectAccess client computers are connected to the intranet whenever the DirectAccess
client is connected to the Internet, regardless of whether the user has logged on to the computer,
they can be more easily managed as intranet resources and kept current with Group Policy
changes, operating system updates, anti-malware software updates, and other changes.
Intranet management servers that client computers use to keep themselves current can consist of
the following:
• Microsoft System Center Configuration Manager 2007 servers
• Windows Update servers
• Servers for anti-malware updates, such as antivirus servers
In some cases, intranet servers or computers must initiate connections to DirectAccess clients.
For example, helpdesk department computers can use remote desktop connections to connect to
and troubleshoot remote DirectAccess clients. To ensure that DirectAccess clients will accept
incoming traffic from these types of computers and require the protection of that traffic over the
Internet, you must identify the set of these intranet management computers and configure their
addresses in Step 3 of the DirectAccess Setup Wizard.
Once you have identified the computers, record their names, their Internet Protocol version 4
(IPv4) addresses (if you have no Internet Protocol version 6 (IPv6) infrastructure), or their IPv6
addresses (if you have an IPv6 infrastructure, either their public native or Intra-Site Automatic
Tunnel Addressing Protocol [ISATAP] addresses) and configure them in Step 3 of the
DirectAccess Setup Wizard. The DirectAccess Setup Wizard creates an additional set of
connection security rules for a management tunnel between DirectAccess clients and the
DirectAccess server. This management tunnel is encrypted with Internet Protocol security (IPsec),
uses computer credentials for authentication, and is separate from the intranet and infrastructure
tunnels in the full intranet and selected server access models.
Because DirectAccess clients can be behind network address translators (NATs) and use Teredo
for the IPv6 connectivity across the Internet, any inbound rules for Windows Firewall with
38
Advanced Security that permit unsolicited incoming traffic from management computers must be
modified to enable edge traversal and must have an inbound ICMPv6 Echo Request rule with
edge traversal enabled. For more information, see Packet Filters for Management Computers
Notes
When you are using end-to-end peer authentication with data integrity and remote
management traffic is sent within the intranet tunnel, you should use Encapsulating
Security Payload (ESP)-Null instead of Authentication Header (AH) for data integrity.
If the computer that is managing a DirectAccess client from the intranet is running
Windows Vista or Windows Server 2008 and IPsec transport mode is required between
the managing computer and the DirectAccess client, both computers must have the same
quick mode lifetimes.
To demonstrate remote management, configure the DirectAccess test lab
(http://go.microsoft.com/fwlink/?Linkid=150613) with the Remote Management extension
(http://go.microsoft.com/fwlink/?LinkId=192280).
39
management servers in Step 3 of the DirectAccess Setup Wizard. If you do not configure
management servers, these computers will not be able to initiate communications with
DirectAccess clients until the user has logged on.
The security settings for the connection security rules for the infrastructure and management
tunnels are the same. Therefore, DirectAccess clients can also use the management tunnel rule
to initiate communications with intranet servers in the same way as the infrastructure tunnel rule.
Because these connection security rules do not use user account-based credentials,
DirectAccess client computers will only have connectivity to those intranet endpoints that are
specified for the infrastructure and management tunnel rules before user logon.
Additional computers that should be available to DirectAccess client computers prior to user
logon are the following:
• Domain controllers, which are not DNS servers and have already been configured in Step
3 of the DirectAccess wizard
• Additional intranet DNS servers that have not been configured in Step 3 of the
DirectAccess wizard
• When using Network Access Protection (NAP), Health Registration Authorities (HRAs)
and remediation servers
• Servers needed for computer logon operations and system health updates, such as
operating system and anti-malware update servers
• If you have configured force tunneling and DirectAccess client computers need to access
the Internet prior to user logon, your intranet proxy servers
One way to determine the additional intranet servers that must be made available to the services
of a DirectAccess client computer is to analyze the Windows Logs and Application and Services
Logs with Event Viewer and note the system services that were unable to start or complete
operations prior to computer logon. If the cause of the problem is due to an inability to reach an
intranet server and if these failed system services are crucial to the operation of the computer, the
intranet server for that service should be added to list of servers that are available prior to user
logon.
To add to the set of servers that are available prior to user logon, you can do the following:
• Use the Management page of step 3 of the DirectAccess Setup Wizard, which adds
more Internet Protocol version 6 (IPv6) addresses to the list of permitted endpoints for the
management tunnel.
This is the recommended method because it is much easier to configure, especially if you are
not managing a customized DirectAccess deployment and can run the DirectAccess Setup
Wizard without modifying one or more custom settings. For more information, see Add
Servers that are Available to DirectAccess Clients before User Logon.
• Use Netsh.exe commands to manually add more IPv6 addresses to the list of permitted
endpoints on the infrastructure or management tunnels
This is not recommended because it must be done manually with multiple commands and if
done incorrectly can impair connectivity. However, if you are managing a customized
DirectAccess deployment and cannot run the DirectAccess Setup Wizard without modifying
one or more custom settings, you must use this method. If you have not already defined
40
management servers with the DirectAccess Setup Wizard, use the infrastructure tunnel.
Otherwise, use the management tunnel. For more information, see Add Servers that are
Available to DirectAccess Clients before User Logon.
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
Packet filtering must be modified for multiple components on your network to allow the following
types of traffic:
• DirectAccess client traffic to and from DirectAccess servers on the Internet
• DirectAccess server traffic to and from the intranet
• Encapsulated DirectAccess client traffic to and from the intranet
• Teredo discovery traffic for DirectAccess clients located behind network address
translators (NATs)
• Management server traffic to DirectAccess clients
The following topics describe the required packet filtering for each of these types of traffic:
• Packet Filters for Your Internet Firewall
• Packet Filters for Your Intranet Firewall
• Confining ICMPv6 Traffic to the Intranet
• Packet filters for Teredo Connectivity
• Packet Filters for Management Computers
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
Most organizations use an Internet firewall between the Internet and the computers on their
perimeter network. This firewall is typically configured with packet filters that only allow specific
types of traffic to and from the perimeter network computers. When you add a DirectAccess
server to your perimeter network, you must configure additional packet filters to allow the traffic to
41
and from the DirectAccess server for all of the types of traffic that a DirectAccess client uses to
obtain Internet Protocol version 6 (IPv6) connectivity to the DirectAccess server.
If your DirectAccess server is on the Internet Protocol version 4 (IPv4) Internet, the DirectAccess
server must have two consecutive, public IPv4 addresses and your Internet firewall must pass the
traffic to the DirectAccess server without translating addresses or port numbers. Configure packet
filters on your Internet firewall to allow the following types of IPv4 traffic for the DirectAccess
server:
• Protocol 41 inbound and outbound
For DirectAccess clients that use the 6to4 IPv6 transition technology to encapsulate IPv6
packets with an IPv4 header. In the IPv4 header, the Protocol field is set to 41 to indicate an
IPv6 packet payload.
• User Datagram Protocol (UDP) destination port 3544 inbound and UDP source port 3544
outbound
For DirectAccess clients that use the Teredo IPv6 transition technology to encapsulate IPv6
packets with an IPv4 and UDP header. The DirectAccess server is listening on UDP port
3544 for traffic from Teredo-based DirectAccess clients.
• Transmission Control Protocol (TCP) destination port 443 inbound and TCP source port
443 outbound
For DirectAccess clients that use Internet Protocol over Secure Hypertext Transfer Protocol
(IP-HTTPS) to encapsulate IPv6 packets within an IPv4-based HTTPS session. The
DirectAccess server is listening on TCP port 443 for traffic from IP-HTTPS-based
DirectAccess clients.
If your DirectAccess server is on the IPv6 Internet, you must configure packet filters on your
Internet firewall to allow the following types of IPv6 traffic for the DirectAccess server:
• Protocol 50
DirectAccess on the IPv6 Internet uses the Internet Protocol security (IPsec) Encapsulating
Security Payload (ESP) to protect the packets to and from the DirectAccess server without
the encapsulation headers required for IPv6 transition technologies. In the IPv6 header, the
Protocol field is set to 50 to indicate an ESP-protected payload.
• UDP destination port 500 inbound and UDP source port 500 outbound
DirectAccess on the IPv6 Internet uses the Internet Key Exchange (IKE) and Authenticated
Internet Protocol (AuthIP) protocols to negotiate IPsec security settings. The DirectAccess
server is listening on UDP port 500 for incoming IKE and AuthIP traffic.
• UDP destination port 4500 inbound and UDP source port 4500 outbound
To support IPsec NAT-Traversal (NAT-T) for translated IPv6 clients on the IPv6 Internet, the
DirectAccess server is listening on UDP port 4500 for incoming IPsec NAT-T traffic.
• All Internet Control Message Protocol for IPv6 (ICMPv6) traffic inbound and outbound
42
Packet Filters for Your Intranet Firewall
Important
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
Some organizations use an additional intranet firewall between the perimeter network and the
intranet to filter out malicious traffic that makes it past the Internet firewall and perimeter network
servers. If you use an intranet firewall and the DirectAccess server is on the Internet Protocol
version 4 (IPv4) Internet, you must configure the following additional packet filters:
• All IPv4 and Internet Protocol version 6 (IPv6) traffic to and from the DirectAccess server
The DirectAccess server must reach and be reachable by Active Directory Domain Services
(AD DS) domain controllers, management servers, and other intranet resources. You can
begin with this initial filter and then refine the filter over time to allow the subset of traffic
needed by the DirectAccess server.
For AD DS, the DirectAccess server must be able to communicate with the domain controller
that is acting as the primary domain controller (PDC) emulator for the domain in which the
DirectAccess server is a member. The DirectAccess server must also be able to reach at
least one domain controller and at least one global catalog for each domain in which
DirectAccess client computer accounts are members.
• Protocol 41 inbound and outbound
Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) encapsulates IPv6 packets with an
IPv4 header. In the IPv4 header, the Protocol field is set to 41 to indicate an IPv6 packet
payload. Use this packet filter if you are using ISATAP to send IPv6 traffic across your IPv4-
only intranet.
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
By default, the DirectAccess Setup Wizard creates Group Policy objects for DirectAccess clients
and servers for settings that allow the following behaviors:
43
• Internet Control Message Protocol (ICMP) traffic, for both Internet Protocol version 4
(IPv4) and Internet Protocol version 6 (IPv6), is exempted from Internet Protocol security
(IPsec) protection
• Teredo discovery traffic does not travel within the IPsec tunnels between DirectAccess
clients and servers
These default settings allow Teredo-based DirectAccess clients to perform Teredo discovery of
intranet resources. However, these settings also allow the following:
• Any computer with a Teredo or 6to4 client can send Internet Control Message Protocol for
IPv6 (ICMPv6) traffic to intranet locations through the DirectAccess server to probe for valid
intranet destination IPv6 addresses. The amount of this traffic is limited by the Denial of
Service Protection (DoSP) component of the DirectAccess server.
• A malicious user on the same subnet as a Teredo-based DirectAccess client can
determine the IPv6 addresses of intranet servers by capturing ICMPv6 Echo Request and
Echo Reply message exchanges.
To prevent these possible security issues, you can modify the default configuration for the
following:
• Configure the global IPsec settings for the Group Policy object for DirectAccess clients to
not exempt ICMP traffic from IPsec protection (from the IPsec Settings tab for the properties
of the Windows Firewall with Advanced Security snap-in).
• Configure the global IPsec settings for the Group Policy object for the DirectAccess
server to not exempt ICMP traffic from IPsec protection (from the IPsec Settings tab for the
properties of the Windows Firewall with Advanced Security snap-in).
• For the Group Policy object for the DirectAccess server, create a new connection security
rule that exempts ICMPv6 traffic when it is tunneled from the DirectAccess server.
• For the Group Policy object for DirectAccess clients, create a new connection security
rule that exempts ICMPv6 traffic when it is tunneled to the DirectAccess server.
The last two connection security rules allow unprotected ICMPv6 traffic to and from the IPv6
addresses of the DirectAccess client and server on the Internet to aid in troubleshooting. For
example, you can use the Ping.exe tool from the DirectAccess client to test reachability to the
DirectAccess server without IPsec protection.
With these modifications:
• All ICMPv6 traffic sent through the DirectAccess server must be sent using a tunnel. Only
DirectAccess clients can send ICMPv6 traffic to intranet locations.
• Malicious users on the same subnet as the DirectAccess client will only be able to
determine the IPv6 addresses of the DirectAccess client and the DirectAccess server.
Intranet IPv6 addresses will be tunneled and encrypted with IPsec.
For the steps to configure the global IPsec settings and connection security rules, see Configure
Settings to Confine ICMPv6 Traffic to the Intranet in the DirectAccess Deployment Guide.
Although these modifications address the security issues of the default configuration, Teredo
discovery messages can no longer pass through the DirectAccess server and DirectAccess
clients cannot use Teredo as a connectivity method. Therefore, if you make these changes, you
must also do the following:
• Disable Teredo client functionality on your DirectAccess clients
44
From the Group Policy object for DirectAccess clients, set Computer
Configuration\Administrative Templates\Networking\TCPIP Settings\IPv6 Transition
Technologies\Teredo State to Disabled.
• Disable Teredo server and relay functionality on your DirectAccess server
Type the netsh interface teredo set state state=disabled command from an administrator-
level command prompt on your DirectAccess server.
If you previously added a packet filter on your Internet firewall to allow Teredo traffic to and
from the DirectAccess server, remove it.
Without Teredo connectivity, DirectAccess clients that are located behind network address
translators (NATs) will use Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS)
for IPv6 connectivity to the DirectAccess server. However, IP-HTTPS-based connections have
lower performance and higher overhead than Teredo-based connections.
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
The following packet filters facilitate traffic for DirectAccess clients that use Teredo. If you do not
configure these packet filters, DirectAccess clients that are behind a network address translator
(NAT) will not by default be able to connect to intranet resources or be managed by intranet
management servers.
The alternative is to disable the Teredo client on DirectAccess clients. However, without Teredo
connectivity, DirectAccess clients that are located behind NAT will use Internet Protocol over
Secure Hypertext Transfer Protocol (IP-HTTPS) for Internet Protocol version 6 (IPv6) connectivity
to the DirectAccess server. IP-HTTPS-based connections have lower performance and higher
overhead than Teredo-based connections.
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
To allow management computers to initiate connections with your intranet computers, you might
already have in place a set of inbound firewall rules for management traffic on your intranet. To
allow DirectAccess clients to be managed in the same way when they are on the Internet, you
can do one of the following:
• Configure your existing set of inbound firewall rules for management traffic so that they
also apply to the public and private profiles and have edge traversal enabled. Although easier
to configure, this option is not recommended because the inbound rules might allow greater
exposure what is intended for DirectAccess management functionality.
46
• Create a duplicate set of inbound firewall rules for your management traffic in the Group
Policy object for DirectAccess clients so that they only apply to the public and private profiles,
have the appropriate source Internet Protocol version 6 (IPv6) addresses of management
computers or the IPv6 prefix of your intranet, and have edge traversal enabled. This is the
recommended option because it applies the rules only to DirectAccess clients, is scoped for
your intranet IPv6 addresses or prefix, and does not affect other domain computers on the
intranet or Internet.
For information about creating inbound rules, see Create an Inbound Program or Service Rule
(http://go.microsoft.com/fwlink/?LinkId=159864). For more information, see Configure Packet
Filters to Allow Management Traffic to DirectAccess Clients in the DirectAccess Deployment
Guide.
You can enable edge traversal for a Windows Firewall inbound rule in the following ways:
• Using the Windows Firewall with Advanced Security snap-in, obtain properties of an
inbound rule. On the Advanced tab, in Edge traversal, select Allow edge traversal.
• Use the edge=yes option for the netsh advfirewall firewall command when adding or
changing an inbound rule.
Here is an example of how to use a Network Shell (Netsh) command-line tool command to enable
edge traversal for the built-in Remote Desktop (TCP-In) inbound rule:
netsh advfirewall firewall set rule name=”Remote Desktop (TCP-In)” dir=in new edge=yes
To further ensure that the Remote Desktop connection is authenticated and encrypted, use the
following Netsh command:
netsh advfirewall firewall set rule name=”Remote Desktop (TCP-In)” dir=in new
security=authenc edge=yes
To use the security=authenc setting, ensure that there is a connection security rule that protects
the connection between the remote desktop computer and the DirectAccess client.
Note
If the computer that is managing a DirectAccess client from the intranet is running
Windows Vista or Windows Server 2008 and Internet Protocol security (IPsec) transport
mode is required between the managing computer and the DirectAccess client, both
computers must have the same quick mode lifetimes.
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
47
Because DirectAccess relies on Internet Protocol security (IPsec), Authenticated Internet Protocol
(AuthIP), and Windows Firewall connection security rules, Microsoft recommends that you do not
disable the Windows Firewall service when using a third-party host firewall. When Windows
Firewall is enabled, DirectAccess clients can use the built-in IPsec functionality and Windows
Firewall connection security rules to protect DirectAccess connections and traffic.
Your third-party firewall should be certified by the Microsoft Driver Logo Program for seamless
DirectAccess functionality. For a list of logo requirements and certified third-party host firewalls,
see Windows Quality Online Services (http://go.microsoft.com/fwlink/?Linkid=18084). Check with
your host firewall vendor to see if it supports one of the following options for seamless
DirectAccess functionality:
• Uses Windows Firewall functionality.
Microsoft Forefront Client Security is an example.
• Uses Windows Firewall categories and does not replace Windows Firewall connection
security (IPsec).
Windows Firewall categories allow third-party host firewalls in Windows 7 to selectively
replace specific elements of Windows Firewall functionality while retaining others. Categories
make it possible for third-party host firewalls to operate side-by-side with Windows Firewall.
To determine if Windows Firewall is providing connection security when a third-party host
firewall is installed, type netsh advfirewall monitor show firewall at a command prompt. In
Global Settings, in the Categories section, Windows Firewall should be listed for the
ConSecRuleRuleCategory category.
Third-party host firewalls should also support edge traversal to allow intranet servers and
computers to initiate connections to Teredo-based DirectAccess clients for remote management.
Check the documentation for your third-party host firewall to determine if edge traversal is
supported and how to enable it. If supported, the documentation for your third-party firewall
typically refers to this setting as NAT traversal, enabling Teredo, or IPv6 transition technologies.
For more information, see Enabling Third Party Firewall DirectAccess Clients
(http://go.microsoft.com/fwlink/?LinkId=163777).
For more information about Windows Firewall categories, see INetFwProduct Interface
(http://go.microsoft.com/fwlink/?LinkId=157401).
For more information about third-party firewall requirements for Teredo, see Teredo co-existence
with third-party firewalls (http://go.microsoft.com/fwlink/?Linkid=157705).
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
48
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
By default, the DirectAccess Setup Wizard configures Windows Firewall with Advanced Security
connection security rules that specify the use of the following types of credentials when
negotiating the Internet Protocol security (IPsec) security associations for the tunnels to the
DirectAccess server:
• The infrastructure tunnel uses Computer certificate credentials for the first
authentication and User (NTLMv2) for the second authentication. User (NTLMv2) credentials
force the use of Authenticated Internet Protocol (AuthIP) and provide access to a Domain
Name System (DNS) server and domain controller before the DirectAccess client can use
Kerberos credentials for the intranet tunnel.
• The intranet tunnel uses Computer certificate credentials for the first authentication and
User (Kerberos V5) for the second authentication.
You can also specify additional authentication with selected server access, peer authentication
methods for end-to-end access, and the use of smart cards for additional authorization.
Note
If you modify the connection security rules created by the DirectAccess Setup Wizard,
you must use Network Shell (Netsh) commands. There are connection security rule
settings that cannot be modified with the Windows Firewall with Advanced Security snap-
in. If you modify these connection security rules with the Windows Firewall with Advanced
Security snap-in, they will be overwritten with default values, which can result in
incompatible connection security rules that prevent DirectAccess connections.
49
in. If you modify these connection security rules with the Windows Firewall with Advanced
Security snap-in, they will be overwritten with default values, which can result in
incompatible connection security rules that prevent DirectAccess connections.
50
version 6 (IPv6) address prefix of the intranet to the IPv6 address of the DirectAccess
server’s tunnel endpoint. These filters will drop the tunnel establishment traffic sent by
DirectAccess clients while intranet detection is in progress. For an example of moving the
ISATAP routing function to another server, see Capacity Planning for DirectAccess Servers.
• Add a connection security rule that sends tunnel endpoint traffic to an invalid destination
while intranet detection is occurring. For example, use the following Network Shell (netsh)
command-line tool command: netsh advfirewall consec add rule name="Corp
connectivity to prevent smart card prompt" endpoint1=IntranetIPv6Prefix
endpoint2=IntranetIPv6Prefix localtunnelendpoint=InvalidIPv6Address mode=tunnel
action=requireinrequireout auth1=computercert auth1ca="CN=NonExistentCA".
Both of these solutions prevent the tunnel negotiation with the DirectAccess server during intranet
detection when the DirectAccess client is on the intranet. By preventing tunnel negotiation, smart
card authorization will never occur and the user will not be prompted for their smart card
credentials.
Note
If you manually configure this setting with the Users tab, you must specify the name
LocalComputerName\This Organization Certificate rather than NT AUTHORITY\This
Organization Certificate.
To perform the equivalent configuration of the DirectAccess Setup Wizard with the Network Shell
(Netsh) command-line tool, use the following commands:
netsh advfirewall consec add rule name=”Smart card tunnel”
endpoint1=IntranetIPv6AddressSpace endpoint2=Any
localtunnelendpoint=DirectAccessServerIPv6Address remotetunnelendpoint=any
51
auth1=Computercert auth1ca=”Certificate Auth name certmapping:yes”
auth2=userkerb applyauthz=yes
netsh advfirewall set global ipsec authzusergrp=O:LSD:(A;;CC;;;S-1-5-65-1)
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
The DirectAccess server must be configured with addressing and routing to support the following:
• Reachability from the Internet Protocol version 4 (IPv4) Internet
• Reachability from your intranet for IPv4 traffic
• If your intranet is connected to the Internet Protocol version 6 (IPv6) Internet, reachability
from the IPv6 Internet for native IPv6 traffic
• If your intranet has deployed native IPv6 connectivity, reachability from your intranet for
native IPv6 traffic
The following sections describe the address and routing configuration of the DirectAccess server
to support these reachability requirements.
52
not consider the following sets of addresses as consecutive: w.x.y.9 and w.x.y.10, which
is sorted as w.x.y.10, w.x.y.9; w.x.y.99 and w.x.y.100, which is sorted as w.x.y.100,
w.x.y.99; w.x.y.1, w.x.y.2, and w.x.y.10, which is sorted as w.x.y.1, w.x.y.10, w.x.y.2. Use a
different set of consecutive addresses.
For intranet interfaces on the DirectAccess server that are connected to your IPv4-based intranet,
manually configure the following:
• An IPv4 intranet address with the appropriate subnet mask.
• A connection-specific DNS suffix of your intranet namespace.
Important
Note
53
the IPv6 routing table. You can obtain the InterfaceIndex of your intranet interfaces from the
display of the netsh interface show interface command.
Additionally, you must configure a connection-specific DNS suffix of your intranet namespace on
the intranet interface.
To configure the DirectAccess server to reach all the IPv6 locations on your intranet, do the
following:
1. List the IPv6 address spaces for all the locations on your intranet.
2. Use the netsh interface ipv6 add route command to add the IPv6 address spaces as
static routes in the IPv6 routing table of the DirectAccess server.
Note
The instructions in this section only apply if your organization has deployed native IPv6
connectivity and the DirectAccess server is connected to the IPv6 Internet through an
IPv6-capable ISP.
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
DirectAccess clients, DirectAccess servers, and selected servers must be members of an Active
Directory Domain Services (AD DS) domain. DirectAccess also uses Active Directory security
groups and Group Policy objects (GPOs) to identify sets of computers and the sets of settings
that are applied to them.
The DirectAccess Setup Wizard uses security groups to identify the following:
• The computer accounts of DirectAccess clients (required)
• The computer accounts of application servers for selected server access (optional)
Warning
You must not use a built-in security group, such as Domain Computers or Domain Users,
for the security group for DirectAccess clients.
You must create and populate these groups before running the DirectAccess Setup Wizard. For
more information, see Create DirectAccess Groups in Active Directory in the DirectAccess
Deployment Guide.
The DirectAccess Setup Wizard creates GPOs for the following:
54
• DirectAccess clients that contains settings for Internet Protocol version 6 (IPv6) transition
technologies, Name Resolution Policy Table (NRPT) rules, intranet detection settings, and
Windows Firewall with Advanced Security connection security rules (required).
• The DirectAccess server that contains settings for IPv6 transition technologies and
Windows Firewall with Advanced Security connection security rules (required).
• Selected servers that contain settings for Windows Firewall with Advanced Security
connection security rules (optional).
If you remove a computer from a DirectAccess client or selected server security group, the next
update of Group Policy will remove the DirectAccess settings from the computer.
55
multi-subnet Internet Protocol version 4 (IPv4) communication model to a flat, single-subnet
communication model with IPv6. This can affect the behavior of Active Directory Domain Services
(AD DS) and other applications that rely on your Active Directory Sites and Services
configuration. For example, if you used the Active Directory Sites and Services snap-in to
configure sites, IPv4-based subnets, and inter-site transports for forwarding of requests to servers
within sites, this configuration is not used by ISATAP hosts.
To configure Active Directory sites and services for forwarding within sites for ISATAP hosts, you
have to configure an IPv6 subnet object equivalent to each IPv4 subnet object, in which the IPv6
address prefix for the subnet expresses the same range of ISATAP host addresses as the IPv4
subnet.
For example, for the IPv4 subnet 192.168.99.0/24 and the 64-bit ISATAP address prefix
2002:836b:1:1::/64, the equivalent IPv6 address prefix for the IPv6 subnet object is
2002:836b:1:1:0:5efe:192.168.99.0/120. For an arbitrary IPv4 prefix length (set to 24 in the
example), the corresponding IPv6 prefix length is 96 + IPv4PrefixLength.
For the IPv6 addresses of DirectAccess clients, you should add the following:
• An IPv6 subnet for the range 2001:0:WWXX:YYZZ::/64, in which WWXX:YYZZ is the
colon-hexadecimal version of the first consecutive public IPv4 address (w.x.y.z) assigned to
the Internet interface of the DirectAccess server. This IPv6 prefix is for Teredo-based
DirectAccess clients.
• If you have a native IPv6 infrastructure, an IPv6 subnet for the range 48-
bitIntranetPrefix:5555::/64, in which 48-bitIntranetPrefix is the 48-bit native IPv6 prefix that is
being used on your intranet. This IPv6 prefix is for Internet Protocol over Secure Hypertext
Transfer Protocol (IP-HTTPS)-based DirectAccess clients.
• If you are using a 6to4-based IPv6 prefix on your intranet, an IPv6 subnet for the range
2002:WWXX:YYZZ:2::/64, in which WWXX:YYZZ is the colon-hexadecimal version of the first
consecutive public IPv4 address (w.x.y.z) assigned to the Internet interface of the
DirectAccess server. This IPv6 prefix is for IP-HTTPS-based DirectAccess clients.
• A series of 6to4-based IPv6 prefixes that begin with 2002: and represent the regional,
public IPv4 address prefixes that are administered by Internet Assigned Numbers Authority
(IANA) and regional registries. The 6to4-based prefix for a public IPv4 address prefix
w.x.y.z/n is 2002:WWXX:YYZZ::/[16+n], in which WWXX:YYZZ is the colon-hexadecimal
version of w.x.y.z. For example, the 7.0.0.0/8 range is administered by American Registry for
Internet Numbers (ARIN) for North America. The corresponding 6to4-based prefix for this
public IPv6 address range is 2002:700::/24. For information about the IPv4 public address
space, see IANA IPv4 Address Space Registry (http://www.iana.org/assignments/ipv4-
address-space/ipv4-address-space.xml). These IPv6 prefixes are for 6to4-based
DirectAccess clients.
56
For more information, see the Managing Roaming User Data Deployment Guide
(http://go.microsoft.com/fwlink/?LinkId=73435).
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
The design of your Domain Name System (DNS) infrastructure can impact how you configure
DirectAccess. The biggest design aspect of your DNS infrastructure is whether you use split-brain
DNS.
Split-brain DNS
Split-brain DNS is the use of the same DNS domain for both Internet and intranet resources. For
example, the Contoso Corporation is using split brain DNS; contoso.com is the domain name for
intranet resources and Internet resources. Internet users use http://www.contoso.com to access
Contoso’s public Web site and Contoso employees on the Contoso intranet use
http://www.contoso.com to access Contoso’s intranet Web site. A Contoso employee with their
laptop that is not a DirectAccess client on the intranet that accesses http://www.contoso.com sees
the intranet Contoso Web site. When they take their laptop to the local coffee shop and access
that same URL, they will see the public Contoso Web site.
When a DirectAccess client is on the Internet, the Name Resolution Policy Table (NRPT) sends
DNS name queries for intranet resources to intranet DNS servers. A typical NRPT for
DirectAccess will have a rule for the namespace of the organization, such as contoso.com for the
Contoso Corporation, with the Internet Protocol version 6 (IPv6) addresses of intranet DNS
servers. With just this rule in the NRPT, when a user on a DirectAccess client on the Internet
attempts to access the uniform resource locator (URL) for their Web site (such as
http://www.contoso.com), they will see the intranet version. Because of this rule, they will never
see the public version of this URL when they are on the Internet.
If you want users on DirectAccess clients to see the public version of this URL when they are on
the Internet, you must add the fully qualified domain name (FQDN) of the URL as an exemption
rule to the NRPT of DirectAccess clients. However, if you add this exemption rule, users on
DirectAccess clients will never see the intranet version of this URL when they are on the Internet.
For split-brain DNS deployments, you must list the FQDNs that are duplicated on the Internet and
intranet and decide which resources the DirectAccess client should reach, the intranet version or
the public (Internet) version. For each name that corresponds to a resource for which you want
57
DirectAccess clients to reach the public version, you must add the corresponding FQDN as an
exemption rule to the NRPT for your DirectAccess clients.
In a split-brain DNS environment, if you want both versions of the resource to be available,
configure your intranet resources with alternate names that are not duplicates of the names that
are being used on the Internet and instruct your users to use the alternate name when on the
Intranet. For example, configure and use the alternate name www.internal.contoso.com for the
intranet name www.contoso.com.
In a non-split-brain DNS environment, the Internet namespace is different from the intranet
namespace. For example, the Contoso Corporation uses contoso.com on the Internet and
corp.contoso.com on the intranet. Because all intranet resources use the corp.contoso.com DNS
suffix, the NRPT rule for corp.contoso.com routes all DNS name queries for intranet resources to
intranet DNS servers. DNS name queries for names with the contoso.com suffix do not match the
corp.contoso.com intranet namespace rule in the NRPT and are sent to Internet DNS servers.
With a non-split-brain DNS deployment, because there is no duplication of FQDNs for intranet
and Internet resources, there is no additional configuration needed for the NRPT. DirectAccess
clients can access both Internet and intranet resources for their organization.
Note
58
Local name resolution behavior for DirectAccess
clients
If a name cannot be resolved with DNS, the DNS Client service in Windows 7 and Windows
Server 2008 R2 can use local name resolution, with the Link-Local Multicast Name Resolution
(LLMNR) and NetBIOS over TCP/IP protocols, to resolve the name on the local subnet.
Local name resolution is typically needed for peer-to-peer connectivity when the computer is
located on private networks, such as single subnet home networks. When the DNS Client service
performs local name resolution for intranet server names and the computer is connected to a
shared subnet on the Internet, malicious users can capture LLMNR and NetBIOS over TCP/IP
messages to determine intranet server names.
In Step 3 of the DirectAccess Setup Wizard, you configure the local name resolution behavior
based on the types of responses received from intranet DNS servers. You have the following
options:
• Use local name resolution only if the internal network DNS servers determined that the
name does not exist
This option is the most secure because the DirectAccess client will only perform local name
resolution for server names that cannot be resolved by intranet DNS servers. If the intranet
DNS servers can be reached, the names of intranet servers will be resolved. If the intranet
DNS servers cannot be reached or if there are other types of DNS errors, the intranet server
names will not be leaked to the subnet through local name resolution.
• Use local name resolution if the internal network DNS servers determined that the name
does not exist or if the internal network DNS servers are not reachable and the DirectAccess
client computer is on a private network
This option is moderately secure because it allows the use of local name resolution on a
private network when the intranet DNS servers are unreachable.
• Use local name resolution if there is any type of error when attempting to resolve the
name using internal network DNS servers
This is the least secure option because the names of intranet network servers can be leaked
to the local subnet through local name resolution.
Choose the option that complies with your security requirements.
NRPT rules
In step 3 of the DirectAccess Setup Wizard, you configure the rules in the NRPT, an internal table
used by the DNS Client service to determine where to send DNS name queries. The
DirectAccess Setup Wizard automatically creates two rules for DirectAccess clients:
• A namespace rule for the domain name of the DirectAccess server and the IPv6
addresses corresponding to the intranet DNS servers configured on the DirectAccess server.
For example, if the DirectAccess server is a member of the corp.contoso.com domain, the
DirectAccess Setup Wizard creates a namespace rule for the .corp.contoso.com DNS suffix.
59
• An exemption rule for the FQDN of the network location server. For example, if the
network location server URL is https://nls.corp.contoso.com, the DirectAccess Setup Wizard
creates an exemption rule for the FQDN nls.corp.contoso.com.
You might need to configure additional NRPT rules in step 3 of the DirectAccess Setup Wizard in
the following cases:
• You need to add more namespace rules for the DNS suffixes for your intranet
namespace.
• If the FDQN of your intranet and Internet CRL distribution points are based on your
intranet namespace, you must add exemption rules for the FQDNs of your Internet and
intranet CRL distribution points.
• If you have a split-brain DNS environment, you must add exemption rules for the names
of resources for which you want DirectAccess clients located on the Internet to access the
public (Internet) version, rather than the intranet version.
• If you are redirecting traffic to an external Web site through your intranet Web proxy
servers, the external Web site is only available from the intranet, and the external Web site is
using the addresses of your Web proxy servers to permit the inbound requests, then you
must add an exemption rule for the FQDN of the external Web site and specify that the rule
use your intranet Web proxy server, rather than the IPv6 addresses of intranet DNS servers.
For example, the Contoso Corporation is testing an external Web site named
test.contoso.com. This name is not resolvable via Internet DNS servers, but Contoso’s Web
proxy server knows how to resolve the name and to direct requests for the Web site to the
external Web server. To prevent users who are not on the Contoso intranet from accessing
the site, the external Web site only allows requests from the Internet Protocol version 4 (IPv4)
Internet address of the Contoso Web proxy. Therefore, intranet users can access the Web
site because they are using the Contoso Web proxy but DirectAccess users cannot because
they are not using the Contoso Web proxy. By configuring an NRPT exemption rule for
test.contoso.com that uses the Contoso Web proxy, Web page requests for test.contoso.com
will be routed to the intranet Web proxy server over the IPv4 Internet.
You can also configure NRPT rules from Computer Configuration\Policies\Windows
Settings\Name Resolution Policy in the Group Policy object for DirectAccess clients. For more
information, see Configure the NRPT with Group Policy in the DirectAccess Deployment Guide.
Notes
60
command at a command prompt. You can view the active NRPT rules with the netsh
namespace show effectivepolicy command.
Note
Note
If the name of a server on the local subnet is a duplicate of a server name on the intranet,
the DirectAccess client will always connect to the intranet resource. For example, if your
home network server is named Server1 and there is an intranet server of the same name,
you will always connect to the intranet Server1. To connect to the local subnet resource,
61
append “.local” to the name of the server. For example, to connect to the local subnet
server named Server1, use the name Server1.local.
External DNS
The DirectAccess Setup wizard configures DirectAccess clients with the IPv4 addresses of the
6to4 relay and the Teredo server with Group Policy settings in Computer
Configuration\Policies\Administrative Templates\Network\TCPIP Settings\IPv6 Transition
Technologies. For the URL for the Internet Protocol over Secure Hypertext Transfer Protocol (IP-
HTTPS) server (the IP-HTTPS State setting), the DirectAccess Setup Wizard configures
https://Subject:443/IPHTTPS, in which Subject is the Subject field of the HTTPS certificate that
you specify in Step 2 of the DirectAccess Setup Wizard. If the Subject field of the IP-HTTPS
certificate is an FQDN, you must ensure that the FQDN is resolvable using Internet DNS servers.
If you modify the 6to4 Relay Name or Teredo Server Name Group Policy settings to use FQDNs
rather than an IPv4 address, you must ensure that the FQDNs are resolvable using Internet DNS
servers.
You must also ensure that the FQDNs for your Internet-accessible certificate revocation list (CRL)
distribution points are resolvable using Internet DNS servers. For example, if the URL
http://crl.contoso.com/crld/corp-DC1-CA.crl is in the CRL Distribution Points field of the IP-HTTPS
certificate of the DirectAccess server, you must ensure that the FQDN crl.contoso.com is
resolvable using Internet DNS servers.
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
A DirectAccess deployment needs a public key infrastructure (PKI) to issue certificates to
DirectAccess clients, the DirectAccess server, selected servers, and the network location server.
62
For more information, see Configure Computer Certificate Autoenrollment in the DirectAccess
Deployment Guide.
Note
Note
Note
Checking of CRL distribution points based on a universal naming convention (UNC) path,
such as \\crl.corp.contoso.com\crld\corp-DC1-CA.crl, is disabled by default in Windows 7
and Windows Server 2008 R2. For information about how to enable checking of UNC-
based CRL distribution points, see the following KnowledgeBase article
(http://go.microsoft.com/fwlink/?LinkId=196867). UNC-based CRL distribution points can
be used only for intranet CRL locations. For the Internet location of the CRL distribution
point, you should always use an HTTP-based URL. DirectAccess clients that use IP-
HTTPS to send IPv6 packets across the IPv4 Internet check the Internet CRL distribution
point. IP-HTTPS-based DirectAccess clients can be located behind proxy servers that do
not forward file and printer sharing traffic.
For more information, see Configure a CRL Distribution Point for Certificates in the DirectAccess
Deployment Guide.
Note
If your intranet CRL distribution points are only reachable over IPv6, you must configure a
Windows Firewall with Advanced Security connection security rule to exempt IPsec
protection from the IPv6 address space of your intranet to the IPv6 addresses of your
CRL distribution points.
64
Note
Note
If you enable strong CRL checking and the DirectAccess server cannot reach the CRL
distribution point, certificate-based IPsec authentication for all DirectAccess connections
will fail.
If you are using Network Access Protection (NAP) with DirectAccess and you enable
Note
65
connections will fail. Health certificates do not contain CRL distribution points because
their lifetime is on the order of hours, instead of years for computer certificates.
Note
You should design your PKI to replicate the entire smart card certificate chain to the
current user certificate store in a timely manner. If the PKI is slow in replicating the
certificate chain, users will obtain a smart card certificate and leave the intranet, but be
unable to use smart card authorization. To correct this condition, they might have to
return to the intranet and logon with their smart card credentials to force the PKI to install
the entire certificate chain in the local user’s certificate store.
Important
Appendix A of this white paper describes setting the IKEFlags registry value to 0x40 to
disable the use of the Authenticating IP (AuthIP). DirectAccess cannot function without
AuthIP. Therefore, you must not set this registry value in a DirectAccess deployment.
AuthIP in Windows 7 and Windows Server 2008 R2 supports the use of Diffie Hellman
(DH) for key exchange for AuthIP, which you enable with the netsh advfirewall set
global mainmode mmforcedh yes command.
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
66
You will need Web locations for the following resources:
• The network location server through a Secure Hypertext Transfer Protocol (HTTPS)-
based uniform resource locator (URL) (required)
• An HTTP-based certificate revocation list (CRL) distribution point for the HTTPS
certificate of the network location server that is accessible on the intranet (optional)
The intranet CRL distribution points can also be based on a universal naming convention
(UNC) path of a file server.
• An HTTP-based CRL distribution point for the Internet Protocol over HTTPS (IP-HTTPS)
certificate of the DirectAccess server that is accessible on the Internet (required)
For more information, see Configure IIS for Network Location in the DirectAccess Deployment
Guide.
In all of these cases, the Web server providing these resources must be highly available. If these
resources cannot be reached, the following occurs:
• If the DirectAccess client on the intranet is unable to reach the HTTPS-based URL of the
network location server, a DirectAccess client cannot detect when it is on the intranet and
might not be able to access intranet resources.
• If the DirectAccess client on the intranet is unable to reach the intranet CRL distribution
point to perform certificate revocation checking for the network location server, a
DirectAccess client cannot detect when it is on the intranet and might not be able to access
intranet resources.
• If the DirectAccess client on the Internet is unable to reach the Internet CRL distribution
point to perform certificate revocation checking for the IP-HTTPS certificate, a DirectAccess
client cannot use IP-HTTPS. Because IP-HTTPS is the last transition technology that is used
for Internet Protocol version 6 (IPv6) connectivity to the DirectAccess server, DirectAccess
clients will not be able to establish a connection to the DirectAccess server when behind a
firewall or Web proxy or behind a network address translator (NAT) when the Teredo client
has been disabled.
• If you configure strong CRL checking on the DirectAccess server and it cannot reach the
CRL distribution points in the DirectAccess client’s certificate, certificate-based authentication
for the IPsec tunnels will fail and DirectAccess clients will be unable to access intranet
resources.
For Internet Information Services (IIS)-based Web servers, see Planning Redundancy for a
Network Location Server and Planning Redundancy for CRL Distribution Points for information
about high availability for Web servers.
Note
67
Choose an Internet Traffic Separation Design
Important
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
With Internet Protocol version 6 (IPv6) and the Name Resolution Policy Table (NRPT),
DirectAccess clients by default separate their intranet and Internet traffic in the following way:
• Domain Name System (DNS) name queries for intranet fully qualified domain names
(FQDNs) and all intranet traffic is exchanged over the tunnels created with the DirectAccess
server or directly with intranet servers. Intranet traffic from DirectAccess clients is IPv6 traffic.
• DNS name queries for FQDNs that correspond to exemption rules or do not match the
intranet namespace and all traffic to Internet servers is exchanged over the physical interface
that is connected to the Internet. Internet traffic from DirectAccess clients is typically Internet
Protocol version 4 (IPv4) traffic.
This is the default and recommended operation of DirectAccess.
In contrast, some remote access virtual private network (VPN) implementations, including the
VPN client in Windows 7, by default send all of their traffic—both intranet and Internet—over the
remote access VPN connection. Internet-bound traffic is routed by the VPN server to intranet
IPv4 Web proxy servers for access to IPv4 Internet resources. It is possible to separate the
intranet and Internet traffic for remote access VPN clients using split tunneling, in which you
configure the Internet Protocol (IP) routing table on VPN clients so that traffic to intranet locations
is sent over the VPN connection and traffic to all other locations is sent using the physical
interface connected to the Internet.
You can configure DirectAccess clients to send all of their traffic through the tunnels to the
DirectAccess server with force tunneling. When force tunneling is configured, DirectAccess
clients that detect that they are on the Internet modify their IPv4 default route so that default route
IPv4 traffic is not sent. With the exception of local subnet traffic, all traffic sent by the
DirectAccess client is IPv6 traffic that goes through tunnels to the DirectAccess server.
Enabling force tunneling has the following consequences:
• DirectAccess clients use only Internet Protocol over Secure Hypertext Transfer Protocol
(IP-HTTPS) to obtain IPv6 connectivity to the DirectAccess server over the IPv4 Internet. IP-
HTTPS-based connections have lower performance and higher overhead on the
DirectAccess server than 6to4 and Teredo-based connections.
• The only locations that a DirectAccess client can reach by default with IPv4 traffic are
those on its local subnet. All other traffic sent by the applications and services running on the
DirectAccess client is IPv6 traffic sent over the DirectAccess connection. Therefore, IPv4-only
applications on the DirectAccess client cannot be used to reach Internet resources, except
those on the local subnet.
68
• Connectivity to the IPv4 Internet must be done through servers and devices on the
intranet that translate the IPv6 traffic from DirectAccess clients to IPv4 traffic for the IPv4
Internet. If you do not have the appropriate servers or translators, your DirectAccess clients
will not have access to IPv4 Internet resources, even though they are directly connected to
the IPv4 Internet.
To configure force tunneling, you must do the following:
• Configure IPv4 Internet access for your DirectAccess clients
• Enable force tunneling on DirectAccess clients
• Add a special entry in the NRPT on DirectAccess clients
• Configure your DirectAccess clients to always use the IP-HTTPS transition technology
• Configure your Internet firewall filters to allow only inbound and outbound Secure Sockets
Layer (SSL) traffic to and from the DirectAccess server
The following sections describe these elements of configuration in more detail. For more
information about configuring the settings for DirectAccess clients, see Configure Force Tunneling
for DirectAccess Clients in the DirectAccess Deployment Guide.
Notes
Due to the infrastructure requirements and reduced performance for accessing IPv4
Internet resources, Microsoft does not recommend the use of force tunneling for
DirectAccess.
Force tunneling relies on modifying the IPv4 default route in the IPv4 routing table to
prevent the DirectAccess client computer from sending traffic directly to IPv4 Internet
locations. A user with administrative rights can modify their IPv4 default route to point to
their Internet service provider’s router on the subnet.
69
Modify the NRPT
To route DNS name resolution and connection traffic to these servers or devices for translation
and forwarding to the IPv4 Internet, you must add a rule to the NRPT for DirectAccess clients that
specifies any DNS suffix and the IPv6 address of the DNS64.
If you are configuring the NRPT through the DirectAccess Setup Wizard, add a rule for the
following:
• Name suffix is set to “.”
• DNS server IPv4 or IPv6 addresses are set to the static IPv4 or IPv6 addresses of the
dual-protocol proxy server or DNS64
If you are configuring the NRPT through the Computer Configuration\Policies\Windows
Settings\Name Resolution Policy Group Policy setting, create a rule with the following:
• The Any suffix
• Enabled for DirectAccess
• For DNS servers, add the static IPv6 addresses of the dual-protocol proxy server or
IPv6/IPv4 DNS gateway
With this NRPT rule, a DirectAccess client sends DNS name queries that do not match any of the
other rules in the NRPT to the IPv6 address of the dual-protocol proxy server or DNS64.
70
Because a force tunneling deployment only uses IP-HTTPS traffic, you should remove the
following packet filters for the DirectAccess server on your Internet router:
• Protocol 41 inbound and outbound
• UDP destination port 3544 inbound and UDP source port 3544 outbound
If your DirectAccess server is directly attached to the Internet, use the following commands at an
administrator-level Command Prompt:
• netsh advfirewall firewall set rule dir=in name=”Core Networking – Teredo (UDP-
In)” enable=no
This command blocks inbound Teredo traffic.
• netsh advfirewall firewall add rule name=”Protocol 41 (6to4)” dir=in action=block
profile=public,private protocol=41
This command blocks 6to4 traffic on the Internet interface.
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
DirectAccess clients on the Internet can communicate with each other directly without having to
go through the DirectAccess server. For example, two DirectAccess clients on the Internet named
DACL1 and DACL2 have public Internet Protocol version 4 (IPv4) addresses and configure
themselves as 6to4 hosts with 6to4 addresses. DACL1 and DACL2 register their 6to4 addresses
with intranet DNS servers. When DACL1 initiates communication with DACL2 by name, the
intranet DNS server responds with the 6to4-based address of DACL2. DACL1 then uses 6to4
tunneling to communicate directly with DACL2.
Without data confidentiality, the traffic between DACL1 and DACL2 is sent as clear text. Some
applications provide their own data confidentiality and some—such as Remote Assistance and
File and Printer Sharing—do not. To protect the traffic between DirectAccess clients for all
applications, do the following:
1. Create a connection security rule with the following properties:
• Rule Type: Isolation
• Requirements: Request authentication for inbound and outbound connections
• Authentication Method: Computer Certificate for the first authentication
• Profile: Private and Public
71
To configure this connection security rule using the Network Shell (Netsh) command-line tool,
you can use the following command:
netsh advfirewall consec add rule endpoint1=any endpoint2=any
action=requestinrequestout profile=public,private auth1=computercert
auth1ca=CAName
2. Create a connection security rule with the following properties:
• Rule Type: Custom
• Endpoints: Endpoint 1 address for your intranet IPv6 prefix, Endpoint 2 address for
your intranet IPv6 prefix
• Requirements: No authentication
• Protocols and Ports: Any
• Profile: Domain, Private, and Public
3. Create an inbound rule for each application that needs to accept unsolicited inbound
connection requests.
• For example, for Remote Desktop, the inbound rule has the following properties:
• Rule Type: Port
• Protocols and Ports: Transmission Control Protocol (TCP) 3389
• Action: Allow the connection if it is secure, Require the connections to be
encrypted
• Profile: Private and Public
To configure this Windows Firewall rule for Remote Desktop using Netsh.exe, you can use
the following command:
netsh advfirewall firewall add rule name=RemoteDesktop profile=public,private
program=system action=allow security=authenc protocol=tcp localport=3389
For additional protection, you can require protection for all inbound connections to the
DirectAccess client. You can specify this when creating the rule in the following ways:
• From the Windows Firewall with Advanced Security snap-in, on the Requirements page,
select Require authentication for inbound connections and request authentication for
outbound connections instead of Request authentication for inbound and outbound
connections.
• For the Network Shell (Netsh) command, specify the action=requireinrequestout
parameter instead of action=requestinrequestout.
With this additional protection, outbound connections to other DirectAccess clients is encrypted
regardless of the application. Outbound connections to Internet destinations and non-
DirectAccess clients is sent as clear text.
For more information, see Configure Connection Security Rules for Traffic Between DirectAccess
Clients in the DirectAccess Deployment Guide.
72
Design Your Intranet for Corporate
Connectivity Detection
Important
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
Computers running Windows 7 or Windows Server 2008 R2 use corporate connectivity detection
to determine whether the computer can access the resources of your intranet. Corporate
connectivity detection is separate from network location detection. A DirectAccess client can
successfully detect corporate connectivity when it is directly connected to the intranet or when it is
roaming on the Internet. Corporate connectivity determination is used for the following:
• Active Directory® Domain Services (AD DS) domain members detect corporate
connectivity before initiating updates of Group Policy settings.
• Network Access Protection (NAP) clients use successful corporate connectivity detection
to perform another health check if the NAP client determines that it is unhealthy because it
could not reach a NAP health policy server in a previous heath check.
• DirectAccess clients use corporate connectivity detection to determine when to use
Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS). If the DirectAccess
client cannot access intranet resources using Teredo, it attempts to connect to the
DirectAccess server using IP-HTTPS.
Corporate connectivity detection relies on the ability to perform the following checks for different
purposes, depending on the computer’s configuration:
• Resolve a specific intranet fully qualified domain name (FQDN) name to a specific
Internet Protocol version 6 (IPv6) address.
• Determine whether an Internet Protocol security (IPsec) security association (SA) has
been established for an IPv6 address that is based on the IPv6 prefix of the intranet.
• Access a specific intranet Web site.
The DirectAccess Setup Wizard automatically configures the following for corporate connectivity
detection:
• The intranet-specific name and IPv6 address and registers the corresponding AAAA
record in an intranet Domain Name System (DNS) server.
• The IPv6 prefix of the intranet.
The DirectAccess Setup Wizard does not automatically configure the settings and infrastructure
needed for DirectAccess clients to access a specific intranet Web site. This additional
configuration is required for branch scenarios in which a Web proxy server is between the
DirectAccess client and the intranet resources that it is trying to reach. This additional
configuration also aids in diagnosing DirectAccess connections.
73
To configure settings and infrastructure needed for DirectAccess clients to access a specific
intranet Web site, do the following:
1. Determine a Web site on your intranet that is not accessible from the Internet, is highly
available, and is reachable with IPv6. To ensure its ongoing reachability with IPv6, either
assign a static IPv6 address if you have a native IPv6 infrastructure or a static Internet
Protocol version 4 (IPv4) address if you are using Intra-Site Automatic Tunnel Addressing
Protocol (ISATAP). For example, the Contoso Corporation uses cweb.corp.contoso.com as its
central, highly-available intranet Web site. This Web server uses ISATAP and a static IPv4
address.
2. Enable the Computer Configuration/Policies/Administrative
Templates/Network/Network Connectivity Status Indicator/Corporate Website Probe
URL Group Policy setting in the Group Policy object for DirectAccess clients and configure it
for the highly available intranet URL. For example, enable and configure the Corporate
Website Probe URL setting with http://cweb.corp.contoso.com.
Note
If the name of the highly-available intranet Web site changes, you will have to update the
Corporate Website Probe URL setting with the new URL.
You also need to add the IPv6 address for the infrastructure tunnel endpoint to the Computer
Configuration/Policies/Administrative Templates/Network/Network Connectivity Status
Indicator/Corporate Site Prefix List Group Policy setting in the Group Policy object (GPO) for
DirectAccess clients. The IPv6 address for the infrastructure tunnel endpoint is configured in the
Windows Firewall with Advanced Security connection security rule named DirectAccess Policy-
ClientToDnsDc in the GPO for DirectAccess clients.
For more information, see Configure Corporate Connectivity Detection Settings in the
DirectAccess Deployment Guide.
Note
If you use the Use local name resolution if the internal network DNS servers
determined that the name does not exist or if the internal network DNS servers are
not reachable and the DirectAccess client computer is on a private network option
for local host name resolution, the Corporate Website Probe URL setting must be
specified as a FQDN, rather than an unqualified, single-label name. If you use an
unqualified, single-label name, corporate connectivity detection might incorrectly detect
that corporate connectivity exists and diagnostics for DirectAccess can be affected.
74
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
Because the migration of remote access virtual private network (VPN) solution to DirectAccess
will take time, both of these solutions for remote access connectivity to intranet resources can be
used simultaneously for different sets of clients. For example, intranet client computers running
Windows Vista or Windows XP can continue to use your remote access VPN solution and
computers running Windows 7 can begin to use DirectAccess.
If a computer running Windows 7 is both a DirectAccess client and a remote access VPN client,
ensure the following:
• The remote access VPN server is not blocking access to the network location server on
the intranet, even when the network access of VPN clients is restricted. When the remote
access VPN connection is active, the DirectAccess client should successfully detect that it is
located on the intranet, regardless of its VPN-based network access status (restricted or full
access).
• Firewall or connection security rules of the DirectAccess client should not block access to
locations needed to remediate the system health of the computer when it has its access
restricted as a remote access VPN client.
• The fully qualified domain name (FQDN) of the VPN server on the Internet either does
not match the intranet namespace or there is a corresponding exemption rule for the FQDN in
the Name Resolution Policy Table (NRPT).
The same computer acting as a DirectAccess server and a remote access VPN server with
Routing and Remote Access is not a supported configuration, except when used with Microsoft
Forefront Unified Access Gateway (UAG). For more information, see Overview of Forefront UAG
(http://go.microsoft.com/fwlink/?LinkId=160322).
75
To configure DirectAccess clients to detect these types of VPN client configurations and
coexist with them, set the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Inte
rnet\ EnableNoGatewayLocationDetection (REG_DWORD) registry value to 1.
For more information about third-party VPN clients that provide their own implementations of
Internet Protocol security (IPsec), see Recommendations for Virtual Private Network Client
Coexistence with the Internet Protocol Security Implementation in Microsoft Windows
(http://go.microsoft.com/fwlink/?LinkId=163776).
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
The DirectAccess server is a required component of any DirectAccess design. A DirectAccess
server must be running Windows Server 2008 R2.
See the following topics for more information about DirectAccess server deployment:
• When to Install a DirectAccess Server
• Where to Place the DirectAccess Server
• Planning Redundancy for a DirectAccess Server
76
When to Install a DirectAccess Server
Important
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
All DirectAccess designs described in this guide require that you install at least one DirectAccess
server. In some cases, there are more than one DirectAccess server to provide redundancy and
increased capacity.
For more information, see the following topics:
• Planning Redundancy for a DirectAccess Server
• DirectAccess Capacity Planning
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
Because DirectAccess servers provide intranet connectivity to DirectAccess clients on the
Internet, DirectAccess servers are installed in your perimeter network, typically between your
Internet-facing firewall and your intranet. The following figure shows an example.
The DirectAccess server must be joined to an Active Directory domain, running Windows
Server 2008 R2, and have at least two physical network adapters installed.
The DirectAccess server must have at least two, consecutive public Internet Protocol version 4
(IPv4) addresses assigned to the interface that is connected to the perimeter network, or, in the
absence of an Internet firewall, connected directly to the Internet. Addresses in the ranges
10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 are private IPv4 addresses and cannot be used.
The DirectAccess server requires two consecutive public IPv4 addresses so that it can act as a
Teredo server and Windows-based Teredo clients can use the DirectAccess server to perform
77
detection of the type of network address translator (NAT) that they are behind. For more
information, see Teredo Overview (http://go.microsoft.com/fwlink/?Linkid=157322).
Note
The DirectAccess Management console sorts the public IPv4 addresses assigned to the
Internet adapter alphabetically. Therefore, the DirectAccess Management console does
not consider the following sets of addresses as consecutive: w.x.y.9 and w.x.y.10, which
is sorted as w.x.y.10, w.x.y.9; w.x.y.99 and w.x.y.100, which is sorted as w.x.y.100,
w.x.y.99; w.x.y.1, w.x.y.2, and w.x.y.10, which is sorted as w.x.y.1, w.x.y.10, w.x.y.2. Use a
different set of consecutive addresses.
On the DirectAccess server, you install the DirectAccess Management Console feature through
Server Manager. You use the DirectAccess management console to configure DirectAccess
settings for the DirectAccess server and clients and monitor the status of the DirectAccess server.
DirectAccess servers should not host any other primary functions; they should be dedicated to
DirectAccess.
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
To provide service redundancy for DirectAccess, use Forefront UAG for scalability, high-
availability, and enhanced management for a DirectAccess deployment. For more information,
see UAG and DirectAccess (http://go.microsoft.com/fwlink/?LinkId=159955).
To provide hardware redundancy, DirectAccess can be configured inside a Hyper-V Failover
cluster. The recommended configuration consists of two Hyper-V hosts with failover clustering
supporting a single shared DirectAccess server in a virtual machine. The two Hyper-V hosts
protect the system from a single node failure for the DirectAccess server.
In addition to the DirectAccess Setup Wizard, you need the following configuration:
• The Hyper-V servers must be using identical server hardware.
• Each Hyper-V server must have at least three physical network adapters to support
Internet, intranet, and Failover Clustering connectivity. Network interface card (NIC)
teaming is not supported.
• A fourth network adapter is a requirement if the Hyper-V clustering solution is using
iSCSI interfaces.
78
• The Hyper-V servers are joined to the domain and connected to the appropriate
networks.
• Ensure that the Hyper-V nodes are enabled to support Data Execution Prevention and
Processor Virtualization.
Make the following Hyper-V configuration settings:
• To improve overall performance, configure the following in the properties for the virtual
machine in Failover Cluster Manager:
• Do not set a preferred owner.
• Set Failback to Prevent Failback. If Failback is enabled, unnecessary outages may
occur when the DirectAccess VM resource is migrated or recovers from a node failure.
• To speed up client reconnection in the event of a quick migration or node failure, set the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\
Oakley\NLBSFlags registry value to 1 on the DirectAccess virtual machine for faster idle
timeout of IPsec security associations (SAs). With the NLBSFlags registry value set to 1, the
total time it takes for IPsec to fail over is two minutes; one minute for the idle time to expire
plus one minute for IKE to renegotiate SAs. The Hyper-V nodes do not need this
configuration change.
With Hyper-V and Failover Clustering the primary failover mechanisms are the following:
• Live migration
There should be no discernable client connectivity outage when the clustered DA server is
live migrated.
• Quick migration
With the NLBSFlags registry value set to 1, the maximum client connectivity outage on a
quick migration should be less than two minutes.
• Resource move
With the NLBSFlags registry value set to 1, the maximum client connectivity outage on a
manual resource move should be less than two minutes.
Hyper-V and Failover Clustering also support automatic recovery from a single node failure.
When failover occurs a client should be reconnected within two minutes; there is no action
needed from the user. If the NLBSFlags registry value is set to 1 and the host is back online in
less than two minutes, the maximum client connectivity outage on a mode failure should be less
than two minutes.
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
79
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
The network location server is a required component of any DirectAccess design. To function as a
network location server, a computer must be able to host and service requests for a Secure
Hypertext Transfer Protocol (HTTPS)-based uniform resource locator (URL).
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
The network location server is a critical part of a DirectAccess deployment. If DirectAccess client
computers on the intranet cannot successfully locate and access the secure Web page on the
network location server, they might not be able to access intranet resources.
When DirectAccess clients obtain a physical connection to the intranet or experience a network
status change on the intranet (such as an address change when roaming between subnets), they
attempt a Secure Hypertext Transfer Protocol (HTTPS) connection to a configured uniform
resource locator (URL). If the DirectAccess client can successfully obtain an HTTPS connection
to the configured URL, including a revocation check of the Web server’s certificate, they
determine that they are on the intranet.
To ensure that the FQDN of the network location server is reachable for a DirectAccess client with
DirectAccess-based rules in the NRPT, the DirectAccess Setup Wizard by default adds the FQDN
of the network location server as an exemption rule to the NRPT. When the DirectAccess client
attempts to resolve the FQDN of the network location server, the FQDN matches the exemption
rule in the NRPT and the DirectAccess client uses interface-configured DNS servers, which are
reachable to resolve the name and connect to the network location server.
80
Note
Because the FQDN of network location URL is added as an exemption rule to the NRPT,
the intranet Web server at that FQDN will not be accessible to DirectAccess clients on the
Internet.
To ensure that DirectAccess clients can correctly detect when they are on the Internet,
DirectAccess clients on the Internet must not be able to successfully access the network location
URL. You can accomplish this by ensuring that the FQDN cannot be resolved using Internet DNS
servers, configuring the Web server to deny connections from Internet-based clients, or by
ensuring that the certificate validation process fails when DirectAccess clients are on the Internet.
In the DirectAccess Setup Wizard, you can specify that the DirectAccess server act as the
network location server or you can type the HTTPS-based URL for network location, specifying a
network location server that is separate from the DirectAccess server. Using a separate network
location server that is a highly available intranet Web server is strongly recommended.
Note
81
For more information, see Install and Configure IIS for a Network Location Server Certificate in
the DirectAccess Deployment Guide.
82
Planning Redundancy for a Network
Location Server
Important
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
For Internet Information Services (IIS)-based Web servers that are acting as network location
servers, you can configure redundancy with Network Load Balancing. For more information, see
Overview of the Network Load Balancing Deployment Process (http://go.microsoft.com/fwlink/?
LinkId=159956).
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
Certificate revocation list (CRL) distribution points are a critical component of the following
aspects of DirectAccess:
• DirectAccess clients use certificate revocation checking to validate the DirectAccess
server certificate for Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS)
connections. Without a reachable CRL distribution point on the Internet, all IP-HTTPS-based
DirectAccess connections will fail.
• DirectAccess clients use certificate revocation checking to validate the certificate for the
HTTPS connection to the network location server. Without a reachable CRL distribution point
on the intranet, intranet detection fails, which can impair intranet connectivity for DirectAccess
clients.
83
Where to Place the CRL Distribution Points
Important
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
You need certificate revocation list (CRL) distribution points on both the intranet (for intranet
detection) and the Internet (for Internet Protocol over Secure Hypertext Transfer Protocol [IP-
HTTPS] connections).
Note
84
Planning Redundancy for CRL Distribution
Points
Important
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
If the intranet certificate revocation list (CRL) distribution point becomes unavailable, intranet
detection will fail for DirectAccess clients on the intranet. If the Internet CRL distribution point
becomes unavailable, DirectAccess clients on the Internet will be unable to use Internet Protocol
over Secure Hypertext Transfer Protocol (IP-HTTPS)-based connections to the DirectAccess
server.
For CRL distribution point redundancy, you can do the following:
• For a single CRL distribution point, you can configure redundancy for Internet Information
Services (IIS)-based Web servers or Windows Server 2008 R2 or Windows Server 2008-
based file servers with Network Load Balancing. For more information, see Overview of the
Network Load Balancing Deployment Process (http://go.microsoft.com/fwlink/?
LinkId=159956).
• You can also configure multiple CRL distribution points on different Web or file servers on
your intranet or the Internet.
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
Network Access Protection (NAP) for DirectAccess connections is use of a health certificate for
the Internet Protocol security (IPsec) peer authentication of the intranet tunnel. A health certificate
is a certificate with the System Health object identifier (OID). A NAP client can only obtain a
health certificate from a Health Registration Authority (HRA) if it complies with system health
requirements as configured on a NAP health policy server.
Using NAP for enforcement of system health for DirectAccess connections requires the
deployment of the IPsec enforcement method, which includes the following elements:
85
• NAP health policy servers
• HRAs on the intranet
• NAP certification authorities (CAs)
• Remediation servers
• NAP client settings
For information about how to deploy IPsec enforcement, see IPsec Enforcement Design.
In your deployment of IPsec enforcement, on the DirectAccess server, you need to install an
IPsec exemption certificate.
For more information about the DirectAccess with NAP solution, see DirectAccess with
Network Access Protection (NAP).
Note
To prevent timing problems that might occur when obtaining Kerberos authentication and
accessing the Web location on the intranet HRA, you can configure Internet Information
Services (IIS) on the HRA to use NTLM authentication with the %windir
%\system32\inetsrv\appcmd.exe set config
-section:system.webServer/security/authentication/windowsAuthentication
/-providers.[value='Negotiate'] command.
Note
If you modify the connection security rules created by the DirectAccess Setup Wizard,
you must use Network Shell (Netsh) commands. There are connection security rule
settings that cannot be modified with the Windows Firewall with Advanced Security snap-
in. If you modify these connection security rules with the Windows Firewall with Advanced
86
Security snap-in, they will be overwritten with default values, which can result in
incompatible connection security rules that prevent DirectAccess connections.
Notes
If you modify the connection security rules created by the DirectAccess Setup Wizard,
you must use Network Shell (Netsh) commands. There are connection security rule
settings that cannot be modified with the Windows Firewall with Advanced Security snap-
in. If you modify these connection security rules with the Windows Firewall with Advanced
Security snap-in, they will be overwritten with default values, which can result in
incompatible connection security rules that prevent DirectAccess connections.
You can demonstrate NAP functionality for DirectAccess with the DirectAccess with NAP
test lab (http://go.microsoft.com/fwlink/?LinkId=186697).
87
Planning DirectAccess with an Existing
Server and Domain Isolation Deployment
Important
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
Server and Domain Isolation (SDI) allows administrators to dynamically segment their Windows
environment into more secure and isolated logical networks using Internet Protocol security
(IPsec) without costly changes to their network infrastructure or applications. This creates an
additional layer of policy-driven protection, helps better protect against costly network attacks,
and helps prevent unauthorized access to trusted networked resources, achieve regulatory
compliance, and reduce operational costs. For more information, see Server and Domain
Isolation (http://go.microsoft.com/fwlink/?Linkid=95395).
Both DirectAccess and SDI use a set of Windows Firewall with Advanced Security connection
security rules in Group Policy objects (GPOs) to determine when and how to protect intranet
traffic. You should perform a careful analysis of your existing SDI global IPsec settings and
connection security rules and the global IPsec settings and rules created by the DirectAccess
Setup Wizard to determine whether they are compatible. A mismatch in global IPsec or
connection security rule settings between DirectAccess and SDI can cause an IPsec negotiation
failure and a lack of connectivity when a DirectAccess client attempts to access an intranet
resource protected with SDI.
For example, you need to ensure that the global main mode IPsec settings of your DirectAccess
clients match the global main mode IPsec settings of your SDI deployment. The DirectAccess
Setup Wizard will configure default global main mode IPsec settings for DirectAccess clients to
match those of the default global main mode IPsec settings for Windows Vista and Windows
Server 2008. If you have changed the global main mode IPsec settings for your SDI deployment
from their default values, you need to configure the global main mode IPsec settings of the Group
Policy object for DirectAccess clients created by the DirectAccess Setup Wizard to match them.
Additional design considerations for deploying DirectAccess in an existing SDI environment are
the following:
• To allow for Teredo client discovery, you should exempt Internet Control Message
Protocol (ICMP) from IPsec protection in your SDI deployment.
• If you are only using SDI for data integrity, you must use Encapsulating Security Payload
(ESP)-NULL, rather than Authentication Header (AH). If you are using AH, you should
reconfigure your SDI deployment to use ESP-NULL before deploying DirectAccess.
88
Planning DirectAccess with Microsoft
Forefront Threat Management Gateway
Important
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
Microsoft Forefront Threat Management Gateway (TMG) can be installed on a DirectAccess
server to provide an additional layer of protection and for additional Forefront TMG features, such
as a full Internet Protocol version 4 (IPV4) firewall and secure Web publishing for computers that
are not DirectAccess clients.
Forefront TMG integrates with the Internet Protocol security (IPsec) Denial of Service Protection
(DoSP) component of DirectAccess to ensure that only IPsec-protected traffic is allowed to pass
through. For this reason, you must configure DirectAccess before installing Forefront TMG.
Forefront TMG also allows Internet Control Message Protocol (ICMP) traffic through by default,
which is required to support Teredo-based DirectAccess clients.
For more information, see Forefront Threat Management Gateway and DirectAccess
(http://go.microsoft.com/fwlink/?LinkId=169278).
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
To design a scalable DirectAccess infrastructure, you must analyze the elements of a
DirectAccess deployment and develop an implementation plan that considers several factors,
including:
• Performance. Which types of resources are most used by each server role in your
DirectAccess deployment? How will you monitor performance?
• Roles. Do servers in your DirectAccess deployment perform multiple functions? How
does this affect performance?
• Availability. Do you require 100 percent availability for all server roles in your
deployment?
• Access profile. When and where does your network experience peak activity? Is the
activity consistent or does it change over time?
89
See the following topics for additional information:
• Capacity Planning for DirectAccess Servers
• Capacity Planning for Network Location Servers
• Capacity Planning for CRL Distribution Points
• Planning for Multi-site DirectAccess
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
Capacity planning for DirectAccess servers can be done in the following ways:
• Move the Internet Protocol security (IPsec) gateway function to a separate server that
has IPsec offload hardware
• Use DirectAccess with Microsoft Forefront Unified Access Gateway (UAG)
90
It is possible to move these functions to other computers. One configuration that supports
scalability for many DirectAccess connections is to move the IPsec gateway and ISATAP router
functions to another computer with IPsec offload hardware, which can handle the processor-
intensive cryptographic operations and support many IPsec tunnels. The following figure shows
an example.
In this example, Server 1 provides the 6to4 relay, Teredo server, and IP-HTTPS server functions
and Server 2 provides ISATAP router and IPsec gateway functions. DirectAccess clients use
Server 1 to tunnel traffic across the IPv4 Internet and establish the infrastructure and intranet
IPsec tunnels with Server 2. Intranet computers forward traffic to DirectAccess clients to Server 2.
The requirements of this configuration are the following:
• Both Server 1 and Server 2 must have two physical interfaces, one classified as a public
interface and one classified as a domain interface. Server 1 has its public interface on the
Internet.
• The subnet for the link between the Server 1 and Server 2, the intra-server subnet, must
use native IPv6 addressing. You cannot use 6to4 or ISATAP tunneling on this link. You must
pick a unique 64-bit prefix for your intranet and configure static IPv6 addresses for each
interface on this subnet.
• You must configure a default IPv6 route (::/0) on Server 2 that points to Server 1’s
interface on the intra-server subnet.
• Because Server 2 computer is a native IPv6 router, you must configure outbound firewall
rules on the interface on the intra-server subnet to prevent reachability to intranet domain
controllers.
• The tunnel endpoints in the Group Policy objects for the DirectAccess clients and server
must specify the native IPv6 address of Server 2’s interface on the intra-server subnet.
With this configuration, Server 2 acts as the IPsec intranet and infrastructure tunnel endpoint,
providing decryption services for packets from DirectAccess clients and encryption services for
packets to DirectAccess clients.
The following figure shows an example of the traffic between DirectAccess clients and intranet
servers for the full intranet access model.
91
The traffic over the Internet between the DirectAccess client and Server 2 is encrypted through
the intranet tunnel. The traffic over the intranet between Server 2 and intranet servers is clear
text.
The recommended method to deploy this configuration is the following:
1. While configured with two consecutive public IPv4 addresses, complete the DirectAccess
Setup Wizard on Server 2.
2. Set up the intra-server subnet and the static IPv6 addressing of Server 1. Reconfigure
Server 2 with the appropriate IPv4 addresses for the intra-server subnet and remove the two
consecutive public IPv4 addresses. Configure Server 1 with the two consecutive public IPv4
addresses on the Internet interface.
3. Configure Server 1 as a default advertising router for the intra-server subnet, and a 6to4
relay, Teredo server and relay, and IP-HTTPS server on the Internet.
4. Disable the 6to4 relay, Teredo server and relay, and IP-HTTPS server functionality on
Server 2.
5. Configure Group Policy settings for the new IPsec tunnel endpoint on Server 2.
For deployment instructions to move the IPsec gateway function to a separate server, see
Checklist: Moving the IPsec Gateway to Another Server.
92
Capacity Planning for Network Location
Servers
Important
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
The network location function for DirectAccess can be placed on an intranet Web server or the
DirectAccess server. Microsoft highly recommends placing the network location function on a
separate intranet Web server. You must plan the capacity of the network location server so that it
can handle the DirectAccess clients on your intranet performing intranet detection.
To provide capacity for an Internet Information Services (IIS) 7.0-based Web server, including the
DirectAccess server, see the documentation for the Web Server (IIS) role on Windows
Server 2008 R2 or Windows Server 2008 for recommendations on scaling IIS capacity.
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
The certificate revocation list (CRL) distribution points on the Internet for the Internet Protocol
over Secure Hypertext Transfer Protocol (IP-HTTPS) certificate and on the intranet for the
network location certificate can be located on Web or file servers. You must plan for the capacity
of CRL distribution points so that your Internet and intranet-connected DirectAccess clients can
perform certificate revocation checking for the IP-HTTPS connection and for network location
detection.
For an Internet Information Services (IIS)-based Web server or a Windows-based file server,
including the DirectAccess server, see the documentation for the Web Server (IIS) and File
Services roles on Windows Server 2008 R2 or Windows Server 2008 for recommendations on
scaling capacity.
93
Planning for Multi-site DirectAccess
DirectAccess servers can be installed in multiple sites of an organization to increase capacity and
provide more efficient routing when accessing site-specific intranet resources. Setting up multi-
site DirectAccess requires careful design and planning so that the following goals are met:
• A DirectAccess client can connect to the DirectAccess server of any site and can access
the intranet resources in that site.
• A DirectAccess client can be managed by a management server of any site.
• A DirectAccess client can travel to any site and determine that it is connected to the
intranet.
Note
You can also deploy multi-site DirectAccess with geo-locator services such as Global
Server Load Balancing (GSLB). This topic does not describe planning for multi-site
DirectAccess in conjunction with a geo-locator service. Additional information about using
geo-locator services for multi-site DirectAccess will be added to this topic when it
becomes available.
The following figure shows an example of DirectAccess deployed in two sites of the Contoso
Corporation.
94
usa.corp.contoso.com. Site 2 is the Contoso Corporation’s main office in Europe, corresponding
to the AD DS domain and DNS namespace europe.corp.contoso.com.
DirectAccess Client 1 is a member of the usa.corp.contoso.com domain. When on the Internet,
DirectAccess Client 1 connects to the DirectAccess server for the site containing the resources it
needs to access. To access a resource in Site 1, the DirectAccess client creates infrastructure
and intranet tunnels to DirectAccess Server 1. To access a resource in Site 2, the DirectAccess
client creates separate infrastructure and intranet tunnels to DirectAccess Server 2. The following
figure shows an example of the infrastructure and intranet tunnels created by DirectAccess Client
1 to reach resources in Site 1 and Site 2.
95
IPv6 connectivity for multi-site DirectAccess
In a single-site DirectAccess deployment, a DirectAccess server acts as a default Internet
Protocol version 6 (IPv6) router for an organization. Default route traffic that is traveling out of the
site destined for DirectAccess clients on the Internet must go through the DirectAccess server.
In a multi-site DirectAccess deployment, DirectAccess servers still act as default routers for a site
to facilitate traffic to Internet destinations. However, additional routing support must be configured
so that IPv6 traffic between computers directly attached to the intranet in different sites does not
flow through the DirectAccess servers. Inter-site IPv6 traffic between intranet computers must
flow through intranet IPv6 routers if you have native IPv6 connectivity or Intra-Site Automatic
Tunnel Addressing Protocol (ISATAP) site border routers if you have ISATAP-based connectivity.
ISATAP connectivity
Because most organizations do not have native IPv6 connectivity on their intranets, the
DirectAccess Setup Wizard can automatically configure the DirectAccess server as an ISATAP
router, deploying ISATAP-based IPv6 connectivity on your intranet. For information about Active
Directory Sites and Services configuration for ISATAP-based intranets, see the “Active Directory
Sites and Services configuration” section of Design Active Directory for DirectAccess.
With a single-site DirectAccess deployment, the single DirectAccess server acting as the ISATAP
router for the site achieves the goals of providing IPv6 reachability throughout the intranet and
default route traffic flows through the DirectAccess server. For a multi-site DirectAccess
deployment using only ISATAP-based IPv6 connectivity, you must also deploy ISATAP site border
routers.
When you deploy DirectAccess servers in multiple sites, by default there is ISATAP-based IPv6
connectivity within each site and the default route traffic flows through the site’s DirectAccess
server. Without ISATAP border routers, the inter-site traffic follows the default route path and
flows to the DirectAccess server, which can then use 6to4 encapsulation to forward the traffic
over the Internet to the DirectAccess server of the destination site. Because there are no
connection security rules for inter-site traffic, by default the DirectAccess server can send the
traffic as clear text across the Internet. If you deploy ISATAP border routers, ISATAP hosts have
additional routes for intranet sites and forward inter-site traffic to the ISATAP border routers.
The ISATAP site border routers have a different role than the DirectAccess server that is acting as
a default router for each site. The DirectAccess server configures each ISATAP host within its site
with the 64-bit IPv6 prefix of the ISATAP subnet for the site and a default route that points to the
DirectAccess server. An ISATAP border router advertises the following routes to ISATAP hosts
within its site:
96
• The 64-bit prefix of the site
This provides fault tolerance for ISATAP hosts to configure their ISATAP address in case they
do not receive the router advertisement from the DirectAccess server.
• The 64-bit prefixes of the other sites that are reachable through the ISATAP border router
This provides reachability to the other sites.
ISATAP hosts perform router discovery with all ISATAP routers within their sites (the DirectAccess
server and the ISATAP border routers), resulting in the routes needed to reach the following:
• All the IPv6 destinations within its own site through the site’s 64-bit prefix route, as
received from the DirectAccess server and the ISATAP border routers
• All the IPv6 destinations within the other sites in the organization through site-specific 64-
bit prefix routes, as received from the ISATAP border routers
• DirectAccess clients anywhere on the Internet through the default route, as received from
the DirectAccess server
If your ISATAP border routers have multiple physical interfaces and your intranet backbone is
IPv6-capable, attach an interface of the ISATAP border router to the backbone and configure the
appropriate routes to advertise over the ISATAP border router’s ISATAP interface. The following
figure shows an example.
97
header. With an IPv6-in-IPv4 point-to-point tunnel, you can set up the ISATAP border router
anywhere within the site. The combination of IPv6-in-IPv4 point-to-point tunnels and routes
provides inter-site reachability.
The following figure shows an example of ISATAP border routers within Site 1 and Site 2 that use
an IPv6-in-IPv4 point-to-point tunnel to forward inter-site traffic.
98
Example of using multiple ISATAP border routers between sites
ISATAP routing can be configured using many modern hardware routers. See the documentation
for your router for support and configuration information. A computer running Windows
Server 2008 or later can also act as an ISATAP border router.
99
Intranet DNS records
For a multi-site DirectAccess deployment, you might have to create the following additional DNS
records within each site:
• Address (A) or IPv6 address (AAAA) records for the network location server fully qualified
domain name (FQDN) with the addresses of the site-specific network location server
• A or AAAA records for the intranet certificate revocation list (CRL) distribution point FQDN
with the addresses of the site-specific Web or file servers that host the CRL files
• For each ISATAP site boundary router within the site, an A record for the name ISATAP
with the IPv4 address of an ISATAP boundary router interface that is attached to the local site
You can also create multiple A or AAAA records for the network location server and CRL
distribution points in all your sites and deploy GSLB within your intranet to return the A or AAAA
record for the network location server and CRL distribution point within each site.
NRPT
In a multi-site DirectAccess deployment, DirectAccess clients create infrastructure and intranet
tunnels to the DirectAccess server that is connected to the site containing the destination of the
traffic. To create the infrastructure tunnel to the DirectAccess server for each site and send DNS
query traffic for site-specific resources to site-specific DNS servers, DirectAccess clients must be
configured with Name Resolution Policy Table (NRPT) namespace rules that include the DNS
suffixes of all sites.
For our example, the DirectAccess client Group Policy objects (GPOs) for both Site 1 and Site 2
must be configured with the following namespace rules:
• usa.corp.contoso.com suffix with the IPv6 address of a DNS server in Site 1
• europe.corp.contoso.com suffix with the IPv6 address of a DNS server in Site 2
You can configure the namespace rules for other sites in step 3 of the DirectAccess Setup Wizard
or in the Computer Configuration\Policies\Windows Settings\Name Resolution Policy node
of the GPO for DirectAccess clients.
100
PKI for multi-site DirectAccess
To distribute computer certificates to DirectAccess clients and servers with your public key
infrastructure (PKI), enabling computer certificate autoenrollment for the domains in all sites
containing a DirectAccess server is recommended. You can also use manual enrollment.
101
Certificate requirements for network location certificates
For the network location server SSL certificate with a single network location URL and
organization-wide CRL paths:
• In the Subject field, the FQDN of the single network location URL
• In the Enhanced Key Usage field, the Server Authentication object identifier (OID)
• In the CRL Distribution Points field, the organization-wide CRL distribution points
For the network location server SSL certificate with a single network location URL and per-site
CRL paths:
• In the Subject field, the FQDN of the single network location URL
• In the Enhanced Key Usage field, the Server Authentication OID
• In the CRL Distribution Points field, the site-specific intranet CRL distribution points
102
• In the Subject field, either an IPv4 address of the Internet interface of the site-specific
DirectAccess server or the FQDN (recommended) of the IP-Secure Hypertext Transfer
Protocol (HTTPS) URL
• In the Enhanced Key Usage field, the Server Authentication OID
• In the CRL Distribution Points field, the organization-wide CRL distribution points on the
Internet
For per-site CAs that issue SSL certificates that are installed on DirectAccess servers for IP-
HTTPS connections:
• In the Subject field, either an IPv4 address of the Internet interface of the site-specific
DirectAccess server or the FQDN (recommended) of the IP-HTTPS URL
• In the Enhanced Key Usage field, the Server Authentication OID
• In the CRL Distribution Points field, the site-specific CRL distribution points on the
Internet
Note
A site-specific network location URL with per-site Web servers is not recommended
because it requires either inter-site network location detection traffic or multiple DNS
records and Web servers in each site, one for each site-specific URL.
103
Force tunneling for multi-site DirectAccess
DirectAccess clients configured for force tunneling send all of their Internet traffic through their
DirectAccess server. Force tunneling configuration consists of enabling the Route all traffic
through the internal network Group Policy setting and adding an NRPT rule to send DNS
queries for all names to either a dual protocol (IPv4 and IPv6) proxy server or an IPv6/IPv4
translator and IPv6/IPv4 DNS gateway in front of your IPv4-based proxy server. Because both of
these settings are stored in the Group Policy objects for DirectAccess clients, you can define
force tunneling on a per-site basis.
For our example, you can configure force tunneling behavior for the DirectAccess clients of Site 1
but not for the DirectAccess clients of Site 2. Additionally, you can configure all of your
DirectAccess clients in multiple sites to use a single, common dual protocol proxy server or
IPv6/IPv4 translator and IPv6/IPv4 DNS gateway that are in a specific site. For example, you can
configure force tunneling for both Site 1 and Site 2, but DirectAccess clients from both sites use a
dual protocol proxy server or IPv6/IPv4 translator and IPv6/IPv4 DNS gateway that are located in
Site 1.
104
To ensure that every DirectAccess client from any home site operates properly from the Internet
and when connected to any site, DirectAccess clients must be configured with the connection
security rules for the DirectAccess client GPOs of all sites. Therefore, for the DirectAccess client
GPO of each site, you must add the following connection security rules:
• The infrastructure tunnel rules for all other sites
For each site, you must create rules with different names that have the settings of the
DirectAccess Policy-ClientToDnsDc connection security rules of the other sites.
For our example, you create a connection security rule named DirectAccess Policy-
ClientToDnsDc_Site2 in the DirectAccess client GPO of Site 1 with the settings of the
DirectAccess Policy-ClientToDnsDc connection security rule in the DirectAccess client GPO
of Site 2. You also create a connection security rule named DirectAccess Policy-
ClientToDnsDc_Site1 in the DirectAccess client GPO of Site 2 with the settings of the
DirectAccess Policy-ClientToDnsDc connection security rule in the DirectAccess client GPO
of Site 1.
• The intranet tunnel rules for all other sites
For each site, you must create rules with different names that have the settings of the
DirectAccess Policy-ClientToCorp connection security rules of the other sites.
For our example, you create a connection security rule named DirectAccess Policy-
ClientToCorp_Site2 in the DirectAccess client GPO of Site 1 with the settings of the
DirectAccess Policy-ClientToCorp connection security rule in the DirectAccess client GPO of
Site 2. You also create a connection security rule named DirectAccess Policy-
ClientToCorp_Site1 in the DirectAccess client GPO of Site 2 with the settings of the
DirectAccess Policy-ClientToCorp connection security rule in the DirectAccess client GPO of
Site 1.
• The network location server exemption rules for all other sites
For each site, you must create rules with different names that have the settings of the
DirectAccess Policy-clientToNlaExempt connection security rules of the other sites.
For our example, you create a connection security rule named DirectAccess Policy-
ClientToNlaExempt_Site2 in the DirectAccess client GPO of Site 1 with the settings of the
DirectAccess Policy-ClientToNlaExempt connection security rule in the DirectAccess client
GPO of Site 2. You also create a connection security rule named DirectAccess Policy-
ClientToNlaExempt_Site1 in the DirectAccess client GPO of Site 2 with the settings of the
DirectAccess Policy-ClientToNlaExempt connection security rule in the DirectAccess client
GPO of Site 1.
• The management tunnel rules for all other sites
For each site, you must create rules with different names that have the settings of the
DirectAccess Policy-ClientToMgmt connection security rules of the other sites.
For our example, management servers have been specified for both sites. You create a
connection security rule named DirectAccess Policy-ClientToMgmt_Site2 in the DirectAccess
client GPO of Site 1 with the settings of the DirectAccess Policy-ClientToMgmt connection
security rule in the DirectAccess client GPO of Site 2. You also create a connection security
rule named DirectAccess Policy-ClientToMgmt_Site1 in the DirectAccess client GPO of Site 2
105
with the settings of the DirectAccess Policy-ClientToMgmt connection security rule in the
DirectAccess client GPO of Site 1.
• The selected server transport rules for all other sites
For each site, you must create rules with different names that have the settings of the
DirectAccess Policy-clientToAppServer connection security rules of the other sites.
For our example, selected servers have been specified for both sites. You create a
connection security rule named DirectAccess Policy-clientToAppServer_Site2 in the
DirectAccess client GPO of Site 1 with the settings of the DirectAccess Policy-
clientToAppServer connection security rule in the DirectAccess client GPO of Site 2. You also
create a connection security rule named DirectAccess Policy-clientToAppServer_Site1 in the
DirectAccess client GPO of Site 2 with the settings of the DirectAccess Policy-
clientToAppServer connection security rule in the DirectAccess client GPO of Site 1.
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
You can find DirectAccess product information including overviews, Webcasts, step-by-step
guides, virtual labs, and announcements at http://go.microsoft.com/fwlink/?LinkId=160519.
Also see DirectAccess on Microsoft TechNet (http://go.microsoft.com/fwlink/?LinkID=151854).
For information about how to configure DirectAccess in a test lab, see Step-by-Step Guide:
Demonstrate DirectAccess in a Test Lab (http://go.microsoft.com/fwlink/?Linkid=150613). To learn
how to troubleshoot DirectAccess issues in the DirectAccess test lab, see Step-by-Step Guide:
Troubleshoot DirectAccess in a Test Lab (http://go.microsoft.com/fwlink/?LinkId=181160).
For design, deployment, and troubleshooting information about the DirectAccess with Network
Access Protection (NAP) solution, see DirectAccess with Network Access Protection (NAP).
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
106
Review this section for information about DirectAccess server, DirectAccess client, and network
infrastructure requirements.
Hardware and software requirements for Windows 7-based computers described in this section
apply to both x86 (32-bit) and x64 (64-bit) systems.
Element Requirements
Note
There are no built-in limitations on the
number of simultaneous DirectAccess
connections that a DirectAccess server
can support.
107
Element Requirements
Domain Name System (DNS) server At least one running Windows Server 2008 R2,
Windows Server 2008 with the Q958194 hotfix
(http://go.microsoft.com/fwlink/?LinkID=159951),
Windows Server 2008 SP2 or later, or a third-
party DNS server that supports DNS message
exchanges over the Intra-Site Automatic Tunnel
Addressing Protocol (ISATAP).
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
The DirectAccess solution uses a combination of Internet Protocol version 6 (IPv6) end-to-end
connectivity, Internet Protocol security (IPsec) protection of intranet traffic, separation of Domain
108
Name System (DNS) traffic with the Name Resolution Policy Table (NRPT), and network location
detection that DirectAccess clients use to determine when they are on the intranet. The following
sections describe the role that these technologies have in providing DirectAccess clients with
transparent access to intranet resources.
IPv6
IPv6 is the new version of the Network layer of the TCP/IP protocol stack that is designed to
replace Internet Protocol version 4 (IPv4), which is in wide use today on intranets and the
Internet. IPv6 provides an address space large enough to accommodate end-to-end addressing
of nodes on the IPv6 Internet, and with IPv6 transition technologies, of nodes on the IPv4
Internet. DirectAccess uses this capability to provide end-to-end addressing from DirectAccess
clients on the IPv4 or IPv6 Internet to computers on an intranet.
Because most of the current Internet is IPv4-based and many organizations have not deployed
native IPv6 addressing and routing on their intranets, DirectAccess uses IPv6 transition
technologies to provide IPv6 connectivity over these IPv4-only networks. Teredo, 6to4, Internet
Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS), and the Intra-Site Automatic
Tunnel Addressing Protocol (ISATAP) are examples of IPv6 transition technologies. These
technologies allow you to use IPv6 on the IPv4 Internet and your IPv4-only intranet. IPv6
transition technologies can simplify and reduce the costs of an IPv6 deployment.
6to4
6to4, defined in RFC 3056, is an IPv6 transition technology that provides IPv6 connectivity across
the IPv4 Internet for hosts or sites that have a public IPv4 address. For more information, see
IPv6 Transition Technologies (http://go.microsoft.com/fwlink/?Linkid=117205).
Teredo
Teredo, defined in RFC 4380, is an IPv6 transition technology that provides IPv6 connectivity
across the IPv4 Internet for hosts that are located behind an IPv4 network address translation
(NAT) device and are assigned a private IPv4 address. For more information, see Teredo
Overview (http://go.microsoft.com/fwlink/?Linkid=157322).
IP-HTTPS
IP-HTTPS is a new protocol for Windows 7 and Windows Server 2008 R2 that allows hosts
behind a Web proxy server or firewall to establish connectivity by tunneling IPv6 packets inside
an IPv4-based HTTPS session. HTTPS is used instead of HTTP so that Web proxy servers will
109
not attempt to examine the data stream and terminate the connection. IP-HTTPS is typically used
only if the client is unable to connect to the DirectAccess server using the other IPv6 connectivity
methods or if force tunneling has been configured.
For the details of IP-HTTPS, see the IP over HTTPS (IP-HTTPS) Tunneling Protocol Specification
(http://go.microsoft.com/fwlink/?Linkid=157309).
Note
Notes
ISATAP can also be used to provide IPv6 connectivity when the client is at a remote
location. ISATAP deployments can either connect to the IPv6 Internet or use 6to4 to
transfer IPv6 traffic across the IPv4 Internet.
The DirectAccess test lab (http://go.microsoft.com/fwlink/?Linkid=150613) uses ISATAP
across the simulated intranet.
IPsec
IPsec is a framework of open standards for ensuring private, secure communications over
Internet Protocol (IP) networks through the use of cryptographic security services. IPsec provides
aggressive protection against attacks through end-to-end security. The only computers that must
know about IPsec protection are the sender and receiver in the communication. IPsec provides
the ability to protect communication between workgroups, local area network computers, domain
clients and servers, branch offices (which might be physically remote), extranets, and roaming
clients.
IPsec protection can be used in two different modes: transport mode and tunnel mode. Transport
mode is designed to protect an Internet Protocol (IP) packet payload. Tunnel mode is designed to
protect an entire IP packet. For more information, see IPsec Protocol Types
(http://go.microsoft.com/fwlink/?Linkid=157319).
DirectAccess uses IPsec settings in the form of connection security rules in the Windows Firewall
with Advanced Security snap-in and the Network Shell (Netsh) command-line tool advfirewall
context for peer authentication, data integrity, and data confidentiality (encryption) of
110
DirectAccess connections. Multiple rules can be applied to a computer simultaneously, each
providing a different function. The result of all of these rules working together is a DirectAccess
client that can have protected communications with the DirectAccess server and intranet servers,
encrypting traffic sent over the Internet and optionally protecting traffic from end-to-end.
Note
Windows Server 2003 and earlier versions of Windows Server do not fully support the
use of IPsec with IPv6. IPv6-capable resources on servers running Windows Server 2003
will only be available to DirectAccess clients if you use the full intranet access model.
IPv4-only resources on servers running Windows Server 2003, including most built-in
applications and system services, require an IPv6/IPv4 translator and IPv6/IPv4 DNS
gateway to be available to DirectAccess clients.
Encryption
When a DirectAccess client sends data to the intranet, the traffic is encrypted over the Internet.
For the full intranet and selected server access models, multiple connection security rules
configured on the DirectAccess client defines tunnel mode IPsec settings for communication
between the DirectAccess client and the intranet:
• The first rule for the infrastructure tunnel requires authentication with a computer
certificate and encrypts traffic with IPsec and the Encapsulating Security Payload (ESP). This
rule provides protected communication with Active Directory domain controllers, DNS servers,
and other intranet resources before the user has logged on.
• The second rule for the intranet tunnel requires authentication with a computer certificate
and user-based Kerberos credentials. This rule provides protected communication to intranet
resources after the user has logged on.
For the end-to-edge and selected server access models, termination of IPsec tunnels between
the DirectAccess client and the intranet is done by the IPsec Gateway component on the
DirectAccess server. This component can be located on a separate server with an IPsec offload
network adapter to increase performance.
Data integrity
Data integrity allows the receiving IPsec peer to cryptographically verify that the packet was not
changed in transit. When encrypting data with IPsec, data integrity is also provided. It is possible
to specify data integrity without encryption. This might be helpful in order to mitigate the threat of
spoofing or man-in-the-middle attacks and allow you to ensure that DirectAccess clients are
connecting to their intended servers.
Note
When sensitive data is being transmitted, IPsec with only data integrity should only be
used when some other form of encryption is also implemented. It is possible to have end-
to-end data integrity using transport mode rules while using end-to-edge encryption for
the tunnel mode rules, which is how the selected server access model works.
111
DirectAccess accomplishes data integrity through the use of transport and tunnel mode IPsec
settings. These settings can be applied to DirectAccess clients, DirectAccess servers, or
application servers and provide data integrity by requiring ESP-NULL (recommended) or
Authentication Header (AH) for IPsec-protected communications. Some network infrastructure
devices or traffic monitoring and inspection solutions might not be able to parse packets with an
IPsec ESP or AH header. In this case, you can use authentication with null encapsulation to
perform IPsec peer authentication, but no per-packet data integrity.
112
NRPT exemptions
There are some names that need to be treated differently from all others with regards to name
resolution; these names must not be resolved using intranet DNS servers. To ensure that these
names are resolved with interface-configured DNS servers, you must add them as NRPT
exemptions.
If no DNS server addresses are specified in the NRPT rule, the rule is an exemption. If a DNS
name matches a rule in the NRPT that does not contain addresses of DNS servers or does not
match a rule in the NRPT, the DirectAccess client sends the name query to interface-configured
DNS servers.
If any of the following servers have a name suffix that matches an NRPT rule for the intranet
namespace, that server name must be an NRPT exemption:
• Network location servers
• Intranet certificate revocation list (CRL) distribution points
• System health remediation servers
These servers must always be resolved with interface-configured DNS servers.
Note
113
at each branch location to ensure that the Web site remains accessible even in the event of a link
failure.
Notes
Just like the URL for the network location server, the FQDN in the URL or the universal
naming convention (UNC) path for the CRL distribution point should either match an
exemption rule or no rules in the NRPT so that the DirectAccess client can use normal
name resolution and interface-configured intranet DNS servers to resolve the name. If the
DirectAccess client cannot resolve the FQDN for the CRL distribution point, intranet
location detection fails.
The DirectAccess test lab (http://go.microsoft.com/fwlink/?Linkid=150613) uses APP1, a
separate application server, as the network location server and the network location URL
https://nls.corp.contoso.com. The SSL certificate on APP1 has the CRL distribution point
http://crl.contoso.com/crld/corp-DC1-CA.crl, which for ease of configuration is hosted on
DA1, the DirectAccess server. To demonstrate network location detection, do the
following:
1. Connect CLIENT1 to the Internet subnet.
2. Open a Command Prompt.
3. From the Command Prompt window, run the netsh dnsclient show state command.
Notice that the Machine Location field states Outside corporate network.
114
4. Run the netsh namespace show effectivepolicy command.
Notice that there are two active NRPT rules: A namespace rule for corp.contoso.com and an
exemption rule for nls.corp.contoso.com.
5. Disconnect CLIENT1 from the Internet subnet and connect it to the Corpnet subnet.
6. From the Command Prompt window, run the netsh dnsclient show state command.
Notice that the Machine Location field states Inside corporate network.
7. Run the netsh namespace show effectivepolicy command.
Notice that there are now no active NRPT rules.
This topic describes design considerations for DirectAccess in Windows Server 2008 R2.
For the design considerations of DirectAccess in Microsoft Forefront Unified Access
Gateway (UAG), see the Forefront UAG DirectAccess Design Guide
(http://go.microsoft.com/fwlink/?LinkId=179988).
Documenting your DirectAccess design will help you explain the infrastructure and policy
decisions and record the results of the deployment phases of the project. You can use the
following sections to create a document with your goals and proposed timeline, and you can add
to these sections at the end of each phase of your DirectAccess deployment.
Concepts
Provide a brief description of how DirectAccess works or use the following description:
DirectAccess gives users the experience of being seamlessly connected to their corporate
network (intranet) any time they have Internet access. With DirectAccess, users are able to
access intranet resources (such as e-mail servers, shared folders, or intranet Web sites)
securely without connecting to a virtual private network (VPN). DirectAccess provides
increased productivity for mobile workforce by offering the same connectivity experience both
in and outside of the office. DirectAccess is on whenever the user has an Internet connection,
giving users access to intranet resources whether they are traveling, at the local coffee shop,
or at home. DirectAccess is supported by Windows 7 Ultimate or later, Windows 7 Enterprise
or later, and Windows Server 2008 R2 or later.
Goals
List your reasons for deploying DirectAccess and state how your design plan will achieve these
goals. Also provide the following:
115
• Benefits. Describe the pre-deployment state of the network and the benefits you expect
to see as a result of the DirectAccess deployment.
• Requirements. List what is required to achieve your goals. Examples include operating
system updates, equipment purchases, training, cross-team collaboration, and project
schedules.
• Progress. Describe your current progress.
For more information, see Identifying Your DirectAccess Deployment Goals.
Integration strategy
Describe your design for integrating DirectAccess with the following technologies and solutions:
• VPN. Describe the changes made to your VPN configuration to accommodate
DirectAccess detection of the intranet when connected and for third-party VPN clients.
116
• NAP. Describe the changes to DirectAccess settings and connection security rules for
Network Access Protection (NAP) health evaluation and enforcement of DirectAccess
connections.
• Server and domain isolation. Describe changes made to your existing server and
domain isolation deployment to accommodate DirectAccess client connectivity to intranet
resources.
Staging strategy
Describe how you staged the deployment of DirectAccess in your organization. Include the
following information:
• Staging milestones. List the set of infrastructure and deployment milestones and their
requirements.
• Timeline. Provide details of your proposed timeline to deploy DirectAccess on your
intranet. Include your initial timeline and any deviation from that timeline.
• Staging results. Provide the results for each stage of your DirectAccess deployment.
• Trends. Describe any trends in connectivity issues encountered.
Lessons learned
Use this section to describe problems that were encountered and solutions that were
implemented during your DirectAccess deployment.
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
DirectAccess is one of the most anticipated features of the Windows 7 and Windows
Server 2008 R2 operating systems. DirectAccess allows remote users to securely access intranet
shares, Web sites, and applications without connecting to a virtual private network (VPN).
DirectAccess establishes bi-directional connectivity with a user’s intranet every time a user’s
DirectAccess-enabled portable computer connects to the Internet, even before the user logs on.
Users never have to think about connecting to the intranet, and IT administrators can manage
remote computers outside the office, even when the computers are not connected to the VPN.
DirectAccess is supported by Windows 7 Enterprise, Windows 7 Ultimate, and Windows
Server 2008 R2.
117
About this guide
This guide is intended for use by system administrators and system engineers. It provides
detailed instructions for deploying a DirectAccess design that has been preselected by you or an
infrastructure specialist or system architect in your organization. If your organization has not yet
selected a design, see the DirectAccess Design Guide. You can then use this guide to deploy
DirectAccess in your production environment.
This guide provides steps for deploying the following primary DirectAccess access methods:
1. Full intranet access
2. Selected server access
3. End-to-end access
This guide also provides steps for deploying the following additional DirectAccess configurations:
1. DirectAccess with Network Access Protection (NAP)
2. Using Hyper-V to provide redundancy
3. Adding capacity by moving the Internet Protocol security (IPsec) gateway function to
another server
Use the checklists in Implementing Your DirectAccess Design Plan to determine how best to use
the instructions in this guide to deploy your particular design. For information about hardware and
software requirements for deploying DirectAccess, see Appendix A: DirectAccess Requirements
in the DirectAccess Design Guide.
This guide, combined with the DirectAccess Design and Troubleshooting Guides, is also available
as a Microsoft Word file (http://go.microsoft.com/fwlink/?LinkId=163662) in the Microsoft
Download Center.
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
After you collect information about your environment and decide on a DirectAccess design by
following the guidance in the DirectAccess Design Guide, you can begin to plan the deployment
of your organization's DirectAccess design. With the completed DirectAccess design and the
information in this topic, you can determine which tasks to perform to deploy DirectAccess in your
organization.
118
Reviewing your DirectAccess design
If the design team that constructed the original DirectAccess design for your organization is
different from the deployment team that will implement the design, make sure that the deployment
team reviews all final decisions with the design team. Review the following points regarding your
DirectAccess design:
• Evaluate the design team's strategy to determine the best physical topology for the
placement of DirectAccess servers in your corporate network by reviewing the following
topics in the DirectAccess Design Guide:
• Planning the Placement of a DirectAccess Server
• Planning the Placement of a Network Location Server
• Planning the Placement of CRL Distribution Points
• It is possible that the design team might leave the subject of DirectAccess server
placement for the deployment team. The deployment team is then responsible for
documenting and implementing the physical topology of DirectAccess and dependent
servers. The deployment team can review the preceding topics and also the DirectAccess
Capacity Planning and Appendix A: DirectAccess Requirements topics in the DirectAccess
Design Guide to help determine the number of servers and the hardware requirements for the
organization.
• Ensure that members of the deployment team understand the reasons the selected
DirectAccess design is being deployed and how client and server computers will be affected.
Ensure that members of the deployment team also understand the stages of the
DirectAccess deployment and what decisions govern when to advance from one deployment
stage to the next. For more information, see Planning a DirectAccess Deployment Strategy.
After the design teams and deployment teams agree on these issues, they can proceed with the
deployment of the DirectAccess design. For more information, see Implementing Your
DirectAccess Design Plan.
119
Implementing Your DirectAccess Design Plan
Important
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
Consider the following factors before you implement your design plan:
• Staging strategy You can also use small-scale pilot or lab deployments to become
familiar with DirectAccess processes, update your infrastructure, and refine your criteria for
compliance. For more information about the phases of a DirectAccess deployment, see
Checklist: Staging a DirectAccess Deployment.
• Server placement A DirectAccess server infrastructure includes DirectAccess servers,
network location servers, and CRL distribution points. For more information about planning
placement, load balancing, and redundancy for these servers, see the DirectAccess Design
Guide.
• Documenting your DirectAccess deployment Documenting your DirectAccess
deployment helps you to set clear goals and record whether these goals are met. For more
information, see Appendix C: Documenting Your DirectAccess Design.
120
Use the following checklist to become familiar with the options for staging a DirectAccess
deployment in your organization:
• Checklist: Staging a DirectAccess Deployment
Use the following checklist to become familiar with the deployment tasks to prepare your
infrastructure for DirectAccess:
• Checklist: Preparing Your Infrastructure for DirectAccess
Use the following checklist to become familiar with preparing your DirectAccess server prior to
configuring the DirectAccess feature for your organization's DirectAccess access model:
• Checklist: Preparing Your DirectAccess Server
Use the following checklists to become familiar with the deployment tasks when implementing
your organization's access model:
• Checklist: Implementing a DirectAccess Design for Full Intranet Access
• Checklist: Implementing a DirectAccess Design for Selected Server Access
• Checklist: Implementing a DirectAccess Design for End-to-End Access
Use the following checklists to become familiar with the deployment tasks for implementing
optional DirectAccess configuration options:
• Checklist: Implementing a Redundant DirectAccess Design
121
• Checklist: Configuring Network Access Protection (NAP) with DirectAccess
• Checklist: Moving the IPsec Gateway to Another Server
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
This checklist includes cross-reference links to important concepts about staging your
DirectAccess deployment. Perform these tasks after you have completed lab testing of
DirectAccess. For instructions to configure DirectAccess in a test lab, see Test Lab Guide:
Demonstrate DirectAccess (http://go.microsoft.com/fwlink/?Linkid=150613).
Note
Complete the tasks in this checklist in order. When a reference link takes you to a
conceptual topic, a procedure, or to another checklist, return to this topic so that you can
proceed with the remaining tasks in this checklist.
Checklist: Staging a DirectAccess deployment
Task Reference
122
Task Reference
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
This checklist includes cross-reference links to help you prepare your network and security
infrastructure for a DirectAccess deployment. It also contains links to procedures that will help
you complete the tasks that are required to implement this design.
Note
Complete the tasks in this checklist in order. When a reference link takes you to a
conceptual topic, a procedure, or to another checklist, return to this topic so that you can
proceed with the remaining tasks in this checklist.
Checklist: Preparing your infrastructure for DirectAccess
Task Reference
123
Task Reference
124
Task Reference
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
This checklist includes cross-reference links to important concepts about preparing the computer
that will be the DirectAccess server prior to installing the DirectAccess feature and running the
DirectAccess Setup Wizard. It also contains links to procedures that will help you complete the
tasks that are required to implement this design.
Note
Complete the tasks in this checklist in order. When a reference link takes you to a
conceptual topic, a procedure, or to another checklist, return to this topic so that you can
proceed with the remaining tasks in this checklist.
Checklist: Preparing Your DirectAccess Server
Task Reference
125
Task Reference
Configure static routes for Design Addressing and Routing for the
your intranet on the DirectAccess Server
DirectAccess server.
127
Checklist: Implementing a DirectAccess
Design for Full Intranet Access
Important
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
This checklist includes cross-reference links to important concepts about deploying DirectAccess
in the full intranet access model. It also contains links to procedures and other checklists that will
help you complete the tasks that are required to implement this design.
Note
Complete the tasks in this checklist in order. When a reference link takes you to a
conceptual topic, a procedure, or to another checklist, return to this topic so that you can
proceed with the remaining tasks in this checklist.
Checklist: Implementing a DirectAccess design for full intranet access
Task Reference
129
Checklist: Implementing a DirectAccess
Design for Selected Server Access
Important
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
This checklist includes cross-reference links to important concepts about deploying DirectAccess
in the selected server access model. It also contains links to procedures and other checklists that
will help you complete the tasks that are required to implement this design.
Note
Complete the tasks in this checklist in order. When a reference link takes you to a
conceptual topic, a procedure, or to another checklist, return to this topic so that you can
proceed with the remaining tasks in this checklist.
Checklist: Implementing a DirectAccess design for selected server access
Task Reference
130
Task Reference
131
Checklist: Implementing a DirectAccess
Design for End-to-End Access
Important
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
This checklist includes cross-reference links to important concepts about deploying DirectAccess
in the end-to-end access model. It also contains links to procedures and other checklists that will
help you complete the tasks that are required to implement this design.
Note
Complete the tasks in this checklist in order. When a reference link takes you to a
conceptual topic, a procedure, or to another checklist, return to this topic so that you can
proceed with the remaining tasks in this checklist.
Checklist: Implementing a DirectAccess design for end-to-end access
Task Reference
132
Task Reference
end-to-end access.
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
This checklist includes cross-reference links to important concepts about deploying a redundant
design DirectAccess with Hyper-V. It also contains links to procedures and other checklists that
will help you complete the tasks that are required to implement this design.
133
Note
Complete the tasks in this checklist in order. When a reference link takes you to a
conceptual topic, a procedure, or to another checklist, return to this topic so that you can
proceed with the remaining tasks in this checklist.
Checklist: Implementing a redundant DirectAccess design
Task Reference
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
134
This checklist includes cross-reference links to important concepts about deploying Network
Access Protection (NAP) with DirectAccess. It also contains links to procedures and other
checklists that will help you complete the tasks that are required to implement this design.
Note
Complete the tasks in this checklist in order. When a reference link takes you to a
conceptual topic, a procedure, or to another checklist, return to this topic so that you can
proceed with the remaining tasks in this checklist.
Checklist: Configuring NAP with DirectAccess
Task Reference
135
Checklist: Moving the IPsec Gateway to
Another Server
This checklist includes cross-reference links to important concepts about adding capacity to your
DirectAccess deployment by moving the Internet Protocol security (IPsec) gateway function to
another server when you are using the full intranet or selected server access models. It also
contains links to procedures and other checklists that will help you complete the tasks that are
required to implement this design.
Note
Complete the tasks in this checklist in order. When a reference link takes you to a
conceptual topic, a procedure, or to another checklist, return to this topic so that you can
proceed with the remaining tasks in this checklist.
Checklist: Moving the IPsec gateway to another server
Task Reference
136
Procedures Used in this Guide
Important
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
The procedures in this section appear in the checklists of this guide. They should be used within
the context of the checklists in which they appear. They are presented here in alphabetical order.
• Configure a CRL Distribution Point for Certificates
• Configure Active Directory Certificate Services for CRL Locations
• Configure Client Authentication and Certificate Mapping for IP-HTTPS Connections
• Configure Computer Certificate Autoenrollment
• Configure Connection Security Rules for End-to-end Access
• Configure Connection Security Rules for Traffic Between DirectAccess Clients
• Configure Corporate Connectivity Detection Settings
• Configure DirectAccess Connection Security Rules for NAP
• Configure Firewall Rules to Prevent Traffic between Proxy Servers and DirectAccess
Servers
• Configure Force Tunneling for DirectAccess Clients
• Configure IIS for Network Location
• Configure Packet Filters to Allow ICMP Traffic
• Configure Packet Filters to Allow Management Traffic to DirectAccess Clients
• Configure Packet Filters to Block Access to Domain Controllers
• Configure Permissions on the Web Server Certificate Template
• Configure Settings to Confine ICMPv6 Traffic to the Intranet
• Configure Strong Certificate Revocation Checking for IPsec Authentication
• Configure the DirectAccess Server as the Network Location Server
• Configure the DirectAccess IPsec Gateway on a Different Server
• Configure the DirectAccess Setup Wizard for End-to-End Access
• Configure the DirectAccess Setup Wizard for Full Intranet Access
• Configure the DirectAccess Setup Wizard for Selected Server Access
• Configure the NRPT for an IPv6/IPv4 DNS Gateway
• Configure the NRPT with Group Policy
• Connect to the IPv6 Internet
• Create DirectAccess Groups in Active Directory
• Install a Network Location Server Certificate on the DirectAccess Server
• Install an IP-HTTPS Certificate
137
• Install and Configure IIS for a Network Location Server Certificate
• Install the DirectAccess Feature
• Remove ISATAP from the DNS Global Query Block List
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
To add intranet servers that are available to DirectAccess clients prior to user logon, you can add
them as management servers with the DirectAccess Setup Wizard (recommended) or add their
Internet Protocol version 6 (IPv6) addresses to the list of permitted endpoints for the infrastructure
or management tunnel with the Netsh.exe tool, depending on whether you are managing a
customized DirectAccess deployment and can run the DirectAccess Setup Wizard without
modifying one or more custom settings. For more information, see Design for Intranet Server
Availability Prior to User Logon.
To complete these procedures, you must be a member of the local Administrators group, or
otherwise be delegated permissions to create and apply the configuration of the DirectAccess
Setup Wizard or modify Group Policy settings. Review details about using the appropriate
accounts and group memberships at Local and Domain Default Groups
(http://go.microsoft.com/fwlink/?LinkId=83477).
To make intranet servers available to DirectAccess clients before user logon using the
DirectAccess Setup Wizard
1. Click Start, click Run, type damgmt.msc, and then press ENTER.
2. In the console tree, click Setup.
3. In the details pane, click Configure for step 3.
4. On the Location page, click Next.
5. On the DNS and Domain Controller page, click Next.
6. On the Management page, right-click the empty row, and then click New.
7. In the IPv4 Address dialog box, specify either the host name or IPv4 address of the
intranet server, and then click OK. In the IPv6 Address/Prefix dialog box, specify either
the host name or IPv6 address or prefix of the intranet server, and then click OK.
8. Repeat steps 6 and 7 for additional intranet servers.
9. Click Finish.
10. Click Save, and then click Finish.
138
11. In the DirectAccess Review dialog box, click Apply. In the DirectAccess Policy
Configuration message box, click OK.
To make intranet servers available to DirectAccess clients before user logon using the
Netsh.exe tool and the management tunnel
1. On a domain controller, start a command prompt as an administrator.
2. From the Command Prompt window, run the netsh –c advfirewall command.
3. From the netsh advfirewall prompt, run the set store
gpo=”DomainName\DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}”
command.
4. From the netsh advfirewall prompt, run the consec show rule
name=“DirectAccess Policy-ClientToMgmt” command.
5. From the display of the consec show rule command, note the IPv6 addresses for
Endpoint2.
6. From the netsh advfirewall prompt, run the consec set rule “DirectAccess Policy-
ClientToMgmt” new
endpoint2=ExistingIPv6Addresses,ListOfAdditionalServerIPv6Addresses command,
where ExistingIPv6Addresses is the comma-separated list of IPv6-addresses from step
5.
7. From the netsh advfirewall prompt, run the set store
gpo=”DomainName\DirectAccess Policy-{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300}"
command.
8. From the netsh advfirewall prompt, run the consec set rule “DirectAccess Policy-
DaServerToMgmt” new
endpoint1=ExistingIPv6Addresses,ListOfAdditionalServerIPv6Addresses command.
To make intranet servers available to DirectAccess clients before user logon using the
Netsh.exe tool and the infrastructure tunnel
1. On a domain controller, start a command prompt as an administrator.
2. From the Command Prompt window, run the netsh –c advfirewall command.
3. From the netsh advfirewall prompt, run the set store
gpo=”DomainName\DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}”
command.
4. From the netsh advfirewall prompt, run the consec show rule
name=“DirectAccess Policy-ClientToDnsDc” command.
5. From the display of the consec show rule command, note the IPv6 addresses for
Endpoint2.
6. From the netsh advfirewall prompt, run the consec set rule “DirectAccess Policy-
ClientToDnsDc” new
endpoint2=ExistingIPv6Addresses,ListOfAdditionalServerIPv6Addresses command,
where ExistingIPv6Addresses is the comma-separated list of IPv6-addresses from step
5.
7. From the netsh advfirewall prompt, run the set store
139
gpo=”DomainName\DirectAccess Policy-{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300}"
command.
8. From the netsh advfirewall prompt, run the consec set rule “DirectAccess Policy-
DaServerToDnsDc” new
endpoint1=ExistingIPv6Addresses,ListOfAdditionalServerIPv6Addresses command.
DirectAccess clients and servers update their connection security rules in the next update of
computer configuration Group Policy.
If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to
return to the checklist.
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
To successfully authenticate an Internet Protocol over Secure Hypertext Transfer Protocol (IP-
HTTPS)-based connection, DirectAccess clients must be able to check for certificate revocation
of the secure sockets layer (SSL) certificate submitted by the DirectAccess server. To
successfully perform intranet detection, DirectAccess clients must be able to check for certificate
revocation of the SSL certificate submitted by the network location server. This procedure
describes how to do the following:
• Create a Web-based certificate revocation list (CRL) distribution point using Internet
Information Services (IIS)
• Configure permissions on the CRL distribution shared folder
• Publish the CRL in the CRL distribution shared folder
To complete these procedures, you must be delegated permissions to configure IIS, file sharing
permissions on a shared folder, and Active Directory Certificate Services (AD CS).
In this procedure, you create and configure a Web site to contain the CRL files.
140
CRLD).
5. In Physical path, click the ellipsis (…).
6. Click the appropriate drive, and then click Make New Folder.
7. Type the name of a folder that will contain the CRL distribution list files (example:
CRLDist), press ENTER, and then click OK twice.
8. In the contents pane, double-click Directory Browsing.
9. In the Actions pane, click Enable.
10. In the console tree, click the new site name folder.
11. In the contents pane, double-click Configuration Editor.
12. In Section, open system.webServer\security\requestFiltering.
13. In the contents pane, double-click allowDoubleEscaping to change it from False to
True.
14. In the Actions pane, click Apply.
In this procedure, you configure the permissions on the CRL distribution file share so that the
certification authority (CA) can write CRL files.
141
To publish the CRL
1. On the computer running AD CS, click Start, point to Administrative Tools, and then
click Certification Authority.
2. In the console tree, double-click the CA name, right-click Revoked Certificates, point
to All Tasks, and then click Publish.
3. If prompted, click New CRL, and then click OK.
4. Click Start, type \\IisServer\SharedFolder$, and then press ENTER.
5. In the SharedFolder$ window, you should see two CRL files named CAName and
CAName+.
If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to
return to the checklist.
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
If you are using Active Directory Certificate Services, you must configure the certification authority
(CA) that issues the Secure Sockets Layer (SSL) certificates to the network location server and
the DirectAccess server with additional certificate revocation list (CRL) distribution settings.
These settings are required so that DirectAccess clients can perform certificate revocation
checking for SSL certificates of the network location server (when located on the intranet) and the
DirectAccess server (for Internet Protocol over Secure Hypertext Transfer Protocol [IP-HTTPS]-
based connections).
Prior to this procedure, you should have determined the following:
1. The uniform resource locator (URL) or universal naming convention (UNC) path for the
CRL distribution point that is accessible from the intranet for the SSL certificate needed for
network location detection.
2. The URL or UNC path for the CRL distribution point that is accessible from the Internet
for the SSL certificate needed by the DirectAccess server for IP-HTTPS connections.
3. The UNC path for the shared folder that will contain the CRL files written by the CA.
Note
The computer account of the CA must have read and write permissions to the folder
corresponding to the shared folder that will contain the CRL files.
142
To complete these procedures, you must be a member of the Domain Administrators group, or
otherwise be delegated permissions to change global settings on an AD CS-based CA. Review
details about using the appropriate accounts and group memberships at Local and Domain
Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
The following procedure is for configuring a single CRL distribution point for issued certificates
and to configure a single corresponding location to store the CRL files. If you are using the same
URL or UNC path for both your intranet and Internet CRL location, you only need to perform this
procedure once. If you are using different locations for the intranet and Internet CRL distribution
points, perform this procedure twice on the appropriate CA.
143
Configure Client Authentication and
Certificate Mapping for IP-HTTPS
Connections
Important
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
This procedure helps mitigate possible security issues for Internet Protocol over Secure Hypertext
Transfer Protocol (IP-HTTPS)-connected DirectAccess clients.
To complete these procedures, you must be a member of the local Administrators group, or
otherwise be delegated permissions to configure HTTPS settings. Review details about using the
appropriate accounts and group memberships at Local and Domain Default Groups
(http://go.microsoft.com/fwlink/?LinkId=83477).
To configure client authentication and certificate mapping for the IP-HTTPS certificate
1. On the DirectAccess server, start a command prompt as an administrator.
2. From the Command Prompt window, type the certutil –store my command.
3. From the output of the Certutil.exe tool, find the certificate that is being used for IP-
HTTPS authentication and note the Cert Hash(sha1) field.
4. From the Command Prompt window, type the netsh http add sslcert
ipport=IPHTTPSPublicIPv4Address:443 certhash=HashofDA_IPHTTPSCert
appid={00112233-4455-6677-8899-AABBCCDDEEFF} dsmapperusage=enable
command.
• IPHTTPSPublicIPv4Address is the public IPv4 address that the DirectAccess
server is listening on for incoming IP-HTTPS connections. You can obtain this
address from the URL in the display of the netsh interface httpstunnel show
interfaces command. IPHTTPSPublicIPv4Address is either the Internet Protocol
version 4 (IPv4) address in the uniform resource locator (URL) or the IPv4 address to
which the fully qualified domain name (FQDN) in the URL resolves on the Internet.
IPHTTPSPublicIPv4Address can also be set to 0.0.0.0.
• HashofDA_IPHTTPSCert is the certificate hash from step 3, a 20-byte
hexadecimal number, with the spaces removed.
Note
144
If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to
return to the checklist.
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
The default connection security rules use a computer certificate for Internet Protocol security
(IPsec) peer authentication. This requires a certificate on DirectAccess clients, DirectAccess
servers, and selected servers with either the Client Authentication or IP Security IKE Intermediate
object identifier (OID). The easiest way to deploy certificates containing the Client Authentication
OID to both DirectAccess clients and servers is to configure certificate autoenrollment for the
built-in Computer Certificate template.
To complete these procedures, you must be a member of the Domain Administrators group, or
otherwise be delegated permissions to change Group Policy settings. Review details about using
the appropriate accounts and group memberships at Local and Domain Default Groups
(http://go.microsoft.com/fwlink/?LinkId=83477).
145
Configure Connection Security Rules for
End-to-end Access
Important
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
After you have used the DirectAccess Setup Wizard to create a base configuration for selected
server access, you must manually modify the connection security rules to require end-to-end
IPsec peer authentication and encryption between the DirectAccess client and intranet resources.
You can configure these rules for the following:
• Encryption is required between DirectAccess clients and intranet resources only when
the DirectAccess client is on the Internet (no encryption when the DirectAccess client is on
the intranet).
• Encryption is always required between DirectAccess clients and intranet resources
(encryption when the DirectAccess client is on the intranet or the Internet).
Because the default connection security rules contain settings that are not configurable with the
Windows Firewall with Advanced Security snap-in, you must modify the connection security rules
with commands in the netsh advfirewall consec context.
To complete these procedures, you must be a member of the Domain Administrators group, or
otherwise be delegated permissions to change Group Policy settings. Review details about using
the appropriate accounts and group memberships at Local and Domain Default Groups
(http://go.microsoft.com/fwlink/?LinkId=83477).
In this procedure, you configure end-to-end access connection security rules to require encryption
only when DirectAccess clients are on the Internet.
146
consec set rule name=”DirectAccess Policy-ClientToDnsDc” new
exemptipsecprotectedconnections=yes
consec set rule name=”DirectAccess Policy-ClientToMgmt” new
exemptipsecprotectedconnections=yes
set store gpo="DomainName\DirectAccess Policy-{ab991ef0-6fa9-4bd9-bc42-
3c397e8ad300}”
consec set rule name=”DirectAccess Policy-DaServerToMgmt” new
exemptipsecprotectedconnections=yes
consec set rule name=”DirectAccess Policy-DaServerToCorp” new
exemptipsecprotectedconnections=yes
consec set rule name=”DirectAccess Policy-DaServerToDnsDc” new
exemptipsecprotectedconnections=yes
set store gpo=”DomainName\DirectAccess Policy-{f7b77f47-7c33-4d8c-bb9a-
a913c5675d8d}”
consec set rule name=”DirectAccess Policy-appServerToIpHttpsClientPolicy” new
qmsecmethods=”ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-
AES128+60min+100000kb”
consec set rule name=”DirectAccess Policy-appServerToClient” new
qmsecmethods=”ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-
AES128+60min+100000kb”
In this procedure, you configure end-to-end access connection security rules to always require
encryption.
147
3c397e8ad300}”
consec set rule name=”DirectAccess Policy-DaServerToMgmt” new
exemptipsecprotectedconnections=yes
consec set rule name=”DirectAccess Policy-DaServerToCorp” new
exemptipsecprotectedconnections=yes
consec set rule name=”DirectAccess Policy-DaServerToDnsDc” new
exemptipsecprotectedconnections=yes
set store gpo=”DomainName\DirectAccess Policy-{f7b77f47-7c33-4d8c-bb9a-
a913c5675d8d}”
consec set rule name=”DirectAccess Policy-appServerToIpHttpsClientPolicy” new
endpoint2=any qmsecmethods=”ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-
AES128+60min+100000kb”
consec set rule name=”DirectAccess Policy-appServerToClient” new
endpoint2=any qmsecmethods=”ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-
AES128+60min+100000kb”
If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to
return to the checklist.
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
To protect the traffic sent between DirectAccess clients, you must configure additional connection
security rules.
To complete these procedures, you must be a member of the Domain Administrators group, or
otherwise be delegated permissions to change Group Policy settings. Review details about using
the appropriate accounts and group memberships at Local and Domain Default Groups
(http://go.microsoft.com/fwlink/?LinkId=83477).
148
command.
4. To exempt the traffic between DirectAccess clients and intranet resources when the
DirectAccess clients are connected to the intranet, from the netsh advfirewall prompt,
run the consec add rule name=RuleName endpoint1=IntranetIPv6Prefix
endpoint2=IntranetIPv6Prefix action=noauthentication profile=domain,public,private
command.
5. To create an inbound firewall rule for an application that needs to accept unsolicited
inbound connection requests, from the netsh advfirewall prompt, run the firewall add
rule name=RuleName profile=public,private program=system action=allow
security=authenc protocol=Protocol localport=Port command.
For example, to create an inbound firewall rule for Remote Desktop traffic, run the
firewall add rule name=RemoteDesktop profile=public,private program=system
action=allow security=authenc protocol=tcp localport=3389 command.
6. To request protection of traffic between DirectAccess clients for all applications, from
the netsh advfirewall prompt, run the consec add rule name=RuleName
endpoint1=any endpoint2=any action=requestinrequestout profile=public,private
auth1=computercert auth1ca=CANameString command.
7. To require protection of traffic between DirectAccess clients for all applications, from
the netsh advfirewall prompt, run the consec add rule name=RuleName
endpoint1=any endpoint2=any action=requireinrequestout profile=public,private
auth1=computercert auth1ca=CANameString command.
If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to
return to the checklist.
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
You need to configure the Corporate Website Probe URL and Corporate Site Prefix List Group
Policy settings for the Group Policy object for DirectAccess clients so that they can correctly
determine corporate (intranet) network access.
To complete these procedures, you must be a member of the Domain Administrators group, or
otherwise be delegated permissions to configure Group Policy settings. Review details about
using the appropriate accounts and group memberships at Local and Domain Default Groups
(http://go.microsoft.com/fwlink/?LinkId=83477).
149
To configure the NRPT with Group Policy
1. On a domain controller, click Start, click Run, type gpmc.msc, and then press
ENTER.
2. In the console tree, open the domain.
3. In the console tree, right-click the DirectAccess Policy-{3491980e-ef3c-4ed3-b176-
a4420a810f12} Group Policy object, and then click Edit.
4. In the console tree of the Group Policy Management Editor, open Computer
Configuration\Policies\Administrative Templates\Network\Network Connectivity
Status Indicator, and then double-click Corporate Website Probe URL in the details
pane.
5. Click Enabled.
6. In Corporate Website Probe URL, type the uniform resource locator (URL) of a
highly available intranet Web server that is available to any computer connected to the
intranet, either through a local area network (LAN) connection (such as wired or wireless)
or DirectAccess.
Note
This URL is different that the network location server URL, which is designed to
be accessible only from a computer connected to the intranet through a LAN
connection.
7. Click Apply, and then click OK.
8. Start a command prompt as an administrator.
9. From the Command Prompt window, run the netsh –c advfirewall command.
10. From the netsh advfirewall prompt, run the set store
gpo=”DomainName\DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}”
command.
11. From the netsh advfirewall prompt, run the consec show rule
name=“DirectAccess Policy-ClientToDnsDc”command.
12. From the display of the consec show rule command, note the IPv6 address
expressed as a range for Endpoint2.
13. In the details pane of the Group Policy Management Editor, double-click Corporate
Site Prefix List in the details pane.
14. In Corporate Site Prefix List, type a comma, and then the IPv6 address for
Endpoint2 with /128. For example, for the Endpoint2 IPv6 address 2002:836b:2::836b:2,
type 2002:836b:2::836b:2/128.
15. Click Apply, and then click OK.
If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to
return to the checklist.
150
Configure DirectAccess Connection Security
Rules for NAP
Important
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
Configuring DirectAccess with Network Access Protection (NAP) consists of the following:
• Adding the Health Registration Authorities (HRAs) and remediation servers on your
intranet to the list of management servers.
• If you are using NAP full enforcement, configuring the intranet tunnel connection security
rule on the DirectAccess server to require health certificates for authentication.
To complete these procedures, you must be a member of the Domain Administrators group, or
otherwise be delegated permissions to change Group Policy settings. Review details about using
the appropriate accounts and group memberships at Local and Domain Default Groups
(http://go.microsoft.com/fwlink/?LinkId=83477).
The following procedure uses the DirectAccess Setup Wizard to add your HRAs and remediation
servers to the list of management servers.
To add HRAs and remediation servers as management servers using the DirectAccess
Setup Wizard
1. Click Start, click Run, type damgmt.msc, and then press ENTER.
2. In the console tree, click Setup.
3. In the details pane, click Configure for step 3.
4. On the Location page, click Next.
5. On the DNS and Domain Controller page, click Next.
6. On the Management page, right-click the empty row, and then click New.
7. In the IPv4 Address dialog box, specify either the host name or Internet Protocol
version 4 (IPv4) address of the HRA or remediation server, and then click OK. In the IPv6
Address/Prefix dialog box, specify either the host name or Internet Protocol version 6
(IPv6) address or prefix of the HRA or remediation server, and then click OK.
8. Repeat steps 6 and 7 for additional servers.
9. Click Finish.
10. Click Save, and then click Finish.
11. In the DirectAccess Review dialog box, click Apply. In the DirectAccess Policy
Configuration message box, click OK.
151
The following procedure uses Netsh.exe commands to modify the connection security rules for
the management tunnel to allow DirectAccess clients to access the HRAs and remediation
servers on the intranet.
Note
Before performing this procedure, you must determine the list of IPv6 addresses for the
HRAs and remediation servers on your intranet.
To add HRAs and remediation servers as management servers using the Netsh.exe tool
1. On a domain controller, start a command prompt as an administrator.
2. From the Command Prompt window, run the netsh –c advfirewall command.
3. From the netsh advfirewall prompt, run the set store
gpo=”DomainName\DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}”
command.
This is the Group Policy object (GPO) for DirectAccess clients.
4. From the netsh advfirewall prompt, run the consec show rule
name=“DirectAccess Policy-ClientToMgmt” command.
5. From the display of the consec show rule command, note the IPv6 addresses for
Endpoint2.
6. From the netsh advfirewall prompt, run the consec set rule “DirectAccess Policy-
ClientToMgmt” new
endpoint2=ExistingIPv6Addresses,ListOfAdditionalServerIPv6Addresses command,
where ExistingIPv6Addresses is the comma-separated list of IPv6 addresses from step 5
and ListOfAdditionalServerIPv6Addresses is the comma-separated list of IPv6 addresses
for your HRAs and remediation servers on the intranet.
7. From the netsh advfirewall prompt, run the set store
gpo=”DomainName\DirectAccess Policy-{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300}"
command.
This is the GPO for the DirectAccess server.
8. From the netsh advfirewall prompt, run the consec set rule “DirectAccess Policy-
DaServerToMgmt” new
endpoint1=ExistingIPv6Addresses,ListOfAdditionalServerIPv6Addresses command.
The following procedure modifies the intranet tunnel connection security rule on the DirectAccess
server to require the use of health certificates by DirectAccess clients. Perform this procedure
only when you are using NAP full enforcement for DirectAccess connections.
152
command.
This is the GPO for the DirectAccess server.
4. From the netsh advfirewall prompt, run the consec show rule
name=“DirectAccess Policy-DaServerToCorp” command.
5. From the display of the consec show rule command, note the certification authority
(CA) name string for Auth1CAName.
6. From the netsh advfirewall prompt, run the consec set rule “DirectAccess Policy-
DaServerToCorp” new auth1=computercert auth1ca=CANameString
auth1healthcert=yes applyauthz=yes command.
Important
When you use Netsh.exe to customize connection security rules for DirectAccess, those
changes are overwritten the next time you apply the settings of the DirectAccess Setup
Wizard. To ensure that the custom settings are maintained, you should either no longer
use the DirectAccess Setup Wizard for configuration changes or compile a list of custom
changes in a script and run the script each time you apply the DirectAccess Setup Wizard
settings.
If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to
return to the checklist.
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
To prevent DirectAccess clients from using IP-HTTPS to connect to your intranet through your
proxy servers and DirectAccess servers when they are connected to your IPv4-only intranet or an
IPv4-only subnet of your intranet, you can do one of the following:
• On your DirectAccess servers, create an inbound rule that blocks all traffic from the IPv4
addresses of your proxy servers.
• On your proxy servers, create an outbound rule that blocks all traffic to the external
(Internet) IPv4 addresses of your DirectAccess servers.
153
To create an inbound rule on a DirectAccess server to drop traffic from your proxy
servers
1. On the DirectAccess server, click Start, click Run, type wf.msc, and then press
ENTER.
2. In the console tree of the Windows Firewall with Advanced Security snap-in, right-
click Inbound Rules, and then click New Rule.
3. On the Rule Type page, click Custom, and then click Next.
4. On the Programs page, click Next.
5. On the Protocols and Ports page, click Next.
6. On the Scope page, under Which remote IP addresses does this rule apply?,
click These IP addresses.
7. Click Add, type the IPv4 address of a proxy server in This IP address or subnet,
and then click OK. Repeat this step for the additional IPv4 addresses of your proxy
servers.
8. When you have added all of the IPv4 addresses of your proxy servers, click Next.
9. On the Action page, click Block the connection, and then click Next.
10. On the Profile page, click Next.
11. On the Name page, for Name, type Drop inbound proxy server traffic, and then
click Finish.
154
Configure Force Tunneling for DirectAccess
Clients
Important
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
Before configuring force tunneling settings for DirectAccess clients, you should have deployed
and determined the Internet Protocol version 6 (IPv6) addresses of either your dual protocol
(Internet Protocol version 4 [IPv4] and IPv6) proxy servers or your IPv6/IPv4 translator (NAT64)
and IPv6/IPv4 DNS gateway (DNS64) devices that are in front of your IPv4-based proxy servers.
For more information about these devices, see Choose Solutions for IPv4-only Intranet
Resources.
To complete these procedures, you must be a member of the Domain Administrators group, or
otherwise be delegated permissions to change Group Policy settings. Review details about using
the appropriate accounts and group memberships at Local and Domain Default Groups
(http://go.microsoft.com/fwlink/?LinkId=83477).
155
of your IPv4-based proxy server. Repeat this step if you have multiple IPv6 addresses.
10. Click Create, and then click Apply.
11. In the console tree of the Group Policy Management Editor snap-in, open Computer
Configuration\Policies\Administrative Templates\Network\TCPIP Settings\IPv6
Transition Technologies.
12. In the details pane, double-click 6to4 State.
13. In the 6to4 State dialog box, click Enabled, click Disabled State in Select from the
following states, click Apply, and then click OK.
14. In the details pane, double-click Teredo State.
15. In the Teredo State dialog box, click Enabled, click Disabled State in Select from
the following states, click Apply, and then click OK.
16. In the details pane, double-click IP-HTTPS State.
17. In the IP-HTTPS State dialog box, click Enabled State in Select Interface state
from the following options, click Apply, and then click OK.
DirectAccess clients will apply these settings the next time they update their Computer
Configuration Group Policy.
If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to
return to the checklist.
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
If the Internet Information Services (IIS) server is being used for only Hypertext Transfer Protocol
(HTTP)-based connections, determine an alias name that will be used by DirectAccess clients
and create an address (A) record in your intranet Domain Name System (DNS) servers so that
the fully qualified domain name (FQDN) of the IIS server using the alias name can be resolved by
intranet-connected DirectAccess clients. If the IIS server is being used only for network location,
you do not need to use an alias name.
For example, the IIS server app1.corp.contoso.com is an intranet server providing only HTTP-
based connections for intranet clients. APP1 is also the network location server. The alias for
network location detection for the APP1 Web server is nls.corp.contoso.com. The network
administrator creates an A record in the corp.contoso.com forward lookup zone that has the IPv4
address of app1.corp.contoso.com.
156
Once you have determined the FQDN of the network location server, construct the URL
https://FQDN (without the trailing “/”). This is the network location URL that you configure in Step
3 of the DirectAccess Setup Wizard.
Note
If you are not using an alias name, you cannot connect to the IIS server that is acting as
a network location server from a DirectAccess client that is on the Internet.
To complete these procedures, you must be a member of the local Administrators group, or
otherwise be delegated permissions to configure IIS global settings. Review details about using
the appropriate accounts and group memberships at Local and Domain Default Groups
(http://go.microsoft.com/fwlink/?LinkId=83477).
To mitigate security risks posed by computers on the Internet, you must install the IP and Domain
Restrictions role service for IIS on the network location server.
Note
If you are using an alias name, you cannot use an IIS server that is also being used for
Secure Hypertext Transfer Protocol (HTTPS)-based connections. The certificate
157
configured for HTTPS bindings is for the alias name and HTTPS connections using other
FQDNs will not validate.
If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to
return to the checklist.
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
To provide connectivity for Teredo-based DirectAccess clients, you need to configure Windows
Firewall with Advanced Security rules for all of your domain member computers to allow Internet
Control Message Protocol for Internet Protocol version 6 (IPv6) (ICMPv6) Echo Request
messages and, when using a NAT64 to translate IPv6 to IPv4 traffic on your intranet, Internet
Control Message Protocol for Internet Protocol version 4 (IPv4) (ICMPv4) Echo Request
messages.
To complete these procedures, you must be a member of the Domain Administrators group, or
otherwise be delegated permissions to configure Group Policy settings. Review details about
using the appropriate accounts and group memberships at Local and Domain Default Groups
(http://go.microsoft.com/fwlink/?LinkId=83477).
158
7. On the Rule Type page, click Custom, and then click Next. On the Program page,
click Next. On the Protocols and Ports page, for Protocol type, click ICMPv6, and then
click Customize. In the Customize ICMP Settings dialog box, click Specific ICMP
types, select Echo Request, and then click OK. Click Next. On the Scope page, click
Next. On the Action page, click Allow the connection, and then click Next. On the
Profile page, click Next. On the Name page, for Name, type Outbound ICMPv6 Echo
Requests, and then click Finish.
The following procedure is only needed when you are using a NAT64 on your intranet.
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
To allow unsolicited incoming traffic from intranet computers to DirectAccess clients, the inbound
rules that allow management computers to initiate connections with intranet computers must have
edge traversal enabled for Teredo-based DirectAccess clients. See Packet Filters for
159
Management Computers for more information about whether to use your existing inbound rules or
to create new inbound rules just for DirectAccess clients.
For existing or duplicated inbound rules for management traffic to DirectAccess clients, you can
enable edge traversal in the following ways:
• With the Windows Firewall with Advanced Security snap-in
• With commands in the netsh advfirewall firewall set rule context
To complete these procedures, you must be a member of the Domain Administrators group, or
otherwise be delegated permissions to change Group Policy settings. Review details about using
the appropriate accounts and group memberships at Local and Domain Default Groups
(http://go.microsoft.com/fwlink/?LinkId=83477).
To enable edge traversal for an inbound rule with the Windows Firewall with Advanced
Security snap-in
1. Click Start, click Run, type gpmc.msc, and then press ENTER.
2. In the console tree, open Forest\Domains\YourDomain, right-click the appropriate
Group Policy object (GPO), and then click Edit.
For example, your inbound rules for management traffic that are specific to DirectAccess
clients would reside in the DirectAccess client GPO named DirectAccess Policy-
{3491980e-ef3c-4ed3-b176-a4420a810f12}.
3. In the console tree of the Group Policy Management Editor, open Computer
Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with
Advanced Security\Windows Firewall with Advanced Security\Inbound Rules.
4. In the contents pane, right-click a rule for management traffic, and then click
Properties.
5. Click the Advanced tab, in Edge traversal, select Allow edge traversal, and then
click OK.
6. Repeat steps 4 and 5 for the additional rules for management traffic.
To enable edge traversal for an inbound rule with the Netsh.exe command-line tool
1. On a domain controller, start a command prompt as an administrator
2. From the Command Prompt window, run the netsh –c advfirewall command.
3. From the netsh advfirewall prompt, run the set store
gpo=DomainName\GPOName command.
For example, the name of the DirectAccess client GPO for the corp.contoso.com domain
is DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}. Therefore, the
command is set store gpo=”corp.contoso.com\DirectAccess Policy-{3491980e-ef3c-
4ed3-b176-a4420a810f12}".
4. From the netsh advfirewall prompt, run the firewall show rule name=all command.
5. From the display of this command, copy or write down the names of the inbound
rules for management traffic to DirectAccess clients.
6. From the netsh advfirewall prompt, run the firewall name=RuleName edge=yes
160
command for each rule noted in step 5.
If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to
return to the checklist.
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
For the DirectAccess Setup Wizard to run, at least one physical interface of the DirectAccess
server computer must not be in the domain profile. Windows Firewall places an interface in the
domain profile if a domain controller for the domain for which the computer is a member is
reachable on that interface. The Internet interface of the DirectAccess server is attached to the
perimeter network. If your perimeter network contains a domain controller, such as a read-only
domain controller, Windows Firewall will place the Internet interface in the domain profile. To
prevent the Internet interface from reaching the domain controllers on the perimeter network, you
must configure outbound rules on the Internet interface to prevent connectivity to the IP
addresses of the perimeter network domain controllers.
To complete these procedures, you must be a member of the local Administrators group, or
otherwise be delegated permissions to create Windows Firewall rules. Review details about using
the appropriate accounts and group memberships at Local and Domain Default Groups
(http://go.microsoft.com/fwlink/?LinkId=83477).
To add packet filters to prevent access to domain controllers from the Internet interface
1. On the DirectAccess server, click Start, click Run, type wf.msc, and then press
ENTER.
2. In the console tree, right-click Outbound Rules, and then click New Rule.
3. On the Rule Type page, click Custom, and then click Next.
4. On the Program page, click Next.
5. On the Protocol and Ports page, click Next.
6. On the Scope page, in Which local IP addresses does this rule apply to?, click
These IP addresses, and then click Add. In IP Address, specify the Internet Protocol
version 4 (IPv4) and Internet Protocol version 6 (IPv6) addresses of the Internet interface
of the DirectAccess server, and then click OK.
7. In Which remote IP addresses does this rule apply to?, click These IP
addresses, and then click Add. In IP Address, specify the IPv4 or IPv6 addresses of the
161
domain controllers that are reachable from the Internet interface of the DirectAccess
server, and then click OK.
8. Click Next.
9. On the Action page, click Next.
10. On the Profile page, clear Domain, and then click Next.
11. On the Name page, specify a name for the rule, and then click Finish.
If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to
return to the checklist.
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
The DirectAccess server requires and network location servers might require certificates for
Secure Sockets Layer (SSL) authentication that have customized certificate properties. To
request and modify these certificates from an Active Directory Certificate Services (AD CS)-based
certification authority (CA), you must modify the permissions of the Web Server certificate
template.
To complete these procedures, you must be a member of the Domain Administrators group, or
otherwise be delegated permissions to create and enable certificate template settings on an AD
CS-based CA. Review details about using the appropriate accounts and group memberships at
Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
162
If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to
return to the checklist.
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
As described in Confining ICMPv6 Traffic to the Intranet, the default settings created by the
DirectAccess Setup Wizard allow the following:
• Any computer with a Teredo or 6to4 client can send Internet Control Message Protocol for
IPv6 (ICMPv6) traffic to intranet locations through the DirectAccess server to probe for valid
intranet destination IPv6 addresses. The amount of this traffic is limited by the Denial of
Service Protection (DoSP) feature of the DirectAccess server.
• A malicious user on the same subnet as a Teredo-based DirectAccess client can
determine the IPv6 addresses of intranet servers by capturing ICMPv6 Echo Request and
Echo Reply message exchanges.
This procedure allows you to prevent these possible security issues.
To complete these procedures, you must be a member of the Domain Administrators group, or
otherwise be delegated permissions to modify Group Policy settings. Review details about using
the appropriate accounts and group memberships at Local and Domain Default Groups
(http://go.microsoft.com/fwlink/?LinkId=83477).
163
consec add rule name=”Exempt ICMPv6 to Tunnel endpoint” profile=private,public
action=noauthentication mode=tunnel endpoint1=any
endpoint2=IPv6AddressesOfTheRemoteTunnelEndpoints protocol=icmpv6
set store gpo="DomainName\DirectAccess Policy-{ab991ef0-6fa9-4bd9-bc42-
3c397e8ad300}"
set global ipsec defaultexemptions neighbordiscovery,dhcp
consec add rule name=”Exempt ICMPv6 from Tunnel endpoint”
profile=private,public action=noauthentication mode=tunnel
endpoint1=IPv6AddressesOfTheRemoteTunnelEndpoints endpoint2=any
protocol=icmpv6
6. Click Start, type gpmc.msc, and then press ENTER.
7. In the console tree, open Forest/Domains/YourDomain, right-click the DirectAccess
Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12} GPO, and then click Edit.
8. In the console tree of the Group Policy Management Editor, open Computer
Configuration/Policies/Windows Settings/Security Settings/Windows Firewall with
Advanced Security.
9. Right-click Windows Firewall with Advanced Security, and then click Properties.
10. Click the IPsec Settings tab. In IPsec exemptions, in Exempt ICMP from IPsec,
click No, and then click OK.
11. Close the Group Policy Management Editor.
12. In the console tree of the Group Policy Management console, open
Forest/Domains/YourDomain, right-click the DirectAccess Policy-{ab991ef0-6fa9-
4bd9-bc42-3c397e8ad300} GPO, and then click Edit.
13. In the console tree of the Group Policy Management Editor, open Computer
Configuration/Policies/Windows Settings/Security Settings/Windows Firewall with
Advanced Security.
14. Right-click Windows Firewall with Advanced Security, and then click Properties.
15. Click the IPsec Settings tab. In IPsec exemptions, in Exempt ICMP from IPsec,
click No, and then click OK.
If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to
return to the checklist.
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
164
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
By default, the DirectAccess server uses weak certificate revocation list (CRL) checking when
performing certificate-based Internet Protocol security (IPsec) peer authentication with
DirectAccess clients. For weak CRL checking, certificate revocation checking fails only if the
validating computer confirms that the certificate has been revoked in the CRL.
This procedure describes how to enable strong CRL checking, in which certificate revocation
checking fails if the validating computer confirms that the certificate has been revoked or for any
error encountered during certificate revocation checking, including the inability to access the CRL
distribution point.
To complete these procedures, you must be a member of the Domain Administrators group, or
otherwise be delegated permissions to change Group Policy settings. Review details about using
the appropriate accounts and group memberships at Local and Domain Default Groups
(http://go.microsoft.com/fwlink/?LinkId=83477).
Notes
If you enable strong CRL checking and the DirectAccess server cannot reach the CRL
distribution point, certificate-based IPsec authentication for all DirectAccess connections
will fail.
If you are using Network Access Protection (NAP) with DirectAccess and you enable
strong CRL checking, certificate-based IPsec authentication for all DirectAccess
connections will fail. Health certificates do not contain CRL distribution points because
their lifetime is on the order of hours, instead of years for computer certificates.
If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to
return to the checklist.
165
Configure the DirectAccess IPsec Gateway
on a Different Server
Configuring the DirectAccess Internet Protocol security (IPsec) gateway on a different server
consists of the following procedures:
• Configure the Intra-Server Subnet
• Configure the IPv6 Connectivity Server
• Configure the IPsec Gateway Server
See Checklist: Moving the IPsec Gateway to Another Server for information about when these
procedures need to be performed.
166
command.
This command lists the interfaces and their interface indexes.
6. In the Command Prompt window, run the following commands:
netsh interface ipv6 SubnetInterfaceNameOrIndex forwarding=enabled
advertise=enabled advertisedefaultroute=enabled
netsh interface ipv6 add route 64BitPrefixOfSubnet publish=yes
7. On the IPsec gateway server, start a command prompt as an administrator.
8. In the Command Prompt window, type the netsh interface ipv6 show addresses
command.
9. In the display, copy or note the public address assigned to the subnet interface of the
IPsec gateway server. You will need this address for the Configure the IPsec Gateway
Server procedure.
If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to
return to the checklist.
167
3. In the Command Prompt window, run the following commands:
netsh interface ipv6 set interface InternetInterfaceIndex forwarding=enabled
netsh interface teredo set state type=server servername=FirstPublicIPv4Address
netsh interface ipv6 set interface TeredoInterfaceIndex forwarding=enabled
netsh interface 6to4 set state enabled
netsh interface ipv6 set interface 6to4InterfaceIndex forwarding=enabled
netsh interface ipv6 set interface IPHTTPSInterface forwarding=enabled
advertise=enabled
4. Install a Secure Sockets Layer (SSL) certificate using manual enrollment. For more
information, see Install an IP-HTTPS Certificate.
5. Use the netsh http add sslcert command to configure the SSL binding.
6. In the Command Prompt window, run the following commands:
netsh interface httpstunnel add interface type=server
url=https://PublicIPv4AddressOrFQDN:443/iphttps state=enabled
authmode=certificates
netsh interface ipv6 add route IP-HTTPSPrefix::/64 IPHTTPSInterface publish=yes
If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to
return to the checklist.
168
netsh interface ipv6 set teredo default
netsh interface ipv6 set interface TeredoInterfaceIndex forwarding=disabled
netsh interface 6to4 set state default
netsh interface ipv6 set interface 6to4InterfaceIndex forwarding=disabled
netsh interface ipv6 set interface IPHTTPSInterface forwarding=disabled
advertise=disabled
netsh interface httpstunnel add interface state=default
4. On a domain controller, start a command prompt as an administrator.
5. From the Command Prompt window, type the following commands
netsh advfirewall set store gpo=”DomainName\DirectAccess Policy-{3491980e-ef3c-
4ed3-b176-a4420a810f12}"
netsh advfirewall consec set rule name=”DirectAccess Policy-ClientToCorp” new
remotetunnelendpoint=PublicIpv6AddressOfIPsecGWServerSubnetInterface
netsh advfirewall consec set rule name=”DirectAccess Policy-ClientToDnsDc” new
remotetunnelendpoint=PublicIpv6AddressOfIPsecGWServerSubnetInterface
netsh advfirewall consec set rule name=”DirectAccess Policy-ClientToMgmt” new
remotetunnelendpoint=PublicIpv6AddressOfIPsecGWServerSubnetInterface
netsh advfirewall set store gpo=”DomainName\DirectAccess Policy-{ab991ef0-6fa9-
4bd9-bc42-3c397e8ad300}"
netsh advfirewall consec set rule name=”DirectAccess Policy-DaServerToMgmt”
new localtunnelendpoint=PublicIpv6AddressOfIPsecGWServerSubnetInterface
netsh advfirewall consec set rule name=”DirectAccess Policy-DaServerToCorp”
new localtunnelendpoint=PublicIpv6AddressOfIPsecGWServerSubnetInterface
netsh advfirewall consec set rule name=”DirectAccess Policy-DaServerToDnsDc”
new localtunnelendpoint=PublicIpv6AddressOfIPsecGWServerSubnetInterface
If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to
return to the checklist.
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
169
If your DirectAccess server is acting as the network location server, you must install the Web
Server (IIS) server role with the IP and Domain Restrictions role service.
To complete these procedures, you must be a member of the local Administrators group, or
otherwise be delegated permissions to install a server role. Review details about using the
appropriate accounts and group memberships at Local and Domain Default Groups
(http://go.microsoft.com/fwlink/?LinkId=83477).
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
Unlike full intranet and selected server access, the DirectAccess Setup Wizard does not configure
the DirectAccess server for end-to-end access. However, you can use the DirectAccess Setup
Wizard to create a foundation configuration and then customize the connection security rules for
end-to-end connectivity. The four steps in the wizard configure DirectAccess clients, the
DirectAccess server, infrastructure servers, and application servers.
Prior to running the DirectAccess Setup Wizard for end-to-end access, you should have
determined the following:
Prior to running the DirectAccess Setup Wizard for end-to-end access, you should have
completed the following:
To complete this procedure, you must be a member of the local Administrators group, or
otherwise be delegated permissions to create and apply the configuration of the DirectAccess
171
Setup Wizard. Review details about using the appropriate accounts and group memberships at
Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
172
click the empty row, and then click New. Select the appropriate local name resolution
option, and then click Next.
14. On the Management page, add the Internet Protocol (IP) addresses of computers
that will be initiating connections to DirectAccess clients as needed by your design. To
add a management computer, right-click the empty row, and then click New. Click Finish.
15. Click Configure for step 4.
16. On the DirectAccess Application Server Setup page:
a. Click Require end-to-end authentication and traffic protection for the
specified servers.
b. Click Add. In the Select Group dialog box, specify the Domain Computers group
for each of the domains of your organization.
c. Select Allow access to only those servers in the selected security groups.
17. Click Finish.
18. Click Save, and then click Finish.
19. In the DirectAccess Review dialog box, click Apply. In the DirectAccess Policy
Configuration message box, click OK.
If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to
return to the checklist.
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
The DirectAccess Setup Wizard steps you through the configuration of a DirectAccess server for
full intranet access. The four steps in the wizard configure DirectAccess clients, the DirectAccess
server, infrastructure servers, and application servers.
Prior to running the DirectAccess Setup Wizard for full intranet access, you should have
determined the following:
173
48-bit address prefix used by your organization
and the 64-bit address prefix that you have
designated for IP-HTTPS-based DirectAccess
clients. For more information, see Choose an
Intranet IPv6 Connectivity Design.
Prior to running the DirectAccess Setup Wizard for full intranet access, you should have
completed the following:
174
To complete this procedure, you must be a member of the local Administrators group, or
otherwise be delegated permissions to create and apply the configuration of the DirectAccess
Setup Wizard. Review details about using the appropriate accounts and group memberships at
Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
175
the certificate for network location, click OK, and then click Next.
13. On the DNS and Domain Controller page, add the appropriate rules for the Name
Resolution Policy Table (NRPT) as needed by your design. To add an NRPT rule, right-
click the empty row, and then click New. Select the appropriate local name resolution
option, and then click Next.
14. On the Management page, add the Internet Protocol (IP) addresses of computers
that will be initiating connections to DirectAccess clients as needed by your design. To
add a management computer, right-click the empty row, and then click New. Click Finish.
15. Click Configure for step 4.
16. On the DirectAccess Application Server Setup page, click Finish.
17. Click Save, and then click Finish.
18. In the DirectAccess Review dialog box, click Apply. In the DirectAccess Policy
Configuration message box, click OK.
If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to
return to the checklist.
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
The DirectAccess Setup Wizard steps you through the configuration of a DirectAccess server for
selected server access. The four steps in the wizard configure DirectAccess clients, the
DirectAccess server, infrastructure servers, and application servers.
Prior to running the DirectAccess Setup Wizard for selected server access, you should have
determined the following:
176
Intranet IPv6 Connectivity Design.
Prior to running the DirectAccess Setup Wizard for selected server access, you should have
completed the following:
177
To complete this procedure, you must be a member of the local Administrators group, or
otherwise be delegated permissions to create and apply the configuration of the DirectAccess
Setup Wizard. Review details about using the appropriate accounts and group memberships at
Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
178
Network Location server is run on the DirectAccess server, click Browse, click
the certificate for network location, click OK, and then click Next.
13. On the DNS and Domain Controller page, add the appropriate rules for the Name
Resolution Policy Table (NRPT) as needed by your design. To add an NRPT rule, right-
click the empty row, and then click New. Select the appropriate local name resolution
option, and then click Next.
14. On the Management page, add the Internet Protocol (IP) addresses of computers
that will be initiating connections to DirectAccess clients as needed by your design. To
add a management computer, right-click the empty row, and then click New. Click Finish.
15. Click Configure for step 4.
16. On the DirectAccess Application Server Setup page:
a. Click Require end-to-end authentication and traffic protection for the
specified servers.
b. Click Add. In the Select Group dialog box, specify the names of the security
groups that contain the selected servers.
c. If you want to confine the access of DirectAccess clients to only the selected
servers, select Allow access to only those servers in the selected security
groups.
d. If you want to use authentication with null encapsulation, select Configure the
IPsec connection security rules on these servers to perform authentication
without traffic protection.
17. Click Finish.
18. Click Save, and then click Finish.
19. In the DirectAccess Review dialog box, click Apply. In the DirectAccess Policy
Configuration message box, click OK.
If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to
return to the checklist.
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
An IPv6/IPv4 DNS gateway translates between Internet Protocol version 6 (IPv6) and Internet
Protocol version 4 (IPv4) for DNS name queries. You need an IPv6/IPv4 DNS gateway and an
IPv6/IPv4 translator for DirectAccess clients to reach an IPv4-only resource on your intranet. For
179
more information about these devices, see Choose Solutions for IPv4-only Intranet Resources. If
you are using these devices in your DirectAccess deployment, you must identify the portions of
your intranet namespace that contain IPv4-only application servers and add them to the Name
Resolution Policy Table (NRPT) of your DirectAccess clients with the IPv6 addresses of your
IPv6/IPv4 DNS gateways.
To complete these procedures, you must be a member of the Domain Administrators group, or
otherwise be delegated permissions to change Group Policy settings. Review details about using
the appropriate accounts and group memberships at Local and Domain Default Groups
(http://go.microsoft.com/fwlink/?LinkId=83477).
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
You can configure the rules directly to the Name Resolution Policy Table (NRPT) with Group
Policy, rather than using the DirectAccess Setup Wizard.
To complete these procedures, you must be a member of the Administrators group, or otherwise
be delegated permissions to configure Group Policy settings. Review details about using the
appropriate accounts and group memberships at Local and Domain Default Groups
(http://go.microsoft.com/fwlink/?LinkId=83477).
180
To configure the NRPT with Group Policy
1. Click Start, click Run, type gpmc.msc, and then press ENTER.
2. In the console tree, open the domain.
3. In the console tree, right-click the DirectAccess Policy-{3491980e-ef3c-4ed3-b176-
a4420a810f12} Group Policy object, and then click Edit.
4. In the console tree of the Group Policy Management Editor, open Computer
Configuration\Policies\Windows Settings, and then click Name Resolution Policy.
• To create a new NRPT rule for DirectAccess, in the details pane, click DNS
Settings for Direct Access, select Enable DNS settings for DirectAccess in this
rule. Specify the namespace to which the rule applies, the certification authority and
Internet Protocol version 6 (IPv6) addresses of Domain Name System (DNS) servers
(if needed), and then click Create.
• To modify an existing rule, click the rule in the NRPT, and then click Edit Rule.
When you are done making changes, click Update.
• To delete an existing rule, click the rule in the NRPT, and then click Delete Rule.
If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to
return to the checklist.
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
To provide connectivity to the Internet Protocol version 6 (IPv6) Internet for DirectAccess clients,
you must configure the DirectAccess server with direct or tunneled connection to the IPv6
internet. For tunneled connections, you can use 6to4 or an IPv6-in-Internet Protocol version 4
(IPv4) tunnel to a service provider that is providing tunneled access to the IPv6 Internet.
Before performing this procedure:
• If you have a direct connection to the IPv6 Internet, you must determine the interface
name or index of the DirectAccess server Internet interface and the next-hop IPv6 address for
default route traffic.
• If you are using 6to4, you must determine the IPv4 address of your 6to4 relay. If your
Internet service provider (ISP) does not provide one, use 192.88.99.1.
• If you are using an IPv6-in-IPv4 tunnel to a service provider, you must determine a name
for the tunnel interface on the DirectAccess server, a public IPv4 address on the DirectAccess
server to use as the local tunnel endpoint, the public IPv4 address of the service provider’s
tunnel server, and an IPv6 next-hop address.
181
To complete these procedures, you must be a member of the local Administrators group, or
otherwise be delegated permissions to configure IPv6 settings. Review details about using the
appropriate accounts and group memberships at Local and Domain Default Groups
(http://go.microsoft.com/fwlink/?LinkId=83477).
To configure a default IPv6 route for a direct connection to the IPv6 Internet
1. On the DirectAccess server, start a command prompt as an administrator.
2. From the Command Prompt window, type the netsh interface ipv6 add route ::/0
InterfaceNameOrIndex NextHopIPv6Address command.
If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to
return to the checklist.
Important
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
182
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
Note
You must add at least one member computer to the selected security group to specify it in
Step 4 of the DirectAccess Setup Wizard.
If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to
return to the checklist.
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
183
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
A DirectAccess server acting as a network location server must obtain an additional customized
Secure Sockets Layer (SSL) certificate using the Web Server certificate template.
To complete these procedures, you must be a member of the local Administrators group, or
otherwise be delegated permissions to obtain a customized certificate. Review details about
using the appropriate accounts and group memberships at Local and Domain Default Groups
(http://go.microsoft.com/fwlink/?LinkId=83477).
Note
Steps 14 and 15 are optional, but make it easier for you to select the certificate for
network location in Step 3 of the DirectAccess Setup Wizard.
If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to
return to the checklist.
184
Install an IP-HTTPS Certificate
Important
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
The DirectAccess server needs a customized Secure Sockets Layer (SSL) certificate to
authenticate Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS)-based
DirectAccess connections.
To complete these procedures, you must be a member of the local Administrators group, or
otherwise be delegated permissions to request and customize an SSL certificate. Review details
about using the appropriate accounts and group memberships at Local and Domain Default
Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
185
Note
Steps 12 and 13 are optional, but make it easier for you to select the certificate for
Secure Hypertext Transfer Protocol (HTTPS) connections in Step 2 of the DirectAccess
Setup Wizard.
Warning
The DirectAccess Setup Wizard by default configures the URL of the IP-HTTPS server in
the DirectAccess client and server GPOs based on the following format:
https://SubjectFieldIP-HTTPSCertificate:443://IPHTTPS. This URL must not be more than
256 characters long. Otherwise, the IP-HTTPS component on the DirectAccess client and
server will not operate correctly. Therefore, the FQDN in Step 9 of this procedure must
not be more than 234 characters.
If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to
return to the checklist.
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
The network location server uses a Secure Sockets Layer (SSL) certificate to authenticate
Secure Hypertext Transfer Protocol (HTTPS)-based requests from DirectAccess clients. The SSL
certificate has a customized subject name.
To complete these procedures, you must be a member of the local Administrators group, or
otherwise be delegated permissions to request an SSL certificate and to configure certificate
settings for Internet Information Services (IIS). Review details about using the appropriate
accounts and group memberships at Local and Domain Default Groups
(http://go.microsoft.com/fwlink/?LinkId=83477).
In this procedure, you request and customize an SSL certificate.
186
computer, click Finish, and then click OK.
4. In the console tree of the Certificates snap-in, open Certificates (Local
Computer)\Personal\Certificates.
5. Right-click Certificates, point to All Tasks, and then click Request New Certificate.
6. Click Next twice.
7. On the Request Certificates page, click the Web Server certificate template, and
then click More information is required to enroll for this certificate.
If the Web Server certificate template does not appear, ensure that the network location
server computer account has enroll permissions for the Web Server certificate template.
For more information, see Configure Permissions on the Web Server Certificate
Template.
8. On the Subject tab of the Certificate Properties dialog box, in Subject name, for
Type, select Common Name.
9. In Value, type the fully qualified domain name (FQDN) of the network location server
(for example, nls.corp.contoso.com), and then click Add.
10. Click OK, click Enroll, and then click Finish.
11. In the details pane of the Certificates snap-in, verify that a new certificate with the
FQDN was enrolled with Intended Purposes of Server Authentication.
In this procedure, you configure the HTTPS security binding on the network location server to use
the new SSL certificate.
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
187
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
You configure DirectAccess client and server settings and monitor DirectAccess connectivity with
the DirectAccess management console, which you must install as a feature with Server Manager.
To complete these procedures, you must be a member of the local Administrators group, or
otherwise be delegated permissions to install features from Server Manager. Review details
about using the appropriate accounts and group memberships at Local and Domain Default
Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
By default, DNS servers running Windows Server 2008 R2 or Windows Server 2008 use the
global query block list to block the resolution of the name ISATAP. To allow name resolution for
the ISATAP name, you must remove ISATAP from the global query block list of the DNS Server
service for each DNS server on your intranet running Windows Server 2008 R2 or Windows
Server 2008.
To complete these procedures, you must be a member of the local Administrators group on the
DNS server, or otherwise be delegated permissions to modify registry values on the DNS server.
Review details about using the appropriate accounts and group memberships at Local and
Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
188
To remove ISATAP from the DNS global query block list on a DNS server
1. Click Start, type regedit.exe, and then press ENTER.
2. In the console tree, open
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Par
ameters.
3. In the contents pane, double-click the GlobalQueryBlockList value.
4. In the Edit Multi-String dialog box, remove the name ISATAP from the list, and then
click OK.
5. Start a command prompt as an administrator.
6. In the Command Prompt window, run the following commands:
net stop dns
net start dns
If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to
return to the checklist.
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
You can also configure a DirectAccess server manually with a series of commands at a
Command Prompt window or within a script. The following sections describe the commands to
configure a DirectAccess server for the equivalent default configuration of the DirectAccess Setup
Wizard.
Teredo server Configure Teredo with netsh interface ipv6 set teredo server
the name or IPv4 FirstIPv4AddressOfDirectAccessServer
address of the Teredo
server.
IPv6 interfaces Configure the IPv6 1. Run the following command for the 6to4
189
Component Purpose Command
SSL certificates for IP- Configure the 1. Install the SSL certificate using manual
HTTPS connections certificate binding. enrollment.
2. Use the netsh http add sslcert
command to configure the certificate
binding.
IP-HTTPS Interface Configure the IP- netsh interface httpstunnel add interface
HTTPS interface. server
https://PublicIPv4AddressOrFQDN:443/iphttps
enabled certificates
IP-HTTPS Routing Configure IPv6 netsh interface ipv6 add route IP-
routing for the IP- HTTPSPrefix::/64 IPHTTPSInterface
HTTPS interface. publish=yes
IP-HTTPSPrefix is one of the following:
• 6to4-basedPrefix:2 if you are using a
6to4-based prefix based on the first public
IPv4 address assigned to Internet interface
of the DirectAccess server.
• NativePrefix:5555 if you are using a 48-
bit native IPv6 prefix. 5555 is the Subnet ID
value chosen by the DirectAccess Setup
Wizard.
190
Component Purpose Command
Network Interface If you have native IPv6, netsh interface ipv6 set interface
configure intranet LANInterfaceIndex forwarding=enabled
interface forwarding and advertise=enabled
advertising on the LAN
interface.
Enable IPsec DoSP on the intranet interface. netsh ipsecdosp add interface
intranetInterfaceName internal
191
Configure connection security rules
There are separate connection security rules for the full intranet access model for the
DirectAccess server and DirectAccess clients.
Purpose Command
Purpose Command
192
Purpose Command
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
Manual configuration of DirectAccess clients consist of IPv6 transition technology settings and the
Name Resolution Policy Table (NRPT).
193
IPv6 transition technology settings
Purpose Command Group Policy Setting
194
NRPT
For DirectAccess, the NRPT must be configured with the namespaces of your intranet with a
leading dot (for example, .internal.contoso.com or .corp.contoso.com). For a DirectAccess client,
any name request that matches one of these namespaces will be sent to the specified intranet
Domain Name System (DNS) servers. Include all intranet DNS namespaces that you want
DirectAccess client computers to access.
There are no command line methods for configuring NRPT rules. You must use Group Policy
settings. To configure the NRPT through Group Policy, use the Group Policy add-in at Computer
Configuration\Policies\Windows Settings\Name Resolution Policy in the Group Policy object
for DirectAccess clients. You can create a new NRPT rule and edit or delete existing rules. For
more information, see Configure the NRPT with Group Policy.
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
DirectAccess user interface (UI) scripting allows you to use PowerShell scripts to run a
combination of Netsh.exe and PowerShell commands and configure a DirectAccess server.
The DirectAccess Setup Wizard generates an Extensible Markup Language (XML) data file that
can be passed as an input to the engine.ps1 PowerShell script. The location for the data file is
%WINDIR%\DirectAccess\DirectAccessConfig.xml. This XML data file is generated whenever you
save or apply settings with the DirectAccess Management Console. For more information and the
engine.ps1 script file, see Perform DirectAccess Scripting (http://go.microsoft.com/fwlink/?
LinkId=157388).
By accessing the tag names inside the XML file, you can configure the DirectAccess server and
all of the required Group Policies.
Here is an example of a data file:
<root>
<ServerData>
<CorpPrefix>2002:836b:1::/48</CorpPrefix>
</ServerData>
195
.
</root>
Script usage
The script takes in as arguments the data file path and the log file path along with the mandatory
mode parameter.
Engine.ps1 –mode <serveronly|gpsettingonly|all> [–data <dataFilePath>] [-log
<logFilePath>]
Log file
The script generates a log file named DirectAccessLog.txt when run, which contains the details
of what actions the script performed, with timestamps. The log file contents have the following
format:
Time Stamp Step: description
196
Executing: the command being run
Output: output of the command
Appendix D - DirectAccessConfig.xsd
Important
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For
deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see
the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?
LinkId=179989).
The DirectAccessConfig.xml file contains DirectAccess configuration data of the DirectAccess
Setup Wizard. The following is the Extended Markup Language (XML) schema definition (XSD)
file for DirectAccessConfig.xml. To create a DirectAccessConfig.xsd file, copy the contents to
Notepad, and then save the file as DirectAccessConfig.xsd.
<?xml version="1.0" encoding="utf-8"?>
<xs:schema xmlns="http://www.microsoft.com/networking/DirectAccess/v1"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
targetNamespace="http://www.microsoft.com/networking/DirectAccess/v1"
attributeFormDefault="unqualified" elementFormDefault="qualified">
<xs:element name="root">
<xs:complexType>
<xs:all>
<xs:element name="ServerData">
<xs:complexType>
<xs:all>
197
<xs:element name="TransitionTechnologies">
<xs:complexType>
<xs:all>
<xs:annotation>
<xs:documentation xml:lang="en-us">
</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:all>
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="Teredo">
<xs:complexType>
<xs:all>
<xs:element name="FirstInternetGlobalAddress"
type="ipv4Address" />
</xs:all>
</xs:complexType>
</xs:element>
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="IPHttps">
<xs:complexType>
<xs:all>
198
<xs:element name="IpHttpsServerURL" type="xs:anyURI" />
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="DOSPConfig">
<xs:complexType>
<xs:all>
</xs:all>
</xs:complexType>
</xs:element>
</xs:all>
</xs:complexType>
</xs:element>
<xs:annotation>
<xs:documentation xml:lang="en-us">
</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:all>
<xs:element name="IpHttpsAddresses">
<xs:complexType>
<xs:sequence>
</xs:sequence>
199
</xs:complexType>
</xs:element>
<xs:element name="InOutAddresses">
<xs:complexType>
<xs:sequence>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="GPO">
<xs:complexType>
<xs:all>
<xs:element name="Common">
<xs:complexType>
<xs:all>
<xs:annotation>
<xs:documentation xml:lang="en-us">
</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:sequence>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="DnsServers">
200
<xs:complexType>
<xs:sequence>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:complexType>
<xs:sequence>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="CertType">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="Root"/>
<xs:enumeration value="Intermediate"/>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name="SmartCard">
<xs:complexType>
<xs:all>
<xs:element name="Option">
<xs:simpleType>
<xs:restriction base="xs:string">
201
<xs:enumeration value="NoSmartCard"/>
<xs:enumeration value="RemoteSmartCard"/>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:annotation>
<xs:documentation xml:lang="en-us">
</xs:documentation>
</xs:annotation>
</xs:element>
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="DistinguishedDomainName"
type="distinguishedDomainName" />
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="ClientPolicies">
<xs:complexType>
<xs:all>
<xs:element name="SecurityGroups">
<xs:complexType>
<xs:sequence>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="NRPT">
<xs:complexType>
202
<xs:sequence>
<xs:complexType>
<xs:all>
<xs:element name="DirectAccessDNSServers"
type="xs:string">
<xs:annotation>
<xs:documentation>
</xs:documentation>
</xs:annotation>
</xs:element>
</xs:all>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:unique name="NRPTRuleName">
</xs:unique>
</xs:element>
<xs:element name="DnsFallBackOptions">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="DnsFallbackNameDoesNotExist"/>
<xs:enumeration value="DnsAlwaysFallbackForAnyError"/>
<xs:enumeration value="DnsAlwaysFallbackPrivateOnly"/>
</xs:restriction>
203
</xs:simpleType>
</xs:element>
<xs:element name="NCSI">
<xs:complexType>
<xs:all>
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="NID">
<xs:complexType>
<xs:all>
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="ClientToApplicationServerExemptPolicy"
type="xs:string" default="DirectAccess Policy-clientToAppServerExempt" minOccurs="0" />
204
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="ServerPolicies">
<xs:complexType>
<xs:all>
<xs:element name="SecurityGroups">
<xs:complexType>
<xs:sequence>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="AppServerPolicies">
<xs:complexType>
<xs:all>
<xs:annotation>
<xs:documentation xml:lang="en-us">
205
MUST be specified in case AuthorizationOption is other than
NoAuthorization.
</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:sequence>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="AuthenticationOption">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="NoAuthentication"/>
<xs:enumeration value="SelectedServerEndToEnd"/>
<xs:enumeration value="EndToEndAuthentication"/>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:annotation>
<xs:documentation xml:lang="en-us">
</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="ApplicationServerToIpHttpsClientPolicy"
type="xs:string" default="DirectAccess Policy-appServerToIpHttpsClientPolicy"
minOccurs="0" />
206
</xs:all>
</xs:complexType>
</xs:element>
</xs:all>
</xs:complexType>
<xs:unique name="GPONames">
</xs:unique>
</xs:element>
</xs:all>
</xs:complexType>
</xs:element>
<xs:complexType name="sg">
<xs:annotation>
<xs:documentation xml:lang="en">
</xs:documentation>
</xs:annotation>
<xs:all>
<xs:element name="Type">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="computer"/>
<xs:enumeration value="group"/>
</xs:restriction>
</xs:simpleType>
</xs:element>
207
</xs:all>
</xs:complexType>
<xs:complexType name="interface">
<xs:annotation>
<xs:documentation xml:lang="en">
</xs:documentation>
</xs:annotation>
<xs:all>
</xs:all>
</xs:complexType>
<xs:simpleType name="ipv4Address">
<xs:annotation>
<xs:documentation xml:lang="en">
</xs:documentation>
</xs:annotation>
<xs:restriction base="xs:string">
<xs:pattern value="((0|(1[0-9]{0,2})|(2(([0-4][0-9]?)|(5[0-5]?)|([6-9]?)))|([3-9]
[0-9]?))\.){3}(0|(1[0-9]{0,2})|(2(([0-4][0-9]?)|(5[0-5]?)|([6-9]?)))|([3-9][0-9]?))" />
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="ipv6Address">
<xs:annotation>
<xs:documentation xml:lang="en">
208
</xs:documentation>
</xs:annotation>
<xs:restriction base="xs:string">
<xs:pattern value="((([0-9a-fA-F]{1,4}:){7})([0-9a-fA-F]{1,4}))|((([0-9a-fA-F]
{1,4}:){6})(([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})))|((([0-9a-fA-F]{1,4}:)*([0-
9a-fA-F]{1,4}))*(::)(([0-9a-fA-F]{1,4}:)*([0-9a-fA-F]{1,4}))*)|((([0-9a-fA-F]{1,4}:)*([0-
9a-fA-F]{1,4}))*(::)(([0-9a-fA-F]{1,4}:)*([0-9a-fA-F]{1,4}))*(([0-9]{1,3}\.[0-9]{1,3}\.
[0-9]{1,3}\.[0-9]{1,3})))" />
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="ipv6Prefix">
<xs:annotation>
<xs:documentation xml:lang="en">
</xs:documentation>
</xs:annotation>
<xs:restriction base="xs:string">
<xs:pattern value="((([0-9a-fA-F]{1,4}:){7})([0-9a-fA-F]{1,4})/\d+)|((([0-9a-fA-F]
{1,4}:){6})(([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}))/\d+)|((([0-9a-fA-F]
{1,4}:)*([0-9a-fA-F]{1,4}))*(::)(([0-9a-fA-F]{1,4}:)*([0-9a-fA-F]{1,4}))*/\d+)|((([0-9a-
fA-F]{1,4}:)*([0-9a-fA-F]{1,4}))*(::)(([0-9a-fA-F]{1,4}:)*([0-9a-fA-F]{1,4}))*(([0-9]
{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}))/\d+)" />
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="ipv6PrefixOrAddress">
<xs:annotation>
<xs:documentation xml:lang="en">
</xs:documentation>
</xs:annotation>
</xs:simpleType>
209
<xs:simpleType name="ipAddress" >
<xs:annotation>
<xs:documentation xml:lang="en">
</xs:documentation>
</xs:annotation>
</xs:simpleType>
<xs:simpleType name="guid">
<xs:annotation>
<xs:documentation xml:lang="en">
</xs:documentation>
</xs:annotation>
<xs:restriction base="xs:string">
<xs:pattern value="\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-
[a-fA-F0-9]{12}\}"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="domainName">
<xs:annotation>
<xs:documentation>
</xs:documentation>
</xs:annotation>
<xs:restriction base="xs:string">
<xs:pattern value="([a-zA-Z][a-zA-Z0-9\-]*[a-zA-Z0-9]\.)*[a-zA-Z][a-zA-Z0-9\-]*[a-
zA-Z0-9]" />
</xs:restriction>
210
</xs:simpleType>
<xs:simpleType name="distinguishedDomainName">
<xs:annotation>
<xs:documentation>
</xs:documentation>
</xs:annotation>
<xs:restriction base="xs:string">
<xs:pattern value="(DC=[a-zA-Z][a-zA-Z0-9\-]*[a-zA-Z0-9],)*DC=[a-zA-Z][a-zA-Z0-
9\-]*[a-zA-Z0-9]" />
</xs:restriction>
</xs:simpleType>
</xs:schema>
In this guide
This guide is intended for use by a network or system administrator. This guide provides
information to help you identify and resolve problems quickly. Use this guide to assist you while
performing root-cause analysis of incidents and problems with components of a DirectAccess
infrastructure. Before you read this guide, you should have a good understanding of the way
DirectAccess works and how it is deployed in your organization. The following topics are included
in this guide:
• Introduction to Troubleshooting DirectAccess
• A-Z List of Problem Topics for DirectAccess
• Tools for Troubleshooting DirectAccess
• General Methodology for Troubleshooting DirectAccess Connections
• Troubleshooting DirectAccess Problems
211
To learn how to use DirectAccess troubleshooting tools and techniques in the DirectAccess test
lab (http://go.microsoft.com/fwlink/?Linkid=150613), see the Test Lab Guide: Troubleshoot
DirectAccess (http://go.microsoft.com/fwlink/?LinkId=181160).
This guide, combined with the DirectAccess Design and Deployment Guides, is also available as
a Microsoft Word file (http://go.microsoft.com/fwlink/?LinkId=163662) in the Microsoft Download
Center.
For a list of all the DirectAccess troubleshooting resources, see Troubleshoot DirectAccess in
Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkId=190435).
Introduction to Troubleshooting
DirectAccess
This guide explains how to troubleshoot DirectAccess. If you are not familiar with this guide,
review the following sections of this introduction.
Additional resources
To learn how to use DirectAccess troubleshooting tools and techniques in a test lab, see the Test
Lab Guide: Troubleshoot DirectAccess (http://go.microsoft.com/fwlink/?LinkId=181160).
212
For a list of all the DirectAccess troubleshooting resources, see Troubleshoot DirectAccess in
Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkId=190435).
213
Network Diagnostics and Tracing
Windows 7 and Windows Server 2008 R2 include extensive network diagnostics and tracing
facilities that are designed for gathering troubleshooting information on the DirectAccess client
when attempting to connect to the DirectAccess server.
This topic describes the following:
• Windows Network Diagnostics
• Troubleshooting item in Control Panel
• Network tracing for DirectAccess
• Windows Firewall tracing
Note
For this troubleshooting tool to work correctly, you must configure the Computer
Configuration/Policies/Administrative Templates/Network/Network Connectivity
Status Indicator/Corporate Website Probe URL Group Policy setting in the Group
Policy object for DirectAccess clients. For more information, see Design Your Intranet for
Corporate Connectivity Detection.
214
Network tracing for DirectAccess
Windows 7 and Windows Server 2008 R2 includes a new Netsh.exe context for network tracing;
netsh trace. Commands in the netsh trace context allow you to selectively enable tracing for
providers and scenarios. A provider represents an individual component in the network protocol
stack, such as Windows Sockets (WinSock), Transmission Control Protocol/Internet Protocol
(TCP/IP), Wireless Local Area Network (LAN) Services, or Network Device Interface Specification
(NDIS). A tracing scenario is a collection of providers for a specific function, such as file sharing
or wireless LAN access. You can also apply filters to exclude irrelevant details and reduce the
size of the resulting Event Tracing Log (ETL) file.
To perform detailed troubleshooting for networking issues, a helpdesk staff person or Microsoft’s
Customer Service and Support organization typically needs both internal component tracing
information and a capture of the network traffic that occurred when duplicating the problem. Prior
to Windows 7, this information had to be obtained two different ways; use Netsh.exe commands
to enable and disable tracing and a packet sniffer program such as Network Monitor to capture
the network traffic. Even with this information, it was difficult to tie these two sources of
information together to determine when network traffic was sent relative to the events in the
tracing logs.
When you perform network tracing in Windows 7 with commands in the netsh trace context, ETL
files can contain both network traffic and component tracing information in sequence. The ETL
files can be displayed with Microsoft Network Monitor 3.3 (http://go.microsoft.com/fwlink/?
LinkId=157376), which provides much more efficient way to analyze and troubleshoot network
problems.
216
• netsh interface ipv6 show interfaces
• netsh interface ipv6 show interfaces level=verbose
• netsh interface ipv6 show route
Note
The example displays of Netsh.exe commands in this topic were obtained from the
DirectAccess test lab (http://go.microsoft.com/fwlink/?Linkid=150613).
--------------------------------------------------------------------
Query Failure Behavior : Only use LLMNR and NetBIOS if the name does not
exist in DNS
In this example, the DirectAccess client is located on the intranet (Machine location: Inside
corporate network) and has been configured with DirectAccess NRPT rules, but they are
disabled (DirectAccess Settings: Configured and Disabled).
You use the netsh dnsclient show state command to determine the results of network location
detection (the Machine location field) and the state of DirectAccess NRPT rules (the
DirectAccess Settings field).
----------------------------------------------------------------------
C1-CA
----------------------------------------------------------------------
C1-CA
In this example, the DirectAccess client is located on the Internet and has a namespace entry for
its intranet namespace (the rule for .corp.contoso.com) and an exemption rule for the FQDN of its
network location server (the rule for .nls.corp.contoso.com).
You use the netsh namespace show effectivepolicy command to determine the results of
network location detection and the Internet Protocol version 6 (IPv6) addresses of intranet
Domain Name System (DNS) servers for additional troubleshooting.
If there are active rules in the NRPT, the DirectAccess client has determined that it is not on the
intranet. If there are no active rules in the NRPT, the DirectAccess client has determined that
it is on the intranet or it has not been correctly configured with NRPT rules.
If there are no rules in the NRPT as configured through Group Policy (from the display of the
netsh namespace show policy command), the DirectAccess client has not been properly
configured. Verify that the computer account of the DirectAccess client is a member of the
appropriate security group.
218
Note
The DirectAccess server is not a DirectAccess client and is not configured with NRPT
rules. The netsh namespace show effectivepolicy command on a DirectAccess server
should always display no rules.
In this example, the DirectAccess client has been configured with the 6to4 relay IPv4 address of
131.107.0.2 through Group Policy.
You use the netsh interface 6to4 show relay command to determine where the DirectAccess
client is sending its default route IPv6 traffic when it has been configured with a public IPv4
address and using 6to4 to tunnel IPv6 traffic across the Internet.
---------------------------------------------
Type : client
State : offline
In this example, the DirectAccess client has been configured with the Teredo server IPv4 address
of 131.107.0.2 through Group Policy and is in an offline state.
219
The following is an example of output from the netsh interface teredo show state command on
a DirectAccess server.
Teredo Parameters
---------------------------------------------
Type : server
State : online
In this example, the DirectAccess server is acting as a Teredo server and a Teredo relay and is in
an online state.
You use the netsh interface teredo show state command on a DirectAccess client to determine
the Teredo server of a DirectAccess client and its current state. You use the netsh interface
220
teredo show state command on a DirectAccess server to determine whether it is acting as a
Teredo server and its current state.
------------------------------------------------------------
Role : client
URL : https://da1.contoso.com:443/IPHTTPS
In this example, the DirectAccess client has been configured as an IP-HTTPS client with the URL
https://da1.contoso.com:443/IPHTTPS.
The following is an example of output from the netsh interface httpstunnel show interfaces
command on a DirectAccess server.
Interface IPHTTPSInterface Parameters
------------------------------------------------------------
Role : server
URL : https://da1.contoso.com:443/IPHTTPS
In this example, the DirectAccess server has been configured as an IP-HTTPS server with the
URL https://da1.contoso.com:443/IPHTTPS and uses certificates for authentication.
You use the netsh interface httpstunnel show interfaces command on a DirectAccess client to
determine the URL of the IP-HTTPS server and the current state of the IP-HTTPS client
component. You use the netsh interface httpstunnel show interfaces command on a
DirectAccess server to determine URL of the IP-HTTPS server and to verify that it is acting as an
IP-HTTPS server and the authentication method. The URL for the netsh interface httpstunnel
show interfaces command on both the DirectAccess client and server should be the same.
221
netsh interface istatap show state and netsh
interface istatap show router
These commands show the state and configuration of the Intra-Site Automatic Tunnel Addressing
Protocol (ISATAP) component on the ISATAP router (the DirectAccess server) or an ISATAP host.
Unlike 6to4, Teredo, and IP-HTTPS transition technologies, the DirectAccess Setup Wizard does
not configure a name or IPv4 address for an ISATAP router in Group Policy. Instead, it attempts to
register the name ISATAP and an assigned intranet IPv4 address with its DNS server. ISATAP
hosts on the intranet use the name ISATAP to resolve the IPv4 address of the ISATAP router (the
DirectAccess server).
The following is an example of output from the netsh interface istatap show state command on
a DirectAccess server.
ISATAP State : enabled
In this example, the DirectAccess server has the ISATAP component enabled.
The following is an example of output from the netsh interface istatap show router command
on the DirectAccess server.
Router Name : isatap.corp.contoso.com
In this example, the DirectAccess server has constructed the ISATAP router name from the name
ISATAP and the DNS suffix assigned to the computer (corp.contoso.com).
You use the netsh interface istatap show state and netsh interface istatap show router
commands on the DirectAccess server to ensure that it is configured to act as an ISATAP router.
You use the netsh interface istatap show state and netsh interface istatap show router
commands on an intranet node to ensure that it has a default configuration.
To determine if an ISATAP host has successfully configured an ISATAP-based address, use the
ipconfig command and look for an interface named Tunnel adapter isatap.ComputerDNSSuffix.
Ensure that it has been assigned an ISATAP-based IPv6 address that begins with 2 or 3 and a
default gateway.
----------------------------------------------------------------------
222
Auth1: ComputerCert
Auth2: UserNTLM
MM Offer: None-AES128-SHA256
Health Cert: No
----------------------------------------------------------------------
Auth1: ComputerCert
Auth2: UserNTLM
MM Offer: None-AES128-SHA256
Health Cert: No
----------------------------------------------------------------------
Auth1: ComputerCert
Auth2: UserKerb
MM Offer: None-AES128-SHA256
Health Cert: No
----------------------------------------------------------------------
223
Auth1: ComputerCert
Auth2: UserKerb
MM Offer: None-AES128-SHA256
Health Cert: No
----------------------------------------------------------------------
Auth1: ComputerCert
Auth2: UserKerb
MM Offer: None-AES128-SHA256
Health Cert: No
----------------------------------------------------------------------
Auth1: ComputerCert
Auth2: UserKerb
MM Offer: None-AES128-SHA256
Health Cert: No
Ok.
The following is an example of output from the netsh advfirewall monitor show mmsa
command on the DirectAccess server of the DirectAccess client.
Main Mode SA at 09/11/2009 10:44:03
----------------------------------------------------------------------
224
Remote IP Address: 2002:836b:65::836b:65
Auth1: ComputerCert
Auth2: UserNTLM
MM Offer: None-AES128-SHA256
Health Cert: No
----------------------------------------------------------------------
Auth1: ComputerCert
Auth2: UserNTLM
MM Offer: None-AES128-SHA256
Health Cert: No
----------------------------------------------------------------------
Auth1: ComputerCert
Auth2: UserKerb
MM Offer: None-AES128-SHA256
Health Cert: No
----------------------------------------------------------------------
225
Auth2 Remote ID: CORP\CLIENT2$
Auth1: ComputerCert
Auth2: UserKerb
MM Offer: None-AES128-SHA256
Health Cert: No
----------------------------------------------------------------------
Auth1: ComputerCert
Auth2: UserKerb
MM Offer: None-AES128-SHA256
Health Cert: No
Ok.
You can correlate the main mode SAs on the DirectAccess client and server through the Cookie
Pair.
You use the netsh advfirewall monitor show mmsa command to verify that the DirectAccess
client and server can successfully negotiate main mode Internet Protocol security (IPsec) SAs. If
there are no main mode IPsec SAs on the DirectAccess client after attempting to access an
intranet resource, investigate the inability to perform IPsec peer authentication with installed
certificates.
----------------------------------------------------------------------
226
Local Port: Any
Protocol: Any
Direction: Both
QM Offer: ESP:SHA1-AES192+60min+100000kb
PFS: None
----------------------------------------------------------------------
Protocol: Any
Direction: Both
QM Offer: ESP:SHA1-AES192+60min+100000kb
PFS: None
----------------------------------------------------------------------
Protocol: Any
Direction: Both
QM Offer: ESP:SHA256-None+60min+100000kb
PFS: None
----------------------------------------------------------------------
227
Remote Port: Any
Protocol: Any
Direction: Both
QM Offer: ESP:SHA1-AES192+60min+100000kb
PFS: None
Ok.
The following is an example of output from the netsh advfirewall monitor show qmsa
command on the DirectAccess server of the DirectAccess client.
Quick Mode SA at 09/11/2009 10:56:47
----------------------------------------------------------------------
Protocol: Any
Direction: Both
QM Offer: ESP:SHA1-AES192+60min+100000kb
PFS: None
----------------------------------------------------------------------
Protocol: Any
Direction: Both
QM Offer: ESP:SHA1-AES192+60min+100000kb
PFS: None
----------------------------------------------------------------------
228
Remote Port: Any
Protocol: Any
Direction: Both
QM Offer: ESP:SHA1-AES192+60min+100000kb
PFS: None
Ok.
You can correlate the quick mode SAs on the DirectAccess client and server through the local
and remote Internet Protocol (IP) address pairs and Quick Mode (QM) offers.
You use the netsh advfirewall monitor show qmsa command to verify that the DirectAccess
client and server can successfully negotiate quick mode IPsec SAs. If there are no quick mode
IPsec SAs on the DirectAccess client after attempting to access an intranet resource, investigate
the correlation of quick mode settings between the DirectAccess client, the DirectAccess server,
and the intranet node.
----------------------------------------------------------------------
Enabled: Yes
Profiles: Private,Public
Type: Dynamic
Mode: Tunnel
LocalTunnelEndpoint: Any
RemoteTunnelEndpoint: Any
Endpoint1: 2002:836b:2:1::/64
Endpoint2: 2002:836b:2:1:0:5efe:10.0.0.3-2002:836b:2:
1:0:5efe:10.0.0.3
Port1: Any
Port2: 443
Protocol: TCP
229
Action: NoAuthentication
ExemptIPsecProtectedConnections: No
ApplyAuthorization: No
----------------------------------------------------------------------
Enabled: Yes
Profiles: Private,Public
Type: Dynamic
Mode: Transport
Endpoint1: Any
Endpoint2: 2002:836b:2:1:0:5efe:10.0.0.3-2002:836b:2:
1:0:5efe:10.0.0.3
Protocol: Any
Action: RequestInRequestOut
Auth1: ComputerCert,ComputerKerb
Auth1CertMapping: No
Auth1ExcludeCAName: No
Auth1CertType: Root
Auth1HealthCert: No
Auth2: UserKerb
MainModeSecMethods: DHGroup2-AES128-SHA256,DHGroup2-AES128-SHA
1,DHGroup2-3DES-SHA1
QuickModeSecMethods: ESP:SHA256-None+60min+100000kb,AH:SHA256+6
0min+100000kb,AuthNoEncap:SHA256+60min+100000kb
----------------------------------------------------------------------
Enabled: Yes
Profiles: Private,Public
Type: Dynamic
Mode: Tunnel
230
LocalTunnelEndpoint: Any
RemoteTunnelEndpoint: 2002:836b:2::836b:2
Endpoint1: Any
Endpoint2: 2002:836b:2:1:200:5efe:157.60.79.2-2002:83
6b:2:1:200:5efe:157.60.79.2
Protocol: Any
Action: RequireInRequireOut
Auth1: ComputerCert
Auth1CertMapping: No
Auth1ExcludeCAName: No
Auth1CertType: Root
Auth1HealthCert: No
Auth2: UserNTLM
MainModeSecMethods: DHGroup2-AES128-SHA256,DHGroup2-AES128-SHA
1,DHGroup2-3DES-SHA1
QuickModeSecMethods: ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-AE
S128+60min+100000kb
ExemptIPsecProtectedConnections: No
ApplyAuthorization: No
----------------------------------------------------------------------
Enabled: Yes
Profiles: Private,Public
Type: Dynamic
Mode: Tunnel
LocalTunnelEndpoint: Any
RemoteTunnelEndpoint: 2002:836b:3::836b:3
Endpoint1: Any
Endpoint2: 2002:836b:2:1::/64
Protocol: Any
Action: RequireInRequireOut
231
Auth1: ComputerCert
Auth1CertMapping: No
Auth1ExcludeCAName: No
Auth1CertType: Root
Auth1HealthCert: No
Auth2: UserKerb
MainModeSecMethods: DHGroup2-AES128-SHA256,DHGroup2-AES128-SHA
1,DHGroup2-3DES-SHA1
QuickModeSecMethods: ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-AE
S128+60min+100000kb
ExemptIPsecProtectedConnections: No
ApplyAuthorization: No
----------------------------------------------------------------------
Enabled: Yes
Profiles: Private,Public
Type: Dynamic
Mode: Tunnel
LocalTunnelEndpoint: Any
RemoteTunnelEndpoint: 2002:836b:2::836b:2
Endpoint1: Any
Endpoint2: 2002:836b:2:1:0:5efe:10.0.0.1-2002:836b:2:
1:0:5efe:10.0.0.1
Protocol: Any
Action: RequireInRequireOut
Auth1: ComputerCert
Auth1CertMapping: No
Auth1ExcludeCAName: No
Auth1CertType: Root
232
Auth1HealthCert: No
Auth2: UserNTLM
MainModeSecMethods: DHGroup2-AES128-SHA256,DHGroup2-AES128-SHA
1,DHGroup2-3DES-SHA1
QuickModeSecMethods: ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-AE
S128+60min+100000kb
ExemptIPsecProtectedConnections: No
ApplyAuthorization: No
Ok.
You use the netsh advfirewall monitor show consec rule name=all command to verify that a
DirectAccess client, DirectAccess server, or selected server has been configured with the correct
connection security rules.
----------------------------------------------------------------------
corp.contoso.com
Public Profile:
----------------------------------------------------------------------
Unidentified network
Ok.
In this example, the DirectAccess server is attached to two networks (corp.contoso.com and
Unidentified network). The corp.contoso.com network is assigned the domain profile and the
Unidentified network is assigned the public profile.
You use the netsh advfirewall monitor show currentprofile command to determine the profiles
that are assigned to DirectAccess clients when troubleshooting network location detection and
the profiles assigned to a DirectAccess server when troubleshooting DirectAccess Setup Wizard
problems.
233
netsh interface ipv6 show interfaces
This command shows the set of IPv6 interfaces on a computer and their state. The following is an
example of the output from the netsh interface ipv6 show interfaces command on a
DirectAccess server.
Idx Met MTU State Name
You use the netsh interface ipv6 show interfaces command to quickly determine the set of
IPv6 interfaces and whether ISATAP, 6to4, Teredo, and IP-HTTPS tunneling interfaces are
present and their state (connected or disconnected).
----------------------------------------------
IfLuid : loopback_1
IfIndex : 1
State : connected
Metric : 50
DAD Transmits : 0
234
Site Prefix Length : 64
Site Id : 1
Forwarding : disabled
Advertising : disabled
----------------------------------------------
IfLuid : tunnel_4
IfIndex : 13
State : connected
Metric : 25
DAD Transmits : 0
Site Id : 1
Forwarding : enabled
Advertising : enabled
235
Neighbor Discovery : enabled
----------------------------------------------
IfLuid : tunnel_5
IfIndex : 14
State : connected
Metric : 25
DAD Transmits : 0
Site Id : 1
Forwarding : disabled
Advertising : disabled
236
Other Stateful Configuration : disabled
----------------------------------------------
IfLuid : ethernet_6
IfIndex : 11
State : connected
Metric : 20
DAD Transmits : 1
Site Id : 1
Forwarding : enabled
Advertising : disabled
237
Ignore Default Routes : disabled
----------------------------------------------
IfLuid : tunnel_6
IfIndex : 15
State : connected
Metric : 25
DAD Transmits : 0
Site Id : 1
Forwarding : enabled
Advertising : disabled
238
Force ARPND Wake up patterns : disabled
----------------------------------------------
IfLuid : tunnel_7
IfIndex : 16
State : connected
Metric : 50
DAD Transmits : 0
Site Id : 1
Forwarding : enabled
Advertising : disabled
239
----------------------------------------------
IfLuid : tunnel_8
IfIndex : 17
State : connected
Metric : 50
DAD Transmits : 1
Site Id : 1
Forwarding : enabled
Advertising : enabled
----------------------------------------------
IfLuid : ethernet_9
IfIndex : 12
State : connected
240
Metric : 20
DAD Transmits : 1
Site Id : 1
Forwarding : enabled
Advertising : disabled
You use the netsh interface ipv6 show interfaces level=verbose command on a DirectAccess
server to verify that forwarding has been enabled on the 6to4, Teredo, IP-HTTPS, ISATAP, and
local area network (LAN) interfaces and that advertising has been enabled on the IP-HTTPS and
ISATAP interfaces.
241
1
nterface
oso.com
face
nterface
com
com
udo-Interface
nterface
242
No Manual 256 ff00::/8 11 Corpnet
You use the netsh interface ipv6 show route command to troubleshoot reachability problems
for communication between DirectAccess clients and the DirectAccess server and between
DirectAccess clients and intranet resources. You can also use the netsh interface ipv6 show
route command to determine the IPv6 prefix that the DirectAccess server is advertising to IP-
HTTPS clients, which is the 64-bit route that begins with 2 or 3 and has the Gateway/Interface
Name of IPHTTPSInterface.
243
The Nslookup.exe Command Line Tool
You use the Nslookup.exe command line tool in DirectAccess to test whether intranet Domain
Name System (DNS) servers can respond to DNS queries of DirectAccess clients. However, you
must remember to specify the Internet Protocol version 6 (IPv6) address of the intranet DNS
server in the command line. The correct syntax is for using Nslookup.exe for DirectAccess
troubleshooting is nslookup IntranetFQDN IntranetDNSServerIPv6Address (example: nslookup
dc1.corp.contoso.com 2002:836b:2:1::5efe:10.0.0.1).
To emulate the behavior of the DirectAccess client, you can use the –q=aaaa command-line
parameter to request only IPv6 addresses in the response. The syntax is nslookup –q=aaaa
IntranetFQDN IntranetDNSServerIPv6Address (example: nslookup –q=aaaa
dc1.corp.contoso.com 2002:836b:2:1::5efe:10.0.0.1).
You can obtain the IPv6 address of your intranet DNS servers from the display of the netsh
namespace show effectivepolicy command.
Important
Nslookup.exe does not use the Name Resolution Policy Table (NRPT). If you do not
specify the IPv6 address of the intranet DNS server, Nslookup.exe will send its queries to
interface-configured DNS servers.
244
Default Gateway . . . . . . . . . :
In this example, the DirectAccess client is using 6to4 to reach the DirectAccess server (the
interface named Tunnel adapter 6TO4 Adapter has a 6to4-based IPv6 address and default
gateway).
245
The following is an example of the output from the ipconfig command on the DirectAccess server
in the DirectAccess test lab (http://go.microsoft.com/fwlink/?Linkid=150613).
Windows IP Configuration
Default Gateway . . . . . . . . . :
Default Gateway . . . . . . . . . :
Default Gateway . . . . . . . . . :
246
Default Gateway . . . . . . . . . :
Default Gateway . . . . . . . . . :
Default Gateway . . . . . . . . . :
Default Gateway . . . . . . . . . :
In this example, the DirectAccess server has an ISATAP address (on the interface named Tunnel
adapter isatap.corp.contoso.com) and is using 6to4, Teredo, and IP-HTTPS.
You can also use the Ipconfig.exe command line tool to display the contents of the Domain Name
System (DNS) Resolver cache with the ipconfig /displaydns command. From the contents of
the DNS Resolver cache, you can determine the results of resolving intranet resource names.
Note
The display of the ipconfig /displaydns command can also contain the results of DNS
queries for personal communications and care should be taken to preserve the privacy of
the computer user.
247
The following is an example of the output from the certutil –store my command on the
DirectAccess client in the DirectAccess test lab (http://go.microsoft.com/fwlink/?Linkid=150613).
================ Certificate 0 ================
Subject: CN=CLIENT2.corp.contoso.com
Non-root Certificate
Cert Hash(sha1): d2 48 b0 ac d0 75 d2 17 d3 a2 52 73 03 fb 6d 93 05 d6 c5 9c
d8a0337
You use the Certutil.exe command line tool for DirectAccess troubleshooting to determine the
subject, enhanced key usage (EKU), and certificate revocation list (CRL) distribution points fields
of installed certificates. Use the certutil -v –store my > cert.txt command and then view the
contents of the Cert.txt file.
Address: \\2002:836b:2:1:0:5efe:10.0.0.1
248
Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN
DNS_FOREST FULL_SECRET WS
You use the Nltest.exe command line tool (the nltest /dsgetdc: /force command) for
DirectAccess troubleshooting to determine whether DirectAccess clients, DirectAccess servers,
and intranet resources can locate and contact domain controllers for Internet Protocol security
(IPsec) authentication.
Snap-in Tools
Windows 7 and Windows Server 2008 R2 also provide a set of snap-ins to gather troubleshooting
information or modify settings to correct problems. The following snap-ins can be used for
DirectAccess troubleshooting:
• DirectAccess Management
• Group Policy Management Console and Editor
• Windows Firewall with Advanced Security
• Event Viewer
• Certificates
DirectAccess Management
With the Monitoring node of the DirectAccess Management snap-in, you can monitor the overall
status and obtain performance counters for DirectAccess server components.
249
Log files of the DirectAccess Management snap-in
For additional information about events and errors encountered by the Setup node of the
DirectAccess Management snap-in and the DirectAccess Setup Wizard, see the %SystemRoot
%\Tracing\DASetup.log file.
For additional information about events and errors encountered by the Monitoring node of the
DirectAccess Management snap-in, see the %SystemRoot%\Tracing\DAMontr.log file.
Warning
When you click the Monitoring node in the console tree, the DirectAccess Management
snap-in begins recording trace data in the DAMontr.log and continues until all instances
of the DirectAccess Management snap-in have been closed, including the DirectAccess
Management console in the Administrative Tools group, the DirectAccess Management
snap-in for a custom console, or from within Server Manager. This continuous tracing
adds 80 Megabytes (MB) of data per day to the DAMontr.log file, which can result a large
file size over time. The logging continues regardless of which node you select in the
DirectAccess Management console tree. When you close all instances of the
DirectAccess Management snap-in, run it again, then click the Monitoring node in the
console tree, the DirectAccess Management snap-in automatically deletes DaMontr.log
when the file size is larger than 10 MB. If you want to keep an instance of the
DirectAccess Management snap-in open continuously, you can create and run a script to
delete the DaMontr.log file at regular intervals.
250
NRPT rules
Rules in the NRPT that you configure in step 3 of the DirectAccess Setup Wizard are created in
the Computer Configuration\Policies\Windows Settings\Name Resolution Policy node of the
Group Policy object for DirectAccess clients.
Use the Group Policy Management Editor snap-in to verify the configuration of NRPT rules and
modify them as needed.
6to4 Relay Name Allows you to specify a 6to4 The first consecutive Internet
relay name for a 6to4 host. A Protocol version 4 (IPv4)
6to4 relay is used as a default address of the DirectAccess
gateway for IPv6 network traffic server’s Internet interface.
sent by the 6to4 host.
6to4 Relay Name Resolution Allows you to specify the N/A (not configured)
Interval interval at which the 6to4 relay
name is resolved.
Teredo Default Qualified Allows you to set Teredo to be Set to enabled state.
ready to communicate. By
default, Teredo enters a
dormant state when not in use.
The qualification process brings
it out of a dormant state.
Teredo Server Name Allows you to specify the name The first consecutive IPv4
of the Teredo server. address of the DirectAccess
server’s Internet interface.
Use the Group Policy Management Editor snap-in to verify the configuration of 6to4, Teredo, and
IP-HTTPS settings for DirectAccess clients and modify them as needed.
252
Setting name Description Value set by the DirectAccess
Setup Wizard
Corporate Site Prefix List The list of IPv6 addresses The IPv6 prefix of the intranet.
and prefixes that define the
address space of the
corporate network.
Domain Location The Secure Hypertext The URL specified during the
Determination URL Transfer Protocol (HTTPS)- DirectAccess Setup Wizard or
based URL of the network obtained from the Subject field of
location server. the certificate on the DirectAccess
server that was selected for
network location.
Use the Group Policy Management Editor snap-in to verify the configuration of these corporate
connectivity settings—most importantly for DirectAccess, the Domain Location Determination
URL setting—and modify them as needed.
Note
Use the Group Policy Management Editor snap-in only to view the connection security
rules. Because the DirectAccess Setup Wizard creates the connection security rules with
advanced settings for which there is no user interface equivalent, you must not modify
the connection security rules with the Group Policy Management Editor snap-in. Instead,
use netsh advfirewall consec set rule commands.
253
To use the Windows Firewall with Advanced Security snap-in
1. Click Start, type wf.msc, and then press ENTER.
2. In the console tree of the Windows Firewall with Advanced Security snap-in, double-
click Monitoring.
To view the active firewall rules, in the console tree, click Firewall.
To view the active connection security rules, in the console tree, click Connection
Security Rules.
To view the active main mode or quick mode SAs, in the console tree, double-click
Security Associations, and then click Main Mode or Quick Mode.
On a DirectAccess client, if there are active connection security rules whose names begin with
DirectAccess Policy, the DirectAccess client has determined that it is not connected to your
intranet. If there are active connection security rules but no main mode or quick mode SAs after
attempting to access an intranet resource, the DirectAccess client is unable to negotiate IPsec
protection with the DirectAccess server.
Event Viewer
Use the Event Viewer snap-in on a DirectAccess client to examine Windows events for
operational Internet Protocol security (IPsec) and Windows Firewall events, network location
detection events, and IPsec negotiation events.
254
and then view the events in the Event Viewer snap-in. To enable audit policies for IPsec
security negotiation, run the auditpol /set /subcategory:”IPsec Main Mode”,“IPsec
Extended Mode” /success:enable /failure:enable command at an elevated command
prompt.
Then, view events 4653, 4654 and 4984 in the Windows Logs\Security event log.
Certificates
Use the Certificates snap-in to view the properties of certificates in the computer store of a
DirectAccess client, DirectAccess server, intranet server, or the network location server.
255
General Methodology for Troubleshooting
DirectAccess Connections
DirectAccess connections initiated by DirectAccess clients occur in the following stages:
1. Internet Protocol version 6 (IPv6) connectivity to the DirectAccess server.
2. Negotiation of protection of DirectAccess traffic with the DirectAccess server (for the full
intranet and selected server access models).
3. IPv6 connectivity to the intranet resource.
4. Negotiation of protection of DirectAccess traffic with the intranet server (for the selected
server and end-to-end access models).
You can use the following process as a general methodology for incrementally stepping through
the DirectAccess connection requirements for a DirectAccess client on the Internet to
successfully access an intranet resource:
1. The DirectAccess client computer must be running Windows 7 Ultimate Edition,
Windows 7 Enterprise Edition, or Windows Server 2008 R2.
2. The DirectAccess client computer must be a member of an Active Directory Domain
Services (AD DS) domain and its computer account must be a member of one of the security
groups configured in step 1 of the DirectAccess Setup Wizard.
3. The DirectAccess client computer must have received computer configuration Group
Policy settings for DirectAccess.
To verify, use the Resultant Set of Policy snap-in to ensure that DirectAccess Policy-
{3491980e-ef3c-4ed3-b176-a4420a810f12} is listed for the computer configuration Group
Policy objects associated with the DirectAccess client computer.
4. The DirectAccess server computer must have received computer configuration Group
Policy settings for DirectAccess.
To verify, use the Resultant Set of Policy snap-in to ensure that DirectAccess Policy-
{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300} is listed for the computer configuration Group
Policy objects associated with the DirectAccess server computer.
5. The DirectAccess client must have a global IPv6 address.
Use the ipconfig command to display the Transmission Control Protocol/Internet Protocol
(TCP/IP) configuration. Is there an IPv6 address assigned to an interface that begins with 2 or
3?
If so, go to step 6.
If not, use the netsh interface 6to4 show relay, netsh interface teredo show state, and
netsh interface httpstunnel show interfaces commands on the DirectAccess client and
server to verify the configuration of 6to4, Teredo, and Internet Protocol over Secure Hypertext
Transfer Protocol (IP-HTTPS).
If the DirectAccess client is connected to the Internet Protocol version 4 (IPv4)
Notes
256
Adapter should also be assigned a default gateway. For a private IPv4 address, your
Teredo interface should be configured with an address that starts with 2001.
For IP-HTTPS, look at the Tunnel adapter iphttpsinterface. Unless you had a
native IPv6 infrastructure in place prior to running the DirectAccess Setup Wizard, the
Tunnel adapter iphttpsinterface should be configured with an address that starts
with 2002. For more information, see Cannot Reach the DirectAccess Server with IP-
HTTPS.
If you have configured force tunneling, only the Tunnel adapter iphttpsinterface will
be enabled.
For more information and additional troubleshooting steps, see Fixing Connectivity Issues
Between the DirectAccess Client and the DirectAccess Server over the Internet.
6. The DirectAccess client must be able to reach the IPv6 addresses of the DirectAccess
server.
Use the ipconfig command on the DirectAccess server to display the TCP/IP configuration.
Note the global IPv6 addresses of the DirectAccess server (those starting with 2 or 3). From
the DirectAccess client, ping any of the global IPv6 addresses of the DirectAccess server,
starting with the IPv6 addresses that begin with 2002.
If successful, go to step 7.
If not successful, troubleshoot the IPv6 reachability between the DirectAccess client and
server. For more information and additional troubleshooting steps, see Fixing Connectivity
Issues Between the DirectAccess Client and the DirectAccess Server over the Internet.
7. The intranet servers have a global IPv6 address.
Use the ipconfig command on the intranet server to display the TCP/IP configuration. Is
there an IPv6 address assigned to an interface that begins with 2 or 3?
If so, go to step 8.
If not, troubleshoot the IPv6 infrastructure on your intranet. For Intra-Site Automatic Tunnel
Addressing Protocol (ISATAP), ensure that your Domain Name System (DNS) servers
running Windows Server 2008 with Service Pack 2 or later have the name ISATAP removed
from their global query block lists. Additionally, verify that the DirectAccess server has
registered an ISATAP A record in the intranet DNS. For additional information and
troubleshooting steps, see DirectAccess Client Cannot Access Intranet Resources.
Note
If you are using an IPv6/IPv4 translator such as a NAT64, the intranet server might
not have a global IPv6 address. In this case, ensure that the NAT64 has a global
IPv6 address.
8. The DirectAccess client on the Internet must correctly determine that it is not on the
intranet.
Type the netsh dnsclient show state command. The determined network location is
displayed in the Machine Location field (Outside corporate network or Inside corporate
network).
257
If the DirectAccess client has correctly determined that it is outside the corporate network (not
on the intranet), go to step 9.
If the DirectAccess client has incorrectly determined that it is inside the corporate network (on
the intranet), use the netsh namespace show policy command to display the Name
Resolution Policy Table (NRPT) rules configured through Group Policy. There should be
NRPT rules for the intranet namespace and an exemption rule for the fully qualified domain
name (FQDN) of the network location server.
Determine the network location uniform resource locator (URL) from the reg query
HKLM\software\policies\microsoft\windows\NetworkConnectivityStatusIndicator\Corpo
rateConnectivity /v DomainLocationDeterminationUrl command.
Determine whether the FQDN from this URL either does not match the DNS suffix for your
intranet namespace in the NRPT or matches an exemption rule in the NRPT.
For additional information and troubleshooting steps, see DirectAccess Client Determines
that it is on the Intranet When on the Internet.
9. The DirectAccess client must not be assigned the domain firewall profile.
Use the netsh advfirewall monitor show currentprofile command to display the attached
networks and their determined firewall profiles. None of your networks should be assigned
the domain profile.
If none of your networks have been assigned the domain profile, go to step 10.
If any of your networks has been assigned the domain profile, determine if you have an active
remote access virtual private network (VPN) connection or a domain controller that is
available on the Internet.
10. The DirectAccess client must have IPv6 reachability to its intranet DNS servers.
From the display of the netsh namespace show effectivepolicy command, obtain the IPv6
addresses of your intranet DNS servers. Ping these IPv6 addresses from the DirectAccess
client.
If successful, go to step 11.
If not successful, troubleshoot the IPv6 reachability between the DirectAccess client and the
intranet DNS servers.
Ensure that your DirectAccess server has only a single IPv4 default gateway that is
configured on the Internet interface. Also ensure that your DirectAccess server has been
configured with the set of IPv4 routes on the intranet interface that allow it to access all of the
IPv4 destinations of your intranet.
The use of the Ping.exe tool assumes the default global Internet Protocol security
Note
(IPsec) settings that exempt Internet Control Message Protocol (ICMP) traffic from
IPsec protection.
11. The DirectAccess client must be able to use intranet DNS servers to resolve intranet
FQDNs.
Use the nslookup –q=aaaa IntranetFQDN IntranetDNSServerIPv6Address command to
resolve the names of intranet servers (example: nslookup –q=aaaa dc1.corp.contoso.com
258
2002:836b:2:1::5efe:10.0.0.1). The Nslookup.exe tool should display the IPv6 addresses of
the specified intranet server.
If the Nslookup.exe tool performs successful name resolution, go to step 12.
If there is no response from the intranet DNS server, test DNS name resolution from an
intranet computer with the nslookup –q=aaaa IntranetFQDN
IntranetDNSServerIPv6Address command. If there is no response, ensure that the DNS
Server service on Windows-based DNS servers is listening on its assigned IPv6 addresses.
Use the Interfaces tab for the properties of the DNS server in the DNS Manager snap-in.
Otherwise, go to step 14.
If the name was not found, determine why the corresponding AAAA record is not in your
intranet DNS.
For additional information and troubleshooting steps, see DirectAccess Client Cannot
Resolve Names with Intranet DNS Servers.
12. The DirectAccess client must have reachability to the intranet servers.
Use the Ping.exe tool to ping the IPv6 addresses of intranet servers.
If successful, go to step 13.
If not successful, troubleshoot the IPv6 reachability between the DirectAccess client and the
intranet servers.
Note
The use of the Ping.exe tool assumes the default global IPsec settings that exempt
ICMP traffic from IPsec protection.
13. The DirectAccess client must be able to communicate with intranet servers using
application layer protocols.
Use the appropriate program to access the intranet server. If File and Printer Sharing is
enabled on the intranet server, test application layer protocol access with the net
view \\IntranetFQDN command. The application on the DirectAccess client must be IPv6-
capable. If not, you must use an intermediate NAT64/DNS64, such as the Microsoft Forefront
Unified Access Gateway (UAG) 2010.
If not successful, go to step 14.
14. For the end-to-edge or selected server access models, the DirectAccess client must be
able to successfully negotiate main mode and quick mode IPsec security associations (SAs)
with the DirectAccess server for the infrastructure tunnel.
On the DirectAccess client, ensure that the Windows Firewall service is running using the
Services snap-in or the sc query mpssvc command at a Windows command prompt. If you
are using a third-party host firewall, see DirectAccess and Third-party Host Firewalls.
On the DirectAccess client, use the Windows Firewall with Advanced Security snap-in or the
netsh advfirewall monitor show mmsa and netsh advfirewall monitor show qmsa
commands to determine if there are main mode and quick mode SAs to the IPv6 address
2002:WWXX:YYZZ::WWXX:YYZZ. WWXX:YYZZ is the colon-hexadecimal representation of
the first consecutive IPv4 address assigned to the Internet interface of the DirectAccess
259
server. For example, for 131.107.0.1, the corresponding IPv6 address is 2002:836b:1::836b:1
(131=0x83, 107=0x6b).
If successful, go to step 15.
If not successful, use the nltest /dsgetdc: /force command on the DirectAccess server to
ensure that it can access a domain controller. If there are no domain controllers listed,
troubleshoot the lack of discoverability and connectivity between the DirectAccess server and
an Active Directory domain controller.
Ensure that the DirectAccess client and DirectAccess server have the proper certificates for
IPsec peer authentication.
If the proper certificates are installed on the DirectAccess client and DirectAccess server, use
Windows Firewall tracing on the DirectAccess client and analyze the contents of the
Wfpdiag.xml file. For more information, see Network Diagnostics and Tracing.
15. For the end-to-edge or selected server access models, the DirectAccess client must be
able to successfully negotiate main mode and quick mode IPsec SAs with the DirectAccess
server for the intranet tunnel.
Verify that you have logged on to the DirectAccess client computer with a domain account.
Local computer accounts do not have the credentials to authenticate the intranet tunnel.
On the DirectAccess client, use the Windows Firewall with Advanced Security snap-in or the
netsh advfirewall monitor show mmsa and netsh advfirewall monitor show qmsa
commands to determine if there are main mode and quick mode SAs to the IPv6 address
2002:RRSS:TTUU::RRSS:TTUU. RRSS:TTUU is the colon-hexadecimal representation of
the second consecutive IPv4 address assigned to the Internet interface of the DirectAccess
server.
If the SAs exist and you are using an IPv6/IPv4 translator such as NAT64 to reach the
intranet server, verify that the IPv6/IPv4 translator supports translating the application
protocol. Some protocols embed IP address information in the packet payload and cannot be
used across some IPv6/IPv4 translators.
If successful, go to step 16.
If not successful, use the nltest /dsgetdc: /force command on the DirectAccess server to
ensure that it has access to a domain controller. If there are no domain controllers listed,
troubleshoot the lack of discoverability and connectivity between the DirectAccess server and
Active Directory.
Use the nltest /dsgetdc: /force command on the DirectAccess client to ensure that it has
access to a domain controller. If there are no domain controllers listed, ensure that the IPv6-
capable domain controllers that are being used by DirectAccess clients are using site-less
locator records in DNS.
Ensure that the DirectAccess client and DirectAccess server have the proper certificates for
IPsec peer authentication.
If the proper certificates are installed on the DirectAccess client and DirectAccess server, use
Windows Firewall tracing on the DirectAccess client and analyze the contents of the
Wfpdiag.xml file. For more information, see Network Diagnostics and Tracing.
260
For additional information and troubleshooting steps, see DirectAccess Client Cannot
Establish Tunnels to the DirectAccess Server.
16. For the end-to-end access model or the selected servers in the selected server access
model, the DirectAccess client must be able to successfully negotiate main mode and quick
mode IPsec SAs with the intranet or selected server.
On the DirectAccess client, use the Windows Firewall with Advanced Security snap-in or the
netsh advfirewall monitor show mmsa and netsh advfirewall monitor show qmsa
commands to determine if there are main mode and quick mode SAs to the IPv6 address of
the intranet or selected server.
If not successful, use the nltest /dsgetdc: /force command on the intranet or selected server
to ensure that it has access to a domain controller. If there are no domain controllers listed,
troubleshoot the lack of discoverability and connectivity between the intranet or selected
server and Active Directory.
Use the nltest /dsgetdc: /force command on the DirectAccess client to ensure that it has
access to a domain controller. If there are no domain controllers listed, ensure that the IPv6-
capable domain controllers that are being used by DirectAccess clients are using Service
Location (SRV) records in DNS that are not specific to an Active Directory site.
Ensure that the DirectAccess client and intranet or selected server have the proper
certificates for IPsec peer authentication.
If the proper certificates are installed on the DirectAccess client and intranet or selected
server, use Windows Firewall tracing on the DirectAccess client and analyze the contents of
the Wfpdiag.xml file. For more information, see Network Diagnostics and Tracing.
For additional information and troubleshooting steps, see Fixing Problems with Creating
Protected Connections to an Intranet Resource.
To troubleshoot DirectAccess connections on the DirectAccess client using the DirectAccess
Connectivity Assistant (DCA), see Using the DCA Software.
261
See Fixing Issues with Network Location Detection.
The current security context is not associated The DirectAccess server cannot reach a
or accessible to Active Directory Domain domain controller of the domain in which it is a
Services (AD DS). member. Verify the connection to your intranet
and name resolution and reachability to an
intranet domain controller.
The Active Directory domain is unreachable. The DirectAccess server cannot reach a
Unable to get domain information. domain controller of the domain in which it is a
member. Verify the connection to your intranet
and name resolution and reachability to an
intranet domain controller.
The DirectAccess server must have two or The DirectAccess server requires two physical
more physical network interfaces. Verify that network adapters corresponding to two local
you have two or more interfaces and then try area network (LAN) or wireless LAN (WLAN)
262
Error message Error condition and the steps to correct
At least two network interfaces must be The network connections corresponding to the
configured with static IP addresses. Please network adapters for the DirectAccess server’s
contact the network administrator to obtain and connection to the Internet and intranet must be
assign static IP addresses to this server. configured with static Internet Protocol version 4
(IPv4) addresses. They cannot use the Dynamic
Host Configuration Protocol (DHCP) to obtain
an IPv4 address configuration.
The DirectAccess server must have two At least one of the network connections
consecutive public IPv4 addresses configured corresponding to the network adapters installed
on the same physical interface. Configure IPv4 in the DirectAccess server must have two,
addresses and try again. consecutive public IPv4 addresses statically
assigned. These two consecutive addresses are
needed by the DirectAccess server to act as a
Teredo server. Obtain two consecutive
addresses and assign them to a network
adapter on the DirectAccess server.
Note
The DirectAccess Management console
sorts the public IPv4 addresses
alphabetically. Therefore, the
DirectAccess Management console
does not consider the following sets of
addresses as consecutive: w.x.y.9 and
w.x.y.10, which is sorted as w.x.y.10,
w.x.y.9; w.x.y.99 and w.x.y.100, which is
sorted as w.x.y.100, w.x.y.99; w.x.y.1,
w.x.y.2, and w.x.y.10, which is sorted as
w.x.y.1, w.x.y.10, w.x.y.2. Use a different
set of consecutive addresses.
For additional information about events and errors encountered by the DirectAccess Management
snap-in, see the %SystemRoot%\Tracing\DASetup.log file.
For more information about the configuration requirements of the DirectAccess server, see
Appendix A: DirectAccess Requirements and Checklist: Preparing Your DirectAccess Server.
263
Fixing Problems Encountered during the
Steps of the DirectAccess Setup Wizard
The following sections describe problems that you might encounter on the pages of the
DirectAccess Setup Wizard in the DirectAccess Management snap-in and how to correct them.
For additional information about events and errors encountered by the DirectAccess Setup
Wizard, see the %SystemRoot%\Tracing\DASetup.log file.
Connectivity page
On the Connectivity page, you select the interface that is connected to the Internet, the interface
that is connected to the intranet (internal network), and specify whether you want to require smart
cards for an additional level of authorization for access to the intranet.
The following table lists most typical error messages you might see when selecting the Internet or
intranet (internal network) interface.
The Internet interface must have two The interface that you select must have two,
consecutive global Internet Protocol version 4 consecutive public IPv4 addresses statically
(IPv4) addresses configured. Select an assigned. These two consecutive addresses are
interface with two consecutive global IPv4 needed by the DirectAccess server to act as a
addresses. Teredo server.
Note
The DirectAccess Management console
sorts the public IPv4 addresses
alphabetically. Therefore, the
DirectAccess Management console
does not consider the following sets of
addresses as consecutive: w.x.y.9 and
w.x.y.10, which is sorted as w.x.y.10,
w.x.y.9; w.x.y.99 and w.x.y.100, which is
sorted as w.x.y.100, w.x.y.99; w.x.y.1,
w.x.y.2, and w.x.y.10, which is sorted as
w.x.y.1, w.x.y.10, w.x.y.2. Use a different
264
Error message Error condition and the steps to correct
The Internet interface must not be classified as The interface that you have specified for the
a domain network. Internet is connected to a network that contains
a domain controller (the network has been
assigned the domain firewall profile). The
Internet interface must be connected to a
network that has been assigned the Public or
Private profiles. Select a different interface or
add outbound packet filters to the selected
interface that block connectivity to the IP
addresses of the domain controllers. For more
information, see Configure Packet Filters to
Block Access to Domain Controllers.
You can use the netsh advfirewall monitor
show currentprofile command to display the
networks to which your computer is attached
and their assigned profiles. Then, use the
Network Connections window to determine the
networks to which the interfaces are connected.
The internal network interface must be The interface that you have specified for the
classified as a domain network. intranet (internal network) is connected to a
network that has been assigned the Private or
Public firewall profile. The intranet interface
must be connected to a network that has been
assigned the Domain profile, which contains a
domain controller. Select a different interface.
You can use the netsh advfirewall monitor
show currentprofile command to display the
networks to which your computer is attached
and their assigned profiles. Then, use the
Network Connections window to determine the
networks to which the interfaces are connected.
The internal network interface does not have The intranet (internal network) interface must be
Domain Name System (DNS) server settings manually configured with the IPv4 or IPv6
configured. Select an interface with DNS server addresses of at least one intranet DNS server.
settings configured. Select another interface or manually configure
the appropriate interface with the IPv4 or
Internet Protocol version 6 (IPv6) addresses of
at least one intranet DNS server.
The internal network interface does not have a The intranet (internal network) interface must be
265
Error message Error condition and the steps to correct
IPv6 was detected on your Internet interface. Your Internet interface has a native IPv6
DirectAccess setup will apply settings without address assigned. The DirectAccess Setup
considering the IPv6 settings on the Internet Wizard will configure IPv6 for the intranet
interface. without regard to the IPv6 configuration of the
Internet interface.
However, you will need to configure packet
filters on the Internet interface to prevent the
Internet interface from being assigned the
Domain firewall profile. For more information,
see Configure Packet Filters to Block Access to
Domain Controllers.
The IPv6 prefix you provided for the internal You have not specified a valid global or unique
network is not valid. Provide a valid IPv6 prefix. local address prefix for your organization.
The IPv6 prefix you provided to assign to the You have not specified a valid 64-bit global or
IPv6 addresses of remote client computers is unique local address prefix for your IP-HTTPS-
not valid. Provide a valid IPv6 prefix. based DirectAccess clients.
The network prefix you provided to assign to The 64-bit prefix for your IP-HTTPS-based
IPv6 addresses must be a subset of the internal DirectAccess clients must be based on the IPv6
network IPv6 prefix. Provide a valid IPv6 prefix. prefix for your organization. For example, if your
intranet IPv6 prefix is 2001:db8:4ac1::/48, your
64-bit prefix must be of the form
2001:db8:4ac1:xxxx::/64.
266
Certificate Components page
On the Certificate Components page, you select a root or intermediate certificate for IPsec
authentication and the certificate used by the DirectAccess server for client-based authentication
of IP-HTTPS connections.
The following table lists the most common error messages you might see when specifying the IP-
HTTPS certificate.
The selected certificate has a subject name that The certificate that you selected does not have
is not valid. Select a certificate with a valid a valid value in the Subject field. A valid Subject
subject name. field is required to configure DirectAccess
clients with a Secure Hypertext Transfer
Protocol (HTTPS)-based uniform resource
locator (URL) of the IP-HTTPS server (the
DirectAccess server). To see the value of the
Subject field, use the Certificates snap-in for the
local computer store, obtain properties of the
certificate, and then click the Details tab.
The selected certificate does not have a subject The certificate that you selected does not have
name. Select a certificate with a subject name. a value in the Subject field. The Subject field is
or required to configure DirectAccess clients with
an HTTPS-based URL of the IP-HTTPS server
The selected certificate does not contain a
(the DirectAccess server).
subject name.
The selected certificate does not have Server The certificate that you selected does not have
Authentication Enhanced Key Usage enabled. the Server Authentication object identifier (OID)
in the Enhanced Key Usage (EKU) field. The
Server Authentication OID is required by the
DirectAccess server to perform HTTPS-based
authentications as the IP-HTTPS server. Select
a certificate with a Server Authentication OID or
obtain a new certificate with a Server
Authentication OID. To see the value of the EKU
field, use the Certificates snap-in for the local
computer store, obtain properties of the
certificate, and then click the Details tab.
Unable to resolve the subject name of the The DirectAccess Setup Wizard cannot resolve
certificate to a valid Internet Protocol (IP) the fully qualified domain name (FQDN) in the
address. Subject field of the selected certificate. Select a
certificate with a resolvable FQDN in the
267
Error message Error condition and the steps to correct
Location page
On the Location page, you specify the HTTPS-based URL of the network location server or you
specify that the DirectAccess server is the network location server and the certificate to use for
HTTPS authentication.
For the HTTPS-based URL of the network location server, ensure the following:
• You are specifying an HTTPS-based URL, rather than a Hypertext Transfer Protocol
(HTTP)-based URL.
• The URL is valid and can be reached from the DirectAccess server. To test reachability,
click Verify or type the URL in your Web browser on the DirectAccess server. You should be
able to view the Web page with no errors in the certificate authentication.
• If you are using an IP address in the FQDN portion of the URL, it must be an IPv6
address and it must be reachable by the DirectAccess server over IPv6.
If you have selected the DirectAccess server as the network location server, you might see the
message The IP and Domain Restrictions role service of the Web Server (IIS) role must be
installed for network location to work properly on the DirectAccess server. Install this role
service and try again. The IP and Domain Restrictions role service prevents DirectAccess
clients on the Internet from reaching the network location URL on the DirectAccess server.
Additionally, you cannot select the certificate that you are using for IP-HTTPS as the network
location server certificate. Select another certificate or obtain an additional certificate with the
Server Authentication OID. For more information about the network location certificate
requirements, see Design Your PKI for DirectAccess.
268
addresses of the DNS servers. When you add new NRPT exemption rules, you must specify the
FQDN.
When configuring NRPT rules, ensure that:
• You are using a valid DNS suffix or FQDN.
• The FQDN for an exemption rule can be resolved to its IPv4 or IPv6 address. To test this,
try to ping the name in a Command Prompt window.
When configuring the IP addresses for DNS servers, ensure the following:
• They are not duplicated for a rule.
• That the DNS server is available on the network and is responding to DNS queries. To
test this, use the nslookup IntranetName DNSServerIPAddress command in a Command
Prompt window.
Registration of Intra-Site Automatic Tunnel The DirectAccess server computer cannot use
Addressing Protocol (ISATAP) in Domain Name DNS dynamic update to create an Address (A)
System (DNS) failed. record in its DNS server for the name ISATAP.
This most commonly occurs when using a DNS
server that is not running Windows.
Troubleshoot DNS dynamic update between the
DirectAccess server and its configured DNS
server.
Membership in the local Administrators group, You must log on to the DirectAccess server
or equivalent, is the minimum required to computer with a user account that has local
complete this operation. administrator privileges.
269
Error message Error condition and the steps to correct
DirectAccess server configuration failed The IP-HTTPS interface is not active. Use the
because the IP-HTTPS interface cannot be netsh interface httpstunnel show interfaces
configured. command to display the state of the IP-HTTPS
interface.
DirectAccess server configuration failed The 6to4 service is not active. Use the netsh
because the 6to4 interface is not operational. interface 6to4 show state command to display
the state of the 6to4 service. If needed, start the
6to4 service with the netsh interface 6to4 set
state enabled command.
DirectAccess server configuration failed The Teredo service is not active. Use the netsh
because the Teredo interface is not operational. interface teredo show state command to
display the state of the Teredo service. If
needed, start the Teredo service with the netsh
interface teredo set state default command.
If you see the DirectAccess server configuration failed. message, ensure that the Internet and
intranet interfaces have been configured with different connection-specific DNS suffixes. The
connection-specific DNS suffix of the intranet interface should be the DNS suffix of the Active
Directory domain of the DirectAccess server. A specific DNS suffix for the Internet interface is not
needed, but it must be different than the DNS suffix of the intranet interface.
If you see the DirectAccess server configuration failed. message, see the %SystemRoot
%\Tracing\DASetup.log file for additional information about events and errors encountered by the
DirectAccess Setup Wizard. For example, if the DirectAccess server cannot register the IPv6
Address (AAAA) record for corpConnectivityHost.DomainName and the IPv6 address of ::1 with a
DNS server that is not running Windows, the DirectAccess Setup Wizard displays the
DirectAccess server configuration failed. message
270
Fixing Connectivity Issues Between the
DirectAccess Client and the DirectAccess
Server over the Internet
The typical problems with connectivity issues between the DirectAccess client and the
DirectAccess server over the Internet are the following:
• Cannot Reach the DirectAccess Server from the IPv6 Internet
• Cannot Reach the DirectAccess Server with 6to4
• Cannot Reach the DirectAccess Server with Teredo
• Cannot Reach the DirectAccess Server with IP-HTTPS
• DirectAccess Client Connection is Slow
271
To troubleshoot connectivity from a DirectAccess client on the IPv6 Internet to the
DirectAccess server
1. On the DirectAccess client, start a command prompt as an administrator.
2. From the Command Prompt window, run the netsh –c advfirewall command.
3. From the netsh advfirewall prompt, run the set store
gpo=”DomainName\DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}”
command.
4. From the netsh advfirewall prompt, run the consec show rule
name=”DirectAccess Policy-ClientToDnsDc” command.
5. From the netsh advfirewall prompt, run the exit command.
6. From the Command Prompt window, ping the IPv6 address in
RemoteTunnelEndpoint. This is the IPv6 address of the DirectAccess server for the
infrastructure tunnel.
If you cannot reach this IPv6 address, use the tracert –d IPv6Address command to trace
the route to the destination.
7. From the Command Prompt window, run the netsh advfirewall consec show rule
name=”DirectAccess Policy-ClientToCorp” command.
8. From the Command Prompt window, ping the IPv6 address in
RemoteTunnelEndpoint. This is the IPv6 address of the DirectAccess server for the
intranet tunnel.
If you cannot reach this IPv6 address, use the tracert –d IPv6Address command to trace
the route to the destination.
272
On the IPv4 Internet, there must be a routing path between the DirectAccess client and server
that allows IPv4 protocol 41 traffic. If the traffic is also traveling on the IPv6 Internet, there must
be a routing path between the DirectAccess client and server that allows the following types of
traffic:
• Internet Control Message Protocol for IPv6 (ICMPv6) (IPv6 Next Header value of 58)
• Internet Key Exchange (IKE)/Authenticating Internet Protocol (AuthIP) (User Datagram
Protocol [UDP] port 500)
• Internet Protocol security (IPsec) Encapsulating Security Payload (ESP) (IPv6 Next
Header value of 50)
Note
273
This command should display default or enabled in 6to4 Service State.
The 6to4 service state should not show disabled. A value of disabled means that the
DirectAccess client will never bring up a 6to4 interface. A value of default means that the
DirectAccess client will bring up a 6to4 interface if it does not have a global IPv6 address
assigned already and it has a public IPv4 address. A value of enabled means that the
DirectAccess client will bring up a 6to4 interface whenever it has a public IPv4 address
assigned.
6. From the Command Prompt window, run the netsh –c advfirewall command.
7. From the netsh advfirewall prompt, run the set store
gpo=”DomainName\DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}”
command.
8. From the netsh advfirewall prompt, run the consec show rule
name=”DirectAccess Policy-ClientToDnsDc” command.
9. From the netsh advfirewall prompt, run the exit command.
10. From the Command Prompt window, note the IPv6 address in
RemoteTunnelEndpoint.
11. From the Command Prompt window, run the route print command.
The IPv6 route table should have ::/0 route with the Gateway address set to the IPv6
address in step 8. The IPv6 route table should also have 2002::/16 route with the
Gateway address set to On-link.
274
never bring up a 6to4 interface. A value of default means that the DirectAccess server
will bring up a 6to4 interface if it does not have a global IPv6 address assigned already
and it has a public IPv4 address. A value of enabled means that the DirectAccess server
will bring up a 6to4 interface whenever it has a public IPv4 address assigned.
5. From the Command Prompt window, run the route print command.
The IPv6 route table should have 2002::/16 route with the interface index of the Microsoft
6to4 Adapter and the Gateway address set to On-link.
275
Cannot Reach the DirectAccess Server with
Teredo
If the DirectAccess client is on the Internet Protocol version 4 (IPv4) Internet, is not on the
Internet Protocol version 6 (IPv6) Internet, and has a private IPv4 address assigned to a local
area network (LAN) interface, the DirectAccess client attempts to use Teredo to encapsulate IPv6
traffic sent to the DirectAccess server.
If the DirectAccess server is on the IPv4 Internet (the DirectAccess tunnel endpoints are 6to4
addresses that have the form 2002:WWXX:YYZZ::WWXX:YYZZ, where WWXX:YYZZ is the
colon hexadecimal representation of w.x.y.z, a public IPv4 address), the DirectAccess client
encapsulates IPv6 traffic directly to the DirectAccess server. If the DirectAccess server is only on
the IPv6 Internet (the DirectAccess tunnel endpoints are not 6to4 addresses), the DirectAccess
client encapsulates IPv6 traffic and sends it to a Teredo relay. The Teredo relay then forwards the
native IPv6 traffic across the IPv6 Internet to the DirectAccess server.
On the IPv4 Internet, there must be a routing path between the DirectAccess client and server
that allows User Datagram Protocol (UDP) destination port 3544 traffic for Teredo-encapsulated
traffic to the DirectAccess server and UDP source port 3544 traffic for Teredo-encapsulated traffic
from the DirectAccess server.
If the traffic is also traveling on the IPv6 Internet, there must be a routing path between the
DirectAccess client and server that allows the following types of traffic:
• Internet Control Message Protocol for IPv6 (ICMPv6) (IPv6 Next Header value of 58)
• Internet Key Exchange (IKE)/Authenticating Internet Protocol (AuthIP) (User Datagram
Protocol [UDP] port 500)
• Internet Protocol security (IPsec) Encapsulating Security Payload (ESP) (IPv6 Next
Header value of 50)
276
If the DisabledComponents registry value is present, the command displays its value. If
the DisabledComponents registry value is not present, the command displays ERROR:
The system was unable to find the specified registry key or value.
If DisabledComponents is present and it is not 0, convert it to a binary number. If the first
or fourth bit from the right in the binary number is 1, DisabledComponents has disabled
Teredo. You must change the first and fourth bit from the right to 0 to enable Teredo.
5. From the Command Prompt window, run the reg query
HKLM\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition /v
Teredo_ServerName command.
This command should display the first consecutive public IPv4 address of the
DirectAccess server’s Internet interface. If there is no IPv4 address, your DirectAccess
client has not been properly configured with the Group Policy settings for DirectAccess
clients.
6. From the Command Prompt window, run the netsh interface teredo show state
command.
This command should display enterpriseclient or client in Type and the first
consecutive public IPv4 address of the DirectAccess server’s Internet interface in Server
Name. See the following table for information about the Teredo client state.
If the Teredo state is offline and the error state is Teredo server is unreachable over UDP, UDP
port 3544 traffic may be blocked somewhere between the DirectAccess client and the
DirectAccess server due to the following:
• A third-party host firewall that is running on the DirectAccess client.
• An intermediate router or network firewall between the DirectAccess client and the
DirectAccess server. It is a common practice in organizations to block unexpected UDP traffic
with their Internet firewalls.
277
Another possibility is that the DirectAccess server is not available. See “To troubleshoot
connectivity from a Teredo-based DirectAccess client on the IPv4 Internet to the DirectAccess
server” in this topic.
If the Teredo state is offline and the error state is Client is in a managed network, the
DirectAccess client has detected a local Active Directory domain. In this case, the Teredo client
will not bring up the Teredo tunnel adapter unless the Teredo client has been configured as an
enterprise client. You can view the Teredo client type from the netsh interface teredo show
state command. If set to client, a reachable domain controller will prevent Teredo from becoming
active. If it set to enterpriseclient, Teredo will be active even when a domain controller is
reachable. You can change a Teredo client from client to enterpriseclient with the Computer
Configuration\Policies\Administrative Templates\Network\TCPIP Settings\IPv6 Transition
Technologies\Teredo State setting of the Group Policy object for DirectAccess clients or for an
individual DirectAccess client with the netsh interface teredo set state enterpriseclient
command.
278
number of entries in the neighbor cache is comparable to the value of the Neighbor
Cache Limit field, you might have run out of space to store neighbor cache entries for
additional Teredo-based DirectAccess clients. To increase the number of entries allowed
in the neighbor cache, run the netsh interface ipv6 set global
neighborcachelimit=Maximum command, in which Maximum is the maximum number of
expected Teredo-based DirectAccess clients.
279
11. If the DirectAccess client cannot connect to an intranet resource using a specific
application, use the Windows Firewall with Advanced Security snap-in on the
DirectAccess client to determine if there is an inbound rule for the application’s traffic. If
there is, right-click the rule, click the Advanced tab, then check the Edge traversal
setting. If it is set to Block edge traversal, change the setting to the appropriate level for
the application.
280
If DisabledComponents is present and it is not 0, convert it to a binary number. If the first
bit from the right in the binary number is 1, DisabledComponents has disabled IP-HTTPS.
You must change the first bit from the right to 0 to enable IP-HTTPS.
3. From the Command Prompt window, run the netsh interface httpstunnel show
interfaces command.
This command should display client in Role and the IP-HTTPS URL in URL.
4. If the netsh interface httpstunnel show interfaces command displays More data
is available, your IP-HTTPS URL is longer than 256 characters. Run the reg delete
HKLM\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition\iphttps\iphttpsi
nterface /f command, install an IP-HTTPS certificate on the DirectAccess server that has
a Subject field value less than 235 characters, configure the DirectAccess server with the
DirectAccess Setup Wizard to use the new certificate, apply the DirectAccess server
settings, and update the computer configuration Group Policy on your DirectAccess
clients. For more information, see Install an IP-HTTPS Certificate.
If the DirectAccess client is on an intranet behind a proxy server, it must be able to locate and use
the intranet proxy server for IP-HTTPS-based connections. To quickly check this, use your
Internet browser and attempt to reach an Internet website (such as www.microsoft.com). If
successful, the DirectAccess client has determined the proper intranet proxy server. If not
successful accessing any Internet locations, perform the following procedure.
If you must reconfigure the proxy server settings after leaving the intranet, repeat the previous
procedure with the original proxy settings.
281
You must change the first bit from the right to 0 to enable IP-HTTPS.
3. From the Command Prompt window, run the netsh interface httpstunnel show
interfaces command.
This command should display server in Role, the IP-HTTPS URL in URL, and IPHTTPS
interface active in Interface Status.
4. If the netsh interface httpstunnel show interfaces command displays More data
is available, your IP-HTTPS URL is longer than 256 characters. Run the reg delete
HKLM\CurrentControlSet\services\iphlpsvc\Parameters\IPHTTPS\IPHTTPSInterface
/f command, install an IP-HTTPS certificate on the DirectAccess server that has a
Subject field value less than 235 characters, configure the DirectAccess server with the
DirectAccess Setup Wizard to use the new certificate, apply the DirectAccess server
settings, and update the computer configuration Group Policy on your DirectAccess
server. For more information, see Install an IP-HTTPS Certificate.
282
9. From the netsh advfirewall prompt, run the consec show rule
name=”DirectAccess Policy-ClientToDnsDc” command.
10. From the netsh advfirewall prompt, run the exit command.
11. From the Command Prompt window, ping the IPv6 address in
RemoteTunnelEndpoint. This is the IPv6 address of the DirectAccess server for the
infrastructure tunnel.
If the IPv6 address is not a 6to4 address and you cannot reach this IPv6 address, use the
tracert –d IPv6Address command to trace the route to the destination.
12. From the Command Prompt window, run the netsh advfirewall consec show rule
name=”DirectAccess Policy-ClientToCorp” command.
13. From the Command Prompt window, ping the IPv6 address in
RemoteTunnelEndpoint. This is the IPv6 address of the DirectAccess server for the
intranet tunnel.
If the IPv6 address is not a 6to4 address and you cannot reach this IPv6 address, use the
tracert –d IPv6Address command to trace the route to the destination.
283
certificate of the DirectAccess client.
284
client to the public IPv4 address of the DirectAccess server. If the DirectAccess client detects
corporate connectivity within this network delay, the IP-HTTPS client will remain in an offline
state. If the DirectAccess client does not detect corporate connectivity within this network delay,
the IP-HTTPS client will attempt to qualify again.
Using IP-HTTPS for DirectAccess connectivity has higher overhead and lower performance than
Teredo. If the DirectAccess client is using IP-HTTPS instead of Teredo, the DirectAccess client
will have a lower performance connection.
However, due to network timing issues, it is possible for the DirectAccess client to have both
Teredo and IP-HTTPS interfaces active, but use only the IP-HTTPS interface for traffic to the
intranet. This condition occurs when the DirectAccess client takes more than the computed delay
for the DirectAccess client to determine corporate connectivity over the Teredo interface. To test
for this condition, run the ipconfig command at a command prompt. If you have global addresses
on both the Teredo and IP-HTTPS tunnel interfaces, this condition has occurred.
285
namespace to an intranet DNS server. When the DirectAccess client attempts to find a domain
controller, it must resolve names for which the DNS suffix matches the intranet namespace and a
corresponding rule in the effective NRPT. But before a DNS query can be sent to the intranet
DNS server, the infrastructure tunnel must be established.
After the infrastructure tunnel is successfully established, the DirectAccess client sends the DNS
query to locate a domain controller. The DirectAccess client then connects to the domain
controller, performs a computer-based domain logon, and connects to other infrastructure servers
as needed to perform computer-based start-up functions, such as performing a health evaluation
and obtaining a health certificate with Network Access Protection (NAP).
When the user logs on to the computer and a process in the context of the user account attempts
to access an intranet resource by its Internet Protocol version 6 (IPv6) address, the DirectAccess
client establishes the intranet tunnel.
For both tunnels, success of the Internet Protocol security (IPsec) tunnel mode security
associations (SAs) depends on the connection security rules configured on DirectAccess clients
and the DirectAccess server. These rules consist of a variety of settings for the following:
• The source or destination IPv6 addresses or address prefixes for which IPsec tunnel
mode is required.
• The tunnel endpoints (the IPv6 addresses of the DirectAccess server).
• The authentication methods required to successfully authenticate both IPsec peers (the
DirectAccess client and server).
For the infrastructure tunnel, the authentication methods are computer certificate and
UserNTLM (using the computer’s computer account credentials).
For the intranet tunnel, the authentication methods are computer certificate and UserKerb
(using the user’s user account credentials).
• The encryption and data integrity methods.
The DirectAccess Setup Wizard configures a compatible set of connection security rules for the
DirectAccess server and DirectAccess clients that should result in a successful negotiation of
IPsec SAs for both tunnels, provided the DirectAccess client and server have certificates installed
in their computer store that can be used for IPsec and validated by both IPsec peers.
If the DirectAccess client cannot successfully negotiate the two tunnels, it cannot connect to
resources on the intranet.
To verify whether the DirectAccess client can successfully create the infrastructure
tunnel
1. On the DirectAccess client, start a command prompt as an administrator.
2. On the DirectAccess client, click Start, type wf.msc, and then press ENTER.
3. In the tree pane of the Windows Firewall with Advanced Security snap-in console,
click Connection Security Rules.
In the details pane, you should see connection security rules whose names begin with
DirectAccess Policy. If not, this DirectAccess client has not received its connection
security rules from computer configuration Group Policy. Verify that the DirectAccess
286
client is running Windows 7 Ultimate Edition, Windows 7 Enterprise Edition, or Windows
Server 2008 R2 and is a member of one of the security groups specified in step 1 of the
DirectAccess Setup Wizard.
4. In the tree pane of the Windows Firewall with Advanced Security snap-in console,
open Monitoring\Connection Security Rules.
In the details pane, you should see a list of connection security rules that begin with
DirectAccess Policy, including rules named DirectAccess Policy-ClientToDnsDc and
DirectAccess Policy-ClientCorp.
5. If you do not see these rules, from the Command Prompt window, run the netsh
advfirewall monitor show currentprofile command.
This command displays the attached networks and their determined firewall profiles.
None of your networks should be in the domain profile. If any of your networks has been
assigned the domain profile, determine if you have an active remote access virtual
private network (VPN) connection or a domain controller that is available on the Internet.
6. From the Command Prompt window, run the netsh advfirewall monitor show
mmsa command.
There should be a main mode SA with the Remote IP Address set to the IPv6 address
2002:WWXX:YYZZ::WWXX:YYZZ, in which WWXX:YYZZ is the colon hexadecimal
representation of w.x.y.z, the first public Internet Protocol version 4 (IPv4) address
assigned to the Internet interface of the DirectAccess server. For example, if the first
public IPv4 address is 131.107.0.2, the corresponding 6to4 IPv6 address is
2002:836b:2::836b:2 (836b:2 is the colon-hexadecimal representation for 131.107.0.2).
The main mode SA should also have ComputerCert for Auth1 and UserNTLM for
Auth2.
7. From the Command Prompt window, run the netsh advfirewall monitor show qmsa
command.
There should be a quick mode SA with the Remote IP Address set to the IPv6 address
2002:WWXX:YYZZ::WWXX:YYZZ, corresponding to the first public IPv4 address
assigned to the Internet interface of the DirectAccess server.
If the DirectAccess client computer cannot establish the main and quick mode SAs for the
infrastructure tunnel using the default connection security rules created by the DirectAccess
Setup Wizard, the most likely problem is a certificate authentication failure. For more information,
see the “IKE certificate selection process” and “IKE certificate acceptance process” sections of
Public Key Certificate.
You can view the certificates in the local computer store on the DirectAccess client and server
with the Certificates snap-in.
To ensure that the DirectAccess server can access a domain controller to validate the credentials
of the DirectAccess client, run the nltest /dsgetdc: /force command at an elevated command
prompt. If there are no domain controllers listed, troubleshoot the lack of discoverability and
connectivity between the DirectAccess server and Active Directory.
Similarly, use the nltest /dsgetdc: /force command on the DirectAccess client to ensure that it
has access to a domain controller. If there are no domain controllers listed, ensure that the IPv6-
287
capable domain controllers that are being used by DirectAccess clients are using site-less locator
records in DNS.
To perform detailed IPsec negotiation analysis, use IPsec audit events in the Windows
Logs\Security event log and network tracing for DirectAccess. For more information, see Event
Viewer and Network Diagnostics and Tracing.
To verify whether the DirectAccess client can successfully create the intranet tunnel
1. On the DirectAccess client, start a command prompt as an administrator.
2. From the Command Prompt window, run the net view \\IntranetFileServer command.
Alternately, use your Internet Web browser to access an intranet uniform resource locator
(URL) or another application to access an intranet resource.
3. From the Command Prompt window, run the netsh advfirewall monitor show
mmsa command.
There should be a main mode SA with the Remote IP Address set to the 6to4 IPv6
address corresponding to the second public IPv4 address assigned to the Internet
interface of the DirectAccess server. For example, if the first public IPv4 address is
131.107.0.3, the corresponding 6to4 IPv6 address is 2002:836b:3::836b:3 (836b:3 is the
colon-hexadecimal notation for 131.107.0.3). The main mode SA should also have
ComputerCert for Auth1 and UserKerb for Auth2.
4. From the Command Prompt window, run the netsh advfirewall monitor show qmsa
command.
There should be a quick mode SA with the Remote IP Address set to the 6to4 IPv6
address corresponding to the second public IPv4 address assigned to the Internet
interface of the DirectAccess server.
If the DirectAccess client computer cannot establish the main and quick mode SAs for the intranet
tunnel using the default connection security rules created by the DirectAccess Setup Wizard, the
most likely problem is a certificate authentication failure. For more information, see the “IKE
certificate selection process” and “IKE certificate acceptance process” sections of Public Key
Certificate.
To ensure that the DirectAccess server can access a domain controller to validate the credentials
of the DirectAccess client, run the nltest /dsgetdc: /force command at an elevated command
prompt. If there are no domain controllers listed, troubleshoot the lack of discoverability and
connectivity between the DirectAccess server and Active Directory.
Similarly, use the nltest /dsgetdc: /force command on the DirectAccess client to ensure that it
has access to a domain controller. If there are no domain controllers listed, ensure that the IPv6-
capable domain controllers that are being used by DirectAccess clients are using site-less locator
records in DNS.
To perform detailed IPsec negotiation analysis, use IPsec audit events in the Windows
Logs\Security event log and network tracing for DirectAccess. For more information, see Event
Viewer and Network Diagnostics and Tracing.
288
IPsec and certificate revocation checking
By default, the DirectAccess client does not perform certificate revocation checking on the
certificates that it receives from IPsec peers for authentication. However, the DirectAccess server
by default performs certificate revocation checking on the certificates that it receives from IPsec
peers with either a weak or strong CRL check.
With weak CRL checking, IPsec will check its local certificate revocation list (CRL) cache for
revoked certificates. If the certificate being examined is in the cache as revoked, authentication
will fail. If it is not listed as revoked in the local CRL cache, authentication will succeed. You can
view the list of CRL files in your local CRL cache with the certutil -URLcache CRL command.
Weak CRL checking is the default configuration of the DirectAccess server.
With strong CRL checking, IPsec will check the certificate for revocation its local CRL cache and
the published CRL distribution points. If the certificate being examined is in the cache as revoked,
is listed in the CRL from the CRL distribution point as revoked, or the CRL distribution point is not
accessible, authentication fails. If strong CRL checking is enabled, obtain the certificate properties
of the computer certificate for the DirectAccess client, examine the CRL Distribution Point field,
and verify that the DirectAccess server can access the CRL from one of the specified CRL
distribution point locations. If the DirectAccess server cannot retrieve the CRL from any of these
locations, all IPsec certificate authentication fails.
If strong or weak CRL checking configured on either the DirectAccess server or client, you can
obtain additional information through the Windows Logs\Security event log. To view the failures
for IPsec in the Windows Logs\Security event log in Event Viewer, you must enable auditing on
the DirectAccess client or server with the auditpol.exe /set /SubCategory:"IPsec Main
Mode","IPsec Extended Mode" /success:enable /failure:enable command.
Look for the following events in the Windows Logs\Security event log:
• Event ID 4653: Main Mode: Failed: An IPsec Main Mode Negotiation Failed
• Event ID 4654: Quick Mode: Failed: An IPsec Quick Mode Negotiation Failed
• Event ID 4984: Extended Mode: Failed: An IPsec Extended Mode Negotiation Failed.
The corresponding Main Mode Security Association has been deleted.
Extended Mode failures are typically generated for problems with user authentication for
tunnel mode and for IPsec authorization failures, such as when you are using smart cards for
additional authorization. Event 4984 indicates that the credentials supplied are not authorized
to establish the tunnel to the DirectAccess Server.
289
SymbolicName=ERROR_IPSEC_IKE_AUTHORIZATION_FAILURE. SA establishment is not
authorized.
To perform additional NAP health evaluation troubleshooting, see Introduction to
Troubleshooting NAP and Fixing Health Certificate Problems in the Network Access
Protection Troubleshooting Guide.
290
resources to intranet DNS servers. DirectAccess clients receive NRPT rules through Group
Policy.
To troubleshoot why a DirectAccess client cannot resolve names with an intranet DNS
server
1. On the DirectAccess client, start a command prompt as an administrator.
2. From the Command Prompt window, run the netsh namespace show policy
command.
This command displays the NRPT rules configured through Group Policy, which are
typically one or more namespace rules (with a leading period) for your intranet
namespace and one or more exemption rules for names that should not be resolvable
while on the Internet (fully qualified domain names [FQDNs] without a leading period for
names such as your network location server). Verify that your entire intranet namespace
is represented by namespace rules. If there are no rules, verify that the DirectAccess
client is running Windows 7 Ultimate Edition, Windows 7 Enterprise Edition, or Windows
Server 2008 R2, is a member of a security group specified in step 1 of the DirectAccess
Setup Wizard, and has updated its computer configuration Group Policy.
In the DirectAccess-based rules for your intranet namespace, there should be at least
one Internet Protocol version 6 (IPv6) address for DirectAccess (DNS Servers).
3. From the Command Prompt window, run the netsh namespace show effective
command.
This command displays the current effective rules.
If there are no DirectAccess-based rules, the DirectAccess client has determined that it is
on the intranet.
4. From the Command Prompt window, ping the IPv6 addresses of your intranet DNS
servers from step 2 or 3.
This ensures that the intranet DNS server is reachable across the DirectAccess
connection.
5. From the Command Prompt window, use the nslookup –q=aaaa IntranetFQDN
IntranetDNSServerIPv6Address command to resolve the names of intranet servers
(example: nslookup –q=aaaa dc1.corp.contoso.com 2002:836b:2:1::5efe:10.0.0.1).
This command should display the IPv6 addresses of the specified intranet server.
If there are no IPv6 addresses for the name, determine why the corresponding IPv6
(AAAA) records are not in your intranet DNS.
If there is no response from the intranet DNS server, troubleshoot the infrastructure
tunnel between the DirectAccess client and server. For more information, see
DirectAccess Client Cannot Establish Tunnels to the DirectAccess Server.
291
Fixing Issues with Connecting to an Intranet
Resource
Issues with connecting to and from intranet resources typically fall into the following categories:
• DirectAccess Client Cannot Access Intranet Resources
• Intranet Management Server Cannot Connect to a DirectAccess Client
292
network location server). Verify that your entire intranet namespace is represented by
DirectAccess-based namespace rules.
In the rules for your intranet namespace, there should be at least one IPv6 address for
DirectAccess (DNS Servers).
If there are no rules, run the netsh namespace show policy command. If there are
DirectAccess-based rules, the DirectAccess client has determined that it is on the
intranet. If there are no rules, verify that the DirectAccess client is running Windows 7
Ultimate Edition, Windows 7 Enterprise Edition, or Windows Server 2008 R2, is a
member of a security group specified in step 1 of the DirectAccess Setup Wizard, and
has updated its computer configuration Group Policy.
3. From the Command Prompt window, ping the IPv6 addresses of your intranet DNS
servers from step 2.
This step ensures that the intranet DNS server is reachable across the DirectAccess
connection.
4. Verify that the FQDN of the intranet resource matches a namespace rule in the NRPT
and does not match an exemption rule.
This step ensures that the DirectAccess client will send its queries to the intranet DNS
servers, rather than an Internet DNS server.
5. From the Command Prompt window, use the nslookup –q=aaaa IntranetFQDN
IntranetDNSServerIPv6Address command to resolve the names of intranet servers to
IPv6 addresses (example: nslookup –q=aaaa dc1.corp.contoso.com
2002:836b:2:1::5efe:10.0.0.1).
This command should display the IPv6 addresses of the specified intranet server.
If there are no IPv6 addresses for the name, see the To determine the IPv6 addresses
that an intranet resource registers in DNS procedure in this topic.
If there is no response from the intranet DNS server, troubleshoot the infrastructure
tunnel between the DirectAccess client and server. For more information, see
DirectAccess Client Cannot Establish Tunnels to the DirectAccess Server.
6. From the Command Prompt window, ping the IPv6 addresses of the intranet resource
server from step 5.
This ensures that the intranet resource server is reachable across the DirectAccess
connection.
7. From the DirectAccess client, attempt to connect to the intranet server using the
appropriate application or run the net view \\IntranetServerName command from the
Command Prompt window.
If there is no response from the intranet DNS server, verify that the client and server or
peer applications running on both the DirectAccess client and intranet server are IPv6-
capable.
If the peer or client application running on the DirectAccess client is not IPv6-capable,
you cannot use it over the DirectAccess connection.
If the peer or client application running on the intranet server is not IPv6-capable, you can
293
update the application to support IPv6 or place it behind an IPv6/IPv4 translator. Most
built-in server applications and system services on computers running Windows Server
2003 or Windows XP are not IPv6-capable.
8. If the applications running on both the DirectAccess client and intranet server are
IPv6-capable, troubleshoot the intranet tunnel between the DirectAccess client and
server.
For more information, see DirectAccess Client Cannot Establish Tunnels to the
DirectAccess Server.
If you are using ISATAP for IPv6 connectivity on your intranet, ISATAP hosts should automatically
discover the IPv4 address of the ISATAP router (the DirectAccess server) and configure an
ISATAP address on an ISATAP interface.
To troubleshoot why an intranet ISATAP host does not configure an ISATAP address
1. On the Windows-based intranet resource, start a command prompt as an
administrator.
2. From the Command Prompt window, run the reg query
294
HKLM\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters /v
DisabledComponents command.
If the DisabledComponents registry value is present, the command displays its value. If
the DisabledComponents registry value is not present, the command displays ERROR:
The system was unable to find the specified registry key or value.
If DisabledComponents is present and it is not 0, convert it to a binary number. If the first
or third bit from the right in the binary number is 1, DisabledComponents has disabled
ISATAP. You must change the first and third bit from the right to 0 to enable ISATAP.
3. From the Command Prompt window, run the reg query
HKLM\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition /v
ISATAP_RouterName command.
This command should display ERROR: The system was unable to find the specified
registry key or value. If it does not, note the value.
4. From the Command Prompt window, run the reg query
HKLM\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition /v
ISATAP_State command.
This command should display ERROR: The system was unable to find the specified
registry key or value. If it does not, ensure that the value is set to enabled. If it is set to
disabled, change the Computer Configuration\Policies\Administrative
Templates\Network\TCPIP Settings\IPv6 Transition Technologies\ISATAP State
setting in the Group Policy object for this intranet resource to either Enabled or Not
Configured and update computer configuration Group Policy.
5. From the Command Prompt window, run the netsh interface isatap show state
command.
This command should display enabled in ISATAP State.
6. From the Command Prompt window, run the netsh interface isatap show router
command.
This command should display default or the name from step 3 in Router Name.
7. From the Command Prompt window, ping the name isatap or the name from step 3.
This ensures that the intranet resource can resolve the name of the ISATAP router to an
IPv4 address and reach the IPv4 address. Verify that the IPv4 address is assigned to the
computer that is the intranet ISATAP router, which is typically the DirectAccess server.
8. If the name isatap or the name from step 3 does not resolve, check your DNS server
to verify that the corresponding Address (A) record exists in your intranet DNS.
9. DNS servers running Windows Server 2008 or later will not by default answer queries
for the name isatap unless you remove it from the global query block list. Verify that the
name isatap has been removed from the global query block list. For more information,
see Remove ISATAP from the DNS Global Query Block List.
The next step in troubleshooting ISATAP connectivity is the ISATAP router.
295
To troubleshoot an ISATAP router
1. On the DirectAccess server acting as the ISATAP router, start a command prompt
as an administrator.
2. From the Command Prompt window, run the reg query
HKLM\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters /v
DisabledComponents command.
If the DisabledComponents registry value is present, the command displays its value. If
the DisabledComponents registry value is not present, the command displays ERROR:
The system was unable to find the specified registry key or value.
If DisabledComponents is present and it is not 0, convert it to a binary number. If the first
or third bit from the right in the binary number is 1, DisabledComponents has disabled
ISATAP. You must change the first and third bit from the right to 0 to enable ISATAP.
3. From the Command Prompt window, run the reg query
HKLM\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition /v
ISATAP_RouterName command.
This command should display ERROR: The system was unable to find the specified
registry key or value. If it does not, note the value.
4. From the Command Prompt window, run the reg query
HKLM\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition /v
ISATAP_State command.
This command should display ERROR: The system was unable to find the specified
registry key or value. If it does not, ensure that the value is set to enabled.
5. From the Command Prompt window, run the netsh interface isatap show state
command.
This command should display enabled in ISATAP State.
6. From the Command Prompt window, run the netsh interface isatap show router
command.
This command should display isatap.IntranetDNSSuffix in Router Name.
7. From the Command Prompt window, ping the name isatap.
This demonstrates that the DirectAccess server has registered the ISATAP name. Verify
that the resolved IPv4 address is assigned to an intranet interface of the DirectAccess
server.
8. From the Command Prompt window, run the netsh interface ipv6 show interfaces
command.
This command lists all of the IPv6 interfaces and their interface index numbers. Note the
interface index (Idx) of the interface named isatap.IntranetDNSSuffix.
9. From the Command Prompt window, run the netsh interface ipv6 show interface
ISATAPInterfaceIndex command.
Verify that Advertising and Forwarding are set to Enabled. If not, run the netsh
interface ipv6 set interface ISATAPInterfaceIndex advertise=enabled
296
forwarding=enabled command.
10. From the Command Prompt window, run the netsh interface ipv6 show route
command.
This command lists the routes in the IPv6 route table. Verify that there is a 64-bit route
with the Gateway/Interface Name set to isatap.IntranetDNSSuffix and Publish set to
Yes. This is the ISATAP subnet route that the DirectAccess server is advertising to
ISATAP hosts on the intranet. The 64-bit route typically has the form
2002:WWXX:YYZZ:1::/64, in which WWXX:YYZZ is the colon hexadecimal
representation of w.x.y.z, the first public IPv4 address of the DirectAccess server’s
Internet interface.
11. If Publish is set to No for the route in step 10, run the netsh interface ipv6 set
route 64BitRoute ISATAPInterfaceIndex publish=yes.
297
To verify whether the management server can successfully create the management
tunnel
1. On the DirectAccess client, start a command prompt as an administrator.
2. On the DirectAccess client, click Start, type wf.msc, and then press ENTER.
3. In the tree pane of the Windows Firewall with Advanced Security snap-in console,
click Connection Security Rules.
In the details pane, you should see connection security rules whose names begin with
DirectAccess Policy. If not, this DirectAccess client has not received its connection
security rules from computer configuration Group Policy. Verify that the DirectAccess
client is running Windows 7 Ultimate Edition, Windows 7 Enterprise Edition, or Windows
Server 2008 R2 and is a member of one of the security groups specified in step 1 of the
DirectAccess Setup Wizard.
4. In the tree pane of the Windows Firewall with Advanced Security snap-in console,
open Monitoring\Connection Security Rules.
In the details pane, you should see a list of connection security rules that begin with
DirectAccess Policy, including a rule named DirectAccess Policy-ClientToMgmt.
5. If you do not see these rules, from the Command Prompt window, run the netsh
advfirewall monitor show currentprofile command.
This command displays the attached networks and their determined firewall profiles.
None of your networks should be in the domain profile. If any of your networks has been
assigned the domain profile, determine if you have an active remote access virtual
private network (VPN) connection or a domain controller that is available on the Internet.
6. Double-click the DirectAccess Policy-ClientToMgmt rule and then click the
Computers tab. Verify that the IPv6 address of the management server is listed in
Endpoint 2. This list of IPv6 addresses was configured in step 3 of the DirectAccess
Setup Wizard.
7. From the intranet, use the management server to initiate communication with the
DirectAccess client. For example, use the management server to establish a remote
desktop connection to the DirectAccess client.
8. On the DirectAccess client, from the Command Prompt window, run the netsh
advfirewall monitor show mmsa command.
There should be a main mode SA with the Remote IP Address set to the IPv6 address
2002:WWXX:YYZZ::WWXX:YYZZ, corresponding to the first public IPv4 address
assigned to the Internet interface of the DirectAccess server. For example, if the first
public IPv4 address is 131.107.0.2, the corresponding 6to4 IPv6 address is
2002:836b:2::836b:2 (836b:2 is the colon-hexadecimal notation for 131.107.0.2). The
main mode SA should also have ComputerCert for Auth1 and UserNTLM for Auth2.
9. From the Command Prompt window, run the netsh advfirewall monitor show qmsa
command.
There should be a quick mode SA with the Remote IP Address set to the IPv6 address
2002:WWXX:YYZZ::WWXX:YYZZ, corresponding to the first public IPv4 address
298
assigned to the Internet interface of the DirectAccess server.
If the DirectAccess client computer cannot establish the main and quick mode SAs for the
management tunnel using the default connection security rules created by the DirectAccess
Setup Wizard, the most likely problem is a certificate authentication failure. For more information,
see the “IKE certificate selection process” and “IKE certificate acceptance process” sections of
Public Key Certificate.
You can view the certificates in the local computer store on the DirectAccess client and server
with the Certificates snap-in
To ensure that the DirectAccess server can access a domain controller to validate the credentials
of the DirectAccess client, run the nltest /dsgetdc: /force command at an elevated command
prompt. If there are no domain controllers listed, troubleshoot the lack of discoverability and
connectivity between the DirectAccess server and Active Directory.
Similarly, use the nltest /dsgetdc: /force command on the DirectAccess client to ensure that it
has access to a domain controller. If there are no domain controllers listed, ensure that the IPv6-
capable domain controllers that are being used by DirectAccess clients are using site-less locator
records in DNS.
To perform detailed IPsec negotiation analysis, use IPsec audit events in the Windows
Logs\Security event log and network tracing for DirectAccess. For more information, see Event
Viewer and Network Diagnostics and Tracing.
If you have configured DirectAccess for the end-to-end access model, verify that the
management server has been configured with compatible connection security rules to use
transport mode IPsec when initiating communication with DirectAccess clients.
299
To verify whether the DirectAccess client can successfully create transport mode IPsec
SAs to selected servers
1. On the DirectAccess client, start a command prompt as an administrator.
2. On the DirectAccess client, click Start, type wf.msc, and then press ENTER.
3. In the tree pane of the Windows Firewall with Advanced Security snap-in console,
click Connection Security Rules.
In the details pane, you should see connection security rules whose names begin with
DirectAccess Policy. If not, this DirectAccess client has not received its connection
security rules from computer configuration Group Policy. Verify that the DirectAccess
client is running Windows 7 Ultimate Edition, Windows 7 Enterprise Edition, or Windows
Server 2008 R2 and is a member of one of the security groups specified in step 1 of the
DirectAccess Setup Wizard.
4. In the tree pane of the Windows Firewall with Advanced Security snap-in console,
open Monitoring\Connection Security Rules.
In the details pane, you should see a list of connection security rules that begin with
DirectAccess Policy, including a rule named DirectAccess Policy-clientToAppServer.
5. If you do not see these rules, from the Command Prompt window, run the netsh
advfirewall monitor show currentprofile command.
This command displays the attached networks and their determined firewall profiles.
None of your networks should be in the domain profile. If any of your networks has been
assigned the domain profile, determine if you have an active remote access virtual
private network (VPN) connection or a domain controller that is available on the Internet.
6. Double-click the DirectAccess Policy- clientToAppServer rule and then click the
Computers tab. Verify that the Internet Protocol version 6 (IPv6) addresses of the
selected servers are listed in Endpoint 2. This list of IPv6 addresses was configured
based on the selected server security groups specified in step 4 of the DirectAccess
Setup Wizard.
7. Initiate communication with the selected server. For example, use the appropriate
application or the net view \\SelectedServerName command.
8. From the Command Prompt window, run the netsh advfirewall monitor show
mmsa command.
There should be a main mode SA with the Remote IP Address set to the IPv6 address of
the selected server. The main mode SA should also have ComputerCert or
ComputerKerb for Auth1 and UserKerb for Auth2.
9. From the Command Prompt window, run the netsh advfirewall monitor show qmsa
command.
There should be a quick mode SA with the Remote IP Address set to the IPv6 address
of the selected server.
If the DirectAccess client computer cannot establish the main and quick mode SAs to the
selected server using the default connection security rules created by the DirectAccess Setup
Wizard, the most likely problem is the lack of corresponding connection security rules on the
300
selected server. Verify that a rule named DirectAccess Policy-appServerToClient appears in
the Connection Security Rules and Monitoring\Connection Security Rules nodes in the
console tree of the Windows Firewall with Advanced Security snap-in on the selected server.
To verify whether the DirectAccess client can successfully create transport mode IPsec
SAs to intranet resources
1. On the DirectAccess client, start a command prompt as an administrator.
2. Click Start, type wf.msc, and then press ENTER.
3. In the tree pane of the Windows Firewall with Advanced Security snap-in console,
click Connection Security Rules.
In the details pane, you should see connection security rules whose names begin with
DirectAccess Policy. If not, this DirectAccess client has not received its connection
security rules from computer configuration Group Policy. Verify that the DirectAccess
client is running Windows 7 Ultimate Edition or Windows 7 Enterprise Edition and is a
member of one of the security groups specified in step 1 of the DirectAccess Setup
Wizard.
4. In the tree pane of the Windows Firewall with Advanced Security snap-in console,
open Monitoring\Connection Security Rules.
In the details pane, you should see a list of connection security rules that begin with
DirectAccess Policy, including a rule named DirectAccess Policy-clientToAppServer.
5. If you do not see this rule, from the Command Prompt window, run the netsh
advfirewall monitor show currentprofile command.
This command displays the attached networks and their determined firewall profiles.
None of your networks should be in the domain profile. If any of your networks has been
assigned the domain profile, determine if you have an active remote access virtual
private network (VPN) connection or a domain controller that is available on the Internet.
6. Initiate communication with an intranet server. For example, use an appropriate client
application or the net view \\IntranetServer command.
7. From the Command Prompt window, run the netsh advfirewall monitor show
mmsa command.
There should be a main mode SA with the Remote IP Address set to the IPv6 address of
the intranet server. The main mode SA should also have ComputerCert or
301
ComputerKerb for Auth1 and UserKerb for Auth2.
8. From the Command Prompt window, run the netsh advfirewall monitor show qmsa
command.
There should be a quick mode SA with the Remote IP Address set to the IPv6 address
of the intranet server.
If the DirectAccess client computer cannot establish the main and quick mode SAs to intranet
server using the modified connection security rules, the most likely problem is the lack of
corresponding connection security rules on intranet servers. Verify that a rule named
DirectAccess Policy-appServerToClient appears in the Connection Security Rules and
Monitoring\Connection Security Rules nodes in the console tree of the Windows Firewall with
Advanced Security snap-in on your intranet servers.
302
is on the intranet and removes the DirectAccess-based rules in the effective Name Resolution
Policy Table (NRPT). If the DirectAccess client computer has an existing, active virtual private
network (VPN) connection to the intranet, this is the desired behavior. With an existing layer 2
connection to the intranet, such as that provided by a VPN connection, the network location
server is accessible and DirectAccess should not be used to provide intranet connectivity.
If the DirectAccess client computer does not have an existing, active VPN connection to the
intranet, the network location server should not be accessible. If it is, the DirectAccess client
removes the DirectAccess-based rules in the effective NRPT and the DirectAccess client sends
all Domain Name System (DNS) name queries to interface-configured DNS servers. The result is
that the DirectAccess client will not be able to resolve intranet DNS server names and connect to
intranet DNS servers through the DirectAccess server.
If the network location server is accessible from DirectAccess clients on the Internet, it could be
due to the following:
• Your NRPT does not have an exemption rule for the fully qualified domain name (FQDN)
of the network location URL
If the FQDN of the network location URL matches the namespace rule for your intranet, you
must have an additional exemption rule for the FQDN in the NRPT. With this exemption rule,
the DirectAccess client uses interface-configured DNS servers for the FQDN, which Internet
DNS servers should not be able to resolve. If this exemption rule is missing and the FQDN of
the network location URL matches the namespace rule for your intranet, the DirectAccess
client will use intranet DNS servers to successfully resolve the FQDN and access the network
location server over the DirectAccess connection.
• The network location URL is accessible from the Internet
The network location URL is designed to be accessible only from the intranet. You should not
be able to access the FQDN of the network location URL or the HTTPS-based URL from an
Internet-connected computer. To test this, connect a computer that is not a DirectAccess
client to the Internet and attempt to ping the FQDN of the network location URL and use an
Internet browser to access the network location URL. If you can resolve the name and access
the URL, remove the Internet DNS records for the FQDN or remove the network location
server from the Internet. If the DirectAccess server is acting as the network location server,
ensure that the IP and Domain Restrictions role service is installed for the Web server (IIS)
role to prevent DirectAccess clients on the Internet from reaching the network location URL
on the DirectAccess server.
For more information about the technical details of the network location detection process, see
Network Location Detection.
303
the intranet, network location detection determines that a DirectAccess client is on the Internet
and keeps the DirectAccess-based rules in the effective Name Resolution Policy Table (NRPT).
With the DirectAccess-based rules in the effective NRPT, the DirectAccess client sends Domain
Name System (DNS) queries for names that match the intranet namespace to the Internet
Protocol version 6 (IPv6) addresses of intranet DNS servers.
If you have native IPv6 connectivity and the IPv6 addresses of the DNS servers configured in the
namespace rules are reachable, the DirectAccess client will be able to successfully resolve and
connect to intranet DNS servers. However, if the NRPT rules use a different set of DNS servers
than intranet computers through interface-configured DNS servers (for example, to place the load
of DirectAccess and intranet clients on different sets of DNS servers), DirectAccess clients on the
intranet will continue to use the DNS servers that are intended for use by DirectAccess clients on
the Internet.
Note
304
To troubleshoot why a DirectAccess client on the intranet cannot successfully access
the network location URL
1. On the DirectAccess client, start a command prompt as an administrator.
2. From the Command Prompt window, run the reg query
HKLM\software\policies\microsoft\windows\NetworkConnectivityStatusIndicator\C
orporateConnectivity /v DomainLocationDeterminationUrl command.
This displays the network location URL. If there is no value, the DirectAccess client has
not been properly configured with computer configuration Group Policy. Verify that this
computer is running Windows 7 Ultimate Edition or Windows 7 Enterprise Edition and is a
member of one of the security groups specified in step 1 of the DirectAccess Setup
Wizard.
3. From the Command Prompt window, run the netsh namespace show policy
command.
4. Compare the FQDN in the network location URL to the NRPT rules from step 3.
Either the FQDN should not match the DirectAccess-based intranet namespace rules or it
should match an exemption rule for the FQDN. In either case, the DirectAccess client will
use interface-configured DNS server to resolve the FQDN in the network location URL.
5. From the Command Prompt window, ping the FQDN in the network location URL.
This step ensures that the DirectAccess client can resolve the name and reach the
network location server.
6. Attempt to access the network location URL with your Internet browser.
You should see the Web page without any certificate errors. Note that the contents of the
Web page do not matter, only the ability to successfully access it.
If you see a certificate error, verify the following for the certificate on the network location server
that is being used for HTTPS (SSL)-based connections:
• The DirectAccess client can validate and trust the network location certificate.
• The Subject field is the FQDN from the network location URL.
• The Enhanced Key Usage field contains the Server Authentication object identifier (OID).
• The certificate revocation list (CRL) Distribution Points field contains at least one CRL
distribution point that the DirectAccess client can successfully access.
To test access to the CRL distribution points of the network location certificate from a
DirectAccess client on the intranet
1. On the network location server, obtain the CRL distribution points—the Hypertext
Transfer Protocol (HTTP) URL without the file name or the universal naming convention
(UNC) path without the file name—from the CRL Distribution Points field of the certificate
being used for HTTPS-based connections. If the network location server is running
Windows, use the Certificates snap-in for the local computer store and view the Details
tab for the properties of the HTTPS (Secure Sockets Layer [SSL]) certificate.
2. On the DirectAccess client, start a command prompt as an administrator.
305
3. From the Command Prompt window, ping the FQDNs from the URLs or UNC paths
for the CRL distribution points obtained in step 1.
This step ensures that the DirectAccess client can resolve the names of the CRL
distribution point locations and reach the resolved addresses.
4. For a URL-based CRL distribution point, paste it into your Internet browser. You
should see a series of files with the .crl extension. Ensure that you can open all of the .crl
files.
5. For a UNC path-based CRL distribution point, click Start, type the path, and then
press ENTER. You should see folder with a series of files with the .crl extension. Ensure
that you can open all of the .crl files.
The DirectAccess client must be able to access at least one of the CRL distribution points and
open the CRL files. Otherwise, certificate revocation fails and the DirectAccess determines that it
is on the Internet.
For more information about the technical details of the network location detection process, see
Network Location Detection.
306
DirectAccess client must be able to determine when it is connected to the intranet. This is known
as network location detection.
To demonstrate network location detection and its impact on the NRPT and connection
security rules in the DirectAccess test lab (http://go.microsoft.com/fwlink/?
Linkid=150613), do the following:
1. Connect CLIENT1 to the Internet subnet.
2. Open a Command Prompt.
3. From the Command Prompt window, run the netsh dnsclient show state command.
Notice that the Machine Location field states Outside corporate network.
4. Run the netsh namespace show effectivepolicy command.
Notice that there are two active NRPT rules: A namespace rule for corp.contoso.com and an
exemption rule for nls.corp.contoso.com.
5. Open the Windows Firewall with Advanced Security snap-in (wf.msc).
6. From the console tree of the Windows Firewall with Advanced Security snap-in, open
Monitoring\Connection Security Rules.
In the details pane, notice that there are three connection security rules: DirectAccess Policy-
ClientToCorp, DirectAccess Policy-ClientToDnsDc, and DirectAccess Policy-
clientToNlaExempt.
7. Disconnect CLIENT1 from the Internet subnet and connect it to the Corpnet subnet.
8. From the Command Prompt window, run the netsh dnsclient show state command.
Notice that the Machine Location field states Inside corporate network.
9. Run the netsh namespace show effectivepolicy command.
Notice that there are now no active NRPT rules.
10. Refresh the details pane of the Windows Firewall with Advanced Security snap-in
(Monitoring\Connection Security Rules).
Notice that there are now no connection security rules.
308
• Cannot reach the CRL distribution point
• Cannot read the CRL files
The behavior of a DirectAccess client on the intranet when it cannot perform a successful network
location detection depends on the name used by applications to access intranet resources, either
FQDN or single-label, and whether the DirectAccess client can reach the Internet interface of the
DirectAccess server.
If the DirectAccess client cannot reach the Internet interface of the DirectAccess server and tries
to resolve an intranet FQDN, name resolution fails because there is no fall back behavior for
FQDNs. Therefore, the DirectAccess client cannot reach the intranet resource.
If the DirectAccess client cannot reach the Internet interface of the DirectAccess server and tries
to resolve a single-label name, fall back behavior can use LLMNR or NetBIOS methods, including
WINS. Therefore, connectivity to the intranet resource can use IPv4, rather than IPv6.
A DirectAccess client on the intranet can use Internet Protocol over Secure Hypertext Transfer
Protocol (IP-HTTPS) and an intranet proxy server to reach the Internet interface of the
DirectAccess server. In this case, all DirectAccess tunneled traffic is exchanged with the
DirectAccess server over the IP-HTTPS session out to the Internet and back to the intranet via
the DirectAccess server.
In this configuration, the DirectAccess client behaves in much the same way as if it were located
on the Internet. However, intranet resources that are not available over DirectAccess are still
unavailable, even though the DirectAccess client is connected to the intranet. Additionally,
intranet access can have decreased performance because the traffic is routed through the IP-
HTTPS session, out to the Internet, and back through the DirectAccess server.
309