Requirements and Prerequisites

Before deploying DirectAccess, make sure that your environment meets all of the hardware, infrastructure, and network requirements listed in this section.

Configuration requirements

The following requirements are necessary for the DirectAccess server and the DirectAccess client:

DirectAccess server

The DirectAccess server has the following requirements:

  • Joined to an Active Directory domain

  • Running Windows Server 2008 R2

  • Has at least two physical network adapters installed

  • Has at least two consecutive static, public IPv4 addresses that are externally resolvable through the Internet DNS (addresses in the ranges 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 are private IPv4 addresses and cannot be used)

  • Cannot be behind a NAT

Note

The requirement for two consecutive public IPv4 addresses is so that the DirectAccess server can act as a Teredo server and Windows-based Teredo clients can use the DirectAccess server to perform detection of the type of network address translator (NAT) that they are behind. For more information, see Teredo Overview.

The DirectAccess Management console sorts the public IPv4 addresses assigned to the Internet adapter lexicographically, rather than numerically. In a lexicographic sort, the addresses are compared as strings, character by character, so "10" sorts before "9". Therefore, the DirectAccess Management console does not consider the following sets of addresses as consecutive: w.x.y.9 and w.x.y.10, which will be sorted as w.x.y.10, w.x.y.9; w.x.y.99 and w.x.y.100, which will be sorted as w.x.y.100, w.x.y.99; w.x.y.1, w.x.y.2, and w.x.y.10, which will be sorted as w.x.y.1, w.x.y.10, w.x.y.2. Use a different set of consecutive addresses.
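As an added example that is not part of the DirectAccess documentation, the following PowerShell function applies the address rules above to a candidate set of Internet-adapter addresses: it rejects the three private ranges, checks that the addresses are numerically consecutive, and reports whether the console's string sort would reorder them. The sample addresses are constructed values from the 203.0.113.0/24 documentation range.

```powershell
# Added example, not from the DirectAccess documentation. Checks a candidate
# set of public IPv4 addresses for the DirectAccess server's Internet adapter.

function Test-PrivateIPv4 ([string]$Address) {
    # Only the three ranges named in the requirements list are treated as private.
    $o = $Address.Split('.') | ForEach-Object { [int]$_ }
    return (($o[0] -eq 10) -or
            ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
            ($o[0] -eq 192 -and $o[1] -eq 168))
}

function ConvertTo-IPv4Number ([string]$Address) {
    # 32-bit value of the address, so numeric sorting reflects real address order.
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes() | ForEach-Object { [uint64]$_ }
    return [uint32]($b[0] * 16777216 + $b[1] * 65536 + $b[2] * 256 + $b[3])
}

function Test-DirectAccessPublicAddresses ([string[]]$Addresses) {
    $problems = @()
    foreach ($a in $Addresses) {
        if (Test-PrivateIPv4 $a) { $problems += "$a is a private IPv4 address" }
    }

    # Numeric order is the order in which the addresses are actually consecutive.
    $numeric = @($Addresses | Sort-Object { ConvertTo-IPv4Number $_ })
    for ($i = 1; $i -lt $numeric.Count; $i++) {
        $gap = [int64](ConvertTo-IPv4Number $numeric[$i]) - [int64](ConvertTo-IPv4Number $numeric[$i - 1])
        if ($gap -ne 1) { $problems += "$($numeric[$i - 1]) and $($numeric[$i]) are not consecutive" }
    }

    # The DirectAccess Management console orders the addresses as strings, so a
    # block that is consecutive numerically can still be rejected by the console.
    $lexical = @($Addresses | Sort-Object)
    if (($lexical -join ',') -ne ($numeric -join ',')) {
        $problems += "string sort order is $($lexical -join ', '); the console will not treat these as consecutive"
    }

    New-Object PSObject -Property @{
        Addresses = ($Addresses -join ', ')
        Usable    = ($problems.Count -eq 0)
        Problems  = $problems
    }
}

# Constructed sample values from the 203.0.113.0/24 documentation range.
Test-DirectAccessPublicAddresses '203.0.113.9', '203.0.113.10'   # the .9/.10 pair discussed above
Test-DirectAccessPublicAddresses '203.0.113.21', '203.0.113.22'  # a pair with no sort pitfall
Test-DirectAccessPublicAddresses '192.168.1.10', '192.168.1.11'  # addresses from a private range
```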

On the DirectAccess server, you install the DirectAccess Management Console feature through Server Manager. You use the DirectAccess Management console to configure DirectAccess settings for the DirectAccess server and clients and to monitor the status of the DirectAccess server.

More than one DirectAccess server may be needed depending on your deployment and scalability requirements. For more information, see the Choosing a Scalability Model section in this document. DirectAccess servers should not host any other primary functions; they should be dedicated to DirectAccess.

DirectAccess client

DirectAccess clients have the following requirements:

  • Joined to an Active Directory domain

  • Running Windows 7 Ultimate or Enterprise edition or Windows Server 2008 R2

Clients not joined to an Active Directory domain or clients running Windows Vista or earlier or Windows Server 2008 or earlier are not supported.

Infrastructure requirements and considerations

The following infrastructure is required:

  • Active Directory – At least one Active Directory domain must be deployed. Workgroups are not supported. For more information about installing Active Directory, see the AD DS Installation and Removal Step-by-Step Guide.

  • Group Policy – Group policy is recommended for centralized administration and deployment of DirectAccess client settings. The DirectAccess Setup wizard creates a set of Group Policy objects and settings for DirectAccess clients, the DirectAccess server, and management servers. For more information, see the Group Policy Planning and Deployment Guide.

  • DNS/domain controller – At least one domain controller and DNS server must be running Windows Server 2008 SP2 or later or Windows Server 2008 R2.

  • Public key infrastructure (PKI) – Required to issue computer certificates for authentication, and optionally, health certificates when using Network Access Protection (NAP). External certificates are not required. For more information about setting up a PKI with Active Directory Certificate Services, see Active Directory Certificate Services.

    The SSL certificate for IP-HTTPS installed on the DirectAccess server must have a CRL distribution point that is reachable from the Internet and the Subject field must contain either a public IPv4 address assigned to the DirectAccess server or an FQDN that can be resolved to a public IPv4 address assigned to the DirectAccess server using the Internet DNS.

    The SSL certificate for the network location server must have a CRL distribution point that is reachable from the intranet and the Subject field must contain either an intranet IPv4 address assigned to the network location server or an FQDN that can be resolved to an intranet IPv4 address assigned to the network location server using the intranet DNS.

  • IPsec policies – DirectAccess utilizes IPsec policies configured and administered as part of Windows Firewall with Advanced Security. For more information, see the Windows Firewall with Advanced Security Getting Started Guide.

  • Allow ICMPv6 Echo Request traffic – You must create separate inbound and outbound rules that allow ICMPv6 Echo Request messages. The inbound rule is required and is scoped to all profiles. The outbound rule, also scoped to all profiles, is recommended as a best practice and is only required if Outbound block is turned on. DirectAccess clients that use Teredo for IPv6 connectivity to the intranet use ICMPv6 messages when establishing communication. For more information, see Teredo Overview.

  • IPv6 and transition technologies – IPv6 and the transition technologies ISATAP, Teredo, and 6to4 must be available for use on the DirectAccess server. For each of your DNS servers that are running Windows Server 2008 or later, remove the ISATAP name from the global query block list. For more information, see the following resources on the Microsoft Web site:
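As an added example that is not part of the DirectAccess documentation, this PowerShell function inspects an installed IP-HTTPS certificate against the two certificate requirements listed above (a CRL distribution point, and a Subject that is, or resolves to, an address assigned to the server); the same check applies to the network location server certificate when it is given the intranet addresses instead. The thumbprint and the address list are placeholders, and name resolution uses this host's resolver rather than the Internet DNS, so the DNS part must be repeated from an external host.

```powershell
# Added example, not from the DirectAccess documentation. Checks an installed
# certificate against the CRL distribution point and Subject rules above.

function Test-DirectAccessCertificate ([string]$Thumbprint, [string[]]$AssignedAddresses) {
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $findings = @()

    # Rule 1: a CRL distribution point extension (OID 2.5.29.31) must be present.
    # Whether its URL is reachable from the Internet (IP-HTTPS) or the intranet
    # (network location server) can only be confirmed from that network, so the
    # URLs are reported here rather than fetched.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' } | Select-Object -First 1
    if (-not $cdp) {
        $findings += 'no CRL distribution point extension; clients cannot check revocation'
    } else {
        $urls = [regex]::Matches($cdp.Format($true), 'https?://[^\s]+') | ForEach-Object { $_.Value }
        $findings += "confirm from the client side of the network that these CRL URLs respond: $($urls -join ' ')"
    }

    # Rule 2: the Subject CN is either an IPv4 address assigned to the server or an
    # FQDN that resolves to one. GetHostAddresses accepts an IPv4 literal as well as
    # an FQDN, but it uses this host's resolver, not necessarily the Internet DNS.
    $cn = (($cert.Subject -split ',\s*') | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN='
    $resolved = @([System.Net.Dns]::GetHostAddresses($cn) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } | ForEach-Object { $_.IPAddressToString })
    $matched = @($resolved | Where-Object { $AssignedAddresses -contains $_ })
    if ($matched.Count -eq 0) {
        $findings += "Subject CN '$cn' resolves to [$($resolved -join ', ')], none of which is an address assigned to this server"
    }

    New-Object PSObject -Property @{
        Subject  = $cert.Subject
        NotAfter = $cert.NotAfter
        Findings = $findings
    }
}

# Placeholder values: replace with the real thumbprint and, for the IP-HTTPS
# certificate, the public addresses assigned to the Internet-facing adapter.
Test-DirectAccessCertificate -Thumbprint '<THUMBPRINT>' -AssignedAddresses '203.0.113.21', '203.0.113.22'
```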

Note

DirectAccess and the Routing and Remote Access service (RRAS) configured as a VPN server cannot be run on the same computer.
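As an added example that is not part of the DirectAccess documentation, the following PowerShell script creates the inbound and outbound ICMPv6 Echo Request exceptions described above with netsh advfirewall, the command-line interface to Windows Firewall with Advanced Security on Windows Server 2008 R2, and first reports whether any profile has Outbound block turned on. The rule names are assumptions; any unique names will do.

```powershell
# Added example, not from the DirectAccess documentation. Creates the ICMPv6
# Echo Request rules for all profiles and shows what was created.

$rules = @(
    @{ Name = 'DirectAccess ICMPv6 Echo Request (In)';  Direction = 'in'  },
    @{ Name = 'DirectAccess ICMPv6 Echo Request (Out)'; Direction = 'out' }
)

# The outbound rule is only required when a profile blocks outbound traffic by
# default; that profile's "Firewall Policy" line then contains "BlockOutbound".
$policy = netsh advfirewall show allprofiles | Where-Object { $_ -match '^Firewall Policy' }
if ($policy -match 'BlockOutbound') {
    'At least one profile blocks outbound traffic: the outbound rule is required.'
} else {
    'No profile blocks outbound traffic: the outbound rule is a best practice.'
}

foreach ($r in $rules) {
    # Skip rules that already exist so the script can be re-run safely.
    $existing = netsh advfirewall firewall show rule name="$($r.Name)"
    if ($existing -match '^Rule Name:') { "already present: $($r.Name)"; continue }

    # ICMPv6 type 128 is Echo Request; profile=any scopes the rule to all profiles.
    netsh advfirewall firewall add rule name="$($r.Name)" dir=$($r.Direction) action=allow "protocol=icmpv6:128,any" profile=any
}

# Confirm direction, protocol and profile scope of each rule.
foreach ($r in $rules) {
    netsh advfirewall firewall show rule name="$($r.Name)" |
        Where-Object { $_ -match '^(Rule Name|Enabled|Direction|Profiles|Protocol)' }
}
```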

Firewall exceptions

The following table lists external firewall exceptions for DirectAccess traffic to and from the DirectAccess server.

Name                                                      Teredo  6to4  IP-HTTPS  Native IPv6
UDP 3544                                                  X       N/A   N/A       N/A
Protocol 41                                               N/A     X     N/A       N/A
TCP 443                                                   N/A     N/A   X         N/A
ICMPv6 (if you have connectivity to the IPv6 Internet)    N/A     N/A   N/A       X
UDP 500 (if you have connectivity to the IPv6 Internet)   N/A     N/A   N/A       X
Protocol 50                                               N/A     N/A   N/A       X

This table indicates that if you are going to support clients connecting using Teredo, 6to4, and IP-HTTPS—which are the standard and recommended suite of DirectAccess client connectivity protocols—you would need to allow UDP port 3544, IPv4 protocol 41, and TCP port 443 traffic respectively through the Internet-facing firewall and allow this traffic to travel to the DirectAccess server. If you are going to support clients connecting with a native IPv6 address, you will also need to allow ICMPv6, UDP port 500, and IPv6 protocol 50 through the external firewall.

For example, the exceptions on your firewall’s Internet interface will be in the format:

[Any] allowed inbound to [IPv4 address of Internet-facing adapter on DirectAccess server] for [protocol or port]

[IPv4 address of Internet-facing adapter on DirectAccess server] for [protocol or port] allowed outbound to [Any]

The following table lists intranet firewall exceptions for traffic to and from DirectAccess clients.

Name                    ISATAP  Native IPv6  IPv4 + NAT-PT
Protocol 41             X
TCP                             X            X
UDP                             X            X
ICMPv6                          X
All IPv6 connectivity           X
UDP 500 IKE/AuthIP              X            X

This table indicates that if there is a firewall between the DirectAccess server and the rest of the intranet, the ports and protocols that must be opened on that firewall depend on the type of connectivity DirectAccess clients use to reach resources within your intranet. These exceptions are in addition to allowing all IPv4 and IPv6 traffic to and from the DirectAccess server, so that it can reach, and be reached by, Active Directory domain controllers, management servers, CAs, and other intranet resources.