Configure the DirectAccess Setup Wizard for Selected Server Access

Updated: October 7, 2009

Applies To: Windows Server 2008 R2

Important

This topic describes deployment of DirectAccess in Windows Server 2008 R2. For deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Deployment Guide (https://go.microsoft.com/fwlink/?LinkId=179989).

The DirectAccess Setup Wizard steps you through the configuration of a DirectAccess server for selected server access. The four steps in the wizard configure DirectAccess clients, the DirectAccess server, infrastructure servers, and application servers.

Prior to running the DirectAccess Setup Wizard for selected server access, you should have determined the following:

Whether you are using smart card authorization. For more information, see Choose an Authentication and Authorization Scheme.

If you have an existing IPv6 infrastructure, the 48-bit address prefix used by your organization and the 64-bit address prefix that you have designated for IP-HTTPS-based DirectAccess clients. For more information, see Choose an Intranet IPv6 Connectivity Design.

Whether you are using the DirectAccess server or a separate server as the network location server. For more information, see Design Your Web Servers for DirectAccess.

The list of additional NRPT rules. For more information, see Design Your DNS Infrastructure for DirectAccess.

The option for local name resolution behavior. For more information, see Design Your DNS Infrastructure for DirectAccess.

The list of names or IP addresses of management computers that will be initiating connections to DirectAccess clients. For more information, see Design for Remote Management.

The type of selected server access for your organization. For more information, see Selected Server Access.

Prior to running the DirectAccess Setup Wizard for selected server access, you should have completed the following:

Created at least one Active Directory security group for DirectAccess client computers and at least one Active Directory security group for selected servers. For more information, see Create DirectAccess Groups in Active Directory.

Installed an additional certificate on the DirectAccess server computer for IP-HTTPS connections. For more information, see Install an IP-HTTPS Certificate.

If you are using the DirectAccess server as the network location server, installed the Web Server (IIS) role with the IP and Domain Restrictions role service and an additional certificate for network location on the DirectAccess server computer. For more information, see Configure the DirectAccess Server as the Network Location Server.

To complete this procedure, you must be a member of the local Administrators group, or otherwise be delegated permissions to create and apply the configuration of the DirectAccess Setup Wizard. Applying the configuration creates and links Group Policy objects in the domain, so the account must also be able to create GPOs. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
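The following pre-flight script checks the prerequisites listed above before you start the wizard. It is an added example and is not part of the TechNet page or of the DirectAccess product; run it in an elevated PowerShell 2.0 session on the Windows Server 2008 R2 DirectAccess server. The group names, the IP-HTTPS host name, the network location server URL and the $NlsOnDaServer switch are assumptions to edit for your design.

```powershell
# Pre-flight check for the DirectAccess Setup Wizard prerequisites. Added example, not from the TechNet page.
# Assumptions (edit to match your design): group names, IP-HTTPS host name, NLS placement and URL.
$ClientGroup   = "DA_Clients"                  # assumed AD security group for DirectAccess client computers
$ServerGroup   = "DA_SelectedServers"          # assumed AD security group for selected servers
$IpHttpsName   = "da.contoso.com"              # assumed public name on the IP-HTTPS certificate
$NlsOnDaServer = $true                         # $false if a separate network location server is used
$NlsUrl        = "https://nls.corp.contoso.com" # only used when $NlsOnDaServer is $false
$ServerAuthOid = "1.3.6.1.5.5.7.3.1"           # Server Authentication EKU, required on the IP-HTTPS certificate

$script:failed = 0
function Check([bool]$ok, [string]$text) {
    if ($ok) { "PASS  $text" } else { "FAIL  $text"; $script:failed++ }
}

# 1. Roles and features: DirectAccess Management Console (DAMC), plus IIS with the
#    IP and Domain Restrictions role service when this server is also the network location server.
Import-Module ServerManager
$features = @("DAMC")
if ($NlsOnDaServer) { $features += "Web-Server", "Web-IP-Security" }
foreach ($f in $features) {
    $feature = Get-WindowsFeature $f -ErrorAction SilentlyContinue
    Check (($feature -ne $null) -and $feature.Installed) "Feature installed: $f"
}

# 2. The security groups the wizard asks for in steps 1 and 4 must already exist.
#    ADSI is used so the Active Directory module need not be installed on this server.
foreach ($g in $ClientGroup, $ServerGroup) {
    $hit = ([adsisearcher]"(&(objectCategory=group)(sAMAccountName=$g))").FindOne()
    Check ($hit -ne $null) "AD security group exists: $g"
}

# 3. Step 2 of the wizard needs one Internet-facing and one intranet-facing adapter.
$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True")
Check ($nics.Count -ge 2) "At least two IP-enabled network adapters ($($nics.Count) found)"

# 4. IP-HTTPS certificate in the computer store: matching name, private key, Server Authentication
#    EKU, not expired, and a chain that builds with online revocation checking (clients check the CRL).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$IpHttpsName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
Check ($cert -ne $null) "IP-HTTPS certificate present for $IpHttpsName"
if ($cert -ne $null) {
    Check $cert.HasPrivateKey "IP-HTTPS certificate has a private key"
    Check ($cert.NotAfter -gt (Get-Date)) "IP-HTTPS certificate valid until $($cert.NotAfter)"
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @()
    if ($eku -ne $null) { foreach ($o in $eku.EnhancedKeyUsages) { $oids += $o.Value } }
    Check ($oids -contains $ServerAuthOid) "IP-HTTPS certificate has the Server Authentication EKU"
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = "Online"
    $built = $chain.Build($cert)
    Check $built "IP-HTTPS certificate chains to a trusted root with online revocation checking"
    if (-not $built) { $chain.ChainStatus | ForEach-Object { "      " + $_.StatusInformation.Trim() } }
}

# 5. A separate network location server must answer over HTTPS from the intranet
#    (the same test the wizard's Validate button performs on the Location page).
if (-not $NlsOnDaServer) {
    $ok = $false
    try { [void](New-Object System.Net.WebClient).DownloadString($NlsUrl); $ok = $true } catch { }
    Check $ok "Network location server reachable over HTTPS: $NlsUrl"
}

"$($script:failed) check(s) failed"
```

A FAIL on the chain check usually means the CRL distribution point in the IP-HTTPS certificate is not reachable from this server; DirectAccess clients on the Internet perform the same revocation check, so fix it before running the wizard rather than after.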

To run the DirectAccess Setup wizard for selected server access

  1. Click Start, click Run, type damgmt.msc, and then press ENTER.

  2. In the console tree, click Setup.

  3. In the details pane, click Configure for step 1.

  4. On the DirectAccess Client Setup page, click Add.

  5. In the Select Group dialog box, specify the names of the security groups that you created to contain DirectAccess client computers, click OK, and then click Finish.

    Do not specify the names of built-in security groups, such as Domain Computers or Domain Users. The wizard applies the DirectAccess client settings to every member of the groups you specify, so a built-in group would turn every domain-joined computer into a DirectAccess client.

  6. Click Configure for step 2.

  7. On the Connectivity page, for Interface connected to the Internet, select the network connection that is attached to the Internet. For Interface connected to the internal network, select the network connection that is attached to your intranet. If you are using smart card authorization, select Require smart card login for remote users; the DirectAccess server enforces this requirement on the intranet tunnel. Click Next.

  8. If you have an existing Internet Protocol version 6 (IPv6) infrastructure, a Prefix Configuration page displays. In The IPv6 prefix that is used in your internal network, type the 48-bit address prefix used by your organization. In The IPv6 prefix that is used to assign IPv6 addresses to remote client computers, type the 64-bit address prefix that you have designated for IP over HTTPS (IP-HTTPS)-based DirectAccess clients. Click Next.

  9. On the Certificate Components page, for Select the root certificate to which remote client certificates must chain, click Browse. In the list of certificates, click the root certificate for your public key infrastructure (PKI) that issues computer certificates to your DirectAccess clients and servers, and then click OK.

  10. For Select the certificate that will be used to secure remote client connectivity over HTTPS, click Browse. In the list of certificates, click the certificate installed on the DirectAccess server computer for IP-HTTPS connections, and then click OK. Click Finish.

  11. Click Configure for step 3.

  12. On the Location page:

    • If you are using a separate network location server, click Network Location server is run on a highly available server, type the HTTPS URL for network location without a trailing / (such as https://nls.corp.contoso.com), click Validate, and then click Next. DirectAccess clients treat reachability of this URL as proof that they are on the intranet, so the name must resolve and the server must answer only from the intranet, never from the Internet.

    • If you are using the DirectAccess server as the network location server, click Network Location server is run on the DirectAccess server, click Browse, click the certificate for network location, click OK, and then click Next.

  13. On the DNS and Domain Controller page, add the appropriate rules for the Name Resolution Policy Table (NRPT) as needed by your design. To add an NRPT rule, right-click the empty row, and then click New. Select the appropriate local name resolution option, and then click Next.

  14. On the Management page, add the Internet Protocol (IP) addresses of computers that will be initiating connections to DirectAccess clients as needed by your design. To add a management computer, right-click the empty row, and then click New. Click Finish.

  15. Click Configure for step 4.

  16. On the DirectAccess Application Server Setup page:

    1. Click Require end-to-end authentication and traffic protection for the specified servers.

    2. Click Add. In the Select Group dialog box, specify the names of the security groups that contain the selected servers.

    3. If you want to confine the access of DirectAccess clients to only the selected servers, select Allow access to only those servers in the selected security groups. With this option, DirectAccess clients can reach no other intranet servers over the intranet tunnel.

    4. If you want to use authentication with null encapsulation, select Configure the IPsec connection security rules on these servers to perform authentication without traffic protection. In that mode the end-to-end IPsec rule authenticates the client and the selected server but applies no per-packet encryption or integrity protection; only the client-to-DirectAccess-server tunnel protects the traffic, so the intranet leg between the DirectAccess server and the selected server is unprotected.

  17. Click Finish.

  18. Click Save, and then click Finish.

  19. In the DirectAccess Review dialog box, click Apply. In the DirectAccess Policy Configuration message box, click OK.
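After Apply completes, the following script verifies on the DirectAccess server that the configuration the wizard wrote to Group Policy has taken effect. It is an added example, not part of the TechNet page or of the product; run it in an elevated PowerShell session on the DirectAccess server. The only assumption is $IpHttpsName, the public name on the IP-HTTPS certificate chosen in step 10.

```powershell
# Post-apply verification on the DirectAccess server. Added example, not from the TechNet page.
# Assumption: $IpHttpsName is the public name on the IP-HTTPS certificate selected in step 10.
$IpHttpsName = "da.contoso.com"

function Check([bool]$ok, [string]$text) { if ($ok) { "PASS  $text" } else { "FAIL  $text" } }

# The wizard writes its settings to Group Policy objects, so refresh policy before checking.
gpupdate /target:computer /force | Out-Null

# 1. Windows Firewall must be ON in every profile; connection security rules are not enforced otherwise.
$fw = netsh advfirewall show allprofiles state
Check (-not ($fw | Select-String -Pattern "^State\s+OFF" -Quiet)) "Windows Firewall is ON in every profile"

# 2. The IP-HTTPS listener runs in the server role and reports an active interface.
$tunnel   = netsh interface httpstunnel show interfaces
$roleOk   = $tunnel | Select-String -Pattern "Role\s*:\s*server" -Quiet
$activeOk = $tunnel | Select-String -Pattern "Interface Status\s*:\s*IPHTTPS interface active" -Quiet
Check ($roleOk -and $activeOk) "IP-HTTPS interface active in the server role"

# 3. http.sys must hold an SSL binding for the IP-HTTPS certificate's thumbprint
#    (the wizard creates it; Internet clients connect to it on TCP 443).
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*CN=$IpHttpsName*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
$ssl = netsh http show sslcert
$bound = ($cert -ne $null) -and ($ssl | Select-String -Pattern $cert.Thumbprint -Quiet)
Check $bound "SSL binding present for the IP-HTTPS certificate ($($cert.Thumbprint))"

# 4. IPsec connection security rules delivered by the new policy. Rule names vary by deployment,
#    so they are listed for comparison with the design rather than matched by name.
$consec = netsh advfirewall consec show rule name=all
$names  = @($consec | Select-String -Pattern "^Rule Name:\s*(.+)$" |
            ForEach-Object { $_.Matches[0].Groups[1].Value })
Check ($names.Count -gt 0) "Connection security rules present ($($names.Count))"
$names | ForEach-Object { "      $_" }
```

To confirm the client side, take a DirectAccess client that is a member of the group from step 5 onto the Internet and run netsh namespace show effectivepolicy (the NRPT rules from step 13), netsh interface httpstunnel show interfaces (the IP-HTTPS client interface) and netsh advfirewall monitor show mmsa (the IPsec main mode associations to the DirectAccess server). From the Internet the network location URL from step 12 must not be reachable; if it is, clients will believe they are on the intranet and never bring up the tunnels.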
