Appendix B – Manual DirectAccess Client Configuration

Updated: October 7, 2009

Applies To: Windows Server 2008 R2

Important

This topic describes deployment of DirectAccess in Windows Server 2008 R2. For deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Deployment Guide (https://go.microsoft.com/fwlink/?LinkId=179989).

Manual configuration of DirectAccess clients consists of IPv6 transition technology settings and the Name Resolution Policy Table (NRPT).

IPv6 transition technology settings

Purpose: Configure the Teredo client as an enterprise client and configure the Internet Protocol version 4 (IPv4) address of the Teredo server (the DirectAccess server).

Command: netsh interface teredo set state type=enterpriseclient servername=FirstPublicIPv4AddressOfDirectAccessServer

Group Policy setting: Computer Configuration\Policies\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\Teredo State=Enterprise Client and Computer Configuration\Policies\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\Teredo Server Name=FirstPublicIPv4AddressOfDirectAccessServer

Purpose: Configure the public IPv4 address of the 6to4 relay (the DirectAccess server).

Command: netsh interface 6to4 set relay name=FirstPublicIPv4AddressOfDirectAccessServer

Group Policy setting: Computer Configuration\Policies\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\6to4 Relay Name=FirstPublicIPv4AddressOfDirectAccessServer

Purpose: Enable the IP-HTTPS client and configure the IP-HTTPS Uniform Resource Locator (URL).

Command: netsh interface httpstunnel add interface client https://SubjectOfIP-HTTPSCertificate/IPHTTPS

Group Policy setting: Computer Configuration\Policies\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\IP-HTTPS State set to Enabled and the IP-HTTPS URL of https://SubjectOfIP-HTTPSCertificate:443/IPHTTPS

NRPT

For DirectAccess, the NRPT must be configured with the namespaces of your intranet with a leading dot (for example, .internal.contoso.com or .corp.contoso.com). For a DirectAccess client, any name request that matches one of these namespaces will be sent to the specified intranet Domain Name System (DNS) servers. Include all intranet DNS namespaces that you want DirectAccess client computers to access.

There are no command line methods for configuring NRPT rules. You must use Group Policy settings. To configure the NRPT through Group Policy, use the Group Policy add-in at Computer Configuration\Policies\Windows Settings\Name Resolution Policy in the Group Policy object for DirectAccess clients. You can create a new NRPT rule and edit or delete existing rules. For more information, see Configure the NRPT with Group Policy.
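
The namespace matching described above can be modelled offline to check a planned NRPT rule list before it is entered in Group Policy. The following Python is an added example, not Microsoft code: it assumes that an entry with a leading dot is a suffix rule, that an entry without one matches only that exact name, and that the most specific match wins. The DNS server addresses and test names are constructed.

```python
# Added example: offline model of NRPT namespace matching (not Windows code).
# Assumptions: a leading-dot entry is a suffix rule, an entry without one
# matches only that exact name, and an exact match beats any suffix match,
# with the longest suffix winning among suffix rules.

def _norm(name):
    """Lower-case a DNS name and drop any trailing root dot."""
    return name.strip().lower().rstrip(".")

def match_rule(query, rules):
    """Return (namespace, dns_servers) of the best matching rule, or None."""
    q = _norm(query)
    best = None
    for namespace, servers in rules.items():
        ns = _norm(namespace)
        if ns.startswith("."):
            # Suffix rule: the leading dot forces a label boundary, so
            # ".corp.contoso.com" never matches "notcorp.contoso.com".
            hit, rank = q.endswith(ns), (0, len(ns))
        else:
            # No leading dot: treated as a single exact name.
            hit, rank = q == ns, (1, len(ns))
        if hit and (best is None or rank > best[0]):
            best = (rank, namespace, servers)
    return None if best is None else (best[1], best[2])

def unmatched(names, rules):
    """Names that match no rule and so are not sent to intranet DNS."""
    return [n for n in names if match_rule(n, rules) is None]

# Constructed sample data: namespaces from the text, documentation-range
# IPv6 addresses standing in for intranet DNS servers.
GOOD_RULES = {
    ".internal.contoso.com": ["2001:db8::53"],
    ".corp.contoso.com": ["2001:db8::53", "2001:db8::54"],
}
# Same list with the leading dot forgotten on one namespace.
BAD_RULES = {
    ".internal.contoso.com": ["2001:db8::53"],
    "corp.contoso.com": ["2001:db8::53", "2001:db8::54"],
}
NAMES = ["app1.corp.contoso.com", "fs.internal.contoso.com",
         "notcorp.contoso.com", "www.example.com"]

if __name__ == "__main__":
    for label, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(label, "-> not sent to intranet DNS:", unmatched(NAMES, rules))
```

With the leading dot missing, app1.corp.contoso.com matches no rule in this model and its query is not directed to the intranet DNS servers.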