DirectAccess can keep intranet traffic and Internet traffic separate, as shown in Figure 4, so that only intranet-bound traffic crosses the corporate network. Most VPNs send all traffic, even traffic destined for the Internet, through the VPN, which can slow both intranet and Internet access. Because communications to the Internet do not have to travel to the corporate network and back out to the Internet, DirectAccess does not slow down Internet access.
Figure 4 The default traffic flow for DirectAccess does not send Internet traffic through the DirectAccess server
IT administrators can also choose to route all traffic, except traffic for the local subnet, through the DirectAccess server and the intranet. When this option is enabled, all communications use the IP-HTTPS protocol, which creates an IP tunnel within the HTTPS protocol, allowing it to pass through firewalls and proxy servers.
Combining this option with Windows Firewall with Advanced Security, IT administrators have complete control over which applications can send traffic and which subnets client computers can reach. For example, IT administrators can use outbound Windows Firewall rules to:
- Allow client computers to connect to the entire Internet, but only one specific subnet on the intranet.
- Allow client computers to connect directly to the Internet using Internet Explorer®, but send traffic for all other applications through the intranet.
- Prevent intranet applications from sending communications to the Internet by restricting them to specific servers on your intranet.
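The three rule sets above, written out as outbound Windows Firewall with Advanced Security rules. This is an added example and not part of the DirectAccess documentation or of Windows itself. It uses the NetSecurity cmdlets (New-NetFirewallRule, Set-NetFirewallProfile, Remove-NetFirewallRule), which ship with Windows 8 and Windows Server 2012 and later; on Windows 7 clients the same rules are created with netsh advfirewall firewall. The intranet prefixes, the single permitted subnet, the server addresses, the Contoso application path and the rule group name are all constructed placeholders, and the address math is IPv4 only: on an actual DirectAccess client, intranet hosts are reached over IPv6, so the intranet placeholders would be the organization's IPv6 prefixes. The helper Get-IPv4Complement is also an assumption of this example: WFAS rules cannot express "everything except these addresses", so the complement of the intranet ranges is enumerated explicitly instead of relying on the firewall's Internet/Intranet address keywords.

```powershell
# Added example (not from the DirectAccess documentation): outbound WFAS rules for the
# three scenarios listed above. NetSecurity cmdlets (Windows 8 / Server 2012 and later);
# on Windows 7 the same rules are created with "netsh advfirewall firewall".
# Subnets, server addresses and program paths are constructed placeholders. Run elevated;
# in practice these rules are deployed by Group Policy to the DirectAccess client computers.

$RuleGroup      = 'DirectAccess outbound policy'            # lets all example rules be removed together
$IntranetRanges = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')   # assumed intranet address space
$IntranetSubnet = '10.20.30.0/24'                            # the single subnet allowed in scenario 1
$LobServers     = @('10.20.30.10/32', '10.20.30.11/32')      # servers the intranet app may use (scenario 3)
$LobApp         = 'C:\Program Files\Contoso\LobClient.exe'   # hypothetical intranet application
$IeBrowser      = "$env:ProgramFiles\Internet Explorer\iexplore.exe"
# Address space that is never "the Internet": private, this-network, loopback, link-local, multicast, reserved.
$NonInternet    = $IntranetRanges + @('0.0.0.0/8', '127.0.0.0/8', '169.254.0.0/16', '224.0.0.0/4', '240.0.0.0/4')

function ConvertTo-Int64Address([string]$Ip) {
    # Dotted IPv4 -> integer, kept as Int64 so range arithmetic cannot overflow.
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)
    return [int64][BitConverter]::ToUInt32($bytes, 0)
}

function ConvertFrom-Int64Address([int64]$Value) {
    $bytes = [BitConverter]::GetBytes([uint32]$Value)
    [Array]::Reverse($bytes)
    return (New-Object System.Net.IPAddress(,$bytes)).ToString()
}

function Get-IPv4Complement([string[]]$Cidrs) {
    # Returns "start-end" strings covering every IPv4 address NOT inside the given CIDRs.
    $ranges = foreach ($cidr in $Cidrs) {
        $net, $len = $cidr -split '/'
        $start = ConvertTo-Int64Address $net
        [pscustomobject]@{ Start = $start; End = $start + [int64][math]::Pow(2, 32 - [int]$len) - 1 }
    }
    $gaps = @()
    $next = [int64]0
    foreach ($r in ($ranges | Sort-Object Start)) {
        if ($r.Start -gt $next) {
            $gaps += '{0}-{1}' -f (ConvertFrom-Int64Address $next), (ConvertFrom-Int64Address ($r.Start - 1))
        }
        if ($r.End + 1 -gt $next) { $next = $r.End + 1 }
    }
    if ($next -le 4294967295) { $gaps += '{0}-255.255.255.255' -f (ConvertFrom-Int64Address $next) }
    return $gaps
}

$InternetRanges = Get-IPv4Complement $NonInternet   # 1.0.0.0-9.255.255.255, 11.0.0.0-126.255.255.255, ...

function Reset-ExampleRules {
    # Remove earlier example rules so the scenarios can be applied one at a time.
    Remove-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue
}

function Set-InternetPlusOneSubnet {
    # Scenario 1: every program may reach the Internet, but only one intranet subnet.
    # Deny-by-default outbound, then allow exactly those two destination sets.
    Reset-ExampleRules
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block
    New-NetFirewallRule -DisplayName 'DA: any program to Internet' -Group $RuleGroup `
        -Direction Outbound -Action Allow -RemoteAddress $InternetRanges
    New-NetFirewallRule -DisplayName 'DA: any program to one intranet subnet' -Group $RuleGroup `
        -Direction Outbound -Action Allow -RemoteAddress $IntranetSubnet
}

function Set-BrowserDirectOthersIntranet {
    # Scenario 2: Internet Explorer reaches the Internet directly; every other program
    # only reaches intranet destinations, and therefore travels through the DirectAccess tunnel.
    Reset-ExampleRules
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block
    New-NetFirewallRule -DisplayName 'DA: Internet Explorer to Internet' -Group $RuleGroup `
        -Direction Outbound -Action Allow -Program $IeBrowser -RemoteAddress $InternetRanges
    New-NetFirewallRule -DisplayName 'DA: all programs to intranet' -Group $RuleGroup `
        -Direction Outbound -Action Allow -RemoteAddress $IntranetRanges
}

function Set-LobAppConfinedToServers {
    # Scenario 3: the intranet application may talk only to its own servers. WFAS applies
    # block rules before allow rules, so this holds whatever the profile's default action is.
    Reset-ExampleRules
    New-NetFirewallRule -DisplayName 'DA: LOB app confined to its servers' -Group $RuleGroup `
        -Direction Outbound -Action Block -Program $LobApp -RemoteAddress (Get-IPv4Complement $LobServers)
}

# Apply one scenario. Leave the built-in "Core Networking" outbound rules enabled: DNS, DHCP
# and the IP-HTTPS/IPsec transport that DirectAccess itself uses depend on them.
Set-LobAppConfinedToServers
Get-NetFirewallRule -Group $RuleGroup | Format-Table DisplayName, Direction, Action
```

Each scenario function first removes the group's earlier rules, so the three can be tried one after another on a test client; the first two switch the profiles to deny-by-default outbound, which is why the Core Networking rules matter, while the third relies only on a block rule and leaves the profile defaults alone.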
While the default DirectAccess traffic configuration is optimized for performance, IT administrators have the flexibility they need to meet their organization’s security requirements.