Appendix A – Installation Overview

When installing a DirectAccess server, there are three sets of components to consider:

  • Internet access components – Protocols that provide the bridge between the Internet and your intranet.

  • Intranet access components – Protocols that provide the bridge between the intranet that your client is sitting on (or the DirectAccess server itself) and other IPv6 devices on your intranet.

  • Security components – Provide additional security to protect the intranet and DirectAccess clients.

Getting Started steps

Begin by performing the following steps:

  1. Install Windows Server 2008 R2 on a server computer with two physical network adapters.

  2. Join the server to an Active Directory domain. Domain membership is required for the DirectAccess server.

  3. Install a computer certificate on the DirectAccess server, which will be used for IPsec authentication.

  4. Configure the DirectAccess server so that it is in the perimeter network with one network adapter connected to the Internet and at least one other network adapter connected to the intranet. Ensure that both network adapters are enabled and have their respective IPv4 addresses configured (if there is no native IPv6 connectivity available). This is critical for the DirectAccess server to derive its configuration information automatically. Otherwise, you will need to enter the detailed configuration manually.

    Note

    Native IPv6 connectivity is not a requirement for the DirectAccess server. IPv6 connectivity can be obtained automatically through the use of IPv6 transition technologies if native IPv6 is not present.

  5. Verify that the ports and protocols listed in the Firewall exceptions section of this document are opened on the perimeter and Internet-facing firewalls.

  6. The DirectAccess server will need at least two consecutive, public static IPv4 addresses that are externally resolvable through DNS. Addresses in the ranges 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 are private IPv4 addresses and cannot be used. Make sure that you have an IPv4 address available and that you have the ability to have that address published in your externally facing DNS server. For example, da.[your company name].com or das.[your company name].com are some names you could choose, but these are not requirements. Changing this address will change your 6to4 prefix to 2002:[IPv4 addresses]::/64.

  7. If your organization has disabled IPv6 on clients and servers, enable IPv6.

  8. Create a security group in Active Directory and add the client computer accounts for the DirectAccess clients.

  9. If the DirectAccess server is also the network location server, install the IIS server role on the DirectAccess server. For more information, see the Determination of On-Intranet or Off-Intranet section in this document.

  10. Designate one of the server network adapters as the Internet-facing interface. That interface will require two consecutive, public IPv4 addresses. Both IPv4 addresses must be assigned to the same interface.

  11. On the DirectAccess server, ensure the Internet-facing interface is configured to be either a “Public” or a “Private” interface (depending on your network design) and the intranet interfaces are configured to be “Domain” interfaces. No other combinations are supported. If you have more than two interfaces, ensure that no more than two classification types are selected.
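The address requirements in steps 6 and 10 can be checked before the addresses are assigned to the Internet-facing interface. The following is an added example, not part of the original guide: the function names are hypothetical, and the sample addresses are constructed from the 203.0.113.0/24 documentation range, standing in for your real public addresses. It rejects the three private ranges named in step 6, confirms that two of the addresses are consecutive, and shows how each IPv4 address is embedded in hexadecimal after 2002: in the 6to4 prefix.

```python
import ipaddress

# The three private IPv4 ranges that step 6 says cannot be used.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def sixtofour_prefix(ipv4):
    """Return 2002:WWXX:YYZZ:: with the IPv4 address embedded in hex."""
    value = (0x2002 << 112) | (int(ipv4) << 80)
    return ipaddress.IPv6Address(value)


def check_internet_addresses(addresses):
    """Check candidate Internet-facing addresses against steps 6 and 10.

    Returns (problems, prefixes): a list of problem descriptions and a dict
    mapping each parsed address to the start of its 6to4 prefix.
    """
    problems, parsed = [], []
    for text in addresses:
        try:
            parsed.append(ipaddress.IPv4Address(text))
        except ipaddress.AddressValueError:
            problems.append(f"{text}: not a valid IPv4 address")
    for ip in parsed:
        for net in PRIVATE_RANGES:
            if ip in net:
                problems.append(f"{ip}: inside private range {net}")
    # At least one adjacent pair must differ by exactly one.
    ordered = sorted(parsed)
    pairs = zip(ordered, ordered[1:])
    if not any(int(b) - int(a) == 1 for a, b in pairs):
        problems.append("no two of the addresses are consecutive")
    prefixes = {str(ip): str(sixtofour_prefix(ip)) for ip in parsed}
    return problems, prefixes


if __name__ == "__main__":
    # Constructed sample input (documentation range, not real addresses).
    found, derived = check_internet_addresses(["203.0.113.10", "203.0.113.11"])
    for address, prefix in derived.items():
        print(f"{address} -> {prefix}")
    for problem in found:
        print("PROBLEM:", problem)
```
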

For detailed instructions to set up DirectAccess in a test lab, see Step-by-Step Guide: Demonstrate DirectAccess in a Test Lab.