Capacity Planning for DirectAccess Servers

Applies To: Windows 7, Windows Server 2008 R2

Important

This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (https://go.microsoft.com/fwlink/?LinkId=179988).

Capacity planning for DirectAccess servers can be done in the following ways:

  • Move the Internet Protocol security (IPsec) gateway function to a separate server that has IPsec offload hardware

  • Use DirectAccess with Microsoft Forefront Unified Access Gateway (UAG)

Increasing the number of concurrent Teredo clients

By default, the DirectAccess server can support 256 concurrent Teredo-based DirectAccess clients based on the default maximum number of entries in the neighbor cache. To increase the number of entries allowed in the neighbor cache, run the **netsh interface ipv6 set global neighborcachelimit=**Maximum command, in which Maximum is the maximum number of expected concurrent Teredo-based DirectAccess clients.

Moving the IPsec gateway function to a separate server

The DirectAccess server as configured by the DirectAccess Setup Wizard has the following functions:

  • Teredo server and relay

  • 6to4 relay

  • Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS) server

  • Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) router

  • Native Internet Protocol version 6 (IPv6) router

  • IPsec gateway

It is possible to move these functions to other computers. One configuration that supports scalability for many DirectAccess connections is to move the IPsec gateway and ISATAP router functions to another computer with IPsec offload hardware, which can handle the processor-intensive cryptographic operations and support many IPsec tunnels. The following figure shows an example.

In this example, Server 1 provides the 6to4 relay, Teredo server, and IP-HTTPS server functions and Server 2 provides ISATAP router and IPsec gateway functions. DirectAccess clients use Server 1 to tunnel traffic across the IPv4 Internet and establish the infrastructure and intranet IPsec tunnels with Server 2. Intranet computers forward traffic to DirectAccess clients to Server 2.

The requirements of this configuration are the following:

  • Both Server 1 and Server 2 must have two physical interfaces, one classified as a public interface and one classified as a domain interface. Server 1 has its public interface on the Internet.

  • The subnet for the link between the Server 1 and Server 2, the intra-server subnet, must use native IPv6 addressing. You cannot use 6to4 or ISATAP tunneling on this link. You must pick a unique 64-bit prefix for your intranet and configure static IPv6 addresses for each interface on this subnet.

  • You must configure a default IPv6 route (::/0) on Server 2 that points to Server 1’s interface on the intra-server subnet.

  • Because Server 2 computer is a native IPv6 router, you must configure outbound firewall rules on the interface on the intra-server subnet to prevent reachability to intranet domain controllers.

  • The tunnel endpoints in the Group Policy objects for the DirectAccess clients and server must specify the native IPv6 address of Server 2’s interface on the intra-server subnet.

With this configuration, Server 2 acts as the IPsec intranet and infrastructure tunnel endpoint, providing decryption services for packets from DirectAccess clients and encryption services for packets to DirectAccess clients.

The following figure shows an example of the traffic between DirectAccess clients and intranet servers for the full intranet access model.

The traffic over the Internet between the DirectAccess client and Server 2 is encrypted through the intranet tunnel. The traffic over the intranet between Server 2 and intranet servers is clear text.

The recommended method to deploy this configuration is the following:

  1. While configured with two consecutive public IPv4 addresses, complete the DirectAccess Setup Wizard on Server 2.

  2. Set up the intra-server subnet and the static IPv6 addressing of Server 1. Reconfigure Server 2 with the appropriate IPv4 addresses for the intra-server subnet and remove the two consecutive public IPv4 addresses. Configure Server 1 with the two consecutive public IPv4 addresses on the Internet interface.

  3. Configure Server 1 as a default advertising router for the intra-server subnet, and a 6to4 relay, Teredo server and relay, and IP-HTTPS server on the Internet.

  4. Disable the 6to4 relay, Teredo server and relay, and IP-HTTPS server functionality on Server 2.

  5. Configure Group Policy settings for the new IPsec tunnel endpoint on Server 2.

For deployment instructions to move the IPsec gateway function to a separate server, see Checklist: Moving the IPsec Gateway to Another Server.

Using DirectAccess with UAG

You can expand the capacity of a single Forefront UAG DirectAccess server deployment by creating a load-balanced Forefront UAG array that provides high availability and scalability. For more information, see Configuring NLB for a Forefront UAG DirectAccess array (https://go.microsoft.com/fwlink/?LinkId=160075).