Selected Server Access
Applies To: Windows 7, Windows Server 2008 R2
Important
This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (https://go.microsoft.com/fwlink/?LinkId=179988).
The DirectAccess Setup Wizard allows you to configure one of the following for the selected server access model:
The only servers that DirectAccess clients can communicate with are selected intranet servers using Internet Protocol security (IPsec) peer authentication and end-to-end data integrity.
The only servers that DirectAccess clients can communicate with are selected intranet servers using IPsec peer authentication but no IPsec protection.
Communications between DirectAccess clients and selected intranet servers must perform IPsec peer authentication and end-to-end data integrity. Communications with all other intranet endpoints use clear text.
Communications between DirectAccess clients and intranet servers must perform IPsec peer authentication but no IPsec protection. Communications with all other intranet endpoints use clear text.
In each of these cases, the traffic sent between the DirectAccess client and the DirectAccess server is encrypted over the Internet. See Selected Server Access Example for more information.
The following are the benefits of the selected server access model:
You can easily confine the access of DirectAccess clients to specific application servers.
Provides additional end-to-end authentication and data protection beyond that provided with traditional virtual private network (VPN) connections.
Can be used with smart cards for an additional level of authorization.
Is fully configurable with the DirectAccess Setup Wizard.
By customizing the default Windows Firewall with Advanced Security connection security rules created by the DirectAccess Setup Wizard, you can restrict certain users or computers from accessing particular application servers or specify that certain client applications will not be able to access intranet resources remotely. However, customization of connection security rules requires knowledge of and experience with connection security rule design and configuration.
The following are the limitations of the selected server access model:
Selected servers must run Windows Server 2008 or later. Selected servers cannot run Windows Server 2003 or earlier.
Selected servers when using IPsec peer authentication without IPsec protection must be running Windows Server 2008 R2 or later.
Note
To demonstrate selected server access, configure the DirectAccess test lab (https://go.microsoft.com/fwlink/?Linkid=150613) with the Selected Server Access extension (https://go.microsoft.com/fwlink/?LinkId=192278).