End-to-End Access

Applies To: Windows 7, Windows Server 2008 R2

Important

This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (https://go.microsoft.com/fwlink/?LinkId=179988).

The end-to-end access model allows you to configure DirectAccess clients so that communications between DirectAccess clients and all intranet servers perform IPsec peer authentication, data confidentiality (encryption), and data integrity from the DirectAccess client to the intranet resource. The traffic sent between DirectAccess clients and servers is encrypted over both the Internet and the intranet. For more information, see the End-to-end Access Example.

The following are the benefits of the end-to-end access model:

  • Provides additional end-to-end authentication, data integrity, and data confidentiality beyond that provided with traditional virtual private network (VPN) connections.

  • There is less processing overhead on the DirectAccess server, which is acting only as a router and providing denial of service protection (DoSP) for the IPsec-encrypted DirectAccess traffic.

  • By customizing the default Windows Firewall with Advanced Security connection security rules created by the DirectAccess Setup Wizard, you can define policies that restrict certain users or computers from accessing particular application servers or specify that certain applications will not be able to access intranet resources remotely. However, customization of the default connection security rules requires knowledge of and experience with connection security rule design and configuration.

The following are the limitations of the end-to-end access model:

  • All intranet application servers accessible to DirectAccess clients must run Windows ServerĀ 2008 or later. Application servers cannot run Windows Server 2003 or earlier.

  • Your intranet must allow the forwarding of IPsec-encrypted traffic.

  • Is not fully configurable with the DirectAccess Setup Wizard. You use the DirectAccess Setup Wizard to create the initial set of DirectAccess client and server Group Policy objects and settings and then you must customize the default Windows Firewall with Advanced Security connection security rules.

  • Cannot use smart cards for an additional level of authorization.

  • Cannot access IPv4-only intranet resources, even with an IPv6/IPv4 translator and IPv6/IPv4 DNS gateway.