Group Policy Management Console and Editor

Updated: November 18, 2009

Applies To: Windows Server 2008 R2

DirectAccess clients, servers, and selected servers obtain their DirectAccess settings through Group Policy objects. The primary tools for viewing and changing the configuration of settings within Group Policy objects are the Group Policy Management Console and Group Policy Management Editor snap-ins.

For DirectAccess, you use the Group Policy Management Editor snap-in to view or modify the following configuration:

  • Name Resolution Policy Table (NRPT) rules

  • Internet Protocol version 6 (IPv6) transition technologies

  • Intranet connectivity

  • Connection security rules

NRPT rules

Rules in the NRPT that you configure in step 3 of the DirectAccess Setup Wizard are created in the Computer Configuration\Policies\Windows Settings\Name Resolution Policy node of the Group Policy object for DirectAccess clients.

Use the Group Policy Management Editor snap-in to verify the configuration of NRPT rules and modify them as needed.

IPv6 Transition Technologies settings

The DirectAccess Setup Wizard configures settings for the 6to4, Teredo, and Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS) IPv6 transition technologies in the Computer Configuration\Policies\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies node of the Group Policy object for DirectAccess clients.

The following table lists the IPv6 transition technology settings and their values as set by the DirectAccess Setup Wizard.

| Setting name | Description | Value set by the DirectAccess Setup Wizard |
| --- | --- | --- |
| 6to4 Relay Name | Allows you to specify a 6to4 relay name for a 6to4 host. A 6to4 relay is used as a default gateway for IPv6 network traffic sent by the 6to4 host. | The first consecutive public Internet Protocol version 4 (IPv4) address of the DirectAccess server’s Internet interface. |
| 6to4 Relay Name Resolution Interval | Allows you to specify the interval at which the 6to4 relay name is resolved. | N/A (not configured) |
| 6to4 State | Allows you to configure the state of the 6to4 client. | N/A |
| IP-HTTPS State | Allows you to configure the state of the IP-HTTPS client. | The IP-HTTPS uniform resource locator (URL) and the interface in a default state. |
| ISATAP Router Name | Allows you to specify a name or IPv4 address for an Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) router. | N/A |
| ISATAP State | Allows you to configure the state of the ISATAP host. | N/A |
| Teredo Client Port | Allows you to specify the User Datagram Protocol (UDP) port the Teredo client uses to send packets. | N/A |
| Teredo Default Qualified | Allows you to set Teredo to be ready to communicate. By default, Teredo enters a dormant state when not in use. The qualification process brings it out of a dormant state. | Set to enabled state. |
| Teredo Refresh Rate | Allows you to configure the rate at which Teredo clients refresh the Network Address Translator (NAT) translation table. | N/A |
| Teredo Server Name | Allows you to specify the name of the Teredo server. | The first consecutive public IPv4 address of the DirectAccess server’s Internet interface. |
| Teredo State | Allows you to specify the state of the Teredo service. | N/A |

Use the Group Policy Management Editor snap-in to verify the configuration of 6to4, Teredo, and IP-HTTPS settings for DirectAccess clients and modify them as needed.

Intranet connectivity settings

Settings for the intranet and network location detection processes are configured by the DirectAccess Setup Wizard in the Computer Configuration\Policies\Administrative Templates\Network\Network Connection Status Indicator node of the Group Policy object for DirectAccess clients.

| Setting name | Description | Value set by the DirectAccess Setup Wizard |
| --- | --- | --- |
| Corporate DNS Probe Host Address | The expected address when querying the Corporate DNS Probe Host Name. | ::1 |
| Corporate DNS Probe Host Name | A fully qualified domain name (FQDN) to query to determine corporate connectivity. | directaccess-corpConnectivityHost.ComputerDNSSuffix |
| Corporate Site Prefix List | The list of IPv6 addresses and prefixes that define the address space of the corporate network. | The IPv6 prefix of the intranet. |
| Corporate Website Probe URL | A URL to request to determine corporate connectivity. | N/A (not configured) |
| Domain Location Determination URL | The Secure Hypertext Transfer Protocol (HTTPS)-based URL of the network location server. | The URL specified during the DirectAccess Setup Wizard or obtained from the Subject field of the certificate on the DirectAccess server that was selected for network location. |

Use the Group Policy Management Editor snap-in to verify the configuration of these corporate connectivity settings—most importantly for DirectAccess, the Domain Location Determination URL setting—and modify them as needed.

Connection security rules

The DirectAccess Setup Wizard configures connection security rules to define traffic protection in the Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security node of the Group Policy objects for DirectAccess clients, the DirectAccess server, and selected servers.

Note

Use the Group Policy Management Editor snap-in only to view the connection security rules. Because the DirectAccess Setup Wizard creates the connection security rules with advanced settings for which there is no user interface equivalent, if you modify the connection security rules with the Group Policy Management Editor snap-in, the advanced settings are lost. This can result in impaired DirectAccess functionality. Instead, use netsh advfirewall consec set rule commands.
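Because an edit to these Group Policy objects can silently change or drop settings, it helps to snapshot a GPO before opening it in the editor and to compare it afterwards. The following script is an added example, not part of the original page: it uses the GroupPolicy module cmdlets Backup-GPO and Get-GPOReport, and the GPO name and baseline folder are placeholders you supply.

```powershell
# Added example: $GpoName and $BaselineRoot are placeholders, not values from this page.
param(
    [Parameter(Mandatory = $true)][string]$GpoName,
    [string]$BaselineRoot = 'C:\GpoBaselines'
)

Import-Module GroupPolicy   # installed with GPMC on Windows Server 2008 R2

# One folder per GPO, one timestamped subfolder per snapshot.
$gpoDir  = Join-Path $BaselineRoot ($GpoName -replace '[\\/:*?"<>|]', '_')
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$snapDir = Join-Path $gpoDir $stamp

# Find the most recent earlier snapshot before creating the new one.
$previous = $null
if (Test-Path $gpoDir) {
    $previous = Get-ChildItem $gpoDir | Where-Object { $_.PSIsContainer } |
        Sort-Object Name | Select-Object -Last 1
}

New-Item -ItemType Directory -Path $snapDir -Force | Out-Null

# Full backup: restorable with Restore-GPO if an edit damages the rules.
Backup-GPO -Name $GpoName -Path $snapDir -Comment "Snapshot $stamp" | Out-Null

# XML settings report: the text that is compared between snapshots.
$report = Join-Path $snapDir 'report.xml'
Get-GPOReport -Name $GpoName -ReportType Xml -Path $report

if ($previous) {
    $oldReport = Join-Path $previous.FullName 'report.xml'
    # The report's read-time line changes on every run; the element name
    # in this filter is an assumption about the report layout.
    $old = Get-Content $oldReport | Where-Object { $_ -notmatch '<ReadTime>' }
    $new = Get-Content $report    | Where-Object { $_ -notmatch '<ReadTime>' }
    $diff = Compare-Object $old $new
    if ($diff) {
        Write-Warning "Settings in '$GpoName' changed since $($previous.Name):"
        $diff | Format-Table SideIndicator, InputObject -AutoSize -Wrap
    } else {
        Write-Output "No setting changes in '$GpoName' since $($previous.Name)."
    }
} else {
    Write-Output "First snapshot of '$GpoName' saved to $snapDir."
}
```

Run it once for each DirectAccess GPO before making changes and again afterwards; any line reported under the warning is a setting that differs from the previous snapshot.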