Configure Force Tunneling for DirectAccess Clients

Updated: May 24, 2010

Applies To: Windows Server 2008 R2

Important

This topic describes deployment of DirectAccess in Windows Server 2008 R2. For deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Deployment Guide (https://go.microsoft.com/fwlink/?LinkId=179989).

Before configuring force tunneling settings for DirectAccess clients, you should have deployed and determined the Internet Protocol version 6 (IPv6) addresses of either your dual protocol (Internet Protocol version 4 [IPv4] and IPv6) proxy servers or your IPv6/IPv4 translator (NAT64) and IPv6/IPv4 DNS gateway (DNS64) devices that are in front of your IPv4-based proxy servers. For more information about these devices, see Choose Solutions for IPv4-only Intranet Resources.

To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to change Group Policy settings. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To configure force tunneling

  1. On a domain controller, click Start, type gpmc.msc, and then press ENTER.

  2. In the console tree of the Group Policy Management snap-in, open the appropriate forest and domain object, right-click the Group Policy object for DirectAccess clients, and then click Edit.

  3. In the console tree of the Group Policy Management Editor snap-in, open Computer Configuration\Policies\Administrative Templates\Network\Network Connections.

  4. In the details pane, double-click Route all traffic through the internal network.

  5. In the Route all traffic through the internal network dialog box, click Enabled, and then click OK.

  6. In the console tree of the Group Policy Management Editor snap-in, open Computer Configuration\Policies\Windows Settings\Name Resolution Policy.

  7. In the details pane, in To which part of the namespace does this rule apply?, click Any.

  8. Click the DNS Settings for Direct Access tab, and then click Enable DNS settings for Direct Access in this rule.

  9. In DNS servers (optional), click Add. In DNS server, type the IPv6 address of your dual protocol (IPv4 and IPv6) proxy server or your NAT64/DNS64 devices that are in front of your IPv4-based proxy server. Repeat this step if you have multiple IPv6 addresses.

  10. Click Create, and then click Apply.

  11. In the console tree of the Group Policy Management Editor snap-in, open Computer Configuration\Policies\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies.

  12. In the details pane, double-click 6to4 State.

  13. In the 6to4 State dialog box, click Enabled, click Disabled State in Select from the following states, click Apply, and then click OK.

  14. In the details pane, double-click Teredo State.

  15. In the Teredo State dialog box, click Enabled, click Disabled State in Select from the following states, click Apply, and then click OK.

  16. In the details pane, double-click IP-HTTPS State.

  17. In the IP-HTTPS State dialog box, click Enabled State in Select Interface state from the following options, click Apply, and then click OK.

DirectAccess clients will apply these settings the next time they update their Computer Configuration Group Policy.
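To confirm on a DirectAccess client that the settings from the procedure above took effect, the following PowerShell check can be run from an elevated prompt. It is an added example, not part of the original topic. It assumes English-language netsh output, so the match patterns are assumptions to compare against the raw output, and the report file name is hypothetical.

```powershell
# Added example: verify force tunneling settings on a DirectAccess client.
# Assumption: English netsh output. The patterns below are written for that
# wording, so compare any failed check against the raw output it prints.

function Test-NetshSetting {
    param([string]$Check, [string[]]$NetshArgs, [string]$Pattern)
    # Capture everything netsh prints as one string so the regex can span lines.
    $text = (& netsh.exe @NetshArgs 2>&1 | Out-String)
    New-Object PSObject -Property @{
        Check  = $Check
        Passed = [bool]($text -match $Pattern)
        Output = $text.Trim()
    }
}

# Apply Computer Configuration policy now instead of waiting for the next refresh.
& gpupdate.exe /target:computer /force | Out-Null

$results = @(
    # Steps 6-10: an NRPT rule for the Any namespace, which netsh lists as ".".
    Test-NetshSetting 'NRPT rule for Any namespace' `
        @('namespace', 'show', 'effectivepolicy') '(?m)^Settings for \.\s*$'
    # Steps 12-13: 6to4 must be disabled.
    Test-NetshSetting '6to4 disabled' `
        @('interface', '6to4', 'show', 'state') '(?m)^\s*State\s*:\s*disabled'
    # Steps 14-15: Teredo must be disabled.
    Test-NetshSetting 'Teredo disabled' `
        @('interface', 'teredo', 'show', 'state') '(?m)^\s*Type\s*:\s*disabled'
    # Steps 16-17: an IP-HTTPS client interface must be present.
    Test-NetshSetting 'IP-HTTPS client interface present' `
        @('interface', 'httpstunnel', 'show', 'interfaces') '(?m)^\s*Role\s*:\s*client'
)

$results | Format-Table Check, Passed -AutoSize

# Show the raw netsh output for every check that did not match.
$results | Where-Object { -not $_.Passed } | ForEach-Object {
    Write-Warning ("{0} did not match. Raw output:`n{1}" -f $_.Check, $_.Output)
}

# Steps 3-5 have no netsh view. Write a Group Policy report and confirm that
# "Route all traffic through the internal network" is listed as Enabled.
$report = Join-Path $env:TEMP 'da-force-tunnel-gpresult.html'   # hypothetical file name
& gpresult.exe /scope computer /h $report /f
Write-Output "Group Policy report written to $report"
```

In the NRPT output, also check that the DirectAccess DNS server addresses listed for the `.` rule are the IPv6 addresses entered in step 9.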
