Appendix D - DirectAccessConfig.xsd

Updated: October 7, 2009

Applies To: Windows Server 2008 R2

Important

This topic describes deployment of DirectAccess in Windows Server 2008 R2. For deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Deployment Guide (https://go.microsoft.com/fwlink/?LinkId=179989).

The DirectAccessConfig.xml file contains the DirectAccess configuration data of the DirectAccess Setup Wizard. The following is the Extensible Markup Language (XML) schema definition (XSD) file for DirectAccessConfig.xml. To create a DirectAccessConfig.xsd file, copy the contents to Notepad, and then save the file as DirectAccessConfig.xsd.

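<?xml version="1.0" encoding="utf-8"?>
<!--
  Schema for DirectAccessConfig.xml, the configuration file of the DirectAccess
  Setup Wizard.

  The xs prefix is bound to the W3C XML Schema namespace name, which is spelled
  with the http scheme. A namespace name is compared as a literal string and is
  never dereferenced, so an "https" spelling names a different namespace and a
  schema processor would not recognise any xs:* element declared under it.

  NOTE(review): the target namespace and default namespace are kept exactly as
  published. Confirm that they match the namespace declared on the root element
  of a DirectAccessConfig.xml written by the wizard; if the two differ, no
  instance document will validate against this schema.
-->
<xs:schema xmlns="https://www.microsoft.com/networking/DirectAccess/v1"
           xmlns:xs="http://www.w3.org/2001/XMLSchema"
           targetNamespace="https://www.microsoft.com/networking/DirectAccess/v1"
           attributeFormDefault="unqualified"
           elementFormDefault="qualified">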
  <xs:element name="root">
    <xs:complexType>
      <xs:all>
        <!--
          ServerData: settings of the DirectAccess server itself. Children of an
          xs:all group may appear in any order; each is required exactly once
          unless it carries minOccurs="0".
        -->
        <xs:element name="ServerData">
          <xs:complexType>
            <xs:all>
              <xs:element name="CorpPrefix" type="ipv6Prefix" />
              <xs:element name="InternetInterface" type="interface" />
              <xs:element name="InternalNetworkInterface" type="interface" />
              <xs:element name="TransitionTechnologies">
                <xs:complexType>
                  <xs:all>
                    <!--
                      ISATAP is optional at schema level. The MUST in its annotation is a
                      prose rule that validation cannot enforce; whoever consumes the file
                      has to check it.
                    -->
                    <xs:element name="ISATAP" minOccurs="0">
                      <xs:annotation>
                        <xs:documentation xml:lang="en-us">
                          This MUST be specified if there is no pre-existing IPv6 or ISATAP 
                          deployment on the internal network.
                        </xs:documentation>
                      </xs:annotation>
                      <xs:complexType>
                        <xs:all>
                          <xs:element name="IsatapRouterName" type="domainName" />
                          <xs:element name="IsatapInterfaceName" type="domainName" />
                          <xs:element name="CorpV4Address" type="ipv4Address" />
                        </xs:all>
                      </xs:complexType>
                    </xs:element>
                    <!-- Teredo is required and holds a single IPv4 address. -->
                    <xs:element name="Teredo">
                      <xs:complexType>
                        <xs:all>
                          <xs:element name="FirstInternetGlobalAddress" type="ipv4Address" />
                        </xs:all>
                      </xs:complexType>
                    </xs:element>
                  </xs:all>
                </xs:complexType>
              </xs:element>
              <!--
                IP-HTTPS listener settings. xs:hexBinary only guarantees an even number of
                hex digits and xs:anyURI does not restrict the scheme, so the schema does
                not prove that IpHttpsCertHash has the length of a certificate hash or
                that IpHttpsServerURL is an https URL. Both need checking by the consumer.
              -->
              <xs:element name="IPHttps">
                <xs:complexType>
                  <xs:all>
                    <xs:element name="IpHttpsPrefix" type="ipv6Prefix" />
                    <xs:element name="IpHttpsCertHash" type="xs:hexBinary" />
                    <xs:element name="IpHttpsServerURL" type="xs:anyURI" />
                  </xs:all>
                </xs:complexType>
              </xs:element>
              <!--
                Rate limits applied to inbound traffic classes, with their defaults.
                NOTE(review): this schema states neither the unit nor the meaning of 0;
                presumably 0 means that authenticated IPsec traffic is not rate limited.
                Confirm before relying on the defaults.
              -->
              <xs:element name="DOSPConfig">
                <xs:complexType>
                  <xs:all>
                    <xs:element name="IPsecUnauthenticatedPerIPRate" type="xs:unsignedInt" default="10240" />
                    <xs:element name="IPsecAuthenticatedRate" type="xs:unsignedInt" default="0" />
                    <xs:element name="ICMPv6Rate" type="xs:unsignedInt" default="10240" />
                  </xs:all>
                </xs:complexType>
              </xs:element>
              <xs:element name="IsV6Deployed" type="xs:boolean" />
            </xs:all>
          </xs:complexType>
        </xs:element>
        <!--
          IIS: optional section holding two address lists, each with one or more
          IPv4 or IPv6 addresses. Because the element is minOccurs="0", the MUST in
          the annotation is not enforced by validation and has to be checked by the
          consumer of the file.
        -->
        <xs:element name="IIS" minOccurs="0">
          <xs:annotation>
            <xs:documentation xml:lang="en-us">
              This MUST be specified in case network location server is run on the DirectAccess 
              server and certificate used for securing location identification is same as 
              that used by remote client to secure connectivity over IPHTTPS.
            </xs:documentation>
          </xs:annotation>
          <xs:complexType>
            <xs:all>
              <xs:element name="IpHttpsAddresses">
                <xs:complexType>
                  <xs:sequence>
                    <xs:element name="Address" type="ipAddress" maxOccurs="unbounded" />
                  </xs:sequence>
                </xs:complexType>
              </xs:element>
              <xs:element name="InOutAddresses">
                <xs:complexType>
                  <xs:sequence>
                    <xs:element name="Address" type="ipAddress" maxOccurs="unbounded" />
                  </xs:sequence>
                </xs:complexType>
              </xs:element>
            </xs:all>
          </xs:complexType>
        </xs:element>
        <xs:element name="GPO">
          <xs:complexType>
            <xs:all>
              <!--
                Common: settings shared by the generated policies (server address lists,
                corporate prefix, tunnel endpoints, certificate and smart card options,
                domain names).
              -->
              <xs:element name="Common">
                <xs:complexType>
                  <xs:all>
                    <!--
                      NOTE(review): the annotation speaks of an "authorization option" and
                      "NoAuthorization", but the only matching declaration in this schema is
                      AuthenticationOption with the value NoAuthentication (under
                      AppServerPolicies). Presumably that element is meant. The condition
                      is prose only, since this element is minOccurs="0".
                    -->
                    <xs:element name="AppServers" minOccurs="0">
                      <xs:annotation>
                        <xs:documentation xml:lang="en-us">
                          List of application server addresses that will enforce authorization.
                          This must be specified in case the authorization option is other than NoAuthorization.
                        </xs:documentation>
                      </xs:annotation>
                      <xs:complexType>
                        <xs:sequence>
                          <xs:element name="Address" type="ipv6Address" maxOccurs="unbounded" />
                        </xs:sequence>
                      </xs:complexType>
                    </xs:element>
                    <xs:element name="DnsServers">
                      <xs:complexType>
                        <xs:sequence>
                          <xs:element name="Address" type="ipv6Address" maxOccurs="unbounded" />
                        </xs:sequence>
                      </xs:complexType>
                    </xs:element>
                    <xs:element name="MgmtServers" minOccurs="0">
                      <xs:complexType>
                        <xs:sequence>
                          <xs:element name="Address" type="ipv6PrefixOrAddress" maxOccurs="unbounded" />
                        </xs:sequence>
                      </xs:complexType>
                    </xs:element>
                    <xs:element name="CorpV6" type="ipv6Prefix" />
                    <!-- NonCorpV6 is a free-form string; unlike CorpV6 it is not checked against ipv6Prefix. -->
                    <xs:element name="NonCorpV6" type="xs:string" />
                    <xs:element name="TunnelEndpointDnsDcMgmt" type="ipv6Address" />
                    <xs:element name="TunnelEndpointCorp" type="ipv6Address" />
                    <!--
                      RootCert and RootCertNetshFormatted are unrestricted strings: the schema
                      does not check that they name an existing certificate or that the two
                      forms agree. CertType records whether it is a root or an intermediate
                      certificate.
                    -->
                    <xs:element name="RootCert" type="xs:string" />
                    <xs:element name="RootCertNetshFormatted" type="xs:string" />
                    <xs:element name="CertType">
                      <xs:simpleType>
                        <xs:restriction base="xs:string">
                          <xs:enumeration value="Root" />
                          <xs:enumeration value="Intermediate" />
                        </xs:restriction>
                      </xs:simpleType>
                    </xs:element>
                    <xs:element name="SmartCard">
                      <xs:complexType>
                        <xs:all>
                          <xs:element name="Option">
                            <xs:simpleType>
                              <xs:restriction base="xs:string">
                                <xs:enumeration value="NoSmartCard" />
                                <xs:enumeration value="RemoteSmartCard" />
                              </xs:restriction>
                            </xs:simpleType>
                          </xs:element>
                          <!--
                            NOTE(review): the annotation names a RequireSmartCard option, but
                            Option above only allows NoSmartCard and RemoteSmartCard; one of
                            the two is out of date. SDDLString is an unrestricted string, so a
                            malformed or overly broad security descriptor still validates and
                            must be reviewed separately.
                          -->
                          <xs:element name="SDDLString" type="xs:string" minOccurs="0">
                            <xs:annotation>
                              <xs:documentation xml:lang="en-us">
                                This MUST be specified in case SmartCard option selected is RequireSmartCard.
                              </xs:documentation>
                            </xs:annotation>
                          </xs:element>
                        </xs:all>
                      </xs:complexType>
                    </xs:element>
                    <xs:element name="DistinguishedDomainName" type="distinguishedDomainName" />
                    <xs:element name="DomainName" type="domainName" />
                  </xs:all>
                </xs:complexType>
              </xs:element>
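              <!--
                ClientPolicies: settings of the client policy object. It lists the security
                groups it applies to, the NRPT entries, DNS fallback behaviour, the NCSI and
                NID settings, and the names of the generated rules (each with a default).
              -->
              <xs:element name="ClientPolicies">
                <xs:complexType>
                  <xs:all>
                    <xs:element name="SecurityGroups">
                      <xs:complexType>
                        <xs:sequence>
                          <xs:element name="SecurityGroup" type="sg" maxOccurs="unbounded" />
                        </xs:sequence>
                      </xs:complexType>
                    </xs:element>
                    <xs:element name="NRPT">
                      <xs:complexType>
                        <xs:sequence>
                          <xs:element name="entry" maxOccurs="unbounded">
                            <xs:complexType>
                              <xs:all>
                                <xs:element name="Name" type="xs:string" />
                                <!--
                                  Plain string: the schema does not check that the items of the
                                  comma-delimited list are IPv6 addresses, and it accepts an
                                  empty value. The consumer has to parse each item and decide
                                  whether an empty list (an exemption) is intended for the
                                  suffix in Name.
                                -->
                                <xs:element name="DirectAccessDNSServers" type="xs:string">
                                  <xs:annotation>
                                    <xs:documentation>
                                      List of DNS server IPv6 addresses (, delimited) for the DNS suffix 
                                      specified in Name element above. Can be empty if specifying NRPT exemption.
                                    </xs:documentation>
                                  </xs:annotation>
                                </xs:element>
                              </xs:all>
                              <xs:attribute name="PolicyName" type="xs:string" use="required" />
                            </xs:complexType>
                          </xs:element>
                        </xs:sequence>
                      </xs:complexType>
                      <!-- Identity constraint: PolicyName must be unique among the children of NRPT. -->
                      <xs:unique name="NRPTRuleName">
                        <xs:selector xpath="*" />
                        <xs:field xpath="@PolicyName" />
                      </xs:unique>
                    </xs:element>
                    <!--
                      NOTE(review): the schema only lists the three allowed values. Their names
                      suggest progressively broader fallback to local name resolution, which
                      affects whether intranet names can be queried outside the tunnel; confirm
                      the exact semantics in the deployment guide before choosing one.
                    -->
                    <xs:element name="DnsFallBackOptions">
                      <xs:simpleType>
                        <xs:restriction base="xs:string">
                          <xs:enumeration value="DnsFallbackNameDoesNotExist" />
                          <xs:enumeration value="DnsAlwaysFallbackForAnyError" />
                          <xs:enumeration value="DnsAlwaysFallbackPrivateOnly" />
                        </xs:restriction>
                      </xs:simpleType>
                    </xs:element>
                    <!-- NcsiRrIp is fixed: if present with content, it must be the IPv6 loopback address. -->
                    <xs:element name="NCSI">
                      <xs:complexType>
                        <xs:all>
                          <xs:element name="NcsiUrl" type="xs:anyURI" />
                          <xs:element name="NcsiRrName" type="domainName" />
                          <xs:element name="NcsiRrIp" type="ipv6Address" fixed="0:0:0:0:0:0:0:1" />
                        </xs:all>
                      </xs:complexType>
                    </xs:element>
                    <!--
                      NidCertHash is optional and, as xs:hexBinary, has no length check;
                      NidUrl is xs:anyURI, so the schema does not require an https URL.
                    -->
                    <xs:element name="NID">
                      <xs:complexType>
                        <xs:all>
                          <xs:element name="NidCertHash" type="xs:hexBinary" minOccurs="0" />
                          <xs:element name="NidUrl" type="xs:anyURI" />
                          <xs:element name="NidAddress" type="ipv6Address" />
                        </xs:all>
                      </xs:complexType>
                    </xs:element>
                    <xs:element name="ClientToDnsPolicy" type="xs:string" default="DirectAccess Policy-ClientToDnsDc" />
                    <xs:element name="ClientToCorpPolicy" type="xs:string" default="DirectAccess Policy-ClientToCorp" />
                    <xs:element name="ClientToMgmtPolicy" type="xs:string" default="DirectAccess Policy-ClientToMgmt" minOccurs="0" />
                    <xs:element name="ClientToApplicationServerPolicy" type="xs:string" default="DirectAccess Policy-clientToAppServer" minOccurs="0" />
                    <xs:element name="ClientToApplicationServerExemptPolicy" type="xs:string" default="DirectAccess Policy-clientToAppServerExempt" minOccurs="0" />
                    <xs:element name="ClientToNlaExemptPolicy" type="xs:string" default="DirectAccess Policy-clientToNlaExempt" />
                    <xs:element name="IpHttpsOutRuleName" type="xs:string" default="Core Networking - IPHTTPS (TCP-Out)" />
                  </xs:all>
                  <xs:attribute name="GPOName" type="xs:string" default="DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}" />
                </xs:complexType>
              </xs:element>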
              <!--
                ServerPolicies: settings of the server policy object. Unlike the client and
                application-server sections, SecurityGroups here holds exactly one
                SecurityGroup (no maxOccurs is given, so the default of 1 applies).
              -->
              <xs:element name="ServerPolicies">
                <xs:complexType>
                  <xs:all>
                    <xs:element name="SecurityGroups">
                      <xs:complexType>
                        <xs:sequence>
                          <xs:element type="sg" name="SecurityGroup" />
                        </xs:sequence>
                      </xs:complexType>
                    </xs:element>
                    <!-- Rule names, each with the default used when the element is empty. -->
                    <xs:element name="ServerToDnsPolicy" default="DirectAccess Policy-DaServerToDnsDc" type="xs:string" />
                    <xs:element name="ServerToCorpPolicy" default="DirectAccess Policy-DaServerToCorp" type="xs:string" />
                    <xs:element name="ServerToMgmtPolicy" minOccurs="0" default="DirectAccess Policy-DaServerToMgmt" type="xs:string" />
                    <xs:element name="IpHttpsInRuleName" default="Core Networking - IPHTTPS (TCP-In)" type="xs:string" />
                  </xs:all>
                  <xs:attribute name="GPOName" default="DirectAccess Policy-{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300}" type="xs:string" />
                </xs:complexType>
              </xs:element>
              <!--
                AppServerPolicies: settings of the application-server policy object.
                NOTE(review): two annotations below refer to "AuthorizationOption" and
                "NoAuthorization"; the schema declares only AuthenticationOption with the
                value NoAuthentication, which is presumably what is meant. Both conditions
                are prose rules on minOccurs="0" elements, so validation does not enforce
                them.
              -->
              <xs:element name="AppServerPolicies">
                <xs:complexType>
                  <xs:all>
                    <xs:element name="SecurityGroups" minOccurs="0">
                      <xs:annotation>
                        <xs:documentation xml:lang="en-us">
                          List of security groups containing servers that will enforce authorization.
                          MUST be specified in case AuthorizationOption is other than NoAuthorization.
                        </xs:documentation>
                      </xs:annotation>
                      <xs:complexType>
                        <xs:sequence>
                          <xs:element name="SecurityGroup" type="sg" maxOccurs="unbounded" />
                        </xs:sequence>
                      </xs:complexType>
                    </xs:element>
                    <xs:element name="AuthenticationOption">
                      <xs:simpleType>
                        <xs:restriction base="xs:string">
                          <xs:enumeration value="NoAuthentication" />
                          <xs:enumeration value="SelectedServerEndToEnd" />
                          <xs:enumeration value="EndToEndAuthentication" />
                        </xs:restriction>
                      </xs:simpleType>
                    </xs:element>
                    <!--
                      Per the annotation, true lets the application-server IPsec rules accept
                      null encryption. Null encryption gives no confidentiality for the
                      payload, so this flag is worth reviewing explicitly in any deployment
                      that expects end-to-end traffic to be encrypted.
                    -->
                    <xs:element name="EndToEndIPsecCompatibilityMode" type="xs:boolean" minOccurs="0">
                      <xs:annotation>
                        <xs:documentation xml:lang="en-us">
                          Whether IPsec connection security rules on application servers should allow null encryption.
                          MUST be specified in case AuthorizationOption is other than NoAuthorization.
                        </xs:documentation>
                      </xs:annotation>
                    </xs:element>
                    <xs:element name="ApplicationServerToClientPolicy" type="xs:string" minOccurs="0" default="DirectAccess Policy-appServerToClient" />
                    <xs:element name="ApplicationServerToIpHttpsClientPolicy" type="xs:string" minOccurs="0" default="DirectAccess Policy-appServerToIpHttpsClientPolicy" />
                  </xs:all>
                  <xs:attribute name="GPOName" type="xs:string" default="DirectAccess Policy-{f7b77f47-7c33-4d8c-bb9a-a913c5675d8d}" />
                </xs:complexType>
              </xs:element>
            </xs:all>
          </xs:complexType>
          <!--
            Identity constraint on the GPO element: the GPOName attribute value must be
            unique among its direct children (xpath "*"). Children without a GPOName
            attribute are not part of the comparison.
          -->
          <xs:unique name="GPONames">
            <xs:selector xpath="*" />
            <xs:field xpath="@GPOName" />
          </xs:unique>
        </xs:element>
      </xs:all>
      <!--
        Attributes of the root element. State is required and fixed, so an instance
        validates only when it carries State="Complete". Version is optional and
        defaults to 1.0.
      -->
      <xs:attribute name="State" type="xs:string" fixed="Complete" use="required" />
      <xs:attribute name="Version" type="xs:decimal" default="1.0" />
    </xs:complexType>
  </xs:element>


  <!--
    sg: one security principal, given as a free-form Name plus a Type that is either
    "computer" or "group". The schema does not check that Name resolves to an existing
    account or group; that lookup is left to the consumer.
  -->
  <xs:complexType name="sg">
    <xs:annotation>
      <xs:documentation xml:lang="en">
        Type representing a security group.
      </xs:documentation>
    </xs:annotation>
    <xs:all>
      <xs:element type="xs:string" name="Name" />
      <xs:element name="Type">
        <xs:simpleType>
          <xs:restriction base="xs:string">
            <xs:enumeration value="computer" />
            <xs:enumeration value="group" />
          </xs:restriction>
        </xs:simpleType>
      </xs:element>
    </xs:all>
  </xs:complexType>



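  <!--
    interface: a network interface identified by a free-form Name and an Id that must
    match the guid type (braces included). Both children are required, in any order.
  -->
  <xs:complexType name="interface">
    <xs:annotation>
      <xs:documentation xml:lang="en">
        Type representing a network interface. Holds interface properties.
      </xs:documentation>
    </xs:annotation>
    <xs:all>
      <xs:element name="Name" type="xs:string" />
      <xs:element name="Id" type="guid" />
    </xs:all>
  </xs:complexType>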


  <!--
    ipv4Address: dotted-quad IPv4 address. Each of the four octets must be a decimal
    number from 0 to 255 written without leading zeros (for example "10" but not
    "010"), which avoids any octal reading of an octet. XSD patterns match the whole
    value, so nothing may precede or follow the address.
  -->
  <xs:simpleType name="ipv4Address">
    <xs:annotation>
      <xs:documentation xml:lang="en">
        The representation of an IPv4 address
      </xs:documentation>
    </xs:annotation>
    <xs:restriction base="xs:string">
      <xs:pattern value="((0|(1[0-9]{0,2})|(2(([0-4][0-9]?)|(5[0-5]?)|([6-9]?)))|([3-9][0-9]?))\.){3}(0|(1[0-9]{0,2})|(2(([0-4][0-9]?)|(5[0-5]?)|([6-9]?)))|([3-9][0-9]?))" />
    </xs:restriction>
  </xs:simpleType>


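  <!--
    ipv6Address: textual IPv6 address in one of four shapes, one xs:pattern each
    (sibling pattern facets in the same restriction are alternatives).

    Changes against the single published pattern:
    * The group lists around "::" are optional (?) rather than repeated (*). The
      repeated form let adjacent groups run together, so hex runs longer than four
      digits were accepted, and its nested repetition can make a backtracking regex
      engine slow on long malformed values.
    * In the "::" form with an IPv4 tail, the groups before the dotted quad each end
      in ":" so that values such as "::ffff:" followed by a dotted quad are matched
      as intended.

    The patterns remain a syntax screen only: they do not cap the total number of
    groups at eight when "::" is used, and dotted-quad octets are accepted up to 999.
    Consumers should still parse the value with an address parser before use.
  -->
  <xs:simpleType name="ipv6Address">
    <xs:annotation>
      <xs:documentation xml:lang="en">
        The representation of an IPv6 address
      </xs:documentation>
    </xs:annotation>
    <xs:restriction base="xs:string">
      <!-- Full form: eight colon-separated groups of 1 to 4 hex digits. -->
      <xs:pattern value="([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}" />
      <!-- Full form with an IPv4 tail: six groups followed by a dotted quad. -->
      <xs:pattern value="([0-9a-fA-F]{1,4}:){6}[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" />
      <!-- Compressed form: optional groups, "::", optional groups. -->
      <xs:pattern value="(([0-9a-fA-F]{1,4}:)*[0-9a-fA-F]{1,4})?::(([0-9a-fA-F]{1,4}:)*[0-9a-fA-F]{1,4})?" />
      <!-- Compressed form with an IPv4 tail: optional groups, "::", groups each ending in ":", dotted quad. -->
      <xs:pattern value="(([0-9a-fA-F]{1,4}:)*[0-9a-fA-F]{1,4})?::([0-9a-fA-F]{1,4}:)*[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" />
    </xs:restriction>
  </xs:simpleType>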


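  <!--
    ipv6Prefix: an IPv6 address followed by "/" and a prefix length. One xs:pattern
    per address shape (sibling pattern facets in the same restriction are
    alternatives).

    Changes against the single published pattern:
    * The prefix length is limited to the decimal values 0 to 128 written in ASCII
      digits. The published "\d+" accepted any length of digits, and in XSD "\d"
      also matches non-ASCII decimal digits.
    * The group lists around "::" are optional (?) rather than repeated (*). The
      repeated form let adjacent groups run together, so hex runs longer than four
      digits were accepted, and its nested repetition can make a backtracking regex
      engine slow on long malformed values.
    * In the "::" form with an IPv4 tail, the groups before the dotted quad each end
      in ":".

    The patterns remain a syntax screen only: they do not cap the total number of
    groups at eight when "::" is used, dotted-quad octets are accepted up to 999, and
    nothing checks that the bits beyond the prefix length are zero.
  -->
  <xs:simpleType name="ipv6Prefix">
    <xs:annotation>
      <xs:documentation xml:lang="en">
        The representation of an IPv6 prefix
      </xs:documentation>
    </xs:annotation>
    <xs:restriction base="xs:string">
      <!-- Full form: eight groups, then the prefix length. -->
      <xs:pattern value="([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}/(12[0-8]|1[01][0-9]|[1-9]?[0-9])" />
      <!-- Full form with an IPv4 tail: six groups and a dotted quad, then the prefix length. -->
      <xs:pattern value="([0-9a-fA-F]{1,4}:){6}[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/(12[0-8]|1[01][0-9]|[1-9]?[0-9])" />
      <!-- Compressed form: optional groups, "::", optional groups, then the prefix length. -->
      <xs:pattern value="(([0-9a-fA-F]{1,4}:)*[0-9a-fA-F]{1,4})?::(([0-9a-fA-F]{1,4}:)*[0-9a-fA-F]{1,4})?/(12[0-8]|1[01][0-9]|[1-9]?[0-9])" />
      <!-- Compressed form with an IPv4 tail, then the prefix length. -->
      <xs:pattern value="(([0-9a-fA-F]{1,4}:)*[0-9a-fA-F]{1,4})?::([0-9a-fA-F]{1,4}:)*[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/(12[0-8]|1[01][0-9]|[1-9]?[0-9])" />
    </xs:restriction>
  </xs:simpleType>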


  <!--
    ipv6PrefixOrAddress: union type; a value is valid when it matches either
    ipv6Prefix (address with "/length") or ipv6Address (bare address). Used in this
    schema for the MgmtServers address list.
  -->
  <xs:simpleType name="ipv6PrefixOrAddress">
    <xs:annotation>
      <xs:documentation xml:lang="en">
        The representation of an IPv6 prefix or address
      </xs:documentation>
    </xs:annotation>
    <xs:union memberTypes="ipv6Prefix ipv6Address" />
  </xs:simpleType>


  <!--
    ipAddress: union type; a value is valid when it matches either ipv4Address or
    ipv6Address. Used in this schema for the address lists of the IIS section.
  -->
  <xs:simpleType name="ipAddress">
    <xs:annotation>
      <xs:documentation xml:lang="en">
        The representation of an IP address. This can be IPv4 or IPv6.
      </xs:documentation>
    </xs:annotation>
    <xs:union memberTypes="ipv4Address ipv6Address"/>
  </xs:simpleType>


  <!--
    guid: a GUID in registry format. The value must be enclosed in braces and consist
    of hex digit groups of 8, 4, 4, 4 and 12 separated by hyphens; upper and lower case
    are both accepted. Used in this schema for the Id of an interface.
  -->
  <xs:simpleType name="guid">
    <xs:annotation>
      <xs:documentation xml:lang="en">
        The representation of a GUID, generally the id of an element.
      </xs:documentation>
    </xs:annotation>
    <xs:restriction base="xs:string">
      <xs:pattern value="\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\}"/>
    </xs:restriction>
  </xs:simpleType>


  <!--
    domainName: one or more dot-separated labels with no trailing dot. Each label must
    start with an ASCII letter, end with a letter or digit, and may contain letters,
    digits and hyphens in between, so every label is at least two characters long.
    Single-character labels, labels starting with a digit and underscores are
    rejected. The pattern sets no maximum length for a label or for the whole name;
    length limits have to be enforced by the consumer.
  -->
  <xs:simpleType name="domainName">
    <xs:annotation>
      <xs:documentation>
        The domainName type represents a DNS domain name.
      </xs:documentation>
    </xs:annotation>
    <xs:restriction base="xs:string">
      <xs:pattern value="([a-zA-Z][a-zA-Z0-9\-]*[a-zA-Z0-9]\.)*[a-zA-Z][a-zA-Z0-9\-]*[a-zA-Z0-9]" />
    </xs:restriction>
  </xs:simpleType>


  <!--
    distinguishedDomainName: a comma-separated list of DC= components only, with no
    spaces around the commas and "DC" in upper case. Each component value follows the
    same label rule as domainName: it starts with an ASCII letter, ends with a letter
    or digit, and is at least two characters long. Other attribute types (such as OU
    or CN) are not accepted.
  -->
  <xs:simpleType name="distinguishedDomainName">
    <xs:annotation>
      <xs:documentation>
        This type represents a domain name in distinguished name format.
      </xs:documentation>
    </xs:annotation>
    <xs:restriction base="xs:string">
      <xs:pattern value="(DC=[a-zA-Z][a-zA-Z0-9\-]*[a-zA-Z0-9],)*DC=[a-zA-Z][a-zA-Z0-9\-]*[a-zA-Z0-9]" />
    </xs:restriction>
  </xs:simpleType>


</xs:schema>