Appendix A – Manual DirectAccess Server Configuration

Updated: October 7, 2009

Applies To: Windows Server 2008 R2

Important

This topic describes deployment of DirectAccess in Windows Server 2008 R2. For deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Deployment Guide (https://go.microsoft.com/fwlink/?LinkId=179989).

You can also configure a DirectAccess server manually with a series of commands at a Command Prompt window or within a script. The following sections describe the commands to configure a DirectAccess server for the equivalent default configuration of the DirectAccess Setup Wizard.

Configure Internet access components

Component Purpose Command

Teredo server

Configure Teredo with the name or IPv4 address of the Teredo server.

netsh interface ipv6 set teredo server FirstIPv4AddressOfDirectAccessServer

IPv6 interfaces

Configure the IPv6 interfaces for the correct forwarding and advertising behavior.

  1. Run the following command for the 6to4 and Teredo interfaces:

    netsh interface ipv6 set interface InterfaceIndex forwarding=enabled

  2. If a LAN interface is present with a native IPv6 address, run the following command:

    netsh interface ipv6 set interface InterfaceIndex forwarding=enabled

  3. For the IP-HTTPS interface, run the following command:

    netsh interface ipv6 set interface IPHTTPSInterface forwarding=enabled advertise=enabled

6to4

Enable 6to4.

netsh interface 6to4 set state enabled

SSL certificates for IP-HTTPS connections

Configure the certificate binding.

  1. Install the SSL certificate using manual enrollment.

  2. Use the netsh http add sslcert command to configure the certificate binding.

IP-HTTPS Interface

Configure the IP-HTTPS interface.

netsh interface httpstunnel add interface server https://PublicIPv4AddressOrFQDN:443/iphttps enabled certificates

IP-HTTPS Routing

Configure IPv6 routing for the IP-HTTPS interface.

netsh interface ipv6 add route IP-HTTPSPrefix::/64 IPHTTPSInterface publish=yes

IP-HTTPSPrefix is one of the following:

  • 6to4-basedPrefix:2 if you are using a 6to4-based prefix derived from the first public IPv4 address assigned to the Internet interface of the DirectAccess server.

  • NativePrefix:5555 if you are using a 48-bit native IPv6 prefix. 5555 is the Subnet ID value chosen by the DirectAccess Setup Wizard.
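The SSL certificate step above names the netsh http add sslcert command but leaves its parameters open. The following PowerShell script is an added example, not part of the original appendix: it selects the IP-HTTPS certificate from the computer's Personal store by subject, binds it to TCP 443 with netsh http add sslcert, and then verifies the binding with netsh http show sslcert. The subject name, the listener ip:port and the application GUID are placeholders (assumptions) you must replace; the GUID only has to be a valid GUID that identifies the binding.

```powershell
# Added example (not from the original appendix): bind the IP-HTTPS SSL certificate
# with netsh http add sslcert, selecting the certificate by its subject name.
# Assumptions: the certificate is already enrolled (manual enrollment) in the local
# computer's Personal store; $Subject, $IpPort and $AppId are placeholders.
# Run in an elevated PowerShell 2.0 session on the DirectAccess server.

param(
    [string]$Subject = 'CN=da.example.com',                     # placeholder: the IP-HTTPS FQDN
    [string]$IpPort  = '0.0.0.0:443',                           # listen on every IPv4 address, TCP 443
    [string]$AppId   = '{00000000-0000-0000-0000-000000000001}' # constructed placeholder GUID
)

# Pick the newest unexpired certificate whose subject matches and that has a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No usable certificate with subject '$Subject' in Cert:\LocalMachine\My"
}

# netsh expects the SHA-1 thumbprint as a hex string without spaces; .NET exposes it that way.
$thumb = $cert.Thumbprint
Write-Host "Binding $($cert.Subject) ($thumb) to $IpPort"

# Remove a stale binding on the same ip:port, if one exists, before adding the new one.
& netsh http delete sslcert ipport=$IpPort | Out-Null
& netsh http add sslcert ipport=$IpPort certhash=$thumb appid="$AppId"
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed with exit code $LASTEXITCODE" }

# Verify: the binding listed for this ip:port must carry the thumbprint we chose.
$shown = & netsh http show sslcert ipport=$IpPort
if (($shown -join "`n") -notmatch [regex]::Escape($thumb)) {
    throw "Binding not found after add; inspect 'netsh http show sslcert'"
}
```

Selecting the certificate by subject, private key and expiry (rather than by a hard-coded thumbprint) means the same script can be rerun after certificate renewal; the final check fails loudly if the binding did not take, which is the usual cause of IP-HTTPS clients failing to connect.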

Configure intranet access components

Component Purpose Command

ISATAP

Enable ISATAP.

netsh interface isatap set state enabled

ISATAP

Configure the ISATAP router address.

netsh interface isatap set router DirectAccessServerIntranetIPv4Address

ISATAP

Configure ISATAP routing.

netsh interface ipv6 add route IntranetPrefix:1::/64 ISATAPInterfaceIndex publish=yes

IntranetPrefix is one of the following:

  • The 48-bit 6to4-based prefix derived from the first public IPv4 address assigned to the Internet interface of the DirectAccess server.

  • Your 48-bit native IPv6 prefix.

ISATAP

Configure intranet interface forwarding and advertising on the ISATAP interface.

netsh interface ipv6 set interface ISATAPInterfaceIndex forwarding=enabled advertise=enabled

Network Interface

If you have native IPv6, configure intranet interface forwarding and advertising on the LAN interface.

netsh interface ipv6 set interface LANInterfaceIndex forwarding=enabled advertise=enabled

DNS

Publish the ISATAP name in DNS on the DNS server.

dnscmd /recordadd DNSSuffix isatap A DirectAccessServerIntranetIPv4Address
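Both the IP-HTTPS route (IP-HTTPSPrefix::/64) and the ISATAP route (IntranetPrefix:1::/64) depend on the same 48-bit prefix, which for the 6to4 case is 2002:WWXX:YYZZ::/48 with WWXX:YYZZ being the hexadecimal form of the server's first public IPv4 address. The following PowerShell functions are an added example, not part of the original appendix: they derive that prefix (or take a native /48), build the :2 or :5555 IP-HTTPS /64 and the :1 ISATAP /64, and print the route, ISATAP router and dnscmd commands with the placeholders filled in. The interface names, the intranet IPv4 address, the DNS suffix and the sample address 203.0.113.10 are constructed placeholders; nothing is executed.

```powershell
# Added example (not from the original appendix): derive the /64 prefixes that the
# route commands in this appendix expect and emit those commands with placeholders
# filled in. Interface names/indexes are assumptions; read the real ones from
# 'netsh interface ipv6 show interfaces' before running anything.

function Get-6to4Prefix {
    param([Parameter(Mandatory=$true)][string]$PublicIPv4)
    # 6to4 (RFC 3056): 2002:WWXX:YYZZ::/48, where WWXXYYZZ is the IPv4 address in hex.
    $ip = [System.Net.IPAddress]::Parse($PublicIPv4)
    if ($ip.AddressFamily -ne 'InterNetwork') { throw "$PublicIPv4 is not an IPv4 address" }
    $b = $ip.GetAddressBytes()
    return ('2002:{0:x2}{1:x2}:{2:x2}{3:x2}' -f $b[0], $b[1], $b[2], $b[3])
}

function Get-DirectAccessPrefixes {
    param(
        [string]$PublicIPv4,      # used when no native prefix exists
        [string]$NativePrefix48   # e.g. '2001:db8:1' (the /48 without '::/48'); optional
    )
    if ($NativePrefix48) {
        # Native: the Setup Wizard uses Subnet ID 5555 for IP-HTTPS and 1 for ISATAP.
        $base    = $NativePrefix48.TrimEnd(':')
        $iphttps = "${base}:5555"
    } else {
        # 6to4-based: Subnet ID 2 for IP-HTTPS and 1 for ISATAP.
        $base    = Get-6to4Prefix $PublicIPv4
        $iphttps = "${base}:2"
    }
    return @{
        IntranetPrefix48 = $base               # the IntranetPrefix value used by the ISATAP route
        IpHttpsPrefix64  = "${iphttps}::/64"   # IP-HTTPSPrefix::/64
        IsatapPrefix64   = "${base}:1::/64"    # IntranetPrefix:1::/64
    }
}

function Get-DirectAccessRouteCommands {
    param(
        [Parameter(Mandatory=$true)][hashtable]$Prefixes,
        [Parameter(Mandatory=$true)][string]$IntranetIPv4,   # DirectAccessServerIntranetIPv4Address
        [string]$IpHttpsInterface     = 'IPHTTPSInterface',     # assumption: replace with real name
        [string]$IsatapInterfaceIndex = 'ISATAPInterfaceIndex', # assumption: replace with real index
        [string]$DnsSuffix            = 'corp.example.com'      # placeholder DNS suffix
    )
    return @(
        "netsh interface ipv6 add route $($Prefixes.IpHttpsPrefix64) $IpHttpsInterface publish=yes",
        "netsh interface isatap set router $IntranetIPv4",
        "netsh interface ipv6 add route $($Prefixes.IsatapPrefix64) $IsatapInterfaceIndex publish=yes",
        "dnscmd /recordadd $DnsSuffix isatap A $IntranetIPv4"
    )
}

# Constructed sample input: 203.0.113.10 is a documentation address, not a real server.
# 203.0.113.10 -> 2002:cb00:710a::/48, so IP-HTTPS gets 2002:cb00:710a:2::/64 and
# ISATAP gets 2002:cb00:710a:1::/64.
$p = Get-DirectAccessPrefixes -PublicIPv4 '203.0.113.10'
Get-DirectAccessRouteCommands -Prefixes $p -IntranetIPv4 '10.0.0.5' | ForEach-Object { Write-Host $_ }
```

Computing the prefixes from the address instead of typing them by hand removes the most common manual-configuration mistake, a route prefix that does not match the prefix clients actually receive; supply -NativePrefix48 instead of -PublicIPv4 to get the :5555 and :1 subnets of a native /48.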

Configure IPsec DoSP

Purpose Command

Enable IPsec Denial of Service Protection (DoSP) on the Internet interface.

netsh ipsecdosp add interface InternetInterfaceName public

Enable IPsec DoSP on the intranet interface.

netsh ipsecdosp add interface intranetInterfaceName internal

Configure connection security rules

There are separate connection security rules for the full intranet access model for the DirectAccess server and DirectAccess clients.

DirectAccess server configuration (full intranet access model)

Purpose Command

Connection security rule for traffic to the intranet DNS server and domain controller (the infrastructure tunnel).

netsh advfirewall consec add rule name="DirectAccess Policy ClientToDNSDC" mode=tunnel profile=public,private Endpoint1=DNS-DCIPv6Address Endpoint2=Any LocalTunnelEndpoint=IPv6AddressOfDirectAccessServerInternetInterface RemoteTunnelEndpoint=Any Action=RequireInRequireOut Auth1=ComputerCert Auth1CA=CANameString Auth2=UserNTLM qmsecmethods=ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-AES128+60min+100000kb

Connection security rule for traffic to management servers.

netsh advfirewall consec add rule name="DirectAccess Policy ClientToMgMt" mode=tunnel profile=public,private Endpoint1=ManagementServerIPv6Addresses Endpoint2=Any LocalTunnelEndpoint=IPv6AddressOfDirectAccessServerInternetInterface RemoteTunnelEndpoint=Any Action=RequireInRequireOut Auth1=ComputerCert Auth1CA=CANameString Auth2=UserNTLM qmsecmethods=ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-AES128+60min+100000kb

Connection security rule for traffic to the intranet (the intranet tunnel).

netsh advfirewall consec add rule name="DirectAccess Policy ClientToCorp" mode=tunnel profile=public,private Endpoint1=IntranetIPv6Prefix Endpoint2=Any LocalTunnelEndpoint=IPv6AddressOfDirectAccessServerInternetInterface RemoteTunnelEndpoint=Any Action=RequireInRequireOut Auth1=ComputerCert Auth1CA=CANameString Auth2=UserKerb qmsecmethods=ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-AES128+60min+100000kb

Connection security rules for client configuration (full intranet access model)

Purpose Command

Connection security rule for traffic to the intranet DNS server and domain controller (the infrastructure tunnel).

netsh advfirewall consec add rule name="DirectAccess Policy ClientToDNSDC" mode=tunnel profile=public,private Endpoint1=Any Endpoint2=DNS-DCIPv6Address LocalTunnelEndpoint=Any RemoteTunnelEndpoint=IPv6AddressOfDirectAccessServerInternetInterface Action=RequireInRequireOut Auth1=ComputerCert Auth1CA=CANameString Auth2=UserNTLM qmsecmethods=ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-AES128+60min+100000kb

Connection security rule for traffic to management servers.

netsh advfirewall consec add rule name="DirectAccess Policy ClientToMgmt" mode=tunnel profile=public,private Endpoint1=Any Endpoint2=ManagementServerIPv6Addresses LocalTunnelEndpoint=Any RemoteTunnelEndpoint=IPv6AddressOfDirectAccessServerInternetInterface Action=RequireInRequireOut Auth1=ComputerCert Auth1CA=CANameString Auth2=UserNTLM qmsecmethods=ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-AES128+60min+100000kb

Connection security rule for traffic to the intranet (the intranet tunnel).

netsh advfirewall consec add rule name="DirectAccess Policy ClientToCorp" mode=tunnel profile=public,private Endpoint1=Any Endpoint2=IntranetIPv6Prefix LocalTunnelEndpoint=Any RemoteTunnelEndpoint=IPv6AddressOfDirectAccessServerInternetInterface Action=RequireInRequireOut Auth1=ComputerCert Auth1CA=CANameString Auth2=UserKerb qmsecmethods=ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-AES128+60min+100000kb

Connection security rule to exempt IPsec protection to the network location server.

netsh advfirewall consec add rule name="DirectAccess Policy clientToNlaExempt" mode=tunnel profile=public,private endpoint1=IntranetIPv6Prefix endpoint2=NetworkLocationServerIPv6Address action=noauthentication protocol=tcp port2=443
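Comparing the two tables shows that each client rule is the mirror image of its server rule: Endpoint1 and Endpoint2 swap, and so do LocalTunnelEndpoint and RemoteTunnelEndpoint, while authentication methods, CA name and quick mode security methods stay identical. The following PowerShell is an added example, not part of the original appendix: it generates both sides of the three tunnel rules from one description per tunnel so that the server and client policies cannot drift apart. The IPv6 addresses, the CA subject string and the rule order are constructed placeholders; the script only prints the commands for review.

```powershell
# Added example (not from the original appendix): emit matching server-side and
# client-side tunnel rules from one description of each tunnel. All addresses and
# the CA name below are constructed placeholders.

# Quick mode security methods exactly as the appendix specifies them.
$QmSecMethods = 'ESP:SHA1-AES192+60min+100000kb,ESP:SHA1-AES128+60min+100000kb'

function New-DirectAccessTunnelRule {
    param(
        [Parameter(Mandatory=$true)][ValidateSet('Server','Client')][string]$Side,
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][string]$IntranetEndpoint,    # DNS/DC address, management servers or intranet prefix
        [Parameter(Mandatory=$true)][string]$ServerInternetIPv6,  # IPv6AddressOfDirectAccessServerInternetInterface
        [Parameter(Mandatory=$true)][string]$CAName,              # CANameString
        [Parameter(Mandatory=$true)][ValidateSet('UserNTLM','UserKerb')][string]$Auth2
    )
    if ($Side -eq 'Server') {
        # Server: the intranet side is Endpoint1 and the server's own Internet
        # address is the local tunnel endpoint.
        $ep1 = $IntranetEndpoint;  $ep2 = 'Any'
        $local = $ServerInternetIPv6; $remote = 'Any'
    } else {
        # Client: the mirror image, so the server address becomes the remote tunnel endpoint.
        $ep1 = 'Any';  $ep2 = $IntranetEndpoint
        $local = 'Any'; $remote = $ServerInternetIPv6
    }
    # -f binds tighter than +, so the concatenation must be parenthesised.
    return ('netsh advfirewall consec add rule name="{0}" mode=tunnel profile=public,private ' +
            'Endpoint1={1} Endpoint2={2} LocalTunnelEndpoint={3} RemoteTunnelEndpoint={4} ' +
            'Action=RequireInRequireOut Auth1=ComputerCert Auth1CA="{5}" Auth2={6} qmsecmethods={7}') -f
            $Name, $ep1, $ep2, $local, $remote, $CAName, $Auth2, $QmSecMethods
}

# Constructed placeholders: replace with your own addresses and CA subject string.
$serverIPv6 = '2002:cb00:710a::1'                              # constructed Internet-facing IPv6 address
$caName     = 'CN=Corp Root CA, DC=corp, DC=example, DC=com'   # constructed CA name string
$tunnels = @(
    # Infrastructure tunnel: computer certificate + NTLM, to the DNS server / domain controller.
    @{ Name='DirectAccess Policy ClientToDNSDC'; Endpoint='2002:cb00:710a:1:0:5efe:10.0.0.1';  Auth2='UserNTLM' },
    # Management tunnel: same authentication, to the management servers.
    @{ Name='DirectAccess Policy ClientToMgmt';  Endpoint='2002:cb00:710a:1:0:5efe:10.0.0.20'; Auth2='UserNTLM' },
    # Intranet tunnel: computer certificate + Kerberos user authentication, to the whole intranet prefix.
    @{ Name='DirectAccess Policy ClientToCorp';  Endpoint='2002:cb00:710a::/48';               Auth2='UserKerb' }
)

foreach ($side in 'Server','Client') {
    Write-Host "# $side rules"
    foreach ($t in $tunnels) {
        New-DirectAccessTunnelRule -Side $side -Name $t.Name -IntranetEndpoint $t.Endpoint `
            -ServerInternetIPv6 $serverIPv6 -CAName $caName -Auth2 $t.Auth2
    }
}
```

Generating both sides from one table makes the security-relevant asymmetry explicit: only the intranet tunnel uses UserKerb, the infrastructure and management tunnels stay on UserNTLM so that a client can reach a domain controller before it has a Kerberos ticket. The NLS exemption rule is deliberately not generated here, since it has no server-side counterpart.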