Understanding DirectAccess Deployment Models

Applies To: Windows Server 2008 R2

DirectAccess can be deployed using a combination of the following:

  • An access model, which defines the types of internal network resources that a DirectAccess client can access and whether the DirectAccess client and internal network server perform authentication and traffic protection by using Internet Protocol security (IPsec)

  • A scalability model, which defines how many DirectAccess servers that you need to scale your DirectAccess infrastructures to meet the demands of DirectAccess clients

Access models

You can deploy a DirectAccess server by using the DirectAccess Setup wizard with the following access models:

  • End-to-edge

  • End-to-end for selected servers


The end-to-edge access model allows DirectAccess clients to connect to all of the resources inside the internal network but does not use IPsec to protect the end-to-end communication with internal network servers. IPsec-based tunnel policies require authentication and encryption and the IPsec sessions terminate by default at the DirectAccess server. This access model works with network servers running Windows Server 2003 that do not support policy-based IPsec protection of IPv6 traffic.

End-to-end for selected servers

In addition to the encryption of traffic between the DirectAccess client and server over the Internet, the end-to-end for selected servers access model also ensures that communications between the DirectAccess client and internal network servers are authenticated and protected. This allows the DirectAccess client to confirm that they are communicating with their intended servers.

For this access model, you can also specify the use of authentication without protection, which uses the new Authenticate only (Null Encapsulation) IPsec policy option available in Windows 7 and Windows Server 2008 R2. Authentication without protection requires that the DirectAccess client and internal network resource perform IPsec peer authentication, but subsequent data packets exchanged are not protected with an IPsec header. This option might be needed for networks that contain packet processing or forwarding devices that cannot parse or forward IPsec-protected traffic.

Scalability models

DirectAccess can be set up using a single server, which allows DirectAccess to provide all of the baseline functionality required to operate. However, because the purpose of DirectAccess is to provide connectivity to remote users, reliability and scalability with multiple servers and division of tasks are also important.

Single server

In the single server scenario, all of the components of DirectAccess are hosted on the same server computer. The benefit of this scenario is a relatively simple deployment, requiring only a single DirectAccess server. The limitations of this scenario are a single point of failure and server performance bottlenecks can limit the maximum number of concurrent DirectAccess connections. The DirectAccess Setup wizard configures the single server scenario.

Multiple servers

If high availability is a priority, multiple servers can minimize any network outages to approximately two minutes. To achieve this, a minimum of four servers are required for a deployment. A Network Load Balancing (NLB) cluster configured with two servers provide IPv6 connectivity to DirectAccess clients on the Internet. Two servers provide IPsec session termination and failover. If any server fails, the service is restored because the connection is re-routed through an operational server.

For more information about the multiple-server scalability model and how to configure the components of DirectAccess on different servers, see the DirectAccess home page on Microsoft Technet (http://go.microsoft.com/fwlink/?LinkId=142598).

Community Additions