Checklist: Preparing Your Infrastructure for DirectAccess

Article
07/02/2012

Updated: October 7, 2009

Applies To: Windows Server 2008 R2

Important

This topic describes deployment of DirectAccess in Windows Server 2008 R2. For deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Deployment Guide (https://go.microsoft.com/fwlink/?LinkId=179989).

This checklist includes cross-reference links to help you prepare your network and security infrastructure for a DirectAccess deployment. It also contains links to procedures that will help you complete the tasks that are required to implement this design.

Note

Complete the tasks in this checklist in order. When a reference link takes you to a conceptual topic, a procedure, or to another checklist, return to this topic so that you can proceed with the remaining tasks in this checklist.

Checklist: Preparing your infrastructure for DirectAccess

	Task	Reference
	Review important concepts for DirectAccess.	Appendix B: Reviewing Key DirectAccess Concepts
	Review the client, server, and network infrastructure requirements for DirectAccess.	Appendix A: DirectAccess Requirements
	Create Active Directory security groups for DirectAccess clients (required) and selected servers (optional) and add members.	Create DirectAccess Groups in Active Directory
	Configure packet filtering on Internet and intranet firewalls.	Packet Filters for Your Internet Firewall Packet Filters for Your Intranet Firewall
	Configure packet filtering for Internet Control Message Protocol for IPv6 (ICMPv6) traffic.	Configure Packet Filters to Allow ICMP Traffic Configure Settings to Confine ICMPv6 Traffic to the Intranet
	Configure packet filtering for remote management computers.	Design for Remote Management Configure Packet Filters to Allow Management Traffic to DirectAccess Clients
	Compile a list of additional Name Resolution Policy Table (NRPT) namespace or exemption rules.	Design Your DNS Infrastructure for DirectAccess
	Add intranet A records as needed for your network location server and CRL distribution points.	Design Your DNS Infrastructure for DirectAccess
	Add Internet Domain Name System (DNS) Address (A) records as needed for the DirectAccess server as Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS) server and certificate revocation list (CRL) distribution points.	Design Your DNS Infrastructure for DirectAccess
	Configure your DNS servers running Windows Server 2008 R2 or Windows Server 2008 to support resolution of the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) name.	Remove ISATAP from the DNS Global Query Block List
	Configure your public key infrastructure (PKI) for CRL distribution points.	Configure a CRL Distribution Point for Certificates Configure Active Directory Certificate Services for CRL Locations
	Configure autoenrollment of computer certificates.	Configure Computer Certificate Autoenrollment
	Modify the permissions on the Web Server certificate template.	Configure Permissions on the Web Server Certificate Template
	If needed by your design, configure an Secure Hypertext Transfer Protocol (HTTPS) uniform resource locator (URL) on your separate network location server.	Configure IIS for Network Location
	If needed by your design, install a custom SSL certificate on your separate network location server.	Install and Configure IIS for a Network Location Server Certificate

Checklist: Preparing Your Infrastructure for DirectAccess

Additional resources