Understanding DirectAccess Components

Applies To: Windows Server 2008 R2

This topic provides information about the components of a DirectAccess deployment, DirectAccess client connectivity methods, firewall configuration for DirectAccess traffic, and integration with smart cards.

DirectAccess components

A DirectAccess deployment consists of the following components:

  • DirectAccess clients

  • At least one DirectAccess server

  • An Active Directory® Domain Services (AD DS) domain

  • A public key infrastructure (PKI)

  • Network location server

  • An Internet Protocol version 6 (IPv6)-capable internal network and applications, or Network Address Translation-Protocol Translation (NAT-PT) devices

DirectAccess clients

A DirectAccess client is a computer running Windows 7 or Windows Server 2008 R2 that is joined to an AD DS domain and uses IPv6 and Internet Protocol security (IPsec) to automatically initiate and maintain remote connectivity to an internal network from the Internet.

Computers that are not joined to an AD DS domain or computers running Windows Vista or earlier versions of Windows do not support DirectAccess.

At least one DirectAccess server

A DirectAccess server is a computer running Windows Server 2008 R2 that is joined to an AD DS domain and uses IPv6 and IPsec to respond to DirectAccess clients on the Internet and transparently connect them to an internal network.

Computers that are not joined to an Active Directory domain or computers running Windows Server 2008 or earlier versions of Windows Server do not support DirectAccess server functionality.

To install DirectAccess, see Install DirectAccess.

Do not host any other primary functions on DirectAccess servers. DirectAccess servers should be dedicated to DirectAccess. Depending on your deployment and scalability requirements, you might need more than one DirectAccess server or to use manual configuration to separate DirectAccess functions between multiple servers. For more information about multiple-server deployments, see the DirectAccess home page on Microsoft Technet (http://go.microsoft.com/fwlink/?LinkId=142598).

For more information about the requirements of the DirectAccess server, see Checklist: Before You Configure DirectAccess.

An AD DS domain

DirectAccess relies on AD DS for authentication credentials, autoenrollment of computer certificates, and centralized Group Policy-based configuration of IPsec, IPv6, and other settings. DirectAccess clients and servers must be members of an AD DS domain.

PKI

DirectAccess relies on computer certificates issued by an Active Directory Certificate Services (AD CS) certification authority for authentication of IPsec sessions and IP-HTTPS-based connections.

Network location server

A network location server is an internal network server that hosts an HTTPS-based uniform resource locator (URL). DirectAccess clients access the URL to determine whether they are located on the internal network. The DirectAccess server can be the network location server, but a high-availability Web server is recommended. The Web server does not have to be dedicated as a network location server.

IPv6-capable internal network and applications or a NAT-PT device

DirectAccess clients exclusively use IPv6 to access internal network resources. Therefore, DirectAccess clients can only communicate with internal network servers and resources that are reachable by using IPv6. There are three ways to achieve IPv6 connectivity to an internal network:

  • Configure your internal network routing infrastructure to support native IPv6. Internal network servers and applications that support IPv6 are then reachable. Computers running Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008 are configured to use IPv6 by default.

  • Deploy the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) on your internal network. By using ISATAP, IPv6-capable internal network servers and applications can tunnel IPv6 traffic over your IPv4-only internal network. Computers running Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008 support ISATAP host functionality. ISATAP allows these computers to use IPv6 without requiring native IPv6 routing. The DirectAccess server will automatically configure itself as an ISATAP router in the absence of IPv6 connectivity on your internal network.

  • Use a Network Address Translation-Protocol Translation (NAT-PT) device to translate traffic between your DirectAccess clients that are using IPv6 and servers and applications that can only use IPv4. Windows Server 2008 R2 does not provide NAT-PT functionality. NAT-PT devices are typically available from Layer 2 and Layer 3 switch and router vendors. See your switch and router documentation for information about NAT-PT capabilities and configuration.

DirectAccess client connectivity methods

The following table lists possible DirectAccess client configurations and their corresponding method of sending IPv6 traffic to the DirectAccess server.

  • Client configuration: Assigned a global IPv6 address
    Preferred connectivity method: Global IPv6 address

  • Client configuration: Assigned a public IPv4 address (addresses that are not in the ranges 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16)
    Preferred connectivity method: 6to4, an IPv6 transition technology that provides IPv6 connectivity across the IPv4 Internet for hosts or sites that have a public IPv4 address.

  • Client configuration: Assigned a private IPv4 address (addresses that are in the ranges 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16)
    Preferred connectivity method: Teredo, an IPv6 transition technology that provides IPv6 connectivity across the IPv4 Internet for hosts that are assigned a private IPv4 address and are located behind an IPv4 network address translation (NAT) device that does not support 6to4 router functionality.

  • Client configuration: The client cannot connect using 6to4 or Teredo
    Preferred connectivity method: IP-HTTPS, a new protocol for Windows 7 and Windows Server 2008 R2 that allows hosts behind a Web proxy server or firewall to establish connectivity by tunneling IPv6 packets inside an IPv4-based secure Hypertext Transfer Protocol (HTTPS) session. IP-HTTPS is typically used only if the client cannot connect to the DirectAccess server by using the other IPv6 connectivity methods.

Firewall configuration for DirectAccess traffic

External firewalls between the Internet and your perimeter network must be able to pass the following types of traffic to and from the DirectAccess server:

  • For native IPv6 traffic, Internet Control Message Protocol for IPv6 (ICMPv6) traffic (IPv6 protocol 58) and IPsec Encapsulating Security Payload (ESP) traffic (IPv6 protocol 50).

  • For 6to4 traffic, IPv4 traffic that encapsulates IPv6 traffic (IPv4 protocol 41).

  • For Teredo traffic, IPv4 traffic with the User Datagram Protocol (UDP) port 3544.

  • For IP-HTTPS traffic, IPv4 traffic with the Transmission Control Protocol (TCP) port 443.
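As an added example that is not part of the original topic, the following PowerShell script combines the connectivity-method table with the external-firewall list above: given the address on a client's Internet-facing adapter, it reports the preferred connectivity method and the traffic type the external firewall must pass for it. The function names are hypothetical and the sample addresses are constructed.

```powershell
# Added example (not from the TechNet topic): map a DirectAccess client's assigned
# address to its preferred connectivity method and to the traffic type the
# external firewall must pass for that method. Function names are hypothetical.
function Test-PrivateIPv4Address {
    param([Parameter(Mandatory=$true)][System.Net.IPAddress]$Address)
    $b = $Address.GetAddressBytes()
    # The private ranges the table names: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
    return (($b[0] -eq 10) -or
            ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
            ($b[0] -eq 192 -and $b[1] -eq 168))
}

function Get-DirectAccessConnectivityMethod {
    param(
        # Address on the client's Internet-facing adapter (IPv4 or IPv6)
        [Parameter(Mandatory=$true)][string]$ClientAddress,
        # Set when neither 6to4 nor Teredo can reach the server (Web proxy, firewall)
        [switch]$TransitionBlocked
    )
    $ip = [System.Net.IPAddress]::Parse($ClientAddress)
    if ($ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        $method   = 'Global IPv6 address'
        $firewall = 'IPv6 protocol 58 (ICMPv6) and IPv6 protocol 50 (IPsec ESP)'
    }
    elseif ($TransitionBlocked) {
        $method   = 'IP-HTTPS'
        $firewall = 'IPv4 TCP port 443'
    }
    elseif (Test-PrivateIPv4Address $ip) {
        $method   = 'Teredo'
        $firewall = 'IPv4 UDP port 3544'
    }
    else {
        $method   = '6to4'
        $firewall = 'IPv4 protocol 41 (IPv6 encapsulated in IPv4)'
    }
    New-Object PSObject -Property @{
        ClientAddress             = $ClientAddress
        Method                    = $method
        ExternalFirewallException = $firewall
    }
}

# Constructed sample addresses, one per row of the table
Get-DirectAccessConnectivityMethod '2001:db8::1'      # Global IPv6 address
Get-DirectAccessConnectivityMethod '203.0.113.10'     # 6to4
Get-DirectAccessConnectivityMethod '192.168.1.20'     # Teredo
Get-DirectAccessConnectivityMethod '192.168.1.20' -TransitionBlocked   # IP-HTTPS
```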

For example, the exceptions on your external firewall’s Internet interface will be in the following format:

  • Input filter: [Any] allowed inbound to [IPv4 address of Internet-facing adapter on DirectAccess server] for [IPv4 or IPv6] with [IPv4/IPv6 protocol number or UDP/TCP port]

  • Output filter: [IPv4 address of Internet-facing adapter on DirectAccess server] for [IPv4 or IPv6] with [IPv4/IPv6 protocol number or UDP/TCP port] allowed outbound to [Any]

Internal firewalls between the perimeter network and the internal network must be able to pass the following types of traffic to and from the DirectAccess server:

  • For native IPv6 traffic, all types of IPv6 traffic.

  • For ISATAP traffic, IPv4 traffic that encapsulates IPv6 traffic (IPv4 protocol 41).

  • For IPv4 and NAT-PT traffic, all TCP and UDP traffic, including UDP port 500 Internet Key Exchange (IKE)/AuthIP traffic.

To allow Teredo-based connectivity, you must configure and deploy the following additional Windows Firewall with Advanced Security rules for all of the domain member computers in your organization:

  • Inbound ICMPv6 Echo Request messages (required)

  • Outbound ICMPv6 Echo Request messages (recommended)

Do not use the predefined File and Printer Sharing (Echo Request – ICMPv6-In) inbound rule or the File and Printer Sharing (Echo Request – ICMPv6-Out) outbound rule for this purpose. If you use these predefined rules, they can be disabled by turning off file and printer sharing within an organization, which will result in a lack of Teredo-based connectivity.

The easiest way to deploy these Windows Firewall settings to all of the member computers in your organization is through the Default Domain Group Policy object (GPO). For more information, see Checklist: Implementing a Basic Firewall Policy Design (http://go.microsoft.com/fwlink/?LinkId=147688).

Rule 1: Inbound ICMPv6 Echo Request messages

Create and enable a custom inbound rule with the following settings:

  • All programs

  • ICMPv6 protocol type with the Echo Request message

  • Any local and remote IP addresses

  • Allow action

  • All profiles (domain, work, public)

This rule is required.

Rule 2: Outbound ICMPv6 Echo Request messages

Create and enable a custom outbound rule with the following settings:

  • All programs

  • ICMPv6 protocol type with the Echo Request message

  • Any local and remote IP addresses

  • Allow action

  • All profiles (domain, work, public)

This rule is recommended as a best practice unless you are using Windows Firewall to block all outbound traffic, in which case this rule is required.
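As an added example that is not from the original topic, the following PowerShell script creates Rule 1 and Rule 2 as custom rules with netsh advfirewall (available on Windows 7 and Windows Server 2008 R2) and then checks that both rules exist. The rule names are hypothetical, and the commands assume an elevated prompt on a single computer; for domain-wide deployment, define the same rules in the GPO as described above instead.

```powershell
# Added example (not from the TechNet topic): create the two custom ICMPv6 Echo
# Request rules with netsh and verify them. Rule names are hypothetical.
# protocol=icmpv6:128,any  = ICMPv6 type 128 (Echo Request), any code
# no program=              = all programs
# localip/remoteip=any     = any local and remote IP addresses
# profile=any              = domain, private (called "work" above) and public

# Rule 1: inbound ICMPv6 Echo Request (required for Teredo connectivity)
netsh advfirewall firewall add rule `
    name="DirectAccess Teredo ICMPv6 Echo Request (In)" `
    dir=in action=allow protocol=icmpv6:128,any `
    localip=any remoteip=any profile=any enable=yes

# Rule 2: outbound ICMPv6 Echo Request (recommended; required when Windows
# Firewall blocks all outbound traffic)
netsh advfirewall firewall add rule `
    name="DirectAccess Teredo ICMPv6 Echo Request (Out)" `
    dir=out action=allow protocol=icmpv6:128,any `
    localip=any remoteip=any profile=any enable=yes

# Verification: "show rule" sets a non-zero exit code when no rule matches the name
function Test-FirewallRuleExists {
    param([Parameter(Mandatory=$true)][string]$Name)
    $null = netsh advfirewall firewall show rule name="$Name"
    return ($LASTEXITCODE -eq 0)
}

foreach ($name in 'DirectAccess Teredo ICMPv6 Echo Request (In)',
                  'DirectAccess Teredo ICMPv6 Echo Request (Out)') {
    if (Test-FirewallRuleExists $name) { Write-Host "Present: $name" }
    else { Write-Warning "Missing: $name" }
}
```

These are the custom rules the text calls for, not the predefined File and Printer Sharing rules, so turning off file and printer sharing does not disable them.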

Integration with smart cards

You can require the use of smart cards when DirectAccess clients make a connection to the DirectAccess server. Users can log on to their computers and access the Internet without a smart card, but require smart card authentication to access any internal network resources.

Additional resources

For information about DirectAccess integration with server and domain isolation and Network Access Protection (NAP), see the DirectAccess home page on Microsoft Technet (http://go.microsoft.com/fwlink/?LinkId=142598).
