Selected Server Access Example

Updated: October 1, 2009

Applies To: Windows 7, Windows Server 2008 R2

This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (

Selected server access allows you to confine the access of DirectAccess clients to a specific set of intranet application servers and deny access to all other locations on the intranet. Intranet access requires end-to-end Internet Protocol security (IPsec) protection from the DirectAccess client to the specified servers. This provides an additional layer of IPsec peer authentication and data integrity for end-to-end traffic so that DirectAccess clients can verify that they are communicating with specific servers.

The following figure shows an example of selected server access.


The DirectAccess client and selected servers by default perform IPsec peer authentication using computer credentials and protect the traffic with Encapsulating Security Payload (ESP)-NULL for data integrity.

You can also use selected server access to require end-to-end IPsec protection from the DirectAccess client to specified servers and allow access to all other locations on the intranet. Traffic to other intranet application servers is not protected with IPsec peer authentication and data integrity. The intranet tunnel between the DirectAccess client and server provides encryption for both types of intranet traffic across the Internet.

To demonstrate selected server access, configure the DirectAccess test lab ( with the Selected Server Access extension (

Authentication with null encapsulation is a new feature of Windows Firewall with Advanced Security for Windows 7 and Windows Server 2008 R2. Some intranets contain hardware that cannot parse or forward IPsec-protected traffic. With authentication with null encapsulation enabled, IPsec peers perform normal IPsec peer authentication and include IPsec data integrity on the first packet exchanged. Subsequent packets are sent as clear text with no IPsec protection. This feature allows you to use IPsec for peer authentication in environments that do not support IPsec-protected traffic flows. You can enable authentication with null encapsulation for DirectAccess when using selected server access.

Authentication with null encapsulation is not the same as using ESP-NULL for per-packet data integrity.

Community Additions