DirectAccess Learning Roadmap

Updated: February 18, 2011

Applies To: Windows Server 2008 R2

DirectAccess in Windows Server 2008 R2 and Windows 7 allows remote users to securely access enterprise shares, websites, and applications without connecting to a virtual private network (VPN). DirectAccess establishes bi-directional connectivity with a user’s enterprise network every time a user’s DirectAccess-enabled portable computer connects to the Internet, even before the user logs on. Users never have to think about connecting to the enterprise network and IT administrators can manage remote computers outside the office, even when the computers are not connected to the VPN.

If you are new to DirectAccess, this topic can help you identify what you need to learn to fully understand how to deploy and troubleshoot DirectAccess. It includes prerequisite topics that cover a variety of networking and IT infrastructure fundamentals. You must understand the prerequisite technologies first, because DirectAccess builds upon them and assumes an understanding of them. Afterwards, you can begin learning about DirectAccess through the resources in the Level 100 (introductory), 200 (intermediate), and 300 (advanced) sections.

We recommend that you read the topics in the order listed.

• Prerequisites

• Level 100

• Level 200

• Level 300

This section contains links to a variety of resources that contain the background information you need to fully understand how DirectAccess works.

• Step 1: Learn about TCP/IP architecture.

  See Chapter 2 – Architectural Overview of the TCP/IP Protocol Suite (https://go.microsoft.com/fwlink/?linkid=153192) of TCP/IP Fundamentals for Windows.

  Your goal is to understand the basics of the layered TCP/IP stack architecture and the key protocols in the TCP/IP suite including Internet Protocol version 4 (IPv4), Internet Protocol version 6 (IPv6), Internet Control Message Protocol (ICMP), ICMP for IPv6 (ICMPv6), Transmission Control Protocol (TCP), and User Datagram Protocol (UDP).

• Step 2: Learn about IPv6 addresses.

  See Chapter 3 – IP Addressing (https://go.microsoft.com/fwlink/?linkid=153193) of TCP/IP Fundamentals for Windows.

  Your goal is to understand the syntax and size of IPv6 addresses, the different types of addresses, and how to express ranges of addresses.

• Step 3: Learn about IPv6 forwarding and routing.

  See Chapter 5 – IP Routing (https://go.microsoft.com/fwlink/?linkid=153197) and Chapter 10 - TCP/IP End-to-End Delivery (https://go.microsoft.com/fwlink/?linkid=153198) of TCP/IP Fundamentals for Windows.

  Your goal is to understand how IPv6 uses routing tables to send or forward packets and the details of the IPv6 end-to-end delivery processes.

• Step 4: Learn about IPv6 transition technologies.

  See Chapter 15 – IPv6 Transition Technologies (https://go.microsoft.com/fwlink/?linkid=153199) of TCP/IP Fundamentals for Windows.

  Your goal is to understand how the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), 6to4, and Teredo IPv6 transition technologies work.

• Step 5: Learn how the Internet Protocol security (IPsec) protocols work to help protect your network traffic.

  See Chapter 13 - Internet Protocol Security and Packet Filtering (https://go.microsoft.com/fwlink/?linkid=153200) of TCP/IP Fundamentals for Windows.

  Your goal is to understand the role of IPsec, the differences between tunnel and transport modes, the differences between main mode and quick mode negotiation, and the protocols used to implement IPsec protection.

• Step 6: Learn how to create a public key infrastructure (PKI) with Active Directory Certificate Services (AD CS).

  DirectAccess requires a PKI to issue digital certificates to DirectAccess clients and servers. If you do not already have a PKI, you can deploy one with AD CS. See Designing a Public Key Infrastructure (https://go.microsoft.com/fwlink/?LinkId=169425).

  Your goal is to understand how to deploy a PKI, configure certificate autoenrollment, request custom certificates, and configure certificate revocation list (CRL) distribution points.

• Step 7: Learn how to create Hypertext Transfer Protocol (HTTP) and Secure HTTP (HTTPS) websites with Internet Information Services (IIS).

  DirectAccess requires web servers to host an HTTPS-based intranet website and CRL distribution points on the Internet and your intranet. If you do not already have web servers, you can deploy IIS. See the IIS 7 Deployment Guide (https://go.microsoft.com/fwlink/?LinkId=166752).

  Your goal is to understand how to configure websites with IIS, including certificate bindings and HTTPS-based sites.

• Step 8 (optional): Learn how to use the Network Access Protection (NAP) IPsec enforcement method.

  DirectAccess can be configured with the NAP IPsec enforcement method to allow intranet access only when a DirectAccess client complies with system health requirements. See the Internet Protocol Security Enforcement in the Network Access Protection Platform (https://go.microsoft.com/fwlink/?LinkId=169427) white paper.

  Your goal is to understand how the NAP IPsec enforcement method works to require system health evaluation for IPsec-protected communications.

The following resources contain introductory information about DirectAccess.

• Step 1: Learn the benefits of DirectAccess.

  See the Windows 7 and Windows Server 2008 R2 DirectAccess Executive Overview (https://go.microsoft.com/fwlink/?LinkId=137755) and view the Windows 7 Enterprise Demo of DirectAccess (https://go.microsoft.com/fwlink/?LinkId=169437).

  Your goal is to understand the business benefits of DirectAccess.

• Step 2: Learn about the components of DirectAccess.

  See the Technical Overview of DirectAccess in Windows 7 and Windows Server 2008 R2 (https://go.microsoft.com/fwlink/?LinkId=137754).

  This document describes the technologies that are used to create the DirectAccess solution.

  Your goal is to understand DirectAccess access models, connections, security, connectivity, requirements, and integration with NAP.

• Step 3: Learn about how DirectAccess compares to other VPN solutions.

  See Next Generation Remote Access with DirectAccess and VPNs (https://go.microsoft.com/fwlink/?LinkId=152702).

  This document describes the benefits of DirectAccess over VPNs, scenarios where VPNs are still needed, and how DirectAccess and VPNs can be used together.

  Your goal is to understand the relationship between DirectAccess and remote access VPN solutions.

The following resources contain intermediate information about DirectAccess.

• Step 1: Learn how to create an effective design for a DirectAccess deployment.

  See the DirectAccess Design Guide (https://go.microsoft.com/fwlink/?LinkID=161985) and the Infrastructure Planning and Design (IPD) Guide for DirectAccess (https://go.microsoft.com/fwlink/?LinkID=163945). For DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (https://go.microsoft.com/fwlink/?LinkId=179988).

  These documents describe design considerations so that DirectAccess can meet your organization’s requirements for connectivity and security.

  Your goal is to understand the different access models, the infrastructure elements and requirements, and how to plan for the different servers needed for a DirectAccess deployment.

• Step 2: Learn how to configure a DirectAccess server with the DirectAccess Setup Wizard.

  View the DirectAccess Configuration Webcast (https://go.microsoft.com/fwlink/?LinkId=169434).

  This webcast demonstrates how to use the DirectAccess Setup Wizard and how DirectAccess client connectivity and remote management work.

  Your goal is to understand the steps of the DirectAccess Setup Wizard and the resulting bi-directional connectivity of DirectAccess clients.

• Step 3: Demonstrate DirectAccess in a test lab.

  See the Test Lab Guide: Demonstrate DirectAccess (https://go.microsoft.com/fwlink/?Linkid=150613).

  This document contains procedures that demonstrate how to set up DirectAccess in a simplified test lab environment.

  Your goal is to understand the different elements of a DirectAccess deployment and their configuration and to experience DirectAccess working in a test lab for different types of Internet connections.

• Step 4: Learn how to deploy your design for DirectAccess.

  See the DirectAccess Deployment Guide (https://go.microsoft.com/fwlink/?LinkId=166398). For DirectAccess in Microsoft Forefront UAG, see the Forefront UAG DirectAccess Deployment Guide (https://go.microsoft.com/fwlink/?LinkId=179989).

  These documents discuss how to implement your DirectAccess design with checklists and detailed, step-by-step procedures.

  Your goal is to understand how to meet infrastructure requirements and configure the DirectAccess server and other infrastructure servers to implement your DirectAccess design.

• Step 5: Learn basic troubleshooting for DirectAccess.

  See the DirectAccess Troubleshooting Guide (https://go.microsoft.com/fwlink/?LinkId=165904).

  This document describes DirectAccess troubleshooting tools and general techniques to diagnose and resolve common DirectAccess deployment and connectivity problems.

  Your goal is to understand the tools, the general methodology, and the kinds of problems that can occur when configuring the DirectAccess server and making DirectAccess connections.

• Step 6: Troubleshoot DirectAccess in a test lab.

  See the Test Lab Guide: Troubleshoot DirectAccess (https://go.microsoft.com/fwlink/?LinkId=181160).

  This document lists the DirectAccess troubleshooting tools, shows the results of the tools in a working DirectAccess test lab, and guides you through troubleshooting common problems in the controlled environment of the DirectAccess test lab.

  Your goal is to learn how to use DirectAccess troubleshooting tools and techniques by working through a set of DirectAccess troubleshooting scenarios.

• Step 7 (optional): Learn how to deploy your DirectAccess with NAP.

  See the DirectAccess with Network Access Protection (NAP).

  This resource describes how to deploy DirectAccess with NAP to enforce system health requirements before allowing intranet access to DirectAccess clients.

  Your goal is to understand the business benefits, infrastructure requirements, deployment phases, and troubleshooting techniques for a DirectAccess with NAP solution.

The following resources contain advanced information about DirectAccess.

• Step 1: Learn the details of IPsec protocols and packets, and how they are processed by Windows.

  See Chapter 18 – Internet Protocol Security (IPsec) of the Windows Server 2008 TCP/IP Protocols and Services (https://go.microsoft.com/fwlink/?linkid=153195) Microsoft Press book.

  This chapter provides details of the IPsec protocols and examines the structure of IPsec packets.

  Your goal is to understand the different types of IPsec headers and trailers, message exchanges, and processing for IPsec-protected packets.

• Step 2: Learn the details of the IP-HTTPS protocol.

  See the IP over HTTPS (IP-HTTPS) Tunneling Protocol Specification (https://go.microsoft.com/fwlink/?linkid=157309).

  This specification defines the Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS), which DirectAccess clients use to exchange IPv6 packets with the DirectAccess server when they cannot use 6to4 or Teredo.

  Your goal is to understand the different types of IP-HTTPS messages, message exchanges, and protocol details for the IP-HTTPS client (the DirectAccess client) and the IP-HTTPS server (the DirectAccess server).

DirectAccess TechNet web page (https://go.microsoft.com/fwlink/?Linkid=151854)