Share via


Planning DirectAccess with Network Access Protection (NAP)

Applies To: Windows 7, Windows Server 2008 R2

Important

This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (https://go.microsoft.com/fwlink/?LinkId=179988).

Network Access Protection (NAP) for DirectAccess connections is use of a health certificate for the Internet Protocol security (IPsec) peer authentication of the intranet tunnel. A health certificate is a certificate with the System Health object identifier (OID). A NAP client can only obtain a health certificate from a Health Registration Authority (HRA) if it complies with system health requirements as configured on a NAP health policy server.

Using NAP for enforcement of system health for DirectAccess connections requires the deployment of the IPsec enforcement method, which includes the following elements:

  • NAP health policy servers

  • HRAs on the intranet

  • NAP certification authorities (CAs)

  • Remediation servers

  • NAP client settings

For information about how to deploy IPsec enforcement, see IPsec Enforcement Design.

In your deployment of IPsec enforcement, on the DirectAccess server, you need to install an IPsec exemption certificate.

For more information about the DirectAccess with NAP solution, see DirectAccess with Network Access Protection (NAP).

Note

To prevent timing problems that might occur when obtaining Kerberos authentication and accessing the Web location on the intranet HRA, you can configure Internet Information Services (IIS) on the HRA to use NTLM authentication with the %windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/security/authentication/windowsAuthentication /-providers.[value='Negotiate'] command.

Configuration changes for the infrastructure tunnel

To allow DirectAccess clients the ability to obtain a health certificate from an HRA on the intranet and to remediate their noncompliant system health, you must make the following configuration changes:

  • For the Group Policy object for DirectAccess clients, add the Internet Protocol version 6 (IPv6) addresses of your intranet HRAs and remediation servers to the set of accessible endpoints in the DirectAccess Policy-ClientToDnsDc connection security rule.

  • For the GPO for DirectAccess servers, add the IPv6 addresses of your intranet HRAs and remediation servers to the set of accessible endpoints in the DirectAccess Policy-DaServerToDnsDc connection security rule.

If you are using Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) for intranet IPv6 connectivity, you must assign static Internet Protocol version 4 (IPv4) addresses to your HRAs and remediation servers. If you are using native IPv6 connectivity, you must assign static IPv6 addresses to your HRAs and remediation servers.

Note

If you modify the connection security rules created by the DirectAccess Setup Wizard, you must use Network Shell (Netsh) commands. There are connection security rule settings that cannot be modified with the Windows Firewall with Advanced Security snap-in. If you modify these connection security rules with the Windows Firewall with Advanced Security snap-in, they will be overwritten with default values, which can result in incompatible connection security rules that prevent DirectAccess connections.

Configuration changes for the intranet tunnel

After you have confirmed that health certificates are being obtained by compliant NAP clients, you must choose the NAP enforcement mode for your DirectAccess clients:

  • In reporting mode, DirectAccess clients will be able to perform peer authentication for the intranet tunnel on the DirectAccess server even when they are not compliant with system health requirements. Users on noncompliant DirectAccess clients receive no notification that they are not compliant.

  • In deferred enforcement mode, DirectAccess clients will be able to perform peer authentication for the intranet tunnel on the DirectAccess server even when they are not compliant with system health requirements. However, users on noncompliant DirectAccess clients receive a notification that they are not compliant and a date by which they will no longer be able to connect if they are still noncompliant.

  • In full enforcement mode, DirectAccess clients will not be able to perform peer authentication for the intranet tunnel when they are not compliant with system health requirements. Users on noncompliant DirectAccess clients will receive a notification that they are not compliant.

For reporting mode and deferred enforcement mode, there are no changes that need to be made to the settings of the DirectAccess server Group Policy object for the intranet tunnel. For full enforcement mode, you must require health certificates for the Computer certificate authentication method and enable authorization for IPsec tunneling in the DirectAccess Policy-DaServerToCorp connection security rule.

For more information, see Checklist: Configuring Network Access Protection (NAP) with DirectAccess and Configure DirectAccess Connection Security Rules for NAP in the DirectAccess Deployment Guide.

Note

If you modify the connection security rules created by the DirectAccess Setup Wizard, you must use Network Shell (Netsh) commands. There are connection security rule settings that cannot be modified with the Windows Firewall with Advanced Security snap-in. If you modify these connection security rules with the Windows Firewall with Advanced Security snap-in, they will be overwritten with default values, which can result in incompatible connection security rules that prevent DirectAccess connections.
You can demonstrate NAP functionality for DirectAccess with the DirectAccess with NAP test lab (https://go.microsoft.com/fwlink/?LinkId=186697).