Add Servers that are Available to DirectAccess Clients before User Logon

Updated: March 22, 2010

Applies To: Windows Server 2008 R2

Important

This topic describes deployment of DirectAccess in Windows Server 2008 R2. For deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Deployment Guide (https://go.microsoft.com/fwlink/?LinkId=179989).

To add intranet servers that are available to DirectAccess clients before user logon, either add them as management servers with the DirectAccess Setup Wizard (recommended), or add their Internet Protocol version 6 (IPv6) addresses to the list of permitted endpoints of the infrastructure or management tunnel with the Netsh.exe tool. Use the Netsh.exe method only for a customized DirectAccess deployment in which running the DirectAccess Setup Wizard would overwrite one or more custom settings. Servers added either way are reachable over a tunnel that is authenticated with the client computer's credentials, before any user has logged on, so limit the list to servers that genuinely need pre-logon access. For more information, see Design for Intranet Server Availability Prior to User Logon.

To complete these procedures, you must be a member of the local Administrators group, or otherwise be delegated permissions to create and apply the configuration of the DirectAccess Setup Wizard or modify Group Policy settings. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To make intranet servers available to DirectAccess clients before user logon using the DirectAccess Setup Wizard

  1. Click Start, click Run, type damgmt.msc, and then press ENTER.

  2. In the console tree, click Setup.

  3. In the details pane, click Configure for step 3.

  4. On the Location page, click Next.

  5. On the DNS and Domain Controller page, click Next.

  6. On the Management page, right-click the empty row, and then click New.

  7. In the IPv4 Address dialog box, specify either the host name or IPv4 address of the intranet server, and then click OK. In the IPv6 Address/Prefix dialog box, specify either the host name or IPv6 address or prefix of the intranet server, and then click OK.

  8. Repeat steps 6 and 7 for additional intranet servers.

  9. Click Finish.

  10. Click Save, and then click Finish.

  11. In the DirectAccess Review dialog box, click Apply. In the DirectAccess Policy Configuration message box, click OK.

To make intranet servers available to DirectAccess clients before user logon using the Netsh.exe tool and the management tunnel

  1. On a domain controller, start a command prompt as an administrator.

  2. From the Command Prompt window, run the netsh -c advfirewall command.

  3. From the netsh advfirewall prompt, run the set store gpo="DomainName\DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}" command, where DomainName is the name of your Active Directory domain. The store selection lasts only for the current netsh session.

  4. From the netsh advfirewall prompt, run the consec show rule name="DirectAccess Policy-ClientToMgmt" command.

  5. From the display of the consec show rule command, note the IPv6 addresses for Endpoint2.

  6. From the netsh advfirewall prompt, run the consec set rule "DirectAccess Policy-ClientToMgmt" new endpoint2=ExistingIPv6Addresses,ListOfAdditionalServerIPv6Addresses command, where ExistingIPv6Addresses is the comma-separated list of IPv6 addresses from step 5 and ListOfAdditionalServerIPv6Addresses is the comma-separated list of IPv6 addresses of the servers you are adding. The new value replaces the endpoint list, so omitting an existing address removes that server from the tunnel.

  7. From the netsh advfirewall prompt, run the set store gpo="DomainName\DirectAccess Policy-{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300}" command.

  8. From the netsh advfirewall prompt, run the consec set rule "DirectAccess Policy-DaServerToMgmt" new endpoint1=ExistingIPv6Addresses,ListOfAdditionalServerIPv6Addresses command, using the same two lists. In the DirectAccess server's rule the management servers are Endpoint1, not Endpoint2.

To make intranet servers available to DirectAccess clients before user logon using the Netsh.exe tool and the infrastructure tunnel

  1. On a domain controller, start a command prompt as an administrator.

  2. From the Command Prompt window, run the netsh -c advfirewall command.

  3. From the netsh advfirewall prompt, run the set store gpo="DomainName\DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}" command, where DomainName is the name of your Active Directory domain. The store selection lasts only for the current netsh session.

  4. From the netsh advfirewall prompt, run the consec show rule name="DirectAccess Policy-ClientToDnsDc" command.

  5. From the display of the consec show rule command, note the IPv6 addresses for Endpoint2.

  6. From the netsh advfirewall prompt, run the consec set rule "DirectAccess Policy-ClientToDnsDc" new endpoint2=ExistingIPv6Addresses,ListOfAdditionalServerIPv6Addresses command, where ExistingIPv6Addresses is the comma-separated list of IPv6 addresses from step 5 and ListOfAdditionalServerIPv6Addresses is the comma-separated list of IPv6 addresses of the servers you are adding. The new value replaces the endpoint list, so omitting an existing address removes that server from the tunnel.

  7. From the netsh advfirewall prompt, run the set store gpo="DomainName\DirectAccess Policy-{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300}" command.

  8. From the netsh advfirewall prompt, run the consec set rule "DirectAccess Policy-DaServerToDnsDc" new endpoint1=ExistingIPv6Addresses,ListOfAdditionalServerIPv6Addresses command, using the same two lists. In the DirectAccess server's rule the DNS servers and domain controllers are Endpoint1, not Endpoint2.
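The following PowerShell script is an added example, not part of the original topic, that automates both Netsh.exe procedures above (management tunnel and infrastructure tunnel) with one read-modify-verify routine. It runs elevated on a domain controller, as the procedures require. The domain name, the tunnel selection and the server addresses at the top are constructed placeholders; the GPO names and rule names are the ones used in the procedures. Because a set store selection only lasts for one netsh session, each operation is written to a temporary script and run with netsh -f so that the store selection and the command execute in the same process.

```powershell
# Added example, not from the original page. Run elevated on a domain controller.
$Domain     = 'corp.example.com'                      # assumption: your AD domain name
$Tunnel     = 'Management'                            # or 'Infrastructure'
$NewServers = @('2001:db8:10::25', '2001:db8:10::26') # constructed IPv6 addresses

# GPO names from the procedures; which endpoint holds the server list differs per rule.
$ClientGpo = "$Domain\DirectAccess Policy-{3491980e-ef3c-4ed3-b176-a4420a810f12}"
$ServerGpo = "$Domain\DirectAccess Policy-{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300}"
$Rules = @{
    Management = @(
        @{ Gpo = $ClientGpo; Name = 'DirectAccess Policy-ClientToMgmt';   Endpoint = 'Endpoint2' },
        @{ Gpo = $ServerGpo; Name = 'DirectAccess Policy-DaServerToMgmt'; Endpoint = 'Endpoint1' })
    Infrastructure = @(
        @{ Gpo = $ClientGpo; Name = 'DirectAccess Policy-ClientToDnsDc';   Endpoint = 'Endpoint2' },
        @{ Gpo = $ServerGpo; Name = 'DirectAccess Policy-DaServerToDnsDc'; Endpoint = 'Endpoint1' })
}

function Invoke-NetshInStore {
    # Runs one advfirewall command against a GPO store. 'set store' is session state,
    # so the store selection and the command go into the same netsh -f script.
    param([string]$Gpo, [string]$Command)
    $script = [IO.Path]::GetTempFileName()
    try {
        @('advfirewall', "set store gpo=`"$Gpo`"", $Command) |
            Set-Content -Path $script -Encoding ASCII
        $out = & netsh.exe -f $script 2>&1
        if ($LASTEXITCODE -ne 0) { throw "netsh failed for '$Command': $($out -join ' ')" }
        return $out
    } finally { Remove-Item $script -ErrorAction SilentlyContinue }
}

function Get-RuleEndpoint {
    # Parses the "Endpoint1:" / "Endpoint2:" line of 'consec show rule' into a list.
    param([string]$Gpo, [string]$Name, [string]$Endpoint)
    $out = Invoke-NetshInStore -Gpo $Gpo -Command "consec show rule name=`"$Name`""
    foreach ($line in $out) {
        if ($line -match "^$Endpoint\s*:\s*(.+)$") {
            return @(($Matches[1] -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    throw "Rule '$Name' (or its $Endpoint line) was not found in $Gpo"
}

function ConvertTo-CanonicalIPv6 {
    # The tunnel rules take IPv6 endpoints; reject anything else before touching the GPO.
    param([string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        throw "$Address is not an IPv6 address"
    }
    return $ip.IPAddressToString
}

function Add-RuleEndpoint {
    param([string]$Gpo, [string]$Name, [string]$Endpoint, [string[]]$Servers)
    $servers  = $Servers | ForEach-Object { ConvertTo-CanonicalIPv6 $_ }
    $existing = Get-RuleEndpoint -Gpo $Gpo -Name $Name -Endpoint $Endpoint
    if ($existing -contains 'Any') {
        throw "$Name $Endpoint is 'Any'; appending addresses would narrow the rule, refusing"
    }
    # Only append addresses that are missing, so re-running the script changes nothing.
    $toAdd = @($servers | Where-Object { $existing -notcontains $_ })
    if ($toAdd.Count -eq 0) { Write-Host "$Name already lists all servers"; return }
    $newList = ($existing + $toAdd) -join ','
    Invoke-NetshInStore -Gpo $Gpo -Command `
        "consec set rule name=`"$Name`" new $($Endpoint.ToLower())=$newList" | Out-Null
    # Read the rule back from the GPO and confirm every address landed.
    $after   = Get-RuleEndpoint -Gpo $Gpo -Name $Name -Endpoint $Endpoint
    $missing = @($servers | Where-Object { $after -notcontains $_ })
    if ($missing.Count -gt 0) { throw "$Name still lacks: $($missing -join ', ')" }
    Write-Host "$Name $Endpoint is now: $($after -join ',')"
}

foreach ($rule in $Rules[$Tunnel]) {
    Add-RuleEndpoint -Gpo $rule.Gpo -Name $rule.Name -Endpoint $rule.Endpoint -Servers $NewServers
}
Write-Host 'Clients and the DirectAccess server apply the change at their next computer Group Policy refresh.'
```

The read-back after each set rule is the check worth keeping even when you run the commands by hand: a typo in the list silently drops a server from the tunnel, and the refusal on an endpoint of Any prevents turning a deliberately broad rule into a short address list.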

DirectAccess clients and servers update their connection security rules in the next update of computer configuration Group Policy.

If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to return to the checklist.