DirectAccess for Windows Server 2008 R2
Design, Deployment, and Troubleshooting Guides
Microsoft Corporation
Published: December 2009
Updated: September 2010
Author: Joe Davies
Editor: Scott Somahano
Abstract
This document contains the Design Guide, Deployment Guide, and Troubleshooting Guide for DirectAccess in Windows Server 2008 R2. These guides help you to design and deploy DirectAccess servers, DirectAccess clients, and infrastructure servers on your intranet and troubleshoot common DirectAccess problems. Use the Design Guide to answer the “What,” “Why,” and “When” questions a deployment design team might ask before deploying DirectAccess in a production environment. Use the Deployment Guide to answer the “How” questions a deployment team might ask when implementing a DirectAccess design. Use the Troubleshooting Guide for task-oriented information to help you identify and resolve problems quickly and perform root-cause analysis of incidents and problems with the elements of a DirectAccess infrastructure.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
The DirectAccess Design, Deployment, and Troubleshooting Guides are for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
© 2009 Microsoft Corporation. All rights reserved.
Microsoft, Windows, Windows Server, Windows Vista, and Active Directory are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
This white paper reflects content that was published on Microsoft TechNet as of September 1, 2010. The corresponding content published on TechNet after this date might contain changes. For the latest information, see the following documents:
· DirectAccess Design Guide (http://go.microsoft.com/fwlink/?LinkID=161985)
· DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=166398)
· DirectAccess Troubleshooting Guide (http://go.microsoft.com/fwlink/?LinkId=165904)
Contents
DirectAccess Design Guide 13
About this guide 13
Understanding the DirectAccess Design Process 14
Identifying Your DirectAccess Deployment Goals 15
Transparent and Automatic Remote Access for DirectAccess Clients 16
Ongoing Management of Remote DirectAccess Clients 16
Efficient Routing of Intranet and Internet Traffic 17
Reduction of Remote Access-based Servers in your Edge Network 17
End-to-end Traffic Protection 18
Multi-factor Credentials for Intranet Access 18
Mapping Your Deployment Goals to a DirectAccess Design 19
Evaluating DirectAccess Design Examples 19
Full Intranet Access Example 20
Full Intranet Access with Smart Cards Example 21
Selected Server Access Example 22
Using authentication with null encapsulation for selected server access 23
End-to-end Access Example 24
Planning a DirectAccess Deployment Strategy 25
Resources Available to DirectAccess Clients 26
IPv6 resources on your intranet 26
IPv4-only resources on the intranet 27
Using an IPv4-only intranet 28
Limiting connectivity to selected resources 28
IPv6 resources on the IPv6 Internet 29
Choose an Intranet IPv6 Connectivity Design 30
No existing IPv6 infrastructure 30
Existing ISATAP infrastructure 31
Existing native IPv6 infrastructure 31
Choose Solutions for IPv4-only Intranet Resources 32
Choose an Access Model 34
Full Intranet Access 34
Selected Server Access 35
End-to-End Access 36
Choose a Configuration Method 37
DirectAccess Management Console 37
Custom configuration using the Network Shell (Netsh) command-line tool and Group Policy 37
Design for Remote Management 38
Design for Intranet Server Availability Prior to User Logon 39
Design Packet Filtering for DirectAccess 41
Packet Filters for Your Internet Firewall 41
Packet Filters for Your Intranet Firewall 42
Confining ICMPv6 Traffic to the Intranet 43
Packet filters for Teredo Connectivity 45
Packet filters to allow inbound ICMP Echo Requests on all computers 45
Enable edge traversal on inbound management traffic 46
Enable inbound ICMPv6 Echo Requests for management traffic 46
Packet Filters for Management Computers 46
DirectAccess and Third-party Host Firewalls 47
Choose an Authentication and Authorization Scheme 48
Additional end-to-end peer authentication for selected server access 49
Peer authentication for end-to-end access 49
Smart cards for additional authorization 49
Allowing access for users with unusable smart cards 50
Prompts for smart card credentials while on the intranet 50
Under the covers: Smart card authorization 51
Design Addressing and Routing for the DirectAccess Server 52
IPv4 address and routing configuration 52
IPv6 address and routing configuration 53
Design Active Directory for DirectAccess 54
Active Directory and the DirectAccess server 55
Active Directory Sites and Services configuration 55
DirectAccess and user profiles for remote users 56
Design Your DNS Infrastructure for DirectAccess 56
Split-brain DNS 57
DNS server requirements for ISATAP 58
AAAA records for servers that do not perform DNS dynamic update 58
Local name resolution behavior for DirectAccess clients 58
NRPT rules 59
DNS server querying behavior for DirectAccess clients 60
Unqualified, single-label names and DNS search suffixes 61
External DNS 61
Design Your PKI for DirectAccess 62
Autoenrollment for computer certificates 62
Manual enrollment for network location server and IP-HTTPS certificates 62
Certificate revocation checking and CRL distribution points 63
Using a commercial CA for the IP-HTTPS certificate 64
Enabling strong CRL checking for IPsec authentication 65
Smart cards for additional authorization 65
Using Suite B certificates for DirectAccess 66
Design Your Web Servers for DirectAccess 66
Choose an Internet Traffic Separation Design 67
Configure IPv4 Internet access 69
Enable force tunneling 69
Modify the NRPT 69
Configure the use of IP-HTTPS 70
Modify Internet firewall settings 70
Design Protection for Traffic between DirectAccess Clients 71
Design Your Intranet for Corporate Connectivity Detection 72
Choose a DirectAccess and VPN Coexistence Design 74
DirectAccess and third-party VPN clients 75
Use the DirectAccess Connectivity Assistant (DCA) 75
Planning the Placement of a DirectAccess Server 76
When to Install a DirectAccess Server 76
Where to Place the DirectAccess Server 77
Planning Redundancy for a DirectAccess Server 78
Planning the Placement of a Network Location Server 79
Where to Place the Network Location Server 79
Highly available intranet Web server as the network location server 80
Authentication and authorization for the network location URL 81
DirectAccess server as the network location server 81
Planning Redundancy for a Network Location Server 82
Planning the Placement of CRL Distribution Points 82
Where to Place the CRL Distribution Points 83
Intranet location for intranet detection 83
Internet location for IP-HTTPS connections 83
Planning Redundancy for CRL Distribution Points 84
Planning DirectAccess with Network Access Protection (NAP) 84
Configuration changes for the infrastructure tunnel 85
Configuration changes for the intranet tunnel 86
Planning DirectAccess with an Existing Server and Domain Isolation Deployment 87
...