Windows 7 / Networking

Configure DirectAccess

The primary difference between DirectAccess and a typical VPN is that DirectAccess authenticates the computer, using its certificate, before any user logs on, so the user never has to start the connection or supply credentials to establish it. With DirectAccess, a user simply powers on his or her computer, connects to an Internet access point, and automatically has access to the organization's internal network; the user is authenticated separately at logon, as described under Configuring authentication.

Configuring client side

You need to know what steps to take to prepare a computer running Windows 7 to function as a DirectAccess client.

DirectAccess is an IPv6-based, IPsec-encrypted connection that the client establishes automatically whenever it detects an Internet connection. The user does not have to authenticate to bring the connection up, because the initial authentication uses the computer's certificate. DirectAccess is bidirectional, so Group Policy and other management technologies can manage the computer as though it were connected to the LAN. DirectAccess can also be integrated with Network Access Protection (NAP) to ensure that mobile clients are kept up to date with software updates and antimalware software and definitions.

Windows 7 Enterprise and Windows 7 Ultimate support DirectAccess. These computers must be members of an Active Directory domain and must have a computer certificate for IPsec authentication installed. When configuring a computer for DirectAccess, the computer account must be a member of a specially configured security group. This group is specified when running the DirectAccess Wizard during initial configuration on the DirectAccess server. DirectAccess configuration is pushed to the client through Group Policy.

Group Policy settings for DirectAccess are configured when you run the DirectAccess Setup Wizard on the DirectAccess server during initial configuration. Two GPOs are created: one applies to the DirectAccess clients (security-filtered to the client group you specified) and the other to the DirectAccess server. You don't have to edit the policies manually; they are configured based on your responses to the wizard.

The method that the client uses to connect to the DirectAccess server depends on the kind of address its Internet connection point provides:

  • A globally routable IPv6 address: DirectAccess will use this address.
  • A public IPv4 address: DirectAccess will use 6to4.
  • A private IPv4 address: DirectAccess will use Teredo unless the NAT device also provides 6to4 gateway functionality. In that case, DirectAccess will use 6to4.
  • If none of these methods reaches the server (for example, a firewall blocks IP protocol 41 or UDP port 3544), the client falls back to IP-HTTPS, which tunnels IPv6 over HTTPS on TCP port 443.
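
As an added example (not code from the original page), the following PowerShell script, run in an elevated prompt on a Windows 7 client, checks the prerequisites above (domain membership, membership of the DirectAccess client group, a computer certificate with a private key and the Client Authentication EKU), applies the address-based selection rules to the client's own addresses, and then prints what the IPv6 transition stack actually negotiated and whether the DirectAccess Group Policy has applied. The group name DirectAccessClients is an assumption; substitute the group you specified in the DirectAccess Setup Wizard.

```powershell
# Added example, not code from the original page: DirectAccess client readiness check
# for Windows 7. Uses only built-in WMI, ADSI and netsh; runs under PowerShell 2.0.
$DaClientGroup = 'DirectAccessClients'   # assumption: the group chosen in the DirectAccess Setup Wizard

function Get-AddressClass([string]$ip) {
    # RFC 1918 => behind NAT, link-local (APIPA) => no IPv4 connectivity, anything else => public.
    $o = $ip.Split('.') | ForEach-Object { [int]$_ }
    if ($o[0] -eq 10) { return 'Private' }
    if ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) { return 'Private' }
    if ($o[0] -eq 192 -and $o[1] -eq 168) { return 'Private' }
    if ($o[0] -eq 169 -and $o[1] -eq 254) { return 'LinkLocal' }
    return 'Public'
}

function Get-ExpectedTransition([string]$class, [bool]$hasGlobalIPv6) {
    # Preference order from the section: native IPv6, 6to4, Teredo, then IP-HTTPS as the fallback.
    if ($hasGlobalIPv6) { return 'Native IPv6' }
    switch ($class) {
        'Public'  { return '6to4 (IP-HTTPS if IP protocol 41 is filtered)' }
        'Private' { return 'Teredo, or 6to4 if the NAT is also a 6to4 gateway (IP-HTTPS if UDP 3544 is blocked)' }
        default   { return 'None: no usable IPv4 address' }
    }
}

# 1. Domain membership and membership of the DirectAccess client security group.
$cs = Get-WmiObject Win32_ComputerSystem
"Domain member   : {0} ({1})" -f $cs.PartOfDomain, $cs.Domain
try {
    $searcher = [ADSISearcher]"(&(objectCategory=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))"
    $groups   = @($searcher.FindOne().Properties['memberof'])
    $inGroup  = @($groups | Where-Object { $_ -match "^CN=$DaClientGroup," }).Count -gt 0
    "In DA group     : {0}" -f $inGroup
} catch { "In DA group     : unknown (directory query failed: $($_.Exception.Message))" }

# 2. A computer certificate with a private key and the Client Authentication EKU (1.3.6.1.5.5.7.3.2),
#    which is what IPsec uses to authenticate the computer before anyone logs on.
$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and @($_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
        ForEach-Object { $_.EnhancedKeyUsages } | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' }).Count -gt 0
})
"Computer certs  : {0}" -f (($certs | ForEach-Object { "$($_.Subject) issued by $($_.Issuer)" }) -join '; ')

# 3. Local addresses and the transition technology the section predicts for them.
$ips = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object { $_.IPAddress })
$v4  = @($ips | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })
# Global unicast IPv6 is 2000::/3; exclude 6to4 (2002::/16) and Teredo (2001:0::/32) tunnel addresses
# so that a transition address already assigned is not mistaken for native connectivity.
$v6  = @($ips | Where-Object { $_ -match '^[23]' -and $_ -notmatch '^2002:' -and $_ -notmatch '^2001:0:' })
foreach ($ip in $v4) { "IPv4 {0,-15}: {1}" -f $ip, (Get-AddressClass $ip) }
$class = if ($v4.Count -gt 0) { Get-AddressClass $v4[0] } else { 'LinkLocal' }
"Expected path   : {0}" -f (Get-ExpectedTransition $class ($v6.Count -gt 0))

# 4. What the stack actually negotiated, and whether the DirectAccess GPO has applied
#    ("netsh dnsclient show state" reports the DirectAccess settings and NRPT pushed by Group Policy).
netsh interface 6to4 show state
netsh interface teredo show state
netsh interface httpstunnel show interfaces
netsh dnsclient show state
```

If the expected path and the negotiated state disagree (for example, a public address but an active IP-HTTPS interface), the usual cause is an upstream firewall dropping protocol 41 or UDP 3544; IP-HTTPS still works but costs more CPU and bandwidth than the native transition technologies.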

Configuring authentication

You need to know what steps you need to take to ensure that DirectAccess clients can authenticate.

DirectAccess uses computer certificates for authentication. Although it is possible to use certificates from a trusted third-party CA, all computers using DirectAccess must be members of an Active Directory domain, so you should use computer certificates issued by an internal CA for this authentication. If you want to use certificate autoenrollment to simplify certificate deployment, you need an enterprise root or enterprise subordinate CA. Duplicate the existing Computer certificate template and configure the duplicate to support autoenrollment. The certificates used by the clients must be trusted by the DirectAccess server, and the certificate used on the DirectAccess server must be trusted by the DirectAccess clients.

True or false: DirectAccess requires that users authenticate using a smart card. Answer: False. You can configure DirectAccess to require smart cards for remote users, but it is not necessary. DirectAccess authenticates the computer before the user logs on; that first (infrastructure) tunnel grants access only to domain controllers and DNS servers. Once the user logs on, DirectAccess authenticates the user over a second (intranet) tunnel, and the user can access network resources in the normal manner. By default the user is authenticated with his or her domain (Kerberos) credentials, but you can configure user authentication to require a smart card. Configuring this requires the same steps as configuring smart cards for access to the LAN.

You need to ensure that the certificate revocation list (CRL) distribution points (CDPs) are accessible to DirectAccess clients. You can configure multiple CDPs for a single CA; you configure them on the Extensions tab of the CA properties dialog box. On Windows Server 2008 and later CAs you can also publish an Online Responder (OCSP) URL from the same tab, although it belongs in the Authority Information Access (AIA) extension rather than the CDP extension. CDPs are used in the following parts of the DirectAccess process:

  • DirectAccess clients check CRLs to validate the DirectAccess server certificate when using IP-HTTPS connections. Without access to the CDP, IP-HTTPS communication will fail. This CDP needs to be accessible to clients on the Internet.
  • DirectAccess clients must perform a certificate revocation check to validate the SSL certificate on the network location server. This CDP needs to be accessible to clients on the internal network.
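
As an added example (not code from the original page), the following PowerShell script retrieves the certificate a DirectAccess server endpoint presents over TLS, builds its chain with online revocation checking exactly as a client would, and then fetches every HTTP CRL distribution point named in the certificate directly, so that a revocation failure can be attributed to a CDP that is unreachable from where the script runs. Run it from an Internet connection against the IP-HTTPS host name and from the intranet against the network location server. The host names da.contoso.com and nls.corp.contoso.com are assumptions; substitute your own.

```powershell
# Added example, not code from the original page: CDP reachability check for the
# DirectAccess IP-HTTPS and network location server certificates (PowerShell 2.0, .NET 3.5).

function Get-TlsCertificate([string]$hostName, [int]$port = 443) {
    $tcp = New-Object System.Net.Sockets.TcpClient($hostName, $port)
    # The callback accepts anything: this step only captures the certificate; validation happens below.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($hostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Close(); $tcp.Close() }
}

function Get-CdpUrls([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert) {
    # The CRL Distribution Points extension is OID 2.5.29.31; .NET has no typed wrapper for it,
    # so the URLs are pulled out of the formatted extension text.
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' } | Select-Object -First 1
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-RevocationChain($cert) {
    # Trust must chain to a trusted root and every certificate's revocation status must be
    # fetched online, not taken from a cached CRL, or a stale cache can mask a missing CDP.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $valid = $chain.Build($cert)
    $problems = $chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }
    if ($valid) { "Chain           : OK" } else { "Chain           : FAILED ($($problems -join '; '))" }
}

function Test-Url([string]$url) {
    # Only HTTP CDPs matter for Internet clients; an LDAP CDP is never reachable from outside.
    if ($url -notmatch '^http') { return "CDP $url : skipped (LDAP CDPs are not reachable from the Internet)" }
    try {
        $req = [System.Net.HttpWebRequest]::Create($url)
        $req.Timeout = 5000
        $resp = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $resp.Close()
        return "CDP $url : HTTP $status"
    } catch { return "CDP $url : FAILED ($($_.Exception.Message))" }
}

$targets = @{
    'IP-HTTPS server (check from the Internet)'       = 'da.contoso.com'        # assumed FQDN
    'Network location server (check from the intranet)' = 'nls.corp.contoso.com' # assumed FQDN
}
foreach ($label in $targets.Keys) {
    "== $label : $($targets[$label])"
    try { $cert = Get-TlsCertificate $targets[$label] }
    catch { "Connect         : FAILED ($($_.Exception.Message))"; continue }
    "Subject         : $($cert.Subject)"
    Test-RevocationChain $cert
    Get-CdpUrls $cert | ForEach-Object { Test-Url $_ }
}
```

A network location server that answers when the script is run from the Internet is itself a misconfiguration: a client that can reach the NLS concludes it is inside the corporate network and never brings DirectAccess up, so the intranet target is expected to fail to connect from outside.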

Remember that if you want to use autoenrollment for computer certificates, you'll need to duplicate the existing Computer certificate template and enable autoenrollment on the duplicate, as described above.