Network infrastructure requirements
You need to know what components must be present on the organizational network to support a DirectAccess deployment.
The DirectAccess server is a server running Windows Server 2008 R2 with the DirectAccess Management Console feature installed. To function as a DirectAccess server, the host must meet the following requirements:
- The DirectAccess server must be a member of an Active Directory domain.
- The DirectAccess server must have a minimum of two network adapters.
- At least one of the network adapters on a DirectAccess server must be connected to the public Internet and must be assigned two consecutive public IPv4 addresses.
- At least one of the network adapters on the DirectAccess server must be connected to the internal network.
- The DirectAccess server must have a digital certificate that supports server authentication installed. This certificate must match the fully qualified domain name that is assigned to the public IP addresses used by the server's external network interface.
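One way to spot-check the server requirements above from PowerShell on the candidate host, as an added example that is not part of the original text. The FQDN `da.example.com` is a placeholder, the "public" test only excludes private, loopback and link-local ranges, and the adapter count includes any IP-enabled virtual adapters.

```powershell
# Added example (not from the original text): run on the candidate DirectAccess server.
# WMI-based so it also works with the PowerShell 2.0 included in Windows Server 2008 R2.
$PublicFqdn = 'da.example.com'          # placeholder: FQDN assigned to the external interface
$ServerAuth = '1.3.6.1.5.5.7.3.1'       # OID of the Server Authentication EKU

function ConvertTo-IPv4Number ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + $b[3]
}

function Test-PublicIPv4 ([string]$Ip) {
    $o = $Ip.Split('.') | ForEach-Object { [int]$_ }
    -not ($o[0] -eq 10 -or $o[0] -eq 127 -or
          ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
          ($o[0] -eq 192 -and $o[1] -eq 168) -or
          ($o[0] -eq 169 -and $o[1] -eq 254))
}

$cs   = Get-WmiObject Win32_ComputerSystem
$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')

# Look for one adapter that holds two consecutive public IPv4 addresses.
$hasPair = $false
foreach ($nic in $nics) {
    $v4 = @($nic.IPAddress |
        Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' -and (Test-PublicIPv4 $_) } |
        ForEach-Object { ConvertTo-IPv4Number $_ } | Sort-Object)
    for ($i = 1; $i -lt $v4.Count; $i++) {
        if (($v4[$i] - $v4[$i - 1]) -eq 1) { $hasPair = $true }
    }
}

# Certificate with a private key, the Server Authentication EKU and a name matching the FQDN.
# GetNameInfo returns only the first DNS name, so additional SAN entries are not checked here.
$certOk = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $c   = $_
    $eku = $c.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $c.HasPrivateKey -and $eku -and
    (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $ServerAuth) -and
    ($c.GetNameInfo('DnsName', $false) -eq $PublicFqdn)
}).Count -gt 0

$fmt = '{0,-58} {1}'
$fmt -f 'Member of an Active Directory domain:', [bool]$cs.PartOfDomain
$fmt -f 'At least two IP-enabled network adapters:', ($nics.Count -ge 2)
$fmt -f 'Two consecutive public IPv4 addresses on one adapter:', $hasPair
$fmt -f "Server authentication certificate for ${PublicFqdn}:", $certOk
```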
You must configure an internal website that is protected by an SSL certificate trusted by both the DirectAccess server and the DirectAccess clients. This website must be configured so that it can be accessed only by clients on the organization's internal network. Clients attempt to connect to this website to determine whether they are on the organizational network or on the Internet.
In addition to the requirements for the DirectAccess server, the internal network must have the following:
- At least one domain controller must be running Windows Server 2008 R2 or Windows Server 2008.
- A DNS server running Windows Server 2008 R2 or Windows Server 2008 with hotfix Q958194 or Service Pack 2 installed.
- A server running Windows Server 2008 or Windows Server 2008 R2 with the Active Directory Certificate Services role installed that is configured as either an enterprise root or an enterprise subordinate CA.
To ensure that DirectAccess clients can communicate with internal network resources, you need to do one of the following:
- Configure all internal resources with IPv6 addresses.
- Configure ISATAP on the intranet so DirectAccess clients can tunnel IPv6 traffic over an internal IPv4 intranet.
- Configure a NAT-PT device so that devices that support only IPv4 are accessible to DirectAccess clients.
You must also ensure that all application servers that you want DirectAccess clients to interact with allow ICMPv6 traffic inbound and outbound.
TIP:
Remember which editions of Windows 7 support DirectAccess.