The DirectAccess Connection Process
Applies To: Windows Server 2008 R2
DirectAccess clients use the following process to connect to intranet resources:
The DirectAccess client computer running Windows 7 Enterprise or Windows 7 Ultimate detects that it is connected to a network.
The DirectAccess client computer determines whether it is connected to the intranet. If it is, DirectAccess is not used. Otherwise, DirectAccess is used.
The DirectAccess client computer on the Internet connects to the DirectAccess server with IPv6 and IPsec. If a native IPv6 network is not available (and it probably will not be when the computer is connected to the Internet), the client uses the 6to4 or Teredo IPv6 transition technologies to send IPv4-encapsulated IPv6 traffic.
If a firewall or proxy server prevents the client computer using 6to4 or Teredo from reaching the DirectAccess server, the client automatically attempts to connect with the Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS) protocol. IP-HTTPS uses an IPv4-based Secure Sockets Layer (SSL) connection to encapsulate IPv6 traffic.
As part of establishing the IPsec session for the infrastructure tunnel to reach the intranet DNS server and domain controller, the DirectAccess client and server authenticate each other using computer certificates and computer account credentials.
If Network Access Protection (NAP) is enabled and configured for health validation, the DirectAccess client attempts to obtain a health certificate from a Health Registration Authority (HRA) on the intranet. The HRA forwards the DirectAccess client’s health status information to a NAP health policy server. The NAP health policy server processes the policies defined within the Network Policy Server (NPS) and determines whether the client is compliant with system health requirements. If so, the HRA obtains a health certificate for the DirectAccess client.
For more information, see DirectAccess and Network Access Protection later in this document.
When the user logs on, the DirectAccess client establishes the intranet tunnel to access the resources of the intranet. The DirectAccess client and server authenticate each other using a computer certificate and user account credentials. IF NAP is being used, the DirectAccess client submits its health certificate for authentication.
The DirectAccess server forwards traffic between the DirectAccess client and the intranet resources to which the user has been granted access.
The DirectAccess connection process happens automatically, without requiring user intervention.