Appendix C: Documenting Your DirectAccess Design

Applies To: Windows 7, Windows Server 2008 R2


This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (

Documenting your DirectAccess design will help you explain the infrastructure and policy decisions and record the results of the deployment phases of the project. You can use the following sections to create a document with your goals and proposed timeline, and you can add to these sections at the end of each phase of your DirectAccess deployment.


Provide a brief description of how DirectAccess works or use the following description:

  • DirectAccess gives users the experience of being seamlessly connected to their corporate network (intranet) any time they have Internet access. With DirectAccess, users are able to access intranet resources (such as e-mail servers, shared folders, or intranet Web sites) securely without connecting to a virtual private network (VPN). DirectAccess provides increased productivity for mobile workforce by offering the same connectivity experience both in and outside of the office. DirectAccess is on whenever the user has an Internet connection, giving users access to intranet resources whether they are traveling, at the local coffee shop, or at home. DirectAccess is supported by Windows 7 Ultimate or later, Windows 7 Enterprise or later, and Windows Server 2008 R2 or later.


List your reasons for deploying DirectAccess and state how your design plan will achieve these goals. Also provide the following:

  • Benefits. Describe the pre-deployment state of the network and the benefits you expect to see as a result of the DirectAccess deployment.

  • Requirements. List what is required to achieve your goals. Examples include operating system updates, equipment purchases, training, cross-team collaboration, and project schedules.

  • Progress. Describe your current progress.

For more information, see Identifying Your DirectAccess Deployment Goals.

Infrastructure design plan

List the names and locations of servers and other devices that will be used in your DirectAccess deployment. Include current and future plans. Provide the following details:

  • IPv6 connectivity. Describe how you deployed Internet Protocol version 6 (IPv6) connectivity across your intranet. Include details on routers, default routing design, and IPv6 Internet connectivity.

  • Servers, devices, and roles. List all servers and devices, including their roles, in your DirectAccess design. Include computers and other devices used for DirectAccess certificate validation and connectivity.

  • Packet filtering. List the packet filters configured on Internet and intranet firewalls, across intranet hosts, and for DirectAccess clients.

  • Capacity management and redundancy. Describe your expectations for capacity management and redundancy in the DirectAccess design.

  • Scaling plan. Describe changes that will be required to support the expansion of the DirectAccess deployment to include additional capacity.

Custom configuration plan

Use this section to document how you had to customize the default configuration of DirectAccess to implement specific requirements on your network.

  • Baseline configuration. List the steps in the DirectAccess Setup Wizard and the options chosen for your initial configuration.

  • NRPT rules. List any additional Name Resolution Policy Table (NRPT) rules for intranet namespaces or exemptions that you needed for your deployment.

  • Connection security rules. List any changes made to the default connection security rules in the form of Network Shell (Netsh) commands, including the Group Policy object, the rule name, and the changes made.

Integration strategy

Describe your design for integrating DirectAccess with the following technologies and solutions:

  • VPN. Describe the changes made to your VPN configuration to accommodate DirectAccess detection of the intranet when connected and for third-party VPN clients.

  • NAP. Describe the changes to DirectAccess settings and connection security rules for Network Access Protection (NAP) health evaluation and enforcement of DirectAccess connections.

  • Server and domain isolation. Describe changes made to your existing server and domain isolation deployment to accommodate DirectAccess client connectivity to intranet resources.

Staging strategy

Describe how you staged the deployment of DirectAccess in your organization. Include the following information:

  • Staging milestones. List the set of infrastructure and deployment milestones and their requirements.

  • Timeline. Provide details of your proposed timeline to deploy DirectAccess on your intranet. Include your initial timeline and any deviation from that timeline.

  • Staging results. Provide the results for each stage of your DirectAccess deployment.

  • Trends. Describe any trends in connectivity issues encountered.

Lessons learned

Use this section to describe problems that were encountered and solutions that were implemented during your DirectAccess deployment.