Where to Place the Network Location Server
Applies To: Windows 7, Windows Server 2008 R2
This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (http://go.microsoft.com/fwlink/?LinkId=179988).
The network location server is a critical part of a DirectAccess deployment. If DirectAccess client computers on the intranet cannot successfully locate and access the secure Web page on the network location server, they might not be able to access intranet resources.
When DirectAccess clients obtain a physical connection to the intranet or experience a network status change on the intranet (such as an address change when roaming between subnets), they attempt a Secure Hypertext Transfer Protocol (HTTPS) connection to a configured uniform resource locator (URL). If the DirectAccess client can successfully obtain an HTTPS connection to the configured URL, including a revocation check of the Web server’s certificate, they determine that they are on the intranet.
To ensure that the FQDN of the network location server is reachable for a DirectAccess client with DirectAccess-based rules in the NRPT, the DirectAccess Setup Wizard by default adds the FQDN of the network location server as an exemption rule to the NRPT. When the DirectAccess client attempts to resolve the FQDN of the network location server, the FQDN matches the exemption rule in the NRPT and the DirectAccess client uses interface-configured DNS servers, which are reachable to resolve the name and connect to the network location server.
Because the FQDN of network location URL is added as an exemption rule to the NRPT, the intranet Web server at that FQDN will not be accessible to DirectAccess clients on the Internet.
To ensure that DirectAccess clients can correctly detect when they are on the Internet, DirectAccess clients on the Internet must not be able to successfully access the network location URL. You can accomplish this by ensuring that the FQDN cannot be resolved using Internet DNS servers, configuring the Web server to deny connections from Internet-based clients, or by ensuring that the certificate validation process fails when DirectAccess clients are on the Internet.
In the DirectAccess Setup Wizard, you can specify that the DirectAccess server act as the network location server or you can type the HTTPS-based URL for network location, specifying a network location server that is separate from the DirectAccess server. Using a separate network location server that is a highly available intranet Web server is strongly recommended.
Highly available intranet Web server as the network location server
The recommended configuration for a network location server is a highly available and, depending on the number of DirectAccess clients, high-capacity intranet Web server. The Web server must be able to support HTTPS-based URLs with certificate-based authentication. Internet Information Services 7.0, included with Windows Server 2008 R2 and Windows Server 2008, can be used as a network location server. The content of the HTTPS-based URL is not important, only the DirectAccess client’s ability to successfully access the page at the URL.
The certificate used by the Web server to act as a network location server has the following requirements:
In the Subject field, either an Internet Protocol (IP) address of the intranet interface of the Web server or the FQDN of the network location URL.
For the Enhanced Key Usage field, the Server Authentication object identifier (OID).
For the CRL Distribution Points field, a certificate revocation list (CRL) distribution point that is accessible by DirectAccess clients that are connected to the intranet.
The FQDN in the URL or the universal naming convention (UNC) path of the CRL distribution point location should either match an exemption rule or no rules in the NRPT so that the DirectAccess client can use interface-configured intranet DNS servers to resolve the name. If the DirectAccess client cannot resolve the FQDN in the URL or UNC of the CRL distribution point, access the CRL distribution point, and verify that the network location server’s certificate has not been revoked, intranet detection fails.
For more information, see Install and Configure IIS for a Network Location Server Certificate in the DirectAccess Deployment Guide.
Authentication and authorization for the network location URL
A DirectAccess client computer performs intranet detection when it starts up on the network, before the user has logged on. The Network Location Awareness service on the DirectAccess client must be able to access the network location URL using the credentials of the computer account. Therefore, you must choose a network location URL that does not require authentication or authorization with user account credentials. If authentication or authorization with user account credentials is required to access the network location URL, the DirectAccess client computer will not successfully detect the intranet, which might impair intranet connectivity.
DirectAccess server as the network location server
If you have to use the DirectAccess server as the network location server, which is highly discouraged, you must do the following:
Install the Web server (IIS) server role on the DirectAccess server computer.
Obtain an additional certificate to be used for HTTPS connections to the DirectAccess server from DirectAccess clients on the intranet.
This additional certificate must be a different certificate than that used for Internet Protocol over HTTPS (IP-HTTPS) connections and have the following properties:
In the Subject field, either an IP address of the intranet interface of the DirectAccess server or the FQDN of the network location URL.
For the Enhanced Key Usage field, the Server Authentication OID.
For the CRL Distribution Points field, a CRL distribution point that is accessible by DirectAccess clients that are connected to the intranet.
To ensure that DirectAccess clients can correctly detect when they are on the Internet, you can configure IIS on the DirectAccess server to deny connections from Internet-based clients with the IP and Domain Restrictions Web server (IIS) role service or ensure that the CRL distribution point location in the certificate being used for network location cannot be accessed from the Internet.
For more information, see Configure the DirectAccess Server as the Network Location Server and Install a Network Location Server Certificate on the DirectAccess Server in the DirectAccess Deployment Guide.