Multi-factor Credentials for Intranet Access

Applies To: Windows 7, Windows Server 2008 R2


This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide.

In typically deployed access models, DirectAccess clients create two tunnels to the DirectAccess server. The first tunnel, the infrastructure tunnel, provides access to intranet Domain Name System (DNS) servers, Active Directory Domain Services (AD DS) domain controllers, and other infrastructure and management servers. The second tunnel, the intranet tunnel, provides access to intranet resources such as Web sites, file shares, and other application servers.

To provide an additional layer of security for traffic sent over the intranet tunnel, you can specify that the intranet tunnel also require smart card authorization, which enforces the use of multiple sets of credentials to access intranet resources. Multi-factor credentials for the intranet tunnel use the new tunnel-mode authorization feature of Windows Firewall with Advanced Security in Windows 7 and Windows Server 2008 R2, which allows you to specify that only authorized computers or users can establish an inbound tunnel.