Packet Filters for Your Intranet Firewall

Updated: October 1, 2009

Applies To: Windows 7, Windows Server 2008 R2


This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide.

Some organizations use an additional intranet firewall between the perimeter network and the intranet to filter out malicious traffic that makes it past the Internet firewall and perimeter network servers. If you use an intranet firewall and the DirectAccess server is on the Internet Protocol version 4 (IPv4) Internet, you must configure the following additional packet filters:

  • All IPv4 and Internet Protocol version 6 (IPv6) traffic to and from the DirectAccess server

    The DirectAccess server must reach and be reachable by Active Directory Domain Services (AD DS) domain controllers, management servers, and other intranet resources. You can begin with this initial filter and then refine the filter over time to allow the subset of traffic needed by the DirectAccess server.

    For AD DS, the DirectAccess server must be able to communicate with the domain controller that is acting as the primary domain controller (PDC) emulator for the domain in which the DirectAccess server is a member. The DirectAccess server must also be able to reach at least one domain controller and at least one global catalog for each domain in which DirectAccess client computer accounts are members.

  • Protocol 41 inbound and outbound

    Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) encapsulates IPv6 packets with an IPv4 header. In the IPv4 header, the Protocol field is set to 41 to indicate an IPv6 packet payload. Use this packet filter if you are using ISATAP to send IPv6 traffic across your IPv4-only intranet.
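The following Python sketch is an added example, not Microsoft code or any firewall product's configuration. It models the two filters above as a decision over a raw IPv4 packet, reading the Protocol field at header offset 9. Assumptions: the function names and the 10.0.x.x addresses are constructed for illustration, only IPv4 frames on an IPv4-only intranet are modeled, anything matching neither filter is dropped, and the check that a protocol 41 payload really starts with an IPv6 header is an extra sanity check that the topic does not require.

```python
import ipaddress
import struct

ISATAP_PROTO = 41        # IPv4 Protocol value that marks an encapsulated IPv6 packet
DA_SERVER = "10.0.0.5"   # constructed intranet address of the DirectAccess server

def build_ipv4(proto, src, dst, payload=b""):
    """Build a constructed sample IPv4 packet (checksum left at 0, not validated)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload

def parse_ipv4(packet):
    """Return (protocol, src, dst, payload); raise ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("shorter than the minimum IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a valid IPv4 header")
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    return packet[9], src, dst, packet[ihl:]

def decide(packet, da_server=DA_SERVER):
    """Apply the two intranet-firewall filters to one raw IPv4 packet."""
    try:
        proto, src, dst, payload = parse_ipv4(packet)
    except ValueError:
        return "drop: malformed"
    if proto == ISATAP_PROTO:
        # Added check (assumption): payload must hold a full 40-byte IPv6 header.
        if len(payload) < 40 or payload[0] >> 4 != 6:
            return "drop: protocol 41 without IPv6 payload"
        return "allow: ISATAP"
    if ipaddress.IPv4Address(da_server) in (src, dst):
        return "allow: DirectAccess server"
    return "drop: no matching filter"

if __name__ == "__main__":
    ipv6_header = bytes([0x60]) + bytes(39)   # constructed: version nibble 6, rest zero
    print(decide(build_ipv4(6, DA_SERVER, "10.0.1.10")))
    print(decide(build_ipv4(41, "10.0.2.7", "10.0.1.10", ipv6_header)))
    print(decide(build_ipv4(17, "10.0.2.7", "10.0.1.10")))
```

The first filter is deliberately broad, as the topic says; narrowing it to the AD DS and management traffic the DirectAccess server actually needs would replace the single address match with per-destination rules.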