Efficient Routing of Intranet and Internet Traffic

Applies To: Windows 7, Windows Server 2008 R2


This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (http://go.microsoft.com/fwlink/?LinkId=179988).

DirectAccess separates intranet from Internet traffic, which reduces unnecessary traffic on the intranet by sending only traffic destined for the intranet through the DirectAccess server. Some virtual private network (VPN) solutions use Network layer routing table entries to separate intranet from Internet traffic, in a configuration known as split-tunneling. DirectAccess solves this problem in the Application layer through more intelligent name resolution and in the Network layer by summarizing the IPv6 address space of an entire organization with IPv6 address prefixes. Rather than directing traffic solely based on a destination address, DirectAccess clients also direct traffic based on the name needed by the application.

DirectAccess clients use a Name Resolution Policy Table (NRPT) that contains Domain Name System (DNS) namespace rules and a corresponding set of intranet DNS servers that resolve names for that DNS namespace. When an application on a DirectAccess client attempts to resolve a name, it first compares the name with the rules in the NRPT. If there is a match, the DirectAccess client uses a protected query to the specified intranet DNS servers to resolve the name to intranet addresses and establish connections. If there are no matches, the DirectAccess client uses Internet DNS servers to resolve the name to Internet addresses and establish connections.