Design Your Web Servers for DirectAccess
Applies To: Windows 7, Windows Server 2008 R2
This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (http://go.microsoft.com/fwlink/?LinkId=179988).
You will need Web locations for the following resources:
The network location server through a Secure Hypertext Transfer Protocol (HTTPS)-based uniform resource locator (URL) (required)
An HTTP-based certificate revocation list (CRL) distribution point for the HTTPS certificate of the network location server that is accessible on the intranet (optional)
The intranet CRL distribution points can also be based on a universal naming convention (UNC) path of a file server.
An HTTP-based CRL distribution point for the Internet Protocol over HTTPS (IP-HTTPS) certificate of the DirectAccess server that is accessible on the Internet (required)
For more information, see Configure IIS for Network Location in the DirectAccess Deployment Guide.
In all of these cases, the Web server providing these resources must be highly available. If these resources cannot be reached, the following occurs:
If the DirectAccess client on the intranet is unable to reach the HTTPS-based URL of the network location server, a DirectAccess client cannot detect when it is on the intranet and might not be able to access intranet resources.
If the DirectAccess client on the intranet is unable to reach the intranet CRL distribution point to perform certificate revocation checking for the network location server, a DirectAccess client cannot detect when it is on the intranet and might not be able to access intranet resources.
If the DirectAccess client on the Internet is unable to reach the Internet CRL distribution point to perform certificate revocation checking for the IP-HTTPS certificate, a DirectAccess client cannot use IP-HTTPS. Because IP-HTTPS is the last transition technology that is used for Internet Protocol version 6 (IPv6) connectivity to the DirectAccess server, DirectAccess clients will not be able to establish a connection to the DirectAccess server when behind a firewall or Web proxy or behind a network address translator (NAT) when the Teredo client has been disabled.
If you configure strong CRL checking on the DirectAccess server and it cannot reach the CRL distribution points in the DirectAccess client’s certificate, certificate-based authentication for the IPsec tunnels will fail and DirectAccess clients will be unable to access intranet resources.
For Internet Information Services (IIS)-based Web servers, see Planning Redundancy for a Network Location Server and Planning Redundancy for CRL Distribution Points for information about high availability for Web servers.