Resources Available to DirectAccess Clients
Applies To: Windows 7, Windows Server 2008 R2
This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (http://go.microsoft.com/fwlink/?LinkId=179988).
When designing your DirectAccess deployment, you must determine how DirectAccess clients will reach all of the desired intranet resources.
IPv6 resources on your intranet
DirectAccess relies on Internet Protocol version 6 (IPv6) for end-to-end connectivity between the DirectAccess client and an intranet endpoint. DirectAccess clients only send IPv6 traffic across the connection to the DirectAccess server. Therefore, DirectAccess clients can only communicate using applications that support IPv6 and connect to intranet resources that are reachable with IPv6. Internet Protocol version 4 (IPv4)-only applications on the DirectAccess client cannot be used to access intranet application servers with DirectAccess.
The recommended configuration for your intranet is to have IPv6 connectivity to your intranet resources. This requires the following:
An intranet infrastructure that supports the forwarding of IPv6 traffic.
IPv6-capable applications on computers that run an operating system that supports an IPv6 protocol stack.
An intranet infrastructure that supports forwarding IPv6 traffic can be achieved in the following ways:
Configure your intranet infrastructure to support native IPv6 addressing and routing.
Computers running Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2 use IPv6 by default. Although few organizations today have a native IPv6 infrastructure, this is the preferred and recommended connectivity method. For the most seamless intranet connectivity for DirectAccess clients, organizations should deploy a native IPv6 infrastructure, typically alongside their existing IPv4 infrastructure.
Deploy Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) on your intranet.
Without a native IPv6 infrastructure, you can use ISATAP to make intranet servers and applications reachable by tunneling IPv6 traffic over your IPv4-only intranet. Deploying ISATAP consists of setting up one or more ISATAP routers that provide address configuration and default routing for ISATAP hosts on your intranet. Computers running Windows 7 or Windows Server 2008 R2 support ISATAP host functionality and can be configured to act as ISATAP routers.
ISATAP should be deployed as a temporary method of IPv6 connectivity while you are planning for and implementing native IPv6 connectivity.
If you do not have a native IPv6 infrastructure or ISATAP on your intranet, the DirectAccess Setup Wizard automatically configures the DirectAccess server as the ISATAP router for your intranet. This feature of the DirectAccess Setup Wizard facilitates easy deployment of ISATAP-based IPv6 connectivity on your intranet, but ISATAP is not recommended as a long-term, enterprise-wide IPv6 connectivity solution. You should be planning to replace ISATAP-based IPv6 connectivity with native IPv6 over time.
Applications that are end-to-end reachable by DirectAccess clients must be IPv6-capable and running on an operating system that supports an IPv6 protocol stack with native IPv6 or ISATAP host capability.
For applications running on versions of Windows:
Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008 support an IPv6 protocol stack and all built-in components and system services are IPv6-capable. These versions of Windows are highly recommended.
Windows XP and Windows Server 2003 have an IPv6 protocol stack, but many built-in components and system services and applications are not IPv6-capable. Therefore, in most cases, applications running on computers running Windows XP or Windows Server 2003 are not reachable by DirectAccess clients over IPv6. For the solutions for providing DirectAccess connectivity to applications running on Windows XP and Windows Server 2003-based computers, see Choose Solutions for IPv4-only Intranet Resources.
For applications running on non-Windows operating systems, verify that both the operating system and the applications support IPv6 and are reachable over native IPv6 or ISATAP.
IPv4-only resources on the intranet
Because DirectAccess clients only send IPv6 traffic to the DirectAccess server, users on DirectAccess clients cannot use IPv4-only client applications to reach IPv4-only resources on your intranet. Examples of IPv4-only resources are the following:
Applications running on Windows 2000 or prior versions of Windows.
The built-in applications and system services running on Windows XP and Windows Server 2003 that are not IPv6-capable.
For applications that are not built-in to Windows, check with the software vendor to ensure that the application is IPv6-capable. Applications that only use IPv4, such as Office Communications Server (OCS), cannot by default be reached by DirectAccess clients.
However, IPv6-capable applications can reach IPv4-only resources on your intranet by using an IPv6/IPv4 translation device or service such as a NAT64/DNS64. For the solutions for providing connectivity for DirectAccess clients to IPv4-only resources, see Choose Solutions for IPv4-only Intranet Resources.
Using an IPv4-only intranet
It is possible to use DirectAccess with an IPv4-only intranet, but you must use a NAT64/DNS64 device between your DirectAccess clients and your intranet and you no longer have the ability to remotely manage DirectAccess clients from the intranet. For information about providing connectivity for DirectAccess clients to an IPv4-only intranet, see Choose Solutions for IPv4-only Intranet Resources.
When the DirectAccess client physically connects to your IPv4-only intranet or an IPv4-only subnet of your intranet, it is possible in some situations for the client to use Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS) to access the intranet through a proxy server and the DirectAccess server, instead of using normal IPv4-based connectivity. This can cause problems for some applications. To prevent this behavior, configure Windows Firewall rules to block traffic between your proxy servers and your DirectAccess servers. For more information, see Configure Firewall Rules to Prevent Traffic between Proxy Servers and DirectAccess Servers.
Limiting connectivity to selected resources
With the selected server access model, you can limit the access of DirectAccess clients to a specific set of servers identified by membership in Active Directory security groups. The following figure shows an example of using selected server access to restrict intranet access to specific application servers.
For more information, see Selected Server Access Example.
IPv6 resources on the IPv6 Internet
By default, Windows 7 and Windows Server 2008 R2-based computers attempt to resolve the name 6to4.ipv6.microsoft.com to determine the IPv4 address of a 6to4 relay and teredo.ipv6.microsoft.com to determine the IPv4 addresses of Teredo servers on the IPv4 Internet. With the 6to4 relay at 6to4.ipv6.microsoft.com and the Teredo servers at teredo.ipv6.microsoft.com, Windows 7-based clients on the IPv4 Internet can reach the IPv6 Internet.
When Windows 7 and Windows Server 2008 R2-based computers are configured as DirectAccess clients, the DirectAccess server becomes the 6to4 relay and the Teredo server so that DirectAccess clients can tunnel IPv6 traffic destined for the intranet to the DirectAccess server. If the DirectAccess server does not also forward default route traffic to the IPv6 Internet, DirectAccess clients will not be able to reach the IPv6 Internet.
If you want DirectAccess clients to reach the IPv6 Internet, configure the DirectAccess server with one of the following:
A direct, native connection to the IPv6 Internet
Configure the DirectAccess server to forward default route traffic using its native connection to the IPv6 Internet. You can also use a separate router for your connection to the IPv6 Internet and configure the DirectAccess server to forward its default route traffic to the router.
A 6to4-tunneled connection to the IPv6 Internet
Configure the DirectAccess server to forward default route traffic using the Microsoft 6to4 Adapter interface to a 6to4 relay on the IPv4 Internet. You can configure a DirectAccess server for the IPv4 address of the Microsoft 6to4 relay on the IPv4 Internet with the netsh interface ipv6 6to4 set relay name=220.127.116.11 state=enabled command. Use 18.104.22.168, the IPv4 anycast address of 6to4 relays on the Internet, unless your Internet service provider recommends a specific unicast IPv4 address of the 6to4 relay that they maintain.
For more information, see Connect to the IPv6 Internet in the DirectAccess Deployment Guide.