Full Intranet Access

Applies To: Windows 7, Windows Server 2008 R2


This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (http://go.microsoft.com/fwlink/?LinkId=179988).

The full intranet access model allows DirectAccess clients to connect to Internet Protocol version 6 (IPv6)-reachable resources inside your intranet and provides Internet Protocol security (IPsec)-based end-to-edge peer authentication and encryption that terminates at the DirectAccess server. See Full Intranet Access Example for more information.

The following are the benefits of the full intranet access model:

  • Does not require intranet application servers that are running Windows ServerĀ 2008 or later. Works with any IPv6-capable application servers.

  • Most closely resembles current virtual private network (VPN) architecture and is typically easier to deploy.

  • Can be used with smart cards for an additional level of authorization.

  • Is fully configurable with the DirectAccess Setup Wizard.

  • Does not require IPsec-protected traffic on the intranet.

The following are the limitations of the full intranet access model:

  • Does not provide end-to-end authentication or data protection with intranet servers.

  • Because the DirectAccess server is terminating the IPsec tunnels, there is extra processing load on DirectAccess server to perform encryption and decryption. This load can be mitigated by moving the IPsec gateway function to a different server with IPsec offload network adapters. For more information, see Capacity Planning for DirectAccess Servers.


To demonstrate full intranet access for DirectAccess, set up the DirectAccess test lab (http://go.microsoft.com/fwlink/?Linkid=150613).