Full Intranet Access Example
Updated: October 1, 2009
Applies To: Windows 7, Windows Server 2008 R2
This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (http://go.microsoft.com/fwlink/?LinkId=179988).
Full intranet access allows DirectAccess clients to connect to all of the Internet Protocol version 6 (IPv6)-reachable resources inside the intranet. The DirectAccess client uses Internet Protocol security (IPsec) to create two encrypted tunnels to the Internet interface of the DirectAccess server. The first tunnel, known as the infrastructure tunnel, allows the DirectAccess client to access Domain Name System (DNS) servers, Active Directory Domain Services (AD DS) domain controllers, and other infrastructure and management servers. The second tunnel, known as the intranet tunnel, allows the DirectAccess client to access intranet resources. The infrastructure tunnel uses computer authentication and the intranet tunnel uses both computer and user authentication.
After the intranet tunnel is established, the DirectAccess client can exchange traffic with intranet application servers. This traffic is encrypted by the tunnel for its journey across the Internet. By default, the DirectAccess server acts as an IPsec gateway, terminating the IPsec tunnels for the DirectAccess client.
The following figure shows an example of full intranet access.
When the DirectAccess client starts up and determines that it is on the Internet, it creates the tunnels to the DirectAccess server and begins normal communications with intranet infrastructure servers such as AD DS domain controllers and application servers as if it were directly connected to the intranet.
This design does not require IPsec protection for traffic on the intranet and is structurally very similar to current remote access virtual private network (VPN) scenarios.
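As an added example (not part of this topic and not Microsoft's own DirectAccess code), the following Python script models the two-tunnel design described above. Given the destination address sets each tunnel carries, it reports which tunnel carries traffic to a destination and which authentication that tunnel performs, and it flags infrastructure servers (DNS servers, domain controllers) that would only be reachable through the user-authenticated intranet tunnel, since such a server cannot serve the client before a user logs on. The assumptions are: the infrastructure tunnel's endpoint set is the more specific one and is matched first, only IPv6 destinations are reachable through DirectAccess, and all addresses are constructed from the 2001:db8::/32 documentation prefix.

```python
"""Hypothetical design-check for the two DirectAccess IPsec tunnels.

Constructed example, not Microsoft code. It encodes the rule that the
infrastructure tunnel uses computer authentication only, while the
intranet tunnel uses computer and user authentication.
"""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

INFRASTRUCTURE = "infrastructure"
INTRANET = "intranet"

# Authentication each tunnel performs, as stated in the design description.
REQUIRED_AUTH: Dict[str, Tuple[str, ...]] = {
    INFRASTRUCTURE: ("computer",),
    INTRANET: ("computer", "user"),
}


@dataclass
class TunnelDesign:
    """Destination address sets carried by each tunnel (constructed inputs)."""
    infrastructure: List[IPv6Network]  # DNS servers, DCs, management servers
    intranet: List[IPv6Network]        # the intranet IPv6 prefix(es)


def _matches(networks: List[IPv6Network], addr: IPv6Address) -> bool:
    return any(addr in net for net in networks)


def tunnel_for(design: TunnelDesign, destination: str) -> Optional[str]:
    """Return the tunnel that carries traffic to destination, or None.

    Only IPv6-reachable resources are accessible through DirectAccess, so an
    IPv4 destination maps to no tunnel. The infrastructure tunnel is checked
    first because its endpoint set is the more specific one (assumption).
    """
    addr = ip_address(destination)
    if not isinstance(addr, IPv6Address):
        return None
    if _matches(design.infrastructure, addr):
        return INFRASTRUCTURE
    if _matches(design.intranet, addr):
        return INTRANET
    return None


def required_auth(design: TunnelDesign, destination: str) -> Tuple[str, ...]:
    """Authentication the client must complete to reach destination."""
    return REQUIRED_AUTH.get(tunnel_for(design, destination), ())


def check_infrastructure_servers(design: TunnelDesign,
                                 servers: Dict[str, str]) -> List[str]:
    """Flag infrastructure servers the client cannot reach before user logon."""
    findings = []
    for name, addr in servers.items():
        tunnel = tunnel_for(design, addr)
        if tunnel == INFRASTRUCTURE:
            continue
        if tunnel == INTRANET:
            findings.append(f"{name} ({addr}) is only reachable through the "
                            "intranet tunnel, which requires user "
                            "authentication; unavailable before user logon")
        else:
            findings.append(f"{name} ({addr}) is not covered by either tunnel")
    return findings


# Constructed sample design: intranet prefix 2001:db8:1::/48, with the DC and
# DNS server at site 10 listed in the infrastructure tunnel.
SAMPLE_DESIGN = TunnelDesign(
    infrastructure=[ip_network("2001:db8:1:10::10/128"),
                    ip_network("2001:db8:1:10::53/128")],
    intranet=[ip_network("2001:db8:1::/48")],
)
SAMPLE_INFRASTRUCTURE_SERVERS = {
    "dc1": "2001:db8:1:10::10",
    "dns1": "2001:db8:1:10::53",
    "dc2": "2001:db8:1:20::10",      # omitted from the infrastructure tunnel
    "branch-dc": "2001:db8:2::10",   # outside the intranet prefix entirely
}

if __name__ == "__main__":
    for dest in ("2001:db8:1:10::10", "2001:db8:1:30::80", "192.0.2.10"):
        print(dest, tunnel_for(SAMPLE_DESIGN, dest),
              required_auth(SAMPLE_DESIGN, dest))
    for finding in check_infrastructure_servers(SAMPLE_DESIGN,
                                                SAMPLE_INFRASTRUCTURE_SERVERS):
        print("finding:", finding)
```

Running the script with the sample design shows the application server at 2001:db8:1:30::80 mapping to the intranet tunnel (computer and user authentication), the IPv4 address mapping to no tunnel, and two findings: dc2 sits only behind the intranet tunnel and branch-dc is outside both address sets.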