Configure IIS for Network Location
Updated: October 7, 2009
Applies To: Windows Server 2008 R2
This topic describes deployment of DirectAccess in Windows Server 2008 R2. For deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=179989).
If the Internet Information Services (IIS) server is used only for Hypertext Transfer Protocol (HTTP)-based connections, choose an alias name for DirectAccess clients to use, and create an address (A) record for it in your intranet Domain Name System (DNS) servers so that intranet-connected DirectAccess clients can resolve the fully qualified domain name (FQDN) of the IIS server under that alias. If the IIS server is used only for network location, an alias name is not needed.
For example, the IIS server app1.corp.contoso.com is an intranet server providing only HTTP-based connections for intranet clients. APP1 is also the network location server. The alias for network location detection for the APP1 Web server is nls.corp.contoso.com. The network administrator creates an A record named nls in the corp.contoso.com forward lookup zone that resolves to the IPv4 address of app1.corp.contoso.com.
Once you have determined the FQDN of the network location server, construct the URL https://FQDN (without the trailing “/”). This is the network location URL that you configure in Step 3 of the DirectAccess Setup Wizard.
If you are not using an alias name, you cannot connect to the IIS server that is acting as a network location server from a DirectAccess client that is on the Internet.
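The alias registration and the two checks an administrator would run afterwards, as an added PowerShell example that is not part of the Microsoft topic. It assumes a DNS server named dc1.corp.contoso.com, the zone corp.contoso.com, the alias nls, and 10.0.0.10 as a constructed sample IPv4 address for app1.corp.contoso.com; replace these for your environment.

```powershell
# Added example (not from the Microsoft topic): register the network location alias and verify it.
# Assumed values: DNS server dc1.corp.contoso.com, zone corp.contoso.com, alias nls,
# and 10.0.0.10 as a constructed sample address for app1.corp.contoso.com.
$DnsServer = 'dc1.corp.contoso.com'
$Zone      = 'corp.contoso.com'
$Alias     = 'nls'
$App1Ipv4  = '10.0.0.10'   # constructed sample address of app1.corp.contoso.com

# Create the A record nls.corp.contoso.com -> 10.0.0.10 in the forward lookup zone.
# dnscmd.exe ships with the DNS Server role on Windows Server 2008 R2.
dnscmd $DnsServer /RecordAdd $Zone $Alias A $App1Ipv4

# Check 1: an intranet-connected client resolves the alias through the intranet DNS server.
nslookup "$Alias.$Zone" $DnsServer

# Check 2: the network location URL is https://<FQDN> with no trailing slash, and an
# intranet client must be able to open it with a certificate that chains to a trusted CA.
$NlsUrl = "https://$Alias.$Zone"
try {
    $request        = [System.Net.HttpWebRequest]::Create($NlsUrl)
    $request.Method = 'HEAD'
    $response       = $request.GetResponse()
    Write-Host ("{0} returned HTTP {1}" -f $NlsUrl, [int]$response.StatusCode)
    $response.Close()
} catch [System.Net.WebException] {
    # A certificate name mismatch or an untrusted chain surfaces here; a DirectAccess
    # client on the intranet would fail network location detection in the same way.
    Write-Warning ("{0}: {1}" -f $NlsUrl, $_.Exception.Message)
}
```

Run the second check from an intranet-connected client rather than from the server itself, because the point of the test is that the name resolves and the certificate validates from where DirectAccess clients will be when they detect the intranet.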
To complete these procedures, you must be a member of the local Administrators group, or otherwise be delegated permissions to configure IIS global settings. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
To mitigate security risks posed by computers on the Internet, you must install the IP and Domain Restrictions role service for IIS on the network location server.
To install the IP and Domain Restrictions role service
On the IIS server, click Start, click Run, type servermanager.msc, and then press ENTER.
In the console tree, click Roles, and then click Web Server (IIS). In the details pane, in Role Services, click Add Role Services.
On the Select Role Services page, in Role services, under Security, click IP and Domain Restrictions, and then click Next.
Verify that all installations were successful, and then click Close.
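The same role service installation, followed by the restriction the role service is installed for, as an added PowerShell example that is not part of the Microsoft topic. It assumes the Default Web Site hosts network location, that 10.0.0.0/8 stands in for your intranet address space (a constructed sample value), and that it runs in an elevated session on the network location server.

```powershell
# Added example (not from the Microsoft topic): install IP and Domain Restrictions and allow only intranet ranges.
# Assumed values: site "Default Web Site"; 10.0.0.0/8 is a constructed stand-in for the intranet address space.
Import-Module ServerManager
Add-WindowsFeature Web-IP-Security      # IIS role service "IP and Domain Restrictions"

$AppCmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$Site   = 'Default Web Site'

# Deny every address that is not listed, then list the intranet range(s) as allowed.
# /commit:apphost writes a <location> entry in applicationHost.config, which works even though
# the ipSecurity section is locked against web.config overrides by default.
& $AppCmd set config $Site /section:system.webServer/security/ipSecurity /allowUnlisted:false /commit:apphost
& $AppCmd set config $Site /section:system.webServer/security/ipSecurity `
    /+"[ipAddress='10.0.0.0',subnetMask='255.0.0.0',allowed='true']" /commit:apphost
# Repeat the line above for every other range your intranet clients connect from.

# Check: print the effective restriction list for the site and confirm allowUnlisted="false".
& $AppCmd list config $Site /section:system.webServer/security/ipSecurity
```

With allowUnlisted set to false the server answers 403 to any address outside the listed ranges, so a missing intranet range shows up as intranet clients failing network location detection; verify the list against the address plan before DirectAccess clients depend on it.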
The following procedure describes how to configure IIS to use the custom SSL certificate for network location for the HTTPS security binding.
To configure the HTTPS security binding
On the IIS server, click Start, type inetmgr.exe, and then press ENTER.
In the console tree of Internet Information Services (IIS) Manager, open the Sites container for the IIS server, and then click Default Web site.
In the Actions pane, click Bindings.
In the Site Bindings dialog box, click Add.
In the Add Site Binding dialog box, in the Type list, click https. In SSL Certificate, click the certificate with the FQDN of the network location server (example: nls.corp.contoso.com).
Click OK, and then click Close.
If you are using an alias name, you cannot use an IIS server that is also being used for Secure Hypertext Transfer Protocol (HTTPS)-based connections. The certificate configured for the HTTPS binding is issued for the alias name, so HTTPS connections to the server that use other FQDNs will fail certificate validation.
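The HTTPS binding configured above, with the certificate-name check that the caveat calls for, as an added PowerShell example that is not part of the Microsoft topic. It uses the WebAdministration module that ships with IIS 7.5 on Windows Server 2008 R2 and assumes the certificate for nls.corp.contoso.com is already in the computer's Personal store and that the site should listen on 0.0.0.0:443.

```powershell
# Added example (not from the Microsoft topic): bind the network location certificate to HTTPS.
# Assumed values: site "Default Web Site", FQDN nls.corp.contoso.com, listener 0.0.0.0:443.
Import-Module WebAdministration
$Site = 'Default Web Site'
$Fqdn = 'nls.corp.contoso.com'

# Select the certificate whose subject CN is exactly the FQDN clients will use.
# A certificate for any other name fails validation on the client (the caveat above).
$pattern = "^CN=$([regex]::Escape($Fqdn))(,|$)"
$cert = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -match $pattern })
if ($cert.Count -ne 1) { throw "Expected exactly one certificate for CN=$Fqdn, found $($cert.Count)" }
$cert = $cert[0]
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate for $Fqdn expired on $($cert.NotAfter)" }
if (-not $cert.HasPrivateKey)     { throw "Certificate for $Fqdn has no private key on this server" }

# Add the https binding if the site does not have one yet, then attach the certificate to port 443.
if (-not (Get-WebBinding -Name $Site -Protocol https)) {
    New-WebBinding -Name $Site -Protocol https -Port 443
}
if (Test-Path IIS:\SslBindings\0.0.0.0!443) { Remove-Item IIS:\SslBindings\0.0.0.0!443 }
$cert | New-Item IIS:\SslBindings\0.0.0.0!443 | Out-Null

# Check: show the binding and the thumbprint now attached to 0.0.0.0:443.
Get-WebBinding -Name $Site -Protocol https
Get-Item IIS:\SslBindings\0.0.0.0!443 | Select-Object IPAddress, Port, Thumbprint
```

The thumbprint printed by the last line should match the certificate you expect clients to validate against; if the server also carries certificates for other names, the subject check above is what keeps the wrong one from being bound.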