Appendix B – Manual DirectAccess Client Configuration

Updated: October 7, 2009

Applies To: Windows Server 2008 R2


This topic describes deployment of DirectAccess in Windows Server 2008 R2. For deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Deployment Guide (

Manual configuration of DirectAccess clients consist of IPv6 transition technology settings and the Name Resolution Policy Table (NRPT).

IPv6 transition technology settings

Purpose Command Group Policy Setting

Configure the Teredo client as an enterprise client and configure the Internet Protocol version 4 (IPv4) address of the Teredo server (the DirectAccess server).

netsh interface teredo set state type=enterpriseclient servername=FirstPublicIPv4AddressOfDirectAccessServer

Computer Configuration\Policies\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\Teredo State=Enterprise Client and Computer Configuration\Policies\Administrative Templates\Network\TCPIP Settings\Ipv6 transition Technologies\Teredo Server Name=FirstPublicIPv4AddressOfDirectAccessServer

Configure the public IPv4 address of the 6to4 relay (the DirectAccess server).

netsh interface 6to4 set relay name=FirstPublicIPv4AddressOfDirectAccessServer

Computer Configuration\Policies\Administrative Templates\Network\TCPIP Settings\Ipv6 transition Technologies\6to4 Relay Name=FirstPublicIPv4AddressOfDirectAccessServer

Enable the IP-HTTPS client and configure the IP-HTTPS Uniform Resource Locator (URL).

netsh interface httpstunnel add interface client https://SubjectOfIP-HPPTSCertificate/IPHTTPS

Computer Configuration\Policies\Administrative Templates\Network\TCPIP Settings\Ipv6 transition Technologies\IP-HTTPS State set to Enabled and the IP-HTTPS URL of https://SubjectOfIP-HPPTSCertificate:443/IPHTTPS


For DirectAccess, the NRPT must be configured with the namespaces of your intranet with a leading dot (for example, or For a DirectAccess client, any name request that matches one of these namespaces will be sent to the specified intranet Domain Name System (DNS) servers. Include all intranet DNS namespaces that you want DirectAccess client computers to access.

There are no command line methods for configuring NRPT rules. You must use Group Policy settings. To configure the NRPT through Group Policy, use the Group Policy add-in at Computer Configuration\Policies\Windows Settings\Name Resolution Policy in the Group Policy object for DirectAccess clients. You can create a new NRPT rule and edit or delete existing rules. For more information, see Configure the NRPT with Group Policy.