Checklist: Preparing Your Infrastructure for DirectAccess

Updated: October 7, 2009

Applies To: Windows Server 2008 R2


This topic describes deployment of DirectAccess in Windows Server 2008 R2. For deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Deployment Guide (

This checklist includes cross-reference links to help you prepare your network and security infrastructure for a DirectAccess deployment. It also contains links to procedures that will help you complete the tasks that are required to implement this design.


Complete the tasks in this checklist in order. When a reference link takes you to a conceptual topic, a procedure, or to another checklist, return to this topic so that you can proceed with the remaining tasks in this checklist.

Checklist: Preparing your infrastructure for DirectAccess

  Task Reference

Review important concepts for DirectAccess.

Appendix B: Reviewing Key DirectAccess Concepts

Review the client, server, and network infrastructure requirements for DirectAccess.

Appendix A: DirectAccess Requirements

Create Active Directory security groups for DirectAccess clients (required) and selected servers (optional) and add members.

Create DirectAccess Groups in Active Directory

Configure packet filtering on Internet and intranet firewalls.

Packet Filters for Your Internet Firewall

Packet Filters for Your Intranet Firewall

Configure packet filtering for Internet Control Message Protocol for IPv6 (ICMPv6) traffic.

Configure Packet Filters to Allow ICMP Traffic

Configure Settings to Confine ICMPv6 Traffic to the Intranet

Configure packet filtering for remote management computers.

Design for Remote Management

Configure Packet Filters to Allow Management Traffic to DirectAccess Clients

Compile a list of additional Name Resolution Policy Table (NRPT) namespace or exemption rules.

Design Your DNS Infrastructure for DirectAccess

Add intranet A records as needed for your network location server and CRL distribution points.

Design Your DNS Infrastructure for DirectAccess

Add Internet Domain Name System (DNS) Address (A) records as needed for the DirectAccess server as Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS) server and certificate revocation list (CRL) distribution points.

Design Your DNS Infrastructure for DirectAccess

Configure your DNS servers running Windows Server 2008 R2 or Windows Server 2008 to support resolution of the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) name.

Remove ISATAP from the DNS Global Query Block List

Configure your public key infrastructure (PKI) for CRL distribution points.

Configure a CRL Distribution Point for Certificates

Configure Active Directory Certificate Services for CRL Locations

Configure autoenrollment of computer certificates.

Configure Computer Certificate Autoenrollment

Modify the permissions on the Web Server certificate template.

Configure Permissions on the Web Server Certificate Template

If needed by your design, configure an Secure Hypertext Transfer Protocol (HTTPS) uniform resource locator (URL) on your separate network location server.

Configure IIS for Network Location

If needed by your design, install a custom SSL certificate on your separate network location server.

Install and Configure IIS for a Network Location Server Certificate