Checklist: Preparing Your DirectAccess Server

Updated: October 7, 2009

Applies To: Windows Server 2008 R2

Important

This topic describes deployment of DirectAccess in Windows Server 2008 R2. For deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=179989).

This checklist includes cross-reference links to important concepts about preparing the computer that will be the DirectAccess server prior to installing the DirectAccess feature and running the DirectAccess Setup Wizard. It also contains links to procedures that will help you complete the tasks that are required to implement this design.

Note

Complete the tasks in this checklist in order. When a reference link takes you to a conceptual topic, a procedure, or to another checklist, return to this topic so that you can proceed with the remaining tasks in this checklist.

| Task | Reference |
| --- | --- |
| Install two network adapters (interfaces) on your DirectAccess server. Connect the internal network interface to your internal network. | See your hardware documentation. |
| From the Network Connections folder, configure your network connections (interfaces) with meaningful names indicating the network to which they are attached, such as “Internet” and “Internal network.” | |
| Configure your internal network interface with a static Internet Protocol version 4 (IPv4) address configuration. | Design Addressing and Routing for the DirectAccess Server; IPv4 General tab (http://go.microsoft.com/fwlink/?LinkId=145843) |
| Join the DirectAccess server computer to the appropriate Active Directory Domain Services (AD DS) domain. | Active Directory Domain Services Home page on Microsoft TechNet (http://go.microsoft.com/fwlink/?Linkid=127814) |
| Connect the Internet interface to the Internet. | |
| On the Internet interface, configure at least two consecutive, static, public IPv4 addresses that are resolvable and reachable on the Internet. Addresses within the address ranges 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 are not public IPv4 addresses. | Design Addressing and Routing for the DirectAccess Server; IPv4 General tab (http://go.microsoft.com/fwlink/?LinkId=145843) |
| Configure your Internet and intranet interfaces with different connection-specific Domain Name System (DNS) suffixes. Configure your intranet interface with the DNS suffix for your organization. | Design Addressing and Routing for the DirectAccess Server; IPv4 and IPv6 Advanced DNS tab (http://go.microsoft.com/fwlink/?LinkId=145844) |
| Configure static routes for your intranet on the DirectAccess server. | Design Addressing and Routing for the DirectAccess Server |
| If a domain controller is reachable from the Internet interface, configure packet filters to prevent access. | Configure Packet Filters to Block Access to Domain Controllers |
| Verify that the DirectAccess server has a computer certificate installed with the computer authentication Enhanced Key Usage (EKU). | View Certificates (http://go.microsoft.com/fwlink/?LinkId=145845) |
| Install a Secure Sockets Layer (SSL) certificate for Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS) authentication. | Install an IP-HTTPS Certificate |
| If the DirectAccess server is acting as the network location server, install the IIS (Web server) role. | Configure the DirectAccess Server as the Network Location Server |
| If the DirectAccess server is acting as the network location server, install an additional SSL certificate. | Install a Network Location Server Certificate on the DirectAccess Server |
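
The Internet interface task above can be checked before you assign addresses. The following script is an added example, not part of the original topic: it rejects addresses in the three ranges the checklist names and looks for at least one consecutive pair among the rest. The function names are hypothetical and the sample addresses are constructed placeholders; whether an address is static, resolvable, and reachable on the Internet cannot be tested offline and is not checked here.

```powershell
# Added example, not from the original topic. Uses only .NET types, so it also runs on PowerShell 2.0.
function ConvertTo-IPv4Number {
    param([string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Not an IPv4 address: $Address"
    }
    $b = $ip.GetAddressBytes()   # four octets, most significant first
    [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
}

# The three ranges the checklist says are not public IPv4 addresses.
$NonPublicRanges = @(
    @{ Name = '10.0.0.0/8';     First = '10.0.0.0';    Last = '10.255.255.255' },
    @{ Name = '172.16.0.0/12';  First = '172.16.0.0';  Last = '172.31.255.255' },
    @{ Name = '192.168.0.0/16'; First = '192.168.0.0'; Last = '192.168.255.255' }
)

function Test-InternetInterfaceAddresses {   # hypothetical helper name
    param([string[]]$Addresses)
    $public = @()
    $rejected = @()
    foreach ($a in $Addresses) {
        $n = ConvertTo-IPv4Number $a
        $hit = $NonPublicRanges | Where-Object {
            $n -ge (ConvertTo-IPv4Number $_.First) -and $n -le (ConvertTo-IPv4Number $_.Last)
        }
        if ($hit) { $rejected += "$a is in $($hit.Name)" }
        else      { $public += New-Object PSObject -Property @{ Address = $a; Number = $n } }
    }
    # Sort numerically, then look for neighbours that differ by exactly one.
    $sorted = @($public | Sort-Object Number)
    $pairs = @()
    for ($i = 0; $i -lt $sorted.Count - 1; $i++) {
        if ($sorted[$i + 1].Number - $sorted[$i].Number -eq 1) {
            $pairs += "$($sorted[$i].Address), $($sorted[$i + 1].Address)"
        }
    }
    New-Object PSObject -Property @{
        Rejected         = $rejected
        ConsecutivePairs = $pairs
        MeetsRequirement = ($pairs.Count -ge 1)
    }
}

# Constructed sample input: two placeholder addresses plus one address from a non-public range.
Test-InternetInterfaceAddresses @('203.0.113.5', '203.0.113.6', '192.168.1.10') | Format-List
```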