Planning DirectAccess with Microsoft Forefront Threat Management Gateway

Updated: October 1, 2009

Applies To: Windows 7, Windows Server 2008 R2


This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide.

Microsoft Forefront Threat Management Gateway (TMG) can be installed on a DirectAccess server to provide an additional layer of protection and additional Forefront TMG features, such as a full Internet Protocol version 4 (IPv4) firewall and secure Web publishing for computers that are not DirectAccess clients.

Forefront TMG integrates with the Internet Protocol security (IPsec) Denial of Service Protection (DoSP) component of DirectAccess to ensure that only IPsec-protected traffic is allowed to pass through. For this reason, you must configure DirectAccess before installing Forefront TMG. Forefront TMG also allows Internet Control Message Protocol (ICMP) traffic through by default, which is required to support Teredo-based DirectAccess clients.

For more information, see Forefront Threat Management Gateway and DirectAccess.