DirectAccess Client Determines that it is on the Intranet When on the Internet

Updated: November 18, 2009

Applies To: Windows Server 2008 R2

If the DirectAccess client can successfully access the Secure Hypertext Transfer Protocol (HTTPS)-based uniform resource locator (URL) hosted by the network location server when directly attached to the Internet, network location detection determines that a DirectAccess client is on the intranet and removes the DirectAccess-based rules in the effective Name Resolution Policy Table (NRPT). If the DirectAccess client computer has an existing, active virtual private network (VPN) connection to the intranet, this is the desired behavior. With an existing layer 2 connection to the intranet, such as that provided by a VPN connection, the network location server is accessible and DirectAccess should not be used to provide intranet connectivity.

If the DirectAccess client computer does not have an existing, active VPN connection to the intranet, the network location server should not be accessible. If it is, the DirectAccess client removes the DirectAccess-based rules in the effective NRPT and the DirectAccess client sends all Domain Name System (DNS) name queries to interface-configured DNS servers. The result is that the DirectAccess client will not be able to resolve intranet DNS server names and connect to intranet DNS servers through the DirectAccess server.

If the network location server is accessible from DirectAccess clients on the Internet, it could be due to the following:

  • Your NRPT does not have an exemption rule for the fully qualified domain name (FQDN) of the network location URL

    If the FQDN of the network location URL matches the namespace rule for your intranet, you must have an additional exemption rule for the FQDN in the NRPT. With this exemption rule, the DirectAccess client uses interface-configured DNS servers for the FQDN, which Internet DNS servers should not be able to resolve. If this exemption rule is missing and the FQDN of the network location URL matches the namespace rule for your intranet, the DirectAccess client will use intranet DNS servers to successfully resolve the FQDN and access the network location server over the DirectAccess connection.

  • The network location URL is accessible from the Internet

    The network location URL is designed to be accessible only from the intranet. You should not be able to access the FQDN of the network location URL or the HTTPS-based URL from an Internet-connected computer. To test this, connect a computer that is not a DirectAccess client to the Internet and attempt to ping the FQDN of the network location URL and use an Internet browser to access the network location URL. If you can resolve the name and access the URL, remove the Internet DNS records for the FQDN or remove the network location server from the Internet. If the DirectAccess server is acting as the network location server, ensure that the IP and Domain Restrictions role service is installed for the Web server (IIS) role to prevent DirectAccess clients on the Internet from reaching the network location URL on the DirectAccess server.

For more information about the technical details of the network location detection process, see Network Location Detection.