Design for Intranet Server Availability Prior to User Logon

Updated: October 1, 2009

Applies To: Windows 7, Windows Server 2008 R2

The intranet servers that are available to a DirectAccess client computer depend on whether the user has logged on. By default, the DirectAccess Setup Wizard for the full intranet access model creates connection security rules for the following Internet Protocol security (IPsec) tunnels:

  • Infrastructure tunnel

    This rule provides connectivity to specific intranet Domain Name System (DNS) servers and uses only computer account-based credentials for authentication. This is a required connection security rule. If the specified DNS servers are also domain controllers, you do not have to add these domain controllers to the list of intranet servers that are available prior to user logon. If the domain controllers that you want to make accessible to DirectAccess clients are separate from the specified DNS servers, you must add them to the intranet servers that are available prior to user logon.

  • Intranet tunnel

    This rule provides connectivity to all intranet resources reachable by the DirectAccess client computer and uses a combination of computer and user account-based credentials for authentication. This is a required connection security rule.

  • Management tunnel

    This rule provides connectivity to DirectAccess client computers on the Internet from management servers on the intranet and uses only computer-based credentials for authentication. Management servers can remotely manage DirectAccess clients on the Internet, such as computers that create remote desktop connections. This is an optional connection security rule, depending on whether you have defined the IPv6 addresses of management servers in Step 3 of the DirectAccess Setup Wizard. If you do not configure management servers, these computers will not be able to initiate communications with DirectAccess clients until the user has logged on.

The security settings for the connection security rules for the infrastructure and management tunnels are the same. Therefore, DirectAccess clients can also use the management tunnel rule to initiate communications with intranet servers in the same way as the infrastructure tunnel rule. Because these connection security rules do not use user account-based credentials, DirectAccess client computers will only have connectivity to those intranet endpoints that are specified for the infrastructure and management tunnel rules before user logon.

Additional computers that should be available to DirectAccess client computers prior to user logon are the following:

  • Domain controllers, which are not DNS servers and have already been configured in Step 3 of the DirectAccess wizard

  • Additional intranet DNS servers that have not been configured in Step 3 of the DirectAccess wizard

  • When using Network Access Protection (NAP), Health Registration Authorities (HRAs) and remediation servers

  • Servers needed for computer logon operations and system health updates, such as operating system and anti-malware update servers

  • If you have configured force tunneling and DirectAccess client computers need to access the Internet prior to user logon, your intranet proxy servers

One way to determine the additional intranet servers that must be made available to the services of a DirectAccess client computer is to analyze the Windows Logs and Application and Services Logs with Event Viewer and note the system services that were unable to start or complete operations prior to computer logon. If the cause of the problem is due to an inability to reach an intranet server and if these failed system services are crucial to the operation of the computer, the intranet server for that service should be added to list of servers that are available prior to user logon.

To add to the set of servers that are available prior to user logon, you can do the following:

  • Use the Management page of step 3 of the DirectAccess Setup Wizard, which adds more Internet Protocol version 6 (IPv6) addresses to the list of permitted endpoints for the management tunnel.

    This is the recommended method because it is much easier to configure, especially if you are not managing a customized DirectAccess deployment and can run the DirectAccess Setup Wizard without modifying one or more custom settings. For more information, see Add Servers that are Available to DirectAccess Clients before User Logon.

  • Use Netsh.exe commands to manually add more IPv6 addresses to the list of permitted endpoints on the infrastructure or management tunnels

    This is not recommended because it must be done manually with multiple commands and if done incorrectly can impair connectivity. However, if you are managing a customized DirectAccess deployment and cannot run the DirectAccess Setup Wizard without modifying one or more custom settings, you must use this method. If you have not already defined management servers with the DirectAccess Setup Wizard, use the infrastructure tunnel. Otherwise, use the management tunnel. For more information, see Add Servers that are Available to DirectAccess Clients before User Logon.