DirectAccess with NAP Solution Overview

Updated: October 1, 2010

Applies To: Windows Server 2008 R2

DirectAccess provides authenticated and protected access to intranet resources across the Internet. Just like typical remote access virtual private network (VPN) solutions, DirectAccess components do not ensure that the DirectAccess client complies with system health requirements prior to gaining access to the intranet. Typical system health requirements can include verifying that anti-malware software is running or the host firewall is enabled.

The following are the benefits of using DirectAccess with Network Access Protection (NAP):

  • Ongoing system health compliance for roaming computers

    Because DirectAccess client computers always connect to intranet infrastructure resources when they have an Internet connection, their system health is checked on an ongoing basis and can always remain in compliance. System health checks are performed by the computer prior to user logon. This is in contrast to using NAP with VPN, in which system health compliance is checked only when the roaming computer initiates a remote access VPN connection to the intranet.

  • Enforce system health compliance prior to access to the entire intranet

    When the user logs on, the DirectAccess client computer attempts to access the entire intranet. NAP provides the components and infrastructure to ensure that system health requirements are met prior to allowing access to the entire intranet.

DirectAccess clients by default use a computer certificate for Internet Protocol security (IPsec) peer authentication. With DirectAccess and NAP, the certificate used for authentication to gain access to the entire intranet is a health certificate. A health certificate validates the identity of the DirectAccess client computer and certifies that the DirectAccess client complies with system health requirements.

It is possible to use DirectAccess with NAP in the following modes, depending on whether a health certificate is required for authentication when attempting to access the entire intranet:

  • Reporting mode

    The DirectAccess server does not require health certificates. DirectAccess clients can use a health certificate or their computer certificate. The benefit of this mode is that most DirectAccess clients will automatically correct their system health on an ongoing basis. By analyzing the reporting information generated by the NAP health policy server, a server running Network Policy Server (NPS), you can work to correct the system health of noncompliant DirectAccess client computers without blocking their intranet access. In reporting mode, noncompliant DirectAccess client computers have access to the entire intranet.

  • Full enforcement mode

    The DirectAccess server requires health certificates. DirectAccess clients without a health certificate will not be able to access the entire intranet and cannot use their computer certificate for authentication. The benefit of this mode is that DirectAccess clients that do not meet system health requirements, which can pose a potential threat to the intranet, are not allowed access to the entire intranet. However, DirectAccess clients that cannot automatically correct their system health might require helpdesk assistance.

The DirectAccess with NAP solution uses full enforcement mode.
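Because full enforcement mode turns on whether the client currently holds a valid health certificate, a helpdesk or client administrator will want a quick way to see that. The following added example is not part of this article or of the DirectAccess product; it assumes Windows PowerShell on the DirectAccess client and identifies health certificates by the System Health Authentication enhanced key usage (OID 1.3.6.1.4.1.311.47.1.1) that NAP health certificates carry.

```powershell
# Added example (not from the original article): list certificates in the
# computer's personal store that carry the System Health Authentication EKU,
# which is what distinguishes a NAP health certificate from the ordinary
# computer certificate, and report whether any of them is valid right now.
# Written for PowerShell 2.0 so it also runs on Windows 7 / Server 2008 R2 clients.
$HealthAuthOid = '1.3.6.1.4.1.311.47.1.1'   # System Health Authentication EKU

function Get-HealthCertificateStatus {
    $now = Get-Date
    $certs = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        # Keep only certificates whose EKU extension lists the health OID
        $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $HealthAuthOid }
    }

    foreach ($cert in $certs) {
        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            # Outside its validity window the certificate cannot be used for
            # IPsec peer authentication, so full enforcement mode treats the
            # client as having no health certificate.
            ValidNow   = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
        }
    }
}

$status = @(Get-HealthCertificateStatus)
if ($status.Count -eq 0) {
    Write-Warning 'No health certificate found. In full enforcement mode this client cannot authenticate to the DirectAccess server for intranet access.'
} elseif (-not ($status | Where-Object { $_.ValidNow })) {
    Write-Warning 'Health certificate(s) present, but none is currently valid.'
}
$status | Format-Table Subject, NotAfter, ValidNow -AutoSize
```

In reporting mode the same output is still useful, since a client with no valid health certificate is the one falling back to its computer certificate and showing up as noncompliant in NPS reports.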

For more information about the architecture of the DirectAccess with NAP solution, see DirectAccess with NAP Architecture Overview.

For information about how to deploy the DirectAccess with NAP solution, see the DirectAccess with NAP Deployment Roadmap.