Windows 7 : Understanding DirectAccess Client Connections (part 2) - Understanding DirectAccess Infrastructure Features

12/2/2013 8:14:27 PM
3. Understanding DirectAccess Infrastructure Features

Figure 4 shows the primary features of a DirectAccess infrastructure. These features include general network infrastructure requirements such as a PKI (including a certification authority and CRL distribution points), domain controllers, IPv6 transition technologies, and DNS servers. A DirectAccess infrastructure also has the elements that form the core of the DirectAccess solution, including DirectAccess clients, DirectAccess servers, and a network location server.

These elements of a DirectAccess infrastructure are described in more detail in the following sections.

Figure 4. A DirectAccess infrastructure

DirectAccess Server

At least one domain-joined server must be running Windows Server 2008 R2 so it can act as the DirectAccess server. This server typically resides on your perimeter network and acts as both a relay for IPv6 traffic and an IPSec gateway. The server accepts connections from DirectAccess clients and (like a VPN server) facilitates communication with intranet resources. The DirectAccess server needs two physical network adapters (one on the Internet, one on the intranet) and at least two consecutive, publicly addressable IPv4 addresses on the Internet-facing adapter that can be resolved through the Internet DNS; the Teredo server component uses the pair of consecutive addresses to detect the type of NAT a client is behind.

To create a DirectAccess server, use Server Manager to add the DirectAccess Management Console feature in Windows Server 2008 R2. Then use the DirectAccess Setup Wizard in this console to configure the server.

DirectAccess Client

Client computers must be domain-joined and running Windows 7 Enterprise or Ultimate to use DirectAccess. To perform the initial configuration of computers as DirectAccess clients, add them to a Windows group, and then specify this group when you run the DirectAccess Setup Wizard on the DirectAccess server.

To allow DirectAccess clients to separate Internet traffic from intranet traffic, Windows 7 and Windows Server 2008 R2 include the Name Resolution Policy Table (NRPT). The NRPT is applied to clients only through Local Computer Policy or Group Policy; there is no per-connection setting for it in the TCP/IP properties of a network adapter. To locate NRPT settings in a GPO, navigate to Computer Configuration\Policies\Windows Settings\Name Resolution Policy.

Note

WHAT IS THE NRPT?

The NRPT is a new feature that allows a client to assign DNS servers to particular namespaces rather than to particular interfaces. It is essentially a list of name resolution rules applied to clients through Group Policy; each rule defines a DNS namespace and the DNS client behavior for that namespace. When a DirectAccess client is on the Internet, each name query is compared against the namespace rules stored in the NRPT, the most specific (longest) matching rule wins, and the query is processed according to that rule's settings, which determine the DNS servers (for DirectAccess, the IPv6 address of the DirectAccess server) to which the request is sent. The NRPT is in force only while the client has determined that it is outside the intranet; once the network location server is reachable, the table is switched off and every query goes to the interface DNS servers.

If a name query request does not match a namespace listed in the NRPT, it is sent to the DNS servers configured in the TCP/IP settings for the specified network interface.
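As an added example that is not part of the original page, the following PowerShell models how a client walks the NRPT for each query: longest matching namespace wins, a rule with an empty server list is an exemption, and anything unmatched goes to the interface DNS servers. The rule set is constructed; the namespace and the DNS64 address of the DirectAccess server are hypothetical.

```powershell
# Added example, not code from the original page: a model of how a DirectAccess client walks
# the NRPT for each query. The rule set is constructed; the namespace and the DNS64 address
# of the DirectAccess server are hypothetical.
$Nrpt = @(
    # Suffix rule as pushed by the DirectAccess Setup Wizard: everything under the intranet
    # namespace is sent to the DirectAccess server's DNS64 listener (IPv6, hypothetical address)
    @{ Type = 'Suffix'; Namespace = '.corp.contoso.com';   DnsServers = @('2002:836b:1:1::1') },
    # FQDN exemption with an empty server list: the network location server must resolve
    # through the interface DNS servers, or the client can never detect that it is inside
    @{ Type = 'FQDN';   Namespace = 'nls.corp.contoso.com'; DnsServers = @() }
)

function Resolve-NrptRule {
    param(
        [Parameter(Mandatory = $true)][string]$QueryName,
        [Parameter(Mandatory = $true)][array]$Rules
    )
    $name    = $QueryName.TrimEnd('.').ToLowerInvariant()
    $best    = $null
    $bestLen = -1
    foreach ($rule in $Rules) {
        $ns  = $rule.Namespace.ToLowerInvariant()
        $hit = $false
        switch ($rule.Type) {
            'FQDN'   { $hit = ($name -eq $ns) }        # exact name only
            'Suffix' { $hit = $name.EndsWith($ns) }    # leading dot: any name under the suffix
        }
        # The most specific (longest) matching namespace wins, so the NLS exemption
        # overrides the broader .corp.contoso.com rule for that one name
        if ($hit -and $ns.Length -gt $bestLen) {
            $best    = $rule
            $bestLen = $ns.Length
        }
    }
    if ($best -eq $null) {
        $ruleHit = '(no rule)'
        $sentTo  = 'interface DNS servers from TCP/IP settings'
    } elseif ($best.DnsServers.Count -eq 0) {
        $ruleHit = $best.Namespace + ' (exemption)'
        $sentTo  = 'interface DNS servers from TCP/IP settings'
    } else {
        $ruleHit = $best.Namespace
        $sentTo  = $best.DnsServers -join ', '
    }
    New-Object PSObject -Property @{ Query = $QueryName; Rule = $ruleHit; SentTo = $sentTo }
}

# Three queries from a client that is on the Internet: one intranet host, the NLS, one public site
'fileserver.corp.contoso.com', 'nls.corp.contoso.com', 'www.bing.com' |
    ForEach-Object { Resolve-NrptRule -QueryName $_ -Rules $Nrpt } |
    Format-Table Query, Rule, SentTo -AutoSize
```

On a Windows 7 client the rules pushed by Group Policy land under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig. `netsh namespace show policy` prints them, and `netsh namespace show effectivepolicy` prints what is actually in force; on a client that has reached the network location server the effective table is empty, because the NRPT is switched off inside the intranet.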

Network Location Server

A network location server is a Web server that a DirectAccess client contacts over HTTPS to determine whether it is located on the intranet or on the Internet: if the server's URL can be reached and its certificate validates (including a revocation check, so the certificate's CRL must be available on the intranet), the client concludes it is inside and disables its DirectAccess settings. The DirectAccess server can act as the network location server, but it is preferable to use a separate, high-availability Web server instead, because intranet clients that cannot reach the network location server behave as if they were on the Internet and apply the NRPT, which breaks their intranet name resolution. The network location server must not be reachable from the Internet, or remote clients will conclude that they are inside and never bring up DirectAccess, and its FQDN must be exempted from the NRPT so that it resolves through the interface DNS servers. This separate Web server does not have to be dedicated as a network location server. You can configure network location server settings in Local Computer Policy or Group Policy. To find the settings in a GPO, navigate to Computer Configuration\Policies\Administrative Templates\Network\Network Connectivity Status Indicator.

Domain Controllers

An AD DS infrastructure is required for DirectAccess. At least one domain controller in the domain needs to be running Windows Server 2008 or later.

IPv6-capable Network

DirectAccess uses IPv6 to enable remote client computers to maintain connectivity with intranet resources over an Internet connection. Because most of the public Internet currently uses IPv4, however, DirectAccess clients use IPv6 transition technologies when no native IPv6 connectivity is available. The order of connection methods attempted by DirectAccess clients is as follows:

  1. Native IPv6 This method is used if the DirectAccess client is assigned a globally routable IPv6 address.

  2. 6to4 This method is used if the DirectAccess client is assigned a public IPv4 address. 6to4 encapsulates IPv6 directly in IPv4 (protocol 41), so it does not work through a NAT.

  3. Teredo This method is used if the DirectAccess client is assigned a private IPv4 address, that is, when it sits behind a NAT. Teredo tunnels IPv6 in UDP (port 3544) and sends ICMPv6 Echo Requests to the DirectAccess server before it establishes its tunnels; if Teredo cannot obtain connectivity through the NAT, the client falls through to IP-HTTPS.

  4. IP-HTTPS This method is attempted if the other methods fail, for example from a network that allows only outbound TCP port 443. It tunnels IPv6 inside an HTTPS session, so on Windows 7 the IPSec-protected traffic is encrypted a second time by TLS and throughput is the lowest of the four methods.
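As an added example that is not part of the original page, the following PowerShell function decodes the IPv4 endpoint information that the transition addresses carry: 6to4 (2002:WWXX:YYZZ::/48) embeds the client's public IPv4 address, Teredo (2001:0::/32) embeds the Teredo server, the NAT-mapped port and the client's public IPv4 address (both obfuscated by XOR with all-ones), and ISATAP (interface ID ::0:5efe:w.x.y.z) embeds an intranet host's IPv4 address. The sample addresses are constructed.

```powershell
# Added example, not code from the original page: decode the IPv4 endpoint information that
# 6to4 (RFC 3056), Teredo (RFC 4380) and ISATAP (RFC 5214) embed in their IPv6 addresses.
# The sample addresses at the end are constructed.
function ConvertFrom-TransitionAddress {
    param([Parameter(Mandatory = $true)][string]$Address)

    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        throw "$Address is not an IPv6 address"
    }
    $b = $ip.GetAddressBytes()    # 16 bytes in network order

    $info = New-Object PSObject -Property @{
        Address = $Address; Method = 'Native IPv6 or IP-HTTPS (no embedded IPv4)'
        ServerIPv4 = $null; ClientIPv4 = $null; ClientPort = $null
    }

    if ($b[10] -eq 0x5e -and $b[11] -eq 0xfe -and $b[9] -eq 0x00 -and ($b[8] -eq 0x00 -or $b[8] -eq 0x02)) {
        # ISATAP interface ID ::0:5efe:w.x.y.z (or ::200:5efe:... with the u/g bit set):
        # an intranet host tunnelling IPv6 over the IPv4-only intranet; the low 32 bits are its IPv4 address
        $info.Method     = 'ISATAP (intranet host)'
        $info.ClientIPv4 = '{0}.{1}.{2}.{3}' -f $b[12], $b[13], $b[14], $b[15]
    }
    elseif ($b[0] -eq 0x20 -and $b[1] -eq 0x02) {
        # 6to4: 2002:WWXX:YYZZ::/48, where WW.XX.YY.ZZ is the client's own public IPv4 address
        $info.Method     = '6to4 (public IPv4 client)'
        $info.ClientIPv4 = '{0}.{1}.{2}.{3}' -f $b[2], $b[3], $b[4], $b[5]
    }
    elseif ($b[0] -eq 0x20 -and $b[1] -eq 0x01 -and $b[2] -eq 0x00 -and $b[3] -eq 0x00) {
        # Teredo: 2001:0000:<server IPv4>:<flags>:<port XOR 0xFFFF>:<external IPv4 XOR 0xFFFFFFFF>
        # The obfuscated fields reveal the client's NAT-mapped public endpoint
        $info.Method     = 'Teredo (client behind NAT)'
        $info.ServerIPv4 = '{0}.{1}.{2}.{3}' -f $b[4], $b[5], $b[6], $b[7]
        $info.ClientPort = ($b[10] * 256 + $b[11]) -bxor 0xFFFF
        $info.ClientIPv4 = '{0}.{1}.{2}.{3}' -f ($b[12] -bxor 0xFF), ($b[13] -bxor 0xFF), ($b[14] -bxor 0xFF), ($b[15] -bxor 0xFF)
    }
    $info
}

# Constructed samples: a 6to4-derived address of the kind a DirectAccess server uses, a Teredo
# address of a client behind a NAT, and an ISATAP address of an intranet host at 10.0.0.1
'2002:836b:1:1::1', '2001:0:4136:e378:8000:63bf:3fff:fdd2', '2002:836b:1:1:0:5efe:a00:1' |
    ForEach-Object { ConvertFrom-TransitionAddress -Address $_ } |
    Format-List Address, Method, ServerIPv4, ClientIPv4, ClientPort
```

On a Windows 7 client, `netsh interface teredo show state`, `netsh interface 6to4 show state` and `netsh interface httpstunnel show interfaces` report which of the transports is actually up. The decoder also makes the privacy point concrete: a Teredo address that appears in an intranet server's logs discloses the remote client's public IPv4 address and NAT-mapped port, even though the packets arrived through the DirectAccess server.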

For remote client computers to reach computers on the internal corporate network through DirectAccess, the internal computers must be reachable over IPv6.

Computers on your IPv4 network are reachable over IPv6 if any of the following is true:

  • The computers are running Windows 7, Windows Vista, Windows Server 2008, or Windows Server 2008 R2, which have IPv6 (including an ISATAP client) enabled by default, and an IPv6 path to them exists.

  • You have deployed ISATAP on your intranet to enable internal servers and applications to be reachable by tunneling IPv6 traffic over your IPv4-only intranet.

  • You are using a NAT-PT device to translate traffic between your DirectAccess clients and your intranet computers that support only IPv4. Windows Server 2008 R2 does not include such a translator, so this requires a separate product.

IPSec

DirectAccess uses IPSec to provide end-to-end security for remote client computers accessing resources on the internal corporate network. IPSec policies are used for authentication and encryption of all DirectAccess connections, and they are configured and applied to client computers through Group Policy as Windows Firewall with Advanced Security connection security rules. A client establishes two tunnels to the DirectAccess server: an infrastructure tunnel, authenticated with the computer certificate and the computer account credentials, that carries only DNS and domain controller traffic and comes up before any user logs on; and an intranet tunnel, which additionally authenticates the logged-on user with Kerberos and carries the remaining intranet traffic. You can inspect the active security associations on either side with netsh advfirewall monitor show mmsa and netsh advfirewall monitor show qmsa.

PKI

A PKI is required to issue computer certificates for client and server authentication and also for issuing health certificates when NAP has been implemented. These certificates can be issued by a CA on the internal network—they do not need to be issued by a public CA.

CRL Distribution Points (CDPs)

In a DirectAccess infrastructure, CDPs are the servers that provide access to the CRL that is published by the CA issuing certificates for DirectAccess. Separate CDPs should be published for clients internal to the corporate network and for external clients on the Internet: the Internet-facing CDP (for example a plain-HTTP virtual directory reachable through the DirectAccess server's Internet interface, or a public Web server) lets remote clients validate the IP-HTTPS server certificate, and the internal CDP lets intranet clients validate the network location server certificate. If a client cannot retrieve the relevant CRL, the corresponding connection fails.
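As an added example that is not part of the original page, the following PowerShell function reads the CRL Distribution Points extension of a certificate and fetches each HTTP CDP. Run it from an Internet-connected client against the IP-HTTPS server certificate and from an intranet client against the computer and network location server certificates. The file path and the certificate store location used at the end are assumptions.

```powershell
# Added example, not code from the original page: pull the HTTP CRL distribution points out of a
# certificate and check that each one answers. The certificate path and URLs are assumptions.
function Test-CrlDistributionPoint {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$TimeoutMs = 5000
    )
    # OID 2.5.29.31 is the CRL Distribution Points extension
    $cdp = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if ($cdp -eq $null) {
        Write-Warning "$($Certificate.Subject) carries no CDP extension; revocation cannot be checked"
        return
    }
    # Format() renders the extension as text with one 'URL=...' entry per distribution point.
    # LDAP entries are skipped: an Internet-connected client cannot reach them anyway.
    $urls = [regex]::Matches($cdp.Format($true), 'URL=(https?://\S+)') |
        ForEach-Object { $_.Groups[1].Value }
    foreach ($url in $urls) {
        $result = New-Object PSObject -Property @{
            Subject = $Certificate.Subject; Url = $url; Status = $null; Bytes = $null; Error = $null
        }
        try {
            $req = [System.Net.WebRequest]::Create($url)
            $req.Timeout = $TimeoutMs
            $resp = $req.GetResponse()
            $result.Status = [int]$resp.StatusCode
            $result.Bytes  = $resp.ContentLength      # a CRL of 0 bytes is as bad as no CRL
            $resp.Close()
        } catch {
            $result.Error = $_.Exception.Message
        }
        $result
    }
}

# From the Internet: the DirectAccess server's IP-HTTPS certificate, exported to a file (hypothetical path)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\da-iphttps.cer'
Test-CrlDistributionPoint -Certificate $cert | Format-Table Url, Status, Bytes, Error -AutoSize

# From the intranet: every certificate in the local computer's personal store, which on a
# DirectAccess client includes the computer certificate used for IPSec authentication
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-CrlDistributionPoint -Certificate $_ } |
    Format-Table Subject, Url, Status, Error -AutoSize
```

The built-in equivalent is `certutil -verify -urlfetch <file.cer>`, which uses Windows' own chain engine and also reports AIA and OCSP locations. Publish the Internet-facing CDP over plain HTTP: a CDP that is only reachable over HTTPS (a circular dependency) or only over LDAP leaves remote clients unable to validate the IP-HTTPS certificate, and the IP-HTTPS connection fails.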

Perimeter Firewall Exceptions

On your corporate network perimeter firewall, the following inbound traffic to the DirectAccess server's Internet-facing addresses must be allowed to support DirectAccess:

  • UDP port 3544 to enable inbound Teredo traffic

  • IPv4 protocol 41 to enable inbound 6to4 traffic

  • TCP port 443 to enable inbound IP-HTTPS traffic

Teredo clients also send ICMPv6 Echo Requests to the DirectAccess server and to intranet hosts before establishing their tunnels. These travel inside the Teredo UDP packets, so the perimeter firewall does not see them, but the DirectAccess server's own Windows Firewall and any firewalls between it and the intranet must allow ICMPv6 Echo Request, or Teredo-based clients cannot reach intranet resources.

If you need to support client computers that have native IPv6 addresses, the following exceptions will also need to be opened on the IPv6 path to the DirectAccess server:

  • ICMPv6

  • IPv6 protocol 50 (IPSec ESP), which carries the DirectAccess tunnels
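As an added example that is not part of the original page, the following PowerShell function performs the HTTPS reachability check that underlies both the network location server test described earlier and the TCP port 443 exception for IP-HTTPS: TCP connect with a timeout, a full TLS handshake with the default chain and name validation, then a separate chain build with online revocation checking. The host names are hypothetical.

```powershell
# Added example, not code from the original page: the HTTPS check that sits under both the
# network location server test and the IP-HTTPS listener. Host names are hypothetical.
function Test-HttpsListener {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )
    $result = New-Object PSObject -Property @{
        Host = $HostName; Port = $Port; TcpOpen = $false; TlsOk = $false; RevocationOk = $null
        Subject = $null; Issuer = $null; NotAfter = $null; ChainStatus = $null; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # TCP connect with our own timeout: a filtered port otherwise blocks for a long time
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            throw "TCP connect to ${HostName}:$Port timed out"
        }
        $client.EndConnect($ar)
        $result.TcpOpen = $true

        # TLS handshake with the default chain and name validation; an untrusted issuer or a
        # name mismatch is reported as an exception, just as the DirectAccess client would refuse it
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $result.TlsOk = $true
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $result.Subject  = $cert.Subject
        $result.Issuer   = $cert.Issuer
        $result.NotAfter = $cert.NotAfter

        # The default handshake does not check revocation; rebuild the chain with an online
        # CRL lookup, which is what fails when the CDP is not reachable from this side
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $result.RevocationOk = $chain.Build($cert)
        $result.ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ', '
        $ssl.Close()
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $client.Close()
    }
    $result
}

# From the intranet the NLS must pass and the IP-HTTPS name need not; from the Internet the
# reverse must hold, otherwise location detection or the IP-HTTPS fallback is broken
Test-HttpsListener -HostName 'nls.corp.contoso.com' | Format-List Host, TcpOpen, TlsOk, RevocationOk, Subject, ChainStatus, Error
Test-HttpsListener -HostName 'da.contoso.com'       | Format-List Host, TcpOpen, TlsOk, RevocationOk, Subject, ChainStatus, Error
```

Only the TCP 443 exception can be probed this way; UDP 3544 and protocol 41 need an actual Teredo or 6to4 exchange. Run the function from both sides of the perimeter: the network location server name must answer with a valid, unrevoked certificate from the intranet and must not answer from the Internet, while the IP-HTTPS name must answer from the Internet with a certificate whose subject matches the public DNS name the clients are configured with.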
