Hands on with Windows Server 2008 R2: DirectAccess

Promises an unprecedented level of connectivity -- but at a very steep price

Page 3 of 4

In other words, this is definitely a bleeding-edge solution right now.

Preparing your environment for DirectAccess

Here's how the process works overall. It is complex, but most of the difficulty comes in configuring the environment properly, as you'll see. You need to procure a correctly configured server, deploy the IPv6 transition technologies (Teredo, 6to4, IP-HTTPS on the Internet side; ISATAP or NAT-PT on the intranet side), open the appropriate ports on your firewalls and work somewhat in depth with addressing. You also will need to decide among a number of access and scalability models.

While some of this process can be scripted, I will walk you through a manual preparation and deployment of an end-to-edge solution (the broadest and most comprehensive of the available models) in this feature for the sake of clarity.

Let's begin the preparations:

1) Choose a server with two Ethernet adapters and install Windows Server 2008 R2. Join this server to an Active Directory domain.

2) On this server, connect one network adapter to the Internet and the other network adapter to your intranet. Assign IPv4 addresses from the appropriate scheme to each adapter (public on the Internet side, internal on the intranet side). Native IPv6 is not required at this point, because the transition technologies can carry IPv6 over your existing IPv4 network.

3) Open ports on both the edge and DMZ firewalls. This assumes the DirectAccess server sits in a perimeter network between an Internet-facing edge firewall and an internal (DMZ) firewall. Use the following table to determine which ports to open on your edge firewall, based on which client connectivity protocols you plan to support. Protocol 41 is IPv6-in-IPv4 encapsulation, and Protocol 50 is IPsec ESP; both are IP protocol numbers, not TCP or UDP ports, so your firewall must be able to filter on them directly.

Edge firewall ports to open

Name          Teredo    6to4    IP-HTTPS    Native IPv6
UDP 3544        X
Protocol 41              X
TCP 443                           X
ICMPv6                                          X
Protocol 50                                     X

This table lists ports for your DMZ firewall, connecting the DirectAccess server itself to the intranet.

DMZ firewall ports to open

Columns: ISATAP / Native IPv6 / Using NAT-PT

Protocol 41               X
TCP                       X  X
UDP                       X  X
ICMPv6                    X
All IPv6 connectivity     X
UDP 500 (IKE/AuthIP)      X  X

4) Acquire two consecutive public static IPv4 addresses; Teredo requires a pair of consecutive addresses on the server it talks to. Publish one of the addresses to your external DNS zone, assigning the name directaccess.company.com or da.company.com. Assign the two public addresses to one of the adapters on the DirectAccess server, which will from that point forward be the Internet-facing interface.

5) Make sure the Internet-facing adapter ends up in the "Public" or "Private" network location profile and the other adapter in the "Domain" profile. Windows assigns these profiles through Network Location Awareness, so the intranet adapter must be the one that can reach a domain controller; the Internet-facing adapter must not.

6) Enable IPv6 on clients and servers. IPv6 is on by default in Windows 7 and Windows Server 2008 R2, so in practice this means verifying that nobody has disabled it (for example through the DisabledComponents registry value or by unbinding it from the adapter), because DirectAccess does not work without it.

7) Create a security group in your Active Directory domain that contains the computer accounts of all clients that will participate in DirectAccess.

8) Install the Web Server (IIS) role on the DirectAccess machine; it is needed for the IP-HTTPS listener and for the network location server if you host that role here.

9) Install the DirectAccess Management Console feature by going to Server Manager, Initial Configuration Tasks and then choosing Add features. In the resulting wizard, select DirectAccess Management Console and click Add Required Features in the pop-up window to add the Group Policy Management feature. Click Next, Install and then Close to finish the installation.
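The preparation steps above can be driven from PowerShell 2.0 on the DirectAccess server itself. The script below is an added example written for this page, not code from the article or from Microsoft; it walks through the checks and changes for steps 1, 2, 4, 6, 7, 8 and 9 in order. The adapter names, the addresses (taken from the RFC 5737 documentation range), the group name and the computer names are placeholders you must replace. It assumes an elevated session, the ActiveDirectory module (RSAT-AD-PowerShell) installed locally, and a Windows Server 2008 R2 domain controller running Active Directory Web Services, which the AD cmdlets require. Because the NetTCPIP cmdlets do not exist on 2008 R2, addressing is done with netsh.

```powershell
# Added example (not from the article): prepare a Windows Server 2008 R2 host for DirectAccess.
# Run in an elevated PowerShell 2.0 session on the future DirectAccess server.
Import-Module ServerManager
Import-Module ActiveDirectory

# --- Placeholders: assumed values, replace for your environment ---
$InternetAdapter = 'Local Area Connection'      # adapter cabled to the Internet
$IntranetAdapter = 'Local Area Connection 2'    # adapter cabled to the intranet
$PublicAddresses = @('203.0.113.10', '203.0.113.11')  # two consecutive public IPv4 addresses (Teredo needs a pair)
$PublicMask      = '255.255.255.0'
$PublicGateway   = '203.0.113.1'
$IntranetAddress = '10.0.0.5'
$IntranetMask    = '255.255.255.0'
$ClientGroup     = 'DirectAccessClients'        # security group from step 7
$ClientComputers = @('LAPTOP01', 'LAPTOP02')    # computer accounts to enrol

# Step 1 check: the server must already be joined to the domain.
$cs = Get-WmiObject Win32_ComputerSystem
if (-not $cs.PartOfDomain) { throw 'Join this server to an Active Directory domain before continuing.' }

# Step 4 check: refuse to continue unless the two public addresses really are consecutive.
function ConvertTo-UInt32 ([string]$ip) {
    $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()   # network byte order
    [Array]::Reverse($bytes)                                          # BitConverter expects little-endian
    return [BitConverter]::ToUInt32($bytes, 0)
}
if ((ConvertTo-UInt32 $PublicAddresses[1]) -ne ((ConvertTo-UInt32 $PublicAddresses[0]) + 1)) {
    throw "Public addresses must be consecutive; got $($PublicAddresses -join ', ')"
}

# Steps 2 and 4: rename the adapters so later steps are unambiguous, then assign addresses.
netsh interface set interface name="$InternetAdapter" newname="Internet"
netsh interface set interface name="$IntranetAdapter" newname="Intranet"
netsh interface ipv4 set address name="Internet" source=static address=$($PublicAddresses[0]) mask=$PublicMask gateway=$PublicGateway
netsh interface ipv4 add address name="Internet" address=$($PublicAddresses[1]) mask=$PublicMask
# The intranet adapter gets no default gateway; reach internal subnets through static routes instead,
# otherwise the server has two default routes and Internet traffic can leak onto the intranet side.
netsh interface ipv4 set address name="Intranet" source=static address=$IntranetAddress mask=$IntranetMask

# Step 6 check: IPv6 must not have been disabled through the DisabledComponents registry value.
$tcpip6 = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$disabled = (Get-ItemProperty -Path $tcpip6 -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
if ($disabled -and $disabled -ne 0) {
    Set-ItemProperty -Path $tcpip6 -Name DisabledComponents -Value 0 -Type DWord
    Write-Warning "IPv6 was disabled (DisabledComponents=$disabled); reset to 0. Reboot before configuring DirectAccess."
}

# Step 7: security group that holds the computer accounts of DirectAccess clients.
if (-not (Get-ADGroup -Filter { Name -eq $ClientGroup })) {
    New-ADGroup -Name $ClientGroup -GroupScope Global -GroupCategory Security `
                -Description 'Computers allowed to connect through DirectAccess'
}
$members = $ClientComputers | ForEach-Object { Get-ADComputer -Identity $_ }
Add-ADGroupMember -Identity $ClientGroup -Members $members

# Steps 8 and 9: IIS plus the DirectAccess Management Console (feature name DAMC),
# which pulls in Group Policy Management (GPMC) as a required feature.
Add-WindowsFeature Web-Server, DAMC
Get-WindowsFeature Web-Server, DAMC, GPMC | Format-Table DisplayName, Installed -AutoSize
```

Step 5 is deliberately not scripted: the network location profile is chosen by Network Location Awareness, not set by hand, so after the addresses are in place confirm with `netsh advfirewall monitor show currentprofile` that the adapter named Intranet landed in the Domain profile and the one named Internet did not. If the intranet adapter can reach a domain controller and the Internet adapter cannot, that is what you will see.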
