Setting up DirectAccess in Windows Server 2022
Posted on 16th June 2023
Overview
DirectAccess is a feature of the Remote Access role in Windows Server that lets domain-joined remote computers reach internal network resources without a conventional virtual private network (VPN) client. The client builds IPsec tunnels to the DirectAccess server over IPv6 (carried inside IPv6 transition tunnels when the client is on the IPv4 Internet) as soon as it detects that it is off the corporate network, so users never launch anything or enter credentials: the infrastructure tunnel is authenticated with the computer account (and a computer certificate when certificate authentication is enabled) and the intranet tunnel with the user's domain logon. The always-on behaviour cuts both ways: because the machine, not the user, brings the tunnel up, a lost or compromised laptop that is still a domain member is a lost or compromised host on the intranet, so client membership must be scoped deliberately. Clients must be domain joined and run an Enterprise edition of Windows. DirectAccess still ships in Windows Server 2022, but Microsoft positions Always On VPN as its successor and recommends it for new deployments, so treat what follows as guidance for maintaining or extending an existing DirectAccess estate.
Planning for DirectAccess
Before you deploy DirectAccess, you need to plan for your deployment. You need to consider the following:
- The DirectAccess server deployment model that you will use
- The network location of your DirectAccess server
- The network infrastructure that you will use
- The DirectAccess client deployment options
- The Group Policy settings that you will configure
DirectAccess Server Deployment Models
There are two DirectAccess server deployment models:
- Single server
- Load-balanced array
Single Server
In a single server deployment, one DirectAccess server terminates every client tunnel. It is the simplest model and the one the Getting Started Wizard builds, so it is typically used for test, proof-of-concept and small deployments. Capacity depends on the server's CPU and memory and on which transition technology the clients use, not on a fixed client count, and the server is a single point of failure for all remote access.
Load-Balanced Array
In a load-balanced array, two or more DirectAccess servers share one configuration and one set of virtual IP addresses, and Windows Network Load Balancing (NLB) or an external load balancer distributes client connections among them. This is the model to use in production: it removes the single point of failure and you add capacity by adding nodes rather than by sizing one large server. Every node must hold the same IP-HTTPS certificate (and the same IPsec certificate, where certificate authentication is used), and if you also need geographic redundancy the array is extended into a multisite deployment with one entry point per site.
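The two models above as a PowerShell procedure, added here as an example and not taken from the original post: it builds the single server with the RemoteAccess module, narrows the client scope, and then converts the server into a load-balanced array. Host names, interface aliases, group names, GPO names and IP addresses are assumptions for a fictitious corp.contoso.com forest.

```powershell
# Added example, not from the original post: single DirectAccess server first,
# then conversion to a load-balanced array. Host names, interface aliases, group
# names and IP addresses are assumptions for a fictitious corp.contoso.com forest.
# Run elevated on the first DirectAccess server as a domain administrator.

# --- Single server -----------------------------------------------------------
Install-WindowsFeature -Name DirectAccess-VPN -IncludeManagementTools

# Full install in the edge topology with two adapters. ConnectToAddress is the
# public name clients resolve and the subject of the IP-HTTPS certificate.
# For a single-adapter server behind a NAT device add -DeployNat instead.
Install-RemoteAccess -DAInstallType FullInstall `
    -ConnectToAddress 'da.corp.contoso.com' `
    -InternetInterface 'Internet' `
    -InternalInterface 'Corpnet' `
    -ClientGpoName 'corp.contoso.com\DirectAccess Client Settings' `
    -ServerGpoName 'corp.contoso.com\DirectAccess Server Settings' `
    -Force

# The Getting Started Wizard defaults the client GPO to Domain Computers.
# Restrict it to a group of laptops and exclude desktops (OnlyRemoteComputers)
# so that not every workstation in the domain gets an always-on path inwards.
# Group name is an assumption.
Set-DAClient -SecurityGroupNameList 'corp.contoso.com\DirectAccess Laptops' `
    -OnlyRemoteComputers Enabled -Force

# --- Load-balanced array -----------------------------------------------------
# Enabling NLB turns the addresses currently on both adapters into the virtual
# IPs that clients and the intranet keep using; each node then needs its own
# dedicated IP per adapter, given as address/mask (assumed values).
Set-RemoteAccessLoadBalancer `
    -InternetDedicatedIPAddress @('203.0.113.12/255.255.255.0') `
    -InternalDedicatedIPAddress @('10.0.0.12/255.255.255.0') `
    -Force

# The second node must already have the role installed and the same IP-HTTPS
# (and, if used, IPsec) certificates with private keys before it is added.
Add-RemoteAccessLoadBalancerNode -RemoteAccessServer 'da2.corp.contoso.com' -Force

# Confirm the array and the health of every component before relying on it.
Get-RemoteAccessLoadBalancer
Get-RemoteAccessHealth | Where-Object { $_.HealthState -ne 'OK' }
```

Run `Get-DAClient` afterwards to confirm that `SecurityGroupNameList` no longer contains Domain Computers; that one setting decides how many machines in the domain carry a permanent route into the intranet.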
Network Location
Where the DirectAccess server sits relative to the Internet decides which transition technologies clients can use and how much of the server is exposed. The Remote Access Setup Wizard offers three topologies (edge with two adapters, behind an edge device with two adapters, behind an edge device with one adapter), which correspond to the two network locations below:
- An Internet edge network, where the server's Internet adapter carries public IPv4 addresses
- A perimeter network, behind an edge firewall or NAT device, with two adapters or a single adapter
Internet Edge Network
In the edge topology the DirectAccess server has two network adapters: one connected directly to the Internet with public IPv4 addresses and one connected to the internal network. Two consecutive public IPv4 addresses are needed if clients are to use Teredo, and the firewall in front of the server (or the Windows firewall on the server itself) must admit exactly the DirectAccess surface: IP protocol 41 for 6to4, UDP 3544 for Teredo, TCP 443 for IP-HTTPS and, for native IPv6 clients, ICMPv6 plus IPsec (IP protocol 50 and UDP 500). This is the simplest location and supports every transition technology, but the server is a dual-homed host straddling the Internet and the intranet: if it is compromised, the attacker is already on the internal network with the server's intranet-facing address, its domain membership and its IPsec credentials.
Perimeter Network
A perimeter network, also known as a demilitarized zone (DMZ) or screened subnet, sits between the Internet and the internal network with a firewall on each side. The DirectAccess server is placed in it behind an edge device that performs NAT, so the server has a private IPv4 address and clients reach it through the public address and DNS name published on the edge. Because Teredo and 6to4 require public IPv4 addresses on the server, only IP-HTTPS (TCP 443) works in this location, which is also its security advantage: a single TCP port is forwarded from the Internet, and the inner firewall can restrict what the DirectAccess server itself may reach on the intranet (the domain controllers, DNS and management servers it needs, plus the resources you intend clients to use) rather than granting it the whole network. The server can have two adapters (perimeter and internal) or a single adapter on the internal network; the wizard supports both.
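Whichever location you choose, the point of the firewall rules above is that nothing but the DirectAccess surface is reachable from the Internet. The following check, an added example and not part of the original post, runs on the DirectAccess server and lists every TCP listener and UDP endpoint bound to the Internet-facing adapter (or to all addresses), marking anything outside the expected set. The adapter alias 'Internet' and the allow-list are assumptions; for a server behind NAT, reduce the allow-list to TCP 443.

```powershell
# Added example, not from the original post. Enumerate sockets reachable through
# the Internet-facing adapter of a DirectAccess server and flag the unexpected
# ones. Interface alias and allow-list are assumptions for an edge server:
# IP-HTTPS listens on TCP 443 and Teredo on UDP 3544. 6to4 (IP protocol 41) and
# ICMPv6 are not sockets and will not appear here; they live in firewall rules.
function Get-DAInternetExposure {
    param(
        [string]$InternetInterfaceAlias = 'Internet',
        [hashtable]$Expected = @{ 'TCP' = @(443); 'UDP' = @(3544) }
    )
    $addrs = (Get-NetIPAddress -InterfaceAlias $InternetInterfaceAlias).IPAddress
    # A socket bound to the wildcard address answers on the public address too.
    $wild  = @('0.0.0.0', '::')

    $found = @()
    $found += Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -in $addrs -or $_.LocalAddress -in $wild } |
        ForEach-Object {
            [pscustomobject]@{ Protocol = 'TCP'; Port = $_.LocalPort
                               Address = $_.LocalAddress; ProcessId = $_.OwningProcess }
        }
    $found += Get-NetUDPEndpoint |
        Where-Object { $_.LocalAddress -in $addrs -or $_.LocalAddress -in $wild } |
        ForEach-Object {
            [pscustomobject]@{ Protocol = 'UDP'; Port = $_.LocalPort
                               Address = $_.LocalAddress; ProcessId = $_.OwningProcess }
        }

    foreach ($f in $found) {
        $proc = (Get-Process -Id $f.ProcessId -ErrorAction SilentlyContinue).ProcessName
        $f | Add-Member -NotePropertyName Process  -NotePropertyValue $proc
        $f | Add-Member -NotePropertyName Expected -NotePropertyValue ($f.Port -in $Expected[$f.Protocol])
    }
    $found | Sort-Object Expected, Protocol, Port
}

# Rows with Expected = False are reachable from the Internet unless an inbound
# firewall rule on the public profile blocks them; check those rules with
# Get-NetFirewallRule -Direction Inbound -Enabled True before dismissing a row.
Get-DAInternetExposure | Format-Table -AutoSize
```

Typical unexpected rows on a freshly built server are management listeners such as WinRM (TCP 5985/5986), RDP (TCP 3389) and SMB (TCP 445) bound to the wildcard address; they belong on the internal adapter only, enforced by a firewall rule scoped to that interface.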
Network Infrastructure
DirectAccess traffic between client and server is always IPv6: the IPsec tunnels, the name resolution policy lookups and the intranet traffic carried inside the tunnels all use IPv6 addresses. What varies is the infrastructure that carries that IPv6 traffic across the Internet and the intranet, and that is what you plan for:
- IPv4
- IPv6
- IP-HTTPS
- 6to4
- Teredo
- ISATAP
IPv4
Most clients connect from IPv4-only networks (home broadband, hotel and mobile networks) and most intranets are still IPv4. DirectAccess handles both: on the Internet side the IPv6 packets are tunnelled inside IPv4 by 6to4, Teredo or IP-HTTPS, and on the intranet side the DirectAccess server runs NAT64 and DNS64 so that clients can reach IPv4-only internal servers by name. The server needs either public IPv4 addresses (edge topology; two consecutive ones if Teredo is to be offered) or a private address behind a NAT device that forwards TCP 443 to it. Clients do not need a public IPv4 address except to use 6to4; Teredo and IP-HTTPS work from behind NAT.
IPv6
If the client has native global IPv6 connectivity and the DirectAccess server's Internet adapter has a global IPv6 address, the client talks to the server directly and no transition technology is involved. A native IPv6 intranet likewise needs no NAT64/DNS64 and no ISATAP. This is the simplest and fastest path, but you cannot plan on it alone: clients try native IPv6 first and fall back through 6to4, Teredo and IP-HTTPS, so the IPv4-side infrastructure must be in place regardless.
IP-HTTPS
IP-HTTPS encapsulates IPv6 packets in an HTTPS session to the DirectAccess server's public DNS name on TCP 443, which is why it works from almost anywhere, including behind NAT devices and web proxies that block Teredo and 6to4. It is the transport every client tries last and the only one available when the server is behind NAT. It requires an SSL certificate on the server whose subject matches the public name, and the certificate's CRL distribution point must be reachable by clients on the Internet, because the client checks revocation before it brings the IP-HTTPS interface up; a certificate from a public CA avoids distributing a private root to clients. Windows 8 and later clients negotiate a null cipher for the IP-HTTPS layer because the traffic inside is already protected by IPsec; Windows 7 clients encrypt twice, which is why IP-HTTPS was the most expensive transport for that generation.
6to4
6to4 encapsulates IPv6 in IPv4 using IP protocol 41 and derives the client's IPv6 address from its public IPv4 address, so it only works when the client itself has a public IPv4 address and is not behind NAT. The DirectAccess server's public IPv4 address acts as the 6to4 relay. Because few client networks qualify and many firewalls drop protocol 41, 6to4 carries a small fraction of clients, and many deployments disable it to reduce the number of transports that must be secured and troubleshot.
Teredo
Teredo encapsulates IPv6 in UDP (port 3544) and is designed to traverse NAT, so it is the usual transport for clients on home and small-office networks when the server is in the edge topology. It requires two consecutive public IPv4 addresses on the server's Internet adapter (the pair is used to detect the client's NAT type) and does not work through symmetric NATs or where outbound UDP is blocked, in which case the client falls back to IP-HTTPS. Teredo is not available when the DirectAccess server is behind NAT.
ISATAP
ISATAP is an intranet technology, not an Internet transport: it gives IPv4-only internal hosts an IPv6 address tunnelled over the intranet IPv4 network so that they can initiate connections to DirectAccess clients. You need it only for "manage out" scenarios, where IPv4-only management servers on the intranet must reach remote clients (remote desktop, software distribution, remote PowerShell); client-initiated access to IPv4-only servers already works through NAT64/DNS64. Microsoft does not recommend ISATAP for production: deploy native IPv6 on the intranet instead, or enable ISATAP only on the management hosts that need it.
DirectAccess Client Deployment Options
A DirectAccess client picks its transport automatically, in this order: native IPv6, then 6to4, then Teredo, then IP-HTTPS. The two ends of that list are the ones you design for:
- Native IPv6
- IP-HTTPS
Native IPv6
A client with a global IPv6 address from an IPv6-capable ISP connects to the DirectAccess server's IPv6 address directly; no transition tunnel is involved and the only things between client and server are the IPsec tunnels. 6to4, Teredo and ISATAP are not sources of native IPv6 connectivity: they are tunnels over IPv4, and 6to4 and Teredo are what the client falls back to when no native IPv6 path exists.
IP-HTTPS
IP-HTTPS is the transport that works from any network with outbound HTTPS and the only one possible when the server is behind NAT. Planning for it means publishing the server's public name in Internet DNS, installing a matching certificate with a CRL that clients can reach, and deciding whether to disable 6to4 and Teredo on clients so that IP-HTTPS is the single transport; that simplifies firewall rules (TCP 443 only) and troubleshooting, at the cost of the lower overhead Teredo offered Windows 7 clients that had to encrypt IP-HTTPS twice.
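The transport selection and fallback described in the two sections above can be observed on the client. The following report is an added example, not part of the original post: it runs on a Windows 8.1/10/11 Enterprise DirectAccess client and shows which transition technology is active, whether the two IPsec tunnels are up, and whether the Name Resolution Policy Table (NRPT) sends intranet names through the tunnel. All cmdlets are in-box; the intranet DNS suffix is an assumption. A second function applies the IP-HTTPS-only choice discussed above by disabling the transports that can never succeed behind NAT.

```powershell
# Added example, not from the original post. Run on a DirectAccess client to see
# which transport carries the IPv6 DirectAccess traffic, whether the IPsec
# tunnels are up and whether the NRPT steers intranet names into the tunnel.
# The intranet suffix is an assumption; every cmdlet used is built into Windows.
function Get-DATransportReport {
    param([string]$IntranetSuffix = '.corp.contoso.com')

    $r = [ordered]@{}

    # What the DirectAccess client itself reports (Windows 8 and later only).
    $status = Get-DAConnectionStatus -ErrorAction SilentlyContinue
    $r.Status    = if ($status) { $status.Status }    else { 'n/a' }
    $r.Substatus = if ($status) { $status.Substatus } else { 'n/a' }

    # Transition technologies, in the order the client tries them.
    $r.NativeIPv6 = [bool](Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.PrefixOrigin -in 'RouterAdvertisement', 'Dhcp' -and
                       $_.InterfaceAlias -notmatch '6TO4|Teredo|IPHTTPS|isatap' })
    $r.SixToFour  = (Get-Net6to4Configuration).State
    $r.Teredo     = (Get-NetTeredoState).State          # Offline, Qualified, Dormant, ...
    $r.IPHttps    = (Get-NetIPHttpsState).InterfaceStatus
    $r.IPHttpsUrl = (Get-NetIPHttpsConfiguration).ServerURL

    # IPsec: DirectAccess builds an infrastructure tunnel and an intranet tunnel,
    # so a healthy client shows main-mode and quick-mode SAs towards the server.
    $r.MainModeSAs  = @(Get-NetIPsecMainModeSA  -ErrorAction SilentlyContinue).Count
    $r.QuickModeSAs = @(Get-NetIPsecQuickModeSA -ErrorAction SilentlyContinue).Count

    # NRPT: the intranet suffix must resolve via the DirectAccess DNS64 address
    # inside the tunnel, never via the local (Internet) resolver.
    $nrpt = Get-DnsClientNrptPolicy | Where-Object { $_.Namespace -eq $IntranetSuffix }
    $r.NrptDirectAccessEnabled = [bool]($nrpt.DirectAccessEnabled)
    $r.NrptDnsServers          = ($nrpt.DirectAccessDnsServers -join ', ')

    [pscustomobject]$r
}

# For deployments that standardise on IP-HTTPS (for example because the server
# sits behind NAT), turn off the transports that can never succeed so the client
# stops probing them and there are fewer paths to secure. Set this in the
# DirectAccess client GPO for the fleet; the local commands are the per-machine
# equivalent.
function Disable-DALegacyTransports {
    Set-Net6to4Configuration   -State Disabled
    Set-NetTeredoConfiguration -Type  Disabled
    Set-NetIsatapConfiguration -State Disabled
}

Get-DATransportReport | Format-List
```

Read the report from the top: `Status` tells you whether the client believes it is remote, `IPHttps`/`Teredo` tell you which transport won, the SA counts tell you whether IPsec actually came up on it, and an empty `NrptDnsServers` explains the common symptom of a connected tunnel that still cannot resolve intranet names.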
Group Policy Settings
Group Policy is the mechanism DirectAccess uses to push its configuration. When you run the Remote Access Setup Wizard or Install-RemoteAccess, it creates two Group Policy objects (GPOs) in the domain, by default named DirectAccess Client Settings and DirectAccess Server Settings, and keeps them in sync with the configuration held on the server. The client GPO is security-filtered to the client security group(s) you specify and carries the NRPT, the IPsec connection security rules and the transition technology settings; the server GPO is filtered to the DirectAccess server computer account(s). Change these settings through the Remote Access Management Console or the DA cmdlets rather than by editing the GPOs directly, because the next change made from the console overwrites manual edits; use the Group Policy Management Console (GPMC) to verify links and security filtering.
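The security filtering on the client GPO is the control that decides which machines get an always-on tunnel, so it is worth checking independently of the Remote Access console. The function below is an added example, not part of the original post; it needs the GroupPolicy module (RSAT) and read access to the domain, and the GPO, group and domain names are assumptions.

```powershell
# Added example, not from the original post: verify that the DirectAccess
# Client Settings GPO applies only to the intended computer group(s) and is
# linked and enabled. GPO, group and domain names are assumptions.
Import-Module GroupPolicy

function Test-DAClientGpoScope {
    param(
        [string]$GpoName = 'DirectAccess Client Settings',
        # Compared by group name only, because GPMC reports NetBIOS\Name and the
        # RemoteAccess module may report DNS-domain\Name for the same group.
        [string[]]$AllowedGroups = @('DirectAccess Laptops'),
        [string]$Domain = 'corp.contoso.com'
    )
    $findings = @()

    # Security filtering: every trustee holding Apply Group Policy must be a
    # group we deliberately enrolled. Authenticated Users or Domain Computers
    # here means every domain machine receives the always-on tunnel.
    $appliers = @(Get-GPPermission -Name $GpoName -Domain $Domain -All |
        Where-Object { $_.Permission -eq 'GpoApply' })
    if (-not $appliers) { $findings += 'No trustee has Apply Group Policy; the client GPO is inert' }
    foreach ($p in $appliers) {
        $name = $p.Trustee.Name
        if ($name -notin $AllowedGroups) {
            $findings += "Apply Group Policy granted to unexpected trustee: $($p.Trustee.Domain)\$name"
        }
    }

    # Links: the GPO is normally linked at the domain root and filtering decides
    # who gets it; a missing or disabled link means nothing applies at all.
    $report = [xml](Get-GPOReport -Name $GpoName -Domain $Domain -ReportType Xml)
    $links  = @($report.GPO.LinksTo)
    if (-not $links) { $findings += 'GPO is not linked anywhere' }
    foreach ($l in $links) {
        if ($l.Enabled -ne 'true') { $findings += "Link to $($l.SOMPath) is disabled" }
    }

    # Cross-check with what the DirectAccess server believes it configured.
    # Only works where the RemoteAccess module is present, e.g. on the server.
    $da = Get-DAClient -ErrorAction SilentlyContinue
    if ($da) {
        foreach ($g in $da.SecurityGroupNameList) {
            $short = ($g -split '\\')[-1]
            if ($short -notin $AllowedGroups) { $findings += "Server-side client group not in allow-list: $g" }
        }
    }

    if ($findings) { $findings } else { 'OK: client GPO scoped as expected' }
}

Test-DAClientGpoScope
```

Run it from the DirectAccess server so the third check is active, and again after any change made in the Remote Access console, since that is when the GPO permissions are rewritten.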
DirectAccess Client Settings
The settings written to the DirectAccess Client Settings GPO live under the following Computer Configuration paths:
- Computer Configuration\Policies\Administrative Templates