1. LABS GALLERY: Windows 7 DirectAccess Connects Remote Clients sans VPN
by Andrew Garcia
2. Installing DirectAccess
From the Server Manager, administrators can easily install the DirectAccess feature (it’s not a Role), which also installs the Group Policy Management snap-in.
3. No Tools
DirectAccess installation must be done from the server itself, directly or via Remote Access. There is no admin pack or tool to install on a Windows desktop.
4. DirectAccess Setup
The DirectAccess setup wizard walks the administrator through the process, defining eligible client machines, the DirectAccess server, target intranet servers and core intranet directory management elements.
5. DA Clients
Base authentication is per machine, not per user. PCs are assigned to a security group eligible to use DirectAccess. This step sets up a filter that determines which machines are permitted to receive DirectAccess configuration via Group Policy.
6. Adapters
The administrator defines which NIC goes to which network.
7. Certificates
Using my domain’s certificate services, I created the certificate that is passed here to the client machines.
8. Location Server
Administrators must define a location server on the intranet. Clients check this address to determine whether they are local or remote.
9. NRPT
DirectAccess leverages a new feature in Windows 7 called the Name Resolution Policy Table. This table maps a DNS namespace to a DNS server, allowing remote clients to know when to phone home and when to go to the regular Internet.
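The location check and the NRPT lookup described in the two slides above can be modeled together. This is an added example, not code from the article or from Microsoft; it is a simplified model, and every namespace and address in it is a constructed placeholder.

```python
# Simplified model of DirectAccess client name resolution (added example).
# All names and addresses below are constructed placeholders.
from typing import Optional

# NRPT rules: namespace -> DNS server. A leading dot means "this suffix";
# no leading dot means an exact FQDN. A value of None is an exemption rule:
# the name is resolved with the adapter's normal DNS servers.
NRPT = {
    ".corp.example.com": "2001:db8:da::53",  # intranet DNS, reached via DirectAccess
    # The location server is exempted so a remote client cannot reach it
    # through the tunnel and mistake itself for a local machine.
    "nls.corp.example.com": None,
}

def match_rule(fqdn: str, table: dict) -> Optional[str]:
    """Return the most specific NRPT namespace matching fqdn, or None."""
    name = fqdn.lower().rstrip(".")
    if name in table:  # an exact FQDN rule beats any suffix rule
        return name
    # The leading dot forces a label boundary: "evilcorp.example.com"
    # does not match ".corp.example.com".
    suffixes = [ns for ns in table if ns.startswith(".") and name.endswith(ns)]
    return max(suffixes, key=len) if suffixes else None

def pick_dns_server(fqdn: str, nls_reachable: bool,
                    table: dict = NRPT, default_dns: str = "192.0.2.53") -> str:
    """Choose which DNS server a query for fqdn is sent to."""
    if nls_reachable:
        # The client reached the location server, so it is on the intranet
        # and the DirectAccess rules are not used.
        return default_dns
    rule = match_rule(fqdn, table)
    if rule is None or table[rule] is None:
        return default_dns  # no rule or exemption: regular Internet DNS
    return table[rule]      # "phone home" to the intranet DNS server

if __name__ == "__main__":
    hosts = ("fileserver.corp.example.com", "nls.corp.example.com",
             "evilcorp.example.com", "www.example.org")
    for host in hosts:
        for inside in (False, True):
            where = "local" if inside else "remote"
            print(f"{host:30} {where:6} -> {pick_dns_server(host, inside)}")
```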
10. Apply Policy
After creating the policy, I could save it and apply it immediately. My first attempt failed due to a DNS suffix problem on the DirectAccess server. I just wish the wizard could have told me that.
11. Group Policy Objects
Applying the DirectAccess policy creates Group Policy Objects that are applied to the Default Domain Policy, filtered to allowed client machines. Here is a sample policy. As it is an ADMX template, don’t ever expect to find DirectAccess ported to Windows XP (although it may be to Vista one day).
12. DNS
DirectAccess relies on IPv6 for connectivity, so internal application servers and the DNS server must support IPv6.