LABS GALLERY: Windows 7 DirectAccess Connects Remote Clients sans VPN

1 of 12

LABS GALLERY: Windows 7 DirectAccess Connects Remote Clients sans VPN

by Andrew Garcia

2 of 12

Installing DirectAccess

From the Server Manager, administrators can easily install the DirectAccess feature (it's not a Role), which also installs the Group Policy Management snap-in.

3 of 12

No Tools

DirectAccess installation must be done from the server itself, directly or via Remote Access. There is no admin pack or tool to install on a Windows desktop.

4 of 12

DirectAccess Setup

The DirectAccess setup wizard walks the administrator through the process, defining eligible client machines, the DirectAccess server, target intranet servers and core intranet directory management elements.

5 of 12

DA Clients

Base authentication is per machine, not per user. PCs are assigned to a security group eligible to use DirectAccess. This step sets up a filter, including machines permitted to receive DirectAccess configuration via Group Policy.

6 of 12


The administrator defines which NIC goes to which network.

7 of 12


Using my domain's certificate services, I created the certificate that is passed here to the client machines.

8 of 12

Location Server

Administrators must define a location server on the intranet. Clients check this address to determine whether they are local or remote.

9 of 12


DirectAccess leverages a new feature in Windows 7 called the Name Resolution Policy Table. This table maps a DNS namespace to a DNS server, allowing remote clients to know when to phone home and when to go to the regular Internet.

10 of 12

Apply Policy

After creating the policy, I could save it and apply it immediately. My first attempt failed due to a DNS suffix problem on the DirectAccess server. I just wish the wizard could have told me that.

11 of 12

Group Policy Objects

Applying the DirectAccess policy creates Group Policy Objects that are applied to the Default Domain Policy, filtered to allowed client machines. Here is a sample policy. As it is an ADMX template, don't ever expect to find DirectAccess ported to Windows XP (although it may be to Vista one day).

12 of 12


DirectAccess relies on IPv6 for connectivity, so internal application servers and the DNS server must support IPv6.