Separating Internet and Intranet Traffic

Applies To: Windows Server 2008 R2

DirectAccess can keep intranet traffic separate from Internet traffic, as shown in Figure 4, to reduce unnecessary traffic on the corporate network. Most VPNs send all traffic, including traffic destined for the Internet, through the VPN connection, which can slow both intranet and Internet access. Because Internet-bound communications do not have to travel to the corporate network and back out to the Internet, DirectAccess does not slow down Internet access.

Figure 4   The default traffic flow for DirectAccess does not send Internet traffic through the DirectAccess server

IT administrators can also choose to route all traffic, except traffic for the local subnet, through the DirectAccess server and the intranet. When this option is enabled, the DirectAccess client uses IP-HTTPS for IPv6 connectivity to the DirectAccess server, regardless of whether the DirectAccess client is behind a firewall or proxy server.

By combining this option with Windows Firewall with Advanced Security, IT administrators gain complete control over which applications can send traffic and which subnets client computers can reach. For example, IT administrators can use outbound Windows Firewall rules to:

  • Allow client computers to connect to the entire Internet, but only one specific subnet on the intranet.

  • Allow client computers to connect directly to the Internet using Internet Explorer®, but send traffic for all other applications through the intranet.

  • Prevent intranet applications from sending communications to the Internet by restricting them to specific servers on your intranet.
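The last two bullets expressed as outbound Windows Firewall rules with the netsh advfirewall command that ships with Windows 7 and Windows Server 2008 R2. This is an added example, not configuration from the original article; the application path, rule names, and 2001:db8:1:: intranet addresses are placeholders.

```batch
@echo off
rem Added example (not from the original article). Run from an elevated
rem command prompt on a DirectAccess client, or carry the same settings in
rem the Windows Firewall with Advanced Security node of a Group Policy object.
rem Placeholders: the Contoso App.exe path and the 2001:db8:1::10/11 servers.

rem 1. Make "block" the default outbound action in every profile. Windows
rem    Firewall evaluates block rules before allow rules, so a per-program
rem    block rule would override any allow rule for the same program; the
rem    restriction therefore has to come from the default action plus
rem    narrow allow rules. The built-in Core Networking rules that
rem    DirectAccess needs (IPsec, IP-HTTPS, Teredo, 6to4) stay enabled.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

rem 2. Third bullet: the intranet application may reach only its two
rem    application servers on the intranet, so it cannot send data anywhere
rem    on the Internet even while the client is away from the office.
netsh advfirewall firewall add rule name="Contoso App - intranet servers only" dir=out action=allow program="C:\Program Files\Contoso\App.exe" remoteip=2001:db8:1::10,2001:db8:1::11 enable=yes

rem 3. Second bullet: the browser may connect anywhere; every other program
rem    not covered by an explicit allow rule is dropped by the default action.
netsh advfirewall firewall add rule name="Internet Explorer - any destination" dir=out action=allow program="C:\Program Files\Internet Explorer\iexplore.exe" remoteip=any enable=yes

rem 4. Log dropped outbound connections so unexpected traffic from the
rem    restricted application shows up in pfirewall.log for review.
netsh advfirewall set allprofiles logging droppedconnections enable

rem 5. Check what was applied.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name="Contoso App - intranet servers only"
```

Pilot the blockoutbound default on a small group first, because any program without an explicit allow rule loses outbound connectivity as soon as the policy applies.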

While the default DirectAccess traffic configuration is optimized for performance, IT administrators have the flexibility they need to meet their organization’s security requirements.