DirectAccess and Third-party Host Firewalls

Applies To: Windows 7, Windows Server 2008 R2


This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (

Because DirectAccess relies on Internet Protocol security (IPsec), Authenticated Internet Protocol (AuthIP), and Windows Firewall connection security rules, Microsoft recommends that you do not disable the Windows Firewall service when using a third-party host firewall. When Windows Firewall is enabled, DirectAccess clients can use the built-in IPsec functionality and Windows Firewall connection security rules to protect DirectAccess connections and traffic.

Your third-party firewall should be certified by the Microsoft Driver Logo Program for seamless DirectAccess functionality. For a list of logo requirements and certified third-party host firewalls, see Windows Quality Online Services ( Check with your host firewall vendor to see if it supports one of the following options for seamless DirectAccess functionality:

  • Uses Windows Firewall functionality.

    Microsoft Forefront Client Security is an example.

  • Uses Windows Firewall categories and does not replace Windows Firewall connection security (IPsec).

    Windows Firewall categories allow third-party host firewalls in Windows 7 to selectively replace specific elements of Windows Firewall functionality while retaining others. Categories make it possible for third-party host firewalls to operate side-by-side with Windows Firewall.

    To determine if Windows Firewall is providing connection security when a third-party host firewall is installed, type netsh advfirewall monitor show firewall at a command prompt. In Global Settings, in the Categories section, Windows Firewall should be listed for the ConSecRuleRuleCategory category.

Third-party host firewalls should also support edge traversal to allow intranet servers and computers to initiate connections to Teredo-based DirectAccess clients for remote management. Check the documentation for your third-party host firewall to determine if edge traversal is supported and how to enable it. If supported, the documentation for your third-party firewall typically refers to this setting as NAT traversal, enabling Teredo, or IPv6 transition technologies.

For more information, see Enabling Third Party Firewall DirectAccess Clients (

For more information about Windows Firewall categories, see INetFwProduct Interface (

For more information about third-party firewall requirements for Teredo, see Teredo co-existence with third-party firewalls (