Design Your Intranet for Corporate Connectivity Detection
Applies To: Windows 7, Windows Server 2008 R2
This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (https://go.microsoft.com/fwlink/?LinkId=179988).
Computers running Windows 7 or Windows Server 2008 R2 use corporate connectivity detection to determine whether the computer can access the resources of your intranet. Corporate connectivity detection is separate from network location detection. A DirectAccess client can successfully detect corporate connectivity when it is directly connected to the intranet or when it is roaming on the Internet. Corporate connectivity determination is used for the following:
Active Directory® Domain Services (AD DS) domain members detect corporate connectivity before initiating updates of Group Policy settings.
Network Access Protection (NAP) clients use successful corporate connectivity detection to perform another health check if the NAP client determines that it is unhealthy because it could not reach a NAP health policy server in a previous heath check.
DirectAccess clients use corporate connectivity detection to determine when to use Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS). If the DirectAccess client cannot access intranet resources using Teredo, it attempts to connect to the DirectAccess server using IP-HTTPS.
Corporate connectivity detection relies on the ability to perform the following checks for different purposes, depending on the computer’s configuration:
Resolve a specific intranet fully qualified domain name (FQDN) name to a specific Internet Protocol version 6 (IPv6) address.
Determine whether an Internet Protocol security (IPsec) security association (SA) has been established for an IPv6 address that is based on the IPv6 prefix of the intranet.
Access a specific intranet Web site.
The DirectAccess Setup Wizard automatically configures the following for corporate connectivity detection:
The intranet-specific name and IPv6 address and registers the corresponding AAAA record in an intranet Domain Name System (DNS) server.
The IPv6 prefix of the intranet.
The DirectAccess Setup Wizard does not automatically configure the settings and infrastructure needed for DirectAccess clients to access a specific intranet Web site. This additional configuration is required for branch scenarios in which a Web proxy server is between the DirectAccess client and the intranet resources that it is trying to reach. This additional configuration also aids in diagnosing DirectAccess connections.
To configure settings and infrastructure needed for DirectAccess clients to access a specific intranet Web site, do the following:
Determine a Web site on your intranet that is not accessible from the Internet, is highly available, and is reachable with IPv6. To ensure its ongoing reachability with IPv6, either assign a static IPv6 address if you have a native IPv6 infrastructure or a static Internet Protocol version 4 (IPv4) address if you are using Intra-Site Automatic Tunnel Addressing Protocol (ISATAP). For example, the Contoso Corporation uses cweb.corp.contoso.com as its central, highly-available intranet Web site. This Web server uses ISATAP and a static IPv4 address.
Enable the Computer Configuration/Policies/Administrative Templates/Network/Network Connectivity Status Indicator/Corporate Website Probe URL Group Policy setting in the Group Policy object for DirectAccess clients and configure it for the highly available intranet URL. For example, enable and configure the Corporate Website Probe URL setting with https://cweb.corp.contoso.com.
If the name of the highly-available intranet Web site changes, you will have to update the Corporate Website Probe URL setting with the new URL.
You also need to add the IPv6 address for the infrastructure tunnel endpoint to the Computer Configuration/Policies/Administrative Templates/Network/Network Connectivity Status Indicator/Corporate Site Prefix List Group Policy setting in the Group Policy object (GPO) for DirectAccess clients. The IPv6 address for the infrastructure tunnel endpoint is configured in the Windows Firewall with Advanced Security connection security rule named DirectAccess Policy-ClientToDnsDc in the GPO for DirectAccess clients.
For more information, see Configure Corporate Connectivity Detection Settings in the DirectAccess Deployment Guide.
If you use the Use local name resolution if the internal network DNS servers determined that the name does not exist or if the internal network DNS servers are not reachable and the DirectAccess client computer is on a private network option for local host name resolution, the Corporate Website Probe URL setting must be specified as a FQDN, rather than an unqualified, single-label name. If you use an unqualified, single-label name, corporate connectivity detection might incorrectly detect that corporate connectivity exists and diagnostics for DirectAccess can be affected.