DirectAccess Design Guide

Applies To: Windows 7, Windows Server 2008 R2


This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (

DirectAccess is one of the most anticipated features of the Windows Server 2008 R2 operating system. DirectAccess allows remote users to securely access intranet shares, Web sites, and applications without connecting to a virtual private network (VPN). DirectAccess establishes bi-directional connectivity with a user’s intranet every time a user’s DirectAccess-enabled portable computer connects to the Internet, even before the user logs on. Users never have to think about connecting to the intranet, and information technology (IT) administrators can manage remote computers outside the office, even when the computers are not connected to the VPN. DirectAccess is supported by Windows 7 Enterprise, Windows 7 Ultimate, and Windows Server 2008 R2.

The following are the key elements of a DirectAccess solution:

  • DirectAccess client. A domain-joined computer running Windows 7 Enterprise, Windows 7 Ultimate, or Windows Server 2008 R2 that can automatically and transparently connect to an intranet through a DirectAccess server.

  • DirectAccess server. A domain-joined computer running Windows Server 2008 R2 that accepts connections from DirectAccess clients and facilitates communication with intranet resources.

  • Network location server. A server that a DirectAccess client uses to determine whether it is located on the intranet or the Internet.

  • Certificate revocation list (CRL) distribution points. Servers that provide access to the CRL that is published by the certification authority (CA) issuing certificates for DirectAccess.

For more information, see Appendix B: Reviewing Key DirectAccess Concepts.

About this guide

This guide is intended for use by an infrastructure specialist or system architect. The guide provides recommendations to help you plan a new DirectAccess deployment based on the requirements of your organization and the particular design that you want to create. It highlights your main decision points as you plan your DirectAccess deployment. Before you read this guide, you should have a good understanding of your organizational requirements and the capabilities and requirements of DirectAccess.

This guide describes a set of deployment goals that are based on the primary DirectAccess access methods. It helps you determine the most appropriate access method and corresponding design for your environment. You can use these deployment goals to create a comprehensive DirectAccess design that meets the needs of your environment.

Once you have determined your DirectAccess design, you can use the DirectAccess Deployment Guide to plan and implement your design.

This guide, combined with the DirectAccess Deployment and Troubleshooting Guides, is also available as a Microsoft Word file ( in the Microsoft Download Center.