Appendix A: DirectAccess Requirements

Applies To: Windows 7, Windows Server 2008 R2


This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide.

Review this section for information about DirectAccess server, DirectAccess client, and network infrastructure requirements.

Hardware and software requirements for Windows 7-based computers described in this section apply to both x86 (32-bit) and x64 (64-bit) systems.

Element Requirements

DirectAccess client

  • Operating system: Windows 7 Ultimate or later, Windows 7 Enterprise or later, Windows Server 2008 R2 or later

  • Member of an Active Directory Domain Services (AD DS) domain

  • Computer certificate for Internet Protocol security (IPsec) authentication

DirectAccess server

  • Operating system: Windows Server 2008 R2 or later

  • Member of an AD DS domain

  • At least two network adapters that are connected to the Internet and your intranet

  • 2 consecutive, public Internet Protocol version 4 (IPv4) addresses configured on the Internet network adapter (cannot be behind a network address translator [NAT])

  • Certificates: Computer certificate for IPsec authentication, Secure Sockets Layer (SSL) certificate for Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS)

  • If acting as a network location server, Internet Information Services (IIS) and an additional SSL certificate installed

There are no built-in limitations on the number of simultaneous DirectAccess connections that a DirectAccess server can support.
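
A pre-flight check for the DirectAccess server requirements above, as an added PowerShell example (not Microsoft's code). The function names and the sample addresses are assumptions made for illustration; the certificate check only counts machine-store certificates that have a private key and does not validate their purpose or issuer.

```powershell
# Added example, not Microsoft's code. Written for PowerShell 2.0 (Windows Server 2008 R2).
function ConvertTo-IPv4Number([string]$Address) {
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "$Address is not an IPv4 address"
    }
    $bytes = $ip.GetAddressBytes()
    [Array]::Reverse($bytes)   # network byte order -> little-endian for BitConverter
    [long][BitConverter]::ToUInt32($bytes, 0)
}

function Test-PublicIPv4([string]$Address) {
    $n = ConvertTo-IPv4Number $Address
    # Private (RFC 1918), loopback and link-local ranges are not public addresses.
    $ranges = @(
        @('10.0.0.0', '10.255.255.255'), @('172.16.0.0', '172.31.255.255'),
        @('192.168.0.0', '192.168.255.255'), @('127.0.0.0', '127.255.255.255'),
        @('169.254.0.0', '169.254.255.255')
    )
    foreach ($r in $ranges) {
        if ($n -ge (ConvertTo-IPv4Number $r[0]) -and $n -le (ConvertTo-IPv4Number $r[1])) {
            return $false
        }
    }
    return $true
}

function Test-DirectAccessServerPrereqs([string[]]$InternetAddresses) {
    if ($InternetAddresses.Count -ne 2) { throw 'Supply exactly two IPv4 addresses.' }
    $first, $second = $InternetAddresses | Sort-Object { ConvertTo-IPv4Number $_ }
    $cs       = Get-WmiObject Win32_ComputerSystem
    $adapters = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE')
    $certs    = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey })
    # Both addresses must be configured on one adapter (the Internet-facing one).
    $sameAdapter = @($adapters | Where-Object { $_.IPAddress -contains $first -and $_.IPAddress -contains $second })
    New-Object PSObject -Property @{
        DomainMember           = [bool]$cs.PartOfDomain
        AtLeastTwoAdapters     = $adapters.Count -ge 2
        AddressesPublic        = (Test-PublicIPv4 $first) -and (Test-PublicIPv4 $second)
        AddressesConsecutive   = ((ConvertTo-IPv4Number $second) - (ConvertTo-IPv4Number $first)) -eq 1
        AddressesOnOneAdapter  = $sameAdapter.Count -eq 1
        MachineCertsWithKey    = $certs.Count
    }
}

# Constructed sample addresses; replace with the addresses planned for the Internet adapter.
Test-DirectAccessServerPrereqs -InternetAddresses '131.107.0.2', '131.107.0.3' | Format-List
```

A public address on the adapter does not by itself prove the server is not behind a NAT; confirm that against the network design.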

Active Directory

At least one Active Directory domain must be deployed with at least one Windows Server 2008 R2 or Windows Server 2008-based domain controller (an Internet Protocol version 6 [IPv6]-capable domain controller and global catalog). Windows Server 2008 R2 domain or forest functional levels are not required. Workgroups are not supported. For more information about installing Active Directory, see the AD DS Installation and Removal Step-by-Step Guide.

Group Policy

Required for centralized administration and deployment of DirectAccess settings. The DirectAccess Setup wizard creates a set of Group Policy objects and settings for DirectAccess clients, the DirectAccess server, and selected servers.

Public key infrastructure (PKI)

Required to issue computer certificates for authentication, and optionally, health certificates when using Network Access Protection (NAP). External certificates are not required. For more information about setting up a PKI with Active Directory Certificate Services (AD CS), see Active Directory Certificate Services.

Domain Name System (DNS) server

At least one DNS server running Windows Server 2008 R2, Windows Server 2008 with the Q958194 hotfix, Windows Server 2008 SP2 or later, or a third-party DNS server that supports DNS message exchanges over the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP).