Design Addressing and Routing for the DirectAccess Server
Applies To: Windows 7, Windows Server 2008 R2
Important
This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (https://go.microsoft.com/fwlink/?LinkId=179988).
The DirectAccess server must be configured with addressing and routing to support the following:
Reachability from the Internet Protocol version 4 (IPv4) Internet
Reachability from your intranet for IPv4 traffic
If your intranet is connected to the Internet Protocol version 6 (IPv6) Internet, reachability from the IPv6 Internet for native IPv6 traffic
If your intranet has deployed native IPv6 connectivity, reachability from your intranet for native IPv6 traffic
The following sections describe the address and routing configuration of the DirectAccess server to support these reachability requirements.
IPv4 address and routing configuration
For the Internet interface on the DirectAccess server that is connected to the IPv4 Internet, manually configure the following:
Two static, consecutive public IPv4 addresses with the appropriate subnet masks.
A default gateway IPv4 address of your Internet firewall or local Internet service provider (ISP) router.
A connection-specific Domain Name System (DNS) suffix that is different from your intranet namespace. In most cases, you can use the DNS suffix of your ISP.
IPv4 addresses in the ranges 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 are private IPv4 addresses and cannot be used. The DirectAccess server requires two consecutive public IPv4 addresses so that it can act as a Teredo server and Windows-based Teredo clients can use the DirectAccess server to perform detection of the type of network address translator (NAT) that they are behind. For more information, see Teredo Overview (https://go.microsoft.com/fwlink/?Linkid=157322).
Important
The DirectAccess Management console sorts the public IPv4 addresses assigned to the Internet adapter alphabetically, not numerically. Therefore, the DirectAccess Management console does not consider the following sets of addresses to be consecutive: w.x.y.9 and w.x.y.10 (sorted as w.x.y.10, w.x.y.9); w.x.y.99 and w.x.y.100 (sorted as w.x.y.100, w.x.y.99); and w.x.y.1, w.x.y.2, and w.x.y.10 (sorted as w.x.y.1, w.x.y.10, w.x.y.2). Use a different set of consecutive addresses.
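The following PowerShell script is added to this topic as an example; it is not part of the original documentation or of the DirectAccess product. It reproduces the behavior described in the note above (sort the assigned addresses as strings, then look for adjacent entries that are numerically consecutive and not private) so that you can validate a candidate address set before you configure the Internet adapter. The function names are the example's own, and the addresses in the usage lines are constructed from the 203.0.113.0/24 documentation range.

```powershell
# Added example; not code from the original topic or from DirectAccess.
# Checks a set of candidate public IPv4 addresses the way the page describes
# the DirectAccess Management console behaving: the addresses are sorted as
# strings, and only entries adjacent in that order can be seen as consecutive.

function Test-PrivateIPv4Address {
    param([Parameter(Mandatory = $true)][System.Net.IPAddress]$Address)
    $o = $Address.GetAddressBytes()   # network byte order: $o[0] is the first octet
    # 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 cannot be used on the Internet adapter
    return (($o[0] -eq 10) -or
            ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
            ($o[0] -eq 192 -and $o[1] -eq 168))
}

function ConvertTo-IPv4Number {
    param([Parameter(Mandatory = $true)][System.Net.IPAddress]$Address)
    # Reverse network byte order so BitConverter reads the most significant octet first
    $bytes = $Address.GetAddressBytes()
    [Array]::Reverse($bytes)
    return [int64][BitConverter]::ToUInt32($bytes, 0)
}

function Test-DirectAccessInternetAddresses {
    # Returns the console's sort order, the consecutive pairs it can recognise in
    # that order, and whether at least one usable pair exists.
    param([Parameter(Mandatory = $true)][string[]]$Addresses)

    $sorted = New-Object 'System.Collections.Generic.List[string]'
    foreach ($a in $Addresses) {
        $ip = [System.Net.IPAddress]::Parse($a)
        if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
            throw "Not an IPv4 address: $a"
        }
        if (Test-PrivateIPv4Address $ip) {
            throw "Private IPv4 address cannot be used on the Internet adapter: $a"
        }
        $sorted.Add($a)
    }

    # The page states the console sorts alphabetically, so sort the strings ordinally
    $sorted.Sort([System.StringComparer]::Ordinal)

    $pairs = @()
    for ($i = 0; $i -lt $sorted.Count - 1; $i++) {
        $lo = ConvertTo-IPv4Number ([System.Net.IPAddress]::Parse($sorted[$i]))
        $hi = ConvertTo-IPv4Number ([System.Net.IPAddress]::Parse($sorted[$i + 1]))
        if ($hi -eq ($lo + 1)) { $pairs += ("{0}, {1}" -f $sorted[$i], $sorted[$i + 1]) }
    }

    New-Object PSObject -Property @{
        ConsoleOrder     = ($sorted -join ', ')
        ConsecutivePairs = $pairs
        Usable           = ($pairs.Count -gt 0)
    }
}

# Constructed usage: the first set is the w.x.y.9 / w.x.y.10 case from the note,
# the second is a set the console sorts and numbers the same way.
Test-DirectAccessInternetAddresses -Addresses '203.0.113.9', '203.0.113.10'
Test-DirectAccessInternetAddresses -Addresses '203.0.113.11', '203.0.113.12'
```

Run the script before assigning the addresses; if Usable is reported as false for the set you intended, choose a pair whose string order matches its numeric order, as the note above advises.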
For intranet interfaces on the DirectAccess server that are connected to your IPv4-based intranet, manually configure the following:
An IPv4 intranet address with the appropriate subnet mask.
A connection-specific DNS suffix of your intranet namespace.
Important
Do not configure a default gateway on any intranet interfaces.
To configure the DirectAccess server to reach all the locations on your intranet, do the following:
List the IPv4 address spaces for all the locations on your intranet.
Use the route add -p or netsh interface ipv4 add route commands to add the IPv4 address spaces as static routes in the IPv4 routing table of the DirectAccess server.
Note
The DirectAccess server in the DirectAccess test lab (https://go.microsoft.com/fwlink/?Linkid=150613) does not need a default route or specific routes for the intranet address space because it is directly connected to a single-subnet simulated Internet and a single-subnet simulated intranet.
IPv6 address and routing configuration
For the Internet interface on the DirectAccess server connected to the IPv6 Internet, you can use the autoconfigured address configuration provided by your ISP. Use the route print command to ensure that a default IPv6 route pointing to the ISP router exists in the IPv6 routing table. Additionally, you should manually configure a connection-specific DNS suffix that is different from your intranet namespace on the Internet interface. In most cases, you can use the DNS suffix of your ISP.
Next, determine the following:
If your ISP and your intranet routers are using default router preferences as described in RFC 4191.
If your ISP is using a higher default router preference than your local intranet routers.
If both of these are true, no other configuration for the default route is needed. The higher preference for the ISP router ensures that the active default IPv6 route of the DirectAccess server points to the IPv6 Internet.
If you are not using default router preference levels, configure your intranet interfaces with the netsh interface ipv6 set interface InterfaceIndex ignoredefaultroutes=enabled command. This command ensures that additional default routes pointing to intranet routers are not added to the IPv6 routing table. You can obtain the InterfaceIndex of your intranet interfaces from the display of the netsh interface show interface command.
Additionally, you must configure a connection-specific DNS suffix of your intranet namespace on the intranet interface.
To configure the DirectAccess server to reach all the IPv6 locations on your intranet, do the following:
List the IPv6 address spaces for all the locations on your intranet.
Use the netsh interface ipv6 add route command to add the IPv6 address spaces as static routes in the IPv6 routing table of the DirectAccess server.
Note
The instructions in this section only apply if your organization has deployed native IPv6 connectivity and the DirectAccess server is connected to the IPv6 Internet through an IPv6-capable ISP.
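The following PowerShell script is added as an example and is not taken from the original topic or from the DirectAccess product. It applies the intranet routing steps of both the IPv4 and the IPv6 sections with netsh (persistent static routes for every intranet address space, and ignoredefaultroutes on the intranet interface for the case where RFC 4191 router preferences are not in use), and then lists the IPv4 default routes so that you can confirm that only the Internet adapter carries one. The interface name, address spaces and next-hop addresses are constructed placeholders to replace with your own values, and the function names are the example's own. Run it from an elevated PowerShell prompt on the DirectAccess server.

```powershell
# Added example; not code from the original topic or from DirectAccess.
# Placeholder values (constructed): replace with the connection name of your
# intranet adapter, your intranet routers, and your intranet address spaces.
$IntranetInterface = 'Intranet'
$IPv4NextHop       = '10.1.1.1'            # intranet router reachable from that adapter
$IPv6NextHop       = '2001:db8:0:1::1'
$IPv4Spaces        = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')
$IPv6Spaces        = @('2001:db8:1::/48', '2001:db8:2::/48')

function Add-IntranetRoutes {
    # Adds one persistent static route per address space through the intranet router.
    param(
        [Parameter(Mandatory = $true)][ValidateSet('ipv4', 'ipv6')][string]$Family,
        [Parameter(Mandatory = $true)][string[]]$Prefixes,
        [Parameter(Mandatory = $true)][string]$NextHop,
        [Parameter(Mandatory = $true)][string]$Interface
    )
    foreach ($prefix in $Prefixes) {
        # store=persistent keeps the route across restarts, as route add -p does for IPv4.
        # Each tag=value pair is passed as a single argument so interface names with
        # spaces reach netsh intact.
        $output = & netsh interface $Family add route "prefix=$prefix" "interface=$Interface" "nexthop=$NextHop" store=persistent 2>&1
        if ($LASTEXITCODE -ne 0) {
            Write-Warning ("Could not add {0} via {1}: {2}" -f $prefix, $NextHop, ($output -join ' '))
        }
    }
}

function Set-IntranetIgnoreDefaultRoutes {
    # Stops router advertisements from intranet routers from installing extra IPv6
    # default routes. The topic gives this command by interface index; set interface
    # also accepts the connection name, which is used here.
    param([Parameter(Mandatory = $true)][string]$Interface)
    & netsh interface ipv6 set interface "interface=$Interface" ignoredefaultroutes=enabled
}

function Get-IPv4DefaultRoutes {
    # Lists every IPv4 default route with the adapter it is bound to, so you can
    # verify that no intranet adapter has a default gateway configured.
    Get-WmiObject -Class Win32_IP4RouteTable -Filter "Destination='0.0.0.0'" | ForEach-Object {
        $route   = $_
        $adapter = Get-WmiObject -Class Win32_NetworkAdapter -Filter ("InterfaceIndex={0}" -f $route.InterfaceIndex)
        New-Object PSObject -Property @{
            Interface = $adapter.NetConnectionID
            Gateway   = $route.NextHop
            Metric    = $route.Metric1
        }
    }
}

Add-IntranetRoutes -Family ipv4 -Prefixes $IPv4Spaces -NextHop $IPv4NextHop -Interface $IntranetInterface
Add-IntranetRoutes -Family ipv6 -Prefixes $IPv6Spaces -NextHop $IPv6NextHop -Interface $IntranetInterface
Set-IntranetIgnoreDefaultRoutes -Interface $IntranetInterface
Get-IPv4DefaultRoutes | Format-Table Interface, Gateway, Metric -AutoSize
```

After the script runs, the last table should show a default route only on the Internet adapter. Use netsh interface ipv4 show route store=persistent and netsh interface ipv6 show route store=persistent to review the routes that were added, and route print to confirm the active default IPv6 route points to the ISP router, as described in the IPv6 section.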