Where to Place the DirectAccess Server
Applies To: Windows 7, Windows Server 2008 R2
Important
This topic describes design considerations for DirectAccess in Windows Server 2008 R2. For the design considerations of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Design Guide (https://go.microsoft.com/fwlink/?LinkId=179988).
Because DirectAccess servers provide intranet connectivity to DirectAccess clients on the Internet, DirectAccess servers are installed in your perimeter network, typically between your Internet-facing firewall and your intranet. The following figure shows an example.
The DirectAccess server must be joined to an Active Directory domain, running Windows Server 2008 R2, and have at least two physical network adapters installed.
The DirectAccess server must have at least two, consecutive public Internet Protocol version 4 (IPv4) addresses assigned to the interface that is connected to the perimeter network, or, in the absence of an Internet firewall, connected directly to the Internet. Addresses in the ranges 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 are private IPv4 addresses and cannot be used.
The DirectAccess server requires two consecutive public IPv4 addresses so that it can act as a Teredo server and Windows-based Teredo clients can use the DirectAccess server to perform detection of the type of network address translator (NAT) that they are behind. For more information, see Teredo Overview (https://go.microsoft.com/fwlink/?Linkid=157322).
Note
The DirectAccess Management console sorts the public IPv4 addresses assigned to the Internet adapter alphabetically. Therefore, the DirectAccess Management console does not consider the following sets of addresses as consecutive: w.x.y.9 and w.x.y.10, which is sorted as w.x.y.10, w.x.y.9; w.x.y.99 and w.x.y.100, which is sorted as w.x.y.100, w.x.y.99; w.x.y.1, w.x.y.2, and w.x.y.10, which is sorted as w.x.y.1, w.x.y.10, w.x.y.2. Use a different set of consecutive addresses.
On the DirectAccess server, you install the DirectAccess Management Console feature through Server Manager. You use the DirectAccess management console to configure DirectAccess settings for the DirectAccess server and clients and monitor the status of the DirectAccess server. DirectAccess servers should not host any other primary functions; they should be dedicated to DirectAccess.