Direct Access from the Sky

DA from the SkyI attended an internal Microsoft conference in Atlanta last week and need to catch a flight to Seattle for a training session this morning. Delta was providing onboard Wi-Fi internet access on the flight so I was willing to pay $12 to give it a try……I am a geek after allSmile Having access to email and web was great on the flight and allowed me to be productive on the 5 hour flight. Once the Wi-Fi was connected, I of course wanted to connect to link in an email message to a SharePoint site from a inside Microsoft. This was available to me securely and with no user intervention (VPN login, smart card, etc) as my Windows 7 laptop has DirectAccess enabled.

For those who have not seen me present on Direct Access in the past, DirectAccess in my opinion is the single greatest innovation we have added to the Windows platform in the last 5 years. Why when we have added so many great features and security enhancements across the Windows Server and Client? Well simply put, it makes everyone's life with a corporate computer easier.

Enhance mobility and manageability with DirectAccess

  • Working outside the office is easier than ever. DirectAccess in Windows 7 and Windows Server 2008 R2 enhances the productivity of mobile workers by connecting them seamlessly and more securely to their corporate network any time they have Internet access—without the need to VPN. When your IT department enables DirectAccess, the corporate network’s file shares, intranet websites, and line-of-business applications remain accessible wherever you have an Internet connection.

  • Manage remote machines more effectively. Flexibility gives IT the opportunity to service remote machines on a regular basis and ensure that mobile users stay up to date with company policies. With DirectAccess, IT administrators can manage mobile computers by updating Group Policy settings and distributing software updates any time the mobile computer has Internet connectivity, even if the user is not logged on.

  • Enhance security and access control. To keep data safer as it travels public networks, DirectAccess uses IPv6-over-IPsec to encrypt communications transmitted across the Internet. DirectAccess is designed to reduce unnecessary traffic on the corporate network by sending only traffic destined for the corporate network through the DirectAccess server (running Windows Server 2008 R2), or the administrator can choose to send all traffic through the corporate network. In addition to authenticating the computer, DirectAccess can also authenticate the user and supports multifactor authentication, such as a smart card. IT administrators can configure which intranet resources specific users can access using DirectAccess.

  • If you want more information, here is some documentation on what you need. Basic requirements:

Element Requirements

DirectAccess client

  • Operating system: Windows 7 Ultimate or later, Windows 7 Enterprise or later, Windows Server 2008 R2 or later
  • Member of an Active Directory Domain Services (AD DS) domain
  • Computer certificate for Internet Protocol security (IPsec) authentication

DirectAccess server

  • Operating system: Windows Server 2008 R2 or later
  • Member of an AD DS domain
  • At least two network adapters that are connected to the Internet and your intranet
  • 2 consecutive, public Internet Protocol version 4 (IPv4) addresses configured on the Internet network adapter (cannot be behind a network address translator [NAT])
  • Certificates: Computer certificate for IPsec authentication, Secure Sockets Layer (SSL) certificate for Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS)
  • If acting as a network location server, Internet Information Services (IIS) and an additional SSL certificate installed

Active Directory

At least one Active Directory domain must be deployed with at least one Windows Server 2008 R2 or Windows Server 2008-based domain controller (an Internet Protocol version 6 [IPv6]-capable domain controller and global catalog). Windows Server 2008 R2 domain or forest functional levels are not required. Workgroups are not supported. For more information about installing Active Directory, see the AD DS Installation and Removal Step-by-Step Guide (

Group Policy

Required for centralized administration and deployment of DirectAccess settings. The DirectAccess Setup wizard creates a set of Group Policy objects and settings for DirectAccess clients, the DirectAccess server, and selected servers.

Public key infrastructure (PKI)

Required to issue computer certificates for authentication, and optionally, health certificates when using Network Access Protection (NAP). External certificates are not required. For more information about setting up a PKI with Active Directory Certificate Services (AD CS), see Active Directory Certificate Services (

Domain Name System (DNS) server

At least one running Windows Server 2008 R2, Windows Server 2008 with the Q958194 hotfix (, Windows Server 2008 SP2 or later, or a third-party DNS server that supports DNS message exchanges over the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP).

Technical Overview of DirectAccess in Windows 7 and Windows Server 2008 R2

Test Lab Guide: Demonstrate DirectAccess with Network Access Protection (NAP)

Test Lab Guide: Troubleshoot DirectAccess with Network Access Protection (NAP)

Test Lab Guide: Troubleshoot DirectAccess

Windows 2008 R2 Direct Access Server Management Pack for SC Operations Manager 2007 SP1



Comments (0)

Skip to main content