In this step of the DirectAccess Setup wizard (step 4), you configure settings for end-to-end authentication and protected communication with application servers on your internal network. For the initial configuration of DirectAccess application server settings from the DirectAccess snap-in, expand the DirectAccess node, click the Setup node, and then click Configure for step 4. You cannot click Configure for step 4 until you have completed the configuration for step 3. To change application server settings, click Edit for step 4.

Before doing step 4, determine the following:

  • Whether you want DirectAccess clients to perform end-to-end authentication and data protection for specific internal network servers. If so, create security groups that contain the computer accounts of those internal network servers.

  • Whether you want to restrict communication from DirectAccess clients to only those servers that are members of specific security groups.

  • Whether you have network equipment that cannot forward IPsec-protected traffic.

On the DirectAccess Application Server Setup page, if you do not want DirectAccess clients to perform end-to-end authentication with internal network servers, select Require no additional end-to-end authentication.

If you want DirectAccess clients to perform end-to-end authentication for internal network servers, select Allow selected servers to perform end-to-end authentication and traffic protection for the specified servers, and then click Add to specify the security groups that contain the internal network servers.

To restrict the access of DirectAccess clients to the set of servers that are the members of the specified security groups, select Allow access to only those servers in the selected security groups.

It is not possible to use the DirectAccess Setup wizard to configure limited access to a specific set of servers without end-to-end authentication and optional data protection. To configure this scenario, you must modify the resulting connection security rules that are applied to DirectAccess clients. For more information, see the DirectAccess home page on Microsoft TechNet (https://go.microsoft.com/fwlink/?LinkId=142598).

If you have network equipment that discards or cannot analyze IPsec-protected traffic, select Configure the IPsec connection security rules on these servers to perform authentication without traffic protection. With this setting enabled, DirectAccess clients and the specified internal network servers still perform end-to-end IPsec authentication, but they do not use IPsec protection to provide data integrity or privacy for the packets sent between them, so that traffic is readable and modifiable by any device on the path.
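As an added example (not from this page and not output of the wizard), the two end-to-end modes described above expressed as connection security rules with netsh advfirewall consec, the tool you would use to inspect or adjust the rules the wizard applies to DirectAccess clients. The rule names, the IPv6 prefix of the application servers, the CA name and the qmsecmethods values are assumptions; confirm the parameter syntax on your own server with netsh advfirewall consec add rule ? before applying anything.

```powershell
# Added example with constructed values; run from an elevated prompt on a
# DirectAccess client (the wizard normally delivers equivalent rules by GPO).

# 1. Review the connection security rules the wizard already applied, so you
#    know which rule covers the application servers before changing anything.
netsh advfirewall consec show rule name=all

# 2. End-to-end authentication WITH traffic protection. endpoint2 is the
#    (assumed) IPv6 prefix of the application servers. Computer certificate
#    plus user Kerberos authentication; ESP with SHA-1 integrity and AES-128
#    encryption supplies both data integrity and privacy.
netsh advfirewall consec add rule `
    name="DirectAccess - App servers (auth + protection)" `
    endpoint1=any endpoint2=2001:db8:1::/64 `
    action=requireinrequireout `
    auth1=computercert auth1ca="CN=Contoso Root CA" `
    auth2=userkerb `
    qmsecmethods=esp:sha1-aes128+60min+100000kb

# 3. The same servers when equipment on the path cannot forward ESP or AH:
#    authentication only, no encapsulation. Peers still prove identity with
#    IPsec, but packets travel unprotected, so integrity and privacy are NOT
#    provided. 'authnoencap' is the Windows 7 / Server 2008 R2 keyword for this
#    mode (assumption: verify with 'netsh advfirewall consec add rule ?').
netsh advfirewall consec add rule `
    name="DirectAccess - App servers (auth only)" `
    endpoint1=any endpoint2=2001:db8:1::/64 `
    action=requireinrequireout `
    auth1=computercert auth1ca="CN=Contoso Root CA" `
    auth2=userkerb `
    qmsecmethods=authnoencap:sha1+60min+100000kb
```

Because rule 3 leaves payloads in the clear, keep its endpoint2 scope to the servers that genuinely sit behind the problematic equipment rather than widening it to the whole internal prefix.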

Additional references