In this step of the DirectAccess Setup wizard (step 3), you configure settings for infrastructure servers. For the initial configuration of DirectAccess server settings in the DirectAccess snap-in, expand the DirectAccess node, click the Setup node, and then click Configure for step 3. You cannot click Configure for step 3 until you have finished the configuration for step 2. To change infrastructure server settings, click Edit for step 3.
Before performing step 3, determine the following:
- Whether a highly available internal network Web server can act as the DirectAccess network location server and has an HTTPS-based uniform resource locator (URL) on that Web server. This is optional but highly recommended.
- The set of Domain Name System (DNS) namespaces that correspond to internal network resources (for example, contoso.com).
- The Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6) addresses of the internal network DNS servers that you want answering name queries for DirectAccess clients.
- The host names, IPv4 addresses, or IPv6 addresses of the management servers on your internal network that you want to initiate communications with DirectAccess clients. Management servers can include servers that distribute updates or perform software or hardware inventories.
When you click Configure or Edit for step 3, there are pages in the wizard to configure the network location server, DNS and domain controllers, and management servers.
On the Location page, you specify the network location server, which is a server that a DirectAccess client uses to determine whether it is located on the internal network or the Internet. If the DirectAccess client can reach the network location server and access a specified Web page, the DirectAccess client determines that is on the internal network and DirectAccess functionality is not used.
You can specify whether the network location server function is on the DirectAccess server or another server on your internal network.
- If the network location server function is not on the DirectAccess server (recommended), you must type an HTTPS-based URL of a Web page on that server.
- If the network location server function is on the DirectAccess server, you must specify the certificate that is used for authentication of HTTPS-based connections between DirectAccess clients and the DirectAccess server.
In both cases, the network location server must be highly available and is a critical element of the DirectAccess infrastructure. If the network location server cannot be reached on the internal network, DirectAccess clients will enable DirectAccess functionality while they are located on the internal network, which can impair their ability to reach internal network resources.
DNS and domain controller
On the DNS and Domain Controller page, you configure the Name Resolution Policy Table (NRPT) and DirectAccess client name resolution behavior.
The NRPT is a table that DirectAccess clients use to determine where to send their DNS name requests. Entries consist of a DNS domain name that can represent the fully qualified domain name (FQDN) of a specific computer (such as emailsrv21.europe.contoso.com) or a portion of the DNS namespace (such as contoso.com) and a corresponding set of addresses for DNS servers that serve the FQDN or namespace. If no DNS server addresses are specified, the entry is an exemption entry. If a DNS name matches an entry in the NRPT containing the addresses of DNS servers, the DirectAccess client sends the name query to the specified internal network DNS servers. If a DNS name matches an entry in the NRPT that does not contain addresses of DNS servers or does not match an entry in the NRPT, the DirectAccess client sends the name query to an Internet-facing DNS server.
The NRPT might have an existing entry based on the DNS suffix and DNS server configuration of the DirectAccess server. The NRPT might also have an exemption entry corresponding to the network location server. This entry is added so that DirectAccess clients that are on the Internet never attempt to resolve the name of the network location server by using an internal network DNS server.
To add more entries, right-click an empty row, and then click New. Alternately, you can double-click an empty row. In the Namespace Access Information dialog box, type the DNS suffix and specify the set of IPv4 or IPv6 addresses for the internal network DNS servers that resolve names ending with the DNS suffix. After you specify the IPv4 or IPv6 addresses, click Validate to test whether the DNS servers are running and reachable from the DirectAccess server.
To edit an entry in the NRPT, right-click the entry, and then click Edit. Alternately, you can double-click the existing entry. To delete an entry from the NRPT, right-click the entry, and then click Delete.
Name resolution behavior
On the DNS and Domain Controller page, you can also specify the local name resolution behavior of DirectAccess clients. Local name resolution is the use of name resolution techniques that do not include checking the entries in the DNS resolver cache and the querying of internal network DNS servers. These techniques include using Internet-facing DNS servers and querying the local subnet.
You have three options:
- Use local name resolution only if the internal network DNS servers determined that the name does not exist
This is the most secure option because the DirectAccess client will only send DNS queries to Internet-facing DNS servers for server names that cannot be resolved.
- Use local name resolution if the internal network DNS servers determined that the name does not exist or if the internal network DNS servers are not reachable and the DirectAccess client computer is on a private network
This option is recommended because it allows the resolution of names on a separate internal network.
- Use local name resolution if there is any type of error when attempting to resolve the name using internal network DNS servers
This is the least secure option because the names of internal network servers that the DirectAccess client is attempting to resolve can be sent out to Internet-facing DNS servers, allowing an eavesdropper between the DirectAccess client and the Internet-facing DNS server to determine the names of internal network servers.
On the Management page, you configure the list of IPv4 or IPv6 addresses of internal network servers that you want to initiate communications with DirectAccess clients. These servers are typically management servers that contact DirectAccess client computers to perform management functions such as software or hardware inventory assessments or to install updates. Only the DirectAccess clients that are members of the security groups specified in step 1 of the DirectAccess Setup wizard can be contacted by the management servers specified on the Management page.
To add a management server, right-click an empty row, and then click New. Alternately, you can double-click an empty row. In the IPv4 Address or IPv6 Address/Prefix dialog boxes, you can obtain an IPv4 or IPv6 address from the host name of the server or type it manually:
- To obtain an IPv4 or IPv6 address from the host name, select Host name of the specific machine, and then type the name of the server. Click Check Name to resolve the name to its registered addresses. Click one of the addresses, and then click OK.
- To manually specify an IPv4 address, select IPv4 address in the IPv4 Address dialog box, and then type the address. When you are done, click OK.
- To manually specify an IPv6 address or prefix, select IPv6 address or IPv6 prefix in the IPv6 Address/Prefix dialog box, and then type the address or prefix. When you are done, click OK.
To edit an IPv4 address or an IPv6 address or prefix entry in the list, right-click the entry, and then click Edit. To delete an entry, right-click the entry, and then click Delete.