DirectAccess and ISA server

by Marin Franković on 14 July, 2009

DirectAccessIn the past couple of months I did several sessions on Windows Server 2008 R2 and one of his great new features, DirectAccess. VPN technologies have one big disadvantage over DirectAccess, and that is that every time user has to start connection manually. Also, one of the questions is, why DirectAccess server need two consecutive public IP addresses. It is because computer account uses one to connect to DirectAccess server and it is used to manage computer from internal network and second IP address is used when user logs in and authenticates on Domain Controller of local network.

Can DirectAccess server be behind NAT? No. So, you can not put it behind ISA server. You can not install ISA on DirectAccess server since ISA is 32 bit application and it wouldn’t work on Windows Server 2008 R2. The solution will come in form of TMG, the new version of ISA server which has built in rules and protocols that support DirectAccess server feature in Windows Server 2008 R2.

More info on this can be found on this link. Technical white paper on DirectAccess.

{ 2 comments… read them below or add one }

MS July 14, 2009 at 10:02

Isn’t there an option in ISA to use public addresses in DMZ and use routing between outside and dmz interface? Lots of companies use public IP addresses in their DMZ and open only needed ports (e.g. 80 for web server). I am not very familiar with architecture of DirectAccess but I don’t see why it shouldn’t work with DirectAccess server placed in DMZ with public IP addresses?


Marin July 14, 2009 at 10:06

Hi Marinko,
as I sed before, I am not ISA server expert. So please be sure to read Thomas Shinders (ISA server guru) blog entry on this subject. Link is in my blog. 🙂


Leave a Reply

Previous post:

Next post: