In this step of the DirectAccess Setup wizard (step 2), you configure settings for the DirectAccess server. For the initial configuration of DirectAccess server settings in the DirectAccess snap-in, expand the DirectAccess node, click the Setup node, and then click Configure for step 2. You cannot click Configure for step 2 until you have finished the configuration for step 1. To change DirectAccess server settings, click Edit for step 2.
Before performing step 2, see Checklist: Install and Configure Single-Server DirectAccess for DirectAccess server hardware and configuration requirements.
When you click Configure or Edit for step 2, there are pages in the wizard to configure connectivity, IPv6 prefixes for your organization if you have already deployed IPv6, and certificate use.
On the Connectivity page, you must specify the network connection (interface) that is attached to the Internet and the network connection that is attached to your internal network. You can click Details to obtain the configuration of the selected network connection.
If you are testing DirectAccess on your internal network, the Internet network connection must not be connected to a network that contains a domain controller.
On the Connectivity page, you can also specify whether you require remote users to use smart cards when performing authentication with the DirectAccess server. For more information about smart cards, see Windows Authentication (http://go.microsoft.com/fwlink/?LinkId=146076).
If you already have native IPv6 deployed on your network, the Prefix Configuration page allows you to specify the 48-bit IPv6 address prefix that your entire internal network uses. You must use a 48-bit prefix.
The DirectAccess Setup wizard determines a default prefix based on the first global IPv6 address that is assigned to your internal network interface. If your internal network interface has multiple IPv6 addresses assigned and you do not want to use the prefix of the first address that is assigned to your internal network interface, you can manually specify the correct prefix. To view the set of IPv6 addresses assigned to your internal network interface, click Details on the Connectivity page.
The DirectAccess Setup wizard also determines a 64-bit prefix for IP-HTTPS connections. You must use a 64-bit prefix. The DirectAccess Setup wizard determines a default prefix based on the 48-bit internal network prefix, and then chooses a value for the Subnet ID portion of the prefix (the fourth block of the 64-bit prefix). You can also manually specify the correct 64-bit prefix based on your subnetting scheme. The 64-bit prefix must be based on the 48-bit prefix for the internal network.
On the Certificate Components page, you must specify the following:
- The certificate for the root or intermediate
certification authority (CA) in the certification path of the
computer certificates that are installed on DirectAccess clients.
The DirectAccess server uses this root or intermediate CA
certificate to validate the computer certificates sent by the
DirectAccess client computers during the initial connection to the
- A certificate that the DirectAccess server
uses for connectivity over IP-HTTPS. Because DirectAccess clients
perform certificate revocation checking on the HTTPS certificate
submitted by the DirectAccess server, you must ensure that the
certificate revocation list (CRL) distribution points configured in
this certificate are accessible and available from the Internet. If
these CRL distribution points are not accessible to DirectAccess
clients, authentication fails for IP-HTTPS-based DirectAccess
connections. For information about configuring CRL distribution
points for Active Directory Certificate Services (AD CS), see
Specify CRL Distribution Points (http://go.microsoft.com/fwlink/?LinkId=145848).