In this step of the DirectAccess Setup wizard (step 2), you configure settings for the DirectAccess server. For the initial configuration of DirectAccess server settings in the DirectAccess snap-in, expand the DirectAccess node, click the Setup node, and then click Configure for step 2. You cannot click Configure for step 2 until you have finished the configuration for step 1. To change DirectAccess server settings, click Edit for step 2.

Before performing step 2, see Checklist: Install and Configure Single-Server DirectAccess for DirectAccess server hardware and configuration requirements.

When you click Configure or Edit for step 2, there are pages in the wizard to configure connectivity, IPv6 prefixes for your organization if you have already deployed IPv6, and certificate use.


On the Connectivity page, you must specify the network connection (interface) that is attached to the Internet and the network connection that is attached to your internal network. You can click Details to obtain the configuration of the selected network connection.


If you are testing DirectAccess on your internal network, the Internet network connection must not be connected to a network that contains a domain controller.

On the Connectivity page, you can also specify whether you require remote users to use smart cards when performing authentication with the DirectAccess server. For more information about smart cards, see Windows Authentication (

Prefix configuration

If you already have native IPv6 deployed on your network, the Prefix Configuration page allows you to specify the 48-bit IPv6 address prefix that your entire internal network uses. You must use a 48-bit prefix.

The DirectAccess Setup wizard determines a default prefix based on the first global IPv6 address that is assigned to your internal network interface. If your internal network interface has multiple IPv6 addresses assigned and you do not want to use the prefix of the first address that is assigned to your internal network interface, you can manually specify the correct prefix. To view the set of IPv6 addresses assigned to your internal network interface, click Details on the Connectivity page.

The DirectAccess Setup wizard also determines a 64-bit prefix for IP-HTTPS connections. You must use a 64-bit prefix. The DirectAccess Setup wizard determines a default prefix based on the 48-bit internal network prefix, and then chooses a value for the Subnet ID portion of the prefix (the fourth block of the 64-bit prefix). You can also manually specify the correct 64-bit prefix based on your subnetting scheme. The 64-bit prefix must be based on the 48-bit prefix for the internal network.

Certificate components

On the Certificate Components page, you must specify the following:

  • The certificate for the root or intermediate certification authority (CA) in the certification path of the computer certificates that are installed on DirectAccess clients. The DirectAccess server uses this root or intermediate CA certificate to validate the computer certificates sent by the DirectAccess client computers during the initial connection to the DirectAccess server.

  • A certificate that the DirectAccess server uses for connectivity over IP-HTTPS. Because DirectAccess clients perform certificate revocation checking on the HTTPS certificate submitted by the DirectAccess server, you must ensure that the certificate revocation list (CRL) distribution points configured in this certificate are accessible and available from the Internet. If these CRL distribution points are not accessible to DirectAccess clients, authentication fails for IP-HTTPS-based DirectAccess connections. For information about configuring CRL distribution points for Active Directory Certificate Services (AD CS), see Specify CRL Distribution Points (

Additional references