Windows Server 2008 R2 – DirectAccess

Things to consider before deploying DirectAccess Server

1. Identify applications which support IPv6.

This is important because communication between the server and clients over DirectAccess happens on IPv6, unless you are using NAT-PT devices to translate between IPv6 and IPv4. Applications which don’t understand IPv6 will not be able to communicate over DirectAccess.

2. Identify the applications which you want DirectAccess users to access.

This is important and goes hand in hand with the first point. You may want users to access a particular application, but that application may not be compatible with IPv6; or many applications may support IPv6 but you don’t want users to access everything over DirectAccess. Planning the access up front saves a considerable amount of time.

3. Windows 7 deployment across the organization or at least for the machines participating in DirectAccess.

Because DirectAccess is only supported on Windows 7 client machines, it becomes necessary to plan the deployment of Windows 7 on workstations and laptops, especially those which are always mobile.

4. Setting up a Certificate Authority if one does not already exist.

There are multiple ways to authenticate the client machines coming in through DirectAccess: machine certificates, Kerberos and/or smart card authentication. Since DirectAccess inherits the IPsec capabilities of Windows, you will need machine certificates to negotiate the communication between clients and the DirectAccess server.

5. At least one domain controller to be either Windows Server 2008 or Windows Server 2008 R2

Since Windows Server 2003 does not support IPv6 completely, you need at least one of your domain controllers and DNS servers to be Windows Server 2008 or 2008 R2 in order to fully support IPv6.

6. Implementing IPsec policies and managing the encrypted traffic

IPsec is the baseline security model for protecting the traffic between the DirectAccess server and client machines. See http://technet.microsoft.com/en-us/library/dd637836(WS.10).aspx for more information on choosing the right access model for DirectAccess.

7. Two consecutive public IP addresses to be assigned to the DirectAccess Server’s external interface connected to the internet

This additional requirement is actually imposed by the Teredo service (one of the IPv6 transition technologies) and not directly by the DirectAccess server. See RFC 4380 at http://www.ietf.org/rfc/rfc4380.txt
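As an added pre-deployment check for point 7 (not part of the original post), the script below validates that the addresses planned for the external interface contain a pair of consecutive, publicly routable IPv4 addresses as Teredo requires. It uses Python's standard ipaddress module; the addresses in the sample are constructed placeholders, not real deployment values.

```python
import ipaddress

def unusable_reason(address):
    """Return why an address cannot serve Teredo, or None if it is publicly routable."""
    try:
        addr = ipaddress.IPv4Address(address)
    except ValueError:
        return "not a valid IPv4 address"
    if addr.is_private:
        return "private or non-routable range (e.g. RFC 1918)"
    if not addr.is_global:
        return "reserved or shared address space, not publicly routable"
    return None

def check_teredo_pair(addresses):
    """Validate exactly two addresses; an empty list means the pair is acceptable."""
    problems = []
    if len(addresses) != 2:
        return [f"expected exactly 2 addresses, got {len(addresses)}"]
    for address in addresses:
        reason = unusable_reason(address)
        if reason:
            problems.append(f"{address}: {reason}")
    if problems:
        return problems
    low, high = sorted(ipaddress.IPv4Address(a) for a in addresses)
    if int(high) - int(low) != 1:
        problems.append(f"{low} and {high} are not consecutive")
    return problems

def find_teredo_pairs(addresses):
    """Return every consecutive pair of public addresses among those assigned to an interface."""
    usable = sorted({ipaddress.IPv4Address(a) for a in addresses if unusable_reason(a) is None})
    return [(str(low), str(high)) for low, high in zip(usable, usable[1:]) if int(high) - int(low) == 1]

if __name__ == "__main__":
    # Constructed sample of addresses on an external interface (placeholders, not real values).
    planned = ["11.22.33.41", "11.22.33.40", "11.22.33.43", "203.0.113.5", "203.0.113.6"]
    print("usable pairs:", find_teredo_pairs(planned))
    print("problems with 10.0.0.1/10.0.0.2:", check_teredo_pair(["10.0.0.1", "10.0.0.2"]))
```

Note that documentation ranges such as 203.0.113.0/24 are reported as unusable, since Teredo needs genuinely routable public addresses.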