A. DirectAccess is a new feature in Windows 7 Enterprise and Ultimate editions that enables connectivity to a corporate intranet from anywhere on the Internet without a dedicated VPN connection, through a Windows Server 2008 R2 DirectAccess server on the perimeter of your corporate network.

DirectAccess is based around IPv6 traffic that's encrypted with IPSEC, ensuring security of the data as it travels over the Internet. However, the Internet isn't an IPv6 network (yet), so other technologies have to be used to allow the IPv6 traffic to flow over an IPv4 network. Either:

  • 6to4: Allows IPv6 to be encapsulated in IPv4 traffic, where the host is a direct public-addressable, Internet-accessible IPv4 address (not Network Address Translation—NAT).
  • Teredo: Allows IPv6 to be encapsulated in IPv4 traffic where the host is behind a NAT and has a private address.

If neither 6to4 nor Teredo can be used (most likely due to a firewall), IP-HTTPS is used. This is a new protocol in Windows 7 and Server 2008 R2 that allows IPv6 to be tunneled using HTTPS (port 443).

Once the traffic gets to the corporate Intranet, ISATAP can be used to send the IPv6 packets over an internal IPv4 network, but the target still has to be IPv6 capable. If the target isn't IPv6, you need to use a technology like UAG to act as a IPv6/IPv4 translator (NAT-PT/NAT64).

DirectAccess uses the Name Resolution Policy Table (NRPT) to identify which DNS suffix targets should be accessed via DirectAccess.