DirectAccess and OCS / Lync Edge Services

It’s been a while since I posted anything about DirectAccess, and while this isn’t new info I thought it was worth sharing.

DirectAccess (DA) is a remote access technology included in Windows 7 and Server 2008 R2.  Unlike traditional VPN solutions it establishes a connection into a private network automatically, and transparently.  From the end users perspective once a connection to the internet is made, they can access both websites and any internal resources such as email or file shares.

It’s not all easy going however, as DirectAccess uses IPv6 there are some services which just don’t work well over a DirectAccess tunnel, for example Office Communications Server or Lync.  There are also services such as Outlook Web Access which are typically published to the internet anyway so are better accessed directly.

As DirectAccess gives the remote client access to both the internet directly, and internal services through the DA tunnel, its perfectly possible to access external and internal resources.  To configure this you can specify whether a given DNS name is resolved via the DNS server allocated from the ISP or via the DNS servers on the internal network. This is achieved using the Name Resolution Policy Table (NRPT) which is used to define which namespaces (domains) or DNS records should be resolved where.

Generally this is pretty easy, you use the table to direct your internal namespace down the DA tunnel.  Where you encounter exceptions such as OCS or Lync which may use the internal namespace but should be accessed externally, you can add specific DNS names to the NRPT as exceptions to the NRPT.

DirectAccess with Edge Services

So for example, you may have an internal namespace of mycompany.com with OCS installed.  You’ll probably have a ‘myname@mycompany.com’ SIP address, and OCS will usually be accessed via the name sip.mycompany.com both internally and externally.  If you add DirectAccess you would configure the NRPT to resolve *.mycompany.com addresses via the internal DNS – and therefore access them on the internal namespace over DA – but with exceptions (see below) to ensure that the OCS DNS records are resolved externally and therefore via the internet.

You configure an NRPT exception by adding the relevant fully qualified DNS record, but without an associated DirectAccess DNS server address.  Without the server address the client will use the local ISP assigned DNS server to resolve the address.

As an example, for OCS you’d need to configure exceptions for the following:

Service records (SRV) for auto-config

_sip._tls.mycompany.com

_sip._tcp.mycompany.com

_sipinternaltls._tcp.mycompany.com

_sipinternal._tcp.mycompany.com

Servers

sip.mycompany.com

sipinternal.mycompany.com

sipexternal.mycompany.com

<Your Access Edge>.mycompany.com

<Your Web Conferencing Edge>.mycompany.com

<Your AV Edge>.mycompany.com

For more info on how the NRPT works, the MS Cable Guys did a pretty good write up here.

Leave a comment

Leave a Reply