Recently I tried to get a handle on DirectAccess, Microsoft's new-generation VPN technology (not so new any more, really: it has been around since Windows Server 2008 R2). After reading some material I am writing a short summary to consolidate my understanding. If anything here is wrong, corrections are welcome!
**********************
In the course of its work, DirectAccess goes through two successive stages of establishing connectivity with the intranet. The first stage establishes contact with the intranet DNS servers and domain controllers (DCs). Only the second stage establishes contact with the intranet resources the client actually wants to reach. The key differences between DirectAccess and other VPN solutions are:
1. As soon as the client is connected to the Internet, it automatically initiates contact with the intranet DNS servers and DCs, so administrators can manage roaming clients at any time. A typical scenario: once a roaming client is on the Internet, it receives the GPOs, patches and so on that the intranet pushes out to it.
2. The Name Resolution Policy Table (NRPT) is used to separate intranet traffic from Internet traffic.
Back to difference 1: how can the client automatically initiate contact with the intranet DNS and DCs? First a discovery mechanism is needed, which is where the Network Location Server (NLS) comes in. The NLS is a web server on the corporate intranet. The client first tries to reach the NLS; if it can, that means DirectAccess is already working. If it cannot reach the NLS, the two-stage process of establishing connectivity with the intranet begins. In other words, the role of the NLS corresponds to step 2 in the figure below.
Only after discovery do the two stages of establishing connectivity with the intranet begin. Establishing connectivity involves building the traffic tunnel and performing authentication. In the first stage the entity being authenticated is the client computer, which requires the intranet PKI to issue certificates to clients. In the second stage both the client computer and the user are authenticated: in addition to verifying the computer certificate, the domain user's credentials are authenticated (the same verification performed when a domain user logs on).
PS: The images below are taken from http://wenku.baidu.com/view/108a09e704a1b0717fd5dd85
PS2: I also found an earlier lab write-up online, 《如何在企業(yè)內部構建Direct Access環(huán)境》 (How to build a DirectAccess environment inside the enterprise): http://wenku.baidu.com/link?url=jqQ_xzlSAT9I5zoJ_OFjOqN_gGAVSrSY68ItRzKvICceQLpLbewgaXeTrEzNyjnNIUksLiBj_xPzXFtQN6pIyrB2Ov5wc-RQykD16PKjdLW
I started with an English book and found it a bit confusing, so I later searched for the Chinese material above. Once I understood the Chinese, the English explanation became much easier to follow. I am pasting the English text here for reference:
This general process can be broken down into the following specific steps:
1. The DirectAccess client computer running Windows 8, Windows 7 Enterprise, or Windows 7 Ultimate detects that it is connected to a network.
2. The DirectAccess client computer determines whether it is connected to the intranet. If the client is connected to the intranet, it does not use DirectAccess.
3. The DirectAccess client connects to the DirectAccess server by using IPv6 and IPsec.
4. If the client is not using IPv6, it will try to use 6to4 or Teredo tunneling to send IPv4-encapsulated IPv6 traffic.
5. If the client cannot reach the DirectAccess server using 6to4 or Teredo tunneling, the client tries to connect using the Internet Protocol over Hypertext Transfer Protocol Secure (IP-HTTPS) protocol. IP-HTTPS uses a Secure Sockets Layer (SSL) connection to encapsulate IPv6 traffic.
6. As part of establishing the IPsec session for the tunnel to reach the intranet DNS server and domain controller, the DirectAccess client and server authenticate each other using computer certificates for authentication.
7. If Network Access Protection (NAP) is enabled and configured for health validation, the Network Policy Server (NPS) determines whether the client is compliant with system health requirements. If it is compliant, the client receives a health certificate, which is submitted to the DirectAccess server for authentication.
8. When the user logs on, the DirectAccess client establishes a second IPsec tunnel to access the resources of the intranet. The DirectAccess client and server authenticate each other using a combination of computer and user credentials.
9. The DirectAccess server forwards traffic between the DirectAccess client and the intranet resources to which the user has been granted access.
The Name Resolution Policy Table (NRPT) is used to determine the behavior of the DNS clients when issuing queries and processing so that internal resources are not exposed to the public via the Internet and to separate traffic that isn't DirectAccess Internet traffic from DirectAccess Internet traffic. By using the NRPT, the DirectAccess clients use the intranet DNS servers for internal resources and Internet DNS for name resolution of other resources. The NRPT is managed using group policies, specifically, Computer Configuration\Policies\Windows Settings\Name Resolution Policy.
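The NLS check (step 2) and the NRPT split between intranet and Internet name resolution, as a constructed Python model added here; it is not code from the original post or from Windows, and the rule set, host names and DNS addresses are assumed sample values:

```python
# Constructed model of a DirectAccess client's name-resolution decision:
# the NLS reachability check first, then the NRPT longest-match lookup.
# Not Windows code; the rule set and addresses are assumed sample values.
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class NrptRule:
    # A namespace starting with "." is a DNS-suffix rule, otherwise an exact
    # FQDN rule. An empty dns_servers list is an NRPT exemption: resolve the
    # name with the interface's normal (Internet) DNS servers.
    namespace: str
    dns_servers: list[str] = field(default_factory=list)

def rule_matches(rule: NrptRule, name: str) -> bool:
    """Suffix rules match names ending in the suffix; FQDN rules match exactly."""
    name, ns = name.lower().rstrip("."), rule.namespace.lower().rstrip(".")
    return name.endswith(ns) if rule.namespace.startswith(".") else name == ns

def select_resolver(name: str, rules: list[NrptRule], nls_reachable: bool,
                    interface_dns: list[str]) -> tuple[list[str], str]:
    """Return (DNS servers to query, reason) for one query name."""
    # Step 2 of the process: if the NLS answers, the client is on the intranet,
    # DirectAccess is not used and the NRPT is not applied.
    if nls_reachable:
        return interface_dns, "NLS reachable: on intranet, NRPT not applied"
    candidates = [r for r in rules if rule_matches(r, name)]
    if not candidates:
        return interface_dns, "no NRPT match: Internet DNS"
    # The most specific (longest) matching namespace wins, so the FQDN
    # exemptions for the NLS and the DirectAccess server override the corporate
    # suffix rule that would otherwise send those names over the tunnel.
    best = max(candidates, key=lambda r: len(r.namespace))
    if not best.dns_servers:
        return interface_dns, f"NRPT exemption for {best.namespace}"
    return best.dns_servers, f"NRPT rule {best.namespace}: intranet DNS via tunnel"

# Assumed sample policy: the corporate suffix goes to the intranet DNS (the
# DNS64 address on the DirectAccess server); NLS and DA server names are exempt.
SAMPLE_RULES = [
    NrptRule(".corp.example.com", ["2001:db8:1::53"]),
    NrptRule("nls.corp.example.com"),
    NrptRule("da.example.com"),
]
INTERNET_DNS = ["192.0.2.53"]  # constructed ISP resolver address

if __name__ == "__main__":
    for host in ("files.corp.example.com", "nls.corp.example.com", "www.example.org"):
        print(host, "->", select_resolver(host, SAMPLE_RULES, False, INTERNET_DNS))
```

On a real client the effective table can be compared against this model with `Get-DnsClientNrptPolicy` in PowerShell; the NLS and DirectAccess server names should appear as exemption entries with no DNS servers.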