The network location server is a key component of DirectAccess. Its purpose is to detect whether computers configured as DirectAccess clients are located in the corporate network. When clients are in the corporate network, DirectAccess is not used to reach internal resources. Instead, clients connect to internal resources directly.
When a DirectAccess client computer enters the internal network, it connects to the network location server over HTTPS. If the connection is successful, the client is presumed to be located in the internal network, and the following occurs:
- The Name Resolution Policy Table (NRPT) is disabled. For more information about the NRPT, see Using DNS with Forefront UAG DirectAccess.
- The client resolves name requests using the DNS servers configured on its network interface settings.
- The client is able to connect to a domain controller, and the Domain Profile is applied. This profile does not contain the connection security rules required for the DirectAccess IPsec tunnels.
If the DirectAccess client cannot connect to the network location server, the NRPT will be enabled, and name resolution requests will be sent via the DirectAccess server.
The network location server is a Web site with an HTTPS server certificate. You specify the HTTPS URL of the network location server when you run the DirectAccess wizard in the Forefront Unified Access Gateway (UAG) Management console. By default, Forefront UAG DirectAccess adds the FQDN of the network location server as an exemption rule to the NRPT. This ensures that when DirectAccess client computers attempt to resolve the FQDN of the network location server, the request matches the exemption rule and the name is not resolved via the DirectAccess server. Because the FQDN is covered by an exemption rule, the network location server is not accessible from the Internet via the DirectAccess connection.
Note the following:
- The network location server should not be run on the Forefront UAG DirectAccess server.
- The network location server should be installed on an internal network server with high availability. If clients on the internal network cannot access it (including a revocation check of the Web server certificate) they might not be able to access internal resources. The network location server must not be accessible to DirectAccess clients connecting from the Internet.
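The two client-side conditions described above (an HTTPS connection to the network location server that passes a certificate revocation check, and an NRPT exemption rule for its FQDN) can be verified from a client on the internal network. The following script is an added example, not part of the original article or of the Forefront UAG product; the URL https://nls.corp.example.com/ is a placeholder, and the script assumes that an NRPT rule whose DirectAccessDnsServers field is empty is the exemption rule the wizard created.

```powershell
# Test-NlsDetection.ps1 (added example; not from the original article or from Forefront UAG)
# Run on a DirectAccess client while it is connected to the corporate network.
param(
    # Placeholder; replace with the HTTPS URL entered in the DirectAccess wizard.
    [string]$NlsUrl = 'https://nls.corp.example.com/'
)

$nlsHost = ([System.Uri]$NlsUrl).Host

# --- Check 1: the HTTPS probe the client performs, with revocation checking on ---
# The article notes that a failed revocation check counts as "cannot access the NLS",
# so the probe enables CRL checking instead of relying on the .NET default (off).
[System.Net.ServicePointManager]::CheckCertificateRevocationList = $true
$request = [System.Net.HttpWebRequest]::Create($NlsUrl)
$request.Method  = 'HEAD'
$request.Timeout = 5000   # milliseconds

try {
    $response = $request.GetResponse()
    $status   = [int]$response.StatusCode
    $response.Close()
    Write-Output "NLS reachable: $NlsUrl answered HTTP $status (client will disable the NRPT)"
}
catch [System.Net.WebException] {
    # TrustFailure = untrusted, expired or revoked certificate; any failure here means the
    # client keeps the NRPT enabled and sends name queries via the DirectAccess server.
    Write-Warning ("NLS probe failed ({0}): {1}" -f $_.Exception.Status, $_.Exception.Message)
}

# --- Check 2: the NRPT exemption rule for the NLS FQDN ---
# Assumption (not stated in the article): an NRPT rule that matches the FQDN and has no
# DirectAccess DNS servers is the exemption rule, so the name resolves via interface DNS.
$rules = Get-DnsClientNrptRule -ErrorAction SilentlyContinue
$exemption = $rules | Where-Object {
    ($_.Namespace -contains $nlsHost) -and (-not $_.DirectAccessDnsServers)
}

if ($exemption) {
    Write-Output "NRPT exemption present for $nlsHost (name will not be resolved via the DirectAccess server)"
}
elseif ($rules) {
    Write-Warning "No NRPT exemption for $nlsHost; the NLS name would be resolved via the DirectAccess server"
}
else {
    Write-Warning "No NRPT rules found; DirectAccess client policy may not be applied to this computer"
}
```

Get-DnsClientNrptRule is available on Windows 8 / Windows Server 2012 and later; on the Windows 7 clients of the Forefront UAG era, `netsh namespace show effectivepolicy` lists the same NRPT entries for a manual comparison. A warning from the first check on a machine that is on the internal network is the symptom the article warns about: the client behaves as if it were on the Internet and cannot reach internal resources.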