This topic describes how to ensure that DirectAccess clients can detect connectivity to the intranet.

Computers running Windows 7 or Windows Server 2008 R2 use corporate connectivity detection to determine whether the computer can access the resources of your intranet. Corporate connectivity detection is separate from network location detection. A DirectAccess client can successfully detect corporate connectivity when it is directly connected to the intranet or when it is roaming on the Internet.

Corporate connectivity determination is used for the following:

Corporate connectivity detection relies on the ability to perform the following checks for different purposes, depending on the computer’s configuration:

The Forefront UAG DirectAccess Configuration Wizard automatically configures the following for corporate connectivity detection:

  1. The intranet-specific name and IPv6 address, and registers the corresponding AAAA record in an intranet Domain Name System (DNS) server.

    If your organization DNS does not support dynamic updates, you must enter an AAAA record with the FQDN and IPv6 address for the NCSI probe host. The default record that should be registered in the DNS for the NCSI probe host is: AAAA UAGDirectAccess-corpConnectivityHost ::1.
  2. The IPv6 prefix of the intranet.

Configuring settings and infrastructure needed for DirectAccess clients to access a specific intranet Web site

The Forefront UAG DirectAccess Configuration Wizard does not automatically configure the settings and infrastructure needed for DirectAccess clients to access a specific intranet Web site. This additional configuration is required for branch scenarios in which a Web proxy server is between the DirectAccess client and the corporate resources it is trying to reach. This additional configuration also aids in diagnosing DirectAccess connections.

To configure settings and infrastructure needed for DirectAccess clients to access a specific intranet Web site

  1. Determine a Web site on your intranet that is not accessible from the Internet, is highly available, and is reachable with IPv6. To ensure its ongoing reachability with IPv6, either assign a static IPv6 address if you have a native IPv6 infrastructure, or a static Internet Protocol version 4 (IPv4) address if you are using Intra-Site Automatic Tunnel Addressing Protocol (ISATAP). For example, the Contoso Corporation uses as its central, highly-available internal Web site. This Web server uses ISATAP and a static IPv4 address.

  2. Create an alternate name for the Web server, and add that name and IPv6 address of the Web server as an AAAA record in your intranet DNS. For example, create an AAAA record in the intranet DNS that resolves to the ISATAP-based IPv6 address of the Web server.

  3. Construct an HTTP-based uniform resource locator (URL) based on the alternate name and test it with your Web browser. For example, the corresponding corporate connectivity URL is

  4. Enable the Computer Configuration/Policies/Administrative Templates/Network/Network Connectivity Status Indicator/Corporate Website Probe URL Group Policy setting in the Group Policy object for DirectAccess clients, and configure it to use the constructed URL. For example, enable and configure the Corporate Website Probe URL setting with

If you use the Fall back to local name resolution if the name does not exist in DNS or the DNS servers are unreachable when the client computer is on a private network option for local host name resolution, the Corporate Website Probe URL setting must be specified as a FQDN, rather than as an unqualified, single-label name. If you use an unqualified, single-label name, corporate connectivity detection might incorrectly detect that corporate connectivity exists and diagnostics for Forefront UAG DirectAccess can be affected.