My Life in IT


This blog post and topic is one in a series of blog posts on 31 days of our favorite things in Windows Server 2012.

DirectAccess, wow! What a really cool technology to write about. I know I cannot cover everything about DirectAccess, not even come close, but I will try to highlight why this version of DirectAccess in Windows Server 2012 is so much easier and simpler to deploy than ever before. But before we go forward, I would like to set the context on where we came from, with a little bit of my personal history with DirectAccess and how it applies to me. I know everyone might have their own reasoning on how and why to use DirectAccess, but hopefully my experience will help someone who might be contemplating whether this should apply to them. If you wish to skip my story, hit the break below to get into new features and deploying Simplified DirectAccess.

In April of 2009, I was on the Microsoft campus attending a TAP (Technology Adoption Program) Airlift for Windows 7 and Server 2008 R2. The last session before we left for home, after 3 days of presentations and interacting with the product team, was on DirectAccess. I sat through the presentation by John Morello, who was a Senior PM on the Windows team. When the session ended, I went up to John and told him, "Whatever you just presented, I want it!" And thus began my journey with DirectAccess. The reason I thought it was such an amazing feature was that, at that time, I was working for a small business with 125 employees, about 75 of whom were remote users. The laptops they used never saw the inside of a corporate network except when they were provisioned or came in for repair during their lifecycle. These machines were non-domain joined, non-admin controlled machines. The overhead of using VPN and the manual connection method of VPN did not appeal to us, and so we never deployed it. This was the solution.

So, with the help of the product team, I started testing DirectAccess in Server 2008 R2 and quickly realized that this was a pretty encompassing product. Configuring DirectAccess required knowledge of IPv6, certificates, DNS, Group Policy, etc. Also, one important requirement was that the servers needed to be IPv6 capable, or a NAT-PT device would have to be used, which ran into thousands of dollars. After a lot of testing and configuring I was able to get DirectAccess deployed. We used user folder redirection and the Mobile Broadband features of Windows 7 to have a great user experience with DirectAccess. However, with my limited knowledge at that point, I know that if I had not been part of the TAP, it would have been very difficult to deploy and use DirectAccess in my organization. When I took up a new position with my current employer, we ended up deploying DirectAccess to over 300 machines in 77 locations across the country. We are in the process of deploying DirectAccess in Windows 8 and Server 2012.

DirectAccess

Windows Server 2008 R2 introduced DirectAccess, a new remote access feature that allows connectivity to corporate network resources without the need for traditional Virtual Private Network (VPN) connections. DirectAccess provides support only for domain-joined Windows 7 Enterprise and Ultimate edition clients. The Windows Routing and Remote Access Server (RRAS) provides traditional VPN connectivity for legacy clients, non-domain joined clients, and third party VPN clients. RRAS also provides site-to-site connections between servers. RRAS in Windows Server 2008 R2 cannot coexist on the same edge server with DirectAccess, and must be deployed and managed separately from DirectAccess.

Windows Server 2012 combines the DirectAccess feature and the RRAS role service into a new unified server role. This new Remote Access server role allows for centralized administration, configuration, and monitoring of both DirectAccess and VPN-based remote access services. Additionally, Windows Server 2012 DirectAccess provides multiple updates and improvements to address deployment blockers and provide simplified management.

Fast-forward to 2012, in Windows 8 and Windows Server 2012, DirectAccess deployment is a breeze. Go through a wizard and a working configuration of DirectAccess is deployed in a few clicks. Thankfully, for people like me who have had some experience with DirectAccess in the past, there is a way to get a customized deployment going as well.

New Features

DirectAccess in Windows Server 2012 is one of the roles in the “Remote Access” unified role. Here are the new feature highlights:

  • DirectAccess and RRAS coexistence
  • Simplified DirectAccess Deployment
  • Removal of PKI (Public Key Infrastructure) as prerequisite
  • Built in NAT64 and DNS64 support for IPv4 only resources
  • Support for DirectAccess behind a NAT device
  • Load Balancing Support
  • Multi Domain Support
  • NAP Integration
  • Manage-Out to clients support
  • User Monitoring / Server Status / Diagnostics
  • IP-HTTPS performance improvements
  • Server Core Support
  • Multisite Support

Deployment Options

  • Single Site Remote Access
  • Remote Access in a Cluster
  • Multiple Remote Access Servers in a Multisite Deployment
  • Remote Access with OTP Authentication
  • Remote Access in a Multi-Forest Environment
  • Remote Access with Network Access Protection
  • Remote Access in the Cloud

Simple DirectAccess Deployment Steps

  1. Install the remote access role:
    • In the Server Manager console, in the Dashboard, click add roles.
    • Click Next three times to get to the server role selection screen.
    • On the Select Server Roles dialog, select Remote Access, click Add Required Features, and then click Next.
    • On the Select features dialog, expand Remote Server Administration Tools, expand Role Administration Tools, and then select Remote Access Management Tools, and then click Next.
    • Click Next four times.
    • On the Confirm installation selections dialog, click Install.
    • On the Installation progress dialog, verify that the installation was successful, and then click Close.
  2. Obtain two consecutive public IPv4 addresses and configure them on the external adapter of the server. These addresses must be unique.
  3. Create a new DNS record for the server FQDN.
  4. Obtain a server certificate for IP-HTTPS connections, with a subject name that matches the FQDN of the server.
  5. Create client security groups.

After installing the Remote Access role, open the Remote Access Management Console.


Click on the Deploy DirectAccess Only option


If you have two adapters, select the Edge topology and enter the FQDN or external IP address. If not, select the topology that meets your requirements.


Click Next and Finish with the default options or select to edit the settings (settings can still be edited later)


The wizard will go through various configurations and finish successfully


That’s it, you are done! At this screen, you can go and look through all the configuration steps and edit as needed/necessary.
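The same deployment can be scripted with the RemoteAccess PowerShell module, which also makes it easy to check the step 4 certificate before it is bound. This is an added example, not code from the original post; the FQDN `da.example.com` is a placeholder, `Test-IpHttpsCertificate` is a hypothetical helper defined here, and the wizard's default settings are assumed.

```powershell
# Added example: $Fqdn is a placeholder (assumption), not a value from the post.
$Fqdn = 'da.example.com'            # public name from steps 3 and 4

# Hypothetical helper: is this certificate usable for IP-HTTPS on $Fqdn?
function Test-IpHttpsCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$Fqdn
    )
    $now  = Get-Date
    # Collect the EKU OIDs carried by the certificate, if any.
    $ekus = foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }
    # Private key present, in date, Server Authentication EKU, subject matches the FQDN.
    $Certificate.HasPrivateKey -and
        $Certificate.NotBefore -le $now -and $Certificate.NotAfter -gt $now -and
        ($ekus -contains '1.3.6.1.5.5.7.3.1') -and
        ($Certificate.GetNameInfo('SimpleName', $false) -eq $Fqdn)
}

# Step 1: install the DirectAccess/VPN role service with its management tools.
Install-WindowsFeature -Name DirectAccess-VPN -IncludeManagementTools | Out-Null

# Step 3: the DNS record for the server FQDN has to resolve.
Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop | Out-Null

# Step 4: choose the longest-lived certificate that passes the checks.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { Test-IpHttpsCertificate -Certificate $_ -Fqdn $Fqdn } |
    Sort-Object -Property NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable server certificate for $Fqdn in LocalMachine\My" }
if ($cert.Subject -eq $cert.Issuer) {
    Write-Warning "Certificate $($cert.Thumbprint) is self-signed"
}

# "Deploy DirectAccess only" with default settings, then bind the checked certificate.
Install-RemoteAccess -DAInstallType FullInstall -ConnectToAddress $Fqdn -Force
Set-RemoteAccess -SslCertificate $cert

# Report component health after deployment.
Get-RemoteAccessHealth | Format-Table -Property Component, HealthState -AutoSize
```

Run it from an elevated PowerShell session on the Remote Access server; the script stops before deployment if the DNS record or a matching certificate is missing.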


More Resources:

Remote Access tech center on TechNet:

Remote Access overview:

This is Cool! How do I get the new DirectAccess?

This article described DirectAccess improvements in Windows Server 2012 to provide easy deployment and monitoring. To explore the new DirectAccess feature for yourself …

  • Join our FREE Windows Server 2012 “Early Experts” Challenge to continue your learning and prepare for MCSA certification!
  • Download the Windows Server 2012 installation bits!
  • Build your own Windows Server 2012 server lab environment!