Fact-checked by Grok 2 weeks ago

DirectAccess

DirectAccess is a remote access solution developed by that enables domain-joined Windows client computers to securely connect to an organization's internal network resources without the need for traditional (VPN) clients or manual connection initiation, providing seamless, always-on access as if the device were on the local network. Introduced with and in 2009, DirectAccess leverages transition technologies and encryption to establish bidirectional connectivity, allowing remote users to access corporate resources like file shares, sites, and servers immediately upon network attachment, even before user logon, while also enabling IT administrators to remotely manage and deploy updates to these clients. It supports specific Enterprise editions of Windows client operating systems, including Enterprise, Enterprise, and earlier versions like Enterprise, but requires domain membership and is not compatible with non-domain-joined devices or certain environments like virtual machines. DirectAccess deployment typically involves configuring a Remote Access server role in , with options for basic single-server setups or advanced multisite configurations integrated with Network Policy Server (NPS) for authentication. However, as of June 2024, has deprecated DirectAccess, stating it will be removed in a future Windows release, and strongly recommends transitioning to the more flexible and modern Always On VPN solution for new and existing remote access needs.

Introduction

Definition and Purpose

DirectAccess is a remote access solution developed by that enables automatic, bidirectional connectivity between domain-joined client devices running supported versions of Windows and an organization's corporate , eliminating the need for traditional (VPN) client software or manual connection initiation. This technology leverages transition mechanisms to establish secure tunnels over the , providing users with transparent access to internal network resources as if they were connected directly to the local network. The primary purpose of DirectAccess is to deliver always-on connectivity for remote s upon detection of an connection, ensuring seamless integration of off-network devices into the corporate environment without intervention. It facilitates secure to resources such as file shares, websites, and enterprise applications, enhancing productivity for distributed workforces while maintaining through features like encryption. Key use cases include enabling remote workers to securely access corporate resources from any Internet-connected location, regardless of network conditions, and supporting "manage out" capabilities that allow IT administrators to remotely monitor, update, and manage off-network client devices as needed. This bidirectional access model addresses common challenges in hybrid work environments by bridging the gap between on-site and remote operations.

History and Development

DirectAccess emerged as a response to the limitations of traditional (VPN) solutions in enterprise environments, which often required manual connections and lacked seamless, always-on access for remote workers. By leveraging transition technologies and , it aimed to provide transparent connectivity to corporate resources without user intervention, addressing the need for persistent secure access in distributed workforces. Microsoft introduced DirectAccess in 2009 as a built-in feature of client and , enabling automatic remote access to internal networks upon internet connectivity. This initial release focused on core remote access capabilities integrated directly into the operating systems, marking a shift toward native support for enterprise mobility. In 2010, enhancements came with the release of Forefront Unified Access Gateway (UAG) 2010, which simplified DirectAccess deployment through wizards in the UAG Management Console and added features such as web application publishing for broader secure access scenarios. UAG extended DirectAccess scalability and ease of management, particularly for complex environments requiring additional gateway protections. DirectAccess achieved full native integration in , further simplifying deployment by supporting single-network-interface-card () configurations behind () devices without requiring additional software like UAG for basic setups. This update streamlined installations and reduced hardware requirements, making it more accessible for standard server deployments. In June 2024, Microsoft announced the deprecation of DirectAccess, stating it would be removed in a future Windows release while continuing support in Windows Server 2025; the company recommended migration to Always On VPN as the successor solution. This decision reflects evolving standards and the maturation of alternative remote access technologies.

Technical Architecture

Core Components

DirectAccess relies on several key hardware, software, and infrastructure elements to enable seamless remote access to corporate networks. The primary components include the DirectAccess server, client devices, and supporting infrastructure such as , (PKI), the Network Location Server (NLS), ISATAP, and DNS servers. These elements work together to provide automatic connectivity without requiring user-initiated VPN connections. The DirectAccess is implemented as a role within the Remote Access server role on editions starting from and supported in subsequent versions up to Windows Server 2025. This functions as the gateway between external and internal networks, featuring at least two network interfaces: one connected to the internal corporate network and another to the external perimeter network or . It supports multi-site topologies, allowing deployment across geographically distributed locations to optimize connectivity for remote users based on their proximity. The handles inbound from clients and routes traffic securely, often using for encryption, though detailed security protocols are configured separately. Client devices are domain-joined computers running supported Windows operating systems, specifically Enterprise, Enterprise (including the 2015 LTSB edition), Enterprise, Enterprise, Ultimate, and Enterprise. These editions are required for full DirectAccess functionality, as consumer versions such as Windows Home or Pro lack the necessary and connectivity features. Clients automatically establish connections upon detecting an external network, enabling always-on access to internal resources without manual intervention. Supporting infrastructure is essential for authentication, location awareness, and connectivity. Active Directory Domain Services (AD DS) provides the foundation for user and computer , enforcing group policies to configure DirectAccess settings on clients and servers. A Public Key Infrastructure (PKI) issues computer certificates for IPsec-based and , ensuring secure tunnel establishment; while not always mandatory for basic deployments, it is recommended for robust security. The Network Location Server (NLS) operates as an internal endpoint that clients query to determine their network location—internal or external—triggering appropriate DirectAccess policies. Additional elements include ISATAP (Intra-Site Automatic Tunnel Addressing Protocol), which facilitates connectivity within the corporate site by tunneling over IPv4 networks when native is unavailable, and DNS servers configured with the Name Resolution Policy Table (NRPT) to direct client queries for internal resources through the DirectAccess tunnel. These components ensure reliable name resolution and transition without disrupting existing IPv4 environments.

Connection and Tunneling Mechanisms

DirectAccess clients initiate connections automatically upon detecting connectivity outside the corporate network. The process begins when the client queries the Network Location Server (NLS) to determine its location; if the response indicates the client is not on the internal network, it proceeds to establish a connection to the DirectAccess server. The tunneling mechanisms prioritize protocols to encapsulate traffic over IPv4 networks, ensuring compatibility across various network environments. The preference order is native connectivity when available, followed by if the client has a public IPv4 address, then Teredo for clients behind devices, and IP-HTTPS as a fallback for restrictive firewalls that block traffic, encapsulating the IPv6 tunnel within over port 443. Once initiated, the client establishes a bi-directional protected by encryption to the DirectAccess server, enabling secure communication. For accessing IPv4-only resources on the , the server employs for synthesizing addresses from IPv4 DNS records and for translating traffic to IPv4, allowing seamless integration without requiring support on all internal systems. The manage-out functionality extends the tunnel's utility by permitting inbound connections from intranet management servers to remote clients, facilitating remote administration tasks such as software updates via (WSUS) or system configuration through System Center Configuration Manager (SCCM). This bidirectional capability ensures that IT administrators can reach clients over the established tunnel without additional VPN setup.

Features and Functionality

Security Features

DirectAccess employs as its core security mechanism, providing mandatory for all traffic between remote clients and resources. This encryption utilizes AuthIP, an extension of , to secure communications over (or IPv4 via transition technologies), ensuring that data cannot be intercepted or tampered with during transit. Authentication for the connection relies on computer certificates for initial machine-level access or user certificates for full end-to-end protection, typically issued through a (PKI) to verify the identity of both clients and servers. Following tunnel establishment, resource access is authenticated using for domain-joined scenarios, with as a fallback for compatible applications, allowing transparent integration with without requiring user intervention. For heightened security, DirectAccess supports optional two-factor , including integration that mandates a physical token alongside user credentials, or one-time password (OTP) mechanisms through external systems. These methods ensure that even after the tunnel is active, sensitive resources remain protected against unauthorized access. Network isolation is achieved through distinct tunnels: an infrastructure tunnel secures connections to essential services like domain controllers and DNS servers, while a separate corporate resources tunnel handles access to other intranet assets, thereby containing potential breaches to specific network segments. This design restricts non-essential exposure and aligns with policy-based access controls.

Management Capabilities

DirectAccess deployments leverage Objects (GPOs) for centralized configuration of both client and server components, enabling administrators to manage settings such as tunnel profiles, location detection, and resource access policies across the enterprise. The DirectAccess client GPO applies IPv6 transition technologies—including IP-HTTPS, , and Teredo for tunnel establishment—along with Name Resolution Policy Table (NRPT) entries that define DNS resolution rules for corporate resources, ensuring seamless without manual intervention. Server-side GPOs handle firewall rules and security settings, while the network location server (NLS) , configured via GPO, facilitates automatic detection of versus extranet connectivity by comparing the client's view of the NLS to a predefined certificate. Resource policies, enforced through NRPT exemptions and IPsec requirements in GPOs, allow granular control over which internal servers require and . Monitoring and maintenance of DirectAccess are primarily handled through the Remote Access Management Console, integrated into Windows Server Manager, which provides real-time visibility into connection status, user activity, and server performance. Administrators can access the dashboard to view operational metrics, such as active client connections and tunnel establishment success rates, while troubleshooting tools within the console enable analysis of event logs for issues like IPsec policy mismatches or connectivity failures. The console also supports reporting on remote client status and load statistics, with PowerShell cmdlets available for scripted monitoring of deployment health, ensuring proactive identification of bottlenecks or outages. For scalability, DirectAccess supports load-balanced clusters of multiple servers, distributing traffic via external load balancers to handle increased user loads and provide redundancy without single points of failure. Multi-site deployments align with sites, allowing regional entry points for efficient resource access while maintaining central management through a unified console for configuration propagation and monitoring across sites. The "manage out" capability in DirectAccess enables bidirectional connectivity, permitting IT administrators to remotely deploy updates and patches to clients over the without requiring user action or full VPN sessions. This feature integrates with tools like (WSUS) for compliance enforcement, allowing management servers to push configurations and software updates to always-on clients regardless of their location.

Benefits and Limitations

Advantages

DirectAccess offers always-on connectivity, automatically establishing a secure connection to the corporate network whenever a DirectAccess-enabled device connects to the , even prior to logon. This feature eliminates the need for manual intervention, significantly reducing support tickets related to connection issues and enabling immediate access to internal resources such as servers and sites. A key strength lies in its bidirectional access capabilities, which support both outbound traffic from remote clients to the organization and inbound traffic for IT management. This allows administrators to remotely push software updates, enforce policies, or perform diagnostics on client devices, even when users are not actively logged in, thereby streamlining device without requiring . DirectAccess enhances security through granular , where policies can restrict remote users to specific resources or subnets rather than granting full exposure. This approach mitigates risks associated with traditional VPNs, which often provide broader access that could expose sensitive , while maintaining for authorized connections. The technology delivers a simplified by requiring no additional VPN client software installation or reconnection processes, providing a seamless, transparent intranet-like from any internet-connected location. Users can work as if they were on the local , boosting without the interruptions common in conventional remote solutions. Although Microsoft has deprecated DirectAccess in favor of Always On VPN for future deployments, these advantages continue to benefit existing implementations.

Drawbacks and Challenges

DirectAccess has notable limitations in terms of client compatibility, restricting its use to specific editions of Windows operating systems. It supports only domain-joined clients running Windows 7 Ultimate or Enterprise, Windows 8 or 8.1 Enterprise, Windows 10 Enterprise or Education, and Windows 11 Enterprise or Education, excluding Home and Professional editions as well as non-Windows devices such as macOS or Linux systems. This exclusivity limits deployment in heterogeneous environments and for consumer-grade hardware, requiring organizations to standardize on qualifying Windows configurations. The setup process for DirectAccess is inherently complex, particularly due to its dependence on IPv6 infrastructure, Public Key Infrastructure (PKI) for certificate-based authentication and encryption, and precise DNS configurations. In environments lacking native IPv6 support—common in legacy IPv4-only networks—administrators must implement transition technologies such as 6to4, ISATAP, or Teredo, which add layers of configuration and potential points of failure, including NAT traversal issues and firewall adjustments. PKI requirements necessitate accessible Certificate Revocation Lists (CRLs) and proper certificate issuance for IP-HTTPS tunneling and computer authentication, often complicating initial deployment without dedicated expertise. DNS setup must handle IPv6 address registration for clients, where misconfigurations can prevent connectivity, especially in multi-site or high-availability scenarios. These elements contribute to prolonged implementation times and elevated administrative overhead compared to simpler remote access solutions. Performance challenges arise from DirectAccess's tunneling mechanisms, which can introduce and overhead, particularly when falling back to IP-HTTPS in IPv4-dominant or restricted network conditions. IP-HTTPS encapsulates traffic over , adding encryption and protocol conversion layers that increase bandwidth consumption and delay, especially for applications sensitive to round-trip times. By default, DirectAccess employs , directing only corporate traffic through the tunnel while allowing internet traffic to bypass it directly; however, enabling optional force tunneling to route all traffic via the corporate network exacerbates bandwidth strain on the and can degrade for non-corporate activities. Tunneling technologies like Teredo also face hurdles with symmetric NATs, potentially requiring persistent mappings and leading to inconsistent connectivity or higher CPU utilization on clients. Microsoft officially deprecated DirectAccess in June 2024, signaling its removal in a future Windows release and recommending migration to Always On VPN for ongoing remote access needs. This deprecation implies no further feature enhancements, diminishing security updates over time, and potential incompatibilities with subsequent Windows versions, posing risks for long-term deployments in evolving IT ecosystems. Organizations relying on DirectAccess must now plan transitions to avoid disruptions as support wanes.

Deployment and Requirements

System and Network Requirements

DirectAccess deployment requires specific server hardware and software configurations to ensure reliable operation as a remote access gateway. Servers must run or later, with and subsequent versions preferred for native integration and simplified management. Minimum hardware includes a 1.4 GHz 64-bit and 512 MB of , though 2 GB of and a 2 GHz or faster are recommended for production environments to handle processing and tunneling overhead. The server requires at least one network interface card (), but a dual-NIC configuration is standard for edge deployments, with the external interface assigned a public IPv4 address to facilitate inbound connections. Single-NIC setups are supported starting with , allowing deployment behind a device for smaller environments.) Client computers must meet stringent software criteria to establish automatic, always-on connections. Supported operating systems include Enterprise, Enterprise, Windows 8/8.1 Enterprise, and Ultimate or Enterprise editions; all clients must be domain-joined to an domain. Hardware compatibility focuses on support for encryption, with optional (TPM) for secure certificate storage in certificate-based authentication scenarios. Windows Firewall must be enabled on all profiles for both clients and servers to permit necessary traffic. Network and infrastructure prerequisites emphasize robust internal connectivity and security foundations. A public IPv4 address (or IPv6 equivalent) is required on the server's external interface, with two consecutive public IPv4 addresses recommended if using Teredo as an IPv6 transition technology; support is mandatory internally, achievable via native or transition mechanisms like , Teredo, or IP-HTTPS. An domain infrastructure is essential, including at least one domain controller, and all components must reside in a two-way trusted domain or forest. Internal DNS servers running or later are required to host DirectAccess-specific zones, such as those for the Network Location Server (NLS) and Name Resolution Policy Table (NRPT). A (PKI) is generally needed for certificate authentication, though it can be waived in basic deployments on or later using the Getting Started Wizard with or newer clients, which support self-signed certificates for IP-HTTPS.

Implementation Steps

The implementation of DirectAccess begins with a thorough phase to ensure compatibility and optimal performance. Administrators must assess the network topology, determining whether the DirectAccess will be deployed at the edge or behind a device or , and configure appropriate network adapters—typically two for internal and external interfaces or one if behind NAT. Static IPv4 addresses are required on the external adapter, including two consecutive public addresses for Teredo support, while internal interfaces need IPv4 and addressing with static routes for all corporate subnets. Force tunneling may be planned if clients should access the via the corporate network, necessitating IP-HTTPS and limiting external IPv4 access. Resources to publish are identified by creating groups for (such as domain controllers) and application servers that require IPsec , ensuring they support IPv6 for full connectivity. A (PKI) must be configured, including an internal certification authority for IPsec computer certificates with Client enhanced key usage (EKU), a public CA for the IP-HTTPS certificate with Server Authentication EKU and accessible certificate revocation list (CRL), and an internal CA for the network location (NLS) certificate. DNS zones are planned using DNS that supports dynamic updates, with Name Resolution Policy Table (NRPT) rules defined for intranet suffixes, exemptions for split-brain DNS, and specific A/AAAA records for connectivity verifiers like directaccess-webprobehost.contoso.com and directaccess-corpconnectivityhost.contoso.com. Server setup follows planning and involves installing the Remote Access role through Server Manager by selecting the DirectAccess and VPN (RAS) role service, followed by a restart if necessary; alternatively, commands like Install-WindowsFeature RemoteAccess can be used. The is then launched from the Remote Access Management console to configure the deployment type, such as a single server behind an edge device or full edge deployment, specifying the server's public (FQDN) for client connections. settings are configured during the wizard, including authentication methods (e.g., computer s) and policies for and application servers, while the NLS is set up using the internal FQDN and a corresponding to detect corporate location. If no PKI exists, the wizard provisions self-signed s, enables proxy authentication, and activates /DNS64 for IPv6-to-IPv4 translation. Client configuration is handled primarily through Objects (GPOs) generated by the DirectAccess Wizard, requiring an security group to target specific client computers, which must be domain-joined and in the same or a trusted one. The wizard enables DirectAccess on clients by applying settings like the server's FQDN for connectivity and NRPT rules, with administrators ensuring permissions to create and link GPOs, optionally using WMI filters to restrict to mobile computers. To test initial client connectivity, administrators run gpupdate /force on clients and use netsh commands such as netsh interface show global to verify NRPT entries and global IPv6 configuration. Testing and are essential post-configuration to validate the deployment. establishment is verified using /all on clients to confirm the presence of the interface with assigned addresses and routes. Common issues, such as certificate mismatches, are diagnosed by checking logs for errors related to or CRL access, ensuring certificates have the correct EKUs and are not expired. Resource constraints like high CPU usage or insufficient NetNat ports (default range 6001-49000) can be monitored via [Performance Monitor](/page/Performance Monitor), while comprehensive data collection uses the Script Content (TSS) tool with scenarios NET_Dacli for clients and NET_DAsrv for servers to generate zipped logs for analysis. An incremental approach—deploying to a small client set, testing connectivity, and monitoring—is recommended to isolate problems efficiently. For multi-site or advanced deployments, additional servers are integrated to support load balancing and geographic distribution. Each entry point server is prepared by assigning IP addresses, joining the domain, and installing the Remote Access role via Server Manager or . Multisite is enabled on the primary server using the Remote Access Management console or Enable-DAMultiSite cmdlet, specifying names and configuring global load balancing if needed. Additional servers are added through the Add Entry Point wizard, setting (e.g., edge or behind ), certificates for IP-HTTPS and NLS, and DNS records for each site's FQDN. Load balancing is achieved using (NLB) clusters on the internal adapters of entry point servers, with the wizard handling GPO updates for client awareness of multiple sites. In deployments supporting it, integration with (NAP) can enforce client health checks via policies, though this feature is supported in Windows Server 2012 but deprecated in Windows Server 2012 R2 and unsupported in later versions.

Alternatives and Future Outlook

Comparison with Traditional VPN

DirectAccess differs fundamentally from traditional (VPN) solutions in its connection model, providing an always-on, automatic connection to the corporate whenever the client device has , without requiring user initiation or prompts. In contrast, traditional VPNs rely on manual client software activation, where users must explicitly connect, often entering credentials, which can take several minutes and may fail or disconnect during network changes like sleep or Wi-Fi switches. This automatic nature of DirectAccess ensures bi-directional connectivity from the moment the device boots and connects to the , even before user logon, enhancing remote and enforcement. Regarding scope of access, DirectAccess offers full connectivity with support for "manage out" scenarios, enabling IT administrators to remotely manage client devices—such as pushing updates or enforcing policies—regardless of the user's activity, through IPv6-based DNS registration and tunnels. Traditional VPNs, however, typically focus on outbound access from the client to the network, often using split-tunneling to route only corporate traffic through the tunnel while allowing direct for other activities, but lacking inherent manage-out capabilities without additional configurations. This broader scope in DirectAccess allows seamless integration of remote devices into the corporate , treating them as if they were on the local network. Deployment overhead for DirectAccess is higher due to its reliance on infrastructure, policies, and server-side components like the DirectAccess server and location , often necessitating transition technologies such as IP-HTTPS for IPv4 and potentially load balancers for scalability. Traditional VPNs, by comparison, involve simpler client- software installation over existing IPv4 networks, with minimal infrastructure changes, though they may require dedicated ports and rules. While DirectAccess demands more upfront planning, including certificate-based authentication, it integrates with for centralized management. From a user impact perspective, DirectAccess delivers a seamless experience that eliminates the need for training on procedures, reduces calls related to VPN failures, and minimizes disruptions from reconnections or bottlenecks caused by full-tunnel . Users with traditional VPNs often face interruptions, such as needing to reconnect after standby or dealing with slower speeds due to all traffic being funneled through the corporate gateway, leading to higher frustration and avoidance of . This transparency in DirectAccess fosters greater adoption of secure remote access practices.

Transition to Always On VPN

Always On VPN, introduced with , serves as Microsoft's recommended successor to DirectAccess, providing seamless remote access capabilities via its user tunnel available in Pro and higher editions of and 11, while the device tunnel for pre-logon connectivity is limited to Enterprise and Education editions, unlike DirectAccess which requires Enterprise editions overall. It leverages the IKEv2 for secure, high-performance connections, enabling features such as split-tunneling to route only corporate traffic through the VPN while allowing direct for other traffic, thereby improving efficiency and reducing latency. A primary enhancement is the dual-tunnel architecture: the device tunnel establishes an always-on connection before user logon using machine authentication, ensuring domain connectivity for updates and management even on boot, while the user tunnel activates post-logon for full resource access with user credentials. This setup offers superior compared to DirectAccess, facilitated by IKEv2's robust mobility extensions, and integrates natively with (formerly Azure AD) for and without requiring on-premises dependencies. Additionally, Always On VPN eliminates DirectAccess's mandatory requirement, supporting flexible IPv4/IPv6 dual-stack configurations to accommodate diverse network environments. Migrating from DirectAccess to Always On VPN follows a phased, side-by-side approach to minimize disruption. Organizations first assess existing DirectAccess policies by comparing feature mappings and identifying gaps, such as authentication methods or network access rules, using Microsoft's documentation to plan migration rings that start with small pilot groups (e.g., 10 IT users) and scale progressively. Next, deploy the Always On VPN infrastructure alongside DirectAccess, including issuing VPN server and client certificates via auto-enrollment Objects targeted to a VPN Users security group; scripts like GetUsersWithCert.ps1 can identify eligible users with valid certificates for inclusion in a deployment-ready group. Client configuration involves deploying VPN profiles using the VPN_Profile.ps1 script or through and System Center Configuration Manager (SCCM) for automated rollout to targeted devices, enabling both device and user tunnels as needed. Coexistence testing ensures seamless operation by monitoring connection success in pilot phases via Intune/SCCM reports, verifying that clients can switch between DirectAccess and Always On VPN without conflicts. Once validated across rings, decommission DirectAccess by removing clients from its security groups, disabling associated Objects, updating DNS records, and uninstalling the DirectAccess server role through Server Manager or Domain Services tools. Microsoft formally deprecated DirectAccess in June 2024, stating it will be removed in a future Windows release, and strongly recommends full migration to Always On VPN for continued support and enhanced capabilities, with tools like the referenced scripts facilitating policy conversion and deployment. Given the current timeline into 2025 and beyond, organizations are urged to prioritize this transition to avoid compatibility risks in upcoming versions.

References

  1. [1]
    DirectAccess | Microsoft Learn
    Nov 1, 2024 · DirectAccess allows connectivity for remote users to organization network resources without the need for traditional Virtual Private Network (VPN) connections.Prerequisites for Deploying... · DirectAccess Unsupported...
  2. [2]
    IPsec (DirectAccess) Overview - MS-WPO - Microsoft Learn
    Oct 26, 2021 · DirectAccess, introduced in Windows 7 operating system and Windows Server 2008 R2 operating system, establishes an IPsec connection that enables network users ...Missing: history | Show results with:history
  3. [3]
    [PDF] Technical Overview of DirectAccess - Microsoft Download Center
    The Windows® 7 and Windows Server® 2008 R2 operating systems introduce. DirectAccess, a new solution that provides users with the same experience working.Missing: history | Show results with:history
  4. [4]
    Install and Configure Basic DirectAccess - Microsoft Learn
    Nov 1, 2024 · This overview provides an introduction to the configuration steps required to deploy a single DirectAccess server running Windows Server 2016, Windows Server ...
  5. [5]
    Deprecated features in the Windows client - Microsoft Learn
    DirectAccess, DirectAccess is deprecated and will be removed in a future release of Windows. We recommend migrating from DirectAccess to Always On VPN. June ...
  6. [6]
    Step 1 Plan the Basic DirectAccess Infrastructure - Microsoft Learn
    Oct 8, 2021 · The first step for a basic DirectAccess deployment on a single server is to perform planning for the infrastructure required for the deployment.
  7. [7]
    [PDF] Using DirectAccess to Provide Secure Access to Corporate ...
    Microsoft IT is implementing. DirectAccess, a new feature in Windows. 7 and Windows Server 2008 R2, to provide remote users with seamless access to internal ...
  8. [8]
    Manage DirectAccess Clients Remotely - Microsoft Learn
    Nov 1, 2024 · This document contains instructions for leveraging the monitoring capabilities of Remote Access by using the DirectAccess management console and the ...
  9. [9]
    Overview of the DirectAccess to Always On VPN migration
    Nov 1, 2024 · Properly decommission the environment after you have migrated everyone off DirectAccess. Remove the DirectAccess configuration from the client.
  10. [10]
    Description of Forefront Unified Access Gateway 2010 Service Pack ...
    This article describes features and fixes that are included in Service Pack 1 (SP1) for Forefront Unified Access Gateway (UAG) 2010.Missing: enhancement | Show results with:enhancement
  11. [11]
    Prerequisites for Deploying DirectAccess - Microsoft Learn
    Nov 1, 2024 · - Only supported for clients running Windows 10®, Windows® 8, and Windows ... The following client operating systems support DirectAccess.
  12. [12]
    Deploy a Single DirectAccess Server with Advanced Settings
    Jun 20, 2023 · The DirectAccess server is the network location server. You want all wireless computers in the domain where you install the DirectAccess server ...
  13. [13]
    Plan a Basic DirectAccess Deployment - Microsoft Learn
    Nov 1, 2024 · This topic describes the planning steps required to deploy a single DirectAccess server running Windows Server 2016, Windows Server 2012 R2, or Windows Server ...
  14. [14]
    Step 1 Plan the Advanced DirectAccess Infrastructure - Microsoft Learn
    Jul 29, 2021 · If the DirectAccess client cannot connect to the DirectAccess server with 6to4 or Teredo, it will use IP-HTTPS. To use Teredo, you must ...
  15. [15]
    What's New in DirectAccess in Windows Server - Microsoft Learn
    Jun 7, 2016 · Windows Server 2012 and Windows Server 2012 R2 DirectAccess provide support for a manage-out only configuration through a deployment wizard ...
  16. [16]
    Step 1 Plan DirectAccess Infrastructure - Microsoft Learn
    Jul 29, 2021 · If the DirectAccess client cannot connect to the DirectAccess server with 6to4, it will use IP-HTTPS. Native IPv6 client computers can connect ...Missing: process | Show results with:process
  17. [17]
    DirectAccess Unsupported Configurations - Microsoft Learn
    Jul 29, 2021 · This topic provides a list of unsupported DirectAccess configurations in Windows Server 2016.
  18. [18]
    Monitor the operations status of the Remote Access server and its ...
    Nov 1, 2024 · To monitor the Remote Access server operations status · In Server Manager, click Tools, and then click Remote Access Management. · Click DASHBOARD ...
  19. [19]
    Deploy Remote Access in an Enterprise - Microsoft Learn
    Aug 31, 2016 · In addition, a multisite deployment allows administrators to align Remote Access deployment to Active Directory sites, providing a simplified ...
  20. [20]
    Manage Remote Access | Microsoft Learn
    Jul 29, 2021 · DirectAccess allows remote management of clients connected to the internet, even when not on the internal network, using management servers.
  21. [21]
    Prerequisites for Deploying DirectAccess | Microsoft Learn
    Jun 25, 2014 · - Only supported for clients running Windows 8.1 Enterprise and Windows 8 Enterprise. - A public key infrastructure is not required. - Not ...
  22. [22]
    [PDF] Microsoft Active Directory Internals - Microsoft Download Center
    DirectAccess – Simple? When a DirectAccess client connects to the ... Drawbacks. Requires a new routing ... The Challenges. Tunnelling technologies for the ...
  23. [23]
    DirectAccess Selective Tunneling | Richard M. Hicks Consulting, Inc.
    May 14, 2018 · DirectAccess uses split tunneling by default. Optionally, it can be configured to use force tunneling if required. Force tunneling is commonly ...
  24. [24]
    Microsoft deprecates Windows DirectAccess, recommends Always ...
    Jun 12, 2024 · Microsoft has announced that the DirectAccess remote access solution is now deprecated and will be removed in a future release of Windows.
  25. [25]
    Prerequisites for Deploying DirectAccess
    ### Summary of Prerequisites for DirectAccess Deployment
  26. [26]
    Install Windows Server 2008 and Windows Server 2008 R2
    Aug 23, 2022 · Hardware Requirements · Minimum: 1 GHz (for x86 processors) or 1.4 GHz (for x64 processors) · Recommended: 2 GHz or faster.Introduction · Operating System Editions
  27. [27]
    Step 1 Configure the Basic DirectAccess Infrastructure
    Jul 29, 2021 · This topic describes how to configure the infrastructure required for a basic DirectAccess deployment using a single DirectAccess server in a mixed IPv4 and ...
  28. [28]
    Step 2 Configure the Basic DirectAccess Server - Microsoft Learn
    Jul 29, 2021 · The wizard will also enable NAT64 and DNS64 for protocol translation in the IPv4-only environment. After the wizard successfully completes ...Missing: IPsec tunnel
  29. [29]
    Guidance for troubleshooting DirectAccess - Windows Server
    Jan 15, 2025 · Infrastructure components. DirectAccess relies on perimeter or internal firewalls, load balancers, routers, switches, and so on. These should ...
  30. [30]
    Step 3 Configure the Multisite Deployment - Microsoft Learn
    Jul 29, 2021 · Configure additional Remote Access servers by setting up IP addresses, joining them to the domain, and installing the Remote Access role. 3.2.
  31. [31]
    About Always On VPN for Windows Server Remote Access
    May 7, 2025 · Always On VPN is available in all Windows editions, and the platform features are available to third parties by way of UWP VPN plug-in support.Supported Integrations · Security Features · Networking FeaturesMissing: introduction | Show results with:introduction
  32. [32]
    Remote Access Always On VPN migration planning - Microsoft Learn
    Jun 20, 2023 · A device tunnel can be initiated automatically and is persistent, resembling a DirectAccess infrastructure tunnel connection.
  33. [33]
    Migration from DirectAccess to Always On VPN - Microsoft Learn
    Mar 14, 2023 · Migrating from DirectAccess to Always On VPN requires a specific process to migrate clients, which helps minimize race conditions that arise from performing ...
  34. [34]
    Features Removed or No Longer Developed in Windows Server
    Sep 24, 2025 · Deprecation means that a feature, functionality, or service is no longer in active development. A deprecated feature might be removed in future ...Missing: DirectAccess June 2024 VPN