
Prerequisites for Deploying DirectAccess

Updated: June 25, 2014

Applies To: Windows Server 2012, Windows Server 2012 Essentials, Windows Server 2012 R2, Windows Server 2012 R2 Essentials



The following table lists the prerequisites necessary for using the configuration wizards to deploy DirectAccess.

 

Scenario

Prerequisites

Deploy a Single DirectAccess Server Using the Getting Started Wizard

  • Windows Firewall must be enabled on all profiles.

  • Only supported for clients running Windows 8.1 Enterprise and Windows 8 Enterprise.

  • ISATAP in the corporate network is not supported. If you are using ISATAP, you should remove it and use native IPv6.

  • A public key infrastructure is not required.

  • Not supported for deploying two-factor authentication. Domain credentials are required for authentication.

  • Automatically deploys DirectAccess to all mobile computers in the current domain.

  • Traffic to the Internet does not go through DirectAccess. Force tunnel configuration is not supported.

  • DirectAccess server is the network location server.

  • Network Access Protection (NAP) is not supported.

  • Changing policies by using a feature other than the DirectAccess management console or Windows PowerShell cmdlets is not supported.

Deploy a Single DirectAccess Server with Advanced Settings

  • Windows Firewall must be enabled on all profiles.

  • ISATAP in the corporate network is not supported. If you are using ISATAP, you should remove it and use native IPv6.

  • Computers that are running the following operating systems are supported as DirectAccess clients.

    • Windows Server® 2012 R2

    • Windows 8.1 Enterprise

    • Windows Server® 2012

    • Windows 8 Enterprise

    • Windows Server® 2008 R2

    • Windows 7 Ultimate

    • Windows 7 Enterprise

  • Force tunnel configuration is not supported with KerbProxy authentication.

  • Changing policies by using a feature other than the DirectAccess management console or Windows PowerShell cmdlets is not supported.

  • Separating NAT64/DNS64 and IPHTTPS server roles on another server is not supported.

Deploy Remote Access in a Cluster

  • Default load balancing is through the Network Load Balancing (NLB) feature in Windows Server.

  • External load balancers are supported.

  • Unicast mode is the default and recommended mode for NLB.

  • Changing policies by using a feature other than the DirectAccess management console or Windows PowerShell cmdlets is not supported.

  • When NLB or an external load balancer is used, the IPHTTPS prefix must remain /59.

  • Load balanced nodes must be in the same IPv4 subnet.

  • In external load balancer deployments, if remote management is needed, DirectAccess clients cannot use Teredo. Only IPHTTPS can be used for end-to-end communication.

  • All known hotfixes for Network Load Balancing external load balancing must be installed.

  • ISATAP in the corporate network is not supported. If you are using ISATAP, you should remove it and use native IPv6.

Deploy Multiple Remote Access Servers in a Multisite Deployment

  • Clients running Windows 7 always connect to a specific site. They cannot connect to the closest site based on the location of the client (unlike clients running Windows 8.1 and Windows 8).

  • Changing policies by using a feature other than the DirectAccess management console or Windows PowerShell cmdlets is not supported.

  • The corporate network must be using IPv6. If you are using ISATAP, you should remove it and use native IPv6.

Deploy Remote Access with OTP Authentication

  • Before you deploy one-time password authentication, follow the guidance in Deploy a single Remote Access server with advanced settings.

  • Clients running Windows 7 Enterprise and Windows 7 Ultimate need to use DCA 2.0 to support one-time password authentication.

  • One-time password authentication does not support a PIN change.

  • Changing policies by using a feature other than the DirectAccess management console or Windows PowerShell cmdlets is not supported.

Deploy Remote Access in a Multi-Forest Environment

  • Two-way trust is required.

Manage DirectAccess Clients Remotely

  • Windows Firewall must be enabled on all profiles.

  • ISATAP in the corporate network is not supported. If you are using ISATAP, you should remove it and use native IPv6.

  • Computers that are running the following operating systems are supported as DirectAccess clients.

    • Windows Server® 2012 R2

    • Windows 8.1 Enterprise

    • Windows Server® 2012

    • Windows 8 Enterprise

    • Windows Server® 2008 R2

    • Windows 7 Ultimate

    • Windows 7 Enterprise

  • Changing policies by using a feature other than the DirectAccess management console or Windows PowerShell cmdlets is not supported.

Migrate from Forefront UAG SP1 DirectAccess to Windows Server 2012

  • ISATAP in the corporate network is not supported. If you are using ISATAP, you should remove it and use native IPv6.

  • If NAP is used in Forefront Unified Access Gateway, NAP requires a separate Network Policy Server.

    NAP was deprecated in Windows Server 2012 R2. This means that NAP may not be supported in future versions of Windows. New deployments with NAP are not recommended.
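
Two prerequisites that recur in the table above, Windows Firewall enabled on all profiles and no ISATAP in use, can be checked on a host before running a wizard. The following PowerShell script is an added example, not part of the original Microsoft page; the function names are hypothetical, and the ISATAP test is a heuristic for the local host only and does not survey the rest of the corporate network.

```powershell
# Added example: pre-flight checks for two DirectAccess prerequisites.
# Assumes Windows Server 2012 / Windows 8 or later and an elevated session.

function Test-FirewallAllProfiles {
    # ActiveStore is the effective policy (local settings merged with GPO),
    # so a profile switched off by Group Policy is caught as well.
    $off = @(Get-NetFirewallProfile -PolicyStore ActiveStore |
             Where-Object { [string]$_.Enabled -ne 'True' })
    [pscustomobject]@{
        Check  = 'Windows Firewall enabled on all profiles'
        Passed = ($off.Count -eq 0)
        Detail = if ($off) { 'Disabled: ' + ($off.Name -join ', ') }
                 else      { 'Domain, Private and Public are enabled' }
    }
}

function Test-IsatapNotInUse {
    # Assumption: unless the state is forced to Enabled or Disabled, the
    # host brings ISATAP up only when the name "isatap" resolves in DNS.
    $state    = [string](Get-NetIsatapConfiguration).State
    $resolves = [bool](Resolve-DnsName -Name 'isatap' -DnsOnly `
                                       -ErrorAction SilentlyContinue)
    $inUse    = ($state -eq 'Enabled') -or
                ($state -ne 'Disabled' -and $resolves)
    [pscustomobject]@{
        Check  = 'ISATAP not in use on this host'
        Passed = (-not $inUse)
        Detail = "State=$state; 'isatap' resolves in DNS: $resolves"
    }
}

# Run both checks and show one row per prerequisite.
$results = @(Test-FirewallAllProfiles; Test-IsatapNotInUse)
$results | Format-Table -AutoSize -Wrap

if ($results.Passed -contains $false) {
    Write-Warning 'At least one prerequisite is not met; fix it before running the wizard.'
}
```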
