Remote Access (DirectAccess) Unsupported Configurations
Updated: September 9, 2013
Applies To: Windows Server 2012 R2
Review the following list of unsupported DirectAccess configurations before starting your deployment to avoid having to start your deployment over.
NAP is used to determine whether or not remote client computers meet IT policies before they are granted access to the corporate network. NAP was deprecated in Windows Server 2012 R2, which means that NAP may not be supported in future versions of Windows. For this reason, starting a new deployment of DirectAccess with NAP is not recommended; a different method of endpoint control for securing DirectAccess clients is recommended.
When DirectAccess is configured as a multisite deployment, Windows 8 and Windows 8.1 clients have the capability of connecting to the nearest site. Windows 7 client computers do not have the same capability. Site selection for Windows 7 clients is set to a particular site at the time of policy configuration and these clients will always connect to that designated site, regardless of location.
DirectAccess policies are computer based, not user based. Specifying DirectAccess user policies to control access to the corporate network is not supported.
DirectAccess can be configured using the Remote Access Management console or with Remote Access PowerShell cmdlets. Using any other means to configure DirectAccess, such as modifying DirectAccess GPOs directly, or manually modifying the default policy settings on the server/client, is not supported and may result in an unusable configuration.
When the DirectAccess server is configured with the Getting Started Wizard, the server uses KerbProxy for computer and user authentication. As such, the Getting Started Wizard should only be used for single-site deployments with only Windows 8 or Windows 8.1 clients.
If you are configuring, or might configure, any of the following in the future, do not use KerbProxy-based authentication:
- Load balancing (external load balancer or Windows Load Balancer)
- Two Factor Authentication (2FA) where smart cards or OTP are needed in the deployment

The following deployments are not supported if you have configured KerbProxy-based authentication:
- DirectAccess support for Windows 7 clients
For the deployments above, you should use the Advanced Configuration Wizard (Deploy a Single Remote Access Server with Advanced Settings), which uses the two-tunnel configuration with certificate-based computer and user authentication.
ISATAP is a transition technology used to provide IPv6 connectivity in IPv4-only corporate networks. It is intended only for small and medium organizations with a single DirectAccess server deployment, to allow manage-out capabilities. If you have ISATAP deployed in a multisite, load-balanced, or multi-domain environment, you must either remove it or move to a native IPv6 deployment before configuring DirectAccess.
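The article only lists the unsupported combinations; it does not show how to check an existing server for them. The following audit script is an added example (not Microsoft's code and not part of the original article) that reads the current configuration through the supported Remote Access cmdlets and reports the combinations the article calls out: NAP health checks, KerbProxy-based authentication together with Windows 7 clients, load balancing, 2FA/OTP or multisite, and ISATAP in a multisite or load-balanced deployment. It assumes it runs elevated on a Windows Server 2012 R2 DirectAccess server with the RemoteAccess module present; the property names it reads (`HealthCheck`, `ComputerCertAuthentication`, `UserAuthentication`, `Downlevel`, `LoadBalancing`, `OtpStatus`) are taken from the documented output of `Get-DAServer`, `Get-DAClient`, `Get-RemoteAccessLoadBalancer` and `Get-DAOtpAuthentication`, and the ISATAP check is a heuristic (ISATAP state plus a DNS lookup of the `isatap` host name); verify both against your own server's output before relying on the result.

```powershell
# Added audit example; not from the original article. Assumes an elevated session on
# a Windows Server 2012 R2 DirectAccess server with the RemoteAccess module installed.
function Test-DAUnsupportedConfiguration {
    [CmdletBinding()]
    param()

    Import-Module RemoteAccess -ErrorAction Stop
    $findings = New-Object 'System.Collections.Generic.List[string]'

    $server = Get-DAServer
    $client = Get-DAClient

    # Get-DAMultiSite raises an error when multisite is not enabled, so an object
    # coming back means this is a multisite deployment.
    $multiSite   = Get-DAMultiSite -ErrorAction SilentlyContinue
    $isMultiSite = $null -ne $multiSite

    # Load balancing (external load balancer or Windows NLB).
    $lb             = Get-RemoteAccessLoadBalancer -ErrorAction SilentlyContinue
    $isLoadBalanced = ($null -ne $lb) -and ($lb.LoadBalancing -eq 'Enabled')

    # OTP-based two-factor authentication.
    $otp   = Get-DAOtpAuthentication -ErrorAction SilentlyContinue
    $isOtp = ($null -ne $otp) -and ($otp.OtpStatus -eq 'Enabled')

    # 1. NAP endpoint checks: deprecated in Windows Server 2012 R2.
    if ($server.HealthCheck -eq 'Enabled') {
        $findings.Add('NAP health checks are enabled. NAP is deprecated; plan another endpoint control method.')
    }

    # 2. KerbProxy-based authentication (what the Getting Started Wizard configures):
    #    no certificate-based computer authentication, so no two-tunnel configuration.
    $kerbProxy = $server.ComputerCertAuthentication -eq 'Disabled'
    if ($kerbProxy) {
        if ($client.Downlevel -eq 'Enabled') {
            $findings.Add('KerbProxy authentication with Windows 7 (downlevel) clients is unsupported; use certificate-based computer and user authentication.')
        }
        if ($isLoadBalanced) {
            $findings.Add('KerbProxy authentication with load balancing is unsupported.')
        }
        if ($isOtp -or $server.UserAuthentication -eq 'TwoFactor') {
            $findings.Add('KerbProxy authentication with two-factor (smart card/OTP) user authentication is unsupported.')
        }
        if ($isMultiSite) {
            $findings.Add('KerbProxy authentication (Getting Started Wizard) should only be used for single-site deployments.')
        }
    }

    # 3. ISATAP with multisite or load balancing. Heuristic (assumption): ISATAP is
    #    considered deployed when the server's ISATAP state is Enabled or the domain
    #    publishes an 'isatap' host record. Multi-domain deployments are not detected here.
    $isatapState = (Get-NetIsatapConfiguration -ErrorAction SilentlyContinue).State
    $domain      = (Get-CimInstance Win32_ComputerSystem).Domain
    $isatapDns   = Resolve-DnsName -Name "isatap.$domain" -Type A -ErrorAction SilentlyContinue
    $isIsatap    = ($isatapState -eq 'Enabled') -or ($null -ne $isatapDns)
    if ($isIsatap -and ($isMultiSite -or $isLoadBalanced)) {
        $findings.Add('ISATAP is deployed with multisite or load balancing; remove ISATAP or move to native IPv6 before configuring DirectAccess.')
    }

    return $findings
}

# Usage: run on the DirectAccess server and review each reported finding.
$result = Test-DAUnsupportedConfiguration
if ($result.Count -eq 0) {
    Write-Output 'No unsupported DirectAccess configurations detected by this check.'
} else {
    $result | ForEach-Object { Write-Output "UNSUPPORTED: $_" }
}
```

The script only reads configuration; it changes nothing, so it is safe to run on a production server. Because the article says that any change outside the console or the cmdlets is unsupported, remediation of a finding (for example, switching to certificate-based authentication with `Set-DAServer`, or disabling downlevel client support with `Set-DAClient`) should likewise be done through those cmdlets or the Remote Access Management console, never by editing the DirectAccess GPOs directly.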