Skip to main content

Using DirectAccess

Applies to: Windows 8, Windows 8.1, Windows Server 2012

Microsoft DirectAccess is not the latest method for priority seating at amusements parks or the new toll lane on freeways. Rather, it is a feature in the Windows 8.1 and Windows Server 2012 operating systems that provides remote connectivity to users. DirectAccess was introduced in the Windows 7 and Windows Server 2008 R2 operating systems but has been improved for Windows 8.1 and Windows Server 2012. DirectAccess is similar in concept to a traditional virtual private network (VPN) but has several advantages.

The biggest advantage is that DirectAccess connections are more transparent than a VPN connection. Whereas users typically initiate and close VPN connections manually, Windows operating systems automatically initiate and close DirectAccess connections. This transparency means that as soon as the user’s device is connected to the Internet, the user is able to access resources on the organization’s intranet without manually initiating the connection. The DirectAccess connection is initiated before the user logs on to the device. This automatic connection works in both directions and allows network administrators to remotely manage the device.

To learn more about DirectAccess, let’s look in on Mark, an IT pro who works for Contoso, Ltd. Contoso has just started a new push to provide more services to its more than 300 mobile users. As a part of this project, these users have been given tablets running the Windows 8.1 Enterprise operating system. Mark has been tasked with providing remote connectivity to these users, who are largely technologically inexperienced. We’ll follow Mark as he creates his remote connectivity solution using DirectAccess.

Mark starts off creating his remote connectivity solution by comparing DirectAccess and traditional VPNs. After investigation, Mark finds that both have similar hardware requirements and provide comparable security for authentication of users and encryption of traffic. The big deciding factors in favor of DirectAccess are:

  • Ease of use and transparency for users. The users who will be using the remote connectivity solution are not familiar with the complexities of VPN remote access technologies. The thought of having to train and support more than 300 users on how to initiate the VPN connection, sign on, and then properly disconnect the connection sends shivers down Mark’s spine. In addition, the more complex the solution, the more likely the users are to log on infrequently, which means that their devices are not current with recent security updates and would be more vulnerable to security attacks.
  • Ease of management of users and their devices. Because DirectAccess automatically establishes a connection to Contoso’s intranet any time the device has an Internet connection, Mark can centrally manage these devices even when the user is not logged on to the device. DirectAccess also allows Mark to manage the devices if they are connected through routers at the users’ home, hotel, or other Wi-Fi hotspot without having to reconfigure router or firewall rules This allows Mark to use the same set of tools that he uses to manage devices directly connected to the Contoso intranet. The remote users are unaware of the connection and do not have to take any action to allow this functionality, unlike VPN connections, in which the user must initiate the connection. This automatic connection allows Mark to publish security updates and Group Policy settings to the remote devices so that the devices are compliant with current configuration baselines and security policies.

So, to keep the user learning curve low, reduce ongoing costs, improve manageability, and reduce the number of calls he’ll receive, Mark selects DirectAccess.

What’s new?

Mark heard about DirectAccess when it was introduced in Windows 7. Lately, there has been a lot of excitement about the new DirectAccess features and requirements in Windows 8.1 and Windows Server 2012, which he reads more about at Remote Access (DirectAccess, Routing and Remote Access) Overview. Table 1 lists the DirectAccess key improvements in Windows 8.1 and Window Server 2012 that are important to Mark’s solution.

Table 1. Improvements to DirectAccess in Windows 8.1 and Windows Server 2012

Public Key Infrastructure (PKI) is not a prerequisiteThe new Getting Started Wizard in Windows Server 2012 Remote Access allows use of DirectAccess for basic deployment scenarios in four steps without the need to set up additional infrastructure servers, such as a certification authority for a PKI.
Simplified deploymentThe new Getting Started Wizard simplifies the setup of DirectAccess and minimizes the need to learn and deploy Internet Protocol version 6 (IPv6) transition technologies. The wizard automatically installs and configures the Window Server 2012 IPv6 transitions technologies. In addition, the Remote Access Setup Wizard can help configure advanced configuration scenarios, such as support for multiple domains and Network Access Protection.
Support for a network address translation (NAT) infrastructureDirectAccess supports the placement of DirectAccess servers behind NAT devices, which removes the need to configure the DirectAccess server with public IP version 4 (IPv4) addresses and thereby allows you to deploy the server behind your organization’s firewalls to help protect the servers from malicious attacks.
Support for multiple sites

DirectAccess supports the placement in multiple geographical sites or entry points to provide efficient access to the nearest entry point by establishing remote connectivity to the closest site for the remote device. Windows 8.1 devices can automatically choose the nearest site, or a user can manually select a site.

note iconNote: Multisite deployments are not discussed in this article. For more information, see Test Lab Guide: Demonstrate a DirectAccess Multisite Deployment.
Support for load balancing

DirectAccess supports load balancing solutions to provide high availability and scalability by using either Windows Network Load Balancing (NLB) or a hardware load balancer. Load balancing allows you to configure two or more DirectAccess servers so that the workload is shared across multiple servers and server failover occurs in the event that one of the servers fails.

note iconNote: Load balancing DirectAccess server is not discussed in this article. For more information, see Test Lab Guide: Demonstrate DirectAccess in a Cluster with Windows NLB.
Integrated Network Connectivity AssistantWindows 8.1 includes the Network Connectivity Assistant, which provides users with information about DirectAccess status and troubleshooting assistance.

Back to top

Where do we start?

Before Mark starts his deployment, he decides to first review the existing Contoso intranet configuration. Figure 1 illustrates the Contoso intranet for Mark’s DirectAccess solution at the New York location.

Figure 1. Intranet in Contoso’s DirectAccess solution

Mark determines that the intranet has the following:

  • A direct connection to the Internet through a device that provides firewall and NAT services
  • Resources located on the intranet, such as web servers, file servers, application servers, domain controllers, and other services

Currently, the Internet connectivity provides Microsoft Outlook Web App, Exchange ActiveSync, and access to public-facing customer resources. A public-facing Domain Name System (DNS) server hosts the necessary DNS records to support these Internet-facing applications. Mark determines that the existing Internet connection has sufficient available bandwidth to support his DirectAccess solution by measuring the network bandwidth that a typical mobile user accessing their applications in his lab environment consume, and then extrapolating that usage for all the users.

What’s the plan?

After reviewing the current environment, Mark creates his DirectAccess design. With the reduced hardware and software prerequisites and requirements for DirectAccess in Windows Server 2012, Mark determines that he can place a single DirectAccess server in the New York location. Also, because Mark can deploy DirectAccess behind a NAT device, he can use the existing device that provides firewall and NAT services. Figure 2 illustrates Mark’s physical placement of the DirectAccess servers in his solution.

Figure 2. Contoso’s DirectAccess design

In addition, Mark notes that he needs to create DNS records for DirectAccess in the existing Contoso public-facing Internet DNS servers. These DNS records are used to provide the public IP addresses for the DirectAccess server. Mark configures the Windows 8.1 devices to use these DNS records to connect to DirectAccess.

As shown in Figure 2, DirectAccess required Mark to make minimal changes to the existing infrastructure design. These changes result in faster deployment and a lower initial cost for deployment.

Back to top

Deploy the infrastructure

With the DirectAccess design complete, Mark is ready to deploy DirectAccess at the New York location. Windows Server 2012 includes the new Getting Started Wizard, which helps simplify the DirectAccess deployment process. Prior to running the Getting Started Wizard, Mark performs the following steps:

  1. Create an Active Directory Domain Services security group called DirectAccessClients for use in deploying DirectAccess Group Policy settings.
  2. Create a DNS record in the public-facing DNS server for each DirectAccess server to be deployed.

Mark uses the Getting Started Wizard to deploy DirectAccess to the designated virtual machine:

  1. Start the Remote Access Management Console.
  2. Start the Getting Started Wizard by clicking the Run the Getting Started Wizard hyperlink, as shown in Figure 3.

  3. Figure 3. Starting the Getting Started Wizard

  4. On the Welcome to Remote Access wizard page, click Deploy DirectAccess only to deploy only DirectAccess (Figure 4). Mark selects this option, because he needs only DirectAccess with no VPN features.

  5. Figure 4. Deploying only DirectAccess

  6. On the Select the network topology of the server wizard page (Figure 5), select Behind an edge device (with a single network adapter).

    Mark chooses this option, because he has deployed the DirectAccess server behind the device providing firewall and NAT services, and the DirectAccess server only has one network adapter.

  7. In the Type the public name or IPv4 address used by clients to connect to the Remote Access server text box, enter the DNS name for the DNS record entered in the public-facing DNS servers.

  8. Figure 5. Configuring DirectAccess for deployment

  9. On the Remote Access settings will be applied wizard page (Figure 6), click Finish to apply the configuration settings.

  10. Figure 6. Applying configuration settings

    After Mark clicks Finish, the wizard displays the Applying Getting Started Wizard Settingprogress dialog box, which displays the configuration progress (Figure 7).

    Figure 7. Configuration progress

Back to top

Configure remote devices

After Mark deploys the DirectAccess servers, he begins the process of configuring the Windows 8.1 devices. All Mark must do is connect the devices to the Contoso intranet and join the devices to the appropriate Contoso domain. After the devices are connected to the appropriate Contoso domain, the Group Policy settings configured in the Getting Started Wizard will properly configure all the devices for DirectAccess.

Mark has identified the scenarios for joining the devices to the appropriate Contoso domain and the method he will use to join the devices to the domain in Table 2.

Table 2. Scenarios for joining devices to Contoso domains

Devices that can be directly connected to the Contoso intranet.Join the device to the domain as a part of the provisioning process by using Windows PowerShell scripts or the Windows 8.1 user interface.
Devices that are remote and unable to connect directly to the Contoso intranetJoin the device to the domain by using the DirectAccess Offline Domain Join process. Using this process, Mark can connect these devices, even though they never directly connect to the Contoso intranet. Mark creates a DirectAccess provisioning package for each device, and then securely transfers the provisioning package to each user with a new device. The user uses the package to securely join the domain through DirectAccess.

What do users experience?

For the first few users, Mark wants to make certain they have a good experience using DirectAccess for the first time. So, Mark decides to observe these users as they initially use DirectAccess to find out what their experience is like.

Contoso uses Group Policy, Microsoft User Experience Virtualization (UE-V), Application Virtualization (App-V), System Center 2012 Configuration Manager, and System Center 2012 - Operations Manager to manage users and devices. It is important that when the remote users log on they see no change in the logon process and their devices are managed as effectively and efficiently as if the devices were directly connected.

For users whose devices are directly attached to the Contoso intranet or who connect using a VPN, the users log on as they normally would. They see the same logon process, and all their network drives and applications are connected as normal. Mark instructs the users to disconnect the device from the Contoso intranet or the VPN connection and use the device’s 4G mobile broadband connection and DirectAccess. The user logs on normally and has the same experience as when they were directly connected to the Contoso intranet.

For users who never connect directly to the Contoso intranet or through a VPN, they must use the DirectAccess Offline Domain Join process to initially join the appropriate domain and configure DirectAccess. When this process is complete, the users log on normally and have the same experience as if they were directly connected to the Contoso intranet.

Because Contoso is using Group Policy, UE-V, and App-V, the user experience always follows the users, regardless of how they are connected. Without Group Policy, UE-V, and App-V, the user experience would change from device to device, because the configuration settings that provide the user experience are stored locally on each device only. After seeing the user experience firsthand, Mark is happy and relieved that he didn’t select the VPN solution!

Back to top

How does management work?

So, how will Mark manage the users and their new Windows 8.1 devices on DirectAccess? He will use the same tools that he uses to manage users and devices directly connected to the Contoso intranet. One reasons Mark selected a DirectAccess solution over a VPN solution is that he can manage the devices anytime they are connected to the Internet, regardless of whether the user is logged on. Again, Mark is happy that he chose a DirectAccess solution, because this level of management is not as transparent with a VPN solution.

Mark can monitor the DirectAccess connections by using the Remote Access Management Console and System Center 2012 - Operations Manager. Mark can determine the performance and overall health of the DirectAccess connections to better manage his DirectAccess solution. He can use any of his typical management or monitoring tools to manage and monitor his DirectAccess solution.


Mark was able to address Contoso’s remote connectivity requirements by using DirectAccess. He was able to deploy DirectAccess easily using the Getting Started Wizard. He was also able to connect user devices, regardless of whether they connect directly to the Contoso intranet. Mark is also able to use his familiar management and monitoring tools for DirectAccess-attached devices. And finally, Mark can scale his solution and provide the availability needed now and in the future.

Now it is your turn to create your own DirectAccess success story using Windows 8.1 and Windows Server 2012. Learn more about how to evaluate and deploy DirectAccess yourself using the Test Lab Guide: Windows Server 2012 Base Configuration, Test Lab Guide: Demonstrate DirectAccess Simplified Setup in an IPv4-only Test Environment in Windows Server "8" Beta, and Remote Access (DirectAccess, Routing and Remote Access) Overview. Oh, and don’t forget to buy that updated amusement park pass so that you can get direct access to the head of the line!

Additional resources