Although DirectAccess has several advantages over VPNs, there are several scenarios where a VPN is still a preferred solution. Some of these include:
Non-domain joined computers. DirectAccess client computers must be joined to a domain. Therefore, computers that are not a member of a domain should use a VPN for remote access.
Client computers not running Windows 7 or Windows Server 2008 R2. Computers that are running Windows Vista or earlier operating system versions, or computers that are running non-Microsoft operating systems, cannot be DirectAccess client computers.
Networks without Windows Server 2008 R2. The DirectAccess server must be running Windows Server 2008 R2. Earlier versions of Windows Server support VPN server functionality and organizations can deploy a wide variety of non-Windows-based VPN servers.
Networks without a public key infrastructure (PKI). Organizations that deploy DirectAccess must use a PKI, such as Active Directory® Certificate Services (AD CS), which is provided with recent versions of the Windows Server operating system, to issue certificates for DirectAccess and IPsec.
Networks that block IPv6 and IPv6 transition technology protocols. DirectAccess uses IPv6. Although IPv6 transition technologies enable DirectAccess to work on existing IPv4 networks (IPv6 needs to be enabled on the client and server computers), several IPv6-related protocols must be allowed to pass through your outward facing firewalls. If firewall rules block these protocols and they cannot be changed, the organization must use a VPN instead of DirectAccess.
For detailed information about these protocols, refer to the Windows Server 2008 R2 Technical Overview (http://go.microsoft.com/fwlink/?LinkId=152315).
In addition to these specific scenarios, VPNs might be easier to deploy for organizations that do not have prior experience with IPv6 and IPsec.