Applies to: Windows 8, Windows 8.1, Windows Server 2012
This article provides answers to common IT professional questions about DirectAccess in the Windows 8.1 and Windows Server 2012 operating systems.
DirectAccess allows remote users to seamlessly access resources inside a corporate network without having to launch a separate VPN. It also helps IT administrators keep remote users’ PCs in compliance by connecting the PC to the corporate network any time it is on the Internet. IT administrators can use their existing management infrastructure to apply the latest policies and software updates to those PCs. When deployed with Windows Server 2012, DirectAccess is even easier to deploy and implement with the existing IPv4 infrastructure.
Using DirectAccess requires Windows 7 Enterprise or Windows 8.1 Enterprise. Some DirectAccess features are not available in Windows 7 Enterprise, requiring Windows 8.1 Enterprise to deploy them.
Other than Windows 8.1 and Windows Server 2012, you need three simple things. First, the clients and the server must have Internet connectivity. Second, you need connectivity to your intranet. Third, you need to be able to configure the clients and server by using Group Policy, which means that the clients and server must be joined to the domain.
DirectAccess in Windows 8.1 and Windows Server 2012 offers many significant new and improved features. In Windows Server 2012, DirectAccess makes it simpler to deploy multisite configurations that connect to the nearest server, improves scalability with high availability, and improves performance in virtual environments. Beyond that, DirectAccess in Windows Server 2012 is easier to deploy than earlier versions, especially for small businesses. Windows Server 2012 combines DirectAccess and Routing and Remote Access Server (RRAS) into a unified server role, which IT administrators can easily configure by using the Getting Started Wizard. They can deploy DirectAccess without a public key infrastructure (PKI) and provide access to IPv4 resources without using additional transition technologies.
With Windows 8.1 and Windows Server 2012, simple deployments of DirectAccess are much easier. You no longer require multiple public IP addresses, and you do not need multiple network interfaces. You do not have to place the DirectAccess server on the network edge, open up non-standard ports, or use Forefront Unified Access Gateway (UAG) to access IPv4 networks. Last, you do not have to have a PKI for DirectAccess in simple scenarios.
In earlier versions of Windows Server, a PKI was required to deploy DirectAccess. DirectAccess used the PKI for server and client certificate-based authentication. Now Windows 8.1 sends client authentication requests by using a Kerberos proxy service running on the DirectAccess server. The Kerberos proxy service sends requests to domain controllers on behalf of the client. As a result, for simple deployments a PKI is not required to deploy DirectAccess, and IT administrators can use the Getting Started Wizard to configure DirectAccess in a few easy steps. For more complex deployment scenarios, a PKI is still required.
Yes. In earlier versions of Windows Server, DirectAccess and RRAS could not coexist on the same edge server. Windows Server 2012 combines DirectAccess and RRAS into a new, unified server role.
DirectAccess in Windows Server 2012 offers native support for NAT64 and DNS64 translations to convert IPv6 communication from the client to IPv4 on the corporate network. Using Forefront UAG is not required to provide NAT64 or DNS64 translations.
Yes. DirectAccess in earlier versions of Windows Server required two network interfaces with two consecutive public IPv4 addresses to allow the server to act as a Teredo server. With Windows Server 2012, you can deploy a DirectAccess server behind network address translation (NAT) devices with only one network interface.
Yes. In Windows Server 2012, DirectAccess supports Windows Network Load Balancing for high availability and scalability. You can configure load balancing easily by using the deployment wizard.
Yes. With earlier versions of Windows Server, if clients roamed between sites, setting up multisite DirectAccess required careful planning and design to ensure that they connected through DirectAccess servers via the most efficient route. There are many challenges to consider in a multisite environment, such as making sure the client locates the closest IP-HTTPS server, Teredo server, DNS server, and domain controller. Windows Server 2012 DirectAccess provides a solution that allows IT administrators to more easily deploy multiple DirectAccess entry points across geographic locations, and allows clients (regardless of their physical location) to access resources within the intranet in an efficient manner.
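The load-balanced and multisite deployments described in the two answers above are managed through the RemoteAccess PowerShell module that ships with the Windows Server 2012 Remote Access role. The following is an added example, not code from the original article or from Microsoft, showing a read-only health summary an administrator can run on a DirectAccess server to confirm the role is installed, see which components are unhealthy, and list the entry points when multisite is enabled. It assumes the property names the cmdlets return on Server 2012 (DAStatus, VpnStatus, Component, HealthState, EntryPointName); verify them with Get-Member on your own server.

```powershell
# Added example (not from the original article): read-only health summary for a
# Windows Server 2012 DirectAccess server, including NLB/multisite members.
# Assumed property names: DAStatus, VpnStatus (Get-RemoteAccess);
# Component, HealthState (Get-RemoteAccessHealth); EntryPointName (Get-DAEntryPoint).

function Get-DirectAccessHealthSummary {
    [CmdletBinding()]
    param()

    Import-Module RemoteAccess -ErrorAction Stop

    $ra = Get-RemoteAccess
    $summary = [ordered]@{
        DAStatus  = $ra.DAStatus    # expected 'Installed' on a configured server
        VpnStatus = $ra.VpnStatus   # RRAS VPN shares the role since Server 2012
    }

    # Per-component health (IP-HTTPS, Teredo, DNS64, Kerberos proxy, ...).
    # Anything whose state is not 'OK' is the first place to look when clients fail.
    $health = Get-RemoteAccessHealth
    $summary.UnhealthyComponents = @(
        $health | Where-Object { $_.HealthState -ne 'OK' } |
            ForEach-Object { '{0}={1}' -f $_.Component, $_.HealthState }
    ) -join '; '

    # Multisite is optional; Get-DAMultiSite fails when it has not been enabled,
    # so treat that failure as "single site" rather than as an error.
    try {
        $null = Get-DAMultiSite -ErrorAction Stop
        $summary.MultisiteEnabled = $true
        $summary.EntryPoints = @(Get-DAEntryPoint | ForEach-Object { $_.EntryPointName }) -join ', '
    } catch {
        $summary.MultisiteEnabled = $false
        $summary.EntryPoints = ''
    }

    [pscustomobject]$summary
}

# Run from an elevated PowerShell session on the DirectAccess server.
Get-DirectAccessHealthSummary | Format-List
```

Run the function on each NLB node or entry point separately; a node whose UnhealthyComponents field is non-empty will still receive client connections from the load balancer, so this is worth scheduling rather than running only when users complain.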
In previous versions of Windows Server, IT administrators could only configure DirectAccess for a single domain by using the setup wizard. However, they could manually configure multiple domains by editing DirectAccess policies after deployment. DirectAccess in Windows Server 2012 provides integrated support for multiple domains, allowing remote client access to resources that are in different domains.
You can use Offline Domain Join to join computers to the domain and push DirectAccess settings to client computers running Windows 8.1. For more information about Offline Domain Join, see the article DirectAccess Offline Domain Join on TechNet.
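The following is an added example, not code from the original article or from Microsoft, showing how the Offline Domain Join step above is carried out with djoin.exe. The /policynames switch embeds the named DirectAccess client GPO in the provisioning blob so the client gets its DirectAccess settings before it has ever reached a domain controller; /rootcacerts additionally embeds the domain root CA certificates, which a Windows 7 client needs for its certificate-based authentication. The domain name, machine name, GPO name and file paths are all placeholders.

```powershell
# Added example (not from the original article): provision an offline domain join
# blob that also carries the DirectAccess client GPO, then apply it on the client.
# All names below are placeholders for your own environment.

# ---- Step 1: run on a domain-joined admin workstation with rights to create
#      computer accounts (or on a domain controller) ----
$Domain   = 'corp.example.com'                  # placeholder domain
$Machine  = 'DA-CLIENT01'                       # placeholder computer name
$DaGpo    = 'DirectAccess Client Settings'      # placeholder: your DA client GPO name
$BlobPath = 'C:\odj\DA-CLIENT01.txt'            # placeholder output path

New-Item -ItemType Directory -Path (Split-Path $BlobPath) -Force | Out-Null

# /policynames embeds the DA client GPO; /rootcacerts embeds the domain root CA
# certificates (needed by Windows 7 clients, harmless for Windows 8.1 clients).
djoin.exe /provision /domain $Domain /machine $Machine /policynames $DaGpo /rootcacerts /savefile $BlobPath
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

# The blob contains the new machine account's password: move it to the client over
# a trusted channel and delete both copies once the join has completed.

# ---- Step 2: run on the target client from an elevated prompt, then restart ----
# djoin.exe /requestODJ /loadfile C:\odj\DA-CLIENT01.txt /windowspath $env:SystemRoot /localos
# Restart-Computer
```

After the restart the client applies the embedded GPO immediately, so its DirectAccess tunnel can come up from the Internet without the machine ever having been on the intranet; the first Group Policy refresh over that tunnel then brings it fully into line with the domain.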
Using DirectAccess requires Windows 8.1 Enterprise. The operating system includes built-in support for DirectAccess, so there is no client component that you have to install.
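Because the client support is built into Windows 8.1, the prerequisites listed earlier on this page (domain membership, settings delivered by Group Policy, Internet connectivity and a working path to the intranet) can all be checked with cmdlets already present on the client. The following is an added example, not code from the original article or from Microsoft, that gathers those checks into one read-only function for help-desk use. It assumes the Get-DAConnectionStatus, Get-DnsClientNrptPolicy and Get-NetIPHttpsState cmdlets and their Status, Substatus, Namespace, State and LastErrorCode properties as shipped in Windows 8.1; the intranet host name is a placeholder.

```powershell
# Added example (not from the original article): read-only DirectAccess client
# prerequisite and status check for Windows 8.1 Enterprise.
# Assumed cmdlet output properties: Status/Substatus (Get-DAConnectionStatus),
# Namespace (Get-DnsClientNrptPolicy), State/LastErrorCode (Get-NetIPHttpsState).

function Test-DirectAccessClient {
    [CmdletBinding()]
    param(
        [string]$IntranetHost = 'intranet.corp.example.com'   # placeholder
    )

    $result = [ordered]@{}

    # 1. DirectAccess is configured through Group Policy, so the client must be a
    #    domain member; a workgroup machine can never receive the DA settings.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $result.DomainJoined = [bool]$cs.PartOfDomain
    $result.Domain       = $cs.Domain

    # 2. The client's own view of the tunnel (ConnectedRemotely, ConnectedLocally, Error...).
    $da = Get-DAConnectionStatus
    $result.DAStatus    = $da.Status
    $result.DASubstatus = $da.Substatus

    # 3. The Name Resolution Policy Table is what the DA GPO uses to send intranet
    #    names to the DNS64/intranet DNS servers; an empty effective NRPT usually
    #    means the DirectAccess client GPO has not applied to this machine.
    $nrpt = @(Get-DnsClientNrptPolicy -Effective)
    $result.NrptRuleCount  = $nrpt.Count
    $result.NrptNamespaces = ($nrpt | ForEach-Object { $_.Namespace }) -join ', '

    # 4. IP-HTTPS is the transition technology that works from behind almost any NAT,
    #    so its state and last error are the first things to read when DA is down.
    $iphttps = Get-NetIPHttpsState
    $result.IPHttpsState     = $iphttps.State
    $result.IPHttpsLastError = $iphttps.LastErrorCode

    # 5. End-to-end name resolution for an intranet host through the NRPT.
    try {
        $result.IntranetResolves = [bool](Resolve-DnsName -Name $IntranetHost -ErrorAction Stop)
    } catch {
        $result.IntranetResolves = $false
    }

    [pscustomobject]$result
}

Test-DirectAccessClient | Format-List
```

Reading the output from the top down mirrors the dependency order: a machine that is not domain-joined or has no NRPT rules has a policy-delivery problem, whereas one with rules in place but an IP-HTTPS error has a transport or certificate problem on the path to the DirectAccess server.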
While for simple deployments a PKI is not required to support DirectAccess clients running Windows 8.1, you must deploy a PKI to support DirectAccess clients running Windows 7.
Yes. DirectAccess supports one-time passwords, smart cards, and virtual smart cards in Windows 8.1. For more information about virtual smart cards, see What's New in Smart Cards.
See the article titled Migrate from Forefront UAG SP1 DirectAccess to Windows Server 2012.
To learn more about deploying, configuring, and managing DirectAccess in Windows Server 2012, see Remote Access (DirectAccess, Routing and Remote Access) Overview.