Manage Learn to apply best practices and optimize your operations.

Easier DirectAccess setup means a plausible VPN alternative for admins

DirectAccess used to be a complicated feature, but not anymore. In Windows Server 2012, simpler DirectAccess setup helps admins connect mobile users.

DirectAccess was one of those features introduced with Windows 7 and Windows Server 2008 R2 and never really caught on. The feature was designed to be a next-generation VPN replacement solution, but it suffered from overwhelming complexity. IT pros practically needed a doctorate in computer science to set it up.

But Microsoft reintroduced the DirectAccess feature with Windows 8. In doing so, they made setup of DirectAccess much easier, and organizations might do well to take a fresh look at DirectAccess.

For those not be familiar with DirectAccess, it is a solution designed to provide mobile users with connectivity to the corporate network. Unlike a VPN, the end user does not have to do anything to initiate the connection. If the user has an Internet connection, they are automatically connected to the corporate network.

DirectAccess offers benefits beyond simplifying the end-user experience. One of the problems that has long plagued IT pros is that of managing remote computers. Laptops need to be updated and backed up just like any other computer. The problem is that mobile users spend a lot of time outside of the office, which makes it difficult for the IT department to perform maintenance on mobile user's laptops. As a result, many IT pros write elaborate scripts to apply patches or run backups whenever remote users connect to a VPN.

The problem with this approach is that users are often connected to VPNs for relatively short amounts of time. The duration of the user's session might be inadequate for performing all of the necessary maintenance. DirectAccess can help with this problem because the user is connected to the corporate network any time they have Internet connectivity. Since the amount of time a user's computer is connected to the Internet is often much longer than the amount of time that the user spends logged into a VPN, automated maintenance tasks are more likely to be completed.

The prerequisites that your DirectAccess server must meet are relatively modest. The server must be joined to a domain, and it must have at least one network adapter that has been configured with a static IP address.

Deploying DirectAccess

Figure 1: Install the Remote Access Role with the Server Manager's Add Roles and Features Wizard.

As previously mentioned, DirectAccess is much easier to deploy and configure in Windows Server 2012 than it was in Windows Server 2008 R2. The first step in deploying DirectAccess is to install the Remote Access Role through the Server Manager's Add Roles and Features Wizard (figure 1).

Figure 2: Choose DirectAccess and VPN (RAS) role services and complete the wizard by accepting the defaults.

After selecting the Remote Access role, click Next three times and you will see a screen asking you which Remote Access role services you want to install. Choose the DirectAccess and VPN (RAS) role services and then complete the Add Roles and Features Wizard by accepting the defaults (figure 2).

Figure 3: A warning icon indicates there are post deployment configuration tasks to be performed.

When the Remote Access role and the corresponding role features finish installing, the Server Manager will display a warning icon. Clicking this icon reveals a message indicating that there are post-deployment configuration tasks that must be performed (figure 3). Click on the Open the Getting Started Wizard link, found in the warning message.

Figure 4: After Windows launches the Configure Remote Access wizard, click Deploy DirectAccess Only.

At this point, Windows will launch the Configure Remote Access wizard (figure 4). Click the Deploy DirectAccess Only link.

Figure 5: Specify the edge topology by entering the IP address or the domain name clients will use when connecting to the DirectAccess server.

After a quick prerequisite check, the wizard will ask you to specify your network topology. The DirectAccess Server can act as an edge device, or it can reside behind an edge device. If you choose to place the DirectAccess Server behind an edge device (such as a NAT firewall), you will need to specify whether the DirectAccess server uses a single NIC or two separate NICs.

Figure 6: The Remote Access Management Console can monitor the DirectAccess Server.

After specifying your edge topology, you must enter either the IP address or the fully qualified domain name that clients will use when they connect to the DirectAccess server (figure 5).

Click Finish to complete the wizard. Upon doing so, Windows will display the Remote Access Management Console, which you can use to monitor your DirectAccess Server (figure 6).

Client Requirements

Unfortunately, Windows 8 is the only desktop operating system that is natively compatible with Windows Server 2012's DirectAccess feature.

Even at that, there are some additional requirements that must be met. Client computers must be equipped with a TPM chip and users will need either a physical or a virtual smart card.

The good news is that Microsoft now supports accessing Windows Server 2012 servers from Windows 7 clients as well. To do so, Windows 7 clients must have version 2.0 of the Microsoft DirectAccess Connectivity Assistant installed, available for download here.

The Windows Server 2012 version of DirectAccess is much easier to deploy and configure than the previous version. DirectAccess' simplicity and its automated connectivity make it plausible as a VPN replacement.

Brien Posey is an eight-time Microsoft MVP with two decades of IT experience. Before becoming a freelance technical writer, Brien worked as a CIO at a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the nation's largest insurance companies and for the Department of Defense at Fort Knox.

Dig Deeper on Windows Server troubleshooting