So you’ve heard a bit about DirectAccess but want to know more. In this posting I’m including a FAQ of the most common questions I field every week from new customers looking at the DirectAccess technology. This is by no means an all-encompassing list, so please leave any additional questions down below in the comments section and I’ll be sure to update the list in the future!
Are there any special schema extensions required for DirectAccess?
Nope, you just need to have a Windows 2012 member server to get started with DirectAccess!
What are the minimum AD requirements?
You need to ensure you are at minimum running a supported version of Windows AD. At this time, this means you just need a minimum of Windows 2003 running on your domain controllers.
Do I need to have IPv6 running in my environment/ISP?
Nope, there is no IPv6 requirement on your existing network or ISP connection to get started with DirectAccess.
What’s this IPv6 requirement I keep hearing about for DirectAccess?
You just need to ensure that IPv6 is enabled (but not configured) on the DirectAccess server and DirectAccess clients. Make sure the IPv6 checkbox is enabled in the network adapter properties on your DirectAccess server and DirectAccess clients.
Also ensure you don’t have the DisabledComponents registry key set on any of your DirectAccess clients and servers; otherwise it can cause issues.
What versions of Windows are supported with DirectAccess?
We support Windows 7 Enterprise & Ultimate Edition, Windows 8 Enterprise, Windows 2008 R2, and Windows 2012 as a DirectAccess client.
What are the client-side requirements for DirectAccess?
Your DirectAccess clients must be domain-joined, have the DirectAccess Client GPO, have IPv6 enabled, and must be running the Windows Firewall on the public and private profiles. If you are running Windows 7 or a mixed Windows 7 & 8 DirectAccess deployment, then you also need to have workstation certificates installed on all your DirectAccess clients.
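As an added example (not code from the original post), here is a PowerShell check that runs through the client-side requirements above together with the IPv6 points from the earlier questions: domain membership, IPv6 bound on an adapter, no DisabledComponents value, Windows Firewall on for the Public and Private profiles, and an NRPT policy present as a sign that the DirectAccess client GPO has applied. It assumes a Windows 8 or Windows Server 2012 machine, since it uses the NetAdapter, NetSecurity and DnsClient modules that ship there (Windows 7 lacks those cmdlets).

```powershell
# Added example: DirectAccess client prerequisite check for Windows 8 / Server 2012.
# Assumes the built-in NetAdapter, NetSecurity and DnsClient PowerShell modules.
function Test-DirectAccessClientPrereqs {
    $results = @()

    # 1. DirectAccess clients must be domain-joined.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $results += [pscustomobject]@{ Check = 'Domain joined'; Pass = [bool]$cs.PartOfDomain; Detail = $cs.Domain }

    # 2. IPv6 must be enabled (the "IPv6 checkbox") on at least one adapter.
    $v6 = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object { $_.Enabled }
    $results += [pscustomobject]@{ Check = 'IPv6 bound on an adapter'; Pass = [bool]$v6; Detail = ($v6.Name -join ', ') }

    # 3. DisabledComponents must be absent or 0; any other value turns off parts of IPv6.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $dc  = (Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
    $results += [pscustomobject]@{ Check = 'DisabledComponents not set'; Pass = (-not $dc); Detail = "value=$dc" }

    # 4. Windows Firewall must be on for the Public and Private profiles.
    foreach ($p in Get-NetFirewallProfile -Name Public, Private) {
        $results += [pscustomobject]@{ Check = "Firewall on ($($p.Name))"; Pass = ($p.Enabled -eq 'True'); Detail = $p.Enabled }
    }

    # 5. The DirectAccess client GPO populates the NRPT; an empty NRPT means the GPO has not applied.
    $nrpt = Get-DnsClientNrptPolicy -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{ Check = 'NRPT policy present (client GPO applied)'; Pass = [bool]$nrpt; Detail = ($nrpt.Namespace -join ', ') }

    return $results
}

Test-DirectAccessClientPrereqs | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the client; any row with Pass = False points at the requirement that still needs attention before the client will connect.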
How do you configure the DirectAccess settings for a client?
The DirectAccess client settings are pushed to clients using group policies. There’s no agent or special software to install to get supported clients all setup and working with DirectAccess. As a matter of fact, you can potentially push the GPO settings silently so users can take their machines home and use DirectAccess without even rebooting!
What type of Internet Access does DirectAccess require?
Nothing special! At a minimum we need to reach TCP/443 on the DirectAccess servers in the infrastructure. Being a field based employee, I’ve used DirectAccess on a wide variety of Internet connections ranging from dial-up, 3G wireless, 4G LTE, Cable, DSL, Starbucks Wi-Fi, Airport Wi-Fi, even Satellite Internet on a plane moving at 500 mph (804 kph for all of you outside of the US).
How many DirectAccess clients can connect per DirectAccess server?
It really depends more on the sustained network I/O on the DA server than on the number of clients connecting. The higher the sustained network I/O, the more strain on memory and especially on CPU cycles to encrypt/decrypt the IPsec data on the DA server. A lot will depend on the activity of your users. If your users are just doing lightweight activities over the DirectAccess connection, you can handle a large number of users per DirectAccess server. If the users have a fast low-latency Internet connection and are pulling large amounts of sustained data across DirectAccess, they will use significantly more resources on the DirectAccess servers. You can use our published capacity planning information here to start building a baseline.
Even better, a DirectAccess pilot will give you better real world numbers for your environment.
What can I do to enable high availability with DirectAccess?
Setting up more than one DirectAccess server is a good start. We offer two different ways to have high availability for DirectAccess. The first is to set up an array of DirectAccess servers behind a load balancer. We natively support the Network Load Balancing (NLB) that’s built into Windows; otherwise you can use an External Load Balancer (ELB). We aren’t picky about the brand of the ELB as long as it can pass at a minimum TCP/443 to the DirectAccess servers.
Secondly, you can set up multi-site with DirectAccess. This allows you to have DirectAccess servers in multiple data centers for geographic redundancy. Please note this is only officially supported with Windows 8 DirectAccess clients. Windows 7 DirectAccess clients do not have the ability to load more than one connection point at a time in their group policy settings.
Can you limit access for DirectAccess computers?
Yes, there are a couple of possible ways to limit access for a specific set of machines. You could use the Windows Firewall to natively block access to specific end resources. Secondly, you could manipulate the Name Resolution Policy Table (NRPT) on DirectAccess clients so they can only resolve specific internal resources while connected to DirectAccess.
How do I monitor my DirectAccess clients?
The Remote Access console provides a list of currently connected clients, the username of the logged on user, and exactly what internal IP addresses and ports the computer is accessing at any given time. You can also enable historical logging to query historical connection information for auditing purposes as well.
How is my data protected across the Internet?
The DirectAccess clients negotiate AES-192 bit IPsec encryption by default between the DirectAccess server and the DirectAccess client to ensure all your data is protected and secured during transit. This is configurable to different methods but might require more CPU cycles on both the client and the server.
What happens if my DirectAccess computer gets stolen/compromised?
All that is required is to disable the AD computer account of the DirectAccess computer and this will prevent any further connections to the DirectAccess server.
Is the connection active even if nobody is logged in the DirectAccess client?
Yes, there is a limited tunnel that allows the computer account itself to contact the domain controllers and any other internal systems you desire. This means that when the user logs on to the DirectAccess client, they log on against live domain controllers, process logon scripts, and update group policies just as if their computer were connected at work.
Can I manage a DirectAccess client from my internal network?
It’s possible to manage-out to a DirectAccess client from your internal network. This does involve either configuring ISATAP settings on your internal computer or using native IPv6 routing, but it isn’t all that difficult to set up with any type of DirectAccess deployment.