The Drawbacks of Supporting Windows 7 Clients with Windows Server 2012 DirectAccess

Windows Server 2012 DirectAccess includes many new features to enhance scalability and performance. To take full advantage of many of these capabilities you must use Windows 8 Enterprise edition for your DirectAccess clients. Windows 7 Enterprise and Ultimate clients are supported, but there are a few important features that can’t be leveraged. Here are some examples:

IP-HTTPS Improvements – Windows Server 2012 supports NULL encryption for the IP-HTTPS IPv6 transition protocol. This eliminates the performance and scalability penalty caused by needlessly redundant encryption of DirectAccess client communication (IPsec-encrypted traffic encrypted again with SSL/TLS). Windows 8 clients request only these NULL encryption cipher suites when establishing DirectAccess connectivity. Windows 7 clients, however, do not support NULL encryption and will instead request an encrypted cipher suite during SSL/TLS negotiation, so every Windows 7 IP-HTTPS session carries the double-encryption overhead.

Automatic Site Selection for Multi-Site – With Windows Server 2012 the administrator can configure multiple DirectAccess gateways to provide geographic redundancy for DirectAccess clients. Windows 8 clients are configured to intelligently select the nearest entry point and automatically reconnect to another gateway if the connection to the originally selected entry point fails. In contrast, Windows 7 clients can be configured for only a single entry point. The Windows 7 client is unaware of any other entry points and if the original connection becomes unavailable for any reason it will not have corporate network access until that entry point is back online.

Public Key Infrastructure (PKI) – The removal of the requirement to have an internal PKI to support DirectAccess clients is a popular feature for many organizations wanting to deploy DirectAccess (I don’t necessarily agree with this, but that’s the subject of another post!). Although Windows Server 2012 DirectAccess can be configured to use self-signed certificates, this deployment model is only supported for Windows 8 clients. If you plan to provide support for Windows 7 clients you will need a working internal PKI.

DirectAccess Connectivity Assistant – The Windows 8 client includes native functionality to indicate the status of DirectAccess connectivity and also includes a facility with which to quickly gather detailed log data for troubleshooting. Windows 8 clients can also establish DirectAccess connectivity when they are located behind an authenticating web proxy. For Windows 7 clients, the DirectAccess Connectivity Assistant (DCA) provides some of this functionality, but it is an optional component that must be deployed separately. Even with the DCA installed, Windows 7 clients cannot establish DirectAccess connections when a web proxy server requires authentication.

Although Windows 7 Enterprise and Ultimate editions are supported for DirectAccess when connecting to a Windows Server 2012 DirectAccess server, Windows 8 Enterprise clients should be deployed whenever possible to ensure the best and most complete experience.


10 Comments

  1. Hey Rich,

    Great post!

    The only thing I would add is that for some Enterprise deployments, even with Windows 8 clients, PKI is *still* required; for example when using NAP or OTP not only is PKI required, but a Windows CA is required too.

    Cheers

    JJ

  2. mike0788 / June 11, 2013

    Just enjoyed your TechEd presentation. Always great to hear about this promising solution.

    1. Can Win7 still use DirectAccess to a single NIC Win2012 behind a firewall?

    2. If not, how safe is it to have a 2 NIC deployment of Win2012 with just its built-in firewall to protect it?

    3. Are there “Advanced” deployment guides to setup DirectAccess manually?

    Thanks!

    Mike

    • Hi Mike,

      Glad you found the TechEd session informative! To answer your question, yes, you can configure a Windows Server 2012 DirectAccess server with a single NIC behind a NAT device and still support Windows 7 clients. Keep in mind that Windows 7 clients are inherently less efficient using IP-HTTPS compared to Windows 8, so you won’t be able to accommodate as many Windows 7 IP-HTTPS sessions as you would Windows 8 clients. In addition, you can configure a Windows Server 2012 DirectAccess server with two NICs and still place the server behind an edge firewall for additional protection. In this scenario the “external” network interface would have a private IPv4 address assigned to it and your edge device would perform NAT to deliver the traffic to the DA server.

  3. mike0788 / June 14, 2013

    Thanks Richard. I think the 2 NIC behind the NAT device looks more reasonable. I was able to find the main portal for all Remote Access at http://technet.microsoft.com/en-us/network/dd420463.aspx.

  4. Hugh / September 17, 2014

    I know it can’t be automatic, but are there any workarounds/hacks that can be used to switch Windows 7 clients in the field to a different DirectAccess server? We’re trying to formulate a DR plan for DA and having a hard time with our Win7 clients.

    • The only way to reassign Windows 7 clients is to move their computer accounts to another security group assigned to an alternate entry point. If the entry point they were originally assigned to is unavailable, you can bring the clients back to the LAN or use a client-based VPN connection to update group policy.

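The reassignment described in this reply (and implied by the multi-site section of the post, where a Windows 7 client knows only one entry point) scripted with the ActiveDirectory module, as an added example that is not code from the original post or its author. It assumes, as the reply states, that each entry point's Windows 7 clients are assigned through their own security group; the group and computer names are placeholders.

```powershell
# Added example: move a Windows 7 DirectAccess client to another multisite entry
# point by moving its computer account between per-entry-point security groups.
# Group and computer names below are placeholders, not values from the post.
Import-Module ActiveDirectory

function Move-DAClientEntryPoint {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$FromGroup,   # security group of the failed entry point
        [Parameter(Mandatory)][string]$ToGroup      # security group of the alternate entry point
    )

    $computer = Get-ADComputer -Identity $ComputerName -Properties OperatingSystem, MemberOf

    # Only Windows 7 Enterprise and Ultimate are supported DirectAccess clients;
    # refuse to reassign anything else (e.g. Professional) rather than silently fail later.
    if ($computer.OperatingSystem -notmatch 'Windows 7 (Enterprise|Ultimate)') {
        throw "$ComputerName runs '$($computer.OperatingSystem)', not a supported Windows 7 DirectAccess client."
    }

    # Confirm the account really is assigned to the entry point we think it is.
    $fromDn = (Get-ADGroup -Identity $FromGroup).DistinguishedName
    if ($computer.MemberOf -notcontains $fromDn) {
        throw "$ComputerName is not a member of $FromGroup; check its current entry point assignment first."
    }

    # Remove before adding so the account is never in both entry-point groups at once.
    Remove-ADGroupMember -Identity $FromGroup -Members $computer -Confirm:$false
    Add-ADGroupMember    -Identity $ToGroup   -Members $computer

    # Computer group membership is only picked up in a new logon token, so the client
    # needs a restart (or fresh Kerberos tickets) before a Group Policy refresh will
    # apply the alternate entry point's client settings.
    [pscustomobject]@{
        ComputerName       = $ComputerName
        OldEntryPointGroup = $FromGroup
        NewEntryPointGroup = $ToGroup
        NextStep           = 'Restart the client on the LAN or over a client VPN, then run: gpupdate /target:computer /force'
    }
}

# Usage with placeholder names:
Move-DAClientEntryPoint -ComputerName 'WIN7-LAPTOP01' `
                        -FromGroup 'DA-Win7-Clients-SiteA' `
                        -ToGroup   'DA-Win7-Clients-SiteB'
```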
  5. Edward / January 15, 2015

    Great article.
    I watched your TrainSignal videos on DirectAccess and Multi-Site configuration and I was wondering if there was a compelling reason to configure multi-site when all clients are Windows 7. When Windows 7 clients can’t easily (or automatically) switch from one site to another, is there really an advantage to enabling multi-site?

    Now, with that in mind, I would think that a third-party load balancer using a VIP (virtual IP) to point to two DirectAccess servers could be a better solution for Windows 7 clients. Is this possible?

    • In this scenario, multisite still makes sense because it allows you to have a single DirectAccess deployment and single management console for all nodes and entry points. Using a third-party load balancer to direct Windows 7 clients to different sites won’t work because the only thing you’d be doing is moving the transition tunnel from one endpoint to another. The DirectAccess client is still expecting to establish IPsec security associations with a specific tunnel endpoint by IPv6 address, which is unique per site. If the client is assigned to site A and the load balancer connects it to site B, IPsec fails because the DirectAccess server doesn’t have the correct IPv6 address.

  6. V Archie / June 6, 2017

    Hi, is Windows Server 2012 DirectAccess supportive of Windows 2007 Professional?

    • I’ll assume you meant Windows 7 Professional, and no, it is not a supported DirectAccess client. Windows 7 only supports DirectAccess using Enterprise or Ultimate editions.
