DirectAccess No Longer Supported in Microsoft Azure

DirectAccess No Longer Supported on Windows Server in Azure

Microsoft has historically not supported DirectAccess running on Windows Server in the Microsoft Azure public cloud. In the past, this was due to limitations imposed by the underlying cloud infrastructure, as I documented here. When Microsoft moved from the old service manager model (classic) to the newer resource manager infrastructure, many of the issues that prevented the DirectAccess workload from being stable were resolved. There are still some fundamental limitations to deploying DirectAccess in Azure, as I documented here, but for the most part it was a workable solution. In fact, Microsoft even updated their support statement for DirectAccess on Azure, quietly removing it from the unsupported roles list in July 2016.

Sadly, Microsoft has reversed their decision on the support of DirectAccess in Azure. As many of you have noticed or commented on some of my posts, Microsoft recently added clarification on support for remote access on Windows Server in Azure, explicitly indicating that DirectAccess was not included in Remote Access support.

Reference: https://support.microsoft.com/en-us/kb/2721672

You’ll be glad to know that DirectAccess is indeed supported in Amazon’s public cloud infrastructure, Amazon Web Services (AWS). I’ll be drafting some guidance for deploying DirectAccess in AWS soon. Stay tuned!

Additional Resources

Azure Resource Manager vs. Classic Deployment: Understand Deployment Models and the State of your Resources

Deploying DirectAccess in Microsoft Azure

Implementing DirectAccess in Windows Server 2016 Book


12 Comments

  1. Clint / November 7, 2016

    So what is the best way to provide seamless remote connectivity to infrastructure hosted in azure?

    • DirectAccess, of course. 😉 You can still implement DirectAccess in Azure if you’re willing to implement a solution without their support. For small and mid-sized organizations this is probably OK. Perhaps not so much for large enterprises though. Strangely, it is supported in AWS and Microsoft has not indicated they will not support it there. Go figure! 🙂

  2. Simon / November 7, 2016

    Does this mean that they prevent it from working or simply that they do not support its usage in Azure?

  3. Colin / April 26, 2017

    Is it true that Microsoft have ceased ongoing development of DirectAccess and will soon be ceasing support?

    • DirectAccess in Windows Server 2016 is indeed fully supported, and will be for quite some time. However, Microsoft has stated that they will no longer be investing in DirectAccess in future releases of Windows. They have plans to create a DirectAccess-like solution using traditional client-based VPN. Look for more on that in the future. 🙂

  4. Hi Richard, We have had DirectAccess on Server 2012 working in Azure for 6 months by following your guidance. The problem we now have is that when the final DC / DNS server moved across, it suddenly all stopped working. The workaround was to move one of the DCs back to its old location. I have tried recreating the Group Policies by running through the Remote Access Management Console GUI, but it still seems to be looking at the old locations for DC / DNS servers. Any thoughts about where it might still be getting that out-of-date information from? We propose to move to ‘Always On VPN’ as a priority, but that has a prerequisite of a Windows 10 rollout which we aren’t able to do yet, so any hints you have would be really helpful! With the final DC migrated we get the IPHTTPS tunnel coming up but not the IPSEC tunnel. Any insight you have would be appreciated! Can’t find any articles about moving / decommissioning DCs without breaking DirectAccess!

    • Hi Jon. I’ve encountered a few of these scenarios recently so I’m working on a new article as we speak. 🙂 In the meantime, you will need to update the management servers list by running the Update-DaMgmtServer PowerShell command. If you are using multisite, then you will need to run the Set-DaEntryPointDC command. Contact me directly if you are still having trouble and I’ll provide more guidance.

      • Jon Scriven / February 1, 2018

        Thanks! I finally spotted the “Refresh Management Servers” option in the GUI which I assume does the same thing. Mended for most people apart from one Windows 10 client that seems to have everything set correctly but will not create EITHER tunnel. Any thoughts on troubleshooting that?

      • Could be any number of things. Typically though, if the DirectAccess server will support one connection it should work for everyone. If one particular client isn’t connecting, it would seem to indicate a client issue as opposed to a server issue. I’d look closely at the client to make sure it has all the prerequisites and that it also has the correct DirectAccess client settings policy. Also, no DirectAccess tunnels is commonly caused by the Windows firewall being disabled on the client, so don’t overlook that. 🙂
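The repair and troubleshooting steps discussed in the thread above, written out as an added PowerShell example (not the blog author's script or anything from the comments): the server-side function refreshes the management server list with Update-DAMgmtServer and, for multisite, re-points the entry point with Set-DAEntryPointDC; the client-side function surfaces the disabled-firewall and missing-policy causes named in the last reply. The entry point name and domain controller FQDN are placeholders.

```powershell
# Added example (not the blog author's script): refresh the DirectAccess server's
# view of domain controllers after a DC/DNS migration, and check the client-side
# causes named in the thread. Entry point and DC names are placeholders.
Import-Module RemoteAccess

function Update-DaInfrastructureServers {
    param(
        [string]$EntryPointName = 'Azure-EntryPoint',   # placeholder, multisite only
        [string]$NewDc          = 'dc03.corp.example'   # placeholder FQDN of a live DC
    )
    # Stale DC entries here break the infrastructure (IPsec) tunnel even though
    # the IP-HTTPS transport still comes up.
    Write-Host 'Management servers before refresh:'
    Get-DAMgmtServer -Type All | Format-Table -AutoSize

    # Same action as "Refresh Management Servers" in the Remote Access console:
    # rebuilds the list from the domain and updates the DirectAccess GPOs.
    Update-DAMgmtServer

    # Multisite deployments also need the entry point re-pointed at a live DC,
    # otherwise policy updates are still written against the decommissioned one.
    $multisite = Get-DAMultiSite -ErrorAction SilentlyContinue
    if ($multisite) {
        Set-DAEntryPointDC -EntryPointName $EntryPointName -NewDC $NewDc
    }

    Write-Host 'Domain controllers after refresh (old DC should be gone):'
    Get-DAMgmtServer -Type DC | Format-Table -AutoSize
}

function Test-DaClientPrerequisites {
    # Run on the affected Windows 10 client. A disabled Windows Firewall profile
    # prevents both tunnels from being built, so surface that first.
    $disabled = Get-NetFirewallProfile | Where-Object { -not $_.Enabled }
    if ($disabled) {
        Write-Warning ('Windows Firewall disabled for profile(s): ' +
                       ($disabled.Name -join ', '))
    }
    # Shows whether the client actually received the DirectAccess client
    # settings policy (empty or erroring output means the GPO never applied).
    Get-DAClientExperienceConfiguration
    # Reports which stage of the connection the client is stuck at.
    Get-DAConnectionStatus
}
```

Run Update-DaInfrastructureServers in an elevated session on the DirectAccess server and Test-DaClientPrerequisites on the client that fails to build either tunnel.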

  1. Configuring Windows Server 2012 R2 DirectAccess in Microsoft Azure | Richard Hicks' DirectAccess Blog
  2. Deployment Considerations for DirectAccess on Amazon Web Services (AWS) | Richard M. Hicks Consulting, Inc.
