5 Things DirectAccess Administrators Should Know About Always On VPN


As I’ve written about previously, Microsoft is no longer investing in DirectAccess going forward. There will be no new features or functionality added to the product in the future. Microsoft is now investing in Always On VPN in Windows 10, with new features being released with each semi-annual update of the operating system. But as Microsoft continues to make the push toward Always On VPN over DirectAccess, many administrators have asked about the ramifications of this shift in focus for enterprise remote access. Here are a few points to consider.

It’s the same thing, only different.

Always On VPN provides the same seamless, transparent, always on experience as DirectAccess. Under the covers, the mechanics of how that’s accomplished change a bit, but fundamentally the user experience is exactly the same. Once a user logs on to their device, a VPN connection is established automatically and the user will have secure remote access to corporate resources.

The connection is still secure.

Where DirectAccess uses IPsec and Connection Security Rules (CSRs) to establish its secure tunnels, Always On VPN uses traditional client-based VPN protocols such as IKEv2, SSTP, L2TP, and PPTP. Both DirectAccess and Always On VPN use certificates for authentication. However, where DirectAccess uses machine certificates to authenticate the computer, Always On VPN leverages user certificates to authenticate the user.

(Note: Machine certificates will be required for Always On VPN when using the optional device tunnel configuration. I will publish more details about this configuration option in a future article.)

Provisioning and managing clients is different.

The administrative experience for Always On VPN is much different than it is with DirectAccess. Where DirectAccess made use of Active Directory and group policy for managing client and server settings, Always On VPN clients must be provisioned using a Mobile Device Management (MDM) solution such as Microsoft Intune, or any third-party MDM platform. Optionally, Always On VPN clients can be provisioned using Microsoft System Center Configuration Manager (SCCM), or manually using PowerShell.

Security is enhanced.

Always On VPN has the potential to provide much more security and protection than DirectAccess. Always On VPN supports traffic filtering, allowing administrators to restrict remote client communication by IP address, protocol, port, or application. By contrast, DirectAccess allows full access to the internal network after user logon with no native capability to restrict access. In addition, Always On VPN supports integration with Azure Active Directory, which enables conditional access and multifactor authentication scenarios.
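The following is an added example, not code from the original article: a PowerShell helper that reads an Always On VPN ProfileXML (the XML profile format used to provision clients), lists the tunnel protocol, the user authentication method and each traffic filter rule, and flags a profile that defines no filter at all. The sample profile, server name, application path and address ranges are constructed, and `Get-VpnProfileSummary` is a hypothetical helper name.

```powershell
# Constructed sample ProfileXML: server name, app path and address ranges are placeholders.
$sampleProfile = @'
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <NativeProfile>
    <Servers>vpn.example.net</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication><UserMethod>Eap</UserMethod></Authentication>
  </NativeProfile>
  <TrafficFilter>
    <Protocol>6</Protocol>
    <RemotePortRanges>443</RemotePortRanges>
    <RemoteAddressRanges>10.20.0.0/16</RemoteAddressRanges>
  </TrafficFilter>
  <TrafficFilter>
    <App><Id>C:\Windows\System32\mstsc.exe</Id></App>
    <Protocol>6</Protocol>
    <RemotePortRanges>3389</RemotePortRanges>
    <RemoteAddressRanges>10.20.30.0/24</RemoteAddressRanges>
  </TrafficFilter>
</VPNProfile>
'@
# Hypothetical helper (not a built-in cmdlet): summarizes what a profile permits.
function Get-VpnProfileSummary {
    param([Parameter(Mandatory)][string]$ProfileXml)
    $vpn   = ([xml]$ProfileXml).VPNProfile
    $names = @{ '6' = 'TCP'; '17' = 'UDP' }   # IP protocol numbers
    $read  = { param($node, $path)            # a criterion a filter omits is reported as "any"
               $n = $node.SelectSingleNode($path)
               if ($null -ne $n) { $n.InnerText.Trim() } else { 'any' } }
    $filters = @(foreach ($f in $vpn.SelectNodes('TrafficFilter')) {
        $p = & $read $f 'Protocol'
        [pscustomobject]@{
            App      = & $read $f 'App/Id'
            Protocol = if ($names.ContainsKey($p)) { $names[$p] } else { $p }
            Ports    = & $read $f 'RemotePortRanges'
            Remote   = & $read $f 'RemoteAddressRanges'
        }
    })
    [pscustomobject]@{
        TunnelProtocol = $vpn.NativeProfile.NativeProtocolType
        UserAuth       = $vpn.NativeProfile.Authentication.UserMethod
        Unrestricted   = $filters.Count -eq 0   # no filter: the profile itself limits nothing
        Filters        = $filters
    }
}
$summary = Get-VpnProfileSummary -ProfileXml $sampleProfile
$summary | Format-List TunnelProtocol, UserAuth, Unrestricted
$summary.Filters | Format-Table -AutoSize
```

Running the same summary over every profile before it is pushed through MDM, SCCM or PowerShell gives a quick review point for profiles that reach clients with no traffic filter defined.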

It’s built for the future.

Always On VPN also provides support for modern authentication mechanisms like Windows Hello for Business. In addition, Windows Information Protection (WIP) integration is supported to provide essential protection for enterprise data.


Microsoft set the bar pretty high with DirectAccess. Users love the seamless and transparent access it provides, and administrators reap the benefit of improved systems management for field-based devices. Always On VPN provides those same benefits, with additional improvements in security and protection. If you’d like more information about Always On VPN, fill out the form below and I’ll get in touch with you.

Additional Information

Always On VPN and the Future of DirectAccess

3 Important Advantages of Windows 10 Always On VPN over Microsoft DirectAccess

Windows 10 Always On VPN Hands-On Training



  1. Alex Hansen / December 7, 2017

    Great blogs!
    I have read a few things about Always On VPN feature. But I have a question about HA in front of the Remote Access Servers. We use Citrix NetScaler as a NLB.
    When I read the MS documentation, it states that you need to use IP-HTTPS. As we only want to leverage the IPv4 and not IPv6. How can this be accomplished?

    Do you just forward UDP/500 and UDP/4500?

    • Thanks Alex! I have some blog posts in the works about load balancing the various supported Always On VPN protocols, so look for those coming in the near future. Until then, yes, load balancing IKEv2 is as simple as forwarding UDP ports 500 and 4500. The trick is that you need to configure the load balancer so that traffic from one client goes to the same server. How this is done depends on the load balancer as they are all different. That’s what I’ll hopefully be documenting soon. Load balancing SSTP is simple enough because it’s just HTTPS traffic. 🙂

      • Alex Hansen / December 7, 2017

        Thanks! I will try it out, and report back on my findings 🙂
