Microsoft DirectAccess Formally Deprecated

Today, Microsoft has announced the formal deprecation of DirectAccess. Microsoft DirectAccess is a widely deployed enterprise secure remote access solution that provides seamless, transparent, always-on remote network connectivity for managed (domain-joined) Windows clients. First introduced in Windows Server 2008 R2, it’s been a popular solution with many advantages over ordinary VPN technologies of the past.

Windows Server 2012

DirectAccess was almost entirely rewritten in Windows Server 2012. Many of the features and enhancements offered for DirectAccess with the Unified Access Gateway (UAG – a separate product with additional costs) were built into the operating system directly. In addition, Microsoft introduced integrated load balancing and geographic redundancy features.

Demise of DirectAccess

DirectAccess relies heavily on classic on-premises technologies like Active Directory. All DirectAccess servers and clients must be joined to a domain. In addition, all DirectAccess clients must be running the Enterprise edition of Windows. With organizations rapidly adopting cloud services such as Azure and Entra ID, Microsoft began to develop an alternative solution that better integrated with the cloud. That solution is Always On VPN. With that, Microsoft stopped developing DirectAccess after the release of Windows Server 2012 R2. No new features or capabilities have been added to DirectAccess since that time.

Deprecation

We’ve been speculating about the end of life for DirectAccess for quite some time now. However, this formal deprecation announcement from Microsoft is official. It is the end of the road for this technology. To be clear, though, DirectAccess is available today in Windows Server 2022 and Windows 11. DirectAccess will be included in the upcoming release of Windows Server 2025. However, formal deprecation from Microsoft means they will remove DirectAccess components from the next release of the operating system.

What Happens Now?

Organizations should begin formal planning efforts to migrate away from DirectAccess. Here are a few popular solutions to consider.

Always On VPN

Always On VPN is the direct replacement for DirectAccess. It was designed to provide feature parity for DirectAccess, with seamless, transparent, always-on remote network connectivity. However, Always On VPN better integrates with Entra ID and supports conditional access. It does not require domain-joined devices or servers and works well with cloud-native endpoints. Always On VPN is a good choice for organizations that employ hybrid Entra-joined devices.

Entra Private Access

Entra Private Access, part of the Entra Global Secure Access suite, is an identity-centric zero-trust network access (ZTNA) solution from Microsoft. It is in public preview now and has some compelling advantages over traditional VPNs. However, Entra Private Access is not feature complete today. In addition, it is best suited to cloud-native (Entra-joined only) endpoints.

Absolute Secure Access

Absolute Secure Access (formerly NetMotion Mobility) is a premium enterprise remote access solution with many advanced options. It is by far the best solution on the market today. Absolute Secure Access is a software solution that supports zero-trust configuration and includes many features to improve and enhance security, performance, and visibility. In addition, it provides cross-platform support, including Windows, macOS, iOS, and Android operating systems.

Learn More

We have several decades of experience working with secure remote access technologies. We can help you and your organization find the best solution for your needs. Fill out the form below for a free one-hour consultation to discuss your DirectAccess migration strategy today.

Additional Information

Deprecated Features for Windows Client

Windows Server 2012 and 2012 R2 End of Life

DirectAccess on Microsoft Windows

I want to remind you of a critical upcoming milestone that may affect your business. In just 60 days, we will reach the end of support for Windows Server 2012 and Windows Server 2012 R2. As of October 10, 2023, these operating systems will no longer receive security updates or technical support from Microsoft.

End of Support

End of support means your servers will be more vulnerable to security risks and potential threats. It is essential to take action now to ensure your IT infrastructure’s continued security and stability. Upgrading to newer, supported operating systems will protect your data and systems from potential cyber threats and provide access to enhanced features and performance improvements.

Don’t Wait

For those still running Windows Server 2012 and 2012 R2, now is the time to migrate the remaining workloads! Consider the following commonly deployed services that may still be running on Windows Server 2012 or 2012 R2 in your organization.

Remote Access – Windows Server Routing and Remote Access Service (RRAS) is commonly deployed to provide secure remote access for field-based workers. In addition, Absolute Secure Access (formerly NetMotion Mobility) is a widely implemented premium alternative to RRAS. Organizations may be hesitant to migrate these workloads because disrupting remote workers is painful.

DirectAccess – This remote access technology is widely deployed and extremely difficult to migrate. In addition, the complex nature of DirectAccess, with its many intricate interdependencies, poses a significant challenge to organizations migrating this role.

PKI – This is likely the most common enterprise service to be found running on Windows Server 2012 and 2012 R2. Most organizations relying on Windows Active Directory Certificate Services (AD CS) to issue and manage enterprise certificates are reluctant to move this workload once it is deployed. This service is much easier to migrate than you might think! It can be done without disruption as well.

Consulting Services

We understand that upgrading might require careful planning and coordination, and our team is here to support you throughout the transition process. Don’t delay – take this opportunity to safeguard your organization’s data and systems by upgrading to the latest Windows Server version or exploring cloud-based solutions.

Get In Touch

Please don’t hesitate to contact us for further assistance or any questions regarding the upgrade process. Together, let’s ensure your business remains secure and productive. You can get started today by booking a free one-hour consultation to discuss your migration strategy. Just fill out the form below and I’ll provide more information.

Inbox Accounting Database Management

The Routing and Remote Access Service (RRAS) role in Windows Server is a popular VPN server choice for administrators deploying Windows Always On VPN. It is easy to configure, scales well, and is cost-effective. After installing RRAS, administrators can optionally enable inbox accounting to log historical data and generate user access and activity reports as described in Always On VPN RRAS Monitoring and Reporting.

Inbox Accounting Database

A Windows Internal Database (WID) is automatically installed and configured for data storage when inbox accounting is enabled.

WID is nothing more than a basic instance of Microsoft SQL Server. As such, the database will require periodic maintenance to perform optimally.

Inbox Accounting Database Management Scripts

I have created a series of PowerShell scripts to address the inbox accounting database management requirements for organizations using Windows Server RRAS. Scripts are available to perform the following inbox accounting database management tasks.

  • Optimize the inbox accounting database.
  • View the size of the inbox accounting database files.
  • Compress the size of the inbox accounting database.
  • Back up the inbox accounting database to a file on disk.
  • Restore the inbox accounting database from a backup file.
  • Move the inbox accounting database file to a different location.
  • Remove the inbox accounting database.

Optimize Database

A known issue with the inbox accounting database can result in high CPU and memory utilization for very busy RRAS VPN servers. Specifically, a crucial index is missing from one of the tables in the logging database. This issue persists in Windows Server 2022. To correct this issue, download and run the following PowerShell script on each RRAS VPN server in the organization.

Optimize-InboxAccountingDatabase.ps1

View Database Size

The database can grow rapidly depending on how busy the RRAS server is. Administrators can view the current database file sizes by downloading and running the following PowerShell script on the RRAS server.

Get-InboxAccountingDatabaseSize.ps1

Compress Database

Over time, the database can become fragmented, decreasing performance. Compressing the database can improve performance and result in significant recovery of disk space. To compress the inbox accounting database, download and run the following PowerShell script on each RRAS server in the organization.

Compress-InboxAccountingDatabase.ps1

In this example, compressing the database reduced its size by more than 8MB, resulting in a nearly 70% reduction in disk space usage.

Backup Database

Administrators may wish to back up the inbox accounting database before purging older records from it. Also, backing up the database preserves access records when migrating to a new server. To back up the inbox accounting database, download and run the following PowerShell script on each RRAS server in the organization.

Backup-InboxAccountingDatabase.ps1

Restore Database

Naturally, to restore the inbox accounting database from a previous backup, administrators can download and run the following PowerShell script.

Restore-InboxAccountingDatabase.ps1

Restoring a database from backup will erase all records in the current database. It does not append. Proceed with caution!

Move Database Files

Inbox accounting database and log files are located in C:\Windows\DirectAccess\Db by default.

However, storing database and log files on the system drive is not ideal. A better alternative is to place the inbox accounting database and log files on a separate disk for optimum performance. To move the inbox accounting database, download and run the following PowerShell script on each VPN server in the organization.

Move-InboxAccountingDatabase.ps1

Moving inbox accounting files may not be formally supported by Microsoft. Use caution when making this change.
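
The following is an added example, not one of the scripts from this article or its PowerShell module. It reports the size of every file in the inbox accounting database folder, the free space left on that drive, and whether the files still sit on the system drive. The function name is hypothetical, and the example assumes an elevated PowerShell session on the RRAS server and a local (non-UNC) path.

```powershell
# Added example (not one of the article's scripts). Reports the size of the files in
# the inbox accounting database folder and whether they are still on the system drive.
function Get-AccountingDbFolderReport {
    [CmdletBinding()]
    param (
        # Default location stated in the article; pass another path if the files were moved.
        [string]$Path = 'C:\Windows\DirectAccess\Db'
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        Write-Warning "Folder '$Path' not found. Inbox accounting may not be enabled, or the files were moved."
        return
    }

    # Sum the on-disk size of every file in the folder (database and log files).
    $files = @(Get-ChildItem -LiteralPath $Path -File)
    $totalBytes = ($files | Measure-Object -Property Length -Sum).Sum
    if ($null -eq $totalBytes) { $totalBytes = 0 }

    # Resolve the drive that holds the folder and read its remaining free space.
    $root  = [System.IO.Path]::GetPathRoot((Resolve-Path -LiteralPath $Path).ProviderPath)
    $drive = New-Object System.IO.DriveInfo($root)

    [PSCustomObject]@{
        Path          = $Path
        Files         = $files | Select-Object Name, @{ n = 'SizeMB'; e = { [math]::Round($_.Length / 1MB, 2) } }
        TotalSizeMB   = [math]::Round($totalBytes / 1MB, 2)
        DriveFreeGB   = [math]::Round($drive.AvailableFreeSpace / 1GB, 2)
        OnSystemDrive = ($root.TrimEnd('\') -ieq $env:SystemDrive)
    }
}

$report = Get-AccountingDbFolderReport
if ($report) {
    $report.Files | Format-Table -AutoSize
    $report | Select-Object Path, TotalSizeMB, DriveFreeGB, OnSystemDrive | Format-List
    if ($report.OnSystemDrive) {
        Write-Warning 'Database and log files are on the system drive.'
    }
}
```

Running it before and after a move or a compression pass gives a simple record of where the files are and how much space they use.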

Remove Database

Occasionally an inbox accounting database becomes corrupt and can no longer be managed. If this happens, completely removing the database is required. It is essential to know that simply disabling and re-enabling inbox accounting on the VPN server does not delete the database. To delete the database completely, download and run the following PowerShell script.

Remove-InboxAccountingDatabase.ps1

PowerShell Module

To simplify things, the PowerShell scripts described in this article are available in a PowerShell module that can be installed from the PowerShell Gallery using the following command.

Install-Module InboxAccountingDatabaseManagement

Additional Information

Windows Always On VPN RRAS Inbox Accounting Database Management PowerShell Module

Windows Always On VPN RRAS Monitoring and Reporting

Windows Always On VPN PowerShell Scripts on GitHub