5 Things DirectAccess Administrators Should Know About Always On VPN

As I’ve written about previously, Microsoft is no longer investing in DirectAccess. There will be no new features or functionality added to the product in the future. Microsoft is now investing in Always On VPN in Windows 10, with new features being released with each semi-annual update of the operating system. As Microsoft continues to push Always On VPN over DirectAccess, many administrators have asked about the ramifications of this shift in focus for enterprise remote access. Here are a few points to consider.

It’s the same thing, only different.

Always On VPN provides the same seamless, transparent, always on experience as DirectAccess. Under the covers, the mechanics of how that’s accomplished change a bit, but fundamentally the user experience is exactly the same. Once a user logs on to their device, a VPN connection is established automatically and the user has secure remote access to corporate resources.

The connection is still secure.

Where DirectAccess uses IPsec and Connection Security Rules (CSRs) to establish its secure tunnels, Always On VPN uses traditional client-based VPN protocols such as IKEv2, SSTP, L2TP, and PPTP. Both DirectAccess and Always On VPN use certificates for authentication. However, where DirectAccess uses machine certificates to authenticate the computer, Always On VPN leverages user certificates to authenticate the user.

(Note: Machine certificates will be required for Always On VPN when using the optional device tunnel configuration. I will publish more details about this configuration option in a future article.)

Provisioning and managing clients is different.

The administrative experience for Always On VPN is quite different from that of DirectAccess. Where DirectAccess made use of Active Directory and group policy for managing client and server settings, Always On VPN clients must be provisioned using a Mobile Device Management (MDM) solution such as Microsoft Intune, or any third-party MDM platform. Optionally, Always On VPN clients can be provisioned using Microsoft System Center Configuration Manager (SCCM), or manually using PowerShell.

Security is enhanced.

Always On VPN has the potential to provide much more security and protection than DirectAccess. Always On VPN supports traffic filtering, allowing administrators to restrict remote client communication by IP address, protocol, port, or application. By contrast, DirectAccess allows full access to the internal network after user logon with no native capability to restrict access. In addition, Always On VPN supports integration with Azure Active Directory, which enables conditional access and multifactor authentication scenarios.

It’s built for the future.

Always On VPN also provides support for modern authentication mechanisms like Windows Hello for Business. In addition, Windows Information Protection (WIP) integration is supported to provide essential protection for enterprise data.


Microsoft set the bar pretty high with DirectAccess. Users love the seamless and transparent access it provides, and administrators reap the benefit of improved systems management for field-based devices. Always On VPN provides those same benefits, with additional improvements in security and protection. If you’d like more information about Always On VPN, fill out the form below and I’ll get in touch with you.

Additional Information

Always On VPN and the Future of DirectAccess

Pointsharp MFA User Storage Configuration

Pointsharp multifactor authentication can be integrated with most popular remote access solutions to greatly improve security and provide a higher level of assurance for authenticating remote users. Although DirectAccess and Always On VPN natively provide multifactor authentication using certificates, integrating MFA should be considered standard procedure for any traditional client-based VPN solution.

Pointsharp User Storage

The Pointsharp multifactor authentication (MFA) solution uses an Active Directory Organizational Unit (OU) to store user information. This article will provide guidance for the proper configuration and delegation of the OU to ensure proper Pointsharp MFA operation.

Create the OU

A dedicated OU should be created and the Pointsharp service account delegated full control over the OU prior to configuring the software. To do this, open the Active Directory Users and Computers management console, right-click on the domain and choose New and then Organizational Unit.


Note: The OU does not have to be created at the domain level. It can be created or moved to another OU if desired.

Provide a name for the OU and select the option to Protect container from accidental deletion.


Create a Service Account

Establish a service account for Pointsharp by creating a user with no special privileges or group memberships. The Pointsharp service account does not require administrative rights of any kind. Be sure to use a very long and complex password. Select the options User cannot change password and Password never expires.


Delegate Permissions on the OU

In the Active Directory Users and Computers management console, right-click the Pointsharp storage OU and choose Delegate Control….


Click Next, and then click Add to add the Pointsharp service account.


Click Next, then select the option to Create a custom task to delegate.


Click Next twice. In the Permissions window select Full Control. This will automatically select all other options. Click Next and then click Finish.


Once complete, proceed with the configuration of Pointsharp MFA user storage by using the service account credentials and storage OU created previously.
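The same four steps (create the OU, create the service account, delegate Full Control, verify), scripted in PowerShell as an added example that is not part of the original article. The OU name, the service account name, and the default Users container as the account's location are assumed placeholders; the delegation uses GenericAll with inheritance on the OU and its descendants, which is what the wizard's Full Control custom task grants.

```powershell
# Added example, not from the original article. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$ouName   = 'Pointsharp Users'   # assumed placeholder OU name
$svcName  = 'svc-pointsharp'     # assumed placeholder service account name

# 1. Create the storage OU, protected from accidental deletion (the wizard checkbox).
#    It is created at the domain level here, but any OU path would do.
$ou = New-ADOrganizationalUnit -Name $ouName -Path $domainDn `
        -ProtectedFromAccidentalDeletion $true -PassThru

# 2. Create the service account with no special privileges or group memberships.
#    A long, complex password is entered at the prompt rather than hard-coded.
$password = Read-Host -Prompt "Password for $svcName" -AsSecureString
$svc = New-ADUser -Name $svcName -SamAccountName $svcName `
         -Path "CN=Users,$domainDn" `
         -AccountPassword $password -Enabled $true `
         -CannotChangePassword $true -PasswordNeverExpires $true -PassThru

# 3. Delegate Full Control on the OU to the service account, scoped to the OU
#    and everything created beneath it (ActiveDirectorySecurityInheritance::All),
#    so the grant never touches objects elsewhere in the domain.
$ouPath = "AD:\$($ou.DistinguishedName)"
$acl = Get-Acl -Path $ouPath
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $svc.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($ace)
Set-Acl -Path $ouPath -AclObject $acl

# 4. Verify: the account should appear on the OU ACL with GenericAll, and its
#    only group membership should be Domain Users (no administrative groups).
Get-Acl -Path $ouPath |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference -like "*\$svcName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType
Get-ADPrincipalGroupMembership -Identity $svcName | Select-Object Name
```

Run this once as a domain administrator; the Pointsharp software itself is then configured with the service account credentials and the OU's distinguished name.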


Additional Resources

Configure DirectAccess with One-Time Password (OTP) Authentication
