DirectAccess Consulting Services

Microsoft Certified Solutions Associate (MCSA)

I’ve been helping organizations large and small deploy DirectAccess since it was first introduced more than five years ago. During this time I have amassed a wealth of knowledge and experience with this unique technology. DirectAccess is not trivial to install, configure, or troubleshoot. Also, it’s easy to make mistakes in the planning and design phase that can turn into serious issues later in the deployment. To make matters worse, many organizations are deploying DirectAccess for the first time, and without essential guidance they are prone to making common mistakes or choosing configuration options that are less than optimal both in terms of supportability and performance.

Having deployed DirectAccess for some of the largest companies in the world, there isn’t much I haven’t already encountered. If you are looking for the best chance of success for your DirectAccess deployment, consider a consulting engagement with me. I can provide assistance with all facets of DirectAccess implementation including planning and design, installation, configuration, and troubleshooting. Consulting services at reasonable rates are available for all types of DirectAccess work including:

  • New DirectAccess installations
  • Migration from previous versions of DirectAccess
  • Upgrade or expansion of existing DirectAccess deployment
  • Enterprise planning and design for large-scale, multisite DirectAccess deployments
  • DirectAccess high availability (local and geographic)
  • Manage-out for DirectAccess with external hardware load balancers and/or multisite configuration
  • Multisite DirectAccess with geographic redundancy for Windows 7 clients
  • Existing DirectAccess design review and security assessment
  • Windows Server 2012 R2 client-based VPN configuration
  • DirectAccess client connectivity troubleshooting
  • DirectAccess training

Additionally, consulting services are available for a variety of security solutions as well as on-premises and cloud networking technologies such as:

  • Azure networking and infrastructure
  • Cross-premises connectivity to Azure
  • Certificate services (PKI)
  • IP address management
  • ISA Server and Forefront Threat Management Gateway (TMG) migration

All services can be performed on-site or remotely. If you are interested in obtaining my services, give me a call at +1(949)677-3573 or drop me a note at rich@richardhicks.com for more details.

54 Comments

  1. I have advocated DirectAccess for the last 3 years at our company. We are mainly a Windows shop running Win7 and Server 2008 R2. Our director (of IT) is old school and doesn’t listen to many new ideas. Any thoughts on how to pull him into the 21st century?

    Reply
  2. Hi Richard,
    I want to know how I can allow DirectAccess clients in different remote locations to contact each other.
    The DirectAccess clients in all remote locations can successfully connect to the edge and DC server,
    but not to each other.

    Reply
    • If remote DirectAccess clients can connect to on-premises resources, then they should be able to communicate with other connected DirectAccess clients. If that’s not the case, I’d suggest looking closely at the firewall rules on your clients to ensure they are allowing whichever protocols and ports are required.

      Reply
      • Thanks for the reply.
        In the DirectAccess server GPO
        I already configured the firewall to allow ICMPv4 and ICMPv6.
        Also,
        my DC and Edge can successfully ping and receive pings from DirectAccess clients in different locations via the Internet, and those clients can also successfully ping the DC and Edge from remote locations via the Internet over IPv6.
        But when those clients try to ping each other they fail, though
        not with “Request timed out”;
        rather, the PC can’t resolve the other PC’s name.
        Thanks

      • If you know the client’s IPv6 address you can try pinging that directly. However, you’ll definitely want to make sure that DNS name registration is working because remembering IPv6 addresses is prohibitively difficult. 🙂

  3. angelo / January 9, 2016

    Hi Richard, why are DirectAccess clients unable to communicate with a system via IPv4?
    In my organization, we have a client solution (CyberArk Outlook plug-in) installed client-side, and this plug-in contacts the CyberArk vault server by calling its IPv4 address (not using the FQDN), so the communication fails.
    Could you please explain the mechanism used by the DA client?
    And, if possible, is there a way to bypass this problem from the infrastructure side, not the application side (CyberArk client side --> I would have to ask the vendor to release a new version of the client --> too long)?
    Thank you very much,
    Angelo

    Reply
    • Because DirectAccess is designed to use IPv6 exclusively. The majority of applications work, but some do not. There is no workaround. The application must be able to use host names in order to work over DirectAccess.

      Reply
  4. Hi Richard, I’m looking for some advice on DirectAccess and DPM backup for clients. I thought that DPM could resolve host names, yet DPM client backups fail for me. Do you have any experience in this area?

    Reply
  5. Hi Richard, hope everything is going well. Can I ask you, are there any validation checks when a client establishes a tunnel? As far as I know it does not do any validation check.

    Reply
    • Yes. When the client connects it will attempt to connect to the web probe host URL. You’ll find this information in the output of Get-DAClientExperienceConfiguration under corporate resources.

      Reply
  6. Magali Sourbes / January 25, 2016

    Hi Richard, I successfully implemented a single-server DirectAccess solution but would now like to make it highly available by adding another Server 2012 R2 to the config and utilizing the built-in load balancing. Will there be any downtime (except for when turning off the VM to enable MAC address spoofing on the NIC)? I constantly have users connected, working off-site. Does the 2nd server inherit settings from the 1st one when joining the “cluster”?

    Thanks for your input and great site!

    Reply
    • You might experience a bit of downtime, but nothing that will seriously impact availability. And yes, when you add the second server to the cluster it will receive all settings from group policy. Just be sure to have the DirectAccess-VPN role and all certificates installed before joining to the array.

      Reply
  7. To help with the DPM question, we were able to successfully enable remote backup to DPM 2010 using the registry and firewall settings discussed in this link.

    https://social.technet.microsoft.com/forums/en-US/e2267282-5cae-4605-8792-c83e4d99f881/dpm-2010-over-directaccess

    Reply
  8. megatc101 / March 31, 2016

    Hi Richard

    I’ve got DA working perfectly. I have a configuration that uses multisite with three entry points. I now need to decommission one of the entry points. I’ve found the PowerShell cmdlet Remove-DAEntryPoint but not much other documentation on how to proceed.
    Do I simply run the command and delete the GPO?
    The reason why I’m concerned is because the entry point that I need to remove was the first entry point that was configured.

    Reply
    • You should be able to do this easily enough using the Remote Access Management console. No need to remove the servers first, just highlight the entry point you want to remove and click Remove Entry Point in the Tasks pane. With DirectAccess, there is no concept of primary/secondary, so removing any entry point, even the first one, should not be an issue.

      Reply
      • megatc101 / April 4, 2016

        Hi Richard

        Feel a bit foolish that I didn’t spot that. Thanks for the help and thanks for the really great resource.

      • megatc101 / April 4, 2016

        Hi Richard

        Thanks again for the response. I removed the entry point and all appeared to be well, until an attempt was made to connect a laptop that was using the automatically selected entry point setting. I got the following error: “multisite settings aren’t available”. I found that merging the following setting, HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\DAMultisite, from a working laptop managed to re-establish a connection. If, however, automatic selection is chosen again, the error returns.
        I plugged the laptop into the LAN, removed it from the DA group, ran gpupdate, which effectively removed DA. Rebooted and added it back, this did not fix the problem.
        The best guess is that we need to edit the client GPO to assign one of the entry points as default. I also believe that until this is sorted we are not going to be able to automatically configure any more DA clients. Any Ideas?

      • That’s certainly unusual. I would have to believe that somehow the existing GPOs aren’t being updated if they still contain stale entry point information. I’d verify that the information has been removed properly. Perhaps it’s a replication issue also?

  9. Hi Richard,
    My organisation is attempting to get DirectAccess up and running, to support a small (initially), and then a large number of potential clients. This will be run through a complex gateway environment, and run on 2012 R2 servers, with Win7 clients initially, and later Win10 clients. It should be noted that we are an IPv4 network internally.
    My question relates to ISATAP. Noting that ISATAP is now unsupported by Microsoft, what would your recommendations be for future-state alternatives for “manage-out” capabilities for DA implementations, in an IPV4 internal network scenario? Enjoy your blog, BTW.

    Reply
    • Hi Michael,

      Glad you are enjoying the site. 🙂 Yes, Microsoft’s official position on outbound management is to deploy IPv6. Obviously that is the ideal situation. However, deploying IPv6 is not trivial, and there are myriad factors that have to be considered when deploying IPv6 on the intranet. It’s an excellent idea, of course, but often not something an organization wants to do just to enable outbound management for DirectAccess clients.

      As for ISATAP, although it is expressly unsupported by Microsoft, it is still fully functional and in my opinion a viable alternative to deploying IPv6. When properly deployed it can serve as an effective solution for outbound management, even in scenarios where the DirectAccess servers are configured with an external load balancer or in a multisite deployment. These scenarios require custom ISATAP configuration, but it works well.

      Reply
  10. simon harris / June 6, 2016

    I have an issue with DA and Citrix XenApp. I can launch XenApp apps from the Web Interface but cannot launch them from a Citrix-connector embedded form on an intranet page (I get the ICA file, but it just does not connect to the XenApp server). Telnet to 1494 from the DA client shows no connectivity issues... any ideas??

    Reply
    • Take a close look at the ICA file. If it returns an IPv4 address, it won’t work with DirectAccess. It must be configured to return an FQDN, which is a setting on the Citrix XenApp server.

      Reply
  11. Victor / June 7, 2016

    Every time I type in “directaccess” in Google your name always seems to pop up 🙂
    I am currently doing an internship in a big firm that still uses VPN for mobile workers to access resources on its intranet. One of the requirements for a successful internship is the carrying out of a project, and I have decided to do DirectAccess (hope it doesn’t come back to bite me).
    I need help in building a test lab that would represent the firm’s current IT infrastructure.
    Currently the firm has a Citrix farm in place and a Cisco ASA550 as firewall and NAT.
    They also run their own PKI.
    What I have done so far: I have implemented my test lab based on TLGs from Microsoft, and it only seems to work with just the simplified wizard. This is just too basic for me.
    I think I may have taken on a project too big for me but I intend to see it through.
    That is why I need some form of guidance or advice.
    The company won’t allow access to the firewall or Citrix farm. In other words, I am on my own. However, the project will be evaluated based on its functionality and how well it is presented. Thanks.

    Reply
  12. Victor / June 16, 2016

    Thanks for the reply. I did check the videos and they were quite explanatory.
    I have begun following the procedures with a little twist to my lab. My challenge is: how do I introduce a real client computer into a virtual domain? My guess is that I bind the host (physical) server’s network card to a virtual external network switch and then attach the client to a physical switch attached to the host server’s network card?
    Thanks for your time.

    Reply
    • Assuming your lab has real Internet access, you can use offline domain join as described here. Otherwise you’ll have to come up with some way to connect the physical device to your virtual network. For my labs I have a virtual network interface connected to a physical switch. If I need to connect a real computer I connect it to that switch.

      Reply
      • Victor / July 7, 2016

        Thanks a lot Richard. I have never seen someone take so much time out to answer blog posts. Kudos to you. I have everything up and running now but still have a question regarding manage-out. I have decided on a selective ISATAP environment. What I have done so far includes setting up a DNS A record (name: isatap.domain.com), setting up a management PC (Win8) and enabling ISATAP on the management PC via GPO. I also changed firewall settings on DA clients. My question is, would I still have to tweak some settings on the DA server even after all these? And if I do have SCCM on board, would I still require ISATAP to be set up? Thanks 🙂

      • Thanks for the kind words Victor. Much appreciated! 🙂

        As long as you have a single DirectAccess server, just configuring your management workstation to use it as its ISATAP router via group policy is all that’s required. If you have more than one DirectAccess server (load balanced, multisite, or a combination of both), additional configuration is required.

  13. Bryan / September 19, 2016

    Hi Richard!

    Thanks for your generous DirectAccess resources! I’ve had a single-server DirectAccess configuration working well in testing for some months now.

    We’ve reached a point where we need to create a few exclusions in our DirectAccess configuration, and I may be interested in engaging you depending on how complex you think the answer may be to my question. We have recently re-configured our Cisco phone system to be published via Cisco’s Expressway gateway product, so that clients can be connected to voice (SIP), presence, and voicemail services when offsite. It’s working properly for Windows clients NOT using DirectAccess, but for my clients testing DirectAccess it’s (as I expected) not connecting properly. Because the DirectAccess tunnel allows clients to successfully resolve DNS queries for internal resources, the Cisco client software thinks it’s on-network and does not try to contact the gateway to establish connections.

    All my googling has returned almost no information about how to exclude specific FQDNs from using the DirectAccess tunnel. I see nothing in the server-side GUI, so I assume it may require PowerShell on the server. Can you shed some light, or let me know if I need to contact you privately for a more thorough discussion about how to engage you?

    Thanks!

    Bryan

    Reply
    • If you were having trouble finding information about configuring NRPT exemptions, perhaps that’s a good idea for a blog post. 🙂 It’s easy enough to configure. Reach out to me directly via email and I’ll provide some guidance. FYI, it can be done in the GUI if you prefer that over PowerShell.

      Reply
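      The NRPT exemption the reply refers to can be created and checked with the RemoteAccess and DnsClient PowerShell cmdlets. This is an added illustration, not code from the post or its author; the host name expressway.corp.example.com is a placeholder for the Expressway gateway’s FQDN.

```powershell
# Added example (not from the original post). Creates an NRPT exemption so one
# FQDN is resolved by the client's local (Internet) DNS instead of through the
# DirectAccess tunnel, then verifies the result on the server and on a client.
# The name below is a placeholder for the Cisco Expressway gateway's FQDN.
$Exempt = 'expressway.corp.example.com'

# --- On the DirectAccess server (RemoteAccess module) ---
# List the current NRPT entries. An entry with no DnsIPAddress is an exemption.
Get-DAClientDnsConfiguration | Format-Table DnsSuffix, DnsIPAddress -AutoSize

# Add the exemption. Omitting -DnsIPAddress is what makes the rule an exemption.
# The entry is written to the DirectAccess client GPO, not applied locally.
Add-DAClientDnsConfiguration -DnsSuffix $Exempt -PassThru

# Confirm the entry exists and carries no DirectAccess DNS server address.
$rule = Get-DAClientDnsConfiguration | Where-Object { $_.DnsSuffix -eq $Exempt }
if ($rule -and -not $rule.DnsIPAddress) {
    "Exemption for $Exempt is present in the DirectAccess client GPO."
} else {
    Write-Warning "Exemption for $Exempt was not created as expected."
}

# --- On a DirectAccess client, after 'gpupdate /force' and a reconnect ---
# The effective NRPT policy should show the name with no DirectAccess DNS
# servers, so the Cisco client gets the public answer and behaves as it does
# for non-DirectAccess clients. Unrelated internal names remain in the tunnel.
Get-DnsClientNrptPolicy -Effective |
    Where-Object { $_.Namespace -eq $Exempt } |
    Format-List Namespace, DirectAccessDnsServers, DirectAccessEnabled
```

      Because an exempted name is answered by whatever DNS the client is using at the time, only publish names here that are meant to be reachable from the Internet anyway.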
  14. Matt / September 20, 2016

    Hi, I’ve been using your blog ever since implementing DA last year. I find it very difficult to get any support for it though. I have one issue at the moment. Some machines I have using DirectAccess often use the sleep power option. I’ve found that when users connect again after coming out of sleep mode DNS can fail. It’s only when I flush DNS that it will resolve. Also, for example, if a user still has the Lotus Notes client open when coming out of sleep it will not be able to ping the Notes server until we flush DNS. Any suggestions on this?

    Reply
    • Hi Matt. Hope you are finding the site informative and useful. 🙂 The issue you describe can be related to IPsec tunnel establishment timing and the client attempting to make name resolution requests before the DirectAccess tunnels are fully established. I’d suggest disabling negative DNS caching on one DirectAccess client to see if it resolves the issue. You can disable negative DNS caching by running the following PowerShell command:

      New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\Dnscache\Parameters" -Name MaxNegativeCacheTtl -PropertyType DWORD -Value 0

      Let me know if that helps!

      Reply
  15. Serghei / September 29, 2016

    Hi Richard,

    Thank you for your great web site. We have a single DirectAccess 2012 server implemented several years ago with Windows 2003 R2 Active Directory servers only. We don’t have any issues now, but we are in the process of upgrading our AD servers to Windows 2012 R2. We are going to demote our old 2003 R2 AD servers, but when I checked the DirectAccess Server Settings group policy I found our old domain controllers under Computer Configuration > Policies > Administrative Templates > Extra Registry Settings: Software\Policies\Microsoft\Windows\RemoteAccess\Config\ManagementServerInfo H=DC1.domain.local;T=D;A=aaaa:bbbb:d7b5:7777::c0a8:301,2002:bbbb:1:0:5efe:192.168.3.1
    (IPv6 addresses were changed)

    At the DirectAccess server we don’t have any servers in Remote Access Management Console > Configuration > Infrastructure Servers (Step3) > Management

    How do I update these settings with the new AD controllers? Will we have any problems if we demote our old AD controllers? I tried to find any info on the Internet but without any success.

    Thank you

    Reply
    • After you’ve made the changes to your infrastructure servers, open the Remote Access Management console, highlight DirectAccess and VPN, and then click “Refresh Management Servers” in the Tasks pane. Alternatively you can simply run the Update-DAMgmtServer PowerShell command on the DirectAccess server. This will bring the management and infrastructure servers list up to date in the DirectAccess GPOs. 🙂

      Reply
  16. Vishal / October 11, 2016

    Hi Richard,

    First of all, thanks for so much valuable information around DA.
    We are trying to set up DA with high availability in Azure, and as per your article we can use a 3rd-party LB instead of NLB.

    Can you please let me know what 3rd party LB is available in Azure as per your article. I can’t locate one.

    Cheers,
    Vishal

    Reply
    • All of the popular load balancers such as F5, Citrix NetScaler, and KEMP LoadMaster are available in Azure. You can find them in the Azure marketplace. You’ll need to use the new management portal to find them, however.

      Reply
  17. Ajeesh / November 22, 2016

    Hi Richard, is it recommended to configure DA and NLS in different VLANs under an L3 switch where inter-VLAN routing is enabled? Will it create any issues in DA functionality? Your ASAP revert will help me.

    Reply
    • The DirectAccess Network Location Server (NLS) can be located anywhere on your internal network. However, if you are enabling load balancing for DirectAccess, the DirectAccess servers themselves must be on the same subnet.

      Reply
  18. Andrew / December 2, 2016

    Richard,
    We are having the same issue as Matt above and we have tried your recommendation (disable negative DNS caching) but it did not fix our issue. We have the same issue as Matt, but flushing the DNS does not fix the issue. Users have to reboot in order to appear as inside the network. Running the diagnostics shows clients as outside the network; all DA servers are available if you ping the IP address, and if you use NSLOOKUP it resolves the names, but not through ping. Any other suggestions to troubleshoot?

    Thanks in advance for your help!

    Andrew

    Reply
    • This might be a driver issue. Make sure your drivers are up to date and see if that helps. If it doesn’t, you’ll probably have to open a support case with Microsoft. I’ve heard of this happening with other customers in the past (not mine) so you probably won’t be the first person calling in with this issue. Hopefully they have a private hotfix they can give you. 🙂

      Reply