Microsoft DirectAccess is an enterprise VPN solution introduced with Windows Server 2008 R2. It was a paradigm shift for remote access technologies, featuring seamless, transparent, always-on corporate network connectivity for managed Windows devices.
Not a VPN?
DirectAccess is often referred to as a VPN solution. While that is technically correct, providing the same secure network access tunnel from the client to the gateway, DirectAccess does not use the Windows VPN client. Instead, DirectAccess uses the IPsec Connection Security rules feature of the Windows Firewall with Advanced Security to establish IPsec tunnels to secure network communication.
IPv6 Only
DirectAccess is an IPv6 network access technology. DirectAccess client’s communication with the DirectAccess server using only IPv6. IPv4 traffic is not routed over the DirectAccess connection.
IPv4 Internet
When DirectAccess was first introduced, IPv6 was not widely deployed on the public Internet. DirectAccess uses IPv6 transition technologies to enable IPv6 connectivity over the IPv4 Internet and establish IPv6 connections between the DirectAccess client and gateway (server). DirectAccess supports three IPv6 transition technologies for DirectAccess client-to-gateway communication.
6to4
The 6to4 IPv6 transition protocol works by encapsulating IPv6 packets in IPv4 packets using IP protocol 41. 6to4 does not work when the client or the server is behind a NAT, so this IPv6 transition protocol is only used when the client and server are assigned public IPv4 addresses.
Teredo
Teredo is an IPv6 transition protocol that is designed to work when a DirectAccess client (but not the DirectAccess server) is behind a NAT. It works by encapsulating IPv6 packets in IPv4 packets using UDP on port 3544. Teredo will be used any time the DirectAccess client has a private IPv4 address or when the client has a public IPv4 address, and the 6to4 protocol is unavailable (e.g., 6to4 is disabled, or outbound access to IP protocol 41 is restricted by firewall policy).
IP-HTTPS
IP-HTTPS is an IPv6 transition protocol that encapsulates IPv6 packets in IPv4 packets using HTTP with SSL/TLS. It is the IPv6 transition protocol of last resort and is used any time 6to4 or Teredo aren’t available. The advantage of using IP-HTTPS is ubiquitous firewall access. Any network with access to the public Internet should, at a minimum, allow outbound HTTP and HTTPS.
DirectAccess Requirements
DirectAccess is a feature of the Windows server and client operating systems. DirectAccess servers must have the DirectAccess-VPN role installed and configured to support DirectAccess client connections. DirectAccess servers and clients must be domain-joined. DirectAccess servers can be Standard or Datacenter Edition. DirectAccess clients must be running Enterprise Edition. DirectAccess server and client configuration settings are deployed and managed using Active Directory group policy.
DirectAccess Advantages
DirectAccess provides many advantages over other enterprise VPN solutions. DirectAccess connects automatically and does not require user interaction to establish secure remote network connectivity. In addition, DirectAccess does not require any additional licensing to use the technology. Since it is part of Windows Server, it does not require proprietary hardware or specialized skill sets to support it.
DirectAccess Disadvantages
DirectAccess is a complex technology with many intricate interdependencies, making it challenging to support at scale. It leverages IPv6 and digital certificates, skills uncommon to many Windows administrators. The solution has many moving parts, with multiple layers of encapsulation and encryption, which can result in poor performance.
Learn More
Want to learn more about DirectAccess? Fill out the form below, and we’ll provide more information.
