Since the introduction of Windows Server 2012 in September of 2012, no new features or functionality have been added to DirectAccess. In Windows Server 2016, the only real change aside from bug fixes for DirectAccess is the removal of Network Access Protection (NAP) integration support.
Figure 1. Remote Access Setup wizard with NAP integration option in Windows Server 2012/R2.
Figure 2. Remote Access Setup wizard without NAP integration option in Windows Server 2016.
DirectAccess Roadmap
It’s clear to see that Microsoft is no longer investing in DirectAccess, and in fact their field sales teams have been communicating this to customers for quite some time now. Microsoft has been actively encouraging organizations who are considering a DirectAccess solution to instead implement client-based VPN with Windows 10.
Always On VPN
New features introduced in the Windows 10 Anniversary Update allow IT administrators to configure automatic VPN connection profiles. This Always On VPN connection provides a DirectAccess-like experience using traditional remote access VPN protocols such as IKEv2, SSTP, and L2TP/IPsec. It comes with some additional benefits as well.
- Conditional access and device compliance with system health checks
- Windows Hello for Business and Azure multifactor authentication
- Windows Information Protection (WIP) integration
- Traffic filters to restrict VPN network access
- Application-trigger VPN connections
DirectAccess Deprecated?
There has been rampant speculation that Microsoft plans to deprecate and retire DirectAccess. While that may in fact be true, Microsoft has yet to make a formal end-of-life announcement. There’s no reason DirectAccess and VPN couldn’t co-exist, so it’s not a certainty Microsoft will do this. However, there’s also no need to have multiple remote access solutions, and it is abundantly clear that the future for Microsoft remote access is Always On VPN and not DirectAccess.
Always On VPN Advantages and Disadvantages
Windows 10 Always On VPN has some important advantages over DirectAccess. It has some crucial limitations as well.
Advantages
- Always On VPN supports non-Enterprise Windows 10 client SKUs (Windows 10 Home and Professional)
- Always On VPN includes support for granular network access control
- Always On VPN can use both IPv4 and IPv6
- Always On VPN is infrastructure independent. In addition to supporting Windows RRAS, any third-party network device can be used such as Cisco, Checkpoint, Juniper, Palo Alto, SonicWALL, Fortinet, Sophos, and many more
Disadvantages
- Always On VPN works only with Windows 10. It is not supported for Windows 7
- Always On VPN cannot be managed natively using Active Directory and group policy. It must be configured and managed using Microsoft System Center Configuration Manager (SCCM), Microsoft Intune, or PowerShell
DirectAccess or Always On VPN?
Should you deploy DirectAccess today or implement Always On VPN with Windows 10 instead? That depends on a number of factors. It’s important to understand that DirectAccess is fully supported in Windows Server 2016 and will likely be for many years to come. If DirectAccess meets your needs today, you can deploy it with confidence that it will still have a long support life. If you have reservations about the future viability of DirectAccess, and if you meet all of the requirements to support Always On VPN with Windows 10, then perhaps that’s a better choice. If you’d like to discuss your remote access options in more detail, fill out the form below and I’ll get in touch with you.
Additional Resources
NetMotion Mobility as an Alternative to DirectAccess
Always On VPN Deployment Guide for Windows Server 2016 and Windows 10
Planning and Implementing DirectAccess with Windows Server 2016 Video Training Course on Pluralsight
Managing and Supporting DirectAccess with Windows Server 2016 Video Training Course on Pluralsight
Implementing DirectAccess with Windows Server 2016 Book
DirectAccess can be configured to enforce strong user authentication using smart cards or one-time passwords (OTP). This provides the highest level of assurance for remote users connecting to the internal network via DirectAccess. OTP solutions are commonly used because they require less administration and are more cost effective than typical smart card implementations. Most OTP solutions will integrate with DirectAccess as long as they support Remote Access Dial-In User Service (RADIUS).
