What is the Difference Between DirectAccess and Always On VPN?

Always On VPN Device Tunnel Configuration Guidance Now AvailableDirectAccess has been around for many years, and with Microsoft now moving in the direction of Always On VPN, I’m often asked “What’s the difference between DirectAccess and Always On VPN?” Fundamentally they both provide seamless and transparent, always on remote access. However, Always On VPN has a number of advantages over DirectAccess in terms of security, authentication and management, performance, and supportability.

Security

DirectAccess provides full network connectivity when a client is connected remotely. It lacks any native features to control access on a granular basis. It is possible to restrict access to internal resources by placing a firewall between the DirectAccess server and the LAN, but the policy would apply to all connected clients.

Windows 10 Always On VPN includes support for granular traffic filtering. Where DirectAccess provides access to all internal resources when connected, Always On VPN allows administrators to restrict client access to internal resources in a variety of ways. In addition, traffic filter policies can be applied on a per-user or group basis. For example, users in accounting can be granted access only to their department servers. The same could be done for HR, finance, IT, and others.

Authentication and Management

DirectAccess includes support for strong user authentication with smart cards and one-time password (OTP) solutions. However, there is no provision to grant access based on device configuration or health, as that feature was removed in Windows Server 2016 and Windows 10. In addition, DirectAccess requires that clients and servers be joined to a domain, as all configuration settings are managed using Active Directory group policy.

Windows 10 Always On VPN includes support for modern authentication and management, which results in better overall security. Always On VPN clients can be joined to an Azure Active Directory and conditional access can also be enabled. Modern authentication support using Azure MFA and Windows Hello for Business is also supported. Always On VPN is managed using Mobile Device Management (MDM) solutions such as Microsoft Intune.

Performance

DirectAccess uses IPsec with IPv6, which must be encapsulated in TLS to be routed over the public IPv4 Internet. IPv6 traffic is then translated to IPv4 on the DirectAccess server. DirectAccess performance is often acceptable when clients have reliable, high quality Internet connections. However, if connection quality is fair to poor, the high protocol overhead of DirectAccess with its multiple layers of encapsulation and translation often yields poor performance.

The protocol of choice for Windows 10 Always On VPN deployments is IKEv2. It offers the best security and performance when compared to TLS-based protocols. In addition, Always On VPN does not rely exclusively on IPv6 as DirectAccess does. This reduces the many layers of encapsulation and eliminates the need for complex IPv6 transition and translation technologies, further improving performance over DirectAccess.

Supportability

DirectAccess is a Microsoft-proprietary solution that must be deployed using Windows Server and Active Directory. It also requires a Network Location Server (NLS) for clients to determine if they are inside or outside the network. NLS availability is crucial and ensuring that it is always reachable by internal clients can pose challenges, especially in very large organizations.

Windows 10 Always On VPN supporting infrastructure is much less complex than DirectAccess. There’s no requirement for a NLS, which means fewer servers to provision, manage, and monitor. In addition, Always On VPN is completely infrastructure independent and can be deployed using third-party VPN servers such as Cisco, Checkpoint, SonicWALL, Palo Alto, and more.

Summary

Windows 10 Always On VPN is the way of the future. It provides better overall security than DirectAccess, it performs better, and it is easier to manage and support.

Here’s a quick summary of some important aspects of VPN, DirectAccess, and Windows 10 Always On VPN.

Traditional VPN DirectAccess Always On VPN
Seamless and Transparent No Yes Yes
Automatic Connection Options None Always on Always on, app triggered
Protocol Support IPv4 and IPv6 IPv6 Only IPv4 and IPv6
Traffic Filtering No No Yes
Azure AD Integration No No Yes
Modern Management Yes No (group policy only) Yes (MDM)
Clients must be domain-joined? No Yes No
Requires Microsoft Infrastructure No Yes No
Supports Windows 7 Yes Yes Windows 10 only

Always On VPN Hands-On Training

If you are interested in learning more about Windows 10 Always On VPN, consider registering for one of my hands-on training classes. More details here.

Additional Resources

Always On VPN and the Future of Microsoft DirectAccess

5 Important Things DirectAccess Administrators Should Know about Windows 10 Always On VPN

3 Important Advantages of Windows 10 Always On VPN over DirectAccess

Managing and Supporting DirectAccess with Windows Server 2016 Video Training Course on Pluralsight

Planning and Implementing DirectAccess with Windows Server 2016I’m pleased to announce my newest video training course, Managing and Supporting DirectAccess with Windows Server 2016, is now available on Pluralsight! This new course is a follow-up to my previous course, Planning and Implementing DirectAccess with Windows Server 2016. This latest course builds upon the first one and covers advanced configuration such as enabling load balancing, configuring geographic redundancy, and enforcing strong user authentication using one-time passwords (OTP) and smart cards.

In addition, monitoring and reporting is covered, as well as implementing manage out for DirectAccess clients in supported scenarios. The course also includes a full hour of in-depth DirectAccess configuration and connectivity troubleshooting that will be valuable for all DirectAccess administrators.

The course includes the following training modules:

Configuring High Availability
Enabling Strong User Authentication
DirectAccess Monitoring and Reporting
Implementing Outbound Management for DirectAccess Clients
DirectAccess Troubleshooting

Throughout the course, I share valuable knowledge and insight gained from more than 5 years of experience deploying DirectAccess for some of the largest organizations in the world. Pluralsight offers a free trial subscription if you don’t already have one, so watch my latest DirectAccess video training course today!

Additional Resources

Planning and Implementing DirectAccess with Windows Server 2016 on Pluralsight
Managing and Supporting DirectAccess with Windows Server 2016 on Pluralsight
Implementing DirectAccess with Windows Server 2016 book

Configure DirectAccess with OTP Authentication

Updated 6/10/2015: This post was revised to include instructions for enabling OTP support for Windows 7 clients and for configuring OTP on the DirectAccess server using the Remote Access Management console.

Introduction

DirectAccess in Windows Server 2012 R2 provides significantly improved authentication over traditional client-based VPN solutions. When configured to use certificate authentication (a recommended best practice) the DirectAccess client is authenticated using its machine certificate and its Active Directory computer account. Once the client machine has been authenticated, the user is also authenticated via Kerberos against a live domain controller over the existing DirectAccess connection. These multiple authentication steps provide a high level of assurance for DirectAccess-connected clients. If that’s not enough to meet your needs, additional strong user authentication is supported using dynamic One-Time Passwords (OTP).

Drawbacks for DirectAccess with OTP

While OTP provides an additional level of assurance, it does come with a few drawbacks. OTP adds additional complexity and makes troubleshooting more difficult. OTP cannot be configured with force tunneling; the two security features are mutually exclusive. DirectAccess OTP does not support RADIUS challenge-response. For Windows 7 clients, the DirectAccess Connectivity Assistant (DCA) v2.0 must be deployed. In addition, enabling OTP with DirectAccess disables the use of null cipher suites for IP-HTTPS. This can potentially have a negative effect on performance and scalability (more details here). Also, OTP fundamentally breaks the seamless and transparent nature of DirectAccess.

Configuring DirectAccess OTP

OTP for DirectAccess makes use of short-lived certificates for user authentication. Thus, enabling OTP for DirectAccess requires making changes to the internal Public Key Infrastructure (PKI). DirectAccess in Windows Server 2012 R2 can be configured to use the same Certificate Authority (CA) that is used to issue computer certificates to the DirectAccess clients and servers. This differs from DirectAccess with Forefront Unified Access Gateway (UAG) 2010, where a separate, dedicated CA was required.

To configure DirectAccess OTP, follow the instructions below.

OTP Certificate Request Signing Template

Open the Certification Authority management console, right-click Certificate Templates, and then choose Manage. Alternatively you can enter certtmpl.msc in the Start/Run box or search from the Windows Start menu. Right-click the Computer template and choose Duplicate Template. On a Windows Server 2008 or 2008 R2 CA, select Windows Server 2008 Enterprise when prompted for the duplicate certificate template version.

Configure DirectAccess with OTP Authentication

On a Windows Server 2012 or 2012 R2 CA, select Compatibility tab and then select Windows Server 2008 R2 for the Certification Authority and Windows 7/Windows Server 2008 R2 for the Certificate recipient.

Configure DirectAccess with OTP Authentication

Select the General tab and provide a descriptive name for the Template Display Name. Specify a validity period of 2 days and a renewal period of 1 day.

Configure DirectAccess with OTP Authentication

Select the Security tab and click Add. Click Object Types and then select Computers and click Ok. Enter the names of each DirectAccess server separated by semicolons and click Check Names. Click Ok when finished. For each DirectAccess server, grant Read, Enroll, and Autoenroll permissions. Select Authenticated Users and remove any permissions other than Read. Select Domain Computers and remove the Enroll permission. Select Domain Admins and grant Full Control permission. Do the same for Enterprise Admins.

Configure DirectAccess with OTP Authentication

Select the Subject Name tab and choose the option to Build from this Active Directory information. Select DNS name in the Subject name format drop-down list and confirm that DNS name is checked under Include this information in alternate subject name.

Configure DirectAccess with OTP Authentication

Select the Extensions tab, highlight Application Policies and click Edit.

Configure DirectAccess with OTP Authentication

Remove all existing application policies and then click Add and then New. Provide a descriptive name for the new application policy and enter 1.3.6.1.4.1.311.81.1.1 for the Object Identifier. Click Ok for all remaining dialog boxes.

Configure DirectAccess with OTP Authentication

OTP Certificate Template

In the Certificate Templates Console, right-click the Smartcard Logon certificate template and choose Duplicate Template. On a Windows Server 2008 or 2008 R2 CA, select Windows Server 2008 Enterprise when prompted for the duplicate certificate template version.

Configure DirectAccess with OTP Authentication

On a Windows Server 2012 or 2012 R2 CA, select the Compatibility tab and then select Windows Server 2008 R2 for the Certification Authority and Windows 7/Windows Server 2008 R2 for the Certificate recipient.

Configure DirectAccess with OTP Authentication

Select the General tab and provide a descriptive name for the Template Display Name. Specify a validity period of 1 hour and a renewal period of 0 hours.

Configure DirectAccess with OTP Authentication

Note: It is not possible to set the validity period to hours on a Windows Server 2003 Certificate Authority (CA). As a workaround, use the Certificate Templates snap-in on another system running Windows 7/Windows Server 2008 R2 or later. Also, if the CA is running Windows Server 2008 R2, the template must be configured to use a Renewal Period of 1 or 2 hours and a Validity Period that is longer but no more than 4 hours.

Select the Security tab, then highlight Authenticated Users and grant Read and Enroll permissions. Select Domain Admins and grant Full Control permission. Do the same for Enterprise Admins.

Configure DirectAccess with OTP Authentication

Select the Subject Name tab and choose the option to Build from this Active Directory information. Select Fully distinguished name in the Subject name format drop-down list and confirm that User principal name (UPN) is checked under Include this information in alternate subject name.

Configure DirectAccess with OTP Authentication

Select the Server tab and choose the option Do not store certificates and requests in the CA database. Clear the checkbox next to Do not include revocation information issued in certificates.

Configure DirectAccess with OTP Authentication

Select the Issuance Requirements tab and set the value for This number of authorized signatures to 1. Confirm that Application Policy is selected from the Policy type required in signature drop-down list and choose the OTP certificate request signing template created previously.

Configure DirectAccess with OTP Authentication

Select the Extensions tab, highlight Application Policies and click Edit. Highlight Client Authentication and click Remove. Ensure that the only application policy listed is Smart Card Logon.

Configure DirectAccess with OTP Authentication

Certificate Authority Configuration

In the Certificate Authority management console, right-click Certificate Templates, choose New, and then Certificate Template to Issue. Highlight both of the certificate templates created previously and click Ok.

Configure DirectAccess with OTP Authentication

Open an elevated command prompt and enter the following command:

certutil.exe -setreg dbflags +DBFLAGS_ENABLEVOLATILEREQUESTS

Configure DirectAccess with OTP Authentication

Restart the Certificate Authority service by right-clicking the CA in the Certificate Authority management console and choosing All Tasks and then Stop Service. Once complete, repeat these steps and choose Start Service.

DirectAccess Server Configuration

In the Remote Access Management console, select DirectAccess and VPN under Configuration in the navigate pane and then click Edit on Step 2 – Remote Access Server. Select Authentication, choose Two-factor authentication (smart card or one-time password (OTP)), and then check the option to Use OTP.

Configure DirectAccess with OTP Authentication

Click Next and then add the RADIUS servers that will be used for OTP authentication. Provide the hostname, FQDN, or IP address of the server, the shared secret, and specify the service port.

Configure DirectAccess with OTP Authentication

Click Next, select the CA server that will be used to issue certificates to DirectAccess clients for OTP authentication, and then click Add.

Click Next, select the CA server that will be used to issue certificates to DirectAccess clients for OTP authentication, and then click Add.

Note: When performing this step you may receive the following error.

No CA servers can be detected, and OTP cannot be configured. Ensure that
servers added to the list are available on each domain controller in the
corporate network.

Configure DirectAccess with OTP Authentication

If this occurs, close out of the Remote Access Management console and install this hotfix.

Click Next and select the certificate templates to be used for the enrollment of certificates that are issued for OTP authentication. Also select a certificate template used to enroll the certificate used by the DirectAccess server to sign OTP certificate enrollment requests.

Configure DirectAccess with OTP Authentication

Click Next and specify whether selected DirectAccess users can authenticate with a user name and password when OTP authentication is disabled. If some users need to be exempted from using OTP, specify the security group as required and click Finish.

Configure DirectAccess with OTP Authentication

Click Edit on Step 3 – Infrastructure Servers. Select Management and add the CA server used for OTP authentication to the list of management servers.

Configure DirectAccess with OTP Authentication

Click Ok and then Finish. Click Finish once more and then apply the changes.

DirectAccess OTP Client Experience

When a DirectAccess client is outside of the corporate network and has established DirectAccess connectivity, users can log on to their machine and access their desktop, but they will not be able to access corporate resources without first providing their OTP.

For Windows 8 clients, swipe in from the right side of the screen or press Window Key + I and click on the active network connection. The DirectAccess Workplace Connection will indicate that action is needed. Clicking on the Workplace Connection will indicate that credentials are needed. Clicking Continue will prompt the user to press Ctrl+Alt+Delete and provide their OTP.

Configure DirectAccess with OTP Authentication

For Windows 7 clients, an alert from the DirectAccess Connectivity Assistant (DCA) in the system tray will indicate that Windows needs your smart card credentials. Clicking on the notification Window will prompt the user to provide their OTP.

Configure DirectAccess with OTP Authentication

Alternatively the user can click on the DCA icon in the system tray and then click Lock and unlock your computer with a smartcard or a one-time password. The user will then press CTRL+ALT+DELETE, choose Other Credentials, select One-time password (OTP), and then provide their OTP.

Configure DirectAccess with OTP Authentication

Summary

Using dynamic, one-time passwords is an effective way to provide the highest level of assurance for remote DirectAccess clients. It does come with some potential drawbacks, so be sure to consider those before implementing OTP.

DirectAccess Clients and TPM

I’ve been frustrated recently with a number of articles and blog posts I’ve seen indicating Windows 8 DirectAccess clients connecting to a Windows Server 2012 DirectAccess server require a Trusted Platform Module (TPM) and the use of smart cards for authentication. This is a myth, and nothing could be further from the truth. TPM and smart cards are indeed supported (TPM with Windows 8, smart cards with Windows 7 and Windows 8 DirectAccess clients) but they are not explicitly required. For the posts I’ve seen I have asked the authors to correct their statements, and to their credit some of them have. Others, unfortunately, have not. I’m not sure if they are simply misinformed or if they are deliberately misleading their readers to downplay DirectAccess in an effort to sell another VPN solution. Regardless, I am compelled to set the record straight here. So, to be perfectly clear:

TPM is NOT a requirement for DirectAccess clients.

There you have it. Now go out and deploy DirectAccess today!

%d bloggers like this: