Simplified Remote Access with DirectAccess: scenario overview

Updated: February 29, 2012

Applies To: Windows Server 8 Beta

[This topic is pre-release documentation and is subject to change in future releases. Blank topics are included as placeholders.]

An overview of the Simplified Remote Access with DirectAccess deployment scenario utilizing the Remote Access Getting Started Wizard in Windows Server® “8” Beta, its new and changed functionality, practical applications, and links to additional resources.

New and changed functionality

Windows Server® “8” Beta DirectAccess includes features to make it easier for small and medium size organizations to deploy. These new features include a simplified prerequisite list, removal of the need for a full PKI deployment, integrated certificate provisioning, and removal of the requirement for two consecutive public IPv4 addresses.

Administrators can now deploy DirectAccess using the new Remote Access Getting Started Wizard, which presents a greatly simplified configuration experience. The Getting Started Wizard allows for an automated setup in a few simple steps. The administrator no longer requires an understanding of the technical details of, for example, IPv6 transition technologies or Network Location Server (NLS) deployment.

In this scenario

The Simplified Remote Access with DirectAccess deployment scenario includes the following steps:

  • Plan the deployment—There are only a few requirements for planning this scenario:

    • Network and server topology—With DirectAccess, you can place your Remote Access server at the edge of your intranet, or behind a Network Address Translation (NAT) device or firewall.

      You can configure your Remote Access server with one network adapter connected to your domain, or your network topology may require an edge configuration with two network adapters. In this case, one network adapter is connected directly to the Internet and the other is connected to the internal network. Or you might have a NAT device with two network adapters where one is connected to the perimeter network and the other is connected to the internal network. In any case, the Getting Started Wizard will help you choose the appropriate topology for your network.

    • DirectAccess network location server—The network location server is used by DirectAccess clients to determine whether they are located on the internal network. In this scenario, the network location server is installed on the Remote Access server. To install your network location server on a computer other than the Remote Access server, see Deploy Advanced Remote Access.

  • Configure the deployment—Following are the configuration steps for this scenario:

    1. Configuring the infrastructure—When DirectAccess is configured, it automatically creates group policy objects containing DirectAccess settings, and these are applied to DirectAccess clients and servers. By default, the Getting Started Wizard applies the client GPO to mobile computers only, in the Domain Computers security group. You can also create alternate security groups and then add them when you run the Wizard.

    2. Configuring the Remote Access server and network settings—Configure network adapters, IP addresses and routing.

    3. Configuring certificate settings—In this scenario, the Getting Started Wizard creates a self-signed certificate, or uses one already on your network, if available, so there is no need to configure the more advanced certificate infrastructure used in Deploy Advanced Remote Access.

    4. Configuring the network location server—In this scenario, the network location server will be installed by the Getting Started Wizard on the Remote Access server.

    5. Configuring the Remote Access server—Install the Remote Access role and run the DirectAccess Getting Started Wizard to configure DirectAccess.

Practical applications

  • Deploying a Remote Access server with DirectAccess provides constant connectivity for clients to access internal network resources any time they are located on the Internet without needing to log in to a VPN connection.

  • DirectAccess client computers located on the Internet can be remotely managed by remote access administrators over DirectAccess, even when the user is not logged on.


Hardware and software configuration requirements for this scenario include the following:

  • Remote Access server requirements:

    • A computer running Windows Server “8” Beta.

    • The server must have at least one network adapter installed and enabled.

    • The server must be a domain member.

    • If the server is located behind an edge firewall or NAT device, the device must be configured to allow traffic to and from the Remote Access server.

    • The person deploying remote access on the server requires local administrator permissions on the server and domain user permissions. In addition, to take advantage of the features that restrict DirectAccess deployment to mobile computers only (the default for this scenario), permissions to create a WMI filter (Domain Admins) on the domain controller are required.

  • Client requirements:

    • DirectAccess client computers must be running Windows® 8 Consumer Preview (for Windows 7, see Deploy Advanced Remote Access).

    • DirectAccess clients must be domain members. Domains containing clients can belong to the same forest as the Remote Access server, or have a two-way trust with the Remote Access server forest or domain.

  • Infrastructure and management server requirements:

    • During remote management of DirectAccess client computers, clients initiate communications with management servers such as domain controllers, System Center Configuration Servers, and Health Registration Authority (HRA) servers for services that include Windows and antivirus updates and Network Access Protection (NAP) client compliance. The required servers should be deployed before beginning the Remote Access deployment.

      If your remote access requirements include client NAP compliance, NPS and HRA servers, see Deploy Advanced Remote Access.

    • A DNS server running Windows Server 2008 SP2; Windows Server 2008 R2; or Windows Server “8” Beta is required.
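
The Remote Access server requirements listed above can be checked before running the Getting Started Wizard. The following is an added example, not part of the original documentation or Microsoft's own tooling; the function name `Test-RemoteAccessPrereq` is hypothetical, and the script assumes it runs in an elevated Windows PowerShell 3.0 session on the intended server.

```powershell
# Added example: pre-flight check of the server-side requirements listed above.
# Test-RemoteAccessPrereq is a hypothetical name, not a Remote Access cmdlet.
function Test-RemoteAccessPrereq {
    $cs       = Get-CimInstance -ClassName Win32_ComputerSystem
    $adapters = @(Get-CimInstance -ClassName Win32_NetworkAdapter -Filter 'NetEnabled = TRUE')

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal -ArgumentList $identity
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # A local account's name is prefixed with the computer name, not a domain name.
    $isDomainUser = ($identity.Name -split '\\')[0] -ne $env:COMPUTERNAME

    # Domain Admins is the well-known group with RID 512 under the domain SID.
    # Needed only for the default "mobile computers only" WMI filter.
    $isDomainAdmin = $false
    $domainSid = $identity.User.AccountDomainSid
    if ($isDomainUser -and $domainSid) {
        $sidType = [Security.Principal.WellKnownSidType]::AccountDomainAdminsSid
        $daSid   = New-Object Security.Principal.SecurityIdentifier -ArgumentList $sidType, $domainSid
        $isDomainAdmin = $principal.IsInRole($daSid)
    }

    [pscustomobject][ordered]@{
        Requirement = 'Server is a domain member'
        Met = [bool]$cs.PartOfDomain; Detail = $cs.Domain }
    [pscustomobject][ordered]@{
        Requirement = 'At least one network adapter installed and enabled'
        Met = ($adapters.Count -ge 1); Detail = "$($adapters.Count) enabled" }
    [pscustomobject][ordered]@{
        Requirement = 'Deploying user has local administrator permissions'
        Met = $isAdmin; Detail = $identity.Name }
    [pscustomobject][ordered]@{
        Requirement = 'Deploying user is a domain user'
        Met = $isDomainUser; Detail = $identity.Name }
    [pscustomobject][ordered]@{
        Requirement = 'Domain Admins membership (WMI filter for mobile-only GPO)'
        Met = $isDomainAdmin; Detail = 'Required only for the mobile-only default' }
}

Test-RemoteAccessPrereq | Format-Table -AutoSize -Wrap
```

The script does not check the operating system version, the edge firewall or NAT device configuration, or the client and DNS requirements; those still need to be verified separately.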

Roles and features included in this scenario

The following table lists the roles and features required for the scenario:

Role/feature How it supports this scenario

Remote Access role

The role is installed and uninstalled using the Server Manager console. This role encompasses both DirectAccess, which was previously a feature in Windows Server 2008 R2, and Routing and Remote Access Services which was previously a role service under the Network Policy and Access Services (NPAS) server role. The Remote Access role consists of two components:

  1. DirectAccess and Routing and Remote Access Services (RRAS) VPN—DirectAccess and VPN are managed together in the Remote Access Management console.

  2. RRAS Routing—RRAS routing features are managed in the legacy Routing and Remote Access console.

The role depends on the following:

  • Internet Information Services (IIS) Web Server – This feature is required to configure the network location server and default web probe.

  • Windows Internal Database—Used for local accounting on the Remote Access server.

Remote Access Management Tools role

This feature is installed as follows:

  • It is installed by default on a Remote Access server when the Remote Access role is installed, and supports the Remote Management console user interface.

  • It can be optionally installed on a server not running the Remote Access server role. In this case it is used for remote management of a Remote Access computer running DirectAccess and VPN.

The Remote Access Management Tools feature consists of the following:

  1. Remote Access GUI and Command Line Tools

  2. Remote Access module for Windows PowerShell

The role depends on the following:

  1. Group Policy Management Console

  2. RAS Connection Manager Administration Kit (CMAK)

  3. Windows PowerShell 3.0

  4. Graphical Management Tools and Infrastructure

See also

The following table provides links to additional information about Remote Access, including DirectAccess and VPN.

Content type References

Product evaluation

Remote Access TechCenter | Remote Access test lab guides, when published


Links to the other Remote Access deployment scenarios when published.


Links to the Remote Access deployment scenarios when published.


Troubleshooting Remote Access, when published

Tools and settings

Windows PowerShell cmdlets for Remote Access, when published.

Community resources

RRAS Product Team blog | Remote Access TechNet Forum

Related technologies

IPv6 - Technology overview