Prerequisites for Deploying DirectAccess

Updated: June 25, 2014

Applies To: Windows Server 2012 R2, Windows Server 2012 Essentials, Windows Server 2012, Windows Server 2012 R2 Essentials, Windows Storage Server 2012 R2 Essentials

The following sections list, for each deployment scenario, the prerequisites for using the configuration wizards to deploy DirectAccess.

Scenario: Deploy a Single DirectAccess Server Using the Getting Started Wizard

Prerequisites:
- Windows Firewall must be enabled on all profiles.
- Only supported for clients running Windows 8.1 Enterprise and Windows 8 Enterprise.
- A public key infrastructure is not required.
- Not supported for deploying two-factor authentication. Domain credentials are required for authentication.
- Automatically deploys DirectAccess to all mobile computers in the current domain.
- Traffic to the Internet does not go through DirectAccess. Force tunnel configuration is not supported.
- DirectAccess server is the network location server.
- Network Access Protection (NAP) is not supported.
- Changing policies by using a feature other than the DirectAccess management console or Windows PowerShell cmdlets is not supported.
- For a multisite configuration, now or in the future, first follow the guidance in Deploy a Single DirectAccess Server with Advanced Settings.

Scenario: Deploy a Single DirectAccess Server with Advanced Settings

Prerequisites:
- A public key infrastructure must be deployed. For more information, see Test Lab Guide Mini-Module: Basic PKI for Windows Server 2012.
- Windows Firewall must be enabled on all profiles.
- Computers that are running the following operating systems are supported as DirectAccess clients. Note that only Windows operating systems support DirectAccess.
  - Windows Server 2016
  - Windows 10 Enterprise
  - Windows Server 2012 R2
  - Windows 8.1 Enterprise
  - Windows Server 2012
  - Windows 8 Enterprise
  - Windows Server 2008 R2
  - Windows 7 Ultimate
  - Windows 7 Enterprise
- Force tunnel configuration is not supported with KerbProxy authentication.
- Changing policies by using a feature other than the DirectAccess management console or Windows PowerShell cmdlets is not supported.
- Separating NAT64/DNS64 and IPHTTPS server roles on another server is not supported.

Scenario: Deploy Remote Access in a Cluster

Prerequisites:
- Default load balancing is through the Network Load Balancing (NLB) feature in Windows Server.
- External load balancers are supported.
- Unicast mode is the default and recommended mode for NLB.
- Changing policies by using a feature other than the DirectAccess management console or Windows PowerShell cmdlets is not supported.
- When NLB or an external load balancer is used, the IPHTTPS prefix must remain /59.
- Load balanced nodes must be in the same IPv4 subnet.
- In external load balancer deployments, if remote management is needed, DirectAccess clients cannot use Teredo. Only IPHTTPS can be used for end-to-end communication.
- All known hotfixes for Network Load Balancing external load balancing must be installed.

Scenario: Deploy Multiple Remote Access Servers in a Multisite Deployment

Prerequisites:
- For a multisite configuration, now or in the future, first follow the guidance in Deploy a Single DirectAccess Server with Advanced Settings.
- Clients running Windows 7 always connect to a specific site. They cannot connect to the closest site based on the location of the client (unlike clients running Windows 8.1 and Windows 8).
- Changing policies by using a feature other than the DirectAccess management console or Windows PowerShell cmdlets is not supported.
- A public key infrastructure must be deployed. For more information, see Test Lab Guide Mini-Module: Basic PKI for Windows Server 2012.

Scenario: Deploy Remote Access with OTP Authentication

Prerequisites:
- Before you deploy one-time password authentication, follow the guidance in Deploy a single Remote Access server with advanced settings.
- Clients running Windows 7 Enterprise and Windows 7 Ultimate need to use DCA 2.0 to support one-time password authentication.
- One-time password authentication does not support a PIN change.
- A public key infrastructure must be deployed. For more information, see Test Lab Guide Mini-Module: Basic PKI for Windows Server 2012.
- Changing policies by using a feature other than the DirectAccess management console or Windows PowerShell cmdlets is not supported.

Scenario: Deploy Remote Access in a Multi-Forest Environment

Prerequisites:
- Two-way trust is required.

Scenario: Manage DirectAccess Clients Remotely

Prerequisites:
- Windows Firewall must be enabled on all profiles.
- Computers that are running the following operating systems are supported as DirectAccess clients. Note that only Windows operating systems support DirectAccess.
  - Windows Server 2016
  - Windows 10 Enterprise
  - Windows Server 2012 R2
  - Windows 8.1 Enterprise
  - Windows Server 2012
  - Windows 8 Enterprise
  - Windows Server 2008 R2
  - Windows 7 Ultimate
  - Windows 7 Enterprise
- Changing policies by using a feature other than the DirectAccess management console or Windows PowerShell cmdlets is not supported.

Scenario: Migrate from Forefront UAG SP1 DirectAccess to Windows Server 2012

Prerequisites:
- If NAP is used in Forefront Unified Access Gateway, NAP requires a separate Network Policy Server. NAP was deprecated in Windows Server 2012 R2. This means that NAP may not be supported in future versions of Windows. New deployments with NAP are not recommended.
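As an added example (not from this page or from the DirectAccess product documentation), a PowerShell readiness check for the prerequisites that recur across the scenarios above: Windows Firewall enabled on all profiles, domain membership (domain credentials are required for authentication), and a supported Windows edition for the client list. It assumes a computer running Windows 8 or Windows Server 2012 or later, where Get-NetFirewallProfile (NetSecurity module) and Get-CimInstance are available; the function name Test-DirectAccessPrerequisites is an assumption of this example.

```powershell
# Added example: pre-deployment readiness check for the recurring DirectAccess prerequisites.
# Assumes Windows 8 / Windows Server 2012 or later (NetSecurity module, CIM cmdlets).
function Test-DirectAccessPrerequisites {
    [CmdletBinding()]
    param()

    # 1. "Windows Firewall must be enabled on all profiles" (Domain, Private, Public).
    #    A profile whose Enabled value is NotConfigured is treated as not enabled.
    $disabledProfiles = @(Get-NetFirewallProfile |
        Where-Object { $_.Enabled -ne 'True' } |
        ForEach-Object { $_.Name })
    $firewallOk = ($disabledProfiles.Count -eq 0)
    if (-not $firewallOk) {
        Write-Warning "Windows Firewall is not enabled on profile(s): $($disabledProfiles -join ', ')"
    }

    # 2. Domain credentials are required for authentication, so the computer must be domain-joined.
    $computer = Get-CimInstance -ClassName Win32_ComputerSystem
    $domainOk = [bool]$computer.PartOfDomain
    if (-not $domainOk) { Write-Warning 'Computer is not joined to a domain.' }

    # 3. Supported client editions, as listed in the prerequisites above. Matched as
    #    substrings of Win32_OperatingSystem.Caption (e.g. "Microsoft Windows 10 Enterprise").
    $supportedEditions = @(
        'Windows Server 2016', 'Windows 10 Enterprise', 'Windows Server 2012 R2',
        'Windows 8.1 Enterprise', 'Windows Server 2012', 'Windows 8 Enterprise',
        'Windows Server 2008 R2', 'Windows 7 Ultimate', 'Windows 7 Enterprise'
    )
    $caption = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    $editionOk = [bool]($supportedEditions | Where-Object { $caption -like "*$_*" })
    if (-not $editionOk) { Write-Warning "Unsupported edition for DirectAccess client: $caption" }

    # Return one object so the result can be logged or fed into an inventory report.
    [PSCustomObject]@{
        ComputerName                = $computer.Name
        OperatingSystem             = $caption
        FirewallEnabledOnAllProfiles = $firewallOk
        FirewallDisabledProfiles    = $disabledProfiles
        DomainJoined                = $domainOk
        SupportedEdition            = $editionOk
        ReadyForDirectAccess        = ($firewallOk -and $domainOk -and $editionOk)
    }
}

# Usage: run elevated on the candidate client or server and review the result.
Test-DirectAccessPrerequisites | Format-List
```

The check does not cover the scenario-specific items (PKI deployment, NLB prefix, Teredo restrictions); those still need to be verified against the relevant scenario's list.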