Direct Access vs MS Remote Access Always On VPN – What’s the difference?

Direct Access and Microsoft’s Remote Access Always On VPN (some call it AutoVPN). What are they? How are they alike? How do they differ? Is one better than the other?

In this article, I will cover the basics of what you need to know when deciding on what Microsoft-based remote access solution works best for your organization.

Direct Access

Now everyone knows about DirectAccess. It’s Microsoft’s alternative to traditional VPN remote access. And when configured properly, it can prove to be more secure and more reliable than a traditional remote access VPN solution. But it also has some major requirements that most organizations are not equipped to meet. Direct Access requires that you have the following:

    • Single or Multiple Direct Access Server Deployment running on Windows Server 2008 R2 or higher (multiple can also support multi-site)
    • Windows Firewall protecting all networks (which a lot of orgs have disabled traditionally)
    • Windows 8, 8.1, or 10 Enterprise (the key word here is Enterprise), or Windows 7 Enterprise/Ultimate (again, the key word here is Enterprise)
    • IPv6 must be enabled, and IPv6 transition technologies must also not be disabled.
    • An internal PKI to assign machine certificates to DirectAccess clients and the DirectAccess server.
    • A private or public PKI to assign Web site certificates to the IP-HTTPS listener and the Network Location Server
    • DirectAccess clients must be members of an Active Directory domain
    • A highly available Network Location Server (Web server) must be on the corpnet.
    • If there are firewalls in front of or behind the DirectAccess server, packet filters must be enabled to allow the required traffic.
    • The DirectAccess server must have two network interface adapters.
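As an added example (not from the original article), the script below audits a Windows client against the client-side requirements in the list above: edition, domain membership, Windows Firewall on every profile, and IPv6 with its transition technologies left enabled. The edition check is a simple match on the OS caption and assumes the English product name; run it in an elevated PowerShell session.

```powershell
# Added example: report which DirectAccess client prerequisites this machine meets.
function Test-DirectAccessClientReadiness {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $results = [ordered]@{}

    # Enterprise (or Windows 7 Ultimate) edition is the usual blocker.
    # Assumption: English product caption, e.g. "Microsoft Windows 10 Enterprise".
    $results['EnterpriseOrUltimateEdition'] = [bool]($os.Caption -match 'Enterprise|Ultimate')

    # DirectAccess clients must be members of an Active Directory domain.
    $results['DomainJoined'] = [bool]$cs.PartOfDomain

    # Windows Firewall must be on for the Domain, Private and Public profiles;
    # IPsec policy enforcement depends on it, so a single disabled profile fails the check.
    $disabledProfiles = @(Get-NetFirewallProfile | Where-Object { -not $_.Enabled })
    $results['FirewallOnAllProfiles'] = ($disabledProfiles.Count -eq 0)
    $results['FirewallDisabledProfiles'] = ($disabledProfiles.Name -join ',')

    # IPv6 must be bound on at least one adapter (ms_tcpip6 is the IPv6 binding component).
    $ipv6Bound = @(Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object { $_.Enabled })
    $results['IPv6Enabled'] = ($ipv6Bound.Count -gt 0)

    # Transition technologies (Teredo, IP-HTTPS, 6to4) must not be force-disabled;
    # "Default" means the client decides at connect time, which is acceptable.
    $results['TeredoNotDisabled']  = ((Get-NetTeredoConfiguration).Type   -ne 'Disabled')
    $results['IPHttpsNotDisabled'] = ((Get-NetIPHttpsConfiguration).State -ne 'Disabled')
    $results['6to4NotDisabled']    = ((Get-Net6to4Configuration).State    -ne 'Disabled')

    # Overall verdict: every boolean check must be true.
    $results['ReadyForDirectAccess'] = -not ($results.Values |
        Where-Object { $_ -is [bool] -and -not $_ } | Select-Object -First 1)

    [pscustomobject]$results
}

Test-DirectAccessClientReadiness | Format-List
```

A machine that fails only the edition check is the case the article calls out as the main killer: every other item can be fixed by configuration, but the edition cannot.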

Now while this seems like a lot to deploy, most mid-size organizations with 1-3 sites can get away with a single-site, single-server deployment. This all depends on where a majority of the server and network infrastructure is housed. Larger organizations would benefit from a multi-server / multi-site DirectAccess deployment, but can still get away with a single-site, single-server or single-site, multi-server deployment if the requirements for VPN access are low or are subject to more remote access scrutiny due to security concerns.

The main killer that comes with deploying DirectAccess is the edition of Windows that is required. While you can run either Windows Server Standard or Datacenter for deployment, you must be running the Enterprise edition of Windows 7/8/8.1/10 in order to use Direct Access.

This has caused most SMBs to steer clear of deploying Direct Access, as they may not have acquired Enterprise licensing as part of their Enterprise Agreement (EA) with Microsoft. And as we all know, the only way you can acquire the Enterprise edition of Windows client versions is through an EA with Microsoft.

Direct Access also requires the use of IPv6 exclusively to distribute addressing to connecting endpoints. While this is not a huge setback, it does present a larger management problem when it comes to client addressing and identification.

Direct Access, however, does allow for manage-out functionality, which lets organizations that use SCCM or WSUS to push software updates to end-user devices keep controlling which updates those devices receive, both on and off the network. This is a feature that favors DirectAccess over traditional VPN connections.

Remote Access Always On VPN

DirectAccess was introduced in Windows 8.1 and Windows Server 2012 operating systems as a feature to allow Windows users to connect remotely. However, following the launch of Windows 10, the deployment of this infrastructure has witnessed a decline. Microsoft has been actively encouraging organizations considering a DirectAccess solution to instead implement client-based VPN with Windows 10. This Always On VPN connection delivers a DirectAccess-like experience using traditional remote access VPN protocols such as IKEv2, SSTP, and L2TP/IPsec. It also comes with some additional benefits.

The new feature was introduced in the Windows 10 Anniversary Update to allow IT administrators to configure automatic VPN connection profiles.

Always On VPN has some important advantages over DirectAccess. For instance, Always On VPN can use both IPv4 and IPv6. Another huge advantage is the ability to control per-app VPN, as well as performing split or force tunneling. But perhaps the biggest advantage of Always On VPN is the fact that it can be run on any edition of Windows 10, as long as it runs update 1607 or higher. That being said, it can also be pushed to mobile devices such as Android and iOS, and it still allows for the same controllable security features, such as logging in with a user certificate (this is an advanced setup feature which won’t be covered in this article).

Always On VPN also comes with its disadvantages. For example, in order for you to utilize Always On VPN, you must be running Windows 10 1607 or higher. Windows 7/8/8.1 are not supported. Another disadvantage is that you cannot push the VPN configuration down from Group Policy like Direct Access, but rather through manual PowerShell creation, SCCM deployment, or Intune deployment. While these are not major drawbacks, they can prevent companies from utilizing the technology if they haven’t upgraded to Windows 10 quite yet, or if they do not have SCCM / Intune deployed for management.

Just like Direct Access, Always On VPN has a good number of requirements as well. Here are the basics:

  • One or more VPN Gateway Servers (RRAS) with two NICs. The design is to have the VPN Gateway Server in the DMZ with one NIC to the external network, and the other to the internal network. The server must be running Windows Server 2012 R2 or higher.
  • One or more Network Policy Servers (NPS) on the internal domain.
  • An internal PKI to assign machine certificates to users on the devices that they log in from.
  • A private or public PKI to assign Web site certificates to the NPS server, as well as for server to server communication between the NPS and VPN Gateway Server.
  • Client endpoints that are either members of the domain or enrolled into the MDM authority for management and distribution of certificates.
  • Windows 10 devices (1607 or higher) of any edition, Android, or iOS.
  • PowerShell, SCCM, or Intune for VPN profile configuration deployment.

While these requirements are fewer than what Direct Access requires (some are the same), the need for SCCM or Intune for automated deployment is the biggest disadvantage. You could always write a PowerShell deployment script that runs against all of the targeted client machines and calls the configuration PowerShell script that would configure the VPN profile, but unless you are well versed in PowerShell or can find a consultant/friend who would write this for you, it is not the most feasible method of deployment.
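As an added example (not from the original article or any Microsoft script), here is the kind of client-side profile configuration script the paragraph above refers to. It builds an IKEv2 user tunnel with the features the article credits to Always On VPN: split tunneling over both IPv4 and IPv6, a per-app trigger, and a hardened IPsec proposal. The connection name, server FQDN, DNS suffix, prefixes and application path are placeholders; the Always On (auto-connect at logon) flag itself and the EAP method are delivered through the profile XML that Intune, SCCM or the MDM bridge pushes, and are not set here.

```powershell
# Added example: configure an Always On VPN style IKEv2 user tunnel on a Windows 10 client.
# All names and addresses below are placeholders for illustration.
$ConnectionName   = 'Contoso Always On VPN'
$VpnServer        = 'vpn.example.com'                    # RRAS public FQDN (placeholder)
$DnsSuffix        = 'corp.example.com'                   # internal DNS suffix (placeholder)
$InternalPrefixes = @('10.0.0.0/8', 'fd00:1234::/48')    # corpnet IPv4 and IPv6 prefixes (constructed)
$TriggerApp       = 'C:\Program Files\Contoso\App.exe'   # app that should bring the tunnel up (placeholder)

function New-AlwaysOnVpnUserProfile {
    # Make the script idempotent: a re-run replaces any profile of the same name.
    if (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue) {
        Remove-VpnConnection -Name $ConnectionName -Force
    }

    # IKEv2 with EAP; -SplitTunneling means only routes added below traverse the tunnel.
    # Omit -SplitTunneling to force-tunnel all traffic instead.
    Add-VpnConnection -Name $ConnectionName -ServerAddress $VpnServer `
        -TunnelType Ikev2 -AuthenticationMethod Eap -EncryptionLevel Required `
        -SplitTunneling -RememberCredential -DnsSuffix $DnsSuffix -Force

    # Route both IPv4 and IPv6 corpnet prefixes through the tunnel.
    foreach ($prefix in $InternalPrefixes) {
        Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix
    }

    # Windows' default IKEv2 proposal is 3DES/SHA-1/DH group 2; raise it to AES-256/SHA-256/DH 14.
    # The RRAS server must be configured with a matching policy or the tunnel will not negotiate.
    Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
        -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 `
        -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
        -DHGroup Group14 -PfsGroup PFS2048 -Force

    # Per-app VPN: launching this application triggers the connection (user tunnels only).
    Add-VpnConnectionTriggerApplication -ConnectionName $ConnectionName -ApplicationID $TriggerApp -Force
}

function Test-AlwaysOnVpnUserProfile {
    # Verification step for the deployment script to report back on.
    $conn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop
    [pscustomobject]@{
        Name           = $conn.Name
        TunnelType     = $conn.TunnelType
        SplitTunneling = $conn.SplitTunneling
        Routes         = ($conn.Routes.DestinationPrefix -join ', ')
        IPsec          = $conn.IPsecCustomPolicy
    }
}

New-AlwaysOnVpnUserProfile
Test-AlwaysOnVpnUserProfile | Format-List
```

The deployment wrapper the paragraph describes would copy this script to each targeted client and run it in the logged-on user's context, since the per-app trigger applies only to user (not all-user) connections.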

So which one do I choose?

Should you deploy DirectAccess today or implement Always On VPN with Windows 10 instead? That depends on a number of factors. It’s important to understand that DirectAccess is fully supported in Windows Server 2016 and will likely be for many years to come.

If DirectAccess meets your needs today, you can deploy it with confidence that it will still have a long support life. However, it should be noted that at the time of writing this article, Microsoft is subtly making a small push for organizations to use Always On VPN over Direct Access. This has caused a lot of speculation in the Microsoft Tech community as to whether or not Microsoft will come forward and deem Direct Access End of Life (EOL), but no announcements have been made yet.

If you have reservations about the future viability of DirectAccess, and if you meet all of the requirements to support Always On VPN with Windows 10, then perhaps that’s a better choice. If you’d like to discuss your remote access options in more detail, feel free to contact me via LinkedIn, or check out the information below.

  • For more information on how you can utilize one of these solutions in your environment, please feel free to contact me or any of us at Exigo Technology Solutions by calling 225-308-4467, or send me an email at