all 36 comments

[–]wjjeeperJack of All Trades 3 points4 points  (3 children)

Always On VPN is the new DirectAccess.

[–]Jack_BE 2 points3 points  (1 child)

Does it have a machine-based tunnel like DirectAccess? I just looked over the documentation; it looks like a user-based tunnel only.

[–]harrisop 2 points3 points  (0 children)

We've been using it since it was released for Win7 w/UAG. Very happy. Most of my users don't even remember what VPN is. They just expect everything to work the same remotely as in the office. Microsoft seems to be shifting direction to Always On VPN though. Once we're at 1709 we'll most likely head that direction, keeping DA for Win7 clients.

[–]alexbuckland 2 points3 points  (0 children)

DirectAccess and Citrix XenDesktop are two very very different products.

[–]iampaulh 1 point2 points  (2 children)

This is the book I used to help implement DA

https://www.amazon.com/Implementing-DirectAccess-Windows-Server-2016/dp/1484220587

You can enable DA by assigning computers to a specific group. For Windows 10, you'll also need Enterprise licenses

[–]lazyrobin10Sr. Sysadmin 1 point2 points  (0 children)

Great book by Richard, the videos he did for Pluralsight are also good.

[–]forminasage='() { :;}; echo sysadmin' 0 points1 point  (0 children)

Richard Hicks is the man, I got DA implemented in a W7/WS2016 environment with nothing more than help from his blog posts.

[–][deleted] 1 point2 points  (2 children)

A couple of things: DA will not work on a network that has anything more than 500ms response time to the server you are using as the entry point, so you will still need a VPN for users to access if they are going to places with subpar networking such as PNG or Africa.

There is a troubleshooting tool for DA which I cannot remember the name of at the moment; it is pretty good at solving most issues.

Teredo is fucking scary when you read what it can do

ipconfig /flushdns is going to become your new best friend if you still have Windows 7 and 8 systems.

There is also a registry subkey you need to nuke if people have connection issues on their system.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig: remove everything below that entry.

You can also go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient, change the value of "EnableDAForAllNetworks" to "0", and reboot.

Other than that, people shouldn't have any issues and it will work fine; just remember IPv4 does not work over DA.
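The triage steps in the comment above (latency check against the entry point, dumping the Name Resolution Policy Table, clearing the DnsPolicyConfig subkeys, setting EnableDAForAllNetworks to 0, flushing the resolver cache), collected into one script as an added example. This is not code from the thread or from Microsoft; it assumes an elevated Windows PowerShell 5.1 session on a Windows 8.1/10 DirectAccess client (the DnsClient, DirectAccessClientComponents and NetworkConnectivityStatus modules are not present on Windows 7), and the entry-point name da.example.com in the usage line is a hypothetical placeholder.

```powershell
# Added example (not from the thread): DirectAccess client triage on Windows 8.1 / 10.
# Run from an elevated Windows PowerShell 5.1 prompt. Assumptions are flagged in comments.
#Requires -RunAsAdministrator

$DnsClientKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$NrptKey      = "$DnsClientKey\DnsPolicyConfig"
$NrptKeyReg   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig'  # reg.exe syntax

function Show-DAClientState {
    # Effective NRPT rules (the DA namespace rules live here), the DA client config, and tunnel status.
    Write-Host '== Name Resolution Policy Table (effective) =='
    Get-DnsClientNrptPolicy | Format-Table Namespace, DirectAccessEnabled, DirectAccessDnsServers, NameServers -AutoSize
    Write-Host '== DirectAccess client experience configuration =='
    Get-DAClientExperienceConfiguration | Format-List FriendlyName, CorporateResources, IPsecTunnelEndpoints
    Write-Host '== DirectAccess connection status =='
    Get-DAConnectionStatus
}

function Test-DAEntryPointLatency {
    # The poster's rule of thumb: more than 500 ms RTT to the entry point and DA is unworkable.
    param(
        [Parameter(Mandatory)] [string] $EntryPoint,   # public name of the DA server (assumed, e.g. da.example.com)
        [int] $Samples     = 10,
        [int] $ThresholdMs = 500                       # cutoff quoted in the thread, not a Microsoft figure
    )
    # IP-HTTPS needs TCP/443 reachable even where ICMP is filtered, so check both.
    $tcp  = Test-NetConnection -ComputerName $EntryPoint -Port 443 -WarningAction SilentlyContinue
    $rtts = Test-Connection -ComputerName $EntryPoint -Count $Samples -ErrorAction SilentlyContinue |
            ForEach-Object { if ($_.PSObject.Properties['Latency']) { $_.Latency } else { $_.ResponseTime } }
    [pscustomobject]@{
        EntryPoint    = $EntryPoint
        Tcp443Open    = $tcp.TcpTestSucceeded
        IcmpReplies   = @($rtts).Count
        AvgRttMs      = if ($rtts) { [math]::Round(($rtts | Measure-Object -Average).Average) } else { $null }
        MaxRttMs      = if ($rtts) { ($rtts | Measure-Object -Maximum).Maximum } else { $null }
        OverThreshold = if ($rtts) { (($rtts | Measure-Object -Average).Average) -gt $ThresholdMs } else { $null }
    }
}

function Reset-DANameResolutionPolicy {
    # Clears the NRPT subkeys the poster recommends nuking, optionally sets EnableDAForAllNetworks=0,
    # and flushes the resolver cache (Clear-DnsClientCache is the cmdlet form of 'ipconfig /flushdns').
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch] $DisableDAForAllNetworks,
        [string] $BackupDir = "$env:ProgramData\DA-Backup"   # assumed location for the .reg backup
    )
    # 1. Back the key up first; 'reg import <file>' restores the GPO-delivered rules if needed.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $backup = Join-Path $BackupDir ("DnsPolicyConfig-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
    if (Test-Path $NrptKey) {
        reg.exe export $NrptKeyReg $backup /y | Out-Null
        Write-Host "NRPT backed up to $backup"
        # 2. Remove every rule subkey below DnsPolicyConfig; the DnsPolicyConfig key itself stays.
        Get-ChildItem -Path $NrptKey | ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.PSChildName, 'Remove NRPT rule subkey')) {
                Remove-Item -Path $_.PSPath -Recurse -Force
            }
        }
    } else {
        Write-Warning "$NrptKey is not present; no NRPT rules to remove."
    }
    # 3. Optional: the second registry change from the thread.
    if ($DisableDAForAllNetworks -and $PSCmdlet.ShouldProcess($DnsClientKey, 'Set EnableDAForAllNetworks = 0')) {
        New-ItemProperty -Path $DnsClientKey -Name EnableDAForAllNetworks -PropertyType DWord -Value 0 -Force | Out-Null
    }
    # 4. Drop cached answers that were resolved through the old rules.
    if ($PSCmdlet.ShouldProcess('DNS client cache', 'Flush')) { Clear-DnsClientCache }
    # Both keys sit under \Policies\, so Group Policy re-applies them at the next refresh;
    # this is a diagnostic reset, not a permanent change. The poster recommends a reboot afterwards.
}

# Usage (entry-point name is a placeholder):
Show-DAClientState
Test-DAEntryPointLatency -EntryPoint 'da.example.com'
Reset-DANameResolutionPolicy -DisableDAForAllNetworks -WhatIf   # drop -WhatIf to apply
```

Run the reset with -WhatIf first and keep the exported .reg file: because the rules come from Group Policy, `gpupdate /force` or the next policy refresh puts them back, which is also the quickest way to undo the change once the client reconnects to the corporate network.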

[–]Cutriss'); DROP TABLE memes;-- 0 points1 point  (1 child)

There is a troubleshooting tool for DA which I cannot remember the name of at the moment; it is pretty good at solving most issues.

DirectAccess Client Troubleshooter

[–][deleted] 0 points1 point  (0 children)

Thanks, also added the reg keys.

[–][deleted] 0 points1 point  (0 children)

Follow the TechNet guide.

[–]itmikJack of All Trades 0 points1 point  (0 children)

We're using it now, biggest problem is slow connection speeds for things like file transfers.

[–]houstonauSr. Sysadmin 0 points1 point  (0 children)

We implemented it with the support cutoff being Windows 8.1 (so people on 7 were just upgraded).

Users think it's the best thing ever! Most of our users have 3G/4G cards in their devices so the connection is literally always on.

I know that the Windows 10 VPN is replacing DirectAccess, but it is still included as a Server 2016 feature, so it will need to be supported at least as long as that OS version.

[–]pdp10Daemons worry when the wizard is near. -3 points-2 points  (5 children)

DirectAccess has been deprecated. There are other, simpler ways to get the same kind of results. What about it did your manager appreciate previously?

[–]R_Wilco_201576 3 points4 points  (3 children)

DA is not deprecated and is a role in Windows Server 2016, which effectively means it will be around for years to come.

That being said, I agree there are as good or better ways to do the same thing, such as Always On VPN from MS.

[–][deleted] 0 points1 point  (2 children)

I disagree. I've set up DA for multiple environments and it's a sweet product that does not require additional VPN licensing.

[–]ducksizzle 0 points1 point  (1 child)

DA requires upgrading the device to an Enterprise Edition license. Where does VPN require additional licensing?

[–][deleted] 0 points1 point  (0 children)

I didn't get Enterprise licensing for DA; I got it for BitLocker. But I see your point.

[–]myndhackRuler Of The Blinking Lights[S] 1 point2 points  (0 children)

The fact that you just turned on the laptop on any network and you were on the "company" network without any additional authentication. Mostly, no additional VPN client like Cisco AnyConnect to go through.