Hello and Welcome! In this two part series, I will guide you through deploying DirectAccess 2016 from start to finish.
Let's get started...
What is DirectAccess?
DirectAccess is a remote access technology built into Windows Server 2008 and later, but for this video I will focus on DirectAccess on Windows Server 2016. DirectAccess allows machines that are joined to an Active Directory domain to access resources on the corporate network from anywhere, regardless of whether the machine is physically on the corporate LAN or outside it, at home or on the road. There is no need to use legacy VPN clients to connect to the corporate LAN: DirectAccess is always on and works in the background.
What are the use cases?
Some use cases for DirectAccess might be organizations with a highly mobile workforce, organizations that are strictly virtual and whose employees telecommute, or organizations that are looking to replace a legacy VPN infrastructure. In all of these cases, DirectAccess gives you a way to manage PCs that are physically off the network and lets users securely access corporate resources from anywhere.
Some organizations can even use DirectAccess as a replacement for a traditional local Active Directory environment. This means that an organization can build its Active Directory environment in the cloud (on AWS, for example), avoid a Site-to-Site VPN and an on-premises Domain Controller, and use DirectAccess as the means for its PCs to reach Active Directory for management and authentication.
How does it work?
DirectAccess works by establishing an IPsec tunnel from the end user's machine back to the DirectAccess server over the Internet. The connection is established over IPv6, but if you are using IPv4 or are behind a firewall, no worries: 6to4 is supported, and if that fails the client fails over to IP-HTTPS automatically. You will just need to make sure IPv6 is enabled on the servers and resources that clients will need to reach within your network.
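To see this chain of tunnels from the client side, here is an added diagnostic snippet (not part of the original post). It assumes an elevated PowerShell session on a domain-joined Windows 8.1 or Windows 10 DirectAccess client and uses only the built-in DirectAccessClientComponents, NetworkTransition and NetSecurity cmdlets. It shows which transition technology carried the IPv6 traffic (6to4 over IP protocol 41 first, IP-HTTPS over TCP 443 as the fallback) and whether the IPsec security associations to the DirectAccess server actually came up.

```powershell
# Added example, not from the original post: client-side DirectAccess diagnostics.
# Run elevated on a DirectAccess client. All cmdlets below ship with Windows.

# 1. Overall status as the client sees it (e.g. ConnectedRemotely / ConnectedLocally).
Get-DAConnectionStatus | Format-List Status, Substatus

# 2. Transition technology in use. 6to4 is tried first; if it is blocked
#    (no IP protocol 41 through the firewall) the client falls back to IP-HTTPS.
Get-Net6to4Configuration | Format-List State
Get-NetIPHttpsState      | Format-List LastErrorCode, InterfaceStatus
netsh interface httpstunnel show interfaces

# 3. The IPsec tunnel itself. If no main-mode or quick-mode security
#    associations exist, the transition tunnel may be up but the
#    authenticated DirectAccess tunnel never negotiated.
Get-NetIPsecMainModeSA  | Format-Table -AutoSize
Get-NetIPsecQuickModeSA | Format-Table -AutoSize
```

A client that reports ConnectedLocally is on the corporate LAN and is not using DirectAccess at all, so an empty IPsec SA list is normal there; an empty list together with ConnectedRemotely is the condition worth investigating.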
What are the requirements to get it working?
At a minimum, you will need a single Windows Server 2016 Standard server that is a domain member. This machine CANNOT be a domain controller. Depending on the number of DirectAccess clients, the CPU, RAM, and NIC requirements will vary. A link below will help with proper sizing:
Clients connecting to the network via DirectAccess must be:
Windows Server 2016
Windows 10 Enterprise
Windows Server 2012 R2
Windows 8.1 Enterprise
Windows Server 2012
Windows 8 Enterprise
Windows Server 2008 R2
Windows 7 Ultimate
Windows 7 Enterprise
The following firewall ports must be opened to the DirectAccess Server:
IP Protocol 41
IP Protocol 50
TCP/6200 (if using a single NIC and behind a firewall)
NO PKI is needed!
Clients must be Domain-Joined Machines
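Before Part 2, it is worth confirming the server-side requirements above with a quick pre-flight check. The snippet below is an added example, not from the original post; Test-DAServerPrerequisites is an invented helper name, and the cmdlets it calls are built into Windows Server 2016. It verifies that the machine is a domain member and not a domain controller, that IPv6 is bound on every adapter (the IPsec tunnel carries IPv6 end to end), and whether the Remote Access role that contains DirectAccess is already installed.

```powershell
# Added example, not from the original post: pre-flight check for a
# prospective DirectAccess 2016 server. Run elevated on the candidate server.
function Test-DAServerPrerequisites {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Win32_ComputerSystem.DomainRole: 1 = member workstation, 3 = member server,
    # 4 = backup DC, 5 = primary DC. DirectAccess needs a member server, never a DC.
    $isDomainMember = $cs.PartOfDomain -and ($cs.DomainRole -in 1, 3)
    $isDC           = $cs.DomainRole -in 4, 5

    # Adapters where the IPv6 binding (ms_tcpip6) has been turned off.
    $ipv6Disabled = Get-NetAdapterBinding -ComponentID ms_tcpip6 |
                    Where-Object { -not $_.Enabled } |
                    Select-Object -ExpandProperty Name

    # Remote Access role (DirectAccess and VPN) install state.
    $raRole = Get-WindowsFeature -Name DirectAccess-VPN

    [pscustomobject]@{
        ComputerName        = $cs.Name
        OperatingSystem     = $os.Caption
        IsDomainMember      = $isDomainMember
        IsDomainController  = $isDC
        AdaptersWithoutIPv6 = @($ipv6Disabled)
        RemoteAccessRole    = $raRole.InstallState
        Ready               = $isDomainMember -and -not $isDC -and -not $ipv6Disabled
    }
}

Test-DAServerPrerequisites | Format-List
```

Ready is only true when all three server-side conditions hold. The firewall requirements (IP protocol 41, IP protocol 50 and the TCP port listed above) cannot be checked from the server itself; confirm those on the edge firewall or from a client outside the network.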
DirectAccess is a great tool that will unleash your end users and allow them to work from anywhere seamlessly, efficiently, and securely. Stay tuned for Part 2 of this series, where I will demonstrate how to set up a DirectAccess environment.