End-to-end configuring and troubleshooting DirectAccess

Applies to: Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Essentials, Windows Server 2012 R2 Foundation


This guide introduces DirectAccess and provides step-by-step instructions for configuring and troubleshooting it.


DirectAccess gives users the experience of being seamlessly connected to their intranet any time that they have Internet access. When DirectAccess is enabled, requests for intranet resources (such as email servers, shared folders, or intranet websites) are securely directed to the intranet, without the need for users to connect to a VPN. DirectAccess enables increased productivity for a mobile workforce by offering the same connectivity experience both inside and outside the office.

The Windows Routing and Remote Access Server (RRAS) provides traditional VPN connectivity for legacy clients and non-domain members. RRAS also provides site-to-site connections between servers. RRAS in Windows Server 2008 Beta R2 cannot coexist on the same edge server together with DirectAccess, so it must be deployed and managed separately from DirectAccess.

Windows Server 2012 combines the DirectAccess feature and the RRAS role service into a new unified server role. This new Remote Access server role allows for centralized administration, configuration, and monitoring of both DirectAccess and VPN-based remote access services. Additionally, Windows Server 2012 DirectAccess provides multiple updates and improvements to address deployment blockers and provide simplified management.

Administrators can now deploy DirectAccess by using the new Getting Started Wizard, which presents a greatly simplified configuration experience. The Getting Started Wizard masks the complexity of DirectAccess and allows for an automated setup in several simple steps. The administrator no longer needs to understand technical details such as IPv6 transition technologies or Network Location Server (NLS) deployment.

The new setup wizard provides a seamless experience for the administrator by configuring Kerberos proxy automatically to eliminate the need for an internal PKI deployment. In this simplified DirectAccess deployment, user-level configuration options such as force tunneling, Network Access Protection (NAP) integration, and two-factor authentication are not available. However, the administrator can modify the simplified deployment later by running the Remote Access Setup Wizard, which provides support for all DirectAccess deployment options.