Step-By-Step: Enabling DirectAccess in Windows Server 2012 R2

With the holidays now behind us, attention turns to the new devices entering the workplace that were received as gifts two weeks or so ago. In addition, this week marks the unveiling of new devices at the 47th annual Consumer Electronics Show, where many manufacturers will be showcasing the latest in notebooks, tablets, smartphones and other electronics, such as the recently announced Lenovo ThinkPad 8. With that in mind, IT professionals feel the push, now more than ever, to allow these devices to access resources within their organization. One way to give employees access is Microsoft's DirectAccess, offered in Windows Server 2012 R2.

What is DirectAccess?

DirectAccess, introduced in Windows Server 2008 R2, is a remote access feature allowing connectivity to corporate network resources without the requirement of Virtual Private Network (VPN) connections. DirectAccess at the time only supported domain-joined Windows 7 Enterprise and Windows 7 Ultimate edition clients. Windows Routing and Remote Access Server (RRAS) will continue to provide traditional VPN connectivity for legacy clients, non-domain joined clients, third party VPN clients and site-to-site server connections. RRAS in Windows Server 2008 R2 must be deployed and managed separately from DirectAccess as it cannot coexist on the same edge server.

In 2012, DirectAccess offered with Windows Server 2012 R2 combines the feature and the RRAS role service into a new unified server role. This new Remote Access role allows for centralized configuration, administration, and monitoring of both VPN-based remote access services and DirectAccess.  Windows Server 2012 R2 DirectAccess also provides multiple updates and improvements to address deployment blockers and provide simplified management.

These features include:

  • DirectAccess and RRAS coexistence
  • Simplified DirectAccess Deployment
  • Removal of PKI (Public Key Infrastructure) as prerequisite
  • Built-in NAT64 and DNS64 support for IPv4-only resources
  • Support for DirectAccess behind a NAT device
  • Load Balancing Support
  • Multi Domain Support
  • NAP Integration
  • Manage-Out to clients support
  • User Monitoring / Server Status / Diagnostics
  • IP-HTTPS performance improvements
  • Server Core Support
  • Multisite Support

With Windows 8.1 Enterprise and Windows Server 2012 R2, DirectAccess deployment is also now simplified, with a working configuration deployed in a few clicks. However, a number of other deployment options are available should the standard configuration not meet your organization's requirements. These deployment options include:

  • Single Site Remote Access
  • Remote Access in a Cluster
  • Multiple Remote Access Servers in a Multisite Deployment
  • Remote Access with OTP Authentication
  • Remote Access in a Multi-Forest Environment
  • Remote Access with Network Access Protection
  • Remote Access in the Cloud



Download and install Windows Server 2012 R2 in your lab to complete this exercise. Alternatively you can complete this lab in a virtual lab setup by downloading and installing Hyper-V Server 2012 R2.

DirectAccess Deployment Steps

  1. Install the remote access role: Obtain two consecutive public IPv4 IP addresses and configure them on the external adapter of the server. These addresses must be unique.
    • In the Server Manager console, in the Dashboard, click add roles.
    • Click Next three times to get to the server role selection screen.
    • On the Select Server Roles dialog, select Remote Access, click Add Required Features, and then click Next.
    • On the Select features dialog, expand Remote Server Administration Tools, expand Role Administration Tools, and then select Remote Access Management Tools, and then click Next.
    • Click Next four times.
    • On the Confirm installation selections dialog, click Install.
    • On the Installation progress dialog, verify that the installation was successful, and then click Close.
  2. Create a new DNS record for the server FQDN.
  3. Obtain a server certificate for IP-HTTPS connections, with a subject name that matches the FQDN of the server.
  4. Create client security groups.
  5. After installing the Remote Access role, open the Remote Access Management Console.

  6. Click on the Deploy DirectAccess Only option


  7. If two network adapters are present, select the Edge topology and enter the FQDN or external IP address. If not, select the topology that meets your requirements.


  8. Click Next and Finish with the default options or select to edit the settings (settings can be edited later)


  9. The wizard cycles through various processes and completes the task

Once the wizard completes successfully, you can review all of the configuration steps and edit them as needed.
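
The deployment steps above can also be scripted. The following PowerShell is an added example, not part of the original article: it verifies the step 1 and step 3 prerequisites before making any change, then installs the role and deploys DirectAccess only. The FQDN, adapter aliases and group name are placeholder assumptions, and the Server Authentication EKU check is an added hardening check beyond the subject-name match the article asks for.

```powershell
# Added example. Placeholder values (assumptions), not taken from the article.
$Fqdn        = 'da.example.com'     # public name from steps 2 and 3
$ExternalNic = 'Internet'           # external adapter alias
$InternalNic = 'Corpnet'            # internal adapter alias
$ClientGroup = 'CORP\DA_Clients'    # client security group from step 4

# Step 1: true if any two of the given IPv4 addresses are consecutive.
function Test-ConsecutiveIPv4 ([string[]]$Addresses) {
    $n = foreach ($a in $Addresses) {
        $b = [System.Net.IPAddress]::Parse($a).GetAddressBytes()
        [Array]::Reverse($b)        # network byte order -> little endian
        [BitConverter]::ToUInt32($b, 0)
    }
    $n = @($n | Sort-Object)
    for ($i = 1; $i -lt $n.Count; $i++) {
        if ($n[$i] - $n[$i - 1] -eq 1) { return $true }
    }
    return $false
}

# Step 3: certificates in the machine store that name the FQDN (subject or SAN),
# are inside their validity period, have a private key and allow
# Server Authentication (OID 1.3.6.1.5.5.7.3.1). Wildcard names are not matched.
function Get-IpHttpsCertificate ([string]$Name) {
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        $_.DnsNameList.Unicode -contains $Name -and
        $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1'
    }
}

$ips = (Get-NetIPAddress -InterfaceAlias $ExternalNic -AddressFamily IPv4).IPAddress
if (-not (Test-ConsecutiveIPv4 $ips)) { throw "No consecutive IPv4 pair on $ExternalNic" }
if (-not (Get-IpHttpsCertificate $Fqdn)) { throw "No usable IP-HTTPS certificate for $Fqdn" }

# Steps 1 and 5-9: install the role, then deploy DirectAccess only (no VPN).
Install-WindowsFeature DirectAccess-VPN -IncludeManagementTools
Install-RemoteAccess -DAInstallType FullInstall -ConnectToAddress $Fqdn `
    -InternetInterface $ExternalNic -InternalInterface $InternalNic

# Step 4: add the dedicated group, then review which groups are in scope
# and the health of each component.
Add-DAClient -SecurityGroupNameList $ClientGroup
Get-DAClient
Get-RemoteAccessHealth
```

Run it from an elevated session on the DirectAccess server; both prerequisite checks throw before the role is installed, so a failed check leaves the server unchanged.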



To explore the new DirectAccess feature for yourself, download the Windows Server 2012 R2 installation kit.




Comments (6)

  1. Anonymous says:

    Pingback from My Experience with: DirectAccess and Server 2012 | FindingsInIT

  6. Anonymous says:

    Can a Windows 7 Ultimate Computer connect to a Windows server 2012 Single Network Adapter (Behind a EDGE/NAT) with a public IPv4 address?
