DirectAccess and Always On VPN – is DA being deprecated?

Unfortunately this is now a very common question, and the answer will probably surprise many of you. With the recent release of the updated Always On VPN (AOVPN) capability in Windows 10 1709, many Microsoft remote access customers are being left with the impression that DirectAccess (DA) is on the way out, and that AOVPN is the replacement. The truth is that DA and AOVPN are different and serve different purposes, and one is not a direct replacement for the other.


Microsoft has never made the statement that DirectAccess is going away or being deprecated, only that there was not any new DA functionality introduced in Server 2016. It is unchanged from 2012R2, because it already does what it is intended to do, and does it well. There is engineering time going into Always On VPN (AOVPN), and since DA and AOVPN live “in the same space” some people assume AOVPN will replace DA, but that isn’t a fair assessment. They serve different purposes, and actually supplement each other nicely.


DirectAccess and Always On VPN can both be active on the same IVO remote access appliance, and we expect many of our customers to run both in order to serve different needs. At this point in time, many feel DirectAccess is the more secure platform, and the large majority of those I am working with are still choosing DA as their connectivity platform for corporate-owned assets. For companies that want a way to connect non-domain-joined machines, like home computers, iPhones, etc., adding VPN functionality to your existing DA infrastructure is easily done in order to connect those machines.


One of the primary reasons for running a VPN-based solution is BYOD, though I have to say that as a general security trend, most companies are moving quickly away from the BYOD mentality. For a security-focused corporation, the only devices that you are going to allow to connect back into the corporate network are going to be your company-owned, company-managed laptops and devices. If those devices are running Windows 7, Windows 8 or Windows 10, there is no better or more seamless way to connect them back to the corporate network than DirectAccess.


The primary point I want to make here is that you don’t have to choose. Run them both. You can have part of your workforce on DA, the BYOD devices on VPN, and also start toying around with AOVPN as you prep new images or roll out new equipment. This will give you an opportunity to see DA and AOVPN side by side on the same platform, so that you can decide for yourself which one fits the needs of your remote workforce in a better way. If or when you are ready to move folks from DA to AOVPN, they will be running in parallel, and you can simply migrate devices from one to the other as needed.


In summary, I am a firm believer in both technologies, and in using them together in order to supplement each other. DirectAccess has been around for 10 years, has been improved a number of times through those years, and is an incredibly stable and efficient technology. There is no easier way to connect your Windows 7, Windows 8 or Windows 10 computers back to the corporate network. Always On VPN promises to bring some benefits that will be useful in certain customer situations and I’m excited to see it continue being developed. Currently, deployment of AOVPN settings is slightly more difficult than rolling out DirectAccess, and AOVPN only works on Windows 10 1709 or newer machines, so implementations are being limited by those two factors. These two remote access technologies can be used in parallel to increase your remote workforce potential. It is not a simple question of one or the other.


Jordan Krause
Microsoft MVP | Cloud and Datacenter Management