Certificate prepare for Direct Access

Provision DA Server with a certificate for IP-HTTPS

  1. Log on DA Server.
  2. From the Start screen, type mmc, and then press ENTER.
  3. Click File, and then click Add/Remove Snap-in.
  4. Click Certificates, click Add, click Computer account, click Next, select Local computer, click Finish, and then click OK.
  5. In the console tree of the Certificates snap-in, open Certificates (Local Computer)\Personal\Certificates.
  6. Right-click Certificates, point to All Tasks, and then click Request New Certificate.
  7. Click Next twice.
  8. On the Request Certificates page, click Web Server, and then click More information is required to enroll for this certificate.
  9. On the Subject tab of the Certificate Properties dialog box, in Subject name, for Type, select Common Name.
  10. In Value, type, and then click Add.
  11. In the Alternative name area, under Type, select DNS.
  12. In Value, type, and then click Add.
  13. On the General tab, under Friendly name, type IP-HTTPS Certificate.
  14. Click OK, click Enroll, and then click Finish.
  15. In the details pane of the Certificates snap-in, verify that a new certificate with the name was enrolled with Intended Purposes of Server Authentication.
  16. Close the console window. If you are prompted to save settings, click No.

Install and Configure Direct Access Server

External DNS Records

External DNS Record Usage Record Type Port IP address External user access A Record 443 Public_IP address


External IP Address Internal IP Address Usage
Public_IP address Direct Access server Private IP address Direct access server for External access

External Firewall Rules

Source Destination Port Direction
Any Public_IP address TCP 443 Inbound

Install the Remote Access Server Role

  1. Log on to DA Server.
  2. Open Server Manager.
  3. In the Dashboard console of Server Manager, under Configure this local server, click Add roles and features.
  4. Click Next three times to get to the server role selection screen.
  5. In the Select Server Roles dialog, select Remote Access, click Add Features when prompted, and then click Next.
  6. Click Next five times to accept the defaults for features, remote access role services, and web server role services.
  7. On the Confirmation screen, click Install.
  8. Wait for the feature installations to complete, and then click Close.

Configure DirectAccess

  1. In Server Manager Screen, Click Tools and then select Remote Access Management.
  2. In the Remote Access Management console, click Run the Remote Access Setup Wizard.
  3. Click Deploy DirectAccess only.

Under Step 1 Remote Clients, click Configure.

5. Select Deploy full DirectAccess for client access and remote management, and then click Next.
On the Select Groups screen, click Add, type DirectAccessClients, click OK.
Clear the Enable DirectAccess for mobile computers only checkbox, and then click Next.
Click Domain Computers (CORP\Domain Computers), and then click Remove.
In the DirectAccess Client setup window, double-click the white box next to the arrow with the asterisk.
In the Type drop-down list, click Ping, and then in the text box, type Your DC Server Name (FQDN).
Click Validate. A green check mark will appear indicating a successful ping.
Click Add.
Enter Helpdesk email address and DirectAccess connection name.
Check Allow DirectAccess clients to use local name resolution and click Finish.
Under Step 2 DirectAccess Server, click Configure.
On the Remote Access Server Setup page, select Behind an edge device (with one network adapters).
Type public FQDN of Remote access server, click Next.
On the Select the certificate used to authenticate IP-HTTPS connections, click Browse….
Select certificate and click OK and then click Next.
Check Use computer certificates and check Use an intermediate certificate and then click Browse….
Select the certificate authority that will be issuing the client certificates and click OK.
Check Enable Windows 7 Client computers to connect via DirectAccess and then click Finish.
Under Step 3 Infrastructure Servers, click Configure.
On the Network Location Server screen, check The network location server is deployed on a remote web server (recommended).
Type in the website address to the Network Location Server, and click Next.

The Network Location Server is merely a server with a website running on it that the client can contact to ensure it has reached the internal network. The webpage can be the default IIS webpage; just ensure the website is NOT accessible externally.

26. On the DNS screen, enter specify additional DNS Servers for name resolution.
Check Use local name resolution if the name does not exist in DNS or DNS servers are unreachable when the client computer is on a private network (recommended) and click Next.
On the DNS Suffix Search List screen, Check Configure DirectAccess clients with DNS client suffix search list.
Ensure local domain’s suffix has been added, and click Next.
On the Management screen, enter SCCM servers click Finish.

31. Under Step 4: Application Servers , click Configure.
32. Check Do not extend authentication to application servers and click Finish.
33. On the Remote Access Management Console page, click Finish.
34. On the Remote Access Review page, click Apply.
35. Click Close once direct access has successfully finished deploying.

Windows 10 Enterprise with DirectAccess

The following client operating systems support DirectAccess:

  • Windows 10 Enterprise
  • Windows 8 and 8.1 Enterprise
  • Windows 7 Ultimate
  • Windows 7 Enterprise

Here we will recommend Windows 10 Enterprise as DirectAccess Client. Because Windows 10 supports automatic entry point selection and transparent failover, better scalability and performance. Also, windows 10 built-in DirectAccess connectivity status indicator, the administrators don’t have to deploy, manage, and maintain additional software.

  1. Login Windows 10.
  2. Press Window Key + I
  3. Click Network & Internet and then click the DirectAccesstab.
  4. Review and configure the settings.

Please make sure the Network Connectivity Assistant service (NcaSvc) is starting if DirectAccess does not appear in the Network & Internet settings window in the user interface.

Hope you enjoy this post.

Cary Sun @SifuSun

About Post Author

Leave a Reply