The ‘Numinous Travel Company’ has such a server in their office, it is a Windows Server 2016 Standard with the Essentials Experience role and DHCP installed. It is the only server they have because ‘Numinous Travel Company’ has only 7 employees. They already configured Anywhere Access through the Windows Server Essentials Dashboard with a free Lets Encrypt certificate. More information on this can be found here Get a free Let’s Encrypt SSL certificate for Access Anywhere and automatically renew it . This is a prerequisite for installing Direct Access so if you have not yet configured Anywhere Access on your server it is now the time to do that. 1. Install Remote Access Management tools. Open Server Manager Choose to add roles and features. Click Next Click Next Click Next Click Next Check Remote Access GUI and Command Line tools Click Add Features. Click Next Click Install Click close. 2. Set the IP address of your server to a static IP address From Server Manager click your Network Adapter Right-click and choose properties Highlight IPv4 and click properties Set Preferred DNS to the IP address of your server. In my case that is 192.168.150.10 3. Add a security group for Direct Access client computers Open Active Directory Users and Computers Right-click and choose New –> Group Give it a name and click OK 4. Grant full permissions to Authenticated users for the Web server certificate template. Open Certification Authority from Server Manager Right-click Certificate Template and choose Manage Right-click Web Server and choose Properties Highlight Authenticated Users and set to allow Full Control, click OK and close the Certification Authority. From an elevated Powershell prompt type Restart-Service certsvc to restart Active Directory Certificate Services. 5. Enroll a certificate for the NLS server with a common name that is unresolvable from the external network Type ‘certi’ and choose to Manage computer certificates from the Start Menu Right-click Certificates in Personal and choose Request New Certificate Click Next Click Next Click ‘More information is required’ and check ‘Web Server’. From the dropdown choose Common Name and in value type ‘DirectAccess-NLS.domain.local’ and click Add. Common name should now be listed on the right side and click OK Click Enroll Click Finish Our new certificate is listed. 6. Create a Host A record for the Network Location Server Open DNS Manager from Server Manager Right-click your local domain and choose New Host A In name type DirectAccess-NLS and the IP address of your server. Click Add Host Click OK and close DNS Manager 7. Open Remote Access Management tool and enable Direct Access Open Remote Access Management If you open Operations Status you will see an error. This can be ignored and do not try to start or restart Rasman. On the configuration tab choose ‘Enable DirectAccess’. Click Next Click Add Click Advanced Click Find Now Highlight the Direct Access Computers group and click OK Click OK Check ‘Enable DirectAccess for mobile computers only’. Choose ‘Behind an edge device (with a single network adapter) and choose Next. Click Next Click Next Click Finish Click on Dashboard and monitor Configuration Status. It is normal that it takes awhile to become active Hit refresh and check again. After some time all but one should be green. Again ignore the red warning. 8. Configure Direct Access so that Windows 7 clients can use it and assign an IP range Click Edit in step 2 Click Next Click Next Check Use Computer certificates and browse Click OK and if that does not work hit enter. I had some trouble with this window acting weird if you click OK Click Next Click New Fill in the range and click OK Click Finish 9. Configure the Network Location Server with the correct certificate Click Edit in Step 3 Click Browse Sometimes this acts really weird. You cannot click anything in that Windows but if you hit enter it works. Make sure the certificate is chosen that ends with CA Click Next Click Next Click Next Click Finish Click Finish Click Apply Click Close 10. Add a registry key to bypass CA certification when you establish an IPsec channel Open Registry editor from the Start Menu Open the hive HKLM:\SYSTEM\CurrentControlSet\Services\IKEEXT\Parameters Add a new Dword value Name it ikeflags Right-click Modify Set the hexadecimal value to 8000 11. Modify the DirectAccess Client Group Policy and change Name Resolution Policy Table Settings From an elevated Powershell prompt type (Get-NetIPInterface -InterfaceAlias IPHTTPSInterface | Get-NetIPAddress -PrefixLength 128).IPAddress (Get-NetIPInterface -InterfaceAlias IPHTTPSInterface | Get-NetIPAddress -PrefixLength 128).IPAddress Open Group Policy Management from the Start Menu Right-click the DirectAccess Client settings policy and choose edit Click Edit rule Choose the tab DNS settings for Direct and click Add Enter the IP address that you got in step 1 and click Add Click Update Click Apply Close DirectAccess Client Settings 12. Configure TCP and UDP firewall rules for the DirectAccess server GPOs From within Group Policy Manager right click DirectAccess Server Settings and choose Edit Double click Domain Name Server (TCP-In) Choose the tab Scope and add the IPv6 address you got from the previous step and add it Enter the IPv6 address and click OK Do the same for Domain Name Server (UDP-In) and close Group Policy Manager 13. Change the DNS64 configuration to listen to the IP-HTTPS interface and reserve ports for the WinNat service From an elevated Powershell prompt type Set-NetDnsTransitionConfiguration -AcceptInterface IPHTTPSInterface Set-NetDnsTransitionConfiguration -AcceptInterface IPHTTPSInterface From an elevated Powershell prompt type Set-NetNatTransitionConfiguration -IPv4AddressPortPool @('192.168.150.10, 10000-47000') . Replace 192.168.150.10 with the IP address of your own server. Set-NetNatTransitionConfiguration -IPv4AddressPortPool @('192.168.150.10, 10000-47000') Type Restart-Computer to reboot your server Restart-Computer 14. Add an IPv6 Host A record for the DirectAccess-WebProbeHost One of the problems I saw during testing this deployment is that Windows 10 is actually connected to the server through DirectAccess but the status kept saying ‘Connecting’. It seems that this really is a quirk in the way the default has been set up on a typical Windows Server 2016 + Essentials Experience role. The DirectAccess-WebProbeHost is just a switch that tells the client ‘if you can resolve this DNS record I will set my status to Connected’. I decided to add the IPv6 address to the DirectAccess-WebProbeHost Host A Record and immediately all clients flipped to ‘Connected’. Open a Command Prompt and type ipconfig. Copy the IPv6 address as in the screenshot From DNS Manager right-click your local domain name and choose New Host (A or AAAA)… Type in the name of your Network Connectivity Assistant host ‘directaccess-WebProbeHost’ and fill in the IPv6 address fro earlier and click add host. Click OK and close DNS Manager. 15. Testing and troubleshooting Windows 10 Enterprise Direct Access clients. Remember that we checked ‘Enable DirectAccess for mobile computers only’ when we ran the Direct Access setup wizard? What this means is that Computer accounts that are in the Direct Access Computers security group AND have a Mobile Processor will be able to connect to DirectAccess, all others will not be able to connect. When you configure DirectAccess clients in the Getting Started Wizard, you can choose to allow only mobile computers in the specified security groups to connect using DirectAccess. If you restrict access to mobile computers, DirectAccess automatically configures a WMI filter to ensure that the DirectAccess client GPO is applied only to mobile computers in the specified security groups. Technet - Plan the DirectAccess Deployment For testing purposes, it is a good idea to turn that off because you possibly want to test this from a Desktop computer or Virtual Machine. Now did we have changed the setting above we can start testing the configuration with client computers connected inside your Lan. We do this to make sure the configuration is correct. Start a Windows 10 client computer that is joined to the domain and is a member of the Direct Access Client computers security group. Test from inside your Lan From within ‘Settings’ we see that the computer is connected Locally or through Lan. Now, this the result of unchecking ‘Enable DirectAccess for mobile computers only’. In production, this will not be the case obviously but it is good to check if your policies are applied correctly. Type Get-DaConnectionStatus and see the result is that we are connected Locally. Get-DaConnectionStatus Open Windows Defender Firewall with Advanced Security and check if you see the Connection Security rules as in the screenshot. If you do not see those policies are not applied. Maybe you forgot to add the computer account to the Direct Access Computers group or check the Event log for policy related errors. Test from a remote location Check Connectivity from a location outside your Lan. I do that with my phone. I set it up with Connection sharing so I can hook up my laptop to the 4G connection. Type Get-DaConnectionStatus. It should now tell you ‘ConnectedRemotely’. Get-DaConnectionStatus In the Windows Firewall check that we have a security association with the server. This means we are connected to the server. But the easiest way to see if you are connected is to type \\wse2016\sysvol into the explorer address bar. If that resolves it works.