In my current role, the IT strategy was to decommission all data centres and migrate everything to Azure (I know, technically Azure is just another data centre). When we originally scoped the work out, DirectAccess WAS supported in Azure; however, halfway through our migration Microsoft reversed this and stated that DirectAccess was NOT supported in Azure.
Great, we thought, now what? It would seem Microsoft are planning to push AutoVPN or Always On VPN, which from my understanding will eventually replace DirectAccess (it also supports IPv4), but this only works for Windows 10 clients, and a Windows 10 deployment was not on our road-map for another 12 months. What now?
Our Head of IT made the decision to set up a proof of concept for DirectAccess in Azure and, if it met our criteria, to go ahead and accept the risk of it being unsupported in Azure, as it was only for the short term.
So I was given the task to set this up, and... it works as normal, with the two caveats below:
- Failover Clustering does not work in Azure, so you can only run a single-instance DirectAccess server there.
- Manage Out (ISATAP) does not work. If you rely on this functionality, DA in Azure is not for you; luckily for us we have other remote tools, which gave us a workaround.
Another slightly annoying thing was that the Remote Access console displayed an error against the Network Location Server.
This occurred because I created two Network Location Servers in an Availability Set with an internal load balancer in front. Azure load balancers do not respond to ping by design, so this test was failing and flagging it as an error, although it was all working fine.
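Because the console's ping-based test gives a false alarm behind an Azure internal load balancer, it is worth confirming the NLS the way a DirectAccess client actually does: over HTTPS. The script below is an added example, not part of the original post or any Microsoft tooling; the hostname `nls.corp.example` and port 443 are assumptions, so substitute your own NLS URL.

```powershell
# Added example (not from the original post): probe a DirectAccess Network Location
# Server over HTTPS instead of ICMP, so an Azure internal load balancer that drops
# ping does not produce a false "NLS unreachable" result.
# The hostname below is a hypothetical placeholder; replace it with your NLS name.
$NlsHost = 'nls.corp.example'   # assumption: NLS name behind the Azure internal LB
$NlsPort = 443

# 1. ICMP: expected to FAIL against an Azure load balancer front end (by design).
$icmp = Test-Connection -ComputerName $NlsHost -Count 2 -Quiet -ErrorAction SilentlyContinue

# 2. TCP reachability on 443: the port the NLS check actually depends on.
$tcp = Test-NetConnection -ComputerName $NlsHost -Port $NlsPort -WarningAction SilentlyContinue

# 3. Full HTTPS probe: an HTTP 200 from the NLS is what tells a DA client it is
#    inside the corporate network. Certificate validation is left on deliberately;
#    clients will reject an untrusted NLS certificate too.
$httpOk  = $false
$httpErr = ''
try {
    $resp   = Invoke-WebRequest -Uri "https://$NlsHost/" -UseBasicParsing -TimeoutSec 10
    $httpOk = ($resp.StatusCode -eq 200)
} catch {
    $httpErr = $_.Exception.Message
}

# Interpret the three results together so the reader knows which failures matter.
if (-not $icmp -and $httpOk) {
    $note = 'Ping blocked but HTTPS OK: expected behind an Azure LB; console ping warning is benign'
} elseif (-not $httpOk) {
    $note = "NLS HTTPS probe failed, clients will think they are off-network: $httpErr"
} else {
    $note = 'NLS healthy (ICMP and HTTPS both answer)'
}

[pscustomobject]@{
    Host        = $NlsHost
    IcmpReplies = $icmp
    Tcp443Open  = $tcp.TcpTestSucceeded
    HttpsOk     = $httpOk
    Note        = $note
}
```

Run it from a domain-joined machine on the internal network (the NLS must never be reachable from the internet). Only the `HttpsOk` column decides whether clients will correctly detect that they are on the corporate LAN; a `False` in `IcmpReplies` alongside `True` in `HttpsOk` is exactly the benign state the console was complaining about.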
So if you need to deploy DirectAccess in Azure, it does indeed work, provided you do not need high availability and do not require Manage Out (ISATAP) facilities. I would recommend looking at Always On VPN or AutoVPN, as it looks like Microsoft are pushing this, given that DirectAccess has not been developed since Server 2012.