DirectAccess VPN FAQ for PATH IT Staff


This document is intended for PATH IT Support staff. It answers some common questions and troubleshooting steps for DirectAccess VPN.


Q: What is DirectAccess?

A: DirectAccess is an always-on client VPN technology built directly into Windows 10 Enterprise and managed via Group Policy.  DA clients connect to one of several DA servers we have installed in Seattle, DC, Nairobi, Delhi and Hanoi.  Generally, the client will connect to the server that is fastest for it to reach.  Because it connects automatically, it will largely remove the distinction for users between "outside" and "inside."  For more information, check online at https://technet.microsoft.com/en-us/library/dd759144(v=ws.11).aspx

Q: How do I connect with DA?

A: Once DA is activated, it will periodically check if it can connect to a "check" URL running on an internal server. If it cannot reach this "check" URL, then it assumes it is outside of the network and automatically connects.

Q: How can I tell if a machine is connected?

A: Click the wifi status icon on the bottom right of the screen.  At the top of the list of SSIDs, you will see a network called "PATH Remote Access."  If the computer is connected, it will say "connected" underneath.

Q: Who gets DA?

A: All users will get DA once their computer meets the criteria. In order to have DA activated, a computer must meet the following criteria:

  • Windows 10 Enterprise
  • Joined to PATH Active Directory

Q: Are there any limitations?

A: DA is not available for home computers or for older operating systems.  It also relies on IPv6 and a helper server to convert hostnames to IPv6 addresses.  This means that there is no way to connect to an IPv4 address directly over DA; you must connect by hostname. If the server or application you are trying to connect to must use an IP address to communicate, then you will be unable to use it over DA. The Cisco softphone client is one known example of this, as its configuration will only accept an IP address for the connecting server.

Q: Where will my users connect?

A: The DA client attempts to connect to the DA server that is both available and responds the fastest.  Generally, this will be the server that is closest to the user, although it can change based on network conditions and other factors.  By clicking on the "PATH Remote Access" network at the top of the list of wifi networks, you can see which server a computer is connecting to and also change it.

Q: Does all internet traffic go through DA?

A: No. DA acts as a split tunnel. Only traffic destined for the PATH WAN will travel over DA; all other traffic will go directly over the internet.

Q: What happens if a user is stuck in the "connecting" state?

A: We have seen a few rare instances when DA gets stuck in a connecting state.  As soon as the DA client starts to connect, it attempts to use the DA server for DNS lookups.  The main symptom a user will see is that they will be unable to browse the web because their PC is unable to resolve domain names.  In that case, the user will need to disconnect from DA manually (see below).
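The following client-side triage script is an added example for support staff and is not part of the original FAQ. It pulls together the checks described above (DA connection status, which name suffixes are routed to the IPv6 DA DNS server, the IP-HTTPS transport state, and whether an internal name still resolves) using the built-in Windows 10 cmdlets; the internal test hostname is a placeholder you should replace with a real PATH server name.

```powershell
# Added example (not from the original FAQ): DirectAccess client triage.
# Run in an elevated PowerShell on the Windows 10 Enterprise client.
# Uses the built-in NetworkConnectivityStatus, DnsClient and NetworkTransition modules.

function Get-DATriage {
    [CmdletBinding()]
    param(
        # Placeholder: replace with an internal PATH hostname that should resolve over DA.
        [string]$TestHost = 'intranet.corp.example'
    )

    # 1. DA's own view of where the client is. Status is e.g. ConnectedLocally
    #    (the "check" URL was reachable, so no tunnel), ConnectedRemotely (tunnel up)
    #    or Error (stuck / failed).
    $status = Get-DAConnectionStatus

    # 2. NRPT rules show which DNS suffixes are sent to the DA DNS server. The
    #    DirectAccessDnsServers values are IPv6, which is why IPv4 literals bypass DA.
    $nrpt = Get-DnsClientNrptPolicy | Where-Object DirectAccessEnabled

    # 3. IP-HTTPS is the transport to the DA server; LastErrorCode is 0x0 when healthy.
    $iphttps = Get-NetIPHttpsState

    # 4. Try resolving an internal name. In the "stuck connecting" case this fails
    #    because the client already switched to the DA DNS server but the tunnel is not up.
    try {
        $resolved = (Resolve-DnsName -Name $TestHost -ErrorAction Stop).IPAddress -join ','
    } catch {
        $resolved = "FAILED: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        DAStatus        = $status.Status
        DASubstatus     = $status.Substatus
        NrptNamespaces  = ($nrpt.Namespace -join ',')
        DADnsServers    = (($nrpt.DirectAccessDnsServers | Select-Object -Unique) -join ',')
        IPHttpsState    = $iphttps.InterfaceStatus
        IPHttpsError    = $iphttps.LastErrorCode
        TestResolution  = $resolved
        # Matches the symptom described in the FAQ: DA not connected AND names do not resolve.
        StuckConnecting = ($status.Status -ne 'ConnectedRemotely' -and
                           $status.Status -ne 'ConnectedLocally' -and
                           $resolved -like 'FAILED*')
    }
}

Get-DATriage | Format-List
```

If StuckConnecting is True, disconnect the user from "PATH Remote Access" as described in the next answer and re-run the script to confirm name resolution recovers.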

Q: How can I disconnect a user from DA?

A: Open the wifi status icon and click on the "PATH Remote Access" network icon.  You will see a disconnect button there as well as an option to send diagnostic data to helpdesk.

Q: Can I check to see who is connected to a specific DA server?

A: If you have the necessary user rights, you can connect to any DA server, run Server Manager, and from Tools select Remote Access Management.  From there you will be able to view connected users and PCs and get other information about their connection.

Q: Can I connect a user's home machine to DA?

A: No.  DA is limited to domain-joined Windows 10 Enterprise computers.

Q: Will the Citrix SSL VPN (vpn.path.org) still work?

A: Yes.  We are going to continue to maintain the Citrix SSL VPN (vpn.path.org) for users to connect with their home computers.  Eventually, when the need for VPN access has been further reduced, it will be phased out. This is likely to be in late 2018.

Q: Can I connect to a DA-connected computer via Teamviewer or RDP?

A: In most cases, yes.  It really depends on the quality of the remote internet connection.

Q: Will DA-connected computers get WSUS and Kaspersky updates?

A: Yes. We have tested this and DA-connected computers will pull updates from WSUS as well as Kaspersky.

Q: What determines if a computer gets DA activated?

A: There is an AD security group called "DirectAccessComputers."  Computers in this group that meet the OS criteria (Windows 10 Enterprise) will have the necessary settings applied to activate and configure DA. Sometimes it takes a few reboots before this occurs.  The group "Domain Computers" is in the "DirectAccessComputers" group, which means all Windows 10 Enterprise computers will get DA.