Steps to have Direct Access VPN connect before user logs onto Win 10

IT Guy
What steps do I need to follow to configure the Direct Access VPN to connect to the VPN before a user logs onto his/her Windows 10 laptop while outside of the office?

Or how can I make it so that the Direct Access VPN will connect to the VPN right after the user types in his/her username and password so that the logons to the Windows 10 laptops (while outside of the office) will be authenticated by the Server 2016 domain controller?

I would like to make it so that all logins to the Windows 10 laptops (while outside of the office) will be authenticated by the Server 2016 domain controller.

According to our corporate policies, the only places users are allowed to log in to their laptops is while at home and all users have internet access at home.
Distinguished Expert 2018

Commented:
DirectAccess isn't a VPN. But it will connect by default. You don't need to do anything special.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Even given the above, you probably want to allow access while travelling on business outside of office or home.
Managing Consultant
Commented:
DirectAccess is a VPN (two of them as a matter of fact, a user VPN and a device VPN). But as @Cliff wrote, given internet access it will connect automatically.

If your goal is to prevent logins when DirectAccess isn't connected and when the user isn't inside the corporate LAN, then you need to suppress cached logons.

To do that, you configure a GPO [Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Number of previous logons to cache (in case domain controller is not available)] and set it to zero (0). For a one-off basis, [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\cachedlogonscount] can be set to zero (0).

The default number of cached logons is 10.

Think about it carefully before implementing this! Test it on several people first! Yourself included. :-) You may find that the pain outweighs the benefit.
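The registry side of the setting Michael describes, as an added example that is not part of the thread: a small PowerShell script that reads the current CachedLogonsCount, reports what it means for logons with no reachable domain controller, and does a dry run of setting it to zero. The function names and the final dry-run call are this example's own; the key path, value name and default of 10 are the ones from the comment above, and the script assumes it is run in an elevated PowerShell session on the laptop being checked.

```powershell
# Added example (not code from the thread): audit, and optionally change, the
# Winlogon cached-logon count. Assumes an elevated PowerShell session.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsCount {
    # Winlogon stores CachedLogonsCount as REG_SZ (a string), not REG_DWORD.
    $item = Get-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.CachedLogonsCount) {
        # Value absent: Windows falls back to its built-in default of 10.
        return 10
    }
    return [int]$item.CachedLogonsCount
}

function Set-CachedLogonsCount {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Windows accepts 0 through 50 for this setting.
        [ValidateRange(0, 50)]
        [int]$Count
    )
    if ($PSCmdlet.ShouldProcess("$WinlogonKey\CachedLogonsCount", "set to $Count")) {
        # Write it back as a string so the type matches what Winlogon expects.
        Set-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -Value "$Count" -Type String
    }
}

$current = Get-CachedLogonsCount
Write-Host "CachedLogonsCount is currently $current (the Windows default is 10)."
if ($current -eq 0) {
    Write-Host 'Cached logons are disabled: a domain controller must be reachable (on the LAN or through DirectAccess) at every logon.'
} else {
    Write-Host "Up to $current previous domain logons will be accepted while no domain controller is reachable."
}

# Dry run only. Remove -WhatIf to apply on this machine; for the fleet, use the GPO
# setting named in the comment above so the value is enforced centrally.
Set-CachedLogonsCount -Count 0 -WhatIf
```

Run it first with the -WhatIf left in place on a test laptop, then check with the laptop off the corporate network that the DirectAccess tunnel is up before trying a logon, since with the count at zero a logon with no domain controller reachable will simply fail.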
Distinguished Expert 2018
Commented:
Just to be specific, DirectAccess isn't a VPN in the traditional sense. It is an IPv6 tunnel over IPv4, and does have some behavioral differences that can make the distinction important. So I try to be precise when discussing DA.
Michael B. Smith, Managing Consultant
Commented:
Just to be specific, DirectAccess IS a VPN, but it doesn't require you to start it or stop it. It is multiple IPv6 tunnels over IPv4 and each tunnel is encrypted using IPSec, using secrets based on the domain membership of the device and the user.

Does it have behavioral differences than a "traditional VPN"? Yes, but it's still a VPN. And I'm being precise.
Chris, Lead Infrastructure Architect
Commented:
Direct Access has both traditional and non-traditional VPN. If using the out-of-the-box Direct Access, which is a device-based IPsec tunnel (and requires less setup), then it will connect as soon as it has a full internet connection.

We only allow laptops to have a login cache for security reasons and wouldn't turn that off, as it would make it impossible to connect to some wifi connections, i.e. any free hotspots with a login page, hotels, etc.
