Steps to have Direct Access VPN connect before user logs onto Win 10

What steps do I need to follow to configure the Direct Access VPN to connect to the VPN before a user logs onto his/her Windows 10 laptop while outside of the office?

Or how can I make it so that the Direct Access VPN will connect to the VPN right after the user types in his/her username and password so that the logons to the Windows 10 laptops (while outside of the office) will be authenticated by the Server 2016 domain controller?

I would like to make it so that all logins to the Windows 10 laptops (while outside of the office) will be authenticated by the Server 2016 domain controller.

According to our corporate policies, the only places users are allowed to log in to their laptops is while at home and all users have internet access at home.
IT Guy (Network Engineer) asked:

Cliff Galiher commented:
DirectAccess isn't a VPN. But it will connect by default. You don't need to do anything special.
0
John (Business Consultant, Owner) commented:
Even given the above, you probably want to allow access while travelling on business outside of office or home.
1
Michael B. Smith (Exchange & Active Directory Expert) commented:
DirectAccess is a VPN (two of them as a matter of fact, a user VPN and a device VPN). But as @Cliff wrote, given internet access it will connect automatically.

If your goal is to prevent logins when DirectAccess isn't connected and when the user isn't inside the corporate LAN, then you need to suppress cached logons.

To do that, you configure a GPO so that [Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Number of previous logons to cache (in case domain controller is not available)] is set to zero (0). On a one-off basis, [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\cachedlogonscount] can be set to zero (0).

The default number of cached logons is 10.

Think about it carefully before implementing this! Test it on several people first! Yourself included. :-) You may find that the pain outweighs the benefit.
2
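An added example, not posted by anyone in this thread, that audits the cached-logon setting Michael describes on a single Windows 10 machine and optionally applies it. It assumes an elevated PowerShell 5.1 session; the registry path and value name are the ones quoted in his answer, and the DirectAccess status check relies on the built-in Get-DAConnectionStatus cmdlet being present.

```powershell
# Example code (not from the thread): read, and optionally set, the number of
# cached domain logons on this machine. Run from an elevated PowerShell prompt.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName   = 'CachedLogonsCount'   # stored as REG_SZ; Windows default is "10"

function Get-CachedLogonsCount {
    # Returns the effective value; a missing value means the default of 10 applies.
    $item = Get-ItemProperty -Path $WinlogonKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 10 }
    return [int]$item.$ValueName
}

function Set-CachedLogonsCount {
    # Writes the value as a string, matching how Windows stores it. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateRange(0, 50)][int]$Count)
    if ($PSCmdlet.ShouldProcess("$WinlogonKey\$ValueName", "Set to $Count")) {
        Set-ItemProperty -Path $WinlogonKey -Name $ValueName -Value "$Count" -Type String
    }
}

function Test-DirectAccessConnected {
    # True when the DA client reports a tunnel to the corporate network.
    # Get-DAConnectionStatus ships with the Windows DirectAccess client components;
    # if it is unavailable we report $false rather than fail.
    try {
        $status = (Get-DAConnectionStatus -ErrorAction Stop).Status
        return $status -in @('ConnectedRemotely', 'ConnectedLocally')
    } catch {
        return $false
    }
}

# Audit: with 0 cached logons, a laptop that cannot reach a DC (for example behind a
# captive-portal Wi-Fi page, before DirectAccess is up) will refuse domain sign-in.
$current = Get-CachedLogonsCount
Write-Output "CachedLogonsCount is currently $current"
Write-Output "DirectAccess connected: $(Test-DirectAccessConnected)"

# Preview the change Michael suggests; drop -WhatIf to apply it.
Set-CachedLogonsCount -Count 0 -WhatIf
```

The GPO route in Michael's answer is the right one for a fleet; this script is for checking one machine or testing the effect on a pilot device before the policy is rolled out.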


Cliff Galiher commented:
Just to be specific, DirectAccess isn't a VPN in the traditional sense. It is an IPv6 tunnel over IPv4, and does have some behavioral differences that can make the distinction important. So I try to be precise when discussing DA.
0
Michael B. Smith (Exchange & Active Directory Expert) commented:
Just to be specific, DirectAccess IS a VPN, but it doesn't require you to start it or stop it. It is multiple IPv6 tunnels over IPv4 and each tunnel is encrypted using IPSec, using secrets based on the domain membership of the device and the user.

Does it have behavioral differences from a "traditional VPN"? Yes, but it's still a VPN. And I'm being precise.
0
Chris commented:
Direct Access has both traditional and non-traditional VPN. If you are using the out-of-the-box Direct Access, which is device based (and requires less setup) using an IPSec tunnel, then it will connect as soon as it has a full internet connection.

We only allow laptops to have a login cache for security reasons and wouldn't turn that off, as it would make it impossible to connect to some wifi connections, i.e. any free hotspot with a login page, hotels, etc.
1