It depends. Remember that DirectAccess (DA) clients must be Windows 7 Enterprise or Ultimate and above. So if you have downlevel clients, you will still need to support VPN connections for those clients. Your DirectAccess clietns can also take advantage of SSTP, which is a very nice VPN protocol that uses HTTPS as a transport, so it goes through "restrictive" firewalls and web proxies. For earlier versions of Vista and for Window XP, you can still use PPTP and L2TP/IPsec. However, UAG does not support these VPN protocols, so you'll need to use a TMG firewall to support these older VPN protocols.

But what if you have Windows 7 clients only? Then you should be able to use DirectAccess all the time. However, there may be applications on your network that won't work with DirectAccess. This is something you might see if you are depending on NAT64/DNS64 where the application protocol embeds an IPv4 address inside the application protocol header, or maybe the client component of the client/server application is not IPv6 aware, or maybe the server side isn't IPv6 aware. This is a problem, since like with IPv4 NAT devices, you need to have a NAT editor to work with those protocols. If you're using IPv6, this isn't a problem, since IPv6 to IPv4 protocol translation isn't required, this includes non-native, but IPv6 aware servers and server applications that can take advantage of ISATAP on your corpnet.

So, even with a Windows 7 client, there might run into legacy applications that will require that you connect over a VPN. Over time, those should go away. Until then, just be aware of the issue. Also, keep in mind that while the VPN connection is active, the DirectAccess client connection will shut down. Why? Because when you're connected to the VPN, your DirectAccess client will be able to resolve the name of the Network Location Server, and thus the DirectAccess client components will shut down.

For more information on DirectAccess and VPN coexistance, please see

(Originally posted at