We are considering deploying DirectAccess to laptops and have some questions.
People are concerned that this is less secure than VPN because the laptop will connected to our LAN at all times it is online and therefore is a bigger risk of data loss (laptop stolen while connected to DA or data stolen while laptop connected to insecure public network). Is it less secure than a traditional VPN client such as AnnyConnect where the user must manually launch the connection and use MFA?
Can you limit DirectAccess to only access certain services such as ConfigMgr management and access to things like domain controllers, KMS etc and still require users to connect to VPN to access other resources such as file shares?
We do not have UAG. If DirectAccess is behind an edge firewall, what are benefits of the DA server having 2 vs 1 network interface?