For those of you who’ve worked with the ISA or TMG firewall for a long time, you’ve probably run into the concept of Direct Access. If not, then pay attention, because it’s something you should know about.
Direct Access (a strange term if you ask me) is when a client application bypasses the Web proxy components on the ISA or TMG firewall. To do this, the application can leverage its Firewall client or SecureNAT client configuration.
This is primarily of interest for machines that are configured as Web proxy clients. Actually, machines aren’t configured as Web proxy clients, applications running on the machines are configured as Web proxy clients, because some applications running on a particular machine can be configured as Web proxy clients, while other applications that are capable of Web proxy client configuration, might not be configured as a Web proxy client.
There might be times when you want an application to bypass its Web proxy client configuration so that it bypasses the Web proxy components on the firewall. You would do this when the destination Web site isn’t compliant with CERN proxies or when you have problematic Java sites. When you identify such sites, you configure the ISA or TMG firewall with a list of these sites, and this list is delivered to the Web proxy clients when the clients are configured to receive this list from the ISA or TMG firewalls. This is typically accomplished by configuring the Web proxy clients to use autodiscovery or by configuring the clients to use the autoconfiguration script (in the former case, the firewall should be configured to publish autodiscovery information).
You might wonder why they call this “Direct Access” since in both cases you’re still getting to the Internet through the ISA or TMG firewall. I think this is related to the firewall’s roots in Proxy Server 1.0/2.0. In those days, clients used Proxy Server as just that – so if there was a Web connection to be established, it went through Proxy Server, but if any other type of connection was required, it went through another gateway. Now that the ISA or TMG firewall is an enterprise grade network level firewall and Web proxy, all connections go through the firewall, thus making legacy terminology such as “Direct Access” a little confusing.
What about DirectAccess? This DirectAccess (which has no space between the words Direct and Access) has nothing to do with ISA or TMG firewalls. DirectAccess is a new VPN technology (yes, DirectAccess is a VPN technology, but they don’t want to tell you that because you they think you won’t like it as much) that allows machines to establish a secure VPN connection to a DirectAccess server on your network even before a user is logged onto the machine. DirectAccess then creates a second connection to the DirectAccess Server after the user logs on.
Direct Access requires Windows 7 and Windows Server 2008 R2. When the user logs onto the computer, the user can get anywhere on the network that you want that user to connect to. The initial connection between the client computer and the DirectAccess server is always secured by IPsec. You also have the option to enable end to end security by requiring IPsec between the client computer and the destination servers that the user connects to. DirectAccess also enables bidirectional communications, so that admins can now manage machines that are off network even when the user isn’t logged onto the network. All that’s required is that the machine is turned on and you can manage those machines.
However, DirectAccess does require that you have some understanding of IPv6 and that IPv6 has been deployed in key areas on your network. Since not too many people I know are really good with IPv6 at this time, deploying DirectAccess is probably not going to be a “wine and roses” experience for you. You’ll need to bone up on your network skills and get a working knowledge of IPv6. If you don’t have those now, then there’s no better time to get started than today.
So, don’t confuse Direct Access with Direct Access. The first allows you to bypass the Web proxy components on the ISA or TMG firewall and the second is a new, cool and very exciting VPN technology.
HTH,
Tom
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com
PROWESS CONSULTING | Microsoft Forefront Security Specialist
Email: [email protected]
MVP — Forefront Edge Security (ISA/TMG/IAG)