If you haven’t heard of DirectAccess, now is a good time to get to know it. DirectAccess is a new remote access technology (some might consider it a VPN technology, depending on your definition of virtual private networking) that becomes available when you pair domain-joined Windows 7 Enterprise or Ultimate clients with Windows Server 2008 R2.
DirectAccess allows your Windows 7 clients to connect to the corporate network as soon as the machine starts up. Users do not need to log onto the machine: the first IPsec tunnel is authenticated with the computer’s certificate and domain account and is established automatically at startup, before anyone logs on. Once the machine connects to the DirectAccess server, it can be reached by your network management infrastructure, so your external devices are managed to the same extent as your internal machines. When the user logs on, a second tunnel is authenticated with the user’s credentials, and the client is exposed to your NAP infrastructure, so these machines have their health status checked in the same way as your corpnet clients.
DirectAccess allows you to extend your domain to clients located anywhere in the world. However, DirectAccess is built entirely on IPv6 and IPsec. The problem is that it is unlikely, for the foreseeable future, that your clients will be connected to an IPv6 Internet. To solve this problem, Windows 7 uses IPv6 transition technologies to reach the DirectAccess server: 6to4 when the client has a public IPv4 address, Teredo when it sits behind a NAT device, and IP-HTTPS as the fallback, where the IPv6 packets carrying the IPsec traffic are tunneled inside an HTTPS session. IP-HTTPS is the option most likely to get through hotel and guest-network firewalls that only pass TCP 443, so in practice a large share of clients end up on it; the price is that the IPsec-encrypted traffic is encrypted a second time by SSL, which costs CPU on the server.
But there’s a problem. Actually, there are a lot of problems. DirectAccess introduces a number of challenges that many network admins might not be able to meet at this time:
- The DirectAccess server needs public IPv4 addresses (two consecutive ones on its Internet-facing interface, because it also acts as the Teredo server), which in most cases means putting it at the edge of your network rather than behind a NAT device
- DirectAccess requires that the servers and services your clients reach on the corporate network be reachable over IPv6 (natively or via ISATAP); Windows Server 2008 R2 on its own includes no IPv6-to-IPv4 translator, and IPv6-ready servers are unlikely to be the case for the majority of networks in service today
- DirectAccess depends on a complex set of Group Policy settings (the IPsec connection security rules in Windows Firewall with Advanced Security, the Name Resolution Policy Table, and the transition technology settings) that must be deployed to both the clients and the server
- High availability is problematic, with current HA solutions for DirectAccess being less than optimal
So does that mean that DirectAccess is going to die on the vine due to high complexity and hard to meet requirements?
Not necessarily. The value provided by DirectAccess is very high, and therefore some organizations will be willing to eat the costs of ramping up their IT staff with the knowledge they need to understand the solution, understand the underlying IPv6 technologies and understand what it takes to integrate a native IPv6 solution with today’s predominantly IPv4 intranets. It will take a lot of corporate resources and IT investments in time and money to get it working.
What about the rest of us? Time is money, and time spent trying to get up to speed on DirectAccess is time lost on other pressing projects that are currently making the company money, or at least keeping the company above water during these tough economic times. Is there a complete DirectAccess solution that provides everything we need, right out of the box, so that we can cut down on expensive hours of training and trial and error?
I think there is. In a recent blog post on the UAG Team Blog, Nitzan Daube revealed that Microsoft intends to make the upcoming UAG a complete DirectAccess solution that combines many enabling technologies required to get DirectAccess to work on the edge of your network.
Consider these facts about the UAG:
- Since UAG runs on top of the TMG firewall, you can safely put it at the edge of your network, so you don’t have to worry about putting another firewall in front of the UAG
- UAG includes on-box NAT64 and DNS64 (the successors to the deprecated NAT-PT and its DNS ALG) to simplify access to IPv4-only servers on the corporate network: DNS64 synthesizes AAAA records for hosts that only have A records, and NAT64 translates the IPv6 traffic the client sends to those synthesized addresses into IPv4 on the way to the server, so the intranet servers themselves need no IPv6
- UAG includes enhancements to Windows Network Load Balancing (NLB) to provide high availability for your DirectAccess servers (which live on the UAG box) in a way you cannot achieve with a stand-alone Windows Server 2008 R2 DirectAccess server
- Built-in wizards set up, configure and activate your DirectAccess solution so that you don’t have to wade through reams of Windows Server 2008 R2 and Windows 7 documentation just to get started
- Automatic configuration of the Group Policy settings, so that you don’t have to go through the complex process of configuring them yourself in the Group Policy Management Console
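As an added example (not code from the original post, from Windows, or from UAG), here is the IPv4-in-IPv6 address mapping that underlies both the client-side transition technologies described earlier (6to4 and Teredo embed the client’s public IPv4 endpoint in its IPv6 address) and the DNS64/NAT64 translation on the UAG box (which embeds an IPv4-only server’s address in a synthesized IPv6 address per RFC 6052). It goes beyond the single /96 case: the synthesis and extraction handle every RFC 6052 prefix length. The NAT64 prefix 64:ff9b::/96, the zone data and the sample addresses are assumptions constructed for the example; UAG uses a prefix derived from its own DirectAccess IPv6 range.

```python
"""IPv4-in-IPv6 address embedding behind DirectAccess transition paths.
Added example, not code from the original post, Windows or UAG.
The 64:ff9b::/96 NAT64 prefix is an assumption (the RFC 6052 well-known
prefix); UAG derives its own prefix from the DirectAccess IPv6 range."""
import ipaddress

WELL_KNOWN_PREFIX = "64:ff9b::/96"
TEREDO_NET = ipaddress.IPv6Network("2001::/32")
SIXTOFOUR_NET = ipaddress.IPv6Network("2002::/16")
RFC6052_LENGTHS = (32, 40, 48, 56, 64, 96)

def decode_6to4(ipv6):
    """6to4 (RFC 3056): 2002:WWXX:YYZZ::/48 carries the client's public IPv4 in bits 16..47."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in SIXTOFOUR_NET:
        return None
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)

def decode_teredo(ipv6):
    """Teredo (RFC 4380): 2001:0:<server>:<flags>:<~port>:<~client>.
    The UDP port and client IPv4 are stored XORed with all-ones, so reading
    them straight out of a firewall log gives the wrong endpoint unless inverted."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in TEREDO_NET:
        return None
    b = int(addr)
    return {
        "server": ipaddress.IPv4Address((b >> 64) & 0xFFFFFFFF),
        "cone": bool((b >> 48) & 0x8000),
        "port": ((b >> 32) & 0xFFFF) ^ 0xFFFF,
        "client": ipaddress.IPv4Address((b & 0xFFFFFFFF) ^ 0xFFFFFFFF),
    }

def dns64_synthesize(ipv4, prefix=WELL_KNOWN_PREFIX):
    """Embed an IPv4 address in Pref64::/n (RFC 6052 section 2.2). Below /96 the
    IPv4 bits are split around the reserved 'u' octet (bits 64..71), which stays zero."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in RFC6052_LENGTHS:
        raise ValueError("RFC 6052 prefix length must be one of %s" % (RFC6052_LENGTHS,))
    v4 = int(ipaddress.IPv4Address(ipv4))
    bits = int(net.network_address)
    if net.prefixlen == 96:
        return ipaddress.IPv6Address(bits | v4)
    hi_len = 64 - net.prefixlen            # IPv4 bits that fit before the u octet
    lo_len = 32 - hi_len                   # IPv4 bits placed after it, starting at bit 72
    bits |= (v4 >> lo_len) << 64
    bits |= (v4 & ((1 << lo_len) - 1)) << (56 - lo_len)
    return ipaddress.IPv6Address(bits)

def nat64_extract(ipv6, prefix=WELL_KNOWN_PREFIX):
    """Inverse mapping a NAT64 gateway performs on a synthesized destination.
    Returns None for addresses outside the prefix or with a non-zero u octet."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    bits = int(addr)
    if net.prefixlen == 96:
        return ipaddress.IPv4Address(bits & 0xFFFFFFFF)
    if (bits >> 56) & 0xFF:
        return None
    hi_len = 64 - net.prefixlen
    lo_len = 32 - hi_len
    hi = (bits >> 64) & ((1 << hi_len) - 1)
    lo = (bits >> (56 - lo_len)) & ((1 << lo_len) - 1)
    return ipaddress.IPv4Address((hi << lo_len) | lo)

def dns64_answer(name, zone, prefix=WELL_KNOWN_PREFIX):
    """DNS64 rule: return real AAAA records if any exist, otherwise synthesize one
    AAAA per A record so an IPv6-only DirectAccess client can reach the host via NAT64."""
    rr = zone.get(name, {})
    if rr.get("AAAA"):
        return [ipaddress.IPv6Address(a) for a in rr["AAAA"]]
    return [dns64_synthesize(a, prefix) for a in rr.get("A", [])]

def classify(ipv6, prefix=WELL_KNOWN_PREFIX):
    """Label an address seen on the DirectAccess server and recover the IPv4 it embeds."""
    t = decode_teredo(ipv6)
    if t is not None:
        return "teredo", t["client"]
    s = decode_6to4(ipv6)
    if s is not None:
        return "6to4", s
    n = nat64_extract(ipv6, prefix)
    if n is not None:
        return "nat64", n
    return "native", None

# Constructed sample data (RFC 5737 / RFC 3849 documentation ranges), not captured traffic.
ZONE = {
    "fs1.corp.example": {"A": ["10.0.0.25"]},                              # IPv4-only file server
    "dc1.corp.example": {"A": ["10.0.0.10"], "AAAA": ["2001:db8:1::10"]},  # dual-stack DC
}

if __name__ == "__main__":
    for a in ("2002:c000:22d::1",                     # 6to4 client, public IPv4 192.0.2.45
              "2001:0:4136:e378:8000:63bf:3fff:fdd2",  # Teredo client 192.0.2.45, UDP 40000
              "64:ff9b::a00:19",                       # DNS64-synthesized address of fs1
              "2001:db8:1::10"):                       # native IPv6
        print(a, "->", classify(a))
    for host in ZONE:
        print(host, [str(x) for x in dns64_answer(host, ZONE)])
```

Two points worth noticing when you read DirectAccess server logs: a Teredo address does not show the client’s public IPv4 and port in the clear (both are XORed with all-ones), and a DNS64 resolver must never synthesize an AAAA record for a host that already has one, otherwise a dual-stack server would be reached through the NAT64 instead of directly.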
There are other advantages to using the UAG as your DirectAccess server solution, but we’ll save those for when the UAG beta is released to the public in the near future. Until then, if you’re considering a DirectAccess deployment, you should consider UAG your first priority in planning your future DirectAccess scheme.
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer