DirectAccess is a new feature in Windows Server 2008 R2 and the Windows 7 client, that serves the same purpose as a traditional virtual private network without the hassle factor that’s often involved in setting up and using a VPN connection. DirectAccess does away with the need for VPN protocols such as PPTP and L2TP. It uses IPsec/IPv6 to create a secure, direct connection between a remote computer and the company LAN. In this article, we get “up close and personal” with this exciting new networking feature: how it works, what you need to use it and how it can benefit your organization.
How it Works
DirectAccess relies on two proven Internet standards: IPv6 and IPsec. IPsec is used to authenticate both the user and the computer. This provides additional security, and also enables management of the computer even if the user has not logged on. IPsec also encrypts the data sent over the DirectAccess connection, using AES or 3DES. If you’re familiar with IPsec, you know that it can operate in two modes: transport mode (host to host) and tunnel mode. IPsec tunnel mode has long been an alternative method for creating a VPN. In tunnel mode, the data and IP header are encrypted and encapsulated into a new IP packet with a new header.
However, using IPsec for VPNs has presented some problems in the past, from both usability and manageability standpoints: it is not seamless for the user, and the administrator cannot manage the computer until the user manually connects to the VPN gateway.
With DirectAccess, IPsec tunnels are created between the DA client and the DA server. Even though the traffic in the tunnels is IPv6, it can travel over the IPv4 Internet by way of the IPv6 transition technologies (6to4, Teredo or IP-HTTPS) described below. The DA server then provides the client with access to the corporate LAN. There are actually two tunnels established, both using the Encapsulating Security Payload (ESP) protocol. The first, the infrastructure tunnel, is authenticated with the computer certificate and the computer account’s credentials (NTLMv2) and is brought up as soon as the computer has an Internet connection, before any user logs on; it gives the client computer access to the DNS servers, domain controllers and management servers. The second, the intranet tunnel, is authenticated with the computer certificate and the logged-on user’s Kerberos credentials; it gives the user access to application servers such as Exchange, and other resources on the LAN. The DA server acts as the IPsec gateway or tunnel mode endpoint for both.
What you need
To deploy DirectAccess, your network must meet certain criteria:
DirectAccess Server running Windows Server 2008 R2
DA Server must have two NICs: one connected to the Internet with at least two consecutive public IPv4 addresses assigned to it (Teredo needs the two consecutive addresses to detect the type of NAT a client is behind) and one connected to the intranet (LAN)
Domain controller and DNS server running Windows Server 2008 SP2 or R2
Client computers running Windows 7 Enterprise or Ultimate edition
Public Key Infrastructure (PKI) with a certification authority (CA) to issue certificates
You’ll also need IPv6 transition technologies on the DirectAccess server so that the IPv6 traffic can cross the IPv4 Internet: 6to4 (IPv6 encapsulated in IPv4 protocol 41, used by clients that have a public IPv4 address), Teredo (IPv6 encapsulated in UDP, server port 3544, used by clients behind a NAT) and IP-HTTPS (IPv6 carried inside an HTTPS session on TCP port 443, the fallback when a firewall or proxy allows only web traffic out). If the intranet itself is still IPv4-only, ISATAP can carry the IPv6 traffic across it to the application servers.
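To make the transition addressing concrete, here is an added example (not code from the article or from Microsoft) that builds and decodes the two address formats the DA server and its clients use on the IPv4 Internet: the 6to4 prefix derived from the server’s public IPv4 address and a Teredo address, which embeds the Teredo server’s IPv4 address, the NAT type, and the client’s public IPv4 address and UDP port. The IPv4 addresses and port used below are constructed sample values (the Teredo ones follow the worked example in RFC 4380), not a real deployment. The security point it demonstrates: the client’s public address and port in a Teredo address are only XOR-obscured, so anyone who sees the IPv6 address (in a log, a mail header, a DNS record) can read them back.

```python
"""Added example (not code from the article or from Microsoft): how the
6to4 and Teredo addresses that carry DirectAccess IPv6 traffic across the
IPv4 Internet are built from IPv4 information, and what anyone who sees
such an address can read back out of it.  The IPv4 addresses and port
below are constructed sample values, not a real deployment."""
import ipaddress
import struct

SIXTO4_PREFIX = b"\x20\x02"            # 2002::/16, RFC 3056
TEREDO_PREFIX = b"\x20\x01\x00\x00"    # 2001:0000::/32, RFC 4380
TEREDO_CONE_FLAG = 0x8000              # "cone NAT" bit in the Teredo flags field


def sixto4_prefix(public_ipv4: str) -> str:
    """6to4: 2002:WWXX:YYZZ::/48, where WWXX:YYZZ is the public IPv4 address
    in hex.  A DA server's 6to4 prefix is therefore fixed by (and discloses)
    its public IPv4 address."""
    v4 = ipaddress.IPv4Address(public_ipv4).packed
    network_address = ipaddress.IPv6Address(SIXTO4_PREFIX + v4 + bytes(10))
    return str(ipaddress.IPv6Network(f"{network_address}/48"))


def ipv4_from_sixto4(addr: str) -> str:
    """Recover the embedded public IPv4 address from any 6to4 address."""
    packed = ipaddress.IPv6Address(addr).packed
    if packed[:2] != SIXTO4_PREFIX:
        raise ValueError(f"{addr} is not a 6to4 address")
    return str(ipaddress.IPv4Address(packed[2:6]))


def teredo_address(server_ipv4: str, client_ipv4: str, client_port: int,
                   cone_nat: bool = True) -> str:
    """Teredo: 2001:0000:<server v4>:<flags>:<port ^ 0xffff>:<client v4 ^ 0xffffffff>.
    The XOR only stops NAT ALGs from rewriting the fields; it hides nothing."""
    flags = TEREDO_CONE_FLAG if cone_nat else 0
    packed = (TEREDO_PREFIX
              + ipaddress.IPv4Address(server_ipv4).packed
              + struct.pack("!HH", flags, client_port ^ 0xFFFF)
              + struct.pack("!I", int(ipaddress.IPv4Address(client_ipv4)) ^ 0xFFFFFFFF))
    return str(ipaddress.IPv6Address(packed))


def decode_teredo(addr: str) -> dict:
    """Read the server address, NAT type, and the client's public IPv4
    address and mapped UDP port back out of a Teredo address.  Windows may
    set extra random bits in the flags field (RFC 5991); only the cone bit
    is interpreted here."""
    packed = ipaddress.IPv6Address(addr).packed
    if packed[:4] != TEREDO_PREFIX:
        raise ValueError(f"{addr} is not a Teredo address")
    flags, obscured_port = struct.unpack("!HH", packed[8:12])
    (obscured_client,) = struct.unpack("!I", packed[12:16])
    return {
        "server": str(ipaddress.IPv4Address(packed[4:8])),
        "cone_nat": bool(flags & TEREDO_CONE_FLAG),
        "client_port": obscured_port ^ 0xFFFF,
        "client_ipv4": str(ipaddress.IPv4Address(obscured_client ^ 0xFFFFFFFF)),
    }


if __name__ == "__main__":
    # Constructed sample values: a DA server on 131.107.0.2, a Teredo
    # server on 65.54.227.120, a client seen on the Internet as 192.0.2.45:40000.
    print("6to4 prefix of the DA server:", sixto4_prefix("131.107.0.2"))
    teredo = teredo_address("65.54.227.120", "192.0.2.45", 40000)
    print("client Teredo address:", teredo)
    print("what that address reveals:", decode_teredo(teredo))
```

The 6to4 and Teredo addresses are what the DA server sees as the client’s source address inside the tunnels and what ends up in its logs; treat those logs as containing the client’s public IPv4 address and port, because that is exactly what they contain.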
Both end-to-end and end-to-edge IPsec security are supported by DirectAccess. End-to-end provides the highest level of security but requires the application servers to run Windows Server 2008 or 2008 R2. End-to-edge can be used with any application server that uses IPv6.
NOTE: You should also give a little thought to hardware requirements, since IPsec encryption can be processor-intensive. This isn’t as much of an issue for the client computers, but for a DA server that is handling a large number of IPsec connections you’ll want a high performance processor and/or a solution such as Intel’s networking components that offload the encryption engine onto the LAN controller. Offloading IPsec workloads to the hardware can significantly improve performance.
Benefits of DirectAccess
You may be wondering, given the requirements for deployment, just what the specific benefits of DirectAccess are and why you should replace your tried and true VPN connections with it. Here are a few:
User friendly: when users connect to a VPN, they must go through several steps to establish a connection and then wait for authentication, health checks (if applicable), etc. If they lose the Internet connection, they must go through the same process again to re-establish the VPN connection. With DirectAccess, the connection is much more seamless. It’s an “always on” connection that is established automatically whenever the user is connected to the Internet. Users can connect even from behind a NAT or a firewall: if 6to4 and Teredo are blocked, the client falls back to IP-HTTPS, which needs only outbound HTTPS. The client configuration is provisioned via Group Policy so the user doesn’t have to deal with setup and configuration.
Management friendly: Network administrators can manage DA client computers even if the user isn’t logged on, as long as the computer is connected to the Internet. You can monitor the remote computers, deploy updates, etc. Setup on the DA server(s) is easy via the DirectAccess wizard.
Secure: IPsec authentication and encryption provide a secure connection, and for more security, DA supports smart card authentication and integrates with Network Access Protection (NAP) so you can be assured that all clients connecting to the DA server meet the organization’s specified health policies (updates, anti-virus, etc.). The DA server can provide access to the full intranet or it can be configured to restrict what servers and applications users are allowed to access.
Fast: With DirectAccess, users don’t have to wait for the establishment of the VPN, which can take from several seconds to several minutes. Internet performance also isn’t slowed down as it is when both Internet and intranet traffic must pass through a VPN gateway: by default DirectAccess sends only traffic for the intranet namespace (the names listed in the client’s Name Resolution Policy Table, or NRPT, which Group Policy provisions) through the IPsec tunnels, and ordinary Internet traffic goes straight out the client’s own Internet connection. If your security policy requires all remote traffic to pass through the corporate edge for inspection, that default can be reversed by enabling force tunneling, at the cost of this performance benefit.
Policy-based: DirectAccess policies for clients, application servers, domain controller/DNS servers and the IPsec gateway are configured using the DirectAccess wizard. The policies can be customized as required.
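The “Fast” and “Policy-based” points above both come down to the client’s Name Resolution Policy Table. The following is an added example (not code from the article or from Microsoft) that models how a DA client consults the NRPT to decide which names, and therefore which traffic, go through the IPsec tunnels to the intranet DNS servers and which stay on the Internet. It shows why the network location server (NLS) must be an exemption rule, and what adding a catch-all rule (the model’s approximation of force tunneling) changes. The namespaces, host names and DNS server address are constructed sample values; the matching order (most specific rule wins) is the NRPT’s, but the rest is a simplified model, not Windows’ own implementation.

```python
"""Added example (not code from the article or from Microsoft): a model of
the client-side decision DirectAccess makes with the Name Resolution Policy
Table (NRPT).  Namespaces, host names and DNS server addresses below are
constructed sample values."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class NrptRule:
    # ".corp.contoso.com" matches every name under that suffix,
    # "nls.corp.contoso.com" matches that one name, and "." matches any
    # name (the model's stand-in for force tunneling).
    namespace: str
    # IPv6 addresses of the intranet DNS servers reached through the
    # infrastructure tunnel.  An empty tuple is an exemption: the name is
    # resolved by the interface's normal (Internet) DNS servers instead.
    dns_servers: Tuple[str, ...] = ()


def rule_matches(rule: NrptRule, name: str) -> bool:
    """Case-insensitive match; a trailing dot on the queried name is ignored."""
    ns = rule.namespace.lower()
    name = name.lower().rstrip(".")
    if ns == ".":
        return True
    if ns.startswith("."):
        return name.endswith(ns)
    return name == ns


def select_rule(rules: Sequence[NrptRule], name: str) -> Optional[NrptRule]:
    """The NRPT applies the most specific matching rule, so an FQDN
    exemption beats the suffix rule that would otherwise cover it, and
    both beat a catch-all '.' rule."""
    matches = [r for r in rules if rule_matches(r, name)]
    return max(matches, key=lambda r: len(r.namespace)) if matches else None


def resolution_path(rules: Sequence[NrptRule], name: str) -> Tuple[str, Tuple[str, ...]]:
    """Return ("intranet", <DNS servers over the tunnel>) or ("internet", ())."""
    rule = select_rule(rules, name)
    if rule is None or not rule.dns_servers:
        return ("internet", ())
    return ("intranet", rule.dns_servers)


# Constructed: an intranet DNS server the client reaches over the tunnel.
INTRANET_DNS = ("2002:836b:2:1::1",)

# Default (split) behaviour: only the intranet namespace goes over the tunnel.
# The NLS is exempt on purpose: if the client could resolve and reach the NLS
# through the tunnel while outside, it would conclude it is on the intranet
# and stop using DirectAccess.
SPLIT_TUNNEL_NRPT: List[NrptRule] = [
    NrptRule(".corp.contoso.com", INTRANET_DNS),
    NrptRule("nls.corp.contoso.com"),
]

# Force tunneling, approximated: a catch-all rule sends every other name to
# the intranet DNS servers too.  Specific exemptions still win.
FORCE_TUNNEL_NRPT: List[NrptRule] = SPLIT_TUNNEL_NRPT + [NrptRule(".", INTRANET_DNS)]


if __name__ == "__main__":
    for label, table in (("split", SPLIT_TUNNEL_NRPT), ("force", FORCE_TUNNEL_NRPT)):
        for host in ("mail.corp.contoso.com", "nls.corp.contoso.com", "www.example.com"):
            print(f"{label:5} {host:24} -> {resolution_path(table, host)}")
```

On a real Windows 7 client you can compare this model with the live table: `netsh namespace show policy` lists the NRPT rules Group Policy delivered, and `netsh namespace show effectivepolicy` shows what is currently in force, which is empty while the client is on the intranet (where it can reach the NLS) and populated when it is outside.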
For much more detailed information and a guide to deploying DirectAccess, see the DirectAccess Early Adopter’s Guide on the Microsoft web site at http://technet.microsoft.com/en-us/library/dd637789(WS.10).aspx