If you would like to read the next part of this article series please go to The Forefront Unified Access Gateway DirectAccess Wizard – Part2: Examining the UAG DirectAccess Wizard Options.
Introduction
DirectAccess is a hot new technology that is enabled by the pairing of Windows 7 and Windows Server 2008 R2. DirectAccess is completely different from VPNs or other forms of remote access. The goal of DirectAccess is not to just provide another way to allow Internet connected computers access to the corporate network (such as what VPNs and application gateways provide), but to extend the corporate network to anywhere the DirectAccess client might reside. The value of this is that not only are you always connected to the corpnet, but also that IT is always connected to the users and their machines – so that your centralized management and control infrastructure can access all domain members at all times, not just those located behind the corporate firewall or those that have logged onto the corporate network.
This is a big deal. One of the major impediments to end user productivity is the inability to quickly and reliably access information behind the corporate firewall. Sure, there are methods that have been used for years to get around this problem, such as traditional VPNs, application gateways, protocol gateways, and SSL VPNs, but they all fell short of actually solving the real problem the users had. Users need a low friction, low overhead, automatic way to get information so they can get things done, because it’s the users who make the company money by getting work done. The faster they get things done, the faster the company can make money and (in a perfect world) everyone gets a raise.
However, the needs of the IT department sometimes seem to be in direct opposition to the needs of the users. IT needs to be able to control what happens with remote clients – preferably even before those clients connect to the corporate network. Remote clients are often unknown entities. They are of variable security configurations, they could have been previously connected to any number of networks of unknown security status, and sometimes even the users might not be known. For these reasons and more, IT has been wary of remote access clients, and the best IT shops are very careful to make sure that least privilege is applied to any host that connects from outside the corporate firewall.
What if we change the equation? No, I am not talking about “the death of the DMZ” or “the firewall is dead”, because we know both of those statements are not true now, and will never be true. However, now we can provide a remote access solution that:
- Requires two-factor authentication
- Uses IPsec to secure the connection from the client computer to the remote access gateway
- Can use IPsec to secure the connection from the client computer to the destination endpoint
- Uses both computer and user authentication to establish the connection to the remote access gateway
- Enables connectivity even before users log on, so that IT can use its entire arsenal of client management and security tools that it uses for on-network hosts to also have configuration and security control over any domain member located anywhere on the Internet
- Allows you to have complete management control over the managed domain members anywhere on the Internet, without giving users access to the corporate network
- Allows you to give domain member computers and users access to corporate resources in the same way as they access them when on the corporate network
If you are like me, you would be very interested in something like this. In fact, DirectAccess is the remote access solution we have been looking for to provide employees with since the first PPTP tunnel was spun up in the 20th century. It allows your users to be productive anytime, all the time, and takes the heat off the Help Desk. Because DirectAccess works from anywhere, that means no more calls about the VPN not working from the hotel.
Components of a Forefront UAG DirectAccess Remote Access Topology
There are several components to a DirectAccess solution. However, the nice thing about DirectAccess is that the components are those that you are already familiar with (for the most part). These include:
- IPv6 and IPv6 transition technologies
- DNS servers
- Web servers
- IPsec and Connection Security Rules
- Windows Firewall Rules
- Active Directory and Group Policy
- Certificates
IPv6 and IPv6 Transition Technologies
OK, I know that many of you are not all that familiar with IPv6 or IPv6 transition technologies. You know what it is, of course, but you might not have ever worked with it. Organizations have been slow to adopt the new generation of the Internet Protocol. Well, here Is the good news: While these are the underpinnings of a DirectAccess solution, if you use Forefront UAG as your DirectAccess server, you do not need to know anything about IPv6 or IPv6 transition technologies. With UAG, you just set up the UAG server or array and it just works.
DNS Servers
Any IT professional worth his or her salary knows about DNS servers and how to install and configure them. DirectAccess uses DNS to decide what connections should go through the DirectAccess IPsec tunnels and what connections should go directly to the Internet. In addition, DNS is used to register the IPv6 addresses of the DirectAccess clients and servers. However, remember that you do not need to know anything about IPv6; you just need DNS servers that can accept dynamic registrations of IPv6 DNS AAAA records. This is automatic with Windows Vista and above and with Windows Server 2008 and above.
Web Servers
DirectAccess uses something called a “Network Location Server” or NLS. The NLS is used by the DirectAccess client to determine whether the DirectAccess client is located on the corpnet or the Internet. If the DirectAccess client can connect to the NLS, then it knows it’s on the corpnet and it turns off its DirectAccess client configuration. If the NLS is not reachable, then the DirectAccess client assumes it’s not on the corporate network so it turns on its DirectAccess client configuration and tries to establish the IPsec tunnels to the DirectAccess server over the Internet.
IPsec and Connection Security Rules
OK, here is another one you might not know a lot about. Some people say that Network Access Protection didn’t take off because people did not understand the IPsec policies and connection security rules that are used to control the NAP solution. That might be true, or it might not be true, but it doesn’t really matter. With DirectAccess, while IPsec and Connection Security Rules are used to control the connections between the DirectAccess client and DirectAccess server, and optionally between the DirectAccess client and the destination server, the happy news is that the UAG DirectAccess server does all this work for you.
You set what you need in the UAG DirectAccess wizard, and the IPsec policies and Connection Security Rules are configured for you. If you want to understand how they work, great. But there’s no need for you to be an IPsec expert to get a working and highly functional DirectAccess solution in place today.
Windows Firewall Rules
It is likely that many of you have had a chance to work with the Windows Firewall with Advanced Security or WFAS. WFAS is a great, out of the box firewall solution that’s available with Windows Vista and above and Windows Server 2008 and above. You can create very granular policies and you can bind authentication to the firewall rules.
What’s even better is that you can use the WFAS snap-in to Group Policy and deploy WFAS rules to groups of computers automatically. DirectAccess makes use of WFAS to enable the required protocols between the DirectAccess client and servers. But what if you don’t know anything about firewall rules or the WFAS? No problem. The Forefront UAG DirectAccess wizard creates these rules for you, creates the GPOs and GPO settings and then automatically deploys those settings for you. It doesn’t get much easier than that.
Active Directory and Group Policy
You know all about Active Directory and Group policy, don’t you? You’ve been working with them since Windows 2000 Server. DirectAccess takes advantage of Active Directory for authentication and uses Group Policy to make all the required configuration changes that are required on the DirectAccess clients and DirectAccess servers. Even if you’re a little weak with Active Directory and GPOs, though, there’s no need to worry about that. The Forefront UAG DirectAccess wizard will create the GPOs, link the GPOs, and create the GPO settings to deploy to the clients. You don’t have to be an Active Directory wizard or GPO Pro to get the Forefront UAG DirectAccess solution working right now.
Certificates
Certificates, certificates, certificates! They’re everywhere! Most of you have had to deal with digital certificates in one fashion or another. Sometimes the certificate issues were easy, and sometimes they were so difficult you ended up pulling out what hair you had left to figure out the problem. The Forefront UAG DirectAccess solution does take advantage of certificates. You’ll need machine certificates installed on all the DirectAccess clients so that they can create the IPsec connections with the DirectAccess server (used for both authentication and encryption) and you’ll need Web site certificates for the NLS that we talked about earlier and also a Web site certificate for the IP-HTTPS listener on the UAG DirectAccess server (IP-HTTPS is an IPv6 transition technology that allows the DirectAccess client to tunnel IPv6 messages over an IPv4 network; the key is that it encapsulates the messages in an SSL secured HTTP header so that it can get through firewalls and web proxies that limit access to only HTTP and HTTPS).
You will need to be able to work with certificates to get DirectAccess working. However, you would not be required to creep into the bowels of PowerShell or do some kind of arcane scripting to get it to work. The computer certificates require just a couple of clicks in the Group Policy Editor and the Web site certificate takes a few clicks in the Certificates MMC. The IP-HTTPS certificate should be purchased from a commercial certificate provider. Bam! It’s just about as easy as the UAG DirectAccess wizard.
Conclusion
DirectAccess is what you have been wanting for the last 20 years – even if you did not know it. You have wanted it for yourself and you’ve wanted it for your users. DirectAccess is a secure way to connect your domain users and computers to the network so that they can get what they need, when they need it, from anywhere they happen to be, without having to jump through productivity-sapping hoops. DirectAccess also gives IT what it needs to ensure that the connections are encrypted, authenticated, and secure. IT can now expand its influence over all domain users and computers, at virtually any time and all the time, so that off-network machines remain within configuration and security compliance mandates. That means remote machines now represent threat profiles that are little different from any other machine that moves on and off the corporate network.
However, no matter how wonderful the technology might be, and no matter what value it might bring to an organization, if it’s too complex to set up and maintain, it’s not worth the effort. We have seen that happen with other Microsoft “breakthroughs” like NAP and Server and Domain Isolation – two wonderful technologies that should have been world changers, but never made it to the big time. The good news about DirectAccess is that the level of complexity, while it’s there, is much lower than some might lead you to think it would be. In fact, there’s a good chance that you will already know about almost all the technologies that are used in a DirectAccess solution and you can quickly take what you know now and make it work, right out of the box. You won’t have to dig into PowerShell (unless you want to), you won’t have to write custom scripts (unless you want to) and you won’t have to learn a ton of new technologies before you can even get started. The cost/benefit ratio for DirectAccess is much better than just about any other “momentous” technology you ever worked with.
In the second part of this article, I will show you the UAG DirectAccess wizard and go into some more detail about why you would want to use UAG as your DirectAccess server solution. I promise that once you get a taste of DirectAccess, you’ll never again want to spin up a VPN connection or connect to a ragged old SSL VPN portal. See you then! – Deb.
If you would like to read the next part of this article series please go to The Forefront Unified Access Gateway DirectAccess Wizard – Part2: Examining the UAG DirectAccess Wizard Options.
