DirectAccess is a new feature in Windows 7 that allows users to securely access corporate servers from outside the network, without a VPN. This was perhaps the most eye-catching feature for me and could well change the way that people work all over the world, but it is something of a big claim. Pretty much any system admin that I’ve mentioned this to has said “Oh yeah, I’d like to see that. How does it work?” with a heavy dose of cynicism, but now I can tell them…well, show them a white paper at least!
VPNs, or Virtual Private Networks, are used by almost everyone who needs to access corporate servers, information and so on from outside the network: at home, on the road, from the hotel, wherever. They’re not the easiest things in the world for either users or admins. The back end needed to set them up and maintain them can be costly and tricky to manage, and I’m sure that VPN problems must be in the top five HelpDesk calls at most companies. We’re constantly visited by account managers and reps from a huge array of manufacturers, and nearly every single one has to call HQ to get access to email etc. via their VPN…but with the advent of Windows 7 and Windows Server 2008 R2, that could all be over.
“DirectAccess establishes bi-directional connectivity with the user’s enterprise network every time the user’s DirectAccess-enabled portable computer is connected to the Internet, even before the user logs on”
“Clients establish an IPsec tunnel for the IPv6 traffic to the DirectAccess server, which acts as a gateway to the intranet. Clients can connect even if they are behind a firewall.”
DirectAccess requires the following:
· One or more DirectAccess servers running Windows Server 2008 R2 with two network adapters: one that is connected directly to the Internet, and a second that is connected to the intranet.
· On the DirectAccess server, at least two consecutive, public IPv4 addresses assigned to the network adapter that is connected to the Internet.
· DirectAccess clients running Windows 7.
· At least one domain controller and Domain Name System (DNS) server running Windows Server 2008 or Windows Server 2008 R2. When smart card-based authentication is required for end-to-end protection, you must use Active Directory Domain Services (AD DS) in Windows Server 2008 R2.
· A public key infrastructure (PKI) to issue computer certificates, smart card certificates, and, for NAP, health certificates. For more information, see http://www.microsoft.com/pki.
· IPsec policies to specify protection for traffic. For more information, see http://www.microsoft.com/ipsec.
· IPv6 transition technologies available for use on the DirectAccess server: ISATAP, Teredo, and 6to4.
· Optionally, a third-party NAT-PT device to provide access to IPv4-only resources for DirectAccess clients.
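The requirements above are easy to read and surprisingly easy to get wrong on a real box, so here is a pre-deployment check you can run on a candidate DirectAccess server. This is an added example and not part of the Microsoft white paper or of DirectAccess itself; it assumes Windows Server 2008 R2 with PowerShell 2.0 (so it uses WMI and the Cert: drive rather than the newer Net* cmdlets), and the address ranges it treats as "not public" (RFC 1918, loopback, link-local, multicast) are my own simplification of what the white paper means by a public IPv4 address. The "two consecutive public IPv4 addresses" rule exists because the Teredo server component on the DirectAccess server needs both, so the script checks that two of the Internet adapter's public addresses differ by exactly one.

```powershell
# Added pre-deployment check for the DirectAccess server requirements above.
# Not from the white paper. Assumes PowerShell 2.0 on Windows Server 2008 R2.
# "Public" here is an assumption: anything outside 0/8, 10/8, 127/8, 169.254/16,
# 172.16/12, 192.168/16 and 224/4 and above.

function Test-PublicIPv4 {
    param([string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $o = $ip.GetAddressBytes()
    if ($o[0] -eq 0 -or $o[0] -eq 10 -or $o[0] -eq 127 -or $o[0] -ge 224) { return $false }
    if ($o[0] -eq 169 -and $o[1] -eq 254) { return $false }
    if ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) { return $false }
    if ($o[0] -eq 192 -and $o[1] -eq 168) { return $false }
    return $true
}

function ConvertTo-UInt32 {
    # Turn a dotted IPv4 string into an integer so "consecutive" is a simple subtraction.
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)   # GetAddressBytes is network order; BitConverter wants host order
    return [BitConverter]::ToUInt32($bytes, 0)
}

# Requirement: two network adapters, one on the Internet and one on the intranet.
$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE")
if ($nics.Count -lt 2) {
    Write-Warning ("Only {0} IP-enabled adapter(s) found; DirectAccess needs two." -f $nics.Count)
}

foreach ($nic in $nics) {
    $addrs = @($nic.IPAddress)
    $v4 = @($addrs | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })
    $v6 = @($addrs | Where-Object { $_ -match ':' })

    # Requirement: the IPsec tunnel carries IPv6, so IPv6 must be enabled on the adapter.
    if ($v6.Count -eq 0) {
        Write-Warning ("Adapter '{0}' has no IPv6 address; IPv6 looks disabled." -f $nic.Description)
    }

    # Requirement: at least two consecutive public IPv4 addresses on the Internet adapter.
    $public = @($v4 | Where-Object { Test-PublicIPv4 $_ })
    if ($public.Count -eq 0) { continue }   # no public addresses: treat as the intranet side

    $sorted = @($public | ForEach-Object { ConvertTo-UInt32 $_ } | Sort-Object)
    $consecutive = $false
    for ($i = 1; $i -lt $sorted.Count; $i++) {
        if (($sorted[$i] - $sorted[$i - 1]) -eq 1) { $consecutive = $true }
    }
    $status = if ($consecutive) { 'OK' } else { 'FAIL (need two consecutive)' }
    "{0}: Internet adapter '{1}' public IPv4: {2}" -f $status, $nic.Description, ($public -join ', ')
}

# Requirement: a PKI-issued computer certificate with a private key for IPsec authentication.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$machineCerts = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        Where-Object { $_.Value -eq $clientAuthOid })
})
if ($machineCerts.Count -eq 0) {
    Write-Warning "No computer certificate with Client Authentication EKU and a private key in LocalMachine\My."
} else {
    "OK: {0} usable computer certificate(s): {1}" -f $machineCerts.Count, (($machineCerts | ForEach-Object { $_.Subject }) -join '; ')
}
```

Run it in an elevated PowerShell prompt on the server before you touch the DirectAccess setup wizard. It does not verify the domain controller, DNS or IPsec policy requirements, which live on other machines, and a FAIL on the consecutive-address check usually means the ISP handed you two addresses that are public but not adjacent.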
It’s proving quite difficult to truly get the message across in this post without it becoming boringly long, so instead go and download the Technical White Paper from Microsoft here.