Incorporated into Windows Server 2008 R2 and Windows 7 (Ultimate and Enterprise
Editions), the feature called Direct Access allows remote users to securely
access the resources of their organization. 'Resources' here means the
intranet shares, applications and websites. This is achieved without
connecting to a Virtual Private Network (VPN). Unlike VPN connections, which
require the user to authenticate first, Direct Access provides intranet
connectivity even before the user logs in: it establishes the connection as
soon as a Direct Access enabled client computer is connected to the Internet.
The advantage is for both users and IT administrators. Without the need for VPN
connectivity, IT administrators can easily manage remote computers outside the
office; the only requirement is that the remote computer has Internet access.
Here we delve deep into the secrets of Direct Access.
Direct Hit!
Applies To: IT Managers
USP: Learn how Direct Access lets you access the resources of your enterprise without VPN
Primary Link: http://bit.ly/4KKsSp
Search Engine Keywords: direct access, windows server 2008 R2
How is it different from VPN?
A Virtual Private Network uses the Internet, or more generally the public
infrastructure, to give enterprises and individual users the ability to
seamlessly connect to other corporate offices or branch offices. It is a
secure means of connection between the corporate server and the user's computer:
the data travelling over the VPN is generally encapsulated and secured using
strong encryption. Direct Access, in contrast, provides access control to
network resources based on the client computer's identity together with the
corporate governance policies. Using Network Access Protection (NAP)
technologies, it ensures a secure and healthy IT environment by helping keep
the clients in compliance. NAP, incorporated in Windows Server 2008 and other
versions of Windows such as Vista and XP (SP3), allows network administrators
to define policies that specify the system health requirements: for instance,
that the most recent OS updates are installed, that the anti-virus signatures
are the latest version, and that a host-based firewall is installed and enabled.
You also need to ensure that the users are connected to the exact server that
provides data encryption.
How does Direct Access work and how secure is it?
For end-to-end connectivity and protection of intranet traffic, Direct
Access uses IPv6 and Internet Protocol security (IPsec). Apart from this,
Direct Access clients use a network location server, which helps them detect
whether they are on the intranet or not. The Name Resolution Policy Table
(NRPT), which separates Domain Name System (DNS) traffic for the intranet from
the rest, also plays a major role here.
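To make the split of DNS traffic concrete, here is an added Python model of an NRPT lookup combined with the network location server check; it is not code from the article or from Windows. The namespace, the IPv6 DNS server address and the NLS name are constructed assumptions, and the exemption of the NLS name is modelled as it is done in a typical deployment.

```python
from typing import List, Optional

# Constructed NRPT for a hypothetical deployment (names are assumptions, not from
# the article): the corporate suffix is sent to the intranet DNS server through the
# tunnel, and the network location server (NLS) is exempted, so that the client can
# reach it with ordinary DNS to decide whether it is inside the corporate network.
NRPT_RULES = [
    {"namespace": ".corp.example.com", "dns_servers": ["2001:db8:1::53"]},
    {"namespace": "nls.corp.example.com", "dns_servers": None},  # exemption
]

def intranet_dns_for(fqdn: str, rules=NRPT_RULES) -> Optional[List[str]]:
    """Return the intranet DNS servers the NRPT assigns to fqdn, or None when
    the name goes to the adapter's normal resolver. A namespace starting with
    '.' is a suffix rule, anything else matches a single name, and the most
    specific match wins, which is what lets an exemption override a suffix."""
    name = fqdn.rstrip(".").lower()
    best = None
    for rule in rules:
        ns = rule["namespace"].lower()
        hit = name.endswith(ns) if ns.startswith(".") else name == ns
        if hit and (best is None or len(ns) > len(best["namespace"])):
            best = rule
    return best["dns_servers"] if best else None

def resolver_for(fqdn: str, nls_reachable: bool, rules=NRPT_RULES) -> str:
    """Assumed model: when the NLS answers, the client concludes it is on the
    intranet and does not apply the NRPT; otherwise names are split by the table."""
    if nls_reachable:
        return "intranet (direct)"
    servers = intranet_dns_for(fqdn, rules)
    return f"intranet DNS via tunnel {servers}" if servers else "local resolver"
```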
Why IPv6?
For enterprises already using an IPv6 infrastructure, it helps extend the
existing infrastructure to the client computers, which in turn can easily
access Internet resources using IPv4. Basically, IPv6 is used so that the
Direct Access clients have globally routable addresses. It even provides an
alternative for those enterprises still stuck on IPv4, by making use of the
'6to4' and 'Teredo' IPv6 transition technologies for connectivity across the
IPv4 Internet.
[Figure: "This shows how the Intranet traffic is separated from" (caption truncated)]
One thing to note here is that by deploying a NAT64 device, the client
computers can easily access resources on the intranet that still do not support
IPv6. With Direct Access deployed through Unified Access Gateway, you will find
that NAT64 is already pre-configured.
'6to4' and Teredo are the two transition technologies that help an IPv6 host
tunnel across the IPv4 Internet. Being the most common tunneling protocols,
they allow an IPv6 host to tunnel its traffic, but this encapsulated IPv6
traffic might be blocked by a firewall or by a web proxy server. Here comes
the role of IP-HTTPS, a new protocol in Windows 7 and Windows Server 2008 R2.
IP-HTTPS comes into the picture only when the client is unable to connect to
the server using the other IPv6 connectivity protocols.
Using Internet Protocol security (IPsec), Direct Access allows for additional
configuration options: for end-to-end authentication and for encryption, it
helps provide more secure connections than VPN clients.
Direct Access Authentication
As discussed above, no interaction from the user is needed, as Direct Access
authenticates the computer before the user logs in. Moreover, the access
obtained through computer authentication alone is limited to the Direct Access
servers, DNS and domain controllers. Once the computer is authenticated, the
user can log in with his credentials; the standard user authentication process
is supported. You can also implement two-factor authentication for greater
security by using smart cards.
[Figure: "Teredo Infrastructure and its components. Using Teredo" (caption truncated)]
Restricted to Win Server 2008 R2 and Win 7?
The only disadvantage we come across with Direct Access is that its minimum
operating system requirements are Windows 7 and Windows Server 2008 R2. The
clients must run either the Ultimate Edition or the Enterprise Edition of
Windows 7. Also, the Direct Access servers must be joined to Active Directory
Domain Services and run Windows Server 2008 R2. Direct Access won't work on
previous versions of Microsoft's server OS such as 2003, 2007, etc., or even on
Windows Vista or Windows XP. If an enterprise wants to use this technology, it
needs to migrate to Windows Server 2008 R2 and its clients need to move to
Windows 7, so a lot of cost might be involved in the entire process.
Direct Access and Forefront Unified Access Gateway
Forefront Unified Access Gateway 2010 (UAG) helps establish secure remote
access to the resources of an enterprise. The corporate resources are easily
accessible to users, partners, etc. on both managed and unmanaged PCs and
mobile devices. It provides system administrators with a centralized, simple
management platform through which they gain more control and visibility. It
also helps deliver secure access to applications such as SharePoint, Dynamics
CRM, Exchange, etc.
Other Direct Access requirements
As discussed above, the client needs to be running Windows 7, and no special
installation is required on the client side. Only some configuration is
required, as Direct Access clients use AD domain membership and group policy
settings. Once the configuration is done with all the necessary group policy
settings, and once the client has been connected to the LAN or through a VPN
connection, it becomes transparent to the end user.
Other requirements for Direct Access servers running on Windows Server 2008 R2
are two network adapters, one connected directly to the Internet and the other
to the intranet. You need at least two consecutive IPv4 addresses assigned to
the network adapter that is connected to the Internet. Also, a DNS server and
at least one domain controller running Windows Server 2008 SP2 or R2 are
required.
[Figure: "Unified Access Gateway takes the deployment of Direct" (caption truncated)]
One important thing to note here is that using Unified Access Gateway, it is
possible to deploy Direct Access with DNS servers and domain controllers running
Windows Server 2003 R2.
Other requirements are certificates: for instance, a health certificate for
NAP, a smart card certificate for smart card authentication, and a public key
infrastructure (PKI) to issue computer certificates.
Direct Access in action
Let's look at how Direct Access clients connect to the intranet resources.
Once the client computer running Windows 7 detects the network, it tries to
establish the connection, which is between the Direct Access client and the
server using IPsec and IPv6. If an IPv6 network is not available, the client
tries to make use of either 6to4 or Teredo. If the client computer is still
not able to connect to the Direct Access server, which might be due to a
firewall or proxy server, then comes the role of IP-HTTPS: once the connection
is refused or not established, the client automatically attempts to connect
with IP-HTTPS. Internet Protocol over Secure Hypertext Transfer Protocol
(IP-HTTPS) uses an SSL connection to encapsulate the IPv6 traffic. When the
session is established for the tunnel to reach the intranet DNS server, the
client and server authenticate each other using certificates.
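The fallback sequence above, written out as an added Python model that is not part of the article or of the Windows client: it derives the client's 6to4 prefix from its IPv4 address (which is why 6to4 needs a public address) and walks the order native IPv6, 6to4, Teredo, IP-HTTPS. The IPv4 addresses and the four reachability flags are constructed assumptions; the real client also consults group policy.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def behind_nat(ipv4: str) -> bool:
    """A private (RFC 1918) address on the adapter means the client sits behind a NAT."""
    return any(ipaddress.IPv4Address(ipv4) in net for net in RFC1918)

def six_to_four_prefix(ipv4: str) -> str:
    """6to4 (RFC 3056) derives the client's /48 as 2002:WWXX:YYZZ::/48 from its
    IPv4 address, which is why it only works with a public (non-NAT) address."""
    if behind_nat(ipv4):
        raise ValueError("6to4 needs a public IPv4 address")
    w, x, y, z = ipaddress.IPv4Address(ipv4).packed
    return f"2002:{w:02x}{x:02x}:{y:02x}{z:02x}::/48"

@dataclass
class ClientNetwork:
    """Constructed snapshot of what the client can reach (assumption: these
    five fields are the decisive bits; the real client probes much more)."""
    native_ipv6: bool        # ISP provides a globally routable IPv6 address
    ipv4: Optional[str]      # address on the Internet-facing adapter, None if no IPv4
    proto41_allowed: bool    # 6to4 encapsulates IPv6 in IP protocol 41
    udp_allowed: bool        # Teredo encapsulates IPv6 in UDP (port 3544)
    https_allowed: bool      # IP-HTTPS encapsulates IPv6 in HTTPS on TCP 443

def choose_transport(net: ClientNetwork) -> str:
    """Fallback order from the article: native IPv6, then 6to4 or Teredo,
    and IP-HTTPS only when the tunnels are refused by a firewall or proxy."""
    if net.native_ipv6:
        return "native-ipv6"
    if net.ipv4 and not behind_nat(net.ipv4) and net.proto41_allowed:
        return "6to4"
    if net.ipv4 and net.udp_allowed:
        return "teredo"
    if net.https_allowed:
        return "ip-https"
    raise ConnectionError("no path to the Direct Access server")
```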
Enabling Network Access Protection (NAP) helps the Direct Access client obtain
a health certificate. The client acquires this certificate from a Health
Registration Authority (HRA) located on the Internet. The HRA forwards all of
the client's health status information to a NAP health policy server, which
processes it according to the policies defined within the Network Policy
Server (NPS) and checks whether the client is compliant with the system health
requirements. Once all that is done, the client connects to the server and
submits the health certificate for authentication.