DirectAccess

DirectAccess is a new feature in Windows 7 (Ultimate and Enterprise editions only) and Windows Server 2008 R2 that provides seamless intranet connectivity to DirectAccess client computers when they are connected to the Internet. Unlike most traditional VPN connections, which must be initiated and terminated by explicit user action, DirectAccess connections is designed to connect automatically as soon as the computer connects to the internet. In 2010, Microsoft Forefront Unified Access Gateway was released, which simplifies^[1][2][3] the deployment of DirectAccess, and includes additional components that make it easier to integrate without the need to deploy IPv6 on the network. While DirectAccess is based on Microsoft technology, third-party solutions exist for accessing UNIX and Linux servers through DirectAccess^[4].

Technology

DirectAccess establishes IPSec tunnels from the client to the DirectAccess server, and uses IPv6 to reach intranet resources or other DirectAccess clients. This technology encapsulates the IPv6 traffic over IPv4 to be able to reach the intranet over the Internet, which still relies on IPv4 traffic. All traffic to the intranet is encrypted using SSL and sent through the standard HTTPS port (443), which means that in most cases, no configuration of firewalls or proxies should be required^[5]. A DirectAccess client can use one of several tunnelling technologies, depending on the configuration of the network the client is connected to. The client can use 6to4, Teredo tunneling, or IP-HTTPS, provided the server is configured correctly to be able to use them. For example, a client that is connected to the internet directly will use 6to4, but if it is inside a NATed network, it will use Teredo instead.

DirectAccess in UAG provides enterprise features for a DirectAccess solution, such as centralized management, high availability, and enhanced security (UAG contains a EAL4+ Certified firewall, so it can be used on the edge of your network). UAG also provides a NAT64 and DNS64, allowing you to provide DirectAccess clients with access to IPv4-only resources on your network.

Requirements

DirectAccess requires:

• one or more DirectAccess servers running Windows Server 2008 R2 with two network adapters: one that is connected directly to the Internet, and a second that is connected to the intranet.
• on the DirectAccess server, at least two consecutive, public IPv4 addresses assigned to the network adapter that is connected to the Internet.
• DirectAccess clients running Windows 7 (Ultimate and Enterprise editions only).
• at least one domain controller and Domain Name System (DNS) server running Windows Server 2008 SP2 or Windows Server 2008 R2.
• public key infrastructure (PKI) to issue computer certificates.

Smart card certificates, and health certificates for Network Access Protection may be used along with PKI.

A third-party NAT64 device may be used to provide access to IPv4-only resources to DirectAccess clients.^[6]

Support for Windows Home Server

The latest version of Windows Home Server called Windows Home Server 2011 is based on the Windows Server 2008 R2 code base^[7]. Remote access to the users home computers and resources are one of the key features of the Windows Home Server edition. Even though Windows Home Server 2011 is based on Windows Server 2008 R2 no support for DirectAccess is implemented.

The motivation for this is the steep requirements on the client computers operating systems, as only Windows 7 Ultimate and Enterprise is supported. Further on the server is also required to have two NICs while a typical Windows Home Server only has one. However in future versions of Windows Home Server Microsoft hopes to deliver a simplified version of DirectAccess for home usage^[8].

References

1. ^ Microsoft Forefront Unified Access Gateway 2010
2. ^ Windows Server Division WebLog
3. ^ Portcullis Systems UAG DirectAccess Appliance
4. ^ Centrify DirectSecure - Integrating Windows 7 DirectAccess with UNIX and Linux Systems
5. ^ DirectAccess: Microsoft's Newest VPN Solution - Part 1: Overview of Current Remote Access Solutions
6. ^ DirectAccess Requirements
7. ^ Foley, Mary Jo (27 January 2010). "Early version of Windows Home Server 'Vail' leaks to the Web". ZDNet. http://blogs.zdnet.com/microsoft/?p=5063&tag=content;col1. Retrieved 2 February 2010. 
8. ^ Daniel, Sean (03 May 2010). "Any chance of a light version of DirectAccess for WHS Vail". Microsoft. http://social.microsoft.com/Forums/en-US/whsvailbeta/thread/fdcaae11-0f3e-4b6f-95ab-53bcd4046fe0. Retrieved 10 April 2011. 

External links

• Microsoft's DirectAccess Getting Started page
• Microsoft's DirectAccess TechNet page
• MS-IPHTTPS on MSDN: includes PDF with specification.
• Blogger's posting on DirectAccess