Intro to Windows Server 2008 R2 DirectAccess
In the modern work environment, a number of new challenges arise when supporting a workforce that has expanded beyond the traditional workplace.
Traditionally, these workers reached corporate intranet resources either through a Virtual Private Network (VPN) or through web gateways. The problem with these options is that they are either cumbersome or complex to work with, or they are limited in the internal resources they can reach.
It is for these users that DirectAccess was developed. With DirectAccess in Server 2008 R2, the cumbersome setup, authentication and authorization required by VPN solutions happen automatically in the background, and the limitations imposed by web gateways no longer apply.
DirectAccess works by establishing a bi-directional connection between the client and the internal company resources. This is done with IPSec, or with Hypertext Transfer Protocol Secure (HTTPS) tunnels where IPSec is not permitted. DirectAccess also relies on IPv6, which is transported within these established tunnels.
Two tunnels are established separately: an initial tunnel to the domain controller(s) and DNS server(s), which is used to download Group Policy objects and to authenticate the computer on the user's behalf, and a second tunnel, which is used to authenticate the user and provide access to the permitted intranet resources.
There are also two methods for implementing DirectAccess, depending on the technologies currently deployed on your intranet network and servers: End-to-End and End-to-Edge protection.
When using End-to-End protection, the second tunnel terminates at the server hosting the accessed resources. With this method, the endpoint servers must run Windows Server 2008 or Windows Server 2008 R2 and support both IPv6 and IPSec.
When using End-to-Edge protection, the second tunnel terminates at the IPSec gateway server (typically the DirectAccess server itself), and traffic destined for the endpoint server is then sent unprotected across the internal network. Either implementation requires that the client runs Windows 7 Ultimate or Enterprise.
DirectAccess has a further advantage over VPN connections: by default, only intranet-bound traffic is tunneled over the WAN back to a central location. With a VPN, all traffic is typically routed to the central location even when the destination is on the public Internet and could be reached faster directly. DirectAccess tunnels only traffic destined for the intranet unless the option to route all traffic back to a central location is enabled.
DirectAccess Connection Process
- A Windows 7 Ultimate or Enterprise DirectAccess client detects a connection to a network
- The client determines whether it is connected to the intranet; if not, DirectAccess is used
- The client connects to the DirectAccess server via IPv6 and IPSec; if a native IPv6 network is not available, the client uses 6to4 or Teredo to send IPv6 traffic encapsulated in IPv4
- If a firewall prevents the client from establishing a connection to the DirectAccess server, a connection is attempted using HTTPS; in that case a Secure Sockets Layer (SSL) connection encapsulates the IPv6 traffic
- The client (computer) and the server authenticate each other via computer certificates
- If NAP is used, health validation occurs
- When a user logs on to the client, the DirectAccess client establishes the second tunnel to the resources and authenticates the computer and user credentials
- If authentication succeeds, the resources are accessible
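The following is an added teaching model of the connection process listed above and of the split-tunneling behaviour described earlier; it is not Microsoft's code or any part of the product. It encodes the order of transports the article gives (native IPv6, then 6to4, then Teredo, then IPv6 over HTTPS), the two tunnels, and the default rule that only intranet-bound traffic is tunneled. The `NetworkState` fields, the `Outcome` type and the suffix-based `is_tunneled` check are assumptions made for the model; the choice to keep the infrastructure tunnel up but refuse the intranet tunnel when NAP validation fails is likewise this model's assumption.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class NetworkState:
    """Observations a DirectAccess client makes on a new network (constructed fields)."""
    nls_reachable: bool = False      # intranet Network Location Server answers over HTTPS
    native_ipv6: bool = False        # global IPv6 path to the DirectAccess server
    public_ipv4: bool = False        # public (non-NAT) IPv4 address, so 6to4 is possible
    udp_3544_allowed: bool = False   # Teredo's UDP port passes the local firewall
    tcp_443_allowed: bool = True     # HTTPS fallback passes the local firewall
    computer_cert_valid: bool = True # computer certificate accepted by the server
    nap_enabled: bool = False
    nap_compliant: bool = True
    user_logged_on: bool = False
    user_auth_ok: bool = True


@dataclass
class Outcome:
    transport: Optional[str]        # None, "native-ipv6", "6to4", "teredo" or "ip-https"
    infrastructure_tunnel: bool     # tunnel 1: DC/DNS, computer authentication, GPO download
    intranet_tunnel: bool           # tunnel 2: user authentication, resource access
    reason: str


def choose_transport(net: NetworkState) -> Optional[str]:
    """Preference order from the article: native IPv6/IPSec first, then 6to4 or
    Teredo encapsulation, then IPv6 over HTTPS when a firewall blocks the rest."""
    if net.native_ipv6:
        return "native-ipv6"
    if net.public_ipv4:
        return "6to4"
    if net.udp_3544_allowed:
        return "teredo"
    if net.tcp_443_allowed:
        return "ip-https"
    return None


def connect(net: NetworkState) -> Outcome:
    """Walk the connection steps and report how far the client gets."""
    if net.nls_reachable:
        return Outcome(None, False, False, "on intranet: DirectAccess not used")
    transport = choose_transport(net)
    if transport is None:
        return Outcome(None, False, False, "no path to the DirectAccess server")
    if not net.computer_cert_valid:
        return Outcome(transport, False, False, "computer certificate rejected")
    if net.nap_enabled and not net.nap_compliant:
        # Model assumption: a non-compliant computer is denied the intranet tunnel.
        return Outcome(transport, True, False, "NAP health validation failed")
    if not net.user_logged_on:
        return Outcome(transport, True, False, "infrastructure tunnel only; no user logged on")
    if not net.user_auth_ok:
        return Outcome(transport, True, False, "user authentication failed")
    return Outcome(transport, True, True, "intranet resources accessible")


def is_tunneled(destination: str, intranet_suffixes: List[str],
                force_tunneling: bool = False) -> bool:
    """Default behaviour from the article: only intranet-bound traffic enters the
    tunnel; Internet traffic goes direct unless force tunneling is enabled.
    Matching by DNS suffix is this model's simplification."""
    if force_tunneling:
        return True
    host = destination.lower().rstrip(".")
    for suffix in intranet_suffixes:
        s = suffix.lower().rstrip(".")
        s = s if s.startswith(".") else "." + s
        if host == s[1:] or host.endswith(s):
            return True
    return False


if __name__ == "__main__":
    # Constructed scenario: hotel network, NAT and UDP blocked, HTTPS allowed, user logged on.
    hotel = NetworkState(user_logged_on=True)
    print(connect(hotel))
    print(is_tunneled("fileserver.corp.example", [".corp.example"]))
    print(is_tunneled("www.example.org", [".corp.example"]))
```

Running the module prints an `Outcome` with transport `ip-https` and both tunnels up for the hotel scenario, `True` for the intranet host and `False` for the Internet host, which is the split-tunnel default the article describes.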
DirectAccess provides an additional technology that makes accessing internal resources easier and more secure. This is a vital part of the modern working environment and gives businesses the option to let more employees work from home or other remote locations.