Windows 7 Direct Access Review – VPN for the 21st Century?
It’s billed as a seamless connection to the corporate network from anywhere – but those not running Windows 7 Enterprise and Windows Server 2008 should stick with traditional VPNs
Are You IPv6 Ready?
Requests intended for the protected network are routed via IPv6 over the Internet to a DirectAccess server that bridges the Internet and the protected intranet. As many networks on the Internet do not yet support IPv6, DirectAccess will automatically employ transition technologies such as 6to4 or Teredo to traverse IPv4 and network address translation (NAT) networks. For clients behind a Web proxy or a firewall with a restrictive outbound policy, DirectAccess can also fall back to IP-HTTPS Tunnelling, cramming the already encrypted IPSec traffic inside another HTTPS-encrypted transmission.
For those, like me, whose protected network was also not entirely IPv6-ready, DirectAccess utilises ISATAP to provide IPv6 connectivity across an IPv4 intranet.
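Each of the transition technologies mentioned above (6to4, Teredo and ISATAP) embeds the underlying IPv4 endpoint inside the IPv6 address in a fixed, documented layout, so an administrator reading DirectAccess server or firewall logs can tell which path a client arrived by without any extra instrumentation. The script below is an added example, not code from this review or from Microsoft; it classifies addresses using the address formats from RFC 3056 (6to4), RFC 4380 (Teredo) and RFC 5214 (ISATAP), and runs over a few constructed log lines. The `addr=` log format and the addresses themselves are invented for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class TransitionInfo:
    technology: str                        # "6to4", "teredo", "isatap" or "native"
    embedded_ipv4: Optional[str] = None    # IPv4 endpoint carried inside the IPv6 address
    teredo_server: Optional[str] = None    # Teredo server the client registered with
    teredo_port: Optional[int] = None      # client's external UDP port (de-obfuscated)


def classify(addr_text: str) -> TransitionInfo:
    """Identify which IPv6 transition technology an address encodes."""
    addr = ipaddress.IPv6Address(addr_text)
    packed = addr.packed

    # 6to4 (RFC 3056): 2002:WWXX:YYZZ::/48, the public IPv4 address sits in bits 16..47.
    if addr.sixtofour is not None:
        return TransitionInfo("6to4", str(addr.sixtofour))

    # Teredo (RFC 4380): 2001:0000::/32, server IPv4 in bits 32..63, 16 flag bits,
    # then the client's external port and IPv4 address stored as their bitwise NOT
    # (so the values survive NAT boxes that rewrite addresses they recognise).
    if addr.teredo is not None:
        server, client = addr.teredo
        port = (~int.from_bytes(packed[10:12], "big")) & 0xFFFF
        return TransitionInfo("teredo", str(client), str(server), port)

    # ISATAP (RFC 5214): any prefix, interface identifier 0000:5EFE:w.x.y.z
    # (or 0200:5EFE:w.x.y.z when the u/l bit is set for a global IPv4 address).
    if packed[8:10] in (b"\x00\x00", b"\x02\x00") and packed[10:12] == b"\x5e\xfe":
        return TransitionInfo("isatap", str(ipaddress.IPv4Address(packed[12:16])))

    # No transition encoding found: treat as native IPv6 (or IP-HTTPS, which
    # assigns ordinary prefixes and is not recognisable from the address alone).
    return TransitionInfo("native")


# Constructed sample log in an invented "addr=" format; not real DirectAccess output.
SAMPLE_LOG = """\
2010-03-01 08:14:02 addr=2002:c000:0204::1 event=ipsec-sa-established
2010-03-01 08:15:10 addr=2001:0:4136:e378:8000:63bf:3fff:fdd2 event=ipsec-sa-established
2010-03-01 08:16:44 addr=fd00:1::5efe:c000:210 event=intranet-dns-query
2010-03-01 08:17:03 addr=2001:0:4136:e378:8000:63bf:3fff:fdd2 event=ipsec-sa-rekey
"""

_ADDR_RE = re.compile(r"addr=([0-9a-fA-F:.]+)")


def parse_log(text: str) -> List[TransitionInfo]:
    """Extract every addr= field from the log text and classify it."""
    return [classify(m.group(1)) for line in text.splitlines()
            for m in _ADDR_RE.finditer(line)]


def summarise(text: str) -> Dict[str, int]:
    """Count how many log entries used each transition technology."""
    counts: Dict[str, int] = {}
    for info in parse_log(text):
        counts[info.technology] = counts.get(info.technology, 0) + 1
    return counts


if __name__ == "__main__":
    for info in parse_log(SAMPLE_LOG):
        print(info)
    print(summarise(SAMPLE_LOG))
```

Because the Teredo port and client address are stored inverted, the script recovers them with a bitwise NOT; the ISATAP test looks only at the interface identifier, so it matches ISATAP hosts on any intranet prefix. IP-HTTPS clients receive ordinary prefixes from the DirectAccess server and cannot be distinguished by address alone, which is why they fall into the `native` bucket here.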
With DirectAccess, IPSec encryption is enforced automatically from the endpoint to the DirectAccess server at the network edge. Administrators can, under some circumstances, also extend encryption all the way from the endpoint to the application server.
By default, authentication is performed on a machine basis, as administrators need to create security groups to identify the PCs eligible to use DirectAccess. As with encryption, authentication can terminate at the network edge or extend all the way to the application server. For more granular authentication, DirectAccess supports Smart Cards, although I did not test this configuration.
For many administrators still reliant on Windows Server 2003, supporting DirectAccess connectivity will require some significant upgrades to core domain infrastructure elements.
Initial Set-up
To get started with DirectAccess, a network requires a single system running Windows Server 2008 R2 (on the DirectAccess server that serves to bridge traffic between the Intranet and the Internet). However, a domain controller/DNS server must be running either Windows Server 2008 with Service Pack 2 or Windows Server 2008 R2 because the DNS service needs to support AAAA records for IPv6 nodes.
Administrators also need to have a certificate server for the domain, as Windows 7-based clients assigned to a security group with permission to use DirectAccess must have the right certificate installed in their Certificate store. Administrators must also create a highly available network location server (an encrypted Web server) on the protected network; this server is used by clients to determine whether they are connected inside or outside the firewall.
How internally hosted application servers work with DirectAccess depends on what operating system they are running, as well. Application servers running Windows Server 2008 R2 or Windows Server 2008 support IPv6 with a dual IP layer architecture and will be easy to access via DirectAccess. But servers with a dual stack architecture, such as Windows Server 2003, or ones that don’t support IPv6 at all cannot be accessed directly by remote DirectAccess clients.