Windows 7 Direct Access Review – VPN for the 21st Century?
It’s billed as a seamless connection to the corporate network from anywhere – but those not running Windows 7 Enterprise and Windows Server 2008 should stick with traditional VPNs
Legacy Set-ups?
To support legacy application servers, administrators will need to deploy at the network perimeter another device that supports NAT-PT to bridge the communications between IPv6 DirectAccess clients and IPv4 application servers. The next version of Microsoft’s gateway solution, now called Microsoft Forefront UAG 2010, will provide NAT-PT functionality. Forefront UAG 2010 is currently in beta, and Microsoft has not yet announced an availability date.
Microsoft officials informed me that some third-party networking partners plan to ship their own NAT-PT solutions. While Microsoft specifically mentioned F5 as one of those partners, F5 officials declined to comment for this story.
Network administrators will also find that they will need Forefront UAG 2010 if they intend to scale their DirectAccess implementations beyond a single DirectAccess server on the network perimeter. As currently designed, each DirectAccess server is an independent entity, to be configured and managed on its own. Forefront UAG must be added to the network to provide array management and load balancing in a DirectAccess scenario.
Load Tolerance
Unfortunately, Microsoft does not yet offer much guidance when it comes to right-sizing a DirectAccess implementation. According to Microsoft officials, the company is still gathering telemetry from early beta adopters to better understand how many DirectAccess servers are needed for a given amount of load. However, they do anticipate wide variation according to how the network is used: the number of remote clients connected at one time, the amount of data transmitted back and forth, and the traversal method used by clients at any given time will all combine to determine performance. Microsoft officials told me that on a DirectAccess server, processor utilisation is more likely than memory to present a bottleneck.
As for the clients, DirectAccess is available only to endpoints running Windows 7 Enterprise or Ultimate. Further, machines must be joined to the domain because certificate services and Group Policy play important roles in establishing a remote connection.
DirectAccess will not work on Windows 7 Professional, even though that SKU has Domain Join capabilities, nor is it available for any other consumer editions of Windows 7.
DirectAccess also will not work with Windows Vista- or Windows XP-based systems, nor with systems running Windows versions older than XP. Administrators will need to continue to maintain existing remote access solutions to support these down-level clients or replace those technologies with identical services offered via Forefront UAG 2010. Microsoft officials leave the door open for DirectAccess support on other client operating systems down the road, although I’d guess that support would not extend beyond Vista.
Administrators also should not expect virtualised clients on a DirectAccess-capable Windows 7 machine (via XP Mode or other hypervisor) to be able to leverage DirectAccess connectivity, even if using NAT between the host and the VM. This is not a big deal when it comes to files or shares, as the Windows 7 host can copy files locally for consumption in an XP Mode application. But for anyone using XP Mode to access legacy Web applications that require an IE 6 browser on the protected network, DirectAccess will not provide the needed connectivity. A separate VPN solution for the virtualised instance itself may be required.
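Before planning a rollout, an administrator will want to know which endpoints actually meet the client-side requirements described above (Windows 7, Enterprise or Ultimate edition, domain joined). The following readiness check is an added example, not code from the article or from Microsoft; it assumes WMI is reachable on the queried hosts and that the account running it has local administrator rights there.

```powershell
# Added example: inventory clients against the DirectAccess requirements the
# review lists. Uses Get-WmiObject and New-Object so it runs on the PowerShell 2.0
# that ships with Windows 7. Win32_OperatingSystem.OperatingSystemSKU values:
# 1 = Ultimate, 4 = Enterprise, 5 = Ultimate N, 27 = Enterprise N, 48 = Professional.
function Test-DirectAccessClientReady {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $eligibleSkus = @{ 1 = 'Ultimate'; 4 = 'Enterprise'; 5 = 'Ultimate N'; 27 = 'Enterprise N' }

    foreach ($name in $ComputerName) {
        try {
            $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $name -ErrorAction Stop
            $cs = Get-WmiObject -Class Win32_ComputerSystem  -ComputerName $name -ErrorAction Stop
        } catch {
            New-Object PSObject -Property @{
                Computer = $name; Ready = $false
                Reason   = "WMI query failed: $($_.Exception.Message)"
            }
            continue
        }

        $reasons = @()

        # Windows 7 reports kernel version 6.1 (Vista is 6.0, XP is 5.1).
        # Server 2008 R2 is also 6.1, but its server SKUs fail the edition check below.
        if (-not $os.Version.StartsWith('6.1')) {
            $reasons += "not Windows 7 ($($os.Caption))"
        }

        # Professional (SKU 48) can domain-join but is not a DirectAccess client.
        if (-not $eligibleSkus.ContainsKey([int]$os.OperatingSystemSKU)) {
            $reasons += "edition not Enterprise/Ultimate (SKU $($os.OperatingSystemSKU))"
        }

        # Certificate auto-enrolment and Group Policy require domain membership.
        if (-not $cs.PartOfDomain) {
            $reasons += 'not domain joined'
        }

        New-Object PSObject -Property @{
            Computer = $name
            Ready    = ($reasons.Count -eq 0)
            Reason   = ($reasons -join '; ')
        }
    }
}

# Example call: check the local machine; pass -ComputerName for a list of hosts.
Test-DirectAccessClientReady | Format-Table Computer, Ready, Reason -AutoSize
```

Machines reported as not ready are the ones that will still need the existing VPN, or the equivalent services via Forefront UAG 2010, once DirectAccess is deployed.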