As I was preparing a presentation on Microsoft's forthcoming Windows 7 I had an opportunity to get better acquainted with DirectAccess. DirectAccess is a new feature in Windows 7 that when combined with Windows Server 2008 R2 brings new meaning to anywhere access to the corporate Intranet.
With DirectAccess enabled the mobile employee can automatically connect to the corporate Intranet through a Windows 2008 R2 DirectAccess server. Once connected the employee can access file server, applications, or any other permitted function. Yes I said permitted. DirectAccess allows you to control which servers and applications are accessible from outside your network. This gives DirectAccess a distinct advantage over most VPN solutions.
Think of the possibilities, not only can the mobile employee function as if they were in the office regardless of location, the IT staff can support them as well. Your IT staff no longer has to deal with deploying, configuring, and supporting VPN clients for mobile employees, just add it to the build. You can also manage those mobile employees because DirectAccess integrates with Windows Server 2008 Network Access Protection. Anytime the mobile employee connects to the Internet anywhere in the world, DirectAccess will automatically attempt to connect to the corporate network and apply your network policies. When NAP is fully integrated with System Center Configuration Manager and DirectAccess you no longer have to hunt those machines down, they come to you and automatically update themselves. Talk about your dynamic architecture!
DirectAccess uses IPv6 and IPSec to provide the connectivity between Windows 7 clients and the Windows 2008 R2 DirectAccess server. But what if you don't have IPv6 deployed? DirectAccess includes IPv6 transition technologies, Teredo, 6to4, and the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), to help ensure IPv6 connectivity over a public network. DirectAccess also supports a new Windows 7/Windows Server 2008 R2 protocol IP-HTTPS. IP-HTTPS allows hosts behind a Web proxy server or firewall to establish connectivity by tunneling IPv6 packets inside an IPv4-based HTTPS session.
Now here's the catch, Microsoft recommends that Intranet servers and applications support native IPv6. There are a couple of workarounds since Microsoft realizes very few organizations currently have native IPv6 infrastructures. You can either deploy ISATAP to make intranet servers and applications reachable by tunneling IPv6 traffic over your IPv4-only intranet. Or you can deploy Network Address Translation–Protocol Translation (NAT-PT) devices. NAT-PTs perform IPv6/IPv4 translation services for traffic between your DirectAccess clients that are using IPv6 and intranet servers and applications that can only use IPv4.
How about security? In addition to IPv6 over IPSec, DirectAccess supports Smart Card authentication as well as computer certificates to ensure only authorized employees are able to connect. DirectAccess provides the ability to lockout clients in the event a computer is lost or stolen.
Earlier I mentioned integration with System Center Configuration Manager, what about Operations Manager? Yes there is a DirectAccess management pack available for System Center Operations Manager Service Pack 1 that includes alerting for DoS or TCP SYN attacks, component performance, and component availabity.
If you're in the market for a low cost, low maintenance, fully integrated, anywhere access solution I invite you to consider this option. Download a copy of DirectAccess Early Adopter's Guide from Microsoft and start your planning (okay playing) today!