Ditch Your VPN for DirectAccess
With DirectAccess and a Windows 7 client, you can provide your mobile workforce with secure, reliable network access without the hassle of a VPN.
Has your IT department been suffering from high support calls regarding Virtual Private Network (VPN) connectivity? Does your company have a large mobile workforce? Has your company been spending a lot on training for end users? With Direct Access, you can cut down on VPN connectivity support calls and decrease the training time.
Traditionally, when mobile users have wanted to access their corporate network, they've needed to use a VPN to dial in, only to find out that the network they're connected to at the conference or hotel has VPN ports disabled. What do they do next? Usually they'll call up either colleagues or IT support to send them their files through email. Another potential headache: Software deployment to mobile users requires them to be connected to the corporate network constantly.
With Direct Access, connecting through a VPN is no longer needed. Mobile users who are joined to the corporate domain will be able to access the corporate network without the need to establish a VPN connection. What does this mean? Mobile users get to connect to the corporate network seamlessly as long as they have Internet connectivity. Software deployment to mobile users will also be seamless. Once internet connectivity is established, it will start downloading the software from the corporate network.
How does Direct Access work?
Direct Access is fairly a simple technology:
- Once a Direct Access enabled client (Windows 7) is connected to the Internet, it will attempt to establish a connection to the intranet's website. If successful, the Direct Access connection process ends.
- If the connection fails, the Direct Access client will attempt to connect to the Direct Access Server using IPv6 and IPSec. If an IPv6 network is not available, the Direct Access client automatically establishes a 6to4 tunnel (or Teredo).
- If, due to a firewall, a 6to4 tunnel or Teredo is not possible, the Direct Access client will fallback to IP-HTTPS to connect to the Direct Access server.
- Establishing connectivity requires the use of IPSec. Direct Access client and server will authenticate with each other through the use of certificates.
- Direct Access client will authenticate with the Active Directory, and check if the computer has access to use Direct Access.
- If Network Access Protection (NAP) is used, the Direct Access client will obtain a health certificate from a Health Registration Authority (HRA) before connecting to the Direct Access Server.
- The Direct Access server will start forwarding traffic from the intranet to the Direct Access client.
Setting Up Direct Access
Without getting too detailed, here's a quick overview on how to set up Direct Access.
For Direct Access to work, we need the following:
- Active Directory running on Windows Server 2008 R2
- Application Server running on Windows Server 2008 R2
- Direct Access feature installed on Windows Server 2008 R2 (Direct Access Server)
- Direct Access Server with 2 network interface cards
- Windows 7 Enterprise/Ultimate
The Direct Access server will need to face the Internet, preferably in the DMZ.
Setting up the Domain Controller (Active Directory)
- Ensure that Forest Functional Level is set to Windows Server 2008 R2.
- Ensure that DNS is installed.
- Setup Enterprise root Certificate Authority (CA).
- Create a security group for Direct Access computers.
- Create a custom certificate template for domain computers to request and authenticate.
- Enable firewall rules for ICMPv4 and ICMPv6.
- Remove the ISATAP from the DNS global block list.
- In the Command Prompt's elevated privilege mode: Dnscmd /config /globalqueryblocklist wpad
- Configure CRL distribution settings
- Enable computer certificate auto-enrollment
Setting up the Direct Access server
- Ensure that two network interface cards are installed.
- Join the Direct Access server to the domain.
- Install the Web Server (IIS) role.
- Create a Web-based CRL distribution point.
- Configure permissions on the CRL distribution point file share.
- Publish the CRL on the Direct Access server.
- Obtain additional certificate.
- Run the Direct Access Setup Wizard.
Setting up the application server (or file server)
- Join the application server to the domain.
- Request for certificate from the CA.
- Install Web Server (IIS).
- Create HTTPS binding to the default website.
Setting up Direct Access client (Windows 7)
- Join the client to the domain.
- Add the client computer to the Direct Access security group.
- Request/Verify that the certificate has been applied to the computer.
On running the Direct Access Setup Wizard, it is necessary to do a Group Policy update and restart the IPv6 service (net restart iphlpsvc) for the servers/clients to work.
Direct Access offers a lot of benefits to companies with lots of remote users. With Direct Access, support and operational costs will be greatly decreased, reducing the workload of the IT staff to focus on improving IT efficiency in the company.