With Microsoft Direct Access, Who Needs VPN?

Do you ever need a file from the office computer, but you’re on the train, at home or away from your desk? Wouldn’t it be great to have immediate access to your data regardless of your location? Direct Access, a feature of Windows Server 2008 R2, makes this possible. Using the Internet and the built-in networking function in your Windows 7 PC, data can be retrieved quickly and easily.

What is Direct Access?
Direct Access on Microsoft’s 2008 R2 server is a technology which uses the Internet to connect an end user system and Direct Access servers to other network resources, be they inside or outside the corporate LAN.

In the past, for a remote computer to connect to the internal enterprise local area network, a VPN, or virtual private network, was required. A VPN also uses the Internet as the link between server and client, but it requires several things: client software installed on the workstation, end user initiation of the “dialer” to connect their PC to the company LAN, and IT installation and management of the VPN client software.

How is it Used?
Once configured, the remote user connects to the Direct Access server with no user interaction besides turning on the PC and choosing the corporate network. Once the employee connects to the Internet, they will be presented with all the servers and resources to which they have been granted permissions. This includes email, printers, and other computers. For IT professionals, there is no need to manage a VPN client, as Direct Access operates at the machine level, meaning the computer will “know” what server is on its Direct Access system. The Windows 7 computer will show a link to the company’s network. Additionally, the Direct Access server can be used to publish group policies to your end users to help manage software and computer configurations.

For companies that have remote employees, mobile and telecommuting workers, this technology can ease the burden of IT needing to have the computer on site for software updates and management. Not only do remote workstations and end users benefit, but Direct Access servers can also connect to other resource servers running this feature. For instance, if a global company has an internal SharePoint document repository, other Direct Access servers located in regional offices can use the Internet to access remote data, and then present those files or resources to their local users, without the need to have the data stored on the local server. Again, all servers communicating will require Direct Access.

What is Required?
Besides the standards of Active Directory, a Domain Controller and DNS structure, the server must use the R2 release of Windows 2008. Also, the server requires two internal network cards and two public IP addresses. Microsoft’s web server, Internet Information Server, is mandatory.

How is Security Handled?
As with other servers, you will configure authentication for end users and incoming connections. Other security services needed are PKI and IPSec. PKI certificates are issued to the clients to validate the authenticity of the requester and the certificate over a public network, i.e. the Internet. IPv6 is not required on the company LAN, but Direct Access does utilize this protocol. The IPv6 traffic will run across an IPv4 LAN; a Direct Access server feature called ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) handles this function when configured.

A routing protocol included in Direct Access is the Name Resolution Policy Table, or NRPT. This protocol creates a routing table on each DA client so that it will know how to handle traffic directed to the DA server versus other Internet traffic, like search engines and basic web browsing. If you are sitting in the airport or a café, traffic for the DA server will be sent directly to it and other traffic will be routed accordingly.
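
The per-name decision the NRPT makes on a client can be modeled as follows; this is an added example, not Microsoft's code or part of the original article. It assumes the table is keyed on DNS names (exact names and suffixes) and that an entry listing no DirectAccess DNS server is an exemption; every domain name and address in it is a constructed placeholder.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class NrptRule:
    namespace: str        # ".suffix" = any name under that suffix; no leading dot = exact FQDN
    da_dns: tuple = ()    # DNS servers reached through DirectAccess; empty = exemption

# Constructed sample table; every name and address here is a placeholder.
NRPT = [
    NrptRule(".corp.example.com", ("2001:db8::53",)),
    NrptRule("nls.corp.example.com"),   # exempt, so it resolves with local DNS
    NrptRule(".lab.corp.example.com", ("2001:db8:1::53",)),
]

def normalize(name: str) -> str:
    return name.rstrip(".").lower()

def match(name: str, rules=NRPT) -> Optional[NrptRule]:
    """Most specific rule wins: exact FQDN over suffix, longer suffix over shorter."""
    name = normalize(name)
    best, best_key = None, (-1, -1)
    for rule in rules:
        ns = normalize(rule.namespace)
        is_suffix = ns.startswith(".")
        hit = name.endswith(ns) if is_suffix else name == ns
        key = (0 if is_suffix else 1, len(ns))
        if hit and key > best_key:
            best, best_key = rule, key
    return best

def resolve_path(name: str, rules=NRPT):
    """Say which resolver a lookup goes to, and with which DNS servers."""
    rule = match(name, rules)
    if rule is None:
        return ("local-dns", ())            # ordinary Internet name
    if not rule.da_dns:
        return ("local-dns-exempt", ())     # deliberately kept off DirectAccess
    return ("directaccess-dns", rule.da_dns)

def uncovered(names, internal_suffixes, rules=NRPT):
    """Audit: internal names no rule covers, which would go to the local network's DNS."""
    return [n for n in names
            if normalize(n).endswith(tuple(internal_suffixes))
            and match(n, rules) is None]

if __name__ == "__main__":
    for n in ("mail.corp.example.com", "nls.corp.example.com", "www.example.org"):
        print(n, "->", resolve_path(n))
```

On a Windows 7 client the configured table can be listed with `netsh namespace show policy` and compared against the list of internal namespaces in the same way.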

The Benefits for You
Features of Windows 2008 R2 provide multiple benefits for IT management and end users. Whether your users are working at home, or sitting at the airport, an Internet connection with Direct Access can easily link remote workers back to the company and server resources. Any data that is transferred in or out is secured using IPSec, certificates, encryption and user authentication. If you are considering using Direct Access, consult Microsoft’s Deployment guide for a successful project and rollout.