TechOnTip Weblog

Run book for Technocrats

Direct Access in Windows 2012

Posted by Brajesh Panda on February 4, 2013


DirectAccess allows domain users to securely access the corporate network through their domain-joined remote computer without launching a traditional VPN dialer or logging into an SSL-VPN web portal.

Every time a DirectAccess-enabled computer connects to the Internet, it automatically establishes bidirectional connectivity with the corporate network.

By default it uses split tunneling, so only corporate traffic traverses the DirectAccess connection. This behavior can be changed to force public Internet traffic through the corporate network as well.

DirectAccess is built on IPv6. The DirectAccess server and clients communicate over IPv6, and where native IPv6 is not available this is done through IPv6 transition technologies. In the same way, a DirectAccess client reaches the internal IPv4 infrastructure through the DirectAccess server using IPv6 transition technologies.

DirectAccess was introduced with Windows Server 2008 R2, but the new version brings some good enhancements:

  • Windows Server 2008 R2 needed Forefront for some IPv6 transition technologies (NAT64, DNS64). These are now built into Windows Server 2012, removing the dependency on Forefront.
  • IP-HTTPS has been improved in Windows Server 2012, which overcomes Teredo's limitations.
  • In a simpler deployment, the IP-HTTPS connection can use a self-signed certificate.
  • In a pure Windows 8 client environment, no computer certificate is needed, which removes the PKI requirement. If you also need to support Windows 7 clients, they require a computer certificate, so a PKI is still needed for that client version.
  • A traditional Windows VPN (RRAS) and DirectAccess can coexist on the same server.
  • Supports load balancing across multiple servers.
  • Supports multiple entry points for site disaster recovery and lets clients connect to the nearest entry point worldwide.
  • Supports several network architectures (see the diagram):
    • One NIC inside the corporate network
    • Two NICs: one in the DMZ and one in the corporate network
    • Two NICs: one on the public Internet (for Teredo) and one in the corporate network

A few things need to be considered for a production deployment where Windows 7 and Windows 8 clients coexist:

  • PKI infrastructure
  • A public certificate for the IP-HTTPS deployment. If you use an internal CA certificate, make sure the CA's CRL (certificate revocation list) URL is reachable from the Internet so clients can verify the certificate.
  • You still have to deploy the DirectAccess Connectivity Assistant (DCA) 2.0 to Windows 7 clients, and the DCA settings have to be configured manually. The easiest way is to enable multisite connectivity in the Remote Access configuration, which lets you define a separate GPO for Windows 7 computers.
  • Best practice is to use two separate security groups for Windows 7 and Windows 8 clients.
  • Configure internal CA templates to issue computer certificates to clients according to their group membership.
  • Make sure the Network Location Server (NLS) is highly available and that its URL is not published to the Internet. The NLS lets clients determine whether they are inside or outside the corporate network: if the NLS cannot be reached, the client assumes it is outside and starts a DirectAccess connection. So if clients are inside the corporate network and the NLS is unreachable at that moment, they will start a DirectAccess connection; being inside, they may be unable to reach the DirectAccess server's public interface, and they will lose access to network resources.
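The NLS and CRL requirements above, checked from a DirectAccess client with an added PowerShell script (this is not from the original post). It assumes a Windows 8 or later client with the DirectAccess client cmdlets, and the NLS and CRL URLs are placeholders to replace with your own.

```powershell
# Added example, not part of the original post. Run on a Windows 8+ DirectAccess
# client, once from the corporate network (-Inside) and once from the Internet.
param(
    [string]$NlsUrl = 'https://nls.corp.example/',          # placeholder NLS URL
    [string]$CrlUrl = 'http://crl.corp.example/rootca.crl', # placeholder CRL URL
    [switch]$Inside                                         # set when on corpnet
)

function Test-Url {
    param([string]$Url)
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
        [pscustomobject]@{ Url = $Url; Reachable = $true;  Detail = "HTTP $($r.StatusCode)" }
    } catch {
        # TLS trust failures land here too, which is what we want for the NLS:
        # an untrusted NLS certificate makes the client think it is outside.
        [pscustomobject]@{ Url = $Url; Reachable = $false; Detail = $_.Exception.Message }
    }
}

$findings = @()

# NLS must answer over HTTPS from inside and must NOT answer from the Internet;
# either mistake breaks location detection (tunnel from inside, or never tunnel).
$nls = Test-Url $NlsUrl
if ($Inside -and -not $nls.Reachable) { $findings += "NLS unreachable from inside: $($nls.Detail)" }
if (-not $Inside -and $nls.Reachable) { $findings += "NLS answers from the Internet: it is published externally" }

# The NLS host needs an NRPT exemption (rule with no DirectAccess DNS servers);
# without it the probe is resolved and sent over the tunnel instead of locally.
$nlsHost = ([uri]$NlsUrl).Host
$exempt = Get-DnsClientNrptPolicy |
    Where-Object { $_.Namespace -eq $nlsHost -and -not $_.DirectAccessDnsServers }
if (-not $exempt) { $findings += "No NRPT exemption found for $nlsHost" }

# Clients validate the IP-HTTPS certificate from outside, so the CA's CRL
# distribution point must be reachable from the Internet.
if (-not $Inside) {
    $crl = Test-Url $CrlUrl
    if (-not $crl.Reachable) { $findings += "CRL unreachable from the Internet: $($crl.Detail)" }
}

# What the client itself concluded, and the state of its IP-HTTPS interface
$da = Get-DAConnectionStatus   # DirectAccessClientComponents module
$ip = Get-NetIPHttpsState      # NetworkTransition module
"Client status : $($da.Status) / $($da.Substatus)"
"IP-HTTPS      : $($ip.InterfaceStatus) (last error $($ip.LastErrorCode))"
if ($findings) { $findings | ForEach-Object { "FAIL: $_" } } else { "All checks passed" }
```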

I will keep updating this article with my findings. Watch out for upcoming articles on how to configure the DirectAccess infrastructure.


2 Responses to “Direct Access in Windows 2012”

  1. John said

    I flagged your entire article as untrustworthy when you wrote this:
    “In a truly Windows 8 client environment, it don’t need a computer certificate removing PKI requirement.”
    If you have no ability to review your article for basic grammar usage, then I assume you don’t bother to check the rest of the information.

    • As per my understanding, we do not need a certificate for a Windows 8 environment, but it will limit the environment to a basic level. For complex features you still need a certificate.
