DirectAccess is new to the Windows Server 2008 R2 and Windows 7 operating systems. DirectAccess
enables a remote user to work on their corporate network when they are
away from the office without needing a VPN. As long as the remote
user is connected to the Internet, DirectAccess automatically
connects the remote user to the corporate network without any
user intervention.
When a user's DirectAccess-enabled laptop is connected to the Internet, a bidirectional
connection is automatically established with the user's corporate
network. Because the connection is bidirectional, the IT administrator
can also remotely manage the Windows 7 machine while the machine is away
from the network.
1. DirectAccess vs. VPNs
There are a few problems
with using VPNs to connect to a network. One issue is that when a user
gets disconnected from their VPN connection, they must manually reestablish the
VPN connection.
Another issue with VPNs is that
many organizations filter VPN connection traffic. It may not be
possible for an organization to open a firewall to allow VPN traffic.
Also, if your intranet and Internet traffic both travel over the
VPN connection, your Internet connections can be slower.
DirectAccess does not face the
same limitations as a VPN. DirectAccess allows a laptop or desktop that
is configured properly to connect automatically by using a bidirectional
connection between the client and the server.
To establish this
connection, DirectAccess uses Internet Protocol Security (IPsec) and
IPv6. IPsec provides a high level of security between the client and the
server, and IPv6 is the network protocol the machines use to communicate.
2. Understanding How DirectAccess Works
To better understand
DirectAccess, it helps to understand how DirectAccess operates. The
following steps, taken from the Microsoft white papers, show how
DirectAccess operates.
1. The Windows 7 DirectAccess client determines whether the machine is connected to the corporate network or to the Internet.
2. The Windows 7 DirectAccess computer tries to connect to the web server specified during the DirectAccess setup configuration.
3. The Windows 7 DirectAccess client computer connects to the Windows Server
2008 R2 DirectAccess server using IPv6 and IPsec. Because most users
connect to the Internet by using IPv4, the client establishes an
IPv6-over-IPv4 tunnel using 6to4 or Teredo.
4. If an organization has a firewall that prevents the DirectAccess client
computer using 6to4 or Teredo from connecting to the DirectAccess
server, the Windows 7 client automatically attempts to connect by using
the IP-HTTPS protocol.
5. As part of establishing the IPsec session, the Windows 7 DirectAccess
client and server authenticate each other by using computer certificates.
6. The DirectAccess server uses Active Directory membership to verify that
the computer and user are authorized to connect by using DirectAccess.
7. The DirectAccess server begins forwarding traffic from the DirectAccess
client to the intranet resources to which the user has been granted
access.
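The sequence above maps onto state that a Windows 7 client exposes through netsh, so a help desk can tell which step a failing client is stuck at. The script below is an added example, not from the Microsoft white papers or the original text; the function names are its own, and the probe URL passed to Test-DaProbe is a placeholder for the web server chosen during setup (Microsoft calls it the network location server). It relies only on netsh contexts and .NET classes present on Windows 7 with its built-in PowerShell 2.0.

```powershell
# Added example: report which stage of the DirectAccess connection
# sequence a Windows 7 client has reached. Helper names are this
# example's own; all commands are Windows 7 built-ins.

function Test-DaProbe {
    param([string]$ProbeUrl)   # placeholder: the web server chosen during DA setup
    # Step 2: reaching this server means the client is on the intranet,
    # so no DirectAccess tunnel is needed.
    try {
        $req = [System.Net.WebRequest]::Create($ProbeUrl)
        $req.Timeout = 5000
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode
        $resp.Close()
        return ($code -eq 200)
    } catch {
        return $false
    }
}

function Get-DaTransitionState {
    # Steps 3 and 4: each IPv6-over-IPv4 transition technology has its own
    # netsh context. The output tells you which one is actually in use.
    $state = @{}
    $state['6to4']    = (netsh interface 6to4 show state) -join "`n"
    $state['Teredo']  = (netsh interface teredo show state) -join "`n"
    $state['IPHTTPS'] = (netsh interface httpstunnel show interfaces) -join "`n"
    return $state
}

function Get-DaIPsecSessions {
    # Step 5: a main mode security association with the DirectAccess server
    # shows that certificate-based mutual authentication succeeded.
    return (netsh advfirewall monitor show mmsa) -join "`n"
}

function Get-DaNamePolicy {
    # Steps 6 and 7: the Name Resolution Policy Table delivered by Group
    # Policy lists which DNS suffixes are sent through the tunnel.
    return (netsh namespace show policy) -join "`n"
}

# Usage: run as an administrator on the Windows 7 client.
$onIntranet = Test-DaProbe -ProbeUrl 'https://nls.corp.example/'   # placeholder URL
"Intranet probe reachable: $onIntranet"
if (-not $onIntranet) {
    $t = Get-DaTransitionState
    foreach ($tech in '6to4', 'Teredo', 'IPHTTPS') {
        "==== $tech ===="
        $t[$tech]
    }
    "==== IPsec main mode SAs ===="
    Get-DaIPsecSessions
    "==== Name resolution policy ===="
    Get-DaNamePolicy
}
```

Read the output top down: a reachable probe means step 2 ended the sequence; otherwise the transition section tells you whether 6to4, Teredo, or the IP-HTTPS fallback is carrying IPv6, the main mode SA list confirms that step 5 completed, and an empty NRPT usually means the client never received the DirectAccess Group Policy, so steps 6 and 7 cannot happen.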
Now that you understand how
DirectAccess works, let's take a look at the requirements for setting up
DirectAccess on your network.
3. Knowing the DirectAccess Infrastructure Requirements
To set up DirectAccess, your
network infrastructure must meet some minimum requirements. The
following are the requirements for setting up DirectAccess:
- Windows Server 2008 R2 configured to use DirectAccess. This server will be
set up as a multihomed system. This means that your server will need two
network adapters: one adapter is connected directly to the Internet
and a second adapter is connected to the intranet. Each network adapter
will be configured with its own TCP/IP address.
- Windows 7 client machines configured to use DirectAccess.
- A minimum of one domain controller and one DNS server running Windows Server 2008 SP2 or Windows Server 2008 R2.
- A certificate authority (CA) server that will issue computer certificates, smart card certificates, or health certificates.
- IPsec policies to specify protection for traffic.
- IPv6 on the DirectAccess server that uses ISATAP, Teredo, or 6to4.
Complete Exercise 1
to install the DirectAccess feature onto a Windows Server 2008 R2
machine. Remember that the DirectAccess feature needs to be installed on
Windows Server 2008 R2.
Exercise 1: Installing the DirectAccess Feature
1. Start Server Manager by clicking Start => Administrative Tools => Server Manager.
2. In the left window pane, click Features.
3. In the right window, click the Add Feature link.
4. Click the DirectAccess Management Console check box. A
dialog box may appear, asking you to install any other features
required by DirectAccess. Click the Add Required Features button.
5. Click Next and then click the Install button.
6. Verify that the installation was complete and then close Server Manager.
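The same work can be scripted, which is useful when you build more than one DirectAccess server or want to confirm the infrastructure requirements before touching Server Manager. The script below is an added example and is not part of the original exercise: it checks the server-side requirements listed above (Windows Server 2008 R2, domain membership, two IP-enabled adapters) and then installs the DirectAccess Management Console, which is what Exercise 1 does through the GUI. It is written for the PowerShell 2.0 that ships with Windows Server 2008 R2; the function names are its own, and DAMC is assumed to be the Server Manager feature name for the console, which you should confirm with Get-WindowsFeature.

```powershell
# Added example: prerequisite check plus scripted equivalent of Exercise 1.
# Function names are this example's own. Run in an elevated PowerShell
# session on the prospective Windows Server 2008 R2 DirectAccess server.

function Test-DaServerPrerequisites {
    $os = Get-WmiObject Win32_OperatingSystem
    $cs = Get-WmiObject Win32_ComputerSystem
    # The server must be multihomed: one adapter on the Internet, one on
    # the intranet, each with its own address. WMI is used because the
    # Get-NetAdapter cmdlets do not exist on 2008 R2.
    $nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True")

    $checks = @()
    $checks += New-Object PSObject -Property @{
        Check  = 'Windows Server 2008 R2 (kernel version 6.1)'
        Passed = ($os.Version -like '6.1*')
        Detail = $os.Caption
    }
    $checks += New-Object PSObject -Property @{
        Check  = 'Domain member (required for AD-based authorization)'
        Passed = [bool]$cs.PartOfDomain
        Detail = $cs.Domain
    }
    $checks += New-Object PSObject -Property @{
        Check  = 'At least two IP-enabled network adapters'
        Passed = ($nics.Count -ge 2)
        Detail = ($nics | ForEach-Object { $_.Description + ': ' + ($_.IPAddress -join ', ') }) -join '; '
    }
    return $checks
}

function Install-DaManagementConsole {
    # Assumption: DAMC is the feature name of "DirectAccess Management Console"
    # in Server Manager on 2008 R2. Add-WindowsFeature pulls in required
    # features itself, matching the "Add Required Features" prompt in the GUI.
    Import-Module ServerManager
    $feature = Get-WindowsFeature DAMC
    if ($feature -eq $null) { throw 'Feature DAMC not found; check Get-WindowsFeature.' }
    if ($feature.Installed) { return $feature }
    Add-WindowsFeature DAMC | Out-Null
    return Get-WindowsFeature DAMC
}

# Usage: show the checks, and only install when all of them pass.
$results = Test-DaServerPrerequisites
$results | Format-Table Check, Passed, Detail -AutoSize
$failed = @($results | Where-Object { -not $_.Passed })
if ($failed.Count -eq 0) {
    Install-DaManagementConsole | Format-List DisplayName, Installed
} else {
    Write-Warning 'Fix the failed prerequisites before installing DirectAccess.'
}
```

The checks cover only what can be read from the server itself; the certificate authority, domain controller, and DNS server requirements live on other machines and are set up separately, as the text notes.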
After the DirectAccess
feature is installed, the DirectAccess Management Console appears in the
Administrative Tools section. When you start the DirectAccess
Management Console, click Setup and the DirectAccess Setup Wizard will start.
The setup wizard (see Figure 1)
walks you through a four-stage process (setting up the Remote Clients,
DirectAccess Server, Infrastructure Servers, and Application Servers)
and lets you choose which Windows 7 computers can use
DirectAccess. Follow the wizard to complete the installation. To
complete the setup and allow DirectAccess to function properly, you also need to
set up a certificate server, a domain controller, and DNS.