Transparent corporate network access via DirectAccess

Executive Summary

Desktop software integration is part art, part science.  Desktop administration is hard and rarely leads to inspired users.  DirectAccess is going to change all of that.  With Windows Server 2008 R2 and Windows 7 you can now create an environment that is secure, always connected to the corporate network and a joy to use.  A number of benefits can be realized with DirectAccess including greater user satisfaction with the corporate desktop standard, lower training costs, more efficient network use, and a higher degree of management for the mobile workforce.

Some History of the Challenge

Virtual Private Networks (VPN) have been around for many years now.  Users tend to despise VPN because it’s an interruption to their workflow in order to grab a document or access an internal corporate resource.  Corporate network managers haven’t exactly been enamored with VPN either.  The VPN entry point into the network must be safeguarded, VPN client integration into the desktop is problematic, training users is hard, and all of the network traffic associated with the VPN connection comes to the corporate network.

[Figure: split network]

What if you could make those connections seamlessly work for the users?  What if the traffic for the corporate connection is only the network traffic for the internal resource and not all of the typical internet browsing?  What if the connection could easily be secured at multiple levels?

DirectAccess to the Rescue

Well, you can do all of that with a new enterprise feature of Windows Server 2008 R2 and Windows 7 called DirectAccess.  DirectAccess splits the traffic and only sends traffic to the corporate network that is needed to use the internal resource, like a file share, SharePoint site, or internal line-of-business application.  All of the users' internet traffic remains just that, destined for internet web sites.
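The split described above is driven on the client by name resolution and routing rather than by the user. Windows 7 DirectAccess clients carry a Name Resolution Policy Table (NRPT): DNS queries for names under the corporate suffix go to intranet DNS servers through the IPsec tunnel, and every other query goes to the local ISP resolver, so browsing traffic never enters the corporate network. The following is an added example, not code from the original post or from Microsoft, that models that decision; the suffix `.corp.example`, the exemption for `da.corp.example`, and the `2001:db8:1::/48` prefix are all constructed values.

```python
# Added example, not code from the original post or from Microsoft: a small
# model of how a DirectAccess client splits traffic. Windows 7 clients use a
# Name Resolution Policy Table (NRPT): DNS queries for names under the
# corporate suffix go to intranet DNS servers through the IPsec tunnel, every
# other query goes to the local ISP resolver. Packets are then routed by
# destination prefix. All names, suffixes and addresses here are constructed.
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import Tuple


@dataclass(frozen=True)
class NrptRule:
    namespace: str                # ".corp.example" = suffix rule, otherwise an exact name
    dns_servers: Tuple[str, ...]  # intranet DNS servers reached through the tunnel
    exempt: bool = False          # resolve publicly even though the suffix matches


# Constructed table. The exemption keeps the DirectAccess server's own public
# name resolvable before any tunnel exists; otherwise the client could never
# find the gateway it needs in order to build the tunnel.
NRPT = (
    NrptRule("da.corp.example", (), exempt=True),
    NrptRule(".corp.example", ("2001:db8:1::53",)),
)

# Constructed intranet prefix; anything inside it is sent through the tunnel.
CORP_PREFIX = IPv6Network("2001:db8:1::/48")


def match_rule(name: str, table=NRPT):
    """Longest-match lookup: the most specific namespace wins, as in NRPT."""
    name = name.lower().rstrip(".")
    best = None
    for rule in table:
        ns = rule.namespace.lower()
        hit = name.endswith(ns) if ns.startswith(".") else name == ns
        if hit and (best is None or len(ns) > len(best.namespace)):
            best = rule
    return best


def resolver_for(name: str):
    """Return ("intranet", servers) for corporate names, ("internet", ()) otherwise."""
    rule = match_rule(name)
    if rule is None or rule.exempt:
        return ("internet", ())
    return ("intranet", rule.dns_servers)


def route_for(dst: str) -> str:
    """Traffic path for a destination: the tunnel for corporate addresses, direct for the rest."""
    return "tunnel" if IPv6Address(dst) in CORP_PREFIX else "direct"


def classify(name: str, resolved_addr: str):
    """Combined view of one connection: where the name was resolved and where packets go."""
    where, servers = resolver_for(name)
    return {"name": name, "resolved_by": where, "dns_servers": servers,
            "path": route_for(resolved_addr)}


if __name__ == "__main__":
    # Constructed sample lookups: one intranet site, one public site, the gateway itself.
    for name, addr in (("sharepoint.corp.example", "2001:db8:1::80"),
                       ("www.example.net", "2001:db8:9::1"),
                       ("da.corp.example", "2001:db8:9::2")):
        print(classify(name, addr))
```

The exemption entry is the detail worth noticing: a suffix rule alone would send the query for the DirectAccess gateway's own name to an intranet DNS server that is only reachable once the tunnel is up, so the gateway name must be carved out and resolved publicly.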

There are many benefits to this approach.  The first big one is that this is totally transparent to the user.  They don’t need to be trained to use complicated VPN software and procedures.  Instead, they just access the data they need as if they were sitting in a corporate office directly connected to the corporate LAN.  Internal sites work just like public internet sites as far as the user is concerned.

This was a truly eye-opening experience the first time I sat down and tried it.  After thirteen years with the company I felt like my home office was finally part of the corporate network.  It was like sitting in Seattle sixteen hundred miles from Texas.  Here's a screencast I did of that experience using the beta of Windows 7 in early 2009:

[Embedded Silverlight screencast]

Now imagine for a moment how much bandwidth is consumed by VPN users.  If you were the network manager for the company, wouldn't you like to keep public internet browsing and the associated traffic off your corporate network?  DirectAccess helps you do that.  As you can see in the picture above, the internet traffic never hits your network and causes bottlenecks at the VPN or proxy servers.

Let’s Talk Security

DirectAccess uses a variety of security technologies and techniques to provide a secure and manageable infrastructure.  Internet Protocol version 6 (IPv6) and Internet Protocol Security (IPsec) are core technologies in the foundation.

  • Authentication - DirectAccess authenticates the computer, enabling the computer to connect to the intranet before the user logs on. DirectAccess can also authenticate the user and supports two-factor authentication using smart cards.  This is exactly how Microsoft has implemented DirectAccess for employees.  A smart card and the associated X.509 certificates are used for further identity proof.
  • Encryption - DirectAccess uses IPsec to provide encryption for communications across the Internet.  Clients establish an IPsec tunnel for the IPv6 traffic to the DirectAccess server, which acts as a gateway to the intranet. The DirectAccess client establishes two IPsec tunnels:
    • IPsec Encapsulating Security Payload (ESP) tunnel using a computer certificate. This tunnel provides access to an intranet DNS server and domain controller, allowing the computer to download Group Policy objects and to request authentication on the user’s behalf.
    • IPsec ESP tunnel using both a computer certificate and user credentials. This tunnel authenticates the user and provides access to intranet resources and application servers. For example, this tunnel would need to be established before Microsoft Outlook could download email from the intranet Microsoft Exchange Server.
  • Access Control - IT professionals can configure which intranet resources different users can access using DirectAccess, granting DirectAccess users unlimited access to the intranet or only allowing them to use specific applications and access specific servers or subnets.  Granularity and flexibility are key to many implementations of Microsoft products, and DirectAccess was built with that in mind.
  • Access Protection - DirectAccess can be used with other network policies to enforce compliance with corporate health requirement policies.  This is accomplished using the Windows Server 2008 R2 Network Policy Server (NPS) role and the features collectively called Network Access Protection (NAP).  NPS/NAP policies can check that a DirectAccess computer has the latest security updates, virus/anti-malware signatures and other security settings.  If the DirectAccess node doesn't pass the health state check, it is not allowed to connect to the corporate network, which prevents a potential threat from being exposed to other computers.
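The four bullets above describe one admission sequence: a computer-authenticated infrastructure tunnel that reaches only DNS and a domain controller, a health check that can refuse the machine outright, a user-authenticated intranet tunnel (smart card for two factors), and a per-group access policy applied to that second tunnel. The following is an added example, not code from the original post or from Microsoft, that models the sequence as a policy evaluator. The signature-age threshold, the server and subnet addresses, the group names and the fields of the client's "statement of health" are all constructed; real NAP and DirectAccess policy is richer than this.

```python
# Added example, not code from the original post or from Microsoft: a
# simplified policy model of the DirectAccess connection stages. The
# infrastructure tunnel needs a valid computer certificate and a passing
# NAP-style health check and reaches only DNS and the domain controller; the
# intranet tunnel additionally needs an authenticated user (smart card as the
# second factor) and is then limited by a per-group access policy. Thresholds,
# addresses, groups and the statement-of-health fields are all constructed.
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Client:
    has_valid_computer_cert: bool
    updates_current: bool         # all required security updates installed
    av_signature_date: date       # date of the installed anti-malware signatures
    firewall_on: bool


@dataclass(frozen=True)
class User:
    authenticated: bool
    smart_card: bool              # second factor presented
    groups: FrozenSet[str]


MAX_SIGNATURE_AGE_DAYS = 3                             # constructed health threshold
INFRA_SERVERS = (ip_network("2001:db8:1::53/128"),     # intranet DNS (constructed)
                 ip_network("2001:db8:1::10/128"))     # domain controller (constructed)
ACCESS_POLICY = {                                      # constructed per-group policy
    "all-staff": (ip_network("2001:db8:1::80/128"),),  # intranet portal only
    "finance": (ip_network("2001:db8:1:100::/64"),),   # one application subnet
    "it-admins": (ip_network("2001:db8:1::/48"),),     # the whole intranet
}

# Constructed sample inputs used by the demo below.
SAMPLE_DAY = date(2009, 3, 10)
HEALTHY_CLIENT = Client(True, True, date(2009, 3, 9), True)
STALE_CLIENT = Client(True, True, date(2009, 3, 1), True)       # old signatures
LOGGED_OFF = User(False, False, frozenset())                     # before user logon
STAFF_USER = User(True, True, frozenset({"all-staff"}))
ADMIN_USER = User(True, True, frozenset({"all-staff", "it-admins"}))
PASSWORD_ONLY = User(True, False, frozenset({"all-staff"}))      # no smart card


def health_check(client: Client, today: date) -> List[str]:
    """NAP-style evaluation of the client's statement of health; empty list means compliant."""
    failures = []
    if not client.updates_current:
        failures.append("security updates missing")
    if (today - client.av_signature_date).days > MAX_SIGNATURE_AGE_DAYS:
        failures.append("anti-malware signatures stale")
    if not client.firewall_on:
        failures.append("host firewall disabled")
    return failures


def infrastructure_tunnel(client: Client, today: date) -> Tuple[bool, str]:
    """First ESP tunnel: computer certificate plus health compliance, no user needed."""
    if not client.has_valid_computer_cert:
        return False, "no valid computer certificate"
    failures = health_check(client, today)
    if failures:
        return False, "health check failed: " + "; ".join(failures)
    return True, "infrastructure tunnel up"


def intranet_tunnel(client: Client, user: User, today: date,
                    require_smart_card: bool = True) -> Tuple[bool, str]:
    """Second ESP tunnel: everything the first needs, plus user authentication."""
    ok, why = infrastructure_tunnel(client, today)
    if not ok:
        return False, why
    if not user.authenticated:
        return False, "user not authenticated"
    if require_smart_card and not user.smart_card:
        return False, "smart card required"
    return True, "intranet tunnel up"


def authorize(client: Client, user: User, dst: str, today: date) -> Tuple[str, str]:
    """Decide whether traffic to dst is allowed and which tunnel carries it."""
    addr = ip_address(dst)
    ok, why = infrastructure_tunnel(client, today)
    if not ok:
        return "deny", why
    if any(addr in net for net in INFRA_SERVERS):
        return "allow", "infrastructure tunnel"
    ok, why = intranet_tunnel(client, user, today)
    if not ok:
        return "deny", why
    for group in sorted(user.groups):
        if any(addr in net for net in ACCESS_POLICY.get(group, ())):
            return "allow", "intranet tunnel (group %s)" % group
    return "deny", "no access policy covers destination"


if __name__ == "__main__":
    for client, user, dst in ((HEALTHY_CLIENT, LOGGED_OFF, "2001:db8:1::53"),
                              (HEALTHY_CLIENT, STAFF_USER, "2001:db8:1:100::5"),
                              (STALE_CLIENT, STAFF_USER, "2001:db8:1::53")):
        print(dst, authorize(client, user, dst, SAMPLE_DAY))
```

The ordering matters: the health check runs before either tunnel is granted, so a machine with stale signatures cannot even reach the intranet DNS server, while a healthy machine with no user logged on can reach DNS and the domain controller (enough for Group Policy) but nothing else until the user authenticates with the smart card.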

Management Benefits

The management benefits are primarily for the enterprise desktop administrators although users may benefit in ways they haven’t seen in the past.  Because DirectAccess is an “always on” style technology, desktop administrators have a greater chance of managing remote users.  The greater the connection speed, the more that can be accomplished across the wire.

For instance, DirectAccess nodes on the network can be queried and patched in a more consistent manner than in the past.  Instead of waiting for the user to come to a corporate campus or branch location, administrators can reach out and touch the machine on a more routine basis.

Management activities might include simple inventory reporting or something more serious like responding to a zero-day vulnerability with a patch or fix.  With DirectAccess, administrators can work with the nodes on the network in off hours and lower the impact on the users.  This will make your users happy.  The last thing they want is a required update in the middle of their busy day.  Now you can schedule updates at a more convenient time.

More information

There are a number of whitepapers and guides that are available for DirectAccess. For those of you that are more technically inclined, be sure to check out the Step-by-Step guide for the feature.  You can build and test this in a virtualized environment.

[NOTE] This blog post was posted to the new team blog at https://blogs.technet.com/windowsserverexperts/.  I am cross posting here because I am looking at a Silverlight 2 issue and I want to see how the container is rendered on my “normal” blog.