DirectAccess and how it works

Republished with the broken link fixed (thank you to the person who told me via messenger).  

In my last blog post, Direct Access - A Step by Step Guide, I just linked to a paper showing how you can set it up. However, based on that I got questions on both of my blogs about how it actually works. Well, this has two aspects: how it works from a user perspective and how it works technically.

Generally, there is one page to start with if you are looking for DirectAccess information, which is https://technet.microsoft.com/en-us/network/dd420463.aspx. From there you can reach a lot of different information on the technology.

Let’s start with the user. On https://technet.microsoft.com/en-us/windows/dd572177.aspx there is a good video showing what it looks like from a user perspective. Or you can access the video as a wmv file directly from here.

When it comes to the technology, I would like you to look at the Technical Overview of DirectAccess in Windows 7 and Windows Server 2008 R2. Let me just quote a few paragraphs from there:

DirectAccess overcomes the limitations of VPNs by automatically establishing a bi-directional connection from client computers to the corporate network. DirectAccess is built on a foundation of proven, standards-based technologies: Internet Protocol security (IPsec) and Internet Protocol version 6 (IPv6).

DirectAccess uses IPsec to authenticate both the computer and user, allowing IT to manage the computer before the user logs on. Optionally, you can require a smart card for user authentication.

DirectAccess also leverages IPsec to provide encryption for communications across the Internet. You can use IPsec encryption methods such as Triple Data Encryption Standard (3DES) and the Advanced Encryption Standard (AES).

Clients establish an IPsec tunnel for the IPv6 traffic to the DirectAccess server, which acts as a gateway to the intranet. Figure 1 shows a DirectAccess client connecting to a DirectAccess server across the public IPv4 Internet. Clients can connect even if they are behind a firewall.

This is the key point. If the IPsec tunnel cannot be established directly, the client falls back to IP-HTTPS, but all of this is described in the paper above in just a few pages (with a few pictures). I do not want to repeat it here. Just go and read it yourself.
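To see on a client which transport the IPv6 traffic is actually taking to the DirectAccess server (native IPv6, 6to4, Teredo, or the IP-HTTPS fallback described above) and whether the IPsec tunnels are up, the following script is an added example of mine, not from the post or the Microsoft paper; it goes a little beyond the post by also checking 6to4 and Teredo, and the netsh label names it matches on are assumptions based on typical Windows 7 output.

```powershell
# Added example: summarise a DirectAccess client's current transition technology
# state and IPsec security associations. Run in an elevated PowerShell on a
# Windows 7 (or later) DirectAccess client. The "Label : value" lines matched
# below are assumptions from typical netsh output, not taken from the post.

function Get-NetshValue {
    param([string[]]$Output, [string]$Label)
    # Return the value after "Label : value" in netsh output, or $null if absent.
    foreach ($line in $Output) {
        if ($line -match "^\s*$([regex]::Escape($Label))\s*:\s*(.+)$") {
            return $Matches[1].Trim()
        }
    }
    return $null
}

# IPv6 transition technologies; whichever is active carries the IPsec tunnel.
$sixToFour = netsh interface 6to4 show state
$teredo    = netsh interface teredo show state
$ipHttps   = netsh interface httpstunnel show interfaces

$report = [ordered]@{
    '6to4 state'       = Get-NetshValue $sixToFour 'State'
    'Teredo state'     = Get-NetshValue $teredo    'State'
    'IP-HTTPS status'  = Get-NetshValue $ipHttps   'Interface Status'
    'IP-HTTPS error'   = Get-NetshValue $ipHttps   'Last Error Code'
}

# Main-mode and quick-mode SAs show that the IPsec tunnels to the DirectAccess
# server described in the overview are actually established. Counting the
# "Local IP Address" lines (one per SA) is an assumption about the output layout.
$mmsa = netsh advfirewall monitor show mmsa
$qmsa = netsh advfirewall monitor show qmsa
$report['Main-mode SAs']  = @($mmsa | Where-Object { $_ -match '^\s*Local IP Address' }).Count
$report['Quick-mode SAs'] = @($qmsa | Where-Object { $_ -match '^\s*Local IP Address' }).Count

# A client that shows an active IP-HTTPS interface with no 6to4/Teredo
# qualification is on the fallback path, which is what you would expect
# behind a restrictive firewall or proxy.
$report.GetEnumerator() | ForEach-Object { '{0,-16}: {1}' -f $_.Key, $_.Value }
```

If the IP-HTTPS interface is active but the quick-mode SA count stays at zero, the client has reached the server over HTTPS but the IPsec negotiation itself is failing, which points at certificate or policy problems rather than at the network path.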

Roger
