Hit PDC, WinHEC or any other tech event this month and Windows Server 2008 R2 is going to be a common topic of conversation. And the most common feature discussed in those conversations is likely to be Live Migration, since it's something on which we've received a ton of positive customer feedback. But while LM is on everyone's lips now, my favorite R2 feature is a bit of a sleeper. It's called DirectAccess, and it's got the potential to revolutionize remote access.
Ailing economy = tight budgets = folks looking to save money any way they can. Telecommuting, remote access, virtual meetings, it's all got cost savings stamped on it for everyone except the poor IT manager who needs to manage loads of third-party VPN clients, configure VPN concentrators and deploy fully managed VPN routers at every remote office and telecommuter's home. What if all that could go away? What if all you needed was a Windows Server 2008 R2 management console on one end and Windows 7 on the other? What if that combination automatically found the corporate network, authenticated and then accessed the user's resources no matter what network the end-user PC connected to? That's DirectAccess.
Imagine you're at a hotspot (airport, coffee shop, book store or my personal favorite, NYC's Bryant Park in June) and you need a corpnet connection to access a share. No more opening a VPN client, maybe choosing the right RAS server, getting the mystery error. Corpnet is simply there just as if you were logged on back at the office. File shares, network apps, VDI feeds, it's all supported.
DirectAccess does exactly what its name implies: it's always on and directly accesses the user's corpnet resources no matter where she's connecting from – home, a partner or customer's office or the Starbucks near the airport lounge. And I know what you're thinking: how can this be secure if it's automatic?
For one, it still uses IPsec tunneling for encryption; it just does it automatically using new R2 configuration tools and underlying technologies already contained in Windows Server 2008, like IPv6. For another, you can configure every DA session to hit any router that can manage 6to4 translation OR you can have it hit a DirectAccess Gateway that takes charge of not just 6to4, but also additional security features like NAP. You can even add a Forefront Intelligent Access Gateway (IAG), as these are now DA-aware, too. Best part is that all of it's automatic once you configure it using just a wizard.
The idea isn't to do away with the concept of a secure remote connection as established by VPNs; it's just to do away with the management headaches. The connection is secure and managed. But now instead of dropping, starting and occasionally getting lost, it's always-on. Ubiquitous. In large deployments, users won't need to distinguish between remote and local computing. I've seen it in action and it was the slickest demo I've seen in a long while. Keep an eye out for this one during the beta timeframe, 'cause if you're saddled with a boatload of VPNs today it's going to rock your world.