Editor's Note: The following MVP Monday post is by ForeFront MVP Jordan Krause.
I have been working with Microsoft DirectAccess for about two years now, and I typically find myself writing or speaking about a deep-dive description of “this” or a technical write-up of “that”. Today I wanted to take a step back and cover DirectAccess at a higher level, both because there are some real world scenarios that anyone, not only the network security team, would be interested in hearing about, and also because speaking with new individuals and organizations almost daily over the past two years has brought me to realize that the majority of the IT population is still unaware of this amazing new technology. So here’s to spreading the word…
I almost titled this one “Users will consider you a hero” but it looked silly on paper. Apparently not too silly as I just typed it anyway. Think of DirectAccess as a completely automatic VPN connection. Around the office here, we like to call it “userless”. A DirectAccess laptop is connected to the corporate network automatically, without user input, the moment that it receives internet connectivity. One of the reasons that I love working with DA so much is the feedback I receive from, well, everyone. Users love it because their workflow processes are exactly the same whether they are sitting in the office or sitting in a coffee shop, IT loves it because those laptops are always available and managed (more on that later), and executives love it not only for their own use, but also because of the reduced helpdesk costs that it brings to the table (also more on this later).
In the majority of my implementations, a reduction in support and helpdesk costs is a bonus side-effect that is often not realized until months after the rollout of DirectAccess. In most companies, a high percentage of helpdesk calls are from remote users struggling with a VPN connection. Here are some of the things you will no longer need to worry about:

Forgotten passwords – There aren’t many good options for an employee who has forgotten their password and isn’t going to be back in the office in the near future. Nor for a user who reset an expired password on their desktop at the office, only to find out that this password change was not reflected on the laptop they are now trying to use from home. If you can get logged into the laptop with an old cached password you stand a decent chance of getting this situation straightened out, though it’s still going to be a headache and time consuming for the helpdesk. On the other hand, I have seen far too many cases where the password was forgotten and the only recourse is for the helpdesk to reset the password in Active Directory. In this situation, until that laptop is plugged back into the corporate network the only purpose it’s going to serve is to emit a friendly glow while it sits on the login screen. As you may have guessed by now, these problems are non-existent on a DirectAccess laptop. When the helpdesk resets a password in Active Directory, that new password is available for the user to type into their login screen in real time. The user can literally call the helpdesk (“I forgot my password”), the helpdesk resets the password, the user logs in with the new password, and they are off the phone in less than a minute.

Port restricted firewalls – We have all been in a hotel room or connected to a public WiFi only to discover that we have internet access, but our VPN will not connect. I won’t get into the technical nitty-gritty here, but will simply state that DirectAccess is able to work around these kinds of firewalls that prohibit traditional VPNs from connecting.

VPN software not working – Having a VPN means you have VPN software installed on the client computer. Sometimes software breaks; it’s inevitable. DirectAccess has no client software. The componentry for DA is baked right into the Windows 7 operating system. There’s nothing to install, nothing to break, and therefore nothing to worry about.
Many of you probably realized this benefit after reading above about the always-on user experience. A seamless, self-connecting tunnel to the corporate network not only enables users to have a continuous connection to the network, but also allows the network to have a continuous connection to the laptops. Even before the user authenticates to the machine, as soon as that machine gets internet access an IPsec tunnel is established that we like to call the “Management Tunnel” or “Infrastructure Tunnel”. This means that if the device is turned on and has an internet connection, even if it is still sitting at the login screen, the IT department and management servers have the ability to push patches, push SCCM, push Group Policy objects, and even remotely control that remote computer from the corporate network. There’s no more waiting around for users to connect their VPN before patches and antivirus definition files can be updated; with the implementation of DirectAccess, organizations see patch application rates immediately skyrocket. This always-on management capability is actually the sole reason that many of the customers I work with decide to use DirectAccess. While they all have plans to move to the “two way street”, with DirectAccess enabling the users to access applications in the future, for the present they may be happy with whatever remote access solution they currently have; rather than scrambling to train all of the users on something new, DirectAccess is implemented as a “one way street” that only allows this management access and is used only for the continuous updating of their remote devices. Even in this limited one-way-street, manage-only kind of installation, you still get the password reset benefits that I mentioned earlier.
Now that you have a grasp on what DirectAccess is and how it could benefit both your remote users and your management systems, let’s expand the playing field a little. In most cases when referencing a “DirectAccess client computer” we are talking about a laptop that is roaming the earth, connecting back to the corporate datacenter automatically whenever that machine gets an internet connection. Another less obvious way to gain benefit from DirectAccess as a technology is what I call the Branch Office Scenario. Many, many companies have multiple physical locations. There is commonly a main office and one or more branch offices which contain a lesser number of personnel. I speak with companies all the time who have branch offices all around the country or the world, and in most cases these branch offices are connecting back to the main office by either a semi-finicky site-to-site VPN or an expensive MPLS circuit. I used to work for such a company where we had hundreds of offices, many of them with only 2-5 people, and each had a dedicated frame relay circuit that cost a lot of money for very little bandwidth. The monthly cost combined with the equipment cost and the stack of networking equipment piled up in the corner of these mostly single-room offices made the whole thing seem silly at times. How would you like to dump all of those expensive lines for regular internet connections? Enter DirectAccess. With DA running in your main office, you can trade in the dedicated circuits in these remote sites for regular internet connections, giving you much more bandwidth for a fraction of the cost. Then, provided your computers in that remote office are Windows 7, you simply make those computers DirectAccess connected computers and voila, they are all connected back to the corporate datacenter over secure IPsec tunnels 24x7x365. What about that local file server that might be sitting in one of your larger remote offices? Got that covered as well. Not only can Windows 7 operating systems run DirectAccess, but Server 2008 R2 can also be a DA client and connect seamlessly back to the corporate network.
I don’t want this to be misleading: you do not currently own EVERYTHING that you need to turn DirectAccess on, but if you have already accomplished or are planning to accomplish a Windows 7 rollout like so many companies are right now, you are awfully close. As stated earlier, there is no client software that needs to be installed to run DirectAccess. All of the components necessary to run this technology are baked right into the operating system of Windows 7 Enterprise, Windows 7 Ultimate, or Server 2008 R2. All you need is the DirectAccess “gateway”, for which you have a number of options. There are two different flavors of DirectAccess today. The first is native DA, for which you only need a simple Server 2008 R2 server in your network to be the gateway. Native DirectAccess comes with some particular requirements and limitations that make it harder to justify, like needing IPv6 inside your network and requiring all of your application servers to be Server 2008 R2. However, by far the more common flavor of DirectAccess is that provided by Microsoft’s Unified Access Gateway (UAG) platform. UAG is available as software that you can install on your own Server 2008 R2 box, or from Microsoft OEM system builders as specialized, hardened turn-key networking appliances. UAG brings so many advantages to the table that I will list just a few of them here. When running UAG for DirectAccess:

No IPv6 requirements – The need for IPv6 and all Server 2008 R2 inside your network goes out the window. IPv6 is still an integral part of the way that DirectAccess works, but UAG contains translation technologies known as NAT64/DNS64 that will make all of the appropriate translations for you so that you don’t need to change your internal infrastructure to take advantage of DirectAccess. In fact, I have a demo environment running an IPv4-only network and Server 2003 application servers (the UAG gateway itself is a DirectAccess Concentrator appliance built by IVO Networks) and running Active Directory 2000, and everything works perfectly.

Array and load balancing capabilities – Native DirectAccess does not provide you a way to run multiple gateways for redundancy. UAG provides the ability to join multiple gateways together in configuration arrays so that you need not make changes on each gateway individually, and also provides a Network Load Balancing mechanism that allows you to join multiple gateways together in active/active for both growth and redundancy purposes.

Security – Native DirectAccess means plugging a regular, general purpose server into the edge of your network. UAG contains Threat Management Gateway, Microsoft’s robust firewall software, so that your gateway (and everything behind it) is protected from the www.

Web portals – UAG is not only an engine for DirectAccess, but also contains full-fledged SSLVPN functionality. With UAG you can simultaneously provide a DirectAccess entry point and one or more web portals that offer browser-based access to applications and even full SSLVPN connectivity at the same time. Maybe one of your employees has a DirectAccess laptop but left it at the office and needs to check email or pull a document out of SharePoint from home. With a UAG portal running you have a secure entry point that they can jump into and grab what they need even without their corporate machine handy. The technical capabilities of UAG can (and have) filled a book, so I will leave it at this for now – UAG is designed to be a one stop shop for remote access. In many cases an implementation of UAG/DirectAccess on a single appliance (or array of appliances) equates to shutting down multiple vendor remote access solutions such as VPN, SSLVPN, virtual desktop solutions, etc.
Consolidation of remote access makes life easier for the users, cuts down on administration time, and is good for the budget.
So there you have it, my summary of what I believe to be the future of remote access. I am fortunate enough to be immersed in these technologies daily so if you have any questions, or if there are any particular areas of DirectAccess that you would like to see expanded upon in subsequent articles, please feel free to reach out to me.
Jordan Krause is a Microsoft Forefront MVP and enjoys working “on the edge”. As a Senior Engineer at IVO Networks he spends most of his days designing and implementing the integration of Forefront technologies for enterprises around the world. Jordan’s primary focuses are Unified Access Gateway and Threat Management Gateway, his favorite technology without a doubt being DirectAccess provided by UAG. Committed to continuous learning, Jordan holds multiple certifications including Microsoft Certified IT Professional in Enterprise Administration (MCITP: EA). He posts Forefront related articles and tech notes on the following page: http://www.ivonetworks.com/news/ and can be found via Twitter @jokra.
The MVP Monday Series is created by Melissa Travers. In this series we work to provide readers with a guest post from an MVP every Monday. Melissa is a Community Program Manager for Dynamics, Excel, Office 365, Platforms and SharePoint in the United States. She has been working with MVPs since her early days as a Microsoft Exchange Support Engineer, when MVPs would answer all the questions in the old newsgroups before she could get to them.
The part about DirectAccess not breaking is a pretty far stretch. I see it break on machines at least once a month and the only suggestion Microsoft has is format it and reinstall Windows... i.e. Windows breaks when DirectAccess breaks.
Hey Frank, I'm sorry to hear that you are having trouble. What you are experiencing is not normal, and could be caused by a GPO conflicting with DA settings or something in a build image. I have installed DirectAccess hundreds of times and have many customers who are running thousands of users, and clients "breaking", especially to the point of needing to reinstall Windows, is not normal in any way. Only one case sticks out as being close to your symptoms: it's a company that comes across a DirectAccess client once every couple of months where DA stops working, but it's always after their antivirus has cleared out malware, and that cleaning process removes parts of the DA transition technologies. Even in those cases they don't have to reinstall Windows. Anyway, I hope you are able to pinpoint the problem, because it shouldn't be that way!
My organisation is looking at Direct Access 2012; however, we have found information to suggest that our forest/domain functional level must be at least Windows 2008 R2. Avoiding the technical specifics, we have a 2-forest trust with both forests and domains running at Windows 2008 (not R2), and due to issues with legacy applications it will be costly and time consuming to upgrade the functional levels to 2008 R2 or higher.
We cannot find any official Microsoft information on pre-requisites for the forest/domain functional level for DA 2012 so wondered if anyone can help with this?
Is the functional level of Windows 2008 R2 a minimum requirement for DA 2012 or is our information source just plain wrong with their statement?
At this point I wouldn't recommend anyone embrace DA. Unlike every other VPN technology in the world, Direct Access will prevent client machines that are already inside the network from being able to communicate when the DA host machine is down.
Normal VPN + Laptop In Building + VPN down = Connection
Normal VPN + Laptop In Building + VPN up = Connection
Normal VPN + Laptop Out Of Building + VPN up = Connection
Normal VPN + Laptop Out Of Building + VPN down = No Connection
DA VPN + Laptop In Building + VPN down = No Connection
DA VPN + Laptop In Building + VPN up = Connection
DA VPN + Laptop Out Of Building + VPN up = Connection
DA VPN + Laptop Out Of Building + VPN down = No Connection