Mon 2 Feb 2009

Windows 7 DirectAccess – Features

Check out all reviews and tips about Windows 7 on 4sysops.

DirectAccess is a new feature of Windows 7 and Windows Server 2008 R2. It has the same purpose as VPN, i.e., it allows users to connect securely to the corporate network through the Internet. The main difference is that the connection is established in the background without requiring user interaction. This article is mostly a summary of Microsoft’s white paper Technical Overview of DirectAccess in Windows 7 and Windows Server 2008 R2. I also installed DirectAccess on Windows Server 2008 R2, but since there is no technical documentation yet, I had to postpone more detailed tests until Microsoft provides more information. In my next post I will share some practical experiences.

Requirements

DirectAccess server must run on Windows Server 2008 R2
DirectAccess client must run on Windows 7
DirectAccess Server requires two network cards
Active Directory
IPv6
PKI (Public Key Infrastructure)

Advantages of Direct Access

User doesn’t have to establish the connection
User doesn’t have to reconnect if the Internet connection breaks
Group Policy settings get active before user logs on
Users can log on to Active Directory, just like in the intranet
Works together with NAP (Network Access Protection) and NAC (Network Access Control) solutions
Communication to the corporate network is encrypted with IPsec

Two IPsec tunnels (and authentication methods)

Only the machine certificate is used for authentication: The remote computer can only connect to the corporate DNS server, Group Policy, and to Active Directory in order to be able to log on
The machine certificate and user credentials are used for authentication: Only then will DirectAccess grant access to other internal resources

Two connection methods

Selected Server Access: IPsec connection through DirectAccess server to each application server; application servers have to run Windows Server 2008 R2 or Windows Server 2008 and must support IPv6 and IPsec
Full Enterprise Network Access: IPsec connection to an IPsec gateway (can be the DirectAccess server); IPsec gateway forwards traffic to IPv4 application servers

Connection through the Internet

If a native IPv6 network isn’t available, the client has to establish an IPv6 over IPv4 tunnel
Tunnel protocols supported: Teredo, 6to4 or Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), IP-HTTPS (firewall friendly)
By default, Internet traffic is not routed through DirectAccess server
Administrators can configure Windows Firewall to route traffic for specific applications or subnets through the DirectAccess server

Also check out my article about the experiences I made with DirectAccess.

20 Comments

Comment feed

Comment by Rune Flo — February 3, 2009 @ 4:40 am

How did you install DirectAccess? I can’t find it, neither in Roles nor Features.
Comment by Michael Pietroforte — February 3, 2009 @ 4:48 am

The name of the feature under Windows Server 2008 R2 is “Direct Access Management Console”. I will post something about this later today.
Comment by Ed Alexander — February 5, 2009 @ 7:49 am

I have also looked through Roles and Features but have found no way to install the feature and run the wizard. Running Windows Server 2008 R2 x64.
Comment by Michael Pietroforte — February 5, 2009 @ 7:51 am

That’s strange. What build do you have?
Comment by Ed Alexander — February 5, 2009 @ 8:23 am

Windows Server 2008 R2 Standard x64… Do I need to upgrade to Enterprise?

My copy is a very recent download from Technet Plus.

btw: the wallpaper note (lower right hand corner) shows Windows 7, Build 7000 …. strange but not suprising either.
Comment by Ed Alexander — February 5, 2009 @ 11:54 am

The issue was indeed that Enterprise is required. Problem solved.

Thanks!
Comment by Michael Pietroforte — February 5, 2009 @ 12:26 pm

Ed, that is interesting. I wasn’t aware of the fact that only the Enterprise edition supports DirectAcess. Were you also able to find the DirectAccess client?
Comment by Ed Alexander — February 6, 2009 @ 2:37 am

I will find out this weekend. First I have to scavenge a second NIC for the R2 server and figure out how to setup an IPV6 scope for DHCP role… When I get it all working (and confirm remote connectivity) I will post the results.
Comment by Sachin — February 9, 2009 @ 9:16 pm

How do i enable directaccess on windows 7
Comment by Michael Pietroforte — February 10, 2009 @ 4:54 am

Sachin, I have been wondering this too. There is a new white paper about DirectAccess. Perhaps it answers your question.
Comment by Bassam N. — March 2, 2009 @ 8:54 pm

I think there is still some security issues that are coming with this technique (DirectAccess), but microsoft tem hidden this point in their white paper. if you have any idea bout it please give us your view that you got from your summary.

Best regards;
Pingback by Synergies of Microsoft Windows 7 and Server 2008 RC « On-Site Computer Services, Inc. in New Orleans Blog 504-469-6991 — May 19, 2009 @ 6:57 am

[...] ballyhooed features resulting from the union of Windows 7 and Server 2008 RC are BranchCache and DirectAccess. BranchCache is designed for improved access to remote files away from corporate headquarters. [...]
Comment by Eric — July 28, 2009 @ 9:33 pm

For people who can’t wait to try or start using this kind of capability, you use a program called VPN Dialer 2009 which is widely available just by looking for it on any search engine. Its key feature is to set up a persistent VPN link from Windows XP/Vista to any RRAS server using a standard VPN user account, and keeps it connected even when no user is logged on, for as long as the remote system has power and Internet access.
Comment by ahollister — March 11, 2010 @ 5:51 am

so how will this deal with the situation of a mobile user connecting via aircard?

currently i have the problem that until the user logs in and activates the aircard software, there is no internet connection….

any ideas or advice much appreciated
Comment by Eric — March 11, 2010 @ 6:45 am

If a mobile user is connecting from a laptop, the laptop is joined to the domain, and the user has previously logged into the domain, the credentials will be cached, so the user can log in even though there is no connection back to the main office at the time of login. As soon as laptop computer is on the Internet, the laptop will have access to the main network (to access shares, etc.). This description is true for both DirectAccess and the VPN Dialer 2009 products.
Comment by Tiago — August 25, 2010 @ 8:23 pm

Hellou Michael i have one question about Direct access
so is possible create one envirioment with direct access but without dmz?

tks
Comment by Michael Pietroforte — August 26, 2010 @ 12:04 am

Tiago, when I wrote the article DirectAccess was not yet available and I haven’t tried it since it is available. However, as far as I know you need at least two NICs in your server. I guess that was your question.
Comment by asd — December 17, 2010 @ 9:58 am

WTF – I spend thousands licensing standard and Win 7 Pro and MS hides the fact DirectAccess and Branch Caching are only in server enterprise and Win7 Ulti or Enterprise. Very productive. Apple servers have come a long way….. every year MS.. you pull another stunt….
Comment by PowerUser — November 13, 2011 @ 9:37 am

asd – the fact that you don’t know the features of the OS’s that you pay “thousands licensing” is really sad. Microsoft publishes all the features and the version of OS that supports it.
I’m not sure how you not being able to read or Google is a Microsoft stunt…but if it is I’m with you on that one. No really….
Comment by PowerUser — November 13, 2011 @ 9:39 am

Tiago – you will need to have 2 environments for this to work. The internet and your LAN, or two different LAN’s.