Windows 7 DirectAccess – Features

Michael PietroforteMVP By Michael Pietroforte - Mon, February 2, 2009 - 20 comments google+ icon

Michael Pietroforte is the founder and editor of 4sysops. He is a Microsoft Most Valuable Professional (MVP) with more than 30 years of experience in system administration.

DirectAccess is a new feature of Windows 7 and Windows Server 2008 R2. It has the same purpose as VPN, i.e., it allows users to connect securely to the corporate network through the Internet. The main difference is that the connection is established in the background without requiring user interaction. This article is mostly a summary of Microsoft’s white paper Technical Overview of DirectAccess in Windows 7 and Windows Server 2008 R2. I also installed DirectAccess on Windows Server 2008 R2, but since there is no technical documentation yet, I had to postpone more detailed tests until Microsoft provides more information. In my next post I will share some practical experiences.
DirectAccess-Internet-traffic-routing

Requirements

  • DirectAccess server must run on Windows Server 2008 R2
  • DirectAccess client must run on Windows 7
  • DirectAccess Server requires two network cards
  • Active Directory
  • IPv6
  • PKI (Public Key Infrastructure)

Advantages of Direct Access

  • User doesn’t have to establish the connection
  • User doesn’t have to reconnect if the Internet connection breaks
  • Group Policy settings get active before user logs on
  • Users can log on to Active Directory, just like in the intranet
  • Works together with NAP (Network Access Protection) and NAC (Network Access Control) solutions
  • Communication to the corporate network is encrypted with IPsec

Two IPsec tunnels (and authentication methods)

  • Only the machine certificate is used for authentication: The remote computer can only connect to the corporate DNS server, Group Policy, and to Active Directory in order to be able to log on
  • The machine certificate and user credentials are used for authentication: Only then will DirectAccess grant access to other internal resources

Two connection methods

    DirectAccess-Selected-Server-Access

  • Selected Server Access: IPsec connection through DirectAccess server to each application server; application servers have to run Windows Server 2008 R2 or Windows Server 2008 and must support IPv6 and IPsec DirectAccess-Full-Enterprise-Network-Access
  • Full Enterprise Network Access: IPsec connection to an IPsec gateway (can be the DirectAccess server); IPsec gateway forwards traffic to IPv4 application servers

Connection through the Internet

  • If a native IPv6 network isn’t available, the client has to establish an IPv6 over IPv4 tunnel
  • Tunnel protocols supported: Teredo, 6to4 or Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), IP-HTTPS (firewall friendly)
  • By default, Internet traffic is not routed through DirectAccess server
  • Administrators can configure Windows Firewall to route traffic for specific applications or subnets through the DirectAccess server

Also check out my article about the experiences I made with DirectAccess.

-1+1 - Rate this post
Loading ... Loading ...
Your question wasn't answered? Ask in the new 4sysops forum!

20 Comments- Leave a Reply

  1. Rune Flo says:

    How did you install DirectAccess? I can’t find it, neither in Roles nor Features.

  2. The name of the feature under Windows Server 2008 R2 is “Direct Access Management Console”. I will post something about this later today.

  3. Ed Alexander says:

    I have also looked through Roles and Features but have found no way to install the feature and run the wizard. Running Windows Server 2008 R2 x64.

  4. That’s strange. What build do you have?

  5. Ed Alexander says:

    Windows Server 2008 R2 Standard x64… Do I need to upgrade to Enterprise?

    My copy is a very recent download from Technet Plus.

    btw: the wallpaper note (lower right hand corner) shows Windows 7, Build 7000 …. strange but not suprising either.

  6. Ed Alexander says:

    The issue was indeed that Enterprise is required. Problem solved.

    Thanks!

  7. Ed, that is interesting. I wasn’t aware of the fact that only the Enterprise edition supports DirectAcess. Were you also able to find the DirectAccess client?

  8. Ed Alexander says:

    I will find out this weekend. First I have to scavenge a second NIC for the R2 server and figure out how to setup an IPV6 scope for DHCP role… When I get it all working (and confirm remote connectivity) I will post the results.

  9. Sachin says:

    How do i enable directaccess on windows 7

  10. Sachin, I have been wondering this too. There is a new white paper about DirectAccess. Perhaps it answers your question.

  11. Bassam N. says:

    I think there is still some security issues that are coming with this technique (DirectAccess), but microsoft tem hidden this point in their white paper. if you have any idea bout it please give us your view that you got from your summary.

    Best regards;

  12. [...] ballyhooed features resulting from the union of Windows 7 and Server 2008 RC are BranchCache and DirectAccess.  BranchCache is designed for improved access to remote files away from corporate headquarters. [...]

  13. Eric says:

    For people who can’t wait to try or start using this kind of capability, you use a program called VPN Dialer 2009 which is widely available just by looking for it on any search engine. Its key feature is to set up a persistent VPN link from Windows XP/Vista to any RRAS server using a standard VPN user account, and keeps it connected even when no user is logged on, for as long as the remote system has power and Internet access.

  14. ahollister says:

    so how will this deal with the situation of a mobile user connecting via aircard?

    currently i have the problem that until the user logs in and activates the aircard software, there is no internet connection….

    any ideas or advice much appreciated

  15. Eric says:

    If a mobile user is connecting from a laptop, the laptop is joined to the domain, and the user has previously logged into the domain, the credentials will be cached, so the user can log in even though there is no connection back to the main office at the time of login. As soon as laptop computer is on the Internet, the laptop will have access to the main network (to access shares, etc.). This description is true for both DirectAccess and the VPN Dialer 2009 products.

  16. Tiago says:

    Hellou Michael i have one question about Direct access
    so is possible create one envirioment with direct access but without dmz?

    tks

  17. Tiago, when I wrote the article DirectAccess was not yet available and I haven’t tried it since it is available. However, as far as I know you need at least two NICs in your server. I guess that was your question.

  18. asd says:

    WTF – I spend thousands licensing standard and Win 7 Pro and MS hides the fact DirectAccess and Branch Caching are only in server enterprise and Win7 Ulti or Enterprise. Very productive. Apple servers have come a long way….. every year MS.. you pull another stunt….

  19. PowerUser says:

    asd – the fact that you don’t know the features of the OS’s that you pay “thousands licensing” is really sad. Microsoft publishes all the features and the version of OS that supports it.
    I’m not sure how you not being able to read or Google is a Microsoft stunt…but if it is I’m with you on that one. No really….

  20. PowerUser says:

    Tiago – you will need to have 2 environments for this to work. The internet and your LAN, or two different LAN’s.

===Leave a Comment===

Login

Lost your password?