DirectAccess is a new feature of Windows 7 and Windows Server 2008 R2. It serves the same purpose as a VPN, i.e., it lets users connect securely to the corporate network over the Internet. The main difference is that the connection is established in the background, without any user interaction. This article is mostly a summary of Microsoft's white paper Technical Overview of DirectAccess in Windows 7 and Windows Server 2008 R2. I also installed DirectAccess on Windows Server 2008 R2, but since there is no technical documentation yet, I had to postpone more detailed tests until Microsoft provides more information. In my next post I will share some practical experiences.
[Figure: DirectAccess Internet traffic routing]

By Michael Pietroforte

Requirements

  • DirectAccess server must run on Windows Server 2008 R2
  • DirectAccess client must run on Windows 7
  • DirectAccess server requires two network cards
  • Active Directory
  • IPv6
  • PKI (Public Key Infrastructure)

Advantages of DirectAccess

  • The user doesn't have to establish the connection
  • The user doesn't have to reconnect if the Internet connection drops
  • Group Policy settings are applied before the user logs on
  • Users can log on to Active Directory just as they would on the intranet
  • Works together with NAP (Network Access Protection) and NAC (Network Access Control) solutions
  • Communication with the corporate network is encrypted with IPsec

Two IPsec tunnels (and authentication methods)

  • First tunnel, authenticated with the machine certificate only: the remote computer can reach only the corporate DNS server, Group Policy, and Active Directory, which is enough for it to log on
  • Second tunnel, authenticated with the machine certificate and the user's credentials: only then does DirectAccess grant access to other internal resources

Two connection methods

    [Figure: DirectAccess Selected Server Access]

  • Selected Server Access: IPsec connection through the DirectAccess server to each application server; application servers have to run Windows Server 2008 R2 or Windows Server 2008 and must support IPv6 and IPsec

    [Figure: DirectAccess Full Enterprise Network Access]

  • Full Enterprise Network Access: IPsec connection to an IPsec gateway (which can be the DirectAccess server); the IPsec gateway forwards traffic to IPv4 application servers

Connection through the Internet

  • If a native IPv6 network isn't available, the client has to establish an IPv6-over-IPv4 tunnel
  • Supported tunnel protocols: Teredo, 6to4, Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), and IP-HTTPS (firewall friendly)
  • By default, Internet traffic is not routed through the DirectAccess server
  • Administrators can configure Windows Firewall to route the traffic of specific applications or subnets through the DirectAccess server
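As an added example (not from the article or from Microsoft's white paper), the following Python script decodes the address formats of the tunnel protocols listed above. Given an IPv6 address seen on the DirectAccess server, for instance in IPsec or firewall logs, it tells you whether the client arrived over Teredo, 6to4 or ISATAP and recovers the public IPv4 address embedded in the IPv6 address, which is what you need to correlate a DirectAccess session with IPv4 edge logs; the sample addresses at the bottom are constructed from documentation ranges.

```python
"""Decode which IPv6 transition technology produced a client address.

Added example, not part of the original article.  Native IPv6 and IP-HTTPS
clients (whose addresses carry no embedded IPv4 address) are reported as
"native/other"; Teredo, 6to4 and ISATAP addresses are decoded per their RFCs.
"""
import ipaddress
from typing import Dict, Optional


def _v4(n: int) -> str:
    """Render a 32-bit integer as dotted-quad IPv4 text."""
    return str(ipaddress.IPv4Address(n))


def classify_ipv6(text: str) -> Dict[str, Optional[str]]:
    """Return {'technology', 'client_ipv4', ...} for one IPv6 address."""
    n = int(ipaddress.IPv6Address(text))
    # Teredo (RFC 4380): 2001:0000:<server v4>:<flags>:<~port>:<~client v4>
    # The UDP port and the client IPv4 address are stored bitwise-inverted.
    if (n >> 96) == 0x20010000:
        return {
            "technology": "Teredo",
            "teredo_server_ipv4": _v4((n >> 64) & 0xFFFFFFFF),
            "client_ipv4": _v4((n & 0xFFFFFFFF) ^ 0xFFFFFFFF),
            "client_udp_port": str(((n >> 32) & 0xFFFF) ^ 0xFFFF),
        }
    # 6to4 (RFC 3056): 2002:<v4 high 16 bits>:<v4 low 16 bits>::/48
    if (n >> 112) == 0x2002:
        return {"technology": "6to4", "client_ipv4": _v4((n >> 80) & 0xFFFFFFFF)}
    # ISATAP (RFC 5214): interface ID is [0|1|2|3]00:5EFE:<v4>; the top
    # byte carries only the u/g bits, so mask them out before comparing.
    iid = n & 0xFFFFFFFFFFFFFFFF
    if ((iid >> 32) & 0xFCFFFFFF) == 0x00005EFE:
        return {"technology": "ISATAP", "client_ipv4": _v4(iid & 0xFFFFFFFF)}
    return {"technology": "native/other", "client_ipv4": None}


if __name__ == "__main__":
    # Constructed sample addresses (documentation ranges, not real clients).
    for sample in ("2001:0:4136:e378:8000:63bf:3fff:fdd2",  # RFC 4380 example
                   "2002:c000:204::1", "fe80::5efe:c000:20a", "2001:db8::1"):
        print(sample, "->", classify_ipv6(sample))
```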

Also check out my article about my practical experiences with DirectAccess.

20 Comments
  1. Rune Flo, 15 years ago

    How did you install DirectAccess? I can’t find it, neither in Roles nor Features.

  2.

    The name of the feature under Windows Server 2008 R2 is “Direct Access Management Console”. I will post something about this later today.

  3. Ed Alexander, 15 years ago

    I have also looked through Roles and Features but have found no way to install the feature and run the wizard. Running Windows Server 2008 R2 x64.

  4.

    That’s strange. What build do you have?

  5. Ed Alexander, 15 years ago

    Windows Server 2008 R2 Standard x64... Do I need to upgrade to Enterprise?

    My copy is a very recent download from Technet Plus.

    BTW: the wallpaper note (lower right-hand corner) shows Windows 7, Build 7000... strange, but not surprising either.

  6. Ed Alexander, 15 years ago

    The issue was indeed that Enterprise is required. Problem solved.

    Thanks!

  7.

    Ed, that is interesting. I wasn’t aware of the fact that only the Enterprise edition supports DirectAccess. Were you also able to find the DirectAccess client?

  8. Ed Alexander, 15 years ago

    I will find out this weekend. First I have to scavenge a second NIC for the R2 server and figure out how to set up an IPv6 scope for the DHCP role... When I get it all working (and confirm remote connectivity) I will post the results.

  9. Sachin, 15 years ago

    How do I enable DirectAccess on Windows 7?

  10.

    Sachin, I have been wondering this too. There is a new white paper about DirectAccess. Perhaps it answers your question.

  11. Bassam N., 15 years ago

    I think there are still some security issues that come with this technique (DirectAccess), but Microsoft has hidden this point in their white paper. If you have any idea about it, please give us the view that you got from your summary.

    Best regards;

  12. Eric, 14 years ago

    For people who can’t wait to try or start using this kind of capability, you can use a program called VPN Dialer 2009, which is widely available just by looking for it on any search engine. Its key feature is to set up a persistent VPN link from Windows XP/Vista to any RRAS server using a standard VPN user account, and it keeps it connected even when no user is logged on, for as long as the remote system has power and Internet access.

  13. ahollister, 14 years ago

    So how will this deal with the situation of a mobile user connecting via aircard?

    Currently I have the problem that until the user logs in and activates the aircard software, there is no Internet connection...

    Any ideas or advice much appreciated.

  14. Eric, 14 years ago

    If a mobile user is connecting from a laptop, the laptop is joined to the domain, and the user has previously logged into the domain, the credentials will be cached, so the user can log in even though there is no connection back to the main office at the time of login. As soon as the laptop computer is on the Internet, the laptop will have access to the main network (to access shares, etc.). This description is true for both DirectAccess and the VPN Dialer 2009 products.

  15. Tiago, 13 years ago

    Hello Michael, I have one question about DirectAccess:
    is it possible to create an environment with DirectAccess but without a DMZ?

    Thanks

  16.

    Tiago, when I wrote the article DirectAccess was not yet available, and I haven’t tried it since it became available. However, as far as I know you need at least two NICs in your server. I guess that was your question.

  17. asd, 13 years ago

    WTF – I spent thousands licensing Standard and Win 7 Pro, and MS hides the fact that DirectAccess and Branch Caching are only in Server Enterprise and Win7 Ulti or Enterprise. Very productive. Apple servers have come a long way... every year, MS, you pull another stunt...

  18. PowerUser, 12 years ago

    asd – the fact that you don’t know the features of the OSes that you pay “thousands licensing” for is really sad. Microsoft publishes all the features and the version of the OS that supports them.
    I’m not sure how you not being able to read or Google is a Microsoft stunt... but if it is, I’m with you on that one. No, really...

  19. PowerUser, 12 years ago

    Tiago – you will need to have two environments for this to work: the Internet and your LAN, or two different LANs.

© 4sysops 2006 - 2023
