DirectAccess Benefits and Requirements
The DirectAccess feature in Windows 7 and Windows Server 2008 R2 (WS08 R2) offers a solution similar to a Virtual Private Network (VPN): users can work remotely and have the same experience as if they were working in the office. For example, users can access file shares, use an e-mail client, and visit intranet Web sites, all without establishing a VPN connection.
DirectAccess provides the following benefits:
- Seamless connectivity. DirectAccess is on whenever the user has an Internet connection, giving users access to intranet resources whether they are traveling, at the local coffee shop, or at home.
- Remote management. IT administrators can connect directly to DirectAccess client computers to monitor them, manage them, and deploy updates, even when the user is not logged on. This can reduce the cost of managing remote computers by keeping them up-to-date with critical updates and configuration changes.
- Improved security. DirectAccess uses IPsec for authentication and encryption. Optionally, you can require smart cards for user authentication. DirectAccess integrates with Network Access Protection (NAP) to require that DirectAccess clients be compliant with system health requirements before a connection to the DirectAccess server is allowed. IT administrators can configure the DirectAccess server to restrict the servers that users and individual applications can access.
DirectAccess also enables users to get more out of other Windows 7 networking improvements, such as:
- Federated Search. With Federated Search, desktop searches can include files and Web pages on your intranet whenever the user is connected to your intranet. Because DirectAccess connects users to the intranet whenever they connect to the Internet, Federated Search works automatically any time the user has an Internet connection.
- Folder Redirection. With Folder Redirection, folders can automatically synchronize between multiple computers across the network. If you enable DirectAccess, users with both mobile and desktop computers can stay synchronized automatically whenever they connect to the Internet.
- Replaceable computer scenario. In this scenario, a user’s applications, documents, and settings are stored on the network and available from any computer. If a computer is lost or corrupted, the replacement computer does not require user-specific configuration.
The following table compares DirectAccess with VPNs. An X marks the technology that provides each capability; the last four rows are VPN advantages, consistent with the DirectAccess requirements listed below (Windows Server 2008 R2 on the server, Windows 7 domain-joined clients).

| Capability | DirectAccess | VPN |
| --- | --- | --- |
| Client computer connects automatically (not user-initiated) | X | |
| Works through all firewalls | X | |
| Supports selected server access and IPsec authentication with an intranet network server | X | |
| Supports end-to-end authentication and encryption | X | |
| Supports management of remote client computers | X | |
| Compatible with Windows Vista® and earlier versions of Windows client computers | | X |
| Compatible with client computers running non-Microsoft® operating systems | | X |
| Compatible with non-domain joined computers | | X |
| Does not require Windows Server 2008 R2 on the remote access server | | X |
DirectAccess has the following requirements on Windows Server 2008 R2 (note that the requirements differ between Windows Server 2008 R2 and Windows Server 2012):
- One or more DirectAccess servers running Windows Server 2008 R2 with two network interface cards (NICs): one NIC connected directly to the Internet and the other connected to the intranet, or private network.
- DirectAccess server should have at least two consecutive, public IPv4 addresses assigned to the NIC that’s connected to the Internet.
- DirectAccess clients should be running Windows 7.
- At least one Domain Controller and DNS server should be running WS08 SP2 or WS08 R2.
- A public key infrastructure (PKI) should be present to issue computer certificates, smart card certificates, and, health certificates for NAP.
- IPsec policies are required to specify protection for network traffic.
- IPv6 transition technologies should be available on the DirectAccess server, e.g. ISATAP, Teredo, and 6to4.
- Optionally, a third-party NAT-PT device to provide access to IPv4-only resources for DirectAccess clients.
When the Remote Access Getting Started Wizard or the Remote Access Setup Wizard is run, it checks the status of the network interfaces on the server to determine whether the DirectAccess server is located behind a NAT device. In that configuration, only IP over HTTPS (IP-HTTPS) is deployed. IP-HTTPS is an IPv6 transition technology that establishes a secure IP tunnel over a secure HTTP (TLS) connection, so it works even when the server has no public IPv4 address of its own.
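The following script is an added pre-deployment check, not code from the original article or from Microsoft. It takes the IPv4 addresses assigned to the Internet-facing NIC and reports whether the server is behind NAT (IP-HTTPS only, as the wizard behaviour above describes) and whether the "two consecutive public IPv4 addresses" requirement from the list above is met. The mapping of addresses to transition technologies is the editor's reading of the page plus the known Teredo requirement for two consecutive public IPv4 addresses; the sample addresses are constructed from the RFC 5737 TEST-NET-3 range, which the check deliberately treats as public so that the samples work.

```python
import ipaddress
from typing import Dict, Iterable, List

# Address ranges that cannot appear on a NIC that faces the public Internet
# directly. RFC 1918 and RFC 6598 (100.64.0.0/10, carrier-grade NAT) addresses
# mean the server sits behind a NAT device. The RFC 5737 documentation ranges
# (192.0.2/24, 198.51.100/24, 203.0.113/24) are intentionally NOT listed, so the
# constructed sample addresses below count as public.
_NOT_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]


def is_public_ipv4(addr: str) -> bool:
    """True if addr is an IPv4 address outside every non-public range above."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return False
    return not any(ip in net for net in _NOT_PUBLIC)


def has_consecutive_pair(addrs: Iterable[str]) -> bool:
    """True if at least two of the addresses are numerically adjacent."""
    ints = sorted(int(ipaddress.ip_address(a)) for a in addrs)
    return any(b - a == 1 for a, b in zip(ints, ints[1:]))


def plan_transition_technologies(internet_nic_addrs: Iterable[str]) -> Dict[str, object]:
    """Decide which IPv6 transition technologies the Internet NIC supports.

    - No public IPv4 address: the server is behind NAT, only IP-HTTPS applies.
    - At least one public IPv4 address: 6to4 and IP-HTTPS are possible.
    - Two consecutive public IPv4 addresses: Teredo is possible as well.
    """
    addrs = list(internet_nic_addrs)
    public: List[str] = [a for a in addrs if is_public_ipv4(a)]
    result: Dict[str, object] = {
        "behind_nat": not public,
        "ip_https": True,   # always deployable, even behind NAT
        "6to4": False,
        "teredo": False,
        "warnings": [],
    }
    warnings: List[str] = result["warnings"]  # type: ignore[assignment]

    if not public:
        warnings.append(
            "No public IPv4 address on the Internet NIC: the server is behind "
            "NAT, so only IP-HTTPS will be deployed.")
        return result

    result["6to4"] = True
    if has_consecutive_pair(public):
        result["teredo"] = True
    else:
        warnings.append(
            "Teredo requires two consecutive public IPv4 addresses on the "
            f"Internet NIC; found {public}.")
    return result


if __name__ == "__main__":
    # Constructed sample address plans for three candidate servers.
    samples = {
        "two consecutive public": ["203.0.113.10", "203.0.113.11"],
        "two public, not consecutive": ["203.0.113.10", "203.0.113.12"],
        "behind NAT": ["192.168.1.10"],
    }
    for label, addrs in samples.items():
        plan = plan_transition_technologies(addrs)
        print(f"{label}: {plan}")
```

Run it with `python3 directaccess_check.py` (file name is the editor's choice). On a real Windows Server 2012 or later host the address list could be fed from `Get-NetIPAddress -AddressFamily IPv4` for the Internet-facing adapter; on Windows Server 2008 R2, from `netsh interface ipv4 show addresses`. The check only inspects addresses; it does not verify that the public addresses are actually reachable from the Internet, which the wizard also cannot tell you.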