Remote Access Technical Preview

Updated: February 29, 2012

Applies To: Windows Server 8 Beta

[This topic is pre-release documentation and is subject to change in future releases. Blank topics are included as placeholders.]

As increasing numbers of employees are required to remain productive while they are away from the office, the need for solutions that provide secure remote access to corporate networks has grown.

Windows Server “8” Beta provides an integrated remote access solution that is simple to deploy. Employees can access corporate network resources while working remotely, and IT administrators can manage corporate computers that are located outside the internal network.

To provide this functionality, remote access in Windows Server “8” Beta integrates DirectAccess and Routing and Remote Access Services (RRAS) VPN.

  • DirectAccess was introduced in Windows Server 2008 R2. It allows managed computers located outside the corporate network to securely access internal resources without VPN connectivity. It establishes transparent connectivity to the corporate network every time a DirectAccess client computer connects to the Internet, even before the user logs on. In addition, DirectAccess allows administrators to easily monitor connections and remotely manage DirectAccess client computers located on the Internet. Computers running Windows Server “8” Beta, Windows Server 2008 R2, Windows 8 Consumer Preview, and Windows 7 can be configured as DirectAccess client computers.

  • RRAS provides remote access VPN connectivity between remote clients and servers, site-to-site connections between servers, and routing. An RRAS VPN provides a remote access solution for client computers that are unmanaged or running operating systems earlier than Windows 7.

In Windows Server “8” Beta, DirectAccess and RRAS are integrated into a single Remote Access server role. The role is divided into two components: DirectAccess and VPN and Routing. DirectAccess and VPN can be configured together in the Remote Access Management console by using a single set of wizards. Other RRAS features can be configured by using the legacy Routing and Remote Management console. The new role allows for easy migration of RRAS and DirectAccess deployments from Windows 7, and it provides a number of new features and improvements.

Deployment requirements

DirectAccess deployment requirements include the following:

  • Server   One or more servers running Windows Server “8” Beta with the Remote Access role installed. The server can be deployed at the edge or behind an edge firewall or other device.

  • Domain   The server must be joined to an Active Directory Domain Services (AD DS) domain.

  • Network adapters   The server must have at least one network adapter installed and enabled. If deployed with a single adapter, IP-HTTPS will be used for client connections.

    Note

    To use Teredo, two network adapters with two public consecutive IPv4 addresses on the external adapter are required.

  • Permissions   The remote access administrator requires local administrator permissions on the server, domain user administrator permissions, and permissions to create a WMI filter (Domain Admins) on the domain controller. The WMI filter is required if the client Group Policy Object should be applied to only mobile computers in the domain.

  • Security groups   An Active Directory security group that contains the computers you want to enable as DirectAccess clients.

  • DNS   DNS server running Windows Server “8” Beta, Windows Server 2008 with SP2, or Windows Server 2008 R2.

  • Client computer support   DirectAccess client computer users must be members of an AD DS domain. DirectAccess client computers must be running Windows 8 Consumer Preview, Windows 7 Enterprise, Windows 7 Ultimate, Windows Server “8” Beta, or Windows Server 2008 R2.

  • Certificate requirements   A public key infrastructure (PKI) if the DirectAccess deployment requires NAP, two-factor authentication, or support for clients running Windows 7.
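As an added example that is not part of this topic, the following Windows PowerShell script checks the server-side requirements listed above and reports whether Teredo is possible or clients will be limited to IP-HTTPS. It assumes it runs on the prospective Remote Access server under Windows PowerShell 2.0 or later; the client security group name is a placeholder.

```powershell
# Added example (not from this TechNet topic): read-only check of the DirectAccess
# server requirements. Assumes it runs on the prospective Remote Access server under
# Windows PowerShell 2.0 or later; the client security group name is a placeholder.
param([string]$ClientGroupName = "DirectAccess Clients")   # placeholder group name

function Test-PublicIPv4([string]$Ip) {
    # RFC 1918, loopback and link-local ranges do not count as public addresses.
    $o = $Ip.Split('.') | ForEach-Object { [int]$_ }
    -not (($o[0] -eq 10) -or ($o[0] -eq 127) -or ($o[0] -eq 192 -and $o[1] -eq 168) -or
          ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or ($o[0] -eq 169 -and $o[1] -eq 254))
}

function Test-ConsecutivePublicIPv4([string[]]$Addresses) {
    # Teredo needs two consecutive public IPv4 addresses on the external adapter.
    $nums = @($Addresses | Where-Object { Test-PublicIPv4 $_ } | ForEach-Object {
        $o = $_.Split('.'); [long]$o[0] * 16777216 + [long]$o[1] * 65536 + [long]$o[2] * 256 + [long]$o[3]
    } | Sort-Object)
    for ($i = 1; $i -lt $nums.Count; $i++) { if ($nums[$i] - $nums[$i - 1] -eq 1) { return $true } }
    return $false
}

$checks = @()
# Domain: the server must be joined to an AD DS domain.
$cs = Get-WmiObject Win32_ComputerSystem
$checks += New-Object PSObject -Property @{ Check = "Joined to an AD DS domain"; Passed = [bool]$cs.PartOfDomain; Detail = $cs.Domain }

# Permissions: local administrator on the server (domain-level permissions must be checked separately).
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$checks += New-Object PSObject -Property @{ Check = "Running as local administrator"; Passed = $isAdmin; Detail = $id.Name }

# Network adapters: one enabled adapter is enough (clients then use IP-HTTPS);
# Teredo additionally needs two adapters and two consecutive public IPv4 addresses.
$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE")
$checks += New-Object PSObject -Property @{ Check = "At least one enabled adapter"; Passed = ($nics.Count -ge 1); Detail = "$($nics.Count) adapter(s)" }
$teredo = $false
foreach ($n in $nics) {
    $v4 = @($n.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })
    if ($nics.Count -ge 2 -and (Test-ConsecutivePublicIPv4 $v4)) { $teredo = $true }
}
$checks += New-Object PSObject -Property @{ Check = "Teredo possible (otherwise IP-HTTPS only)"; Passed = $teredo; Detail = "informational" }

# Security group: the group that will contain the DirectAccess client computers must exist.
try {
    $grp = ([ADSISearcher]"(&(objectCategory=group)(cn=$ClientGroupName))").FindOne()
    $checks += New-Object PSObject -Property @{ Check = "Client security group exists"; Passed = ($grp -ne $null); Detail = $ClientGroupName }
} catch {
    $checks += New-Object PSObject -Property @{ Check = "Client security group exists"; Passed = $false; Detail = $_.Exception.Message }
}

$checks | Select-Object Check, Passed, Detail | Format-Table -AutoSize
```

The Teredo row is informational only: a server that fails it still meets the minimum requirements and will serve clients over IP-HTTPS.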

Technical overview

This section summarizes the benefits of remote access in Windows Server “8” Beta, and new remote access features.

Improved management experience

  • Easy administration   DirectAccess and VPN can be configured, managed, and monitored in a single location by using the new Remote Access Management console. Multiple remote access servers can be managed from the console.

  • Improved monitoring   The Remote Access Management console in Windows Server “8” Beta provides detailed monitoring information as follows:

    • Dashboard: The dashboard provides top-level information about Remote Access servers and client computer activity. Reports can be generated quickly from the dashboard.

    • Operations status: Administrators can investigate the status of specific server components.

    • User and client computer monitoring: Administrators can view users and computers that are connected over VPN or DirectAccess at any time, and they can check the resources that clients are accessing.

    • Accounting: Data can be logged to a local Windows Internal Database or to a remote RADIUS server. The accounting log stores remote user information, operations statistics, server usage, and change history. Server usage logs provide server load statistics for the Remote Access server.

    • Troubleshooting: Detailed events and tracing are provided to help diagnose connectivity issues.

  • Network Connectivity Assistant (NCA)   NCA runs on DirectAccess client computers to provide a quick view of the DirectAccess connection status, links to corporate help resources, diagnostics tools, and troubleshooting information.

  • Windows PowerShell support   Administrators can use Windows PowerShell command-line tools and automated scripts for Remote Access setup, configuration, management, monitoring, and troubleshooting.

Ease-of-deployment

  • Deployment modes   In Windows Server 2008 R2, configuring DirectAccess for remote client management required manual modification of Windows Firewall rules. In Windows Server “8” Beta, DirectAccess can be easily configured for remote client access and remote client management, or for only remote client management.

  • Simplified deployment   DirectAccess in Windows Server “8” Beta provides a simpler configuration experience. Small and medium businesses can set up a working deployment with minimum requirements in only a few steps.

  • No certificate infrastructure   For simple deployments, DirectAccess can be configured without requiring deployment of a certificate infrastructure.

  • Access to IPv4 servers   DirectAccess in Windows Server “8” Beta supports access to internal servers that are running IPv4 only.

  • Simplified IPsec deployment   Traditionally, DirectAccess requires the deployment of two IPsec tunnels. The first tunnel provides a connection to infrastructure servers that are required to authenticate and manage client computers. The second tunnel provides access to corporate resources after users log on. In a Windows Server “8” Beta deployment, DirectAccess can be deployed with a single IPsec tunnel.

New and improved deployment scenarios

  • Single network adapter support   In Windows Server “8” Beta, DirectAccess can be deployed on servers that are configured with a single network adapter running behind a firewall or network address translation (NAT) device.

  • Force tunneling   By default, DirectAccess clients access internal resources through DirectAccess and reach Internet resources by using their local adapter settings. In Windows Server 2008 R2, forcing DirectAccess clients to connect to Internet resources through the DirectAccess server required manual manipulation of Group Policies. In Windows Server “8” Beta, you can enable force tunneling directly in the Remote Access Management console.

  • NAP compliance   In Windows Server 2008 R2, configuring Network Access Protection (NAP) to verify client compliance with corporate policies required manual editing of the Windows Firewall rules. In Windows Server “8” Beta, you can enable NAP directly in the Remote Access Management console.

  • Multiple domain support   In Windows Server 2008 R2, the DirectAccess server, clients, and internal servers had to belong to the same domain. This setting could only be modified by manually editing DirectAccess Group Policies. In Windows Server “8” Beta, multiple domain support is integrated, and no manual editing is required.

  • Geographical location support   In Windows Server “8” Beta, Remote Access servers can be configured in a multiple site deployment that allows users in dispersed geographical locations to connect to the multiple site entry point that is closest to them. Traffic across a multiple site deployment can be distributed and balanced with an external global load balancer.

  • One-time password (OTP) client authentication   In Windows Server 2008 R2, DirectAccess provided standard client IPsec authentication and two-factor authentication by using smart cards. Windows Server “8” Beta adds support for two-factor authentication by using a one-time password (OTP), which provides the ability to use OTP solutions that are provided by non-Microsoft vendors.

  • Virtual smart card support   In addition to support for standard smart card authentication, DirectAccess can use the Trusted Platform Module (TPM)-based virtual smart card capabilities that are available in Windows Server “8” Beta. The TPM of client computers can act as a virtual smart card for two-factor authentication, which removes the overhead and costs that are incurred in smart card deployment.

  • Behind edge device   Remote Access servers can be placed behind an edge device such as a firewall or NAT router. This removes the requirement to have dedicated public IPv4 addresses for DirectAccess.

  • Off-premises client configuration   In Windows Server 2008 R2, client computers must be connected to the corporate network to join a domain or receive domain settings. Windows Server “8” Beta provides the capability for computers to join a domain and receive domain settings remotely from the Internet.

  • Client computer support   DirectAccess supports client computers running Windows Server “8” Beta, Windows Server 2008 R2, Windows 8 Consumer Preview, and Windows 7.

  • Server core support   Windows Server “8” Beta provides a minimal operating system installation known as a Server Core installation option. The Remote Access role can be installed and configured on a Server Core installation.

Scalability improvements

  • High availability and failover   Remote Access in Windows Server “8” Beta provides support for more users, higher performance, and lower costs. Remote Access servers can be gathered into a load-balanced cluster for high availability and failover. Cluster traffic can be load balanced by using Windows Network Load Balancing (NLB) or a hardware load balancer.

  • Improved performance in virtualized environments   With the shift toward virtualized data centers and the reduced costs that are provided by virtualization, the Remote Access server role takes advantage of single root I/O virtualization (SR-IOV) for improved I/O performance when it is run on a virtual machine. In addition, Remote Access improves the overall scalability of the server host with support for IPsec hardware offload capabilities (available on many server interface cards that perform packet encryption and decryption in hardware).

  • IP-HTTPS NULL encryption   IP-HTTPS provides DirectAccess client connectivity to internal IPv4 resources when other IPv4 transition technologies such as Teredo cannot be used. In Windows Server 2008 R2, IP-HTTPS performance is poor compared with other transition technologies because data that is already encrypted for DirectAccess by using IPsec is encrypted again by using SSL, which incurs overhead. In Windows Server “8” Beta, IP-HTTPS is implemented by using NULL encryption, which removes the redundant SSL encryption during client communications and improves performance.

  • IP-HTTPS behind a proxy server   IP-HTTPS runs in a system context rather than a user context, which can cause connection issues. For example, if a DirectAccess client computer is located on the network of a partner company that uses a proxy for Internet access, and Web Proxy Autodiscovery Protocol (WPAD) detection is not used, the user must manually configure proxy settings to access the Internet. These settings are configured in Internet Explorer on a per-user basis, and they cannot be retrieved in an intuitive way on behalf of IP-HTTPS. In addition, if the proxy requires authentication, the user provides credentials for Internet access, but IP-HTTPS does not provide the credentials that the proxy requires, so the DirectAccess connection fails. In Windows Server “8” Beta, a new feature solves these issues. Specifically, the user can configure IP-HTTPS to work behind a proxy that is not configured by using WPAD, and IP-HTTPS requests and provides the proxy credentials that it needs to authenticate to the proxy.

Feature summary

The following summary lists each benefit, the features that provide it, and a description of each feature.

Improved management experience

  • Unified Remote Access Management console
    • DirectAccess and RRAS integrated into the Remote Access role
    • Deployment of RRAS and DirectAccess on a single server
    • Management of multiple servers in a single console
    • Easy migration of RRAS and DirectAccess from Windows Server 2008 R2 to Windows Server “8” Beta

  • Detailed monitoring, logging, and reporting
    • Detailed monitoring of servers, clients, and user connections
    • Accounting in multiple formats
    • Detailed event logging
    • Tracing and packet captures
    • On-demand reporting

  • Windows PowerShell scripting
    • Windows PowerShell scripting to configure, manage, and monitor Remote Access servers

  • Network Connectivity Assistant (NCA) application
    • Integration with Windows Network Connection Manager
    • DirectAccess connectivity status
    • Remediation for common failures
    • Log collection for troubleshooting
    • OTP connection options if OTP is enabled

Ease-of-deployment

  • DirectAccess deployment modes
    • Easy configuration of DirectAccess for client access and remote management, or for only remote management

  • Simplified DirectAccess deployment
    • Getting Started Wizard with minimum requirements

  • Deployment without a certificate infrastructure
    • DirectAccess client IPsec authentication with Active Directory credentials only (no computer certificate is required)
    • Option to use a self-signed certificate that is created automatically by DirectAccess for authentication of the network location server and for IP-HTTPS
    • Features that are not available without a certificate infrastructure include:
      • Client compliance checking with NAP
      • Support for client computers running Windows 7
      • Two-factor authentication

  • Access to internal IPv4 servers by using NAT64/DNS64
    • Support for client access to internal servers not running IPv6
    • DirectAccess deployment without upgrading IPv4 corporate servers

  • Simplified IPsec deployment with a single tunnel
    • DirectAccess clients access all resources through a single tunnel
    • No requirement to manage a quarantine network of infrastructure servers that are only available over a single tunnel

New and improved deployment scenarios

  • Single network adapter support
    • Can deploy a server with a single adapter that is located behind an edge or NAT device
    • Clients connect by using IP-HTTPS

  • Force tunneling support
    • Easy configuration of force tunneling during DirectAccess configuration

  • NAP support
    • Easy configuration of NAP during DirectAccess configuration

  • Multiple domain support for DirectAccess
    • Ability to locate DirectAccess servers and clients in different domains

  • Multiple geographical locations
    • Automatically connect clients to the DirectAccess server entry point closest to them
    • Computers running Windows 8 Consumer Preview can manually specify an entry point, overriding the automatically assigned entry point
    • Support for failover from one DirectAccess entry point to another

  • OTP client authentication
    • Support for two-factor authentication by using OTP

  • Virtual smart card support
    • Can leverage the TPM on DirectAccess client computers to provide two-factor smart card authentication
    • Can eliminate the overhead that is associated with smart card deployment

  • NAT support
    • Can deploy Remote Access servers behind an edge firewall or NAT device
    • No requirement for the server to have an adapter connected directly to the Internet

  • Off-premises client support
    • Client computers join a domain and retrieve domain settings through the Internet

  • DirectAccess client support
    • Can install DirectAccess on computers running Windows Server “8” Beta, Windows Server 2008 R2, Windows 8 Consumer Preview, Windows 7 Ultimate, or Windows 7 Enterprise
    • Limitations for client computers running Windows 7:
      • Cannot run the Network Connectivity Assistant (however, the DirectAccess Connectivity Assistant that was introduced in Windows Server 2008 R2 is supported)
      • Must authenticate by using a computer certificate
      • Cannot be automatically routed to a multiple site entry point in a multiple site deployment (each entry point must be statically configured to support client computers running Windows 7)
      • Cannot select the multiple site entry point to which they connect

  • Server Core installation support
    • Support for the Remote Access role on computers running a Server Core installation

Scalability

  • High availability
    • Can deploy multiple Remote Access servers in a cluster
    • Can load balance the cluster by using Windows NLB or a hardware load balancer
    • Windows NLB supports up to eight cluster members
    • Hardware load balancing supports up to 32 cluster members
    • Can add and remove servers from the cluster without interrupting connections that are in progress
    • Support for all RRAS VPN protocols on server cluster deployments

  • Virtualization improvements
    • SR-IOV virtualization for improved performance
    • Support for IPsec Task Offload v2

  • IP-HTTPS
    • Support for clients behind a proxy server that requires manual configuration of proxy settings
    • Faster performance with NULL encryption