
Microsoft DirectAccess = Automatic VPN!

Published: February 19, 2013

Author: Jordan Krause, Enterprise Security MVP


Have you ever administered a VPN where…

  • Users had trouble connecting from some networks, resulting in you being the bad guy?
  • You had to figure out how to reinstall VPN software and get it configured over the phone?
  • Passwords were forgotten or expired and you had to explain to the user that there is nothing you can do until they come into the office?
  • A laptop wouldn’t be connected for weeks at a time while on vacation somewhere and was filled with fun new software when it came back into the office?

If you answered “yes” to any of these questions, congratulations! You have earned your VPN administrator title. Today I’m here to tell you that it doesn’t have to be this way!

IMPORTANT NOTE: Before we get into the real reason we are here today, I should also point out that many companies are re-evaluating (or should be) their current remote access solutions right now, because many organizations still use PPTP as their VPN protocol. If this is you, please read this carefully. If you are not sure what protocol your VPN is using, find out. The security surrounding PPTP has been recently compromised to the point that it is now being considered about as secure as plain-text. If you or any of your customers are running a PPTP VPN, change it – now.
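"Find out" is easy to do on the client side. As an added example (not part of the original article), this PowerShell 3.0 / Windows 8 script uses the VpnClient module to list every VPN connection profile on a machine and flag the ones still set to PPTP; the IKEv2 replacement in the remediation function is an assumption and must match what your VPN gateway actually accepts.

```powershell
# Added example, not from the original article. Requires the VpnClient module
# (Windows 8 / Server 2012 and later). Returns one record per VPN profile with a
# WeakPptp flag; 'Automatic' is flagged too because it may negotiate down to PPTP.
function Get-PptpVpnProfile {
    $profiles = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
                @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)
    foreach ($p in $profiles) {
        $type = [string]$p.TunnelType
        [pscustomobject]@{
            Name       = $p.Name
            Server     = $p.ServerAddress
            TunnelType = $type
            AllUsers   = [bool]$p.AllUserConnection
            WeakPptp   = $type -in @('Pptp', 'Automatic')
        }
    }
}

# Moves every flagged profile to a non-PPTP tunnel type. IKEv2 is an assumption:
# the gateway must support whatever you pick, so pass -TunnelType Sstp, L2tp or
# Ikev2 to match the protocol your VPN server actually offers.
function Repair-PptpVpnProfile {
    param([string]$TunnelType = 'Ikev2')
    foreach ($p in (Get-PptpVpnProfile | Where-Object { $_.WeakPptp })) {
        $params = @{ Name = $p.Name; TunnelType = $TunnelType; Force = $true }
        if ($p.AllUsers) { $params.AllUserConnection = $true }
        Set-VpnConnection @params
        [pscustomobject]@{ Name = $p.Name; OldTunnelType = $p.TunnelType; NewTunnelType = $TunnelType }
    }
}

# Report first; run Repair-PptpVpnProfile only after confirming the gateway side.
Get-PptpVpnProfile | Format-Table -AutoSize
```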

Now for the fun part. How can you rid yourself of these problems, and at the same time elevate yourself to “hero” status around the office?

DirectAccess – Always Connected!

Microsoft DirectAccess is a remote access technology that is best described as an automatic VPN. When a user takes their DirectAccess-enabled laptop home, to the coffee shop, or wherever, as soon as they have Internet access they also automatically have corporate network access. There is nothing the user needs to launch or log on to in order to establish this access. Their computer takes a combination of computer credentials (NTLM authentication) and the user credentials they used to log on to the computer in the first place (Kerberos authentication), and uses those to establish IPsec tunnels to a DirectAccess server sitting in the company datacenter. Because these tunnels establish automatically, users can literally be working on their laptop in the office, close the lid, take it home, open the lid when they get there, and continue working as if nothing happened. As long as they are connected to the Internet at home (or wherever they happen to be), the tunnels build in the background within seconds and the user simply continues to work. They have access to all resources in the network just as they did inside the office.

Installing the Client Software for DirectAccess

You’re done! The components that DirectAccess uses to connect are baked right into the Windows operating system – you already have them. As long as your users are running laptops (or tablets, or whatever) with Windows 7 Ultimate, Windows 7 Enterprise, or Windows 8 Enterprise, the client components are already installed and waiting for your users to start using them. All you have to do is throw some configuration settings at the computers so they know how to connect. What’s even cooler is that these configuration settings are distributed by Group Policy. During the DirectAccess configuration process the wizards create a GPO that contains all of the client-side connectivity settings. You then dedicate a group in Active Directory that will contain your DirectAccess client computers. Once the wizard is complete and the GPO is created, whenever you want to turn a new laptop into a DirectAccess laptop, you simply add that computer to the group. You don’t even have to touch the laptop. There is no VPN software to install on the client computer, and therefore no software that could eventually break and have to be reinstalled, or have to be updated in the future.
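The "add the computer to the group" step, as an added example that is not from the original article: a PowerShell function for a management host with the ActiveDirectory RSAT module. The group name 'DirectAccess Clients' and the computer names are placeholders for whatever group the DirectAccess wizard filtered its client GPO to and the laptops you are enrolling.

```powershell
# Added example, not from the original article. Run on a management host with the
# ActiveDirectory RSAT module. 'DirectAccess Clients' is a placeholder for the
# security group the DirectAccess client GPO is security-filtered to.
function Add-DirectAccessClient {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string]$GroupName = 'DirectAccess Clients'
    )
    Import-Module ActiveDirectory
    $group   = Get-ADGroup -Identity $GroupName
    $members = Get-ADGroupMember -Identity $group |
               Select-Object -ExpandProperty DistinguishedName
    foreach ($name in $ComputerName) {
        $computer = Get-ADComputer -Identity $name -Properties OperatingSystem
        # The client components only ship in these editions; any other machine would
        # receive the GPO but never build a tunnel, so it is reported rather than added.
        $supported = $computer.OperatingSystem -match 'Windows 7 (Ultimate|Enterprise)|Windows 8 Enterprise'
        $already   = $members -contains $computer.DistinguishedName
        $add       = $supported -and -not $already
        if ($add) { Add-ADGroupMember -Identity $group -Members $computer }
        [pscustomobject]@{
            Computer        = $name
            OperatingSystem = $computer.OperatingSystem
            Supported       = $supported
            AlreadyMember   = $already
            Added           = $add
        }
    }
}

# The new group SID lands in the computer's Kerberos ticket at its next logon, so the
# laptop applies the DirectAccess GPO after its next reboot on the corporate network.
Add-DirectAccessClient -ComputerName 'LAPTOP01', 'LAPTOP02' | Format-Table -AutoSize
```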

Connecting from Restricted Networks

This is no longer the issue that it is with many existing VPN solutions. DirectAccess can make use of three different protocols to establish its connection over the Internet, depending on what kind of network the user is currently sitting in. I won’t go into too much detail on these protocols here or this article would be substantially longer, but basically there is a 1-2-3 priority order that the laptops will attempt when connecting, and option #3 is a tunneling mechanism that puts all of the IPsec traffic inside HTTPS. So even if the user is sitting in a network that allows only HTTP and HTTPS traffic, DirectAccess will still be able to establish its connection and give the user corporate network access through the IPsec tunnels.
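As an added example (not from the original article), a client-side health check for a Windows 8 DirectAccess laptop that shows whether the DirectAccess GPO arrived, the connection status, which of the three transition technologies the article refers to (6to4, Teredo and IP-HTTPS, the one that wraps IPsec in HTTPS) is carrying the tunnels, and how many IPsec main mode security associations are up; it uses only built-in cmdlets and netsh.

```powershell
# Added example, not from the original article. Run elevated on a Windows 8
# DirectAccess client. Read-only: it queries state and changes nothing.
function Get-DirectAccessClientState {
    # NRPT rules are delivered by the DirectAccess GPO, so their presence shows
    # the client actually received the policy.
    $nrpt = @(Get-DnsClientNrptPolicy -ErrorAction SilentlyContinue)

    # Status is ConnectedLocally (inside the office), ConnectedRemotely (tunnels
    # up over the Internet), or an error; Substatus gives the reason for errors.
    $da = Get-DAConnectionStatus -ErrorAction SilentlyContinue
    $daStatus = if ($da) { '{0}/{1}' -f $da.Status, $da.Substatus } else { 'unknown' }

    # The three transition technologies, in the client's preference order.
    $sixToFour = (netsh interface 6to4 show state)             | Out-String
    $teredo    = (netsh interface teredo show state)           | Out-String
    $ipHttps   = (netsh interface httpstunnel show interfaces) | Out-String

    [pscustomobject]@{
        HasDirectAccessPolicy = $nrpt.Count -gt 0
        NrptNamespaces        = ($nrpt | ForEach-Object { $_.Namespace }) -join ', '
        DAStatus              = $daStatus
        SixToFourEnabled      = $sixToFour -notmatch 'disabled'
        TeredoQualified       = $teredo -match 'qualified'
        IpHttpsActive         = $ipHttps -match 'interface active'
        # Main mode SAs exist only while tunnels to the DirectAccess server are up.
        IPsecMainModeSAs      = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue).Count
    }
}

Get-DirectAccessClientState | Format-List
```

From a network that passes only HTTP and HTTPS you expect TeredoQualified false and IpHttpsActive true with a non-zero SA count; inside the office you expect ConnectedLocally and no SAs at all.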

Forgotten Passwords

The fact that DirectAccess establishes its connection automatically opens some fun doors for us. For example, if a user is sitting at home and has forgotten their company password, or it has expired, or for whatever reason they can’t authenticate – with a traditional VPN there isn’t much that you can do since they can’t log on to the laptop in the first place to take any steps. Your only real recourse is to reset their password in Active Directory and wait until they come into the office for them to log on with it. Not so with DirectAccess! Because the DirectAccess tunnels establish as soon as Internet access is available, if the user has their laptop at home and is either plugged in with a LAN cable or if their laptop remembers their wireless access point at the location where they are sitting, they have Internet access even while they are sitting looking at the logon screen. And since they have Internet access… they also have DirectAccess. The helpdesk can reset the user’s password in Active Directory, and the user can authenticate to the laptop using the new password right then and there!

Always Protected

If I haven’t said it enough times already – DirectAccess tunnels are automatically created. Any time that the computer has Internet access, it has corporate access. This means that you have management control of those computers all of the time. You no longer have users who can take their computer with them on vacation, never launch their VPN, access a bunch of open wireless hotspots and download neat malware, and then come back into the office weeks later to distribute it. With a DirectAccess computer, every time that Internet access is established so is corporate network access, which means that security updates, patches, antivirus updates, and Group Policy settings are always active and updated.

DirectAccess has many more advantages than the short list that I have put in this article, but my intention here was to address some very common headaches that are present with traditional VPNs and showcase how DirectAccess throws those specific problems out the window. If you are ever interested in learning more about DirectAccess, I regularly host webinars for IVO Networks that anyone is welcome to attend. At IVO, we build specialized hardware appliances, DirectAccess Concentrator appliances, that are a plug-and-play piece of equipment to serve as your DirectAccess server in the corporate network. I design DirectAccess solutions every day and would be more than happy to answer any questions that you have!

About the Author

Jordan Krause is a Microsoft MVP specializing in Enterprise Security. As a Senior Engineer and Security Specialist for IVO Networks, he spends the majority of each workday planning, designing, and implementing DirectAccess using IVO’s DirectAccess Concentrator security appliances for companies of all shapes and sizes. Committed to continuous learning, Jordan holds Microsoft certifications as an MCP, MCTS, MCSA, and MCITP Enterprise Administrator.
