DirectAccess

Applies To: Windows Server 2008 R2

DirectAccess provides users with transparent access to internal network resources whenever they are connected to the Internet. Traditionally, users connect to internal network resources with a virtual private network (VPN). However, using a VPN can be cumbersome because:

  • Connecting to a VPN takes several steps, and the user needs to wait for the authentication. For organizations that check the health of a computer before allowing the connection, establishing a VPN can take several minutes.

  • Any time users lose their Internet connection, they need to re-establish the VPN connection.

  • Internet performance is slowed if all traffic is routed through the VPN.

Because of these concerns, many users avoid connecting to a VPN. Instead, they use technologies such as Microsoft Office Outlook® Web Access (OWA) to connect to internal resources. With OWA, users can retrieve internal e-mail without establishing a VPN connection. However, if a user tries to open a document on the internal network (often linked from an e-mail), they are denied access because internal resources are typically not accessible from the Internet.

Avoiding VPNs also causes problems for IT professionals, who can only manage mobile computers when they connect to the internal network. When users avoid establishing an internal connection, mobile computers miss critical updates and changes to Group Policy settings.

Windows 7 and Windows Server 2008 R2 introduce DirectAccess, which enables users to have the same experience working at home or at a wireless hotspot as they would in the office. With DirectAccess, authorized users on Windows 7 computers can access corporate shares, view intranet Web sites, and work with intranet applications without going through a VPN.

DirectAccess also benefits IT professionals by enabling them to manage mobile computers outside of the office—anytime, anywhere—even though the computers are not connected to the VPN. Each time a mobile computer connects to the Internet, before the user logs on, DirectAccess establishes a bi-directional connection that enables the client computer to stay up to date with company policies and to receive software updates.

DirectAccess provides a secure and flexible network infrastructure using technologies such as IPv6 and IPsec. Security and performance features include:

  • Authentication. DirectAccess authenticates the computer before the user logs on, allowing IT professionals to manage the computer when the Internet connection is established. DirectAccess can also authenticate users and supports multifactor authentication methods such as a smart card authentication.

  • IPv6. DirectAccess uses IPv6 to provide globally routable IP addresses for remote access clients. Organizations that are not yet ready to fully deploy IPv6 can use IPv6 transition technologies such as ISATAP, 6to4, and Teredo to enable clients to connect across the IPv4 Internet and to access IPv4 resources on the enterprise network. These technologies provide IPv6 support for devices and servers that do not support IPv6 natively.

  • Encryption. DirectAccess uses IPsec to provide authentication and encryption for communications across the Internet. You can use any IPsec encryption method, including DES, which uses a 56-bit key, and 3DES, which uses three 56-bit keys.

  • Access control. With DirectAccess, IT professionals can configure the internal resources to which each user can connect, granting unlimited access or allowing access only to specific servers or networks.

    DirectAccess uses split-tunnel routing, as illustrated in Figure 1, which reduces unnecessary traffic on the corporate network. Split-tunnel routing sends only traffic destined for the enterprise network through the DirectAccess server. Although split-tunnel routing is the default configuration for DirectAccess, IT professionals can disable the feature to send all traffic through the enterprise network.

Figure 1   DirectAccess traffic flow with split-tunnel routing
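Each of the transition technologies named under IPv6 above (ISATAP, 6to4 and Teredo) embeds an IPv4 address inside the client's IPv6 address, which is what lets an administrator tell a tunnelled DirectAccess client apart from a native IPv6 one when reviewing server logs. The decoder below is an added example and is not part of this page or of any Microsoft tool; it follows the address layouts published in RFC 3056 (6to4), RFC 4380 (Teredo) and RFC 5214 (ISATAP), and the sample client addresses are constructed documentation values rather than real clients.

```python
import ipaddress

# Well-known prefixes assigned to the transition technologies.
TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")   # RFC 4380
SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")   # RFC 3056


def classify_transition_address(addr_str):
    """Return a dict naming the transition technology that produced the
    address (teredo, 6to4, isatap or native) with the embedded IPv4 details."""
    addr = ipaddress.IPv6Address(addr_str)
    packed = addr.packed  # 16 raw bytes in network order

    if addr in TEREDO_PREFIX:
        # Layout: 2001:0000:SSSS:SSSS:FFFF:PPPP:CCCC:CCCC
        #   S = Teredo server IPv4, F = flags, P = client UDP port, C = client IPv4.
        server = ipaddress.IPv4Address(packed[4:8])
        flags = int.from_bytes(packed[8:10], "big")
        # Port and client IPv4 are stored bit-inverted so a NAT does not rewrite them.
        port = int.from_bytes(packed[10:12], "big") ^ 0xFFFF
        client = ipaddress.IPv4Address(bytes(b ^ 0xFF for b in packed[12:16]))
        return {"type": "teredo", "server": str(server), "client": str(client),
                "port": port, "cone_nat": bool(flags & 0x8000)}

    if addr in SIXTO4_PREFIX:
        # Layout: 2002:WWXX:YYZZ::/48, where WWXX:YYZZ is the public IPv4 address.
        return {"type": "6to4", "ipv4": str(ipaddress.IPv4Address(packed[2:6]))}

    # ISATAP (RFC 5214): any /64 prefix with interface identifier
    # 0000:5EFE:w.x.y.z (private IPv4) or 0200:5EFE:w.x.y.z (u-bit set, global IPv4).
    iid = packed[8:16]
    if iid[0] in (0x00, 0x02) and iid[1] == 0x00 and iid[2:4] == b"\x5e\xfe":
        prefix = ipaddress.IPv6Network((packed[:8] + bytes(8), 64))
        return {"type": "isatap", "ipv4": str(ipaddress.IPv4Address(iid[4:8])),
                "prefix": str(prefix)}

    return {"type": "native"}


# Constructed sample of client addresses as they might appear in a DirectAccess
# server log. These are documentation/example addresses, not real clients.
SAMPLE_CLIENTS = [
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",  # Teredo client behind a cone NAT
    "2002:c000:204::1",                      # 6to4 host at 192.0.2.4
    "fe80::5efe:a00:1",                      # ISATAP, private IPv4 10.0.0.1
    "2001:db8::200:5efe:c633:6401",          # ISATAP, global IPv4 198.51.100.1
    "2001:db8::1",                           # native IPv6
]


def summarize(addresses):
    """Count how many addresses fall into each transition category."""
    counts = {}
    for a in addresses:
        kind = classify_transition_address(a)["type"]
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for a in SAMPLE_CLIENTS:
        print(a, "->", classify_transition_address(a))
    print(summarize(SAMPLE_CLIENTS))
```

A practical use is feeding the client addresses from the DirectAccess server's connection logs through `summarize()` to see what fraction of remote clients are reaching the server over Teredo or 6to4 rather than natively; a Teredo entry also reveals the client's public IPv4 address and UDP port, which is useful when correlating with firewall logs on the Internet edge.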

For more information about DirectAccess, see DirectAccess for Windows Server 2008 R2.