DirectAccess Benefits

Although the primary purpose of DirectAccess and VPNs is to provide remote users access to your internal network across the Internet, they each have unique benefits. The following table highlights the key differences between DirectAccess and VPNs:

  Feature                                                                             DirectAccess   VPN
  Client computer connects automatically (not user-initiated)                              X
  Works through all firewalls                                                              X
  Supports selected server access and IPsec authentication
    with an internal network server                                                        X
  Supports end-to-end authentication and encryption                                        X
  Supports management of remote client computers                                           X
  Compatible with Windows Vista® and earlier versions of Windows client computers                     X
  Compatible with client computers running non-Microsoft® operating systems                           X
  Compatible with non-domain joined computers                                                         X
  Does not require Windows Server 2008 R2 on the remote access server                                 X

The following subsections describe the benefits of DirectAccess over VPNs.

End-user productivity

With DirectAccess, users get the same experience as working in the office any time they have an Internet connection. DirectAccess automatically connects the user’s computer to the corporate network every time an Internet connection is available. Therefore, they can read their e-mail, access shared folders, and work with internal network applications without connecting to a VPN. Even if your system allows users to check their e-mail from the Internet, users will appreciate DirectAccess because links to intranet Web sites and shared folders will work correctly.

With VPNs, internal network resources are not accessible until the user manually connects to the VPN. While the effort required to connect to a VPN might seem minimal, it requires several steps and the connection process takes at least several seconds, and often more than a minute. As a result, many remote users choose to not use their VPN, and they miss the opportunity to connect to internal resources and improve their productivity. Additionally, troubleshooting failed VPN connections can make up a significant portion of Help desk calls for many organizations.

Works anywhere

Remote users may be connecting through a wide variety of networks; for example, they might use a cable modem from home, a public wireless network while out, and a wireless WAN card while in a cab or at the airport. Each of these networks has different security rules, and users cannot be expected to understand all these rules.

To allow users to establish a secure connection to the DirectAccess server from anywhere, DirectAccess supports several protocols for establishing IPv6 connectivity to the DirectAccess server. On the IPv6 Internet, DirectAccess client computers connect by using native IPv6. On the IPv4 Internet, they connect by using IPv6 transition technologies (6to4 when the client has a public IPv4 address, Teredo when it sits behind a NAT). If a firewall blocks these protocols, DirectAccess falls back to IP over HTTPS (IP-HTTPS).

IP-HTTPS uses the same protocol that Web browsers use when communicating with Web sites that require encryption: the client's IPv6 packets are carried inside an HTTPS session to the DirectAccess server. Therefore, IP-HTTPS can pass through any firewall that allows Web browsing, even if the firewall blocks VPN connections. IP-HTTPS uses Secure Sockets Layer (SSL) encryption, so firewalls cannot examine the data stream. The IPsec protection described under Connection security runs inside that SSL session, so IP-HTTPS traffic is encrypted twice; it has the lowest throughput of the available paths, which is why it is used only as a last resort. Because DirectAccess protocol selection is automatic, users stay connected to the internal network without having to understand the underlying technical complexity.
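The following script is an added example, not code from the original article or from the DirectAccess product, showing how an administrator can tell which of the paths above a client is currently using. It classifies the client's IPv6 addresses by the well-known prefixes that 6to4, Teredo and ISATAP use, and reads the IP-HTTPS interface state from netsh. It needs only .NET and netsh, so it runs on Windows 7 as well as later releases. Two things are assumptions: that the IP-HTTPS adapter is named "iphttpsinterface" (the Windows 7 name), and that `netsh interface httpstunnel show interfaces` reports "IPHTTPS interface active" and a "Last Error Code" line, as it does on Windows 7. The sample addresses at the end are constructed from documentation and transition prefixes, not captured from a real client.

```powershell
# Added example (not from the original article): which IPv6 path can this
# DirectAccess client use, in the article's order of preference
# (native IPv6, then 6to4 or Teredo, then IP-HTTPS)?

function Get-Ipv6PathType {
    param([Parameter(Mandatory = $true)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) { return 'not-ipv6' }
    $b = $ip.GetAddressBytes()
    # 6to4 addresses live in 2002::/16 (the public IPv4 address follows the prefix).
    if ($b[0] -eq 0x20 -and $b[1] -eq 0x02) { return '6to4' }
    # Teredo addresses live in 2001:0000::/32.
    if ($b[0] -eq 0x20 -and $b[1] -eq 0x01 -and $b[2] -eq 0 -and $b[3] -eq 0) { return 'Teredo' }
    # ISATAP interface IDs are ::0:5efe:w.x.y.z or ::200:5efe:w.x.y.z (intranet side).
    if (($b[8] -eq 0 -or $b[8] -eq 2) -and $b[9] -eq 0 -and $b[10] -eq 0x5e -and $b[11] -eq 0xfe) { return 'ISATAP' }
    # Any other global unicast address (2000::/3) is native IPv6 or the
    # organization prefix assigned over IP-HTTPS; the prefix alone cannot tell.
    if (($b[0] -band 0xe0) -eq 0x20) { return 'global' }
    return 'other'   # link-local, unique local, loopback
}

function Get-DirectAccessPath {
    $paths = @{}
    foreach ($nic in [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces()) {
        if ($nic.OperationalStatus -ne 'Up') { continue }
        foreach ($ua in $nic.GetIPProperties().UnicastAddresses) {
            $type = Get-Ipv6PathType -Address $ua.Address.ToString()
            if (@('not-ipv6', 'other') -contains $type) { continue }
            # Assumption: the IP-HTTPS adapter is named "iphttpsinterface" (Windows 7 naming).
            if ($type -eq 'global' -and $nic.Name -match 'iphttps') { $type = 'IP-HTTPS' }
            $paths[$type] = $nic.Name
        }
    }
    # The IP-HTTPS interface reports its own state; "active" means the HTTPS
    # session to the DirectAccess server is up. Field names assumed from Windows 7.
    $tunnel = netsh interface httpstunnel show interfaces 2>$null
    if ($tunnel -match 'IPHTTPS interface active') { $paths['IP-HTTPS'] = 'iphttpsinterface' }
    if ($tunnel -match 'Last Error Code\s*:\s*0x[0-9a-fA-F]*[1-9a-fA-F]') {
        Write-Warning "IP-HTTPS reported a non-zero error code; run 'netsh interface httpstunnel show interfaces'"
    }
    # Report in the article's order of preference.
    foreach ($candidate in 'global', '6to4', 'Teredo', 'ISATAP', 'IP-HTTPS') {
        if ($paths.ContainsKey($candidate)) {
            $label = if ($candidate -eq 'global') { 'native IPv6' } else { $candidate }
            "{0,-12} via {1}" -f $label, $paths[$candidate]
        }
    }
    if ($paths.Count -eq 0) { 'No usable IPv6 path; DirectAccess cannot connect from here.' }
}

# Constructed sample addresses (documentation and transition prefixes only).
Get-Ipv6PathType '2002:c000:0204::1'                       # 6to4
Get-Ipv6PathType '2001:0:4136:e378:8000:63bf:3fff:fdd2'    # Teredo
Get-Ipv6PathType 'fe80::5efe:c000:204'                     # ISATAP
Get-Ipv6PathType '2001:db8:1::10'                          # global
Get-Ipv6PathType '192.0.2.4'                               # not-ipv6

# Live check on this computer.
Get-DirectAccessPath
```

A client that reports only an IP-HTTPS path from a network where 6to4 or Teredo should work usually has a firewall in front of it that drops protocol 41 or UDP 3544; that is the fallback working as designed, but it is also the slowest path, so the result is worth a Help desk note rather than a ticket.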

On the other hand, VPNs use a more limited set of remote access protocols (for example, PPTP and L2TP/IPsec). Firewalls often block these protocols, preventing users from connecting to the internal network, which results in Help desk incidents. Browser-based (clientless) SSL VPNs can work through firewalls, but they limit the user to a Web browser. They block other applications from connecting to internal resources and prevent managing the remote computer from the internal network.

Manageability and client computer security

VPN-based remote client computers present a challenge to IT pros because these computers might not connect to the internal network for weeks at a time, preventing them from downloading Group Policy objects and software updates. During that time, these unpatched remote computers are at a greater risk of being compromised by malware or other attacks. If these compromised remote computers are allowed to connect to the internal network without any additional health checks, the malware could attempt to spread inside the corporate network through e-mail, shared folders, or automated network attacks. Additionally, having unpatched client computers may impact regulatory requirements.

To mitigate this risk, client computers must be kept up-to-date, requiring remote users to regularly connect to their internal network to download updates. IT pros must rely on users to perform certain actions to keep their computers secure. DirectAccess enables IT pros to continuously manage and update remote computers when they are connected to the Internet. Because users do not need to take action to connect to the corporate network, DirectAccess improves manageability and security for remote computers. Perhaps most importantly, IT pros can use DirectAccess to ensure that the organization meets regulatory compliance requirements.

Connection security

DirectAccess provides comprehensive security to give IT pros the control they need over remote connections. IT pros can grant remote users unlimited access to the internal network, limit them to accessing only e-mail and Web applications, or restrict them to using only those servers required to remotely manage the computer.

  • Full Intranet Access. Like a VPN, DirectAccess communications are encrypted and authenticated across the Internet. Communications on the internal network are not protected.

  • Selected Server Access. DirectAccess communications are encrypted and authenticated across the Internet. Additionally, communications between DirectAccess client computers and internal network servers are authenticated, but not encrypted.

  • End-to-End Access. DirectAccess communications are encrypted and authenticated across the Internet between DirectAccess client computers and internal network servers.

When using the Full Intranet Access model, DirectAccess provides a similar level of connection security to that provided by a VPN.

When using the Selected Server Access model, IT pros gain precise control over which internal resources users have access to and the type of security that is required for each connection. By using Selected Server Access, IT pros can limit users and applications to accessing specific servers.

When using the End-to-End Access model, DirectAccess client computers establish an IPsec connection directly to the resource servers, enabling network-level security to function exactly as it does when computers are connected directly to the internal network. End-to-end security is made possible by using IPv6 and IPsec, which provides end-to-end global addressing and traffic protection capabilities that are not easily available with traditional IPv4-based VPNs. Figure 1 compares the DirectAccess End-to-End Access model with a traditional VPN.

Figure 1   DirectAccess can provide end-to-end connection security

The Selected Server Access and End-to-End Access models require application servers that are running Windows Server 2008 or Windows Server 2008 R2, and have IPv6 enabled.
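The three access models map directly onto Windows Firewall connection security (IPsec) rules. The script below is an added example, not the output of the DirectAccess setup wizard or any other code from the original article; it writes one rule per model with the NetSecurity cmdlets that ship with Windows 8 and Windows Server 2012 and later (on Windows Server 2008 R2 the wizard generates equivalent rules in Group Policy). Every display name, the 2001:db8::/32 documentation prefix and the server addresses are placeholders, and the application servers are assumed to carry matching inbound rules.

```powershell
# Added example (not from the original article or the DirectAccess wizard):
# the Full Intranet, Selected Server and End-to-End Access models as IPsec
# connection security rules. Run in an elevated session; rules go to the
# local policy store. Addresses use the 2001:db8::/32 documentation prefix.

# Phase 1: the domain-joined computer proves its identity with Kerberos.
# Phase 2: the logged-on user does the same, so rules can also be scoped per user.
$machineKerb = New-NetIPsecAuthProposal -Machine -Kerberos
$userKerb    = New-NetIPsecAuthProposal -User -Kerberos
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'DA example: computer Kerberos' -Proposal $machineKerb
$phase2 = New-NetIPsecPhase2AuthSet -DisplayName 'DA example: user Kerberos'     -Proposal $userKerb

# Selected Server Access: authentication and integrity only (AH), no encryption.
# Intranet inspection devices can still read the payload, but the server knows
# which computer and user sent it.
$ahProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation AH -AHHash SHA256
$authOnly   = New-NetIPsecQuickModeCryptoSet -DisplayName 'DA example: AH only' -Proposal $ahProposal

# End-to-End Access: ESP with encryption, so the payload is protected all the
# way to the application server rather than only to the DirectAccess server.
$espProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA256 -Encryption AES256
$encrypted   = New-NetIPsecQuickModeCryptoSet -DisplayName 'DA example: ESP AES-256' -Proposal $espProposal

# Hypothetical addresses: the DirectAccess server's intranet-facing address,
# and application servers (Windows Server 2008 or later, IPv6 enabled).
$daServer        = '2001:db8:0:1::2'
$intranetPrefix  = '2001:db8::/32'
$selectedServers = @('2001:db8:10::20', '2001:db8:10::21')
$sensitiveServer = '2001:db8:10::30'

# Full Intranet Access: a tunnel that ends at the DirectAccess server. Traffic is
# protected on the Internet only; inside the intranet it travels in the clear.
New-NetIPsecRule -DisplayName 'DA example: Full Intranet Access' `
    -Mode Tunnel `
    -LocalAddress Any -RemoteAddress $intranetPrefix `
    -LocalTunnelEndpoint Any -RemoteTunnelEndpoint $daServer `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $phase1.Name -Phase2AuthSet $phase2.Name `
    -QuickModeCryptoSet $encrypted.Name

# Selected Server Access: transport mode, authenticated but unencrypted,
# limited to the listed servers.
New-NetIPsecRule -DisplayName 'DA example: Selected Server Access' `
    -Mode Transport `
    -RemoteAddress $selectedServers `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $phase1.Name -Phase2AuthSet $phase2.Name `
    -QuickModeCryptoSet $authOnly.Name

# End-to-End Access: transport mode with encryption to the resource server itself.
New-NetIPsecRule -DisplayName 'DA example: End-to-End Access' `
    -Mode Transport `
    -RemoteAddress $sensitiveServer `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $phase1.Name -Phase2AuthSet $phase2.Name `
    -QuickModeCryptoSet $encrypted.Name

# Check: the rules as stored, and the quick mode security associations actually
# negotiated once traffic flows (shows which encapsulation each server agreed to).
Get-NetIPsecRule -DisplayName 'DA example: *' |
    Format-Table DisplayName, Mode, InboundSecurity, OutboundSecurity -AutoSize
Get-NetIPsecQuickModeSA | Format-List
```

The difference between the models is visible in the rule parameters alone: Full Intranet Access is the only tunnel-mode rule and names the DirectAccess server as its endpoint, while the other two are transport-mode rules whose remote address is the application server, differing only in whether the quick mode set encrypts (ESP) or merely authenticates (AH). A transport-mode rule will not negotiate with a server that lacks a compatible rule and IPv6 address, which is the practical reason behind the Windows Server 2008 and IPv6 requirement stated above.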