Microsoft DirectAccess = Automatic VPN!
Published: February 19, 2013
Author: Jordan Krause, Enterprise Security MVP
Have you ever administered a VPN where…
If you answered “yes” to any of these questions, congratulations! You have earned your VPN administrator title. Today I’m here to tell you that it doesn’t have to be this way!
DirectAccess – Always Connected!
Microsoft DirectAccess is a remote access technology that is best described as an automatic VPN. When a user takes their DirectAccess-enabled laptop home, to the coffee shop, or wherever, as soon as they have Internet access they also automatically have corporate network access. There is nothing the user needs to launch or log on to in order to establish this access. The computer takes a combination of its own computer credentials (NTLM authentication) and the user credentials that were used to log on to the computer in the first place (Kerberos authentication) and uses those items to establish IPSec tunnels to a DirectAccess server sitting in the company datacenter. Because these tunnels are established automatically, users can literally be working on their laptop in the office, close the lid and take it home, open the lid when they get home, and continue working as if nothing happened. As long as they are connected to the Internet at home (or wherever they happen to be), these tunnels build in the background within seconds and the user simply continues to work. They have access to all resources in the network just as they did when they were inside the office.
Installing the Client Software for DirectAccess
You’re done! The components that DirectAccess uses to connect are baked right into the Windows operating system – you already have them. As long as your users are running laptops (or tablets or whatever) with Windows 7 Ultimate, Windows 7 Enterprise, or Windows 8 Enterprise, the client components are already installed and waiting for your users to start using them. All you have to do is push some configuration settings to the computers so they know how to connect. What’s even cooler is that these configuration settings are distributed by Group Policy. During the DirectAccess configuration process the wizards create a GPO that contains all of the client-side connectivity settings. You dedicate a group in Active Directory that will contain your DirectAccess client computers, and once the wizard is complete and the GPO is created, whenever you want to turn a new laptop into a DirectAccess laptop you simply add that computer to the group. You don’t even have to touch the laptop. There is no VPN software to install on the client computer, and therefore no software that could eventually break and have to be reinstalled, or have to be updated in the future.
Connecting from Restricted Networks
With DirectAccess this is no longer the problem that it is with many existing VPN solutions. DirectAccess can make use of three different protocols to establish its connection over the Internet, depending on what kind of network the user is currently sitting in. I won’t go into too much detail on these protocols here or this article would be substantially longer, but basically there is a 1-2-3 priority order in which the laptops attempt to connect, and option #3 is a tunneling mechanism that puts all of the IPSec traffic inside HTTPS. So even if the user is sitting in a network that allows only HTTP and HTTPS traffic, DirectAccess will still be able to establish its connection and give the user corporate network access through the IPSec tunnels.
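The following client-side health check is an added example, not code from the article or from Microsoft: it reports which of the three transports described above the laptop has actually brought up (6to4 and Teredo are recognisable by their IPv6 prefixes, the HTTPS tunnel by the IP-HTTPS interface state) and then lists the IPsec main mode tunnels with the computer (Auth1) and user (Auth2) credential types the earlier section talks about. It assumes a Windows 7/8 DirectAccess client and an elevated PowerShell prompt, and parses the text output of netsh, so the regexes are tied to the English field labels.

```powershell
# Added diagnostic example (not from the article). Assumes a Windows 7/8
# DirectAccess client and an elevated prompt (netsh monitor output needs admin).

function Get-DATransportReport {
    # Every IPv6 address on the machine; the transition technologies use known prefixes.
    $v6 = [Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() |
        ForEach-Object { $_.GetIPProperties().UnicastAddresses } |
        Where-Object { $_.Address.AddressFamily -eq 'InterNetworkV6' } |
        ForEach-Object { $_.Address.IPAddressToString }

    $has6to4   = [bool]($v6 -match '^2002:')    # 6to4: 2002::/16, needs a public IPv4 address
    $hasTeredo = [bool]($v6 -match '^2001:0:')  # Teredo: 2001:0::/32, works behind NAT
    $teredoUp  = [bool]((netsh interface teredo show state) -match 'State\s*:\s*qualified')
    # Option #3 in the article: IP-HTTPS, IPsec carried inside an HTTPS (TCP/443) tunnel.
    $httpsUp   = [bool]((netsh interface httpstunnel show interfaces) -match 'IPHTTPS interface active')

    $transport = if ($has6to4)                      { '6to4' }
                 elseif ($hasTeredo -and $teredoUp)  { 'Teredo' }
                 elseif ($httpsUp)                   { 'IP-HTTPS' }
                 else                                { 'none (no DirectAccess transport is up)' }

    # Main mode IPsec SAs. Auth1 is the computer credential (e.g. ComputerCert/ComputerNTLM),
    # Auth2 the user credential (e.g. UserKerb): the two tunnel types the article describes.
    $sas = @(); $cur = $null
    foreach ($line in (netsh advfirewall monitor show mmsa)) {
        if ($line -match '^\s*Remote IP Address:\s*(\S+)') {
            if ($cur) { $sas += New-Object PSObject -Property $cur }
            $cur = @{ Peer = $Matches[1]; Auth1 = ''; Auth2 = '' }
        } elseif ($cur -and $line -match '^\s*(Auth[12]):\s*(\S+)') {
            $cur[$Matches[1]] = $Matches[2]
        }
    }
    if ($cur) { $sas += New-Object PSObject -Property $cur }

    New-Object PSObject -Property @{
        Transport     = $transport
        IPv6Addresses = $v6
        MainModeSAs   = $sas
        HasUserTunnel = [bool]($sas | Where-Object { $_.Auth2 -match 'User' })
    }
}

Get-DATransportReport | Format-List
```

A client showing a transport but no SA with a User* Auth2 has the computer tunnel only, which is the state you would expect at the logon screen before the user has authenticated.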
The fact that DirectAccess establishes its connection automatically opens some fun doors for us. For example, if a user is sitting at home and has forgotten their company password, or it has expired, or for whatever reason they can’t authenticate – with a traditional VPN there isn’t much that you can do since they can’t log on to the laptop in the first place to take any steps. Your only real recourse is to reset their password in Active Directory and wait until they come into the office for them to log on with it. Not so with DirectAccess! Because the DirectAccess tunnels establish as soon as Internet access is available, if the user has their laptop at home and is either plugged in with a LAN cable or if their laptop remembers their wireless access point at the location where they are sitting, they have Internet access even while they are sitting looking at the logon screen. And since they have Internet access… they also have DirectAccess. The helpdesk can reset the user’s password in Active Directory, and the user can authenticate to the laptop using the new password right then and there!
If I haven’t said it enough times already – DirectAccess tunnels are automatically created. Any time that the computer has Internet access, it has corporate access. This means that you have management control of those computers all of the time. You no longer have users who can take their computer with them on vacation, never launch their VPN, access a bunch of open wireless hotspots and download neat malware, and then come back into the office weeks later to distribute it. With a DirectAccess computer, every time that Internet access is established so is corporate network access, which means that security updates, patches, antivirus updates, and Group Policy settings are always active and updated.
About the Author
Jordan Krause is a Microsoft MVP specializing in Enterprise Security. As a Senior Engineer and Security Specialist for IVO Networks, he spends the majority of each workday planning, designing, and implementing DirectAccess using IVO’s DirectAccess Concentrator security appliances for companies of all shapes and sizes. Committed to continuous learning, Jordan holds Microsoft certifications as an MCP, MCTS, MCSA, and MCITP Enterprise Administrator.