Remote Access Technical Preview
Published: February 29, 2012
Updated: February 29, 2012
Applies To: Windows Server 8 Beta
As increasing numbers of employees are required to remain productive while they are away from the office, the need for solutions that provide secure remote access to corporate networks has grown.
Windows Server “8” Beta provides an integrated remote access solution that is simple to deploy. Employees can access corporate network resources while working remotely, and IT administrators can manage corporate computers that are located outside the internal network.
To provide this functionality, remote access in Windows Server “8” Beta integrates DirectAccess and Routing and Remote Access Services (RRAS) VPN.
DirectAccess was introduced in Windows Server 2008 R2. It allows managed computers located outside the corporate network to securely access internal resources without VPN connectivity. It establishes transparent connectivity to the corporate network every time a DirectAccess client computer connects to the Internet, even before the user logs on. In addition, DirectAccess allows administrators to easily monitor connections and remotely manage DirectAccess client computers located on the Internet. Computers running Windows Server “8” Beta, Windows Server 2008 R2, Windows 8 Consumer Preview, and Windows 7 can be configured as DirectAccess client computers.
RRAS provides remote access VPN connectivity between remote clients and servers, site-to-site connections between servers, and routing. An RRAS VPN provides a remote access solution for client computers that are unmanaged or that run operating systems earlier than Windows 7.
In Windows Server “8” Beta, DirectAccess and RRAS are integrated into a single Remote Access server role. The role is divided into two components: DirectAccess and VPN, and Routing. DirectAccess and VPN can be configured together in the Remote Access Management console by using a single set of wizards. Other RRAS features can be configured by using the legacy Routing and Remote Access console. The new role allows for easy migration of RRAS and DirectAccess deployments from Windows Server 2008 R2, and it provides a number of new features and improvements.
DirectAccess deployment requirements include the following:
- Server: One or more servers running Windows Server “8” Beta with the Remote Access role installed. The server can be deployed at the edge or behind an edge firewall or other device.
- Domain: The server must be joined to an Active Directory Domain Services (AD DS) domain.
- Network adapters: The server must have at least one network adapter installed and enabled. If deployed with a single adapter, IP-HTTPS will be used for client connections.
  Note: To use Teredo, two network adapters are required, with two consecutive public IPv4 addresses on the external adapter.
- Permissions: The remote access administrator requires local administrator permissions on the server, domain user administrator permissions, and permissions to create a WMI filter (Domain Admins) on the domain controller. The WMI filter is required if the client Group Policy Object should be applied only to mobile computers in the domain.
- Security groups: An Active Directory security group that contains the computers you want to enable as DirectAccess clients.
- DNS: A DNS server running Windows Server “8” Beta, Windows Server 2008 with SP2, or Windows Server 2008 R2.
- Client computer support: DirectAccess client computer users must be members of an AD DS domain. DirectAccess client computers must be running Windows 8 Consumer Preview, Windows 7 Enterprise, Windows 7 Ultimate, Windows Server “8” Beta, or Windows Server 2008 R2.
- Certificate requirements: A public key infrastructure (PKI) is required if the DirectAccess deployment requires NAP, two-factor authentication, or support for clients running Windows 7.
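The following script is an added example, not code from the original article or from Microsoft. It is a read-only check of the deployment requirements listed above, intended to be run on the prospective Remote Access server before the configuration wizards are used. It assumes the feature names RemoteAccess and DirectAccess-VPN and the NetAdapter and NetTCPIP cmdlets of the released Windows Server 2012; the Windows Server “8” Beta build may use different names. The address list passed to Find-TeredoAddressPair at the end is constructed sample input.

```powershell
# Added example (not from the original article): checks the DirectAccess
# prerequisites listed above. Assumption: feature names (RemoteAccess,
# DirectAccess-VPN) and the NetAdapter/NetTCPIP cmdlets are those of the
# released Windows Server 2012 and may differ in the beta.

function Test-PublicIPv4 {
    # Returns $true unless the address is loopback, link-local, or RFC 1918 private.
    param([Parameter(Mandatory)][string]$Address)
    $o = $Address.Split('.') | ForEach-Object { [int]$_ }
    if ($o[0] -eq 10 -or $o[0] -eq 127) { return $false }
    if ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) { return $false }
    if ($o[0] -eq 192 -and $o[1] -eq 168) { return $false }
    if ($o[0] -eq 169 -and $o[1] -eq 254) { return $false }
    return $true
}

function ConvertTo-IPv4Number {
    # Dotted quad to an integer so that "consecutive" can be tested arithmetically.
    param([Parameter(Mandatory)][string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ([uint64]$b[0] * 16777216) + ([uint64]$b[1] * 65536) + ([uint64]$b[2] * 256) + [uint64]$b[3]
}

function Find-TeredoAddressPair {
    # Teredo needs two consecutive public IPv4 addresses on the Internet-facing
    # adapter. Returns the first such pair, or $null when only IP-HTTPS will be
    # available for client connections.
    param([Parameter(Mandatory)][string[]]$Addresses)
    $sorted = @($Addresses | Where-Object { Test-PublicIPv4 $_ } |
        Sort-Object { ConvertTo-IPv4Number $_ })
    for ($i = 0; $i -lt $sorted.Count - 1; $i++) {
        $gap = (ConvertTo-IPv4Number $sorted[$i + 1]) - (ConvertTo-IPv4Number $sorted[$i])
        if ($gap -eq 1) { return @($sorted[$i], $sorted[$i + 1]) }
    }
    return $null
}

function Get-DirectAccessPrerequisiteReport {
    # Collects the requirement checks into one object for review.
    $adapters = @(Get-NetAdapter | Where-Object { $_.Status -eq 'Up' })
    $ipv4 = @(Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $adapters.InterfaceIndex -contains $_.InterfaceIndex } |
        Select-Object -ExpandProperty IPAddress)
    $features = @(Get-WindowsFeature -Name RemoteAccess, DirectAccess-VPN)
    $installed = @($features | Where-Object { $_.Installed })
    $pair = Find-TeredoAddressPair -Addresses $ipv4

    # Single adapter (or no consecutive public pair) means IP-HTTPS only.
    $transport = 'IP-HTTPS only'
    if ($adapters.Count -ge 2 -and $pair) { $transport = 'Teredo or IP-HTTPS' }

    [pscustomobject]@{
        RemoteAccessRoleInstalled = ($features.Count -gt 0 -and $installed.Count -eq $features.Count)
        DomainJoined              = (Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain
        EnabledAdapters           = $adapters.Count
        ExpectedClientTransport   = $transport
        TeredoAddressPair         = if ($pair) { $pair -join ', ' } else { 'none' }
    }
}

# Constructed sample input (RFC 5737 documentation range): returns 203.0.113.10, 203.0.113.11.
Find-TeredoAddressPair -Addresses @('203.0.113.10', '192.168.1.5', '203.0.113.11')

# Live check on this server.
Get-DirectAccessPrerequisiteReport | Format-List
```

The report only reads state; it makes no configuration changes, so it is safe to run repeatedly while the server is being prepared.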
This section summarizes the benefits of remote access in Windows Server “8” Beta and its new remote access features.
- Easy administration: DirectAccess and VPN can be configured, managed, and monitored in a single location by using the new Remote Access Management console. Multiple remote access servers can be managed from the console.
- Improved monitoring: The Remote Access Management console in Windows Server “8” Beta provides detailed monitoring information as follows:
  - Dashboard: The dashboard provides top-level information about Remote Access servers and client computer activity. Reports can be generated quickly from the dashboard.
  - Operations status: Administrators can investigate the status of specific server components.
  - User and client computer monitoring: Administrators can view users and computers that are connected over VPN or DirectAccess at any time, and they can check the resources that clients are accessing.
  - Accounting: Data can be logged to a local Windows Internal Database or to a remote RADIUS server. The accounting log stores remote user information, operations statistics, server usage, and change history. Server usage logs provide server load statistics for the Remote Access server.
  - Troubleshooting: Detailed events and tracing are provided to help diagnose connectivity issues.
- Network Connectivity Assistant (NCA): NCA runs on DirectAccess client computers to provide a quick view of the DirectAccess connection status, links to corporate help resources, diagnostics tools, and troubleshooting information.
- Windows PowerShell support: Administrators can use Windows PowerShell command-line tools and automated scripts for Remote Access setup, configuration, management, monitoring, and troubleshooting.
- Deployment modes: In Windows Server 2008 R2, configuring DirectAccess for remote client management required manual modification of Windows Firewall rules. In Windows Server “8” Beta, DirectAccess can be easily configured for remote client access and remote client management, or for remote client management only.
- Simplified deployment: DirectAccess in Windows Server “8” Beta provides a simpler configuration experience. Small and medium businesses can set up a working deployment with minimum requirements in only a few steps.
- No certificate infrastructure: For simple deployments, DirectAccess can be configured without requiring deployment of a certificate infrastructure.
- Access to IPv4 servers: DirectAccess in Windows Server “8” Beta supports access to internal servers that are running IPv4 only.
- Simplified IPsec deployment: Traditionally, DirectAccess requires the deployment of two IPsec tunnels. The first tunnel provides a connection to the infrastructure servers that are required to authenticate and manage client computers. The second tunnel provides access to corporate resources after users log on. In a Windows Server “8” Beta deployment, DirectAccess can be deployed with a single IPsec tunnel.
- Single network adapter support: In Windows Server “8” Beta, DirectAccess can be deployed on servers that are configured with a single network adapter running behind a firewall or network address translation (NAT) device.
- Force tunneling: By default, DirectAccess clients access internal resources through DirectAccess and access Internet resources by using their local adapter settings. In Windows Server 2008 R2, forcing DirectAccess clients to connect to Internet resources through the DirectAccess server required manual manipulation of Group Policies. In Windows Server “8” Beta, you can enable force tunneling directly in the Remote Access Management console.
- NAP compliance: In Windows Server 2008 R2, configuring Network Access Protection (NAP) to verify client compliance with corporate policies required manual editing of the Windows Firewall rules. In Windows Server “8” Beta, you can enable NAP directly in the Remote Access Management console.
- Multiple domain support: In Windows Server 2008 R2, the DirectAccess server, clients, and internal servers had to belong to the same domain. This setting could only be modified by manually editing DirectAccess Group Policies. In Windows Server “8” Beta, multiple domain support is integrated, and no manual editing is required.
- Geographical location support: In Windows Server “8” Beta, Remote Access servers can be configured in a multiple site deployment that allows users in dispersed geographical locations to connect to the multiple site entry point that is closest to them. Traffic across a multiple site deployment can be distributed and balanced with an external global load balancer.
- One-time password (OTP) client authentication: In Windows Server 2008 R2, DirectAccess provided standard client IPsec authentication and two-factor authentication by using smart cards. Windows Server “8” Beta adds support for two-factor authentication by using a one-time password (OTP), which provides the ability to use OTP solutions that are provided by non-Microsoft vendors.
- Virtual smart card support: In addition to support for standard smart card authentication, DirectAccess can use the Trusted Platform Module (TPM)-based virtual smart card capabilities that are available in Windows Server “8” Beta. The TPM of client computers can act as a virtual smart card for two-factor authentication, which removes the overhead and costs that are incurred in smart card deployment.
- Behind edge device: Remote Access servers can be placed behind an edge device such as a firewall or NAT router. This removes the requirement to have dedicated public IPv4 addresses for DirectAccess.
- Off-premises client configuration: In Windows Server 2008 R2, client computers must be connected to the corporate network to join a domain or receive domain settings. Windows Server “8” Beta provides the capability for computers to join a domain and receive domain settings remotely from the Internet.
- Client computer support: DirectAccess supports client computers running Windows Server “8” Beta, Windows Server 2008 R2, Windows 8 Consumer Preview, and Windows 7.
- Server Core support: Windows Server “8” Beta provides a minimal operating system installation known as the Server Core installation option. The Remote Access role can be installed and configured on a Server Core installation.
- High availability and failover: Remote Access in Windows Server “8” Beta provides support for more users, higher performance, and lower costs. Remote Access servers can be gathered into a load-balanced cluster for high availability and failover. Cluster traffic can be load balanced by using Windows Network Load Balancing (NLB) or a hardware load balancer.
- Improved performance in virtualized environments: With the shift toward virtualized data centers and the reduced costs that are provided by virtualization, the Remote Access server role takes advantage of single root I/O virtualization (SR-IOV) for improved I/O performance when it is run on a virtual machine. In addition, Remote Access improves the overall scalability of the server host with support for IPsec hardware offload capabilities (available on many server interface cards that perform packet encryption and decryption in hardware).
- IP-HTTPS NULL encryption: IP-HTTPS provides DirectAccess client connectivity to internal IPv4 resources when other IPv4 transition technologies such as Teredo cannot be used. In Windows Server 2008 R2, IP-HTTPS performance is poor compared with other transition technologies because data that is already encrypted for DirectAccess by using IPsec is encrypted again by using SSL, which incurs overhead. In Windows Server “8” Beta, IP-HTTPS is implemented by using NULL encryption, which removes the redundant SSL encryption during client communications and improves performance.
- IP-HTTPS behind a proxy server: IP-HTTPS runs in a system context rather than a user context, and this context can cause connection issues. For example, if a DirectAccess client computer is located on the network of a partner company that uses a proxy for Internet access, and Web Proxy Autodiscovery Protocol (WPAD) detection is not used, the user must manually configure proxy settings to access the Internet. These settings are configured in Internet Explorer on a per-user basis, and they cannot be retrieved in an intuitive way on behalf of IP-HTTPS. In addition, if the proxy requires authentication, the user provides credentials for Internet access, but IP-HTTPS will not provide the credentials that the proxy requires for the DirectAccess connection. In Windows Server “8” Beta, a new feature solves these issues: the user can configure IP-HTTPS to work behind a proxy that is not configured by using WPAD, and IP-HTTPS will prompt for the proxy credentials and supply them when the proxy requires authentication.
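As an added example, not code from the original article or from Microsoft, the script below shows how three of the features listed above (accounting to the local database, force tunneling, and the monitoring views) can be driven from Windows PowerShell on a configured Remote Access server. It assumes the cmdlet and output property names of the RemoteAccess module in the released Windows Server 2012 (Set-RemoteAccessAccounting, Set-DAClient, Get-RemoteAccessHealth, Get-RemoteAccessConnectionStatistics); the beta module may differ, and the property names HealthState, Component and ConnectionType used in the filters are assumptions.

```powershell
# Added example (not from the original article). Assumption: cmdlet and
# property names follow the released Windows Server 2012 RemoteAccess module.
# Run in an elevated session on a Remote Access server.
Import-Module RemoteAccess

function Enable-InboxAccounting {
    # Accounting to the local Windows Internal Database, so that the console
    # can produce usage reports without an external RADIUS server.
    Set-RemoteAccessAccounting -EnableAccountingType Inbox
    Get-RemoteAccessAccounting
}

function Set-ForceTunnelMode {
    # Force tunneling routes the clients' Internet traffic through the
    # DirectAccess server. The setting lives in the client GPO, so clients
    # apply it at their next Group Policy refresh.
    param([Parameter(Mandatory)][ValidateSet('Enabled', 'Disabled')][string]$Mode)
    Set-DAClient -ForceTunnel $Mode
    (Get-DAClient).ForceTunnel
}

function Get-UnhealthyComponents {
    # Operations status: components whose state is anything other than OK.
    # Property names HealthState and Component are assumed.
    Get-RemoteAccessHealth |
        Where-Object { $_.HealthState -ne 'OK' } |
        Select-Object Component, HealthState
}

function Get-ConnectionSummary {
    # User and client computer monitoring: sessions in the last N hours,
    # grouped by connection type (DirectAccess or VPN). ConnectionType is assumed.
    param([int]$LastHours = 24)
    Get-RemoteAccessConnectionStatistics -StartDateTime (Get-Date).AddHours(-$LastHours) |
        Group-Object -Property ConnectionType |
        Select-Object Name, Count
}

# Typical daily run: confirm accounting is on, report unhealthy components,
# and summarise the last day's connections.
Enable-InboxAccounting
Get-UnhealthyComponents | Format-Table -AutoSize
Get-ConnectionSummary -LastHours 24 | Format-Table -AutoSize
```

Set-ForceTunnelMode is deliberately not called in the run block at the end: enabling force tunneling changes how every client reaches the Internet, so it belongs in a change window rather than in a routine check.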
Improved management experience
- Unified Remote Access Management console
  - DirectAccess and RRAS integrated into the Remote Access role
  - Deployment of RRAS and DirectAccess on a single server
  - Management of multiple servers in a single console
  - Easy migration of RRAS and DirectAccess from Windows Server 2008 R2 to Windows Server “8” Beta
- Detailed monitoring, logging, and reporting
  - Detailed monitoring of servers, clients, and user connections
  - Accounting in multiple formats
  - Detailed event logging
  - Tracing and packet captures
- Windows PowerShell scripting
  - Windows PowerShell scripting to configure, manage, and monitor Remote Access servers
- Network Connectivity Assistant (NCA) application
  - Integration with Windows Network Connection Manager
  - DirectAccess connectivity status
  - Remediation for common failures
  - Log collection for troubleshooting
  - OTP connection options if OTP is enabled
- DirectAccess deployment modes
  - Easy configuration of DirectAccess for client access and remote management, or for remote management only
- Simplified DirectAccess deployment
  - Getting Started Wizard with minimum requirements
  - Deployment without a certificate infrastructure
  - DirectAccess client IPsec authentication with Active Directory credentials only (no computer certificate is required)
  - Option to use a self-signed certificate that is created automatically by DirectAccess for authentication of the network location server and for IP-HTTPS
  - Features that are not available without a certificate infrastructure include:
- Access to internal IPv4 servers by using NAT64/DNS64
  - Support for client access to internal servers not running IPv6
  - DirectAccess deployment without upgrading IPv4 corporate servers
- Simplified IPsec deployment with a single tunnel
  - DirectAccess clients access all resources through a single tunnel
  - No requirement to manage a quarantine network of infrastructure servers that are only available over a single tunnel
New and improved deployment scenarios
- Single network adapter support
  - Can deploy a server with a single adapter that is located behind an edge or NAT device
  - Clients connect by using IP-HTTPS
- Force tunneling support
  - Easy configuration of force tunneling during DirectAccess configuration
- NAP compliance
  - Easy configuration of NAP during DirectAccess configuration
- Multiple domain support for DirectAccess
  - Ability to locate DirectAccess servers and clients in different domains
- Multiple geographical locations
  - Automatically connect clients to the DirectAccess server entry point closest to them
  - Computers running Windows 8 Consumer Preview can manually specify an entry point, overriding the automatically assigned entry point
  - Support for failover from one DirectAccess entry point to another
- OTP client authentication
  - Support for two-factor authentication using OTP
- Virtual smart card support
  - Can leverage the TPM on DirectAccess client computers to provide two-factor smart card authentication
  - Can eliminate the overhead that is associated with smart card deployment
- Behind edge device
  - Can deploy Remote Access servers behind an edge firewall or NAT device
  - No requirement for the server to have an adapter connected directly to the Internet
- Off-premises client support
  - Client computers join a domain and retrieve domain settings through the Internet
- DirectAccess client support
  - Can install DirectAccess on computers running Windows Server “8” Beta, Windows Server 2008 R2, Windows 8 Consumer Preview, Windows 7 Ultimate, or Windows 7 Enterprise
  - Limitations for client computers running Windows 7:
- Server Core installation support
  - Support for the Remote Access role on computers running a Server Core installation
- High availability and failover
  - Can deploy multiple Remote Access servers in a cluster
  - Can load balance the cluster by using Windows NLB or a hardware load balancer
  - Windows NLB supports up to eight cluster members
  - Hardware load balancing supports up to 32 cluster members
  - Can add and remove servers from the cluster without interrupting connections that are in progress
  - Support for all RRAS VPN protocols on server cluster deployments
- Improved performance in virtualized environments
  - SR-IOV virtualization for improved performance
  - Support for IPsec Task Offload v2
- IP-HTTPS behind a proxy server
  - Support for clients behind a proxy server that requires manual configuration of proxy settings
- IP-HTTPS NULL encryption
  - Faster performance with NULL encryption
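The client-side counterpart, as an added example that is not part of the original article and is not Microsoft's code: a Windows 8 Consumer Preview helper that reports what the Network Connectivity Assistant shows (DirectAccess connection status), the IP-HTTPS interface state that matters behind a proxy, and the multisite entry point table, and that lets an administrator switch a client between automatic and manual entry point selection. It assumes the cmdlets Get-DAConnectionStatus, Get-NetIPHttpsState, Get-DAEntryPointTableItem, Enable-DAManualEntryPointSelection and Disable-DAManualEntryPointSelection of released Windows 8 and the output property names Status, Substatus, InterfaceStatus, LastErrorCode and EntryPointName; the Consumer Preview modules may differ.

```powershell
# Added example (not from the original article). Assumption: cmdlet and
# property names follow the NetworkConnectivityStatus, NetworkTransition and
# DirectAccessClientComponents modules of released Windows 8.
# Run on a DirectAccess client computer.

function Get-DAClientView {
    # One object summarising what NCA, the IP-HTTPS interface and the
    # multisite entry point table report on this client.
    $status  = Get-DAConnectionStatus
    $iphttps = Get-NetIPHttpsState
    $entries = @(Get-DAEntryPointTableItem)
    [pscustomobject]@{
        ConnectionStatus = $status.Status            # e.g. ConnectedRemotely, ConnectedLocally, Error
        Substatus        = $status.Substatus
        IPHttpsStatus    = $iphttps.InterfaceStatus  # shows proxy and certificate problems
        IPHttpsLastError = $iphttps.LastErrorCode
        EntryPoints      = ($entries | Select-Object -ExpandProperty EntryPointName) -join ', '
    }
}

function Select-DAEntryPoint {
    # Override the automatically assigned entry point (Windows 8 clients only),
    # or return the client to automatic selection with -Automatic.
    param(
        [string]$Name,
        [switch]$Automatic
    )
    if ($Automatic) {
        Disable-DAManualEntryPointSelection
    } elseif ($Name) {
        # Refuse names that are not in the client's entry point table, so a
        # typo cannot leave the client pointed at a non-existent site.
        $known = @(Get-DAEntryPointTableItem | Select-Object -ExpandProperty EntryPointName)
        if ($known -notcontains $Name) {
            throw "Unknown entry point '$Name'. Known: $($known -join ', ')"
        }
        Enable-DAManualEntryPointSelection -EntryPointName $Name
    } else {
        throw 'Specify -Name <entry point> or -Automatic.'
    }
    Get-DAConnectionStatus
}

# Snapshot of the client's state; useful as the first step when a user
# reports that NCA shows a failure.
Get-DAClientView | Format-List
```

Select-DAEntryPoint validates the requested name against the entry point table the client already holds, so it can only move a client between sites that the server configuration has published to it.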