We recently covered the basics of DirectAccess, a new remote access technology that enables users to connect to the corporate network without using a traditional network-level VPN connection or a reverse Web proxy and reverse NAT solution. DirectAccess automatically establishes a connection to the corpnet before the user logs in. After logging in, users can connect to corporate information resources in the same way as computers directly connected to the corpnet over a wired or wireless connection.
The experience for remote DirectAccess users is the same as for users directly connected to the corpnet. Access to file servers, database servers, mail servers, collaboration servers, and any other type of server you can imagine is the same for DirectAccess remote users as it is for users on the corpnet.
Microsoft Forefront Unified Access Gateway 2010 (UAG) is the next version of the Intelligent Access Gateway 2007 (IAG). UAG is designed to be a single point of inbound access to your corporate network. UAG does this by consolidating a number of remote access technologies onto a single box. These remote access technologies include:
- SSL VPN portal, which uses reverse-proxy-like capabilities
- Remote port and socket forwarding over an SSL tunnel
- Remote Desktop Gateway (RDG) so that you don't need to install the RDG on a separate machine on your network
- Network-level SSL VPN, with support for both the SSTP and Network Connector protocols, giving administrators a way to offer full network access similar to that provided by traditional VPN servers
- DirectAccess server, enabling domain computers to transparently connect to the corporate network regardless of that user's location, without requiring any user input to connect to the network
While DirectAccess is included with Windows Server Standard and Enterprise Editions, there are many advantages to using Forefront Unified Access Gateway 2010 as your DirectAccess server solution. In this article, we'll look at what DirectAccess offers and consider some of the benefits of using UAG.
1: Manage remote users with the same tools and technologies you use when managing corpnet users
With DirectAccess, remote users connect to the corpnet over the Internet from domain member computers through secure IPsec tunnels. Domain member users are able to connect to the corpnet to access the resources they need. Even more important, IT can manage these users in the same way it manages users on the corpnet. Group Policy Objects can be applied to users, desired configuration and other management settings can be applied using System Center Configuration Manager, and just about any management system you use for end-user command and control can be applied to DirectAccess users located anywhere on the Internet.
2: Manage remote computers with the same tools and technologies you use to manage corpnet computers
Similar to end-user management, you can take the same tools and technologies you use to manage computers on the corpnet and apply them to computers located anywhere on the Internet that connect to the network using DirectAccess. DirectAccess client computers connect to the corpnet even before the user logs in, so these computers are more available for systems management. Unlike clients that must first bring up a VPN connection before your management systems can reach them, the DirectAccess client is always connected, which significantly increases the chance that the client computer will be updated and managed according to corporate policy and reduces the chance that it will fall out of compliance.
3: Increase end-user productivity
The problem with other corpnet connectivity methods is that end users always have to "do something" to connect to internal resources they need. They might have to establish a VPN connection or maybe they need to connect to an SSL VPN portal. Maybe they have to remember a URL to connect to a SharePoint or OWA server or maybe they need to configure their applications to work differently when connecting remotely compared to when they're on the corpnet.
DirectAccess takes the onus of "network location awareness" away from end users. With DirectAccess, they turn on their computer, and the connectivity to what they need just works. No VPN connection required, no special inside versus outside URLs, no application reconfiguration. Users seamlessly connect to resources they need regardless of their location. DirectAccess takes away location as a factor for information access — information is always available to your authorized users.
4: Separate intranet and Internet traffic to improve performance
Traditional VPN solutions often require that all traffic go over the VPN connection between the VPN client and server. This can have a profound negative effect on overall corporate Internet bandwidth, since the VPN users must compete with the corpnet users for Internet bandwidth. DirectAccess solves this problem by having clients use the DirectAccess connection only when connecting to corpnet resources, and their established Internet connection when connecting to the Internet. This significantly improves performance for both remote DirectAccess users and users located on the corpnet.
5: Provide an always on and secure connection to the corpnet over the Internet
DirectAccess client connections are always on, which means you need to be sure that the connection between the DirectAccess client and server is secure. Security of this connection is assured using IPv6 and IPsec. The DirectAccess client establishes an IPsec connection to the DirectAccess server, which can be the UAG DirectAccess server. During IPsec connection establishment, the DirectAccess server authenticates to the DirectAccess client and the DirectAccess client authenticates to the DirectAccess server. IPsec encryption is used to ensure that private communications are not intercepted over the Internet.
6: Simplify your DirectAccess deployment with UAG
DirectAccess is a technology included with Windows Server 2008 R2 and Windows 7. However, the Windows-based DirectAccess solution can be complex to install and configure. When you use UAG as your DirectAccess solution, you get unified management and control over the DirectAccess solution with UAG DirectAccess arrays. In addition, you can benefit from hardware consolidation: a single UAG DirectAccess server or array incorporates multiple remote access technologies, IPv6-to-IPv4 translation technologies, network load balancing, and array functionality.
7: Expand DirectAccess Client Access to IPv4-only resources
The Windows DirectAccess solution enables DirectAccess clients on the Internet to access information resources on the corporate network without needing to "do anything" to make it work. However, those resources need to be IPv6 aware. If the information is contained on an IPv4-only server, the Windows DirectAccess solution will not provide DirectAccess clients access to the information. The UAG DirectAccess solution solves this problem by using DNS64/NAT64, which enables DirectAccess clients to connect to IPv4-only resources on your corporate network. In fact, with the UAG DirectAccess solution, there is no need for any IPv6 resources on the corporate network - making it possible for you to take complete advantage of all that DirectAccess offers today without needing to embroil yourself in the complexities of IPv6.
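To make the DNS64/NAT64 mechanism concrete, here is a small added example (not code from the article or from UAG) that models both halves of the translation: DNS64 answers a client's AAAA query with a synthesized IPv6 address when the internal DNS only has an A record, and NAT64 later recovers the IPv4 destination from that synthesized address. The NAT64 prefix, the internal zone, and the host names are constructed for illustration; UAG allocates its own prefix from the corpnet's IPv6 range, and the RFC 6052 well-known prefix 64:ff9b::/96 is used here only as a placeholder.

```python
import ipaddress
from typing import Dict, List, Optional

# Hypothetical /96 NAT64 prefix for this example (RFC 6052 well-known prefix).
# A real UAG deployment uses a prefix carved out of the corpnet's own IPv6 range.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed sample of what the internal DNS server would answer for each name.
INTERNAL_DNS: Dict[str, Dict[str, List[str]]] = {
    "files.corp.example": {"A": ["10.0.0.25"]},                          # IPv4-only server
    "mail.corp.example": {"A": ["10.0.0.30"], "AAAA": ["2001:db8:1::30"]},  # dual-stack server
    "nope.corp.example": {},                                              # no records at all
}


def synthesize_aaaa(ipv4: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> str:
    """DNS64 step: embed the 32-bit IPv4 address in the low bits of the /96 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 NAT64 prefixes")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4))


def extract_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> Optional[str]:
    """NAT64 step: recover the IPv4 destination from a synthesized address.

    Returns None for native IPv6 destinations, which need no translation.
    """
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


def dns64_resolve(name: str,
                  zone: Dict[str, Dict[str, List[str]]] = INTERNAL_DNS,
                  prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> List[str]:
    """Answer an AAAA query the way DNS64 does.

    Real AAAA records win; only when none exist are A records turned into
    synthesized addresses. A name with no records at all yields an empty answer.
    """
    records = zone.get(name, {})
    if records.get("AAAA"):
        return list(records["AAAA"])
    return [synthesize_aaaa(a, prefix) for a in records.get("A", [])]


if __name__ == "__main__":
    for host in INTERNAL_DNS:
        answers = dns64_resolve(host)
        print(host, "->", answers or "(no answer)")
        for a in answers:
            print("   NAT64 would forward to:", extract_ipv4(a) or "native IPv6, no translation")
```

The important detail for a defender reviewing such a deployment is the ordering in `dns64_resolve`: a host that already has a native AAAA record is reached directly over IPv6 and never passes through the NAT64 translator, so only genuinely IPv4-only resources take the translated path.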
8: Ease Management Duties with the UAG DirectAccess Console
With the Windows-only DirectAccess solution, configuring more than a single DirectAccess server means creating the configuration on each server separately. Monitoring and ongoing management also have to be performed on each server, since there is no shared configuration available in the Windows-only DirectAccess solution. In contrast, with UAG DirectAccess you create the DirectAccess server configuration once and have it automatically deployed to up to 8 servers in a DirectAccess server array. The array also provides a single console where monitoring and reporting are done, giving a single view of the DirectAccess solution from within UAG.
9: Improve High Availability with UAG DirectAccess and Network Load Balancing
The Windows-only DirectAccess solution has very limited support for high availability. In contrast, the UAG DirectAccess solution has high availability built in. UAG DirectAccess integrates with Windows Network Load Balancing to help ensure that the array of UAG DirectAccess servers is always available to your users and that the load is distributed evenly among the servers, so that performance is optimized and users have a good end-user experience even if one or more UAG DirectAccess servers go offline.
10: Enhance Remote Access Security with Integrated Support for Smartcards and Network Access Protection (NAP)
DirectAccess clients need to meet the same security requirements as computers you directly connect to your corpnet over a wired or wireless connection. That means you need to make sure that only authorized users can connect over DirectAccess.
One of the best methods to authenticate users is two-factor authentication. You can configure DirectAccess to require that users present a smartcard and PIN before they are able to log onto the network over DirectAccess. In addition, you can use DirectAccess, with or without UAG, to enforce Network Access Protection (NAP) for DirectAccess clients. NAP ensures that the DirectAccess computer meets your corporate security requirements before the machine is allowed to connect to network resources.
You can configure DirectAccess to provide the NAP clients access to remediation servers so that they can self-remediate, and then provide them full network access after remediation. With UAG DirectAccess, you can enable NAP support by putting a checkmark in a single checkbox - it's that easy!
Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 additional books on subjects such as the Windows 2000 and Windows 2003 MCSE exams, CompTIA Security+ exam, and TruSecure's ICSA certification.