Windows 7 DirectAccess
by Patrick Nelson
Windows 7 DirectAccess gives mobile users seamless access to corporate networks without the need to use a Virtual Private Network (VPN).
It is available in the Windows 7 Enterprise operating system and is not available in Windows 7 Professional.
Enabling DirectAccess makes the entire network's file shares, intranet websites and other applications available wherever there is Internet access.
DirectAccess also allows administrators to update Group Policy settings on remote computers. Administrators can also distribute software updates whenever the computer is switched on and has Internet access, even if no user is logged in.
Windows 7 DirectAccess uses Internet Protocol Version 6 over Internet Protocol security (IPv6-over-IPsec) for encryption. Traffic either passes through a DirectAccess server running Windows Server 2008 R2, or all of it can be routed through the corporate network. DirectAccess keeps Internet and intranet traffic separate.
Both users and computers can be authenticated, and Windows 7 DirectAccess supports multifactor authentication such as smart cards.
Specific resources on the intranet can be switched off for certain users or machines, and administrators can allow access only to specific servers or subnets. Other IT advantages include simplification and cost reduction.
The bi-directional connectivity of Windows 7 DirectAccess provides a simpler user experience than a VPN. The user does not have to think in terms of networks, and connecting to network resources appears seamless.
Productivity is enhanced because mobile users can stay connected to corporate networks all the time. The product ties in nicely with Folder Redirection, which synchronizes files across the network.
A key requirement of DirectAccess is that the client runs Windows 7 Enterprise, Windows 7 Ultimate, or Windows Server 2008 R2.
A domain-joined computer running Windows Server 2008 R2 can act as the DirectAccess server. A solution also needs a network location server, which lets the client determine whether it is on the intranet or the Internet, and certificate revocation list (CRL) distribution points, part of the certificate infrastructure that issues the certificates DirectAccess relies on.
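As an added example (not code from the article or from Microsoft), the following PowerShell script checks a Windows 7 client against the building blocks just listed: the OS edition, domain membership, the client's own intranet/Internet verdict as reported by netsh, and whether the network location server answers. The NLS URL is a placeholder; substitute the one your deployment publishes.

```powershell
# Added example, not from the article: client-side check of the DirectAccess
# building blocks (OS edition, domain join, the client's own location verdict,
# and reachability of the network location server).
function Get-DAClientCheck {
    param([string]$NlsUrl = 'https://nls.corp.example/')   # placeholder, not a real host

    # 1. OS edition: DirectAccess clients must run Enterprise, Ultimate or Server 2008 R2.
    $os = Get-WmiObject Win32_OperatingSystem
    $editionOk = [bool]($os.Caption -match 'Enterprise|Ultimate|Server 2008 R2')

    # 2. Domain membership: DirectAccess settings arrive through Group Policy,
    #    so a machine that is not domain-joined cannot be a DirectAccess client.
    $domainJoined = [bool](Get-WmiObject Win32_ComputerSystem).PartOfDomain

    # 3. The client's own verdict. 'netsh dnsclient show state' reports a
    #    "Machine Location" of "Inside corporate network" or "Outside corporate
    #    network" and whether DirectAccess settings are configured.
    $state      = netsh dnsclient show state
    $location   = ($state | Select-String 'Machine Location').Line -replace '^[^:]*:\s*', ''
    $daSettings = ($state | Select-String 'Direct Access Settings').Line -replace '^[^:]*:\s*', ''

    # 4. Network location server reachability over HTTPS. The NLS is what tells
    #    the client it is on the intranet, so it should answer only from inside;
    #    a success while the machine is off-network means the client will wrongly
    #    believe it is inside and will not bring up its DirectAccess tunnels.
    $nlsReachable = $false
    try {
        $req = [System.Net.WebRequest]::Create($NlsUrl)
        $req.Timeout = 5000
        $resp = $req.GetResponse()
        $resp.Close()
        $nlsReachable = $true
    } catch { }

    New-Object PSObject -Property @{
        Computer        = $env:COMPUTERNAME
        OSEdition       = $os.Caption
        EditionOk       = $editionOk
        DomainJoined    = $domainJoined
        MachineLocation = $location
        DASettings      = $daSettings
        NlsReachable    = $nlsReachable
        # True only when the client's verdict and the NLS probe agree.
        Consistent      = (($location -match 'Inside') -eq $nlsReachable)
    }
}

Get-DAClientCheck | Format-List
```

Run it once from the intranet and once from an outside connection: a consistent pair of results is "Inside" with the NLS reachable, and "Outside" with the NLS unreachable.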
Microsoft suggests that enterprises will use DirectAccess and VPNs side by side for now, because VPNs are compatible with Vista and earlier versions of Windows and with non-Microsoft operating systems, VPNs work from computers that are not domain-joined, and VPNs do not require Windows Server 2008 R2.
Microsoft DirectAccess can be deployed with full intranet access, selected server access, or end-to-end access. Configurations can include DirectAccess with Network Access Protection (NAP), using Hyper-V for redundancy, and adding capacity by using IPsec on another server.
Microsoft has a DirectAccess design guide for system architects on the TechNet website which can help you design a DirectAccess solution. You can access it here.