DirectAccess
DirectAccess is a feature introduced in Windows 7 (Ultimate and Enterprise editions only) and Windows Server 2008 R2 that provides seamless intranet connectivity to DirectAccess client computers whenever they are connected to the Internet. Unlike most traditional VPN connections, which must be initiated and terminated by explicit user action, a DirectAccess connection is designed to come up automatically as soon as the computer connects to the Internet. In 2010 Microsoft released Forefront Unified Access Gateway (UAG), which simplifies the deployment of DirectAccess and includes additional components that make it easier to integrate without deploying IPv6 on the internal network. While DirectAccess is based on Microsoft technology, third-party solutions exist for accessing UNIX and Linux servers through DirectAccess.
Technology
DirectAccess establishes IPsec tunnels from the client to the DirectAccess server and uses IPv6 to reach intranet resources or other DirectAccess clients. A Windows 7 client builds two such tunnels: an infrastructure tunnel, authenticated with the computer certificate and the computer's domain account, which is up before any user logs on and reaches domain controllers and DNS servers, and an intranet tunnel, additionally authenticated with the user's Kerberos credentials, which carries the user's own traffic. Because most of the Internet still carries only IPv4, the IPv6 traffic is encapsulated in IPv4 to cross it.
A DirectAccess client can use one of several transition technologies, depending on the network it is connected to, provided the server is configured to accept them: 6to4 when the client has a public IPv4 address, Teredo when it sits behind a NAT, and IP-HTTPS as a fallback when neither works. Only IP-HTTPS carries the IPv6 packets inside an HTTPS (SSL/TLS) session on the standard TCP port 443, which is what lets it pass most firewalls and web proxies without extra configuration; 6to4 uses IP protocol 41 and Teredo uses UDP (port 3544 on the Teredo server), both of which edge firewalls commonly block. In every case the protection of the intranet traffic comes from the IPsec tunnels, which authenticate the client computer and encrypt the traffic to the DirectAccess server, not from the transport used to carry it.
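The address formats behind this selection matter to anyone reading intranet logs, because each transition address embeds the client's public IPv4 address, and a Teredo address also reveals the NAT mapping in use. The following Python is added here as an illustration; it is not part of the original page or of Windows. It derives the 6to4 address Windows assigns to a host with a given public IPv4 address, decodes the fields of a Teredo address as laid out in RFC 4380, and mirrors the simplified selection order described above. The sample addresses are constructed from documentation ranges, the ordering in select_transition() is a deliberate simplification, and the handling of the Windows Server 2008 R2 IP-HTTPS prefix (2002:WWXX:YYZZ:1::/64, built from the server's first public IPv4 address) is the example's own check, not something the page states.

```python
import ipaddress

# Prefixes defined by RFC 3056 (6to4) and RFC 4380 (Teredo).
SIX_TO_FOUR_PREFIX = ipaddress.IPv6Network("2002::/16")
TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")


def select_transition(has_public_ipv4: bool, udp_3544_reachable: bool) -> str:
    """Simplified order in which a Windows 7 DirectAccess client settles on a
    transition technology (assumption: native IPv6 and a filtered protocol 41
    are ignored here)."""
    if has_public_ipv4:          # public address on the interface: 6to4 (IP protocol 41)
        return "6to4"
    if udp_3544_reachable:       # behind a NAT but UDP to the Teredo server works
        return "Teredo"
    return "IP-HTTPS"            # everything else: IPv6 inside TLS on TCP 443


def six_to_four_host_address(public_ipv4: str) -> str:
    """6to4 address Windows assigns to a host with the given public IPv4:
    2002:WWXX:YYZZ::WWXX:YYZZ (site prefix 2002:WWXX:YYZZ::/48, subnet 0)."""
    v4 = int(ipaddress.IPv4Address(public_ipv4))
    return str(ipaddress.IPv6Address((0x2002 << 112) | (v4 << 80) | v4))


def decode_6to4(addr: str) -> dict:
    """Recover the IPv4 address and 16-bit subnet id embedded in a 6to4 address.
    Subnet 0 is the host's own 6to4 address. Windows Server 2008 R2 builds its
    IP-HTTPS prefix as 2002:WWXX:YYZZ:1::/64 from the server's first public
    IPv4, so a subnet-1 address belongs to an IP-HTTPS client and embeds the
    server's address, not the client's."""
    a = ipaddress.IPv6Address(addr)
    if a not in SIX_TO_FOUR_PREFIX:
        raise ValueError(f"{addr} is not a 6to4 address")
    bits = int(a)
    return {
        "embedded_ipv4": str(ipaddress.IPv4Address((bits >> 80) & 0xFFFFFFFF)),
        "subnet_id": (bits >> 64) & 0xFFFF,
    }


def decode_teredo(addr: str) -> dict:
    """Split a Teredo address into the RFC 4380 fields: 32-bit prefix, Teredo
    server IPv4, 16 flag bits (0x8000 = cone NAT), then the client's external
    UDP port and IPv4 address, both stored XORed with all-ones."""
    a = ipaddress.IPv6Address(addr)
    if a not in TEREDO_PREFIX:
        raise ValueError(f"{addr} is not a Teredo address")
    bits = int(a)
    return {
        "server": str(ipaddress.IPv4Address((bits >> 64) & 0xFFFFFFFF)),
        "cone_nat": bool((bits >> 48) & 0x8000),
        "external_port": ((bits >> 32) & 0xFFFF) ^ 0xFFFF,
        "external_ipv4": str(ipaddress.IPv4Address((bits & 0xFFFFFFFF) ^ 0xFFFFFFFF)),
    }


def classify(addr: str) -> dict:
    """Say which transition technology an IPv6 source address came through and
    what IPv4 information it leaks about the client."""
    a = ipaddress.IPv6Address(addr)
    if a in TEREDO_PREFIX:
        return {"technology": "Teredo", **decode_teredo(addr)}
    if a in SIX_TO_FOUR_PREFIX:
        info = decode_6to4(addr)
        info["technology"] = "6to4" if info["subnet_id"] == 0 else "6to4 site prefix (e.g. IP-HTTPS)"
        return info
    return {"technology": "native IPv6"}


if __name__ == "__main__":
    # Constructed sample addresses (documentation ranges, not real hosts).
    samples = (
        six_to_four_host_address("192.0.2.1"),
        "2001:0:4136:e378:8000:63bf:3fff:fdd2",   # Teredo: server 65.54.227.120, NAT 192.0.2.45:40000
        "2002:c000:201:1::1",                       # IP-HTTPS client behind a server at 192.0.2.1
        "2001:db8::1",
    )
    for sample in samples:
        print(sample, "->", classify(sample))
    print(select_transition(has_public_ipv4=False, udp_3544_reachable=False))
```

Run against a firewall log, classify() tells you whether a source address is the client's own 6to4 address, a Teredo address that names the NAT's public endpoint, or an address handed out from the server's IP-HTTPS prefix, which embeds the server's IPv4 and says nothing about where the client is.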
DirectAccess in UAG adds enterprise features to a DirectAccess solution, such as centralized management, high availability, and enhanced security (UAG contains an EAL4+ certified firewall, so it can be placed at the edge of the network). UAG also provides NAT64 and DNS64, so DirectAccess clients, which speak only IPv6 through the tunnel, can reach IPv4-only resources on the intranet: DNS64 synthesizes an IPv6 address for a name that has only an IPv4 record, and NAT64 translates packets sent to that address into IPv4 on the way in.
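How DNS64 and NAT64 cooperate, as an added example that is not UAG's code: the resolver synthesizes an AAAA record by embedding the IPv4 address in the low 32 bits of a /96 prefix, and the translator recovers that address from the destination of the client's outbound packet. The prefix used here is the RFC 6052 well-known prefix; UAG uses a prefix of its own, which the page does not give, and the zone data is constructed.

```python
import ipaddress
from typing import List, Optional, Tuple

# RFC 6052 well-known NAT64 prefix. UAG uses a prefix of its own, which the
# page does not give; any /96 prefix behaves the same way (assumption).
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed sample zone: the answers the intranet DNS would give.
SAMPLE_ZONE = {
    "legacy.corp.example": {"A": ["10.1.2.3"]},                             # IPv4-only server
    "dual.corp.example": {"A": ["10.1.2.4"], "AAAA": ["2001:db8:1::4"]},     # dual-stack server
}


def synthesize_aaaa(ipv4: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> str:
    """DNS64: embed an IPv4 address in the low 32 bits of a /96 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 NAT64 prefixes")
    v6 = int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(v6))


def dns64_lookup(name: str, zone=SAMPLE_ZONE, prefix=NAT64_PREFIX) -> List[str]:
    """AAAA answer a DNS64 resolver returns to the IPv6-only DirectAccess client.
    A real AAAA wins; only names with nothing but A records get synthesized ones,
    so dual-stack hosts are reached natively and never pass through the NAT64."""
    rr = zone.get(name, {})
    if rr.get("AAAA"):
        return list(rr["AAAA"])
    return [synthesize_aaaa(a, prefix) for a in rr.get("A", [])]


def extract_ipv4(ipv6: str, prefix=NAT64_PREFIX) -> Optional[str]:
    """NAT64: recover the IPv4 destination from a synthesized address, or None
    when the destination is native IPv6 and no translation is needed."""
    a = ipaddress.IPv6Address(ipv6)
    if a not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(a) & 0xFFFFFFFF))


def nat64_route(dst_ipv6: str, prefix=NAT64_PREFIX) -> Tuple[str, str]:
    """Decide what the translator does with a packet from a DirectAccess client."""
    v4 = extract_ipv4(dst_ipv6, prefix)
    if v4 is not None:
        return ("translate-to-ipv4", v4)
    return ("forward-ipv6", dst_ipv6)


if __name__ == "__main__":
    for name in SAMPLE_ZONE:
        answers = dns64_lookup(name)
        print(name, "AAAA", answers, [nat64_route(a) for a in answers])
```

One consequence worth keeping in mind: a host reached through a synthesized address is an IPv4-only host and cannot take part in end-to-end IPsec with the client; protection for that traffic stops at the DirectAccess or UAG server, which is the normal end-to-edge model but is not the end-to-end model that native IPv6 hosts can use.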
Requirements
DirectAccess requires:
- one or more DirectAccess servers running Windows Server 2008 R2 with two network adapters: one connected directly to the Internet and a second connected to the intranet.
- on the DirectAccess server, at least two consecutive public IPv4 addresses assigned to the network adapter that is connected to the Internet (the Teredo server uses the pair to detect the type of NAT a client is behind).
- DirectAccess clients running Windows 7 (Ultimate and Enterprise editions only).
- at least one domain controller and Domain Name System (DNS) server running Windows Server 2008 SP2 or Windows Server 2008 R2.
- a public key infrastructure (PKI) to issue computer certificates.
Smart card certificates, and health certificates for Network Access Protection (NAP), may be used along with the PKI. A third-party NAT64 device may be used to give DirectAccess clients access to IPv4-only resources.
Support for Windows Home Server
The latest version of Windows Home Server, Windows Home Server 2011, is based on the Windows Server 2008 R2 code base. Remote access to the user's home computers and resources is one of the key features of the Windows Home Server edition. Even though Windows Home Server 2011 is based on Windows Server 2008 R2, it implements no support for DirectAccess.
The reason is the steep requirements on both ends: on the client only Windows 7 Ultimate and Enterprise are supported, and the server must have two network adapters while a typical Windows Home Server machine has only one. Microsoft hopes to deliver a simplified version of DirectAccess for home use in a future version of Windows Home Server.
External links
- Microsoft's DirectAccess Getting Started page
- Microsoft's DirectAccess TechNet page
- MS-IPHTTPS on MSDN: includes PDF with specification.
- Blogger's posting on DirectAccess