If someone in your organization asks how to connect to the internal network from a remote location, the solution that comes to mind (most of the time) will be a VPN (Virtual Private Network). Once you set up a VPN server in your local network, you can allow users from any remote location to "dial in" to the server and make their device part of the network. This communication happens over a secure channel.
Almost all switch/router/firewall manufacturers build their products with integrated VPN servers, and there are tons of VPN server software packages available on the internet nowadays. Even though these solutions work very well, there are a few common issues. As we know, most of the time the people travelling are either company sales staff or management staff. Unfortunately most of them are not very technical, so you need to spend time training them on how to use the VPN client on their device. Troubleshooting is also a nightmare if they run into any sort of error. Believe me, most of the time they cannot tell you anything beyond "VPN is not working". No offense, but this is what mostly happens. Another issue VPNs have is connectivity. We cannot expect "solid" internet connections when travelling. It can be hotel wifi, coffee shop wifi, a client's public wifi, etc. that is used to dial in to the VPN. If the connection drops, the VPN will kick you off, so you have to dial in again. Sometimes you do not even know that you have already been kicked off the VPN. So maybe most of your time on travel is spent clicking the "connect" button on your VPN client.
What is DirectAccess?
Along with Windows 7 and Windows Server 2008 R2, Microsoft introduced a new feature called "DirectAccess". It is a Microsoft product and it acts as an "always-on" connection from a remote location to the local network. Remote clients connect automatically to the local network, and after every connection drop the connection is re-established without user interaction. This feature works based on IPsec and IPv6. So if your network has not yet moved to IPv6, you need to use a transition mechanism such as Teredo, 6to4, etc. to use it along with IPv4.
Once DirectAccess is configured, when you switch on a device it first checks whether it is connected to the corporate network via the local area network. If it is not, it automatically makes a connection to the DirectAccess server. As I mentioned before, this connection is made based on IPsec and IPv6. If the system is not using IPv6 yet, it uses the transition mechanism set up by the corporation. Then, if a Network Policy Server (NPS) is set up with policies, the device's health is checked against them before access to the network is granted. If it meets the health requirements to be part of the network, a health certificate is issued, which is submitted to the DirectAccess server for authentication.
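The client-side sequence described above (corporate network detection, IPv6 or a transition technology, then an IPsec tunnel) can be inspected from the client itself. The following is an added example, not code from the original article; it assumes a Windows 8 / Server 2012 or later client where the DirectAccessClientComponents, NetTCPIP, NetworkTransition and NetSecurity PowerShell modules exist (these cmdlets are not available on Windows 7) and an elevated session.

```powershell
# Added example (not from the original article): report which path a DirectAccess
# client is currently using. Assumes Windows 8 / Server 2012 or later cmdlets.
# Run from an elevated PowerShell session on the client.

function Get-DAClientState {
    $result = [ordered]@{}

    # 1. Inside the corporate network or remote? The client decides this with its
    #    Network Location Server probe; Get-DAConnectionStatus reports the outcome
    #    (e.g. ConnectedLocally, ConnectedRemotely, Error) plus a Substatus.
    $status = Get-DAConnectionStatus -ErrorAction SilentlyContinue
    $result.Status    = if ($status) { $status.Status }    else { 'cmdlet unavailable' }
    $result.Substatus = if ($status) { $status.Substatus } else { $null }

    # 2. Native IPv6? Ignore link-local (fe80::/10) and other well-known prefixes;
    #    anything left is a global or ULA address the tunnel could ride on directly.
    $v6 = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.PrefixOrigin -ne 'WellKnown' -and $_.IPAddress -notlike 'fe80*' }
    $result.NativeIPv6 = [bool]$v6

    # 3. Which transition technology (if any) is carrying IPv6 over the IPv4 internet.
    #    Teredo "qualified" or an IP-HTTPS interface that is up means the client found
    #    a working path; 6to4 and ISATAP show only their configured state.
    $teredo  = Get-NetTeredoState  -ErrorAction SilentlyContinue
    $iphttps = Get-NetIPHttpsState -ErrorAction SilentlyContinue
    $result.Teredo    = if ($teredo)  { $teredo.State }            else { 'n/a' }
    $result.IPHttps   = if ($iphttps) { $iphttps.InterfaceStatus } else { 'n/a' }
    $result.SixToFour = (Get-Net6to4Configuration  -ErrorAction SilentlyContinue).State
    $result.Isatap    = (Get-NetIsatapConfiguration -ErrorAction SilentlyContinue).State

    # 4. IPsec security associations. With no main-mode SA there is no DirectAccess
    #    tunnel, whatever the transition technology says.
    $sa = Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue
    $result.IPsecMainModeSAs = @($sa).Count

    [pscustomobject]$result
}

Get-DAClientState | Format-List
```

Reading the output top to bottom mirrors the order in which the client makes its decisions: a Status of ConnectedLocally means the rest is irrelevant; a remote client with NativeIPv6 false and no qualified Teredo or IP-HTTPS interface has no transport for the tunnel; and a transport without any main-mode SA usually points at IPsec or certificate problems rather than connectivity.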
Requirements for DirectAccess
To get DirectAccess up and running in your network you need the following:
1) It must be an Active Directory domain environment running at least the Windows Server 2008 R2 domain functional level.
2) The server that will run the DirectAccess server role must be joined to the domain.
3) DirectAccess clients must be running Windows 7 Enterprise or Ultimate editions or higher. It will not work with Home or Starter editions. All devices must be members of the domain.
4) The DirectAccess server must be reachable from the internet, which means it must be accessible via a public IP address.
5) If the network is not running IPv6, transition technologies such as 6to4, Teredo or ISATAP must be available for use with the DirectAccess server.
6) A PKI (public key infrastructure) is needed to issue certificates for device authentication. The DirectAccess server must have an SSL certificate installed with a valid FQDN that can be accessed from the internet.
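The six requirements above can be audited before you touch the role itself. The script below is an added example, not part of the original article; it assumes a Windows Server 2012 or later machine with the ActiveDirectory, DnsClient and NetAdapter PowerShell modules installed, an elevated session, and that `da.example.com` is a placeholder for the FQDN you intend to publish. The transition-technology requirement (5) is checked here only as "IPv6 is bound on an adapter", since the transition cmdlets themselves are client-side diagnostics.

```powershell
# Added example (not from the original article): audit the DirectAccess prerequisites
# from the prospective DirectAccess server. Requires Server 2012+ modules and elevation.
# 'da.example.com' is a placeholder; replace it with the name you will publish.

function Test-PrivateIPv4 {
    # RFC 1918 ranges: if the published FQDN resolves here, the server is behind NAT
    # (or you are seeing split-DNS from inside the LAN), not on a public address.
    param([string]$Ip)
    $o = $Ip.Split('.') | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168)
}

function Test-DAPrerequisites {
    param([string]$PublicFqdn)
    $checks = New-Object System.Collections.Generic.List[object]
    function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
        $checks.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
    }

    # 1) Active Directory domain at the 2008 R2 functional level or higher.
    #    DomainMode is an enum, so the string on the right is converted and ordered.
    $domain = Get-ADDomain
    Add-Check 'Domain functional level >= 2008 R2' `
        ($domain.DomainMode -ge 'Windows2008R2Domain') "$($domain.DomainMode)"

    # 2) This server is a domain member.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    Add-Check 'Server joined to domain' $cs.PartOfDomain $cs.Domain

    # 3) Windows 7 clients must be Enterprise or Ultimate. List any that are not.
    #    (Filter * enumerates every computer object; scope it with -SearchBase on large domains.)
    $bad = @(Get-ADComputer -Filter * -Properties OperatingSystem |
        Where-Object { $_.OperatingSystem -like 'Windows 7*' -and
                       $_.OperatingSystem -notmatch 'Enterprise|Ultimate' })
    Add-Check 'No unsupported Windows 7 editions in domain' ($bad.Count -eq 0) (($bad.Name) -join ', ')

    # 4) The published FQDN resolves to a public IPv4 address. Run this from outside
    #    the LAN as well: internal resolvers may hand back a private address.
    $a = @(Resolve-DnsName -Name $PublicFqdn -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' })
    $public = @($a | Where-Object { -not (Test-PrivateIPv4 $_.IPAddress) })
    Add-Check 'FQDN resolves to a public IPv4 address' ($public.Count -gt 0) (($a.IPAddress) -join ', ')

    # 5) IPv6 must be bound on at least one adapter, or no transition technology can run.
    $v6 = @(Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled)
    Add-Check 'IPv6 bound on an adapter' ($v6.Count -gt 0) (($v6.Name) -join ', ')

    # 6) A server-authentication certificate for the FQDN, with private key, not expired.
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $cert = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.DnsNameList.Unicode -contains $PublicFqdn) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
    })
    Add-Check 'SSL certificate for FQDN with private key' ($cert.Count -gt 0) (($cert.Thumbprint) -join ', ')

    return $checks
}

Test-DAPrerequisites -PublicFqdn 'da.example.com' | Format-Table -AutoSize
```

Every row with Pass = False maps back to one numbered requirement, which makes this a useful first step in a later troubleshooting session too: a client that never connects usually fails on 4 or 6 (the name does not resolve publicly, or the certificate does not cover the published name), and those are visible here before any tunnel is attempted.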
This is the end of Part 1 of the series of articles that will explain the setup process for the DirectAccess role. If you have any questions, feel free to contact me at firstname.lastname@example.org