REVIEW: Windows 7 DirectAccess Replaces VPN with Secure, Always-On Connection
Windows 7 DirectAccess is being billed by Microsoft as the "great extender"--a next-generation access technology designed to connect remote clients in the age of the vanishing network perimeter. One of the primary deliverables born of Microsoft's "better together" development strategy--which leverages the simultaneous release of the new Windows 7 client OS and the new Windows 2008 Server R2 server OS--DirectAccess worked well in eWEEK Labs' tests. However, system and security requirements may make DirectAccess just a pipe dream for many organizations right now.
Microsoft advertises Windows 7's DirectAccess as the great extender--a next-generation access technology designed to connect remote clients in the age of the vanishing network perimeter. DirectAccess is designed to replace the trusty VPN with a secure, always-on connection that requires little or no user interaction. Indeed, DirectAccess represents one of the primary deliverables born of Microsoft's "better together" development strategy, which leverages the simultaneous release of the new Windows 7 client OS and the new Windows 2008 Server R2 server OS to add more features and deliver more value to customers who adopt both at the same time.
Microsoft's New Efficiency cost-savings campaign (which was unveiled in September at an event in San Francisco) touts DirectAccess as one of the pillars of the better-together promise. While virtualization delivered with 2008 Server R2 via Hyper-V aims to deliver cost savings and operational efficiencies in the data center, DirectAccess' pervasive connectivity purports to deliver efficiencies to the workstation--through easier access to data and applications for remote end users and easier ongoing management and troubleshooting for IT departments.
If the client determines it is connected remotely, the next time a DNS name query occurs, the client will check its NRPT (Name Resolution Policy Table)--a new feature of Windows 7 that helps map a protected network's namespace to an internal DNS server--to determine whether the lookup request needs to be sent to the protected network's internal DNS server. Non-matching requests are sent to the DNS servers configured on the network adapter, keeping Internet-related traffic off the DirectAccess infrastructure. Requests intended for the protected network are routed via IPv6 over the Internet to a DirectAccess server that bridges the Internet and the protected intranet.
As many networks on the Internet do not yet support IPv6, DirectAccess will automatically employ transition technologies such as 6to4 or Teredo to traverse IPv4 and NAT networks. For clients behind a Web proxy or a firewall with a restrictive outbound policy, DirectAccess can also fall back to IP-HTTPS tunneling, cramming the already encrypted IPSec traffic inside another HTTPS-encrypted transmission. For those, like me, whose protected network was also not entirely IPv6-ready, DirectAccess also utilizes ISATAP to provide connectivity on an IPv4 intranet.
With DirectAccess, IPSec encryption is enforced automatically from the endpoint to the DirectAccess server at the network edge. Administrators can, under some circumstances, also extend encryption all the way from the endpoint to the application server. By default, authentication is performed on a machine basis, as administrators need to create security groups to identify the PCs eligible to use DirectAccess. As with encryption, authentication can terminate at the network edge or extend all the way to the application server. For more granular authentication, DirectAccess supports Smart Cards, although I did not test this configuration.
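The NRPT check described above, modeled as an added example (not code from this review or from Microsoft), shows which lookups stay on the adapter's DNS servers and which go to the internal DNS server. It assumes suffix rules start with a dot and that an exact-name rule wins over a suffix rule; the exemption entry goes beyond what the review covers, and every name and address is a constructed sample.

```python
# Added illustration: simplified model of the NRPT decision a DirectAccess
# client makes per DNS query. All names and addresses are constructed samples.

# Assumed rule format: a key starting with "." is a namespace suffix rule,
# any other key is an exact FQDN rule. A value of None marks an exemption
# (resolve with the adapter's DNS servers even though a suffix also matches).
NRPT_RULES = {
    ".corp.example.com": "2001:db8:100::53",  # internal DNS server (sample)
    "nls.corp.example.com": None,             # exemption (sample)
}
ADAPTER_DNS = "192.0.2.53"  # DNS server configured on the network adapter


def normalize(qname):
    """Lower-case the name and drop the trailing root dot."""
    return qname.strip().rstrip(".").lower()


def match_rule(qname, rules=NRPT_RULES):
    """Return the matching rule key: exact FQDN first, then longest suffix."""
    name = normalize(qname)
    if name in rules:
        return name
    suffixes = [k for k in rules if k.startswith(".") and name.endswith(k)]
    return max(suffixes, key=len) if suffixes else None


def route_query(qname, rules=NRPT_RULES, adapter_dns=ADAPTER_DNS):
    """Return (dns_server, path) for a query made while connected remotely."""
    key = match_rule(qname, rules)
    if key is None:
        return adapter_dns, "local"          # non-matching: stays off DirectAccess
    if rules[key] is None:
        return adapter_dns, "local-exempt"   # exemption rule
    return rules[key], "directaccess"        # sent to the internal DNS server


if __name__ == "__main__":
    for q in ("app.corp.example.com.", "NLS.corp.example.com",
              "notcorp.example.com", "www.example.org"):
        print(q, "->", route_query(q))
```

The lookalike name `notcorp.example.com` is routed locally because the suffix rule only matches on a label boundary, which is the property to check when auditing which names can leave the protected namespace.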