REVIEW: Windows 7 DirectAccess Replaces VPN with Secure, Always-On Connection

Windows 7 DirectAccess is being billed by Microsoft as the "great extender"--a next-generation access technology designed to connect remote clients in the age of the vanishing network perimeter. One of the primary deliverables borne of Microsoft's "better together" development strategy--which leverages the simultaneous release of the new Windows 7 client OS and the new Windows 2008 Server R2 server OS--DirectAccess worked well in eWEEK Labs' tests. However, system and security requirements may make DirectAccess just a pipe dream for many organizations right now.

Microsoft advertises Windows 7's DirectAccess as the great extender--a next-generation access technology designed to connect remote clients in the age of the vanishing network perimeter.

DirectAccess is designed to replace the trusty VPN with a secure, always-on connection that requires little or no user interaction. Indeed, DirectAccess represents one of the primary deliverables borne of Microsoft's "better together" development strategy, which leverages the simultaneous release of the new Windows 7 client OS and the new Windows 2008 Server R2 server OS to add more features and deliver more value to customers who adopt both at the same time.

Microsoft's New Efficiency cost-savings campaign (which was unveiled in September at an event in San Francisco) touts DirectAccess as one of the pillars of the better-together promise.  While virtualization delivered with 2008 Server R2 via Hyper-V aims to deliver cost savings and operational efficiencies in the data center, DirectAccess' pervasive connectivity purports to deliver efficiencies to the workstation--through easier access to data and applications for remote end users and easier ongoing management and troubleshooting for IT departments.  

In eWEEK Labs' tests on a brand-new domain running the latest and greatest version of Windows on both the server (Windows 2008 Enterprise Server R2) and the client (Windows 7 Enterprise/Ultimate), DirectAccess worked like a dream, providing instant-on, two-way connectivity. But questions about scalability, performance and management abound--and most of the answers rest upon another Microsoft gateway technology that is still beta, called Forefront Unified Access Gateway (UAG). Although based upon numerous industry standards, DirectAccess also needs a thorough vetting from the security industry before customers can be confident of privacy afforded by the solution.  

For many, though, DirectAccess may be viewed as an unattainable pipe dream for at least the near to mid-range future: those whose network infrastructure servers haven't yet progressed beyond Windows Server 2003; those who must slowly stage their endpoint migration to Windows 7 due to limited budget or IT resources and must therefore keep current access technologies active; those yet unfamiliar with the ins and outs of IPv6 networking; and those unwilling or unable to replace certain security implementations with Microsoft's solutions to provide scale or backward compatibility.

Indeed, DirectAccess' reach is limited: Workstations must be running Windows 7 Enterprise or Ultimate, while application servers must be running either Windows Server 2008 R2 or Windows Server 2008 SP2 (unless those additional gateway elements are added to the network).

DirectAccess leverages IPSec and IPv6 to provide the always-on connectivity. When connected to a network, the Windows 7 client performs a quick check to determine whether it connected to a protected network or elsewhere.

To see a slide show of Windows 7 DirectAccess, click here.

If the client determines it is connected remotely, the next time a DNS name query occurs, the client will check its NRPT (Name Resolution Policy Table)--a new feature of Windows 7 that helps map a protected network's namespace to an internal DNS server, to determine whether the lookup request needs to be sent to the protected network's internal DNS server.  Non-matching requests are sent to DNS servers configured to the network adapter, keeping Internet-related traffic off the DirectAccess infrastructure.

Requests intended for the protected network are routed via IPv6 over the Internet to a DirectAccess server that bridges the Internet and the protected Intranet. As many networks on the Internet do not yet support IPv6, DirectAccess will automatically employ transition technologies such as 6to4 or Teredo to traverse IPv4 and NAT networks. For clients behind a Web proxy or a firewall with a restrictive outbound policy, DirectAccess can also fall back to IP-HTTPS Tunneling, cramming the already encrypted IPSec traffic inside another HTTPS-encrypted transmission.

For those, like me, whose protected network was also not entirely IPv6-ready, DirectAccess also utilizes ISATAP to provide connectivity on an IPv4 intranet.

With DirectAccess, IPSec encryption is enforced automatically from the endpoint to the DirectAccess server at the network edge. Administrators can, under some circumstances, also extend encryption all the way from the endpoint to the application server.

By default, authentication is performed on a machine basis, as administrators need to create security groups to identify the PCs eligible to use DirectAccess. As with encryption, authentication can terminate at the network edge or extend all the way to the application server. For more granular authentication, DirectAccess supports Smart Cards, although I did not test this configuration.