|
|
|
REVIEW: Windows 7 DirectAccess Replaces VPN with Secure, Always-On Connection
By: Andrew Garcia
2009-10-05
Article Rating: / 4
There are 2 user comments on this IT Infrastructure story.
REVIEW: Windows 7 DirectAccess Replaces VPN with Secure, Always-On Connection (
Page 1 of 2 ) Windows 7 DirectAccess is being billed by Microsoft as the "great extender"--a next-generation access technology designed to connect remote clients in the age of the vanishing network perimeter. One of the primary deliverables borne of Microsofts better together development strategy--which leverages the simultaneous release of the new Windows 7 client OS and the new Windows 2008 Server R2 server OS--DirectAccess worked well in eWEEK Labs' tests. However, system and security requirements may make DirectAccess just a pipe dream for many organizations right now.Microsoft advertises Windows 7s DirectAccess as the great
extender--a next-generation access technology designed to connect
remote clients in the age of the vanishing network perimeter.
DirectAccess is designed to replace the trusty VPN with a secure,
always-on connection that requires little or no user
interaction. Indeed, DirectAccess represents one of the primary
deliverables borne of Microsofts better together development
strategy, which leverages the simultaneous release of the new Windows 7
client OS and the new Windows 2008 Server R2 server OS to add more
features and deliver more value to customers who adopt both at the same
time.
Microsofts New Efficiency cost-savings campaign (which was unveiled
in September at an event in San Francisco) touts DirectAccess as one of
the pillars of the better-together promise. While virtualization
delivered with 2008 Server R2 via Hyper-V aims to deliver cost savings
and operational efficiencies in the data center, DirectAccess
pervasive connectivity purports to deliver efficiencies to the
workstation--through easier access to data and applications for remote
end users and easier ongoing management and troubleshooting for IT
departments.
In eWEEK Labs' tests on a brand-new domain running the latest and
greatest version of Windows on both the server (Windows 2008 Enterprise
Server R2) and the client (Windows 7 Enterprise/Ultimate), DirectAccess
worked like a dream, providing instant-on, two-way connectivity. But
questions about scalability, performance and management abound--and
most of the answers rest upon another Microsoft gateway technology that
is still beta, called Forefront Unified Access Gateway
(UAG). Although based upon numerous industry standards,
DirectAccess also needs a thorough vetting from the security industry
before customers can be confident of privacy afforded by the
solution.
For many, though, DirectAccess may be viewed as an unattainable pipe
dream for at least the near to mid-range future: those whose network
infrastructure servers havent yet progressed beyond Windows Server
2003; those who must slowly stage their endpoint migration to Windows 7
due to limited budget or IT resources and must therefore keep current
access technologies active; those yet unfamiliar with the ins and outs
of IPv6 networking; and those unwilling or unable to replace certain
security implementations with Microsofts solutions to provide scale or
backward compatibility.
Indeed, DirectAccess reach is limited: Workstations must be running
Windows 7 Enterprise or Ultimate, while application servers must be
running either Windows Server 2008 R2 or Windows Server 2008 SP2
(unless those additional gateway elements are added to the network).
DirectAccess leverages IPSec and IPv6 to provide the always-on
connectivity. When connected to a network, the Windows 7 client
performs a quick check to determine whether it connected to a protected
network or elsewhere.
To see a slide show of Windows 7 DirectAccess, click here.
If the client determines it is connected remotely, the next time a
DNS name query occurs, the client will check its NRPT (Name Resolution
Policy Table)--a new feature of Windows 7 that helps map a protected
networks namespace to an internal DNS server, to determine whether the
lookup request needs to be sent to the protected networks internal DNS
server. Non-matching requests are sent to DNS servers configured
to the network adapter, keeping Internet-related traffic off the
DirectAccess infrastructure.
Requests intended for the protected network are routed via IPv6 over
the Internet to a DirectAccess server that bridges the Internet and the
protected Intranet. As many networks on the Internet do not yet
support IPv6, DirectAccess will automatically employ transition
technologies such as 6to4 or Teredo to traverse IPv4 and NAT
networks. For clients behind a Web proxy or a firewall with a
restrictive outbound policy, DirectAccess can also fall back to
IP-HTTPS Tunneling, cramming the already encrypted IPSec traffic inside
another HTTPS-encrypted transmission.
For those, like me, whose protected network was also not entirely
IPv6-ready, DirectAccess also utilizes ISATAP to provide connectivity
on an IPv4 intranet.
With DirectAccess, IPSec encryption is enforced automatically from
the endpoint to the DirectAccess server at the network
edge. Administrators can, under some circumstances, also extend
encryption all the way from the endpoint to the application server.
By default, authentication is performed on a machine basis, as
administrators need to create security groups to identify the PCs
eligible to use DirectAccess. As with encryption, authentication
can terminate at the network edge or extend all the way to the
application server. For more granular authentication, DirectAccess
supports Smart Cards, although I did not test this
configuration.
|
|
�������xr㶲(;; Yڦx�iJVlҌפ*�EB�c")_v8x��%2o-�D�n4�w�~ IM��ל۔O]sSãw�$5]�2I=*rdz&9%G�jL7�R}f]S� k���kL|N�x � tjOt0.Pk< Z5��35ԗoˏ~e0��-ڎIQ6)�N�մ�<ڴ�$�)qHÑh]
!QQ��ږyDm:
_�N oT|�_�ANé-}!*{�>$E%U5E�hDԸ#|OП��{/�!�X]~�ꄽ4-f돇dh-vux�;2oV�6^�;�s9ȹ�׳�z$fRvn8Gd`jI:@*"4��C6S!1kk�Rը>lY}@|ݑ|Y#Xo:Q� ��æ�&q/#!_TB�p` V�R�Bm
Olˇ�;)xA'�ס"
'�m_j|��uvs<$s~3 r�d�HU
6� �C p==\'DL<:/yӝÌfؖqwh �푦J5(GJ\S#罨r�ӽm˙?X8N�ϿΕiR]vήr$�(֝[p
mKIu]+h5�u=;yظ} �d}+5��UJ�`Z.�
G$�_����::~\B^�,9@FI?j�|%R+
�i��٥zd$Y3)2���,ԐY;~K~6/NM퓳N��l,a�R422V,]鮘FȏwAժu|qӹluoz{MZOv�Y;��i
O�ɗV�\vO|��SQ�&�:aZ+U#3?_$ZW�;'$'MD[�Y��tǷP[,/s$�BrZ~@X*V�� Q3o�f5
tA�[&%Gi)"���:ur�PsfZ[c/�FU M�X�r)
t$uWϝ�7�>hr�
Ce)#p?�݃I��hJq�䰉k>ذ�1�"%��hJ@{�e�
TI��%嗋�mf>�]R${3BD�ȝ`g@qE�!\J��!=!
g�|��8U%Ku}7�peMCzlNTVʒ0Wb{g(�E�ށ:ixnUO�^
S�%g�5F8�,h�eݴ%!�8WGoۛZ\M*%xX=*BE*GU, �F̶#ؠ�S&�s;<�|0��ZG>OtvϧԴPwP�?�:�M��/�G˥qf�1�@�
L�na�
�p|w��͇v1s��/|�\aR���֔zN�j$�nh��-DCwM0Ie!S uG��νdrg�oM~�يС4}a���q�jS?g !Tg ,z�u=
}
�wA���k
6GT[-[�Z6x�GA }Q�P|'sZ(�7^`��y"# E�EK�y3@� $h�5a��z�.��?�
��ޑ�vZ*&R��P*m=!ԑt݁Z*=h3aGe�-n^
$�d6g2+IMiG0V-&D7r"e�.G 7Kᙖ6ZlkVe
y=0�ГޙL�dd��ٚM>�BB13
�{A3u�OP#'Կ����;7u9\v,_zt?�Gc�NEiKJ/ι7�M)j�`>J�7n�2g�NP/h|WY� �3EDVhdF!!
= \Pȭ|3R;=��Mrʳ"�#��@7�X>ť`N)m�t�й+>q^v.iԚv eiֽXK�u7Rum�I�J�ۥa]hk%�T8��7�Bj^[a6�F]��RZRKHDl�Pc/X�+e�zd(�e6LF%jIo2�@n�=�ȢmD�G*+i�#S�OodV-iV9ҴZZ,�<>kp6X"@�@�7w�L)mT.mT^͇Χމ;�i6�E7{L-t����MH
&��Ea e�-6BSbg`m1J���0f&6X#˦>oُ�gWKH�ZSYClX.)�Ui��j"�yd\s˰2X�rGmٔA�utn\?09CL-�˙�@�0ρ6uT8[-O#BE-��Dd�
S??uPV���?_v�sz�>S?؉ ܕV�����R�5SwhlrKcJ�rEu�l{��`�Sքc'M}Xt��yyW��>Ѐ�ap���"=����j�0�hs}�!T0�|*WT�ˈ`m�S@Ak�SU�
Փ.E^~~�V��K
i?aE�"'1ڣ�s!�a*/W+ Z|�;O�jZ(T+19ʪZ��Js�VV�2�:EƟQ���pϣ�*騫VJۂe2&0�ʃF5c�;
[�LY�6Z
ƚAFp5ز@�ngr_�"w�>sԳйtNsl �}~rn�Af �D�|��8 F�.K6,^ira;9Qo@H�ms11� ZH$;QOH07�$pkj fS))r�*H+Ut�Y/sO�Yy"
2ƞnR�HrX%:�i=$>JS-B�tqq#Z7MFBR%%^ͳnvdi&x9L�5�Ll�'P`�R(S&Z�D�]Rx*+nQ/ew���S? &i�=�P3�&tƝ7/��1Tcn?ºe$I`�\&LXt �Z:L�T)�OLJZZ$|p`����F�"{qT2NEM+v@l+J9wwG2M�3����t@�ɢ\�'
WeRUn8J3��,�$�%,rF<��"MMxhG���=a?qq-<92���=�QZ��aǰ�ZPf/�gF�Dccb^f>A*o��P�[�/I6]S�0:;_�ݘ`3ax��-⤔�Q+M?;$�mSv/is�O�0�int/�y01�vY? 0WK?�0�Ї_eCR:"hueK\4?p�Cmtj2�e'A)��pQ�>rfWϊ۫fչ ]:�y��p0Z�<�!hXw/�ΥI{��e[J:^;�j��܃�,=
YE#Bȧ�5�Bk;d4) �3z��0fK#&WDH[�()�u}͙�C�9�kI.Dz=d_5�g0Y
h-� ۯ}oE�9
²V�XȬE`&|]7$��T0�r$�`�$X�)��XAU:]7?G:Ky�9P���^S�(+RJ)"4FYO |F�Zu3��_f��Rt4zUr:Hעo1Mr!}J_cNfo4��~ P=8Y,rh%縵vRt��0?;)}AmN9˝��~DҼ�"g��Í7��6w "HtSOkԛC2L:�&r֚S�D[@csOӖO|�B�a�J;DHa2Su?Is6�uYԺ�[&�N#hA�S:%ə(�F�=�)�*ښIդ"8I5F4A2
uIH?
Md4XPW
Hق�
$O�krwisq�^]ҹsXd`�L`ql)Za"|)Nr
9i�`e>�%;yRb�QגZ4ҫoeW!9�
��|D�s`�=C�D!aFCrWkb~�=ZU${ݝ:��h�cɅ���p
`/a
;eΫ� P|�u{�{eB�s�?݁CO6r=ICo6�OG2M ��.`�Y #z�}
D{O�,ik�n;�;=?P.V=w-h*1
rM/hu5fX%��gNuA�?%>iפy�j�a~%X@R�;#|$~>x�FM{uS棏G�
95�'y�V7�N{m,d�a3fo v/ݻw�~Zؖ[q*A=wC<�L>?Fdc:��M"�I^U֭˯Ȫ̅S.{ۋ�G#S~`q8-<��c�tH_/lځ;�-�3(��m3{F-_2{K�7Kx=W<�cO4��]f+wK�MmJKz%nQh�r;ī�ًKqyeQ�j�ȓG��DK`#i�>R�o�14��m*z3=}z9[fvÏ5"i� ��N6;x1tY��A�AXy� !VorlK9w@rs&�8l��Pf�pvn
֔I���i#ĠHYųsMs ��_5D��N��
X��W+Oi��/!IVܱ�S,*_�1;l�V6֊ v)[ꈧ W�ך�|e�b�֚K�KLBI|�pI�M{fr+��(?8��ܻ'VD�e�[b[0| ttj9J;~|ːuY]QԽRSJM��4ӗ?W>�n,?ӏJvG]<0f�ˢ�O�xA`",5iҢJ�kY`I�e<2TEk�S̈G�8d(,0��SZ(=I�V(�P6œ1+p�a�Ȃ��}A>s量Bld5mh�32Pq�<:&
)�>vc"Ql0�
{�jG[�{ζLSɩ~lOӊد,�3�O2X!_jb?X7:%4)Yl�vš] = RS�58O�wE-b��y}6fr+gm�Nz��wKčByv(JmfL$Nvl˛r=�3CϬb(�NV(Y/{X,4 �L<�7, >����0s~Ԋ4�C$GEX@+%�Y+�'�[՛��Dz&k@Y�fg�'P]b�/.
̟�.xS(�fo7�;F)!o�Qr�Xl�*7iP)ސsFYmI'S�>��Q�ˀ0�RL=_*�kr/;�s?LX�q� #0dh�B�G6{R��wؑ��', tnYI鵘(خ��-��_Jᰜ?�b6gc �;#j6t���XK-1t�D:XUJP_oc�@�>ϳ�_BzE-�ɹ�݇i�9qH�F�38�a�E�!L`}�RD
}{�ۿ�lPb%/Ō`T�0�)�kǗ)
8t\�։T.ivڎ#� 8%H���p_�;=�
l��;
jKܢ9t�+8.ɥk�
Ŋ�}�$�$�7�$�VcFs0S\^�FS��ooooܿ?VT4Xǽ[7B�d�RǤTje0�_S�!鲅*`XӾ,ղ5Hc-|1JI�ܔz��R\!�S^1 KsvkK٢ۓZZPuc$�8[��&�Z@'�<�L��k�/r=^gؒ1�/Ř�� ��'HY0&�½Ëk"C��P�)UǪ�[ǽ9_z�6ykA/6B�ͦ1��pncF�e &DB�:4!�G��$ +��&A$�=>ݒJ/m\?u7�+ˊ$�}zgut/�Ɉ2yږ?ZR[3��.a�<2lD-0 -|eK,"K�Pk�h��D�;{RRM]&U�\S6Z)F+��&Z вa3M�O%gU^ώܱ0ڻ;>]]w�m5De� T&2 +�^+a�%[.q^bnAo%v�n��Хtn{2��Gqaxjɠ�B�`�I�'9�ż~�CL�A
� صƗv^+{O�@�e_�3s�,��ݟ7�$Id�>�a�%FnHƓ~5�NLVݞ��DzJh%)1M&]pMFVPA>'GOհƓIQEs/ތ"�*Y\~]�>ǵl� ;˶�zw�VjXaWCòk>DK\nz«GQ1.0'���kT���|85�}i\ĭVPC]3tb2oAAm�֏�V%*�U;�؆nƮ0=JxdK=Ҳ|6L�zlï^�Ji��f-2Ě�]a+I�錃qlrGo�禈S&ed,��.'? .]�/c�>W&ܹF�?m ۧH?=[�L�_毀qִ@{6�I�q*�!Z�z8R[�xz1LC1P1=0*+S�2l�;CԸl`>�tq"o��(k�ʁV=P�,�M�Y+
Z&ƘKjx�VQjj~zz_ZbiE�.c
2G'L i��/�"�r*ނ0H�Q�&"Т˻@JVH4i``8oh1zy
\<�>)fFll@��Lຶ��b�mj�_ڹ.q� yK-9Z<�hfNDf`h*yvLa�K9��cg]*+vC`m
4,\�=�\πTn��A4�`}"kR%26tZ'BO;�|�}yjUS*ZYQ#��_��/zடHಈ֞uvü�clTҊj9y[G��Ra
)zd1�&q-�>v"A�fko)&9�~w��A�r�|w\�[J[
w5k]
tP�CY �RodhsE{wi/1�~J+kѱF�=Ν(\NW�D
]%F�R)�t)@P\�ׯ0OļX^sn0�؞` 1,9+�`iZ`3+n{lKZIȶ8+il�wAQg)q8�@�ə莥����eЁHz3jXzg
?R)!m%:*=+s\1�oiwg|$TQ�L�&ťbD )�m3F#�Oc+ӘP'iQ�+p��SY�?�YVmIr .�kh�>a,{�R(?hUeQb+�Y75��S�U@�8AnK�e}6
��}L`߄> XPpÑ��MA9(W�TD~��N����̋XH�t4*$:���m;A=~U}DLRO����<\�ND�CVY
`Oh$�~b "uFf."��Q���`B�p�7,$�9'yo_^ C�y��y&��Ly�i9-@g�1��<]7xeϾSc�}Ə 'l�I<��0W�l���:�|e1q=I:�?�ra)��r�� s)J~k7?__RԌHe� �t0��83�b*�!F��2*mG{/�nrn�-i`IkH���J���z�ENITPiF�c�t߰�Þ�1a6�q(�(1At1�\11Faŷ^(�l�;b21#|>Oc|�yT�H"08y�(b�U��
�T�,
���!�⇖z)%nmn$\:�}ys��Li0q�x@g�-�.E�.[q(OpWYN<�&pj��,ywF7`C'[��E9�Y|ob{�LgA~\b�@Ԑ0��~(V$Ѕ:�y,@#!��9ω�k���ka]?X/F`��p���3�W�VjE)OBӁRs]��xf?:|.OjY,f/c�~\iB�R.
��?$-GF쌆�d2�`�fڟ�,\yuuvI^ۤwrݹw}sL֊�_ԝnIi}uݹ��hT湾��,g6OFY�yfvʜPN�:cͅf�.Y3U94dG_0}4��e`)'Qoxe;ʋ KNi21sSl۽M-W'>;Ś�:|jS#�}uLMp܄ ��@1@C|kO{5BJ�6ρ�33_2ʯz}I�8QޅnF9rz}y�hjg@Si�}>@?dG(ku֗wZFQ�d�3ˌr'?r{�埡s��fE\���_�,@ߋ�^�}.2s�_d�y���2z'(Q~�g�d_@EF9e^\f%euwAt3O�K7C\�\e�Կʨ
s?=�e�g__P�>f'(U�}�S�n&�&oon2/9IR<��9k^픊�8k�gK�"~�)�P�5(ge�3�Vڍn�a�{Ar!g�e_/C@q�sum%�R+��]YKxM}%k{[Z1nv�d}חG{1Pi� �+{JyH�2�r hxVyd�b�
bye?VP�w;]�CҤ�]�j.�{%])W[O'i��kr(%s<2g!�gs=*
t�=}}:�HD1�K�AF0_w��ͣ,_5;H_e�xĻO�e�ݞ܃�8*%��.n
ۍ%9����x�L|u�ӚܴO]Yv��<2k]Օ/#B�Af_b
5?'OxVf2��'[�*8�uߚ� u8�y$��} X&@Y$'}Q�?ǰs�3Nq!_
MW+4\1�"u`-�l>EM+�+J9ww~��������z@�b2jJ]N�mJT�L��3B��/(�@#غ̷xR#xC7<8a�Rq�
p+�E�!'\C�xߏ ѱ6;f]W2
dy3�IBoT�;)��@18�L�o�
7X�i- R�W!+BfxK;��f1n!�\ŠMC7a�%Kva[F0�m�|w4�G2[?�Mqgq%B4;Po.@c�mcC{� ,L=�O�~�2R�
S}&ՃoB%\"�9�oъ^\�
΅*K �X-0�3]1�cc6Hm�\wrlC�k��nܙ%\O_ aZ�'Vbg9�4Iأ_BDOv�֢-KH���-C�{)B9n���g�X3Wd]d��A_d|bOh6Mx�[o/TsLHd v"ѱw�PF�v�_ 7'��>$Xm)۹b,ӧ6M\�-On\{.ܿۃ[uO�J�r3f;��U/=�ׇ"�2cX
=��=9��P٥M�u����Y{N6� )4�Mϫ�R���KPRJ��Vm.Q�?�`n6{tϘHmg�X�|@ăHv!$K�&.{�|XT��,sD��?�>7S1U)ւ�_�/gw�d�L�dA��>X�Z��c.,s(ŬBSd��=�)�O?5'[nI
5E`0l4aehDS,T6y�s*>�% �/� �i?;M1xu��A]�=_�v{[>/'_Ş�i#�}��@ =(ۉnfTt
%K@��4{W�
78ǩk�Vmx�j{ݾX�g�
昻�k�OXU\M)�X7lB+`�jk�7�u�ywDL\7xaW_gvC�%�=�Ik �r?qm�r�?0/�rX)>�e5raI�Ƚgz�`Z>^}�]x�
O!0gW�PR
Y
-f�1%IDb88)ҡCCĞBJ>eSC7@n0\|װ
d[\Oօu��\j�/bY4~>��fr*r*]x�D4;N7/sGOg
|I>"�:xqea
��V\r*��`wҝX{y�B(O}y9|C*'ꙺ�UN'ώ�/}B=FBl4*�7·y:�?C[7nyq�ݏ-)|FYzhIwv��jZ��?`(X��E�h��⍿#01�4[3ˬZY$I#;ob[�b$-�U.IM)V�[gqۙ�g۲M�*d.%r�R�۬_fTN�ZJ܄;"�6BKFslx�6� ��!�+��
|
IT Infrastructure 
