IT Infrastructure - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  IT Infrastructure


REVIEW: Windows 7 DirectAccess Replaces VPN with Secure, Always-On Connection



 By: Andrew Garcia
2009-10-05
Article Rating:starstarstarstarstar / 4


There are 2 user comments on this IT Infrastructure story.


  Table of Contents:
  1. REVIEW: Windows 7 DirectAccess Replaces VPN with Secure, Always-On Connection
  2. Network Up to Spec

Rate This Article:
Poor Best
REVIEW: Windows 7 DirectAccess Replaces VPN with Secure, Always-On Connection
( Page 1 of 2 )

Windows 7 DirectAccess is being billed by Microsoft as the "great extender"--a next-generation access technology designed to connect remote clients in the age of the vanishing network perimeter. One of the primary deliverables borne of Microsofts better together development strategy--which leverages the simultaneous release of the new Windows 7 client OS and the new Windows 2008 Server R2 server OS--DirectAccess worked well in eWEEK Labs' tests. However, system and security requirements may make DirectAccess just a pipe dream for many organizations right now.

Microsoft advertises Windows 7s DirectAccess as the great extender--a next-generation access technology designed to connect remote clients in the age of the vanishing network perimeter.

DirectAccess is designed to replace the trusty VPN with a secure, always-on connection that requires little or no user interaction. Indeed, DirectAccess represents one of the primary deliverables borne of Microsofts better together development strategy, which leverages the simultaneous release of the new Windows 7 client OS and the new Windows 2008 Server R2 server OS to add more features and deliver more value to customers who adopt both at the same time.

Microsofts New Efficiency cost-savings campaign (which was unveiled in September at an event in San Francisco) touts DirectAccess as one of the pillars of the better-together promise.  While virtualization delivered with 2008 Server R2 via Hyper-V aims to deliver cost savings and operational efficiencies in the data center, DirectAccess pervasive connectivity purports to deliver efficiencies to the workstation--through easier access to data and applications for remote end users and easier ongoing management and troubleshooting for IT departments.  

In eWEEK Labs' tests on a brand-new domain running the latest and greatest version of Windows on both the server (Windows 2008 Enterprise Server R2) and the client (Windows 7 Enterprise/Ultimate), DirectAccess worked like a dream, providing instant-on, two-way connectivity. But questions about scalability, performance and management abound--and most of the answers rest upon another Microsoft gateway technology that is still beta, called Forefront Unified Access Gateway (UAG). Although based upon numerous industry standards, DirectAccess also needs a thorough vetting from the security industry before customers can be confident of privacy afforded by the solution.  

Resource Library:

For many, though, DirectAccess may be viewed as an unattainable pipe dream for at least the near to mid-range future: those whose network infrastructure servers havent yet progressed beyond Windows Server 2003; those who must slowly stage their endpoint migration to Windows 7 due to limited budget or IT resources and must therefore keep current access technologies active; those yet unfamiliar with the ins and outs of IPv6 networking; and those unwilling or unable to replace certain security implementations with Microsofts solutions to provide scale or backward compatibility.

Indeed, DirectAccess reach is limited: Workstations must be running Windows 7 Enterprise or Ultimate, while application servers must be running either Windows Server 2008 R2 or Windows Server 2008 SP2 (unless those additional gateway elements are added to the network).

DirectAccess leverages IPSec and IPv6 to provide the always-on connectivity. When connected to a network, the Windows 7 client performs a quick check to determine whether it connected to a protected network or elsewhere.

To see a slide show of Windows 7 DirectAccess, click here.

If the client determines it is connected remotely, the next time a DNS name query occurs, the client will check its NRPT (Name Resolution Policy Table)--a new feature of Windows 7 that helps map a protected networks namespace to an internal DNS server, to determine whether the lookup request needs to be sent to the protected networks internal DNS server.  Non-matching requests are sent to DNS servers configured to the network adapter, keeping Internet-related traffic off the DirectAccess infrastructure.

Requests intended for the protected network are routed via IPv6 over the Internet to a DirectAccess server that bridges the Internet and the protected Intranet. As many networks on the Internet do not yet support IPv6, DirectAccess will automatically employ transition technologies such as 6to4 or Teredo to traverse IPv4 and NAT networks. For clients behind a Web proxy or a firewall with a restrictive outbound policy, DirectAccess can also fall back to IP-HTTPS Tunneling, cramming the already encrypted IPSec traffic inside another HTTPS-encrypted transmission.

For those, like me, whose protected network was also not entirely IPv6-ready, DirectAccess also utilizes ISATAP to provide connectivity on an IPv4 intranet.

With DirectAccess, IPSec encryption is enforced automatically from the endpoint to the DirectAccess server at the network edge. Administrators can, under some circumstances, also extend encryption all the way from the endpoint to the application server.

By default, authentication is performed on a machine basis, as administrators need to create security groups to identify the PCs eligible to use DirectAccess. As with encryption, authentication can terminate at the network edge or extend all the way to the application server. For more granular authentication, DirectAccess supports Smart Cards, although I did not test this configuration.  





  Reader Comments: REVIEW: Windows 7 Direct Access Replaces VPN with Secure, Always-On Connection
>>> Post your comment now!
A user comment on this article
Is it possible to configure Direct Access in such a way that traffic to certain external destinations goes from the client via the protected domain?
Posted At: 10-08-09
By: ar
Another method of forced $$ updates?
"Indeed, DirectAccess reach is limited: Workstations must be running Windows 7 Enterprise or Ultimate, while application servers must be running...
Posted At: 10-07-09
By: John Bowling
>>> Post your comment now!
 


 
 
>>> More IT Infrastructure Articles          >>> More By Andrew Garcia
 


xr8(ViW1E]RleMٖR:EB!)/շ_9q_>M %yvW.["2H$Iș3"9)ٝfߧGo-zIjû@@ezNULsJԶnT7n[#3P/?`᳙(,t@T|_ANÉ,}!*{'E%U5EpHԸ#|/Ə;ό3!X]~ꄽ4-jd` vux;2oV6^;s9ȹ׳z$5d#7t#205AR#[dTZ wӁk)p5\`p)jPX6tG,#H>!P;uIV@daS/*! lpa#j)y'CLjXEsؗ}Yͼ`F3l˸;4 @SKVUBX)ځ^TY-ip'oz3jλ ? ?uh;XARy] Z }tvNzuvN4yvy/ȯ;YHM~goDR˅$D>-؁P> ϑkQҋZ-[jZAS T$0yY>E4d™EU2au;-^m^:A,3SAT4 ̠K`WK!eP>9~n_wsE[G.w:Pڟ+Hok*}k! /xR&:aZ+U#3t9}lq.?HN‘,ɿN{g;Beu#7{W=R(y30si2)OςIutO|BMk6tI< EC#ɠ:ڴ;\Vc4!D&MЀ_aNh>[ <{  0&ԟsZ LP#wM۠h&r=kIׇ.[?? [ G`p\&[ xk=`DMtC` V< 2/?>an@ }S(r`OA[9nc@gS̷rHz::3`|= 0Xհݙ2|dܣ%=?p*JNCjVzv}v7MAV?Ty |9p‡9E#rUϚX 5<.&B#5w:Q OjBnLr畔eIY(iJS% LyK).EcwBl㜜;F]s;tOִ=/O꽥ZЬ+mH_ƠT. \[Kž M 2W 0pZZE"b j7{\X2,# l,>D4~hN/a2*)WKivwa=5}nw-?&TYOCxz#kjISʁbY;7l ʸ5MVRQy9:zGȃ`=r=6O68yy4!%6$;~Lc cѭ,hZU%S=#kQbꁊ7_E30kŠ%lDaȁUra; ¢{Z\Sv;~l2\Z歰C`V~`Ng43aJZ6 }~XE>wZB_va֚ үgrI)jL$GP/#[յ ;tm۽˦ sq,bj[,~ɯ‰5r1|*j0&B$V0l^x|hF`+\qW["LJ}N܁e Vl*I b]Pr)RLZ06Aae呯^t@FM@X Gt\d0!P\Q-W0.#_L_LU1(TOn»hCz X]>L,7,@ХCkz]W9(#߬%hh<^HjP֓C+jrPT+ qvX%ZAg~~Ȼ8 iJ @g}s`~:'F2M֧ה{`3|xKߙ[aecƘH`#7\ +RUw5 Ř)2)N<:`rUTՑn OGA.C{a&:`LTnЬ 0Դ'KiM twPJ |~CJh7"0v.eۏTU)&U$jl|T`Z܎:y>-.)W` >N=2Ǩk 01-tp]U*jAe/Y_c7g!h"QkF:Fd@tΈ+6RЎT8ί )q>:(TX7cmE{H^ac7U[@oF)[GG&h6>̳iLZ<*ʗ2wY| RX3͓i4=_@HpbGi |cϺ!G܏p<6L M}G TQW5@e2&0҃F5c;[ LلY2Z Ɗ߼AFp5xl==CݸMY vLzWO!SB9!^%1SsK\7a Z|/I0VRRXU V 3Fˁ; _g.7&aHx}GVUO4ịV1C e 4v=.EЋr}cLBMDoԁh 03RlȪ+> 2*ijAROsGF:Lpz]Qd:)nQ==ՕћYӀ GL)߭q*惪Nr@*5]*; ss4G\0R,W1<ʢ'r]N6._-JV YH/s>P9k۷BlpH75SXp| ^?K{e, ,"zR#.=2a7B^\όԽݽ]VUv$/(0h_pCﻶ$\auv1g +f[I)37xW }qt4M}ҹI'ٗ}<d¼O㇧/;vݹ|@N[(@?^-MwXh\00C~ǭEWORO5<7osV(; J@#䆷$bw}\ɾ3zZ^6+^a>;kFk!$ vzιs޼о_>u!r־hI^zKQ\N{RbG!hUHV*<bShmƛ&a֖5!xndDi+%/ҹ:n]qf빨kZ ^Ok5WE.'27Le8XFs~YRy~¯U2k~ ~ I+U:9>  k@JA=o8nw/Ϛ_i%D( `I/Щ c~?OFrA&zRG>gǭU3f~3Rt8|QrwۿHo1Mr!}K_cOߗf4~PV=8Y,rh%縕vq3a~wbSP݅{_Zr; 0y!D(o E:[Wdl&u"N M5W"v {t1ݻaTwd e~=m2겨uC%Lܟ0GN)tJȓSQ؏ z>RB'T˓$/IYO)yqjhd꒐~~ i&'ءXґԛ^6/6'8{Hpo6+W}1lyTѵl d@T7]X9X16qwv`ϓ;~\@zJĩUrm#ϝ^kͰ4H\/O9#-[ wۭݷ2ߓOݿv_۝t9nin[nǡ850Nd$4P$yUZ¶/"2NIJn':4L|dM#}:Jf:k^x̠t8s 7{~{!.u?.^x:5?_eҰKw= /{7w.+-R!ykE7_d/.)%y u OKt1ڬ/ۥ{H?vBĬhw4hTɞo ?֐u'|ȞF8^jC|yg>,d9_a}40[ɱ-Ι2HB%euw#S''Sc3HF#%kϖSϱ6mF @|Րg ;as*|b \<E/&qFL>>b7\zeRh]6޳4è̳dYWJo,]_бɱ 4# sq G>xùؑkpi 9e E|*Z9o~ vk,SiY?,81IsCDv4^)oaKL^_@=IxMX4anߏђD^Վl49qP }Y`&lU)=IV({P6œ1+paȂ }A>u爛Bld5i32Pq <:& )>vc"Ql0 {jG[{ζLSɩ~nNد,O2X!_jb?X7:%4)Ylvš] =W RS958OE-byu6fr+gmNzjwCčByv(JmfL$N{l˛p=3CϬb(NV(Y/{X,4 j &FyoFY_m} 9?uFqjBiiĹ!MD,kQMD "`QyHI O{j3ҳ./xZ_<ݩ5<o%vRCKR%$RRJ͍=ݾ]   .O%Y8w>H'UI->*X'-Mȳ6qz0e" ,`^dU#H)1ol#)CU\ xJwLnhPIS`w ;LqT媺 фNl߀B$ l {-hШPӔc%\;jfnnfq%< .jqqqqkx+Ztscut 6.ZY-WkH: 9 Xco;;gaN!X|y6om̴Rr-7`݅-`Ϭc@XfYX v,Uc$ 83ggvCÒi 軄g3.a_ 4"ȓx2 \I<,ԁQquP:woj}y;p<:b_-TE `U*>yqlj7bǢz=MpЋ/@i-z"\ۘ9Y :ru`Q$ IdU'z%dGҧ[鹍v:>.]R]$ap < $#k[X*-V[1S cl-ϰ$LYD S9lȉ2+-&1 \.M(5ncM.aB~ ix| 9rv?fogfp$$*L2IXʯi{66{oӒG~Z~Z~Z~Z'z-+jAy^ʼn^Z%vWncХtf;2GqnxkɠB`I'9żzCLA- ضƷvKȄ{O`9Ge_M3F39O7$Id>0гi-7%KU|? WF*nPAc=%&6okoi&^!GK ]I#GD}5hRU%+Qol][73̍u=;K)Wel'|aW b"^{y!Zluw3^q\g4v=gnXcO8[ĩ["n=;f׍35"l[~z*aU=Q'`"WV:.SANr/ |C!h,.ŷą~tMaoٕZ0KF\4o.VM BaD0‡^dXc 1ʵm <~܉.",pZ4%N䀲9Lt 'Ʈ$Jjadg$ƽBtyϽcLl갺MmMn @ja\)bl\M>'p.$XD Pa C/qK&5\/h#8iLʃ aNɰyS,YzKW11\RbRSK.}K\G" N+ߥtW:ѦTHk̘x-r4vWٜA5]/RU BI3izMћOkp_ל>3-iM13bmC쭧50Zf׵l];̈́|W@O[j≠D37{u&r[wnyͳc vXʱK=bea^clSaZ ~r!sg*1̦{B ?}zڡ<$`;#WVRѪErgx]wD:9Eh#usg 楒V,T)[g?u@ +Hх%q09L+G J&_K~C1 'p@O `ʖC/0Rhi\j襃ڵǔ8J F:K{IF^YAO5XdDƎ}юMUbtM-R^@wyj 4Zun-u{cH̋:Z sʒ2? 66Ƕlvn|DuvH1Xp,P ;1I3 J=z%rk1f=z>*1Xbd*F&#ZIi+8:4ƿB< ExeLW<0%# eզٝ$7xgR=[!VUv$ru Y>_E_t[6hZmՇtMx: )<]С reOJoIgI4~X Pmļϴ@BSxu &ԛXiӈ̥7d?= nN8}W boEіIz# ,@yꊍ\Dx56WԄ:jXH6C}F.ZݳV׺ꢇ@85R6#yr0[RMg"`>N=9$.zW\A&.;rZ_A.nr}=g7,>O >BZs4akozEW)L͈n_da@p=S!-2Șh MQ ҖHxDɹ~2&'qBE< ,iMYC) Q?\)X4 1bc36#&8L9 e %6:݋N#;K&(?q E {GLƙ;fQ7sϾ8ʿIc.N.J'EEt0w j9CnbJ zI8F7l<3 lEP00aLn'Ӄ~7]_u:POL=%NfldaQ({b8M t߃3,ȏfKlݜ(8jq$P!%h$`x=9`2cB2߰bJU(IhRW|W |+R0cU-%N+ߺ#SHwV7X)z+i+s9Iˑ!;}*ٷ4 }:>1ƺs1h^^}!'+$'W~:]/{9luo[uss}Ѻj_r Oa~lL_d_T 3%,C rrv3ʿ@g,>v93?Y=g?#(48%Y}MNJ 4tk 7b[yDYAI{R}tEOI>ti;GLw<-7cENj).~QJxd\$h{U26#{"dj =b>s2 'գ,_;HߪexĻ͏eݞ܃8}n}7}Fn_x`: ~iMnڧ,Gp~k;ُϋGkwҗƒ |3/߆zH'<+;}4(wo\gU=j{4oqa n9>|#xC/+/gu޿tك Һh/Z3 쓭?u}NoM:I< ^a`/xIO1EL`Z諡r:Hùzkm ?\wƟn ؑ:Mg\ԴZjRs?7@A{(.#&T$`vXJ D`q9#RB4|;ӌW)57tSs]1cc6Hm\wtlCk.vܙ%\O_~26q?Jh"v]"6 R Ň%0g3gfˎlt|0D 9ϖ$|Ŷr.iG?&l7,!9`7O $qOKupnn=I(}#Ϙm#TF\|gȌa)x`h :BQf6i ki"t\зkdQ9Hr&ze h$.6=/k"6: gCCJrLoN1^RlsmqSun{Xj9#<}"lE a'B 4qiObx`#Y ߚP TDQ$L{yݟG/7~?J D O.y@FC0!6I}.KE0%&(Xp\GAVΙz"w6G}d ȡ(d}j6g ͜5ŧW<߶nRP+ynqt6-%/#Ǟ':K$~Al=dҶ\)Vb5 )tOĕBVt3C֗o,^zeXٽ$'P9N]]Plã5,Wc -<P0_A^u.vrmnBQXƪa#mhT_ )^VDǮS^mǺgyeO ۊ|Va=t+`:igNb+c/φŀ-[g_qxN|,ة9:ˇdg)C2^#s!YX&7I /kta( aaɗvXY[D5R;LP9ɓz0~ _$ͮ%tصa=<żpa&#f)& wAixv4<Tf_E@KE7`)UĔ&\RKnrmm#{ )60MÄr]"+roq=y[әJ p8g0N^Zʩȩ(vU_|JѬd;π/P>Q*'\9ƕ)z@Xqɩ8T5u{_Z wb^; <\y>$gꎾV;yv<;ktۿ a% ѨT_N{K:g, lݸ᥇ͣ:.Ee遢%!\ Dv>e}!"ӳ ~c Wha<y&F{kjuU+kD;ydM^l+:cSEᘸe=)jalw9n~;1{l~r)Us̥D5^JB\rKlxTȉ|q07Nw6Ȅ В#nvbec}+