Windows Server 2012 – DirectAccess
Microsoft offers DirectAccess since Windows Server 2008 R2. With Windows Server 2012 Microsoft has adjusted the functionality of DirectAccess and made the implementation easier. Access data and applications safely on the network through an out-of-the-box solution; and all this very user-friendly and transparent. DirectAccess offers it. Reason enough to check out what DirectAccess is as part of Windows Server 2012.
DirectAccess is a Virtual Private Network (VPN) technology that makes it possible to access data safely inside a company network. This data could be accessed by clients who will have an internet connection. Other than with other technologies, it isn’t necessary with DirectAccess that a user initiates a so called ‘VPN connection’ themselves. The DirectAccess connection is made automatically and is transparent for the user. All the traffic gets encrypted by SSL and transported by the HTTPS (port 443) protocol. Because these standard protocols are being used it is generally possible to get transparently access to DirectAccess from every location. After all, the most firewalls and proxyservers don’t block port 443.
Easy implementation
Microsoft introduced DirectAccess in Windows Server 2008 R2. DirectAccess was in terms of client configuration available for Windows 7 Ultimate & Enterprise edition versions. To be able to monitor DirectAccess with Windows Server 2008 R2 and to be able to make use of IPv4 instead of IPv6 Microsoft Forefront Unified Access Gateway (UAG) was recommended. UAG integrates seamless with DirectAccess. With the launch of Windows Server 2012 DirectAccess has been completely integrated into the operating system. DirectAccess is easy to install from the Server Manager of Windows Server 2012 by the Unified Remote Access (URA) role. For an implementation of DirectAccess with Windows Server 2012 UAG is not required. URA also offers support for Windows 7 (Ultimate & Enterprise) and Windows 8 (Enterprise) clients. Via the URA wizard it’s possible to configure DirectAccess in three easy steps. It’s also possible to use wizards for more complicated configurations. Windows Server 2012 offers DirectAccess support for PowerShell 3.0 scripting. This is a requirement to execute automated rollouts.
Flexible architecture
In this paragraph, we go into detail of a few new architectural possibilities that Windows Server 2012 offers for DirectAccess. Here again it isn’t necessary to implement UAG. To offer even more functionality besides DirectAccess – such as application filtering – UAG works together with Windows Server 2012. DirectAccess now offers support for implementation ‘behind’ an edge firewall or a router or Network Address Translation (NAT) device. With earlier versions of DirectAccess it was necessary that the DirectAccess server with was configured directed to internet with two IPv4 addresses (on different network interface cards). With Windows Server 2012 it is possible to configure DirectAccess with just one network interface card that for example gets configured inside the perimeter of DMZ network. With the addition of ‘Multiple Network entry points’ for DirectAccess clients it is possible to activate transparent and automatic redundancy by ‘intelligent client roaming’. Because of this it is possible to make the DirectAccess configuration highly available in a pretty easy way.
With Windows Server 2008 R2 it is necessary that IPv6 is configured on the local internal network. Because Windows Server 2012 offers standard support for the DNS64 and NAT64 protocol, it is not necessary to configure IPv6. IPv4 satisfies to be able to use DirectAccess. It is also not necessary anymore to have a Public Key Infrastructure (PKI) active for DirectAccess. This makes the architecture easier. It could also still be desirable to implement a PKI infrastructure to for example to activate Network Access Protection (NAP) or ‘strong authentication’.
Improved security
Windows Server 2012 DirectAccess has native support for strong authentication with RADIUS on-time passwords (OTP) or by the use of Virtual Smart Cards that are active on a (laptop) computer Trusted Platform Module (TMP).
DirectAccess could be installed on Windows Server Core edition. This is certainly a recommendation when the DirectAccess server is in the perimeter network. Because of the use of Windows Server Core the operating system is less vulnerable for attacks (the ‘attack surface’) in comparison with a full Windows (GUI) installation. Next to this there are less updates needed that results in decreasing the downtime for patchmanagement.
In Windows 8 the option ‘prompts the user for network credentials’ is present. This makes it possible to use DirectAccess when a user has to authenticate at a proxyserver.
Requirements Windows Server 2012 DirectAccess
- Windows Server 2012 with DirectAccess activated and minimum 1 network interface card
- Windows 8 Enterprise Edition clients (when Windows 7 Ultimate or Enterprise Edition clients are used at least one PKI has to be active)
- At least 1 domain controller and DNS server that is provided with Windows Server 2008 R2 or Windows Server 2008 SP2
Benefits Windows Server 2012 DirectAccess
- Higher productivity of users by means of transparent safe access to data and applications on the companynetwork
- No extra licencing for DirectAccess
- Microsoft Forefront Unified Access Gateway (UAG) not necessary anymore
- Fast implementation, flexible architecture and simplified management by out-of-the-box solution