DirectAccess is a feature introduced in Windows 7 and Windows Server 2008 R2 that gives users connectivity to their corporate network whenever they have Internet access. When DirectAccess is enabled, requests for corporate resources such as e-mail servers, shared folders or intranet Web sites are securely directed to the corporate network without requiring the user to connect to a virtual private network (VPN). DirectAccess improves productivity by offering the same connectivity experience inside and outside the office. Without DirectAccess, mobile computers can only be managed when users connect to a VPN or are physically in the office. With DirectAccess, mobile computers can be managed, by applying Group Policy settings and distributing software updates, any time they have Internet connectivity, even when no user is logged on. By building on Internet Protocol version 6 (IPv6) and Internet Protocol security (IPsec), DirectAccess provides a secure and flexible network infrastructure for enterprises. The security and performance capabilities of DirectAccess are as follows:
Better authentication: DirectAccess authenticates the computer and lets it connect to the intranet before the user logs on. It can also authenticate the user, and supports two-factor authentication with smart cards.
Encryption: DirectAccess uses IPsec to encrypt and integrity-protect communications over the Internet.
Better access control: Administrators can configure intranet resources differently for different users. Individual users or groups of users can be allowed to access and use specific applications, servers or even whole subnets.
Simplification and cost reduction: DirectAccess separates intranet traffic from Internet traffic, so only traffic destined for the corporate network is sent through the DirectAccess server; the client's ordinary Internet traffic is not. This reduces unnecessary load on the corporate network, but it also means that by default the client's Internet traffic bypasses corporate inspection (a split-tunnel model) unless force tunneling is configured.
DirectAccess removes the limitations of VPNs by automatically establishing a bi-directional connection between client computers and the corporate network: clients reach intranet resources, and management servers on the intranet can reach the clients. DirectAccess relies on two technologies: Internet Protocol security (IPsec) and Internet Protocol version 6 (IPv6).
DirectAccess uses IPsec to encrypt communications across the Internet. Clients establish IPsec tunnels carrying IPv6 traffic to the DirectAccess server, which acts as a gateway to the intranet.
DirectAccess clients use the following process to connect to intranet resources:
A computer running Windows 7 Enterprise or Windows 7 Ultimate detects that it is connected to a network.
The DirectAccess client attempts to connect over HTTPS to an intranet Web site specified during DirectAccess configuration (the network location server). If the site is reachable, the client concludes that it is on the intranet and does not use DirectAccess; if it is not, the client assumes it is on the Internet and continues with the steps below. The network location server must therefore be highly available on the intranet and must not be reachable from the Internet, or location detection fails in one direction or the other.
The DirectAccess client connects to the DirectAccess server using IPv6 and IPsec. If native IPv6 connectivity is not available, the client encapsulates its IPv6 traffic in IPv4 using 6to4 (when it has a public IPv4 address) or Teredo (when it is behind a NAT).
If a firewall or proxy server prevents a client using 6to4 or Teredo from reaching the DirectAccess server, the client automatically falls back to IP over HTTPS (IP-HTTPS), which encapsulates IPv6 traffic inside an SSL/TLS connection on TCP port 443. Because the IPsec-protected traffic is then carried inside an encrypted TLS session, IP-HTTPS in Windows 7 encrypts twice and is the slowest of the transition methods; it is the fallback, not the preferred path.
To establish the first IPsec tunnel (the infrastructure tunnel), which reaches the intranet DNS servers and domain controllers, the DirectAccess client and server authenticate each other with computer certificates and the client's computer account credentials; no user credentials are available yet because nobody has logged on.
If Network Access Protection (NAP) is enabled and configured for health validation, the DirectAccess client obtains a health certificate from a Health Registration Authority (HRA) located on the Internet before connecting to the DirectAccess server. The HRA forwards the client's health status to a NAP health policy server, which evaluates the policies defined on the Network Policy Server (NPS) and determines whether the client meets the system health requirements. If it does, the HRA obtains a health certificate for the DirectAccess client. When the client establishes the connection with the DirectAccess server, it submits this health certificate for authentication.
When the user logs on, the DirectAccess client establishes a second IPsec tunnel (the intranet tunnel) for access to intranet resources. Client and server authenticate each other using a combination of computer and user credentials: the computer certificate and the user's Kerberos credentials.
The DirectAccess server forwards traffic between the DirectAccess client and the intranet resources to which the user has been granted access.
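The 6to4 and Teredo addresses from the transition step above embed the client's IPv4 endpoint, which matters when reading IPsec or firewall logs on the DirectAccess server: a Teredo peer address reveals the Teredo server, the client's public (NAT-mapped) IPv4 address and UDP port, and whether the NAT is a cone NAT. The decoder below is an added example for this article, not code from Microsoft or from the original page. The sample peer addresses are constructed (the Teredo one is the worked example from RFC 4380); IP-HTTPS clients get addresses from an organisation-specific prefix and are reported as native/unknown.

```python
"""Decode the IPv6 transition addresses a DirectAccess client may use.

  6to4   (RFC 3056): 2002:WWXX:YYZZ::/48, WWXX:YYZZ = client's public IPv4
  Teredo (RFC 4380): 2001:0000:SSSS:SSSS:FFFF:PPPP:CCCC:CCCC
                     S = Teredo server IPv4, F = flags (0x8000 = cone NAT),
                     P = client's NAT-mapped UDP port XOR 0xFFFF,
                     C = client's public IPv4 XOR 0xFFFFFFFF
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
TEREDO = ipaddress.IPv6Network("2001::/32")


@dataclass(frozen=True)
class TransitionInfo:
    technology: str                    # "6to4", "Teredo" or "native/unknown"
    client_ipv4: Optional[str] = None  # public IPv4 of the client (or its NAT)
    teredo_server: Optional[str] = None
    udp_port: Optional[int] = None     # NAT-mapped UDP port (Teredo only)
    cone_nat: Optional[bool] = None    # Teredo "cone" flag


def decode(addr: str) -> TransitionInfo:
    """Classify an IPv6 address and extract the IPv4 endpoint it embeds."""
    ip = ipaddress.IPv6Address(addr)
    b = ip.packed  # 16 bytes, network byte order

    if ip in SIX_TO_FOUR:
        # Bits 16..47 carry the client's public IPv4 address verbatim.
        return TransitionInfo("6to4", client_ipv4=str(ipaddress.IPv4Address(b[2:6])))

    if ip in TEREDO:
        server = ipaddress.IPv4Address(b[4:8])
        flags = int.from_bytes(b[8:10], "big")
        # Port and client address are stored inverted so that NATs which
        # rewrite embedded addresses do not mangle them.
        port = int.from_bytes(b[10:12], "big") ^ 0xFFFF
        client = ipaddress.IPv4Address(int.from_bytes(b[12:16], "big") ^ 0xFFFFFFFF)
        return TransitionInfo(
            "Teredo",
            client_ipv4=str(client),
            teredo_server=str(server),
            udp_port=port,
            cone_nat=bool(flags & 0x8000),
        )

    # Native IPv6 or an IP-HTTPS address from the organisation's own prefix:
    # nothing about the underlying IPv4 path can be recovered from it.
    return TransitionInfo("native/unknown")


# Constructed sample IPsec peer addresses, as they might appear in server logs.
SAMPLE_PEERS = [
    "2002:c000:204::1",                      # 6to4 client at 192.0.2.4
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",  # Teredo, RFC 4380 worked example
    "2001:db8:1::10",                        # native IPv6 or IP-HTTPS prefix
]

if __name__ == "__main__":
    for peer in SAMPLE_PEERS:
        print(peer, "->", decode(peer))
```

For the RFC 4380 sample the decoder reports Teredo server 65.54.227.120, client 192.0.2.45 on UDP port 40000 behind a cone NAT. The Python standard library's `IPv6Address.teredo` and `IPv6Address.sixtofour` properties return the server and client addresses too, but not the port or flags, which is why the fields are unpacked by hand here.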
DirectAccess clients get their configuration through Group Policy. The Group Policy objects are filtered so that they apply only to computers that are members of the designated DirectAccess security groups. The transition technology settings delivered this way are located under Computer Configuration\Policies\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies; the same policy also delivers the Name Resolution Policy Table (which tells the client which DNS names to resolve over the DirectAccess tunnel) and the Windows Firewall connection security rules that define the IPsec tunnels.
DirectAccess requires the following:
One or more DirectAccess servers running Windows Server 2008 R2, each with two network adapters: one connected directly to the Internet and one connected to the intranet. DirectAccess servers must be members of an Active Directory Domain Services (AD DS) domain.
Two consecutive public IPv4 addresses assigned to the DirectAccess server's Internet-facing adapter. Two consecutive addresses are required because the server also acts as the Teredo server, which uses them to detect the type of NAT a client sits behind.
DirectAccess client computers running Windows 7 Enterprise or Windows 7 Ultimate. DirectAccess clients must be members of an AD DS domain.
At least one domain controller and DNS server running Windows Server 2008 SP2 or Windows Server 2008 R2.
A public key infrastructure (PKI) to issue computer certificates, smart card certificates for smart card authentication, and health certificates for NAP.
DirectAccess deployed with Forefront Unified Access Gateway (UAG) provides built-in NAT64 and DNS64. Without UAG, an optional third-party NAT64 device can be used to give DirectAccess clients access to IPv4-only intranet resources; otherwise clients can reach only resources that are IPv6-capable.