Direct Access in Server 2008 R2

I managed to find a spot for myself on the DirectAccess dogfood going on now at Microsoft. This is by far the single best technology that Microsoft has produced that I can remember. Remember back to when you first got Outlook Anywhere with Exchange 2003 SP2, and then think about expanding that to the entire corpnet. I tweeted my excitement, and Sean Kearney did some investigating and has some information to share. Be sure to add his blog to your RSS reader; he has a tendency to find a lot of gems!

P.S. You’ll see a little on Direct Access at EnergizeIT 2009 too :)


You know, listening to Twitter for me pays off.

A little birdie mentioned “DirectAccess” as a means of eliminating VPN, and my first words were “What’s DirectAccess?”

DirectAccess is a new, secure method to connect users to a server environment, versus VPN. Utilizing IPsec and IPv6, there is now a new, better and more seamless way to connect to the server environment.

Forget VPN. Forget multiple IDs, passwords, reconnects, additional management.

Throw that headache to the past.

I’ll try to go quickly into what it is, but I’m reading THIS WHITEPAPER from Microsoft as I type.

What are the requirements?  Rather than retyping and messing up, I’m going to take the EXACT text from the Whitepaper.

DirectAccess requires the following:

· One or more DirectAccess servers running Windows Server 2008 R2 with two network adapters: one that is connected directly to the Internet, and a second that is connected to the intranet.

· On the DirectAccess server, at least two consecutive, public IPv4 addresses assigned to the network adapter that is connected to the Internet.

· DirectAccess clients running Windows 7.

· At least one domain controller and Domain Name System (DNS) server running Windows Server 2008 or Windows Server 2008 R2. When smart card-based authentication is required for end-to-end protection, you must use Active Directory Domain Services (AD DS) in Windows Server 2008 R2.

· A public key infrastructure (PKI) to issue computer certificates, smart card certificates, and, for NAP, health certificates. For more information, see

· IPsec policies to specify protection for traffic. For more information, see

· IPv6 transition technologies available for use on the DirectAccess server: ISATAP, Teredo, and 6to4.

· Optionally, a third-party NAT-PT device to provide access to IPv4-only resources for DirectAccess clients.


As you can tell, this is a new technology, native to Windows 7 and Server 2008 R2. My only comment to Microsoft would be that Vista is a current operating system too. The DirectAccess client should be provided via a service pack or update.

To the user, the connection seems to almost just happen. There is definitely preparation involved on the administration side. But the immense advantage is that users can’t just somehow “guess the VPN gateway” and pop it onto a new system. Certificates are involved; domain credentials, Active Directory and your Server 2008 R2 infrastructure are what control this. You’re not knocking on a single Cisco VPN box or a Remote Access Server. You’re banging on a big, beefy security team that’ll knock you flat down if you trip on the way in.

THAT’S secure.

But from reading how it’s set up, it’s far superior to VPN. One of the biggest headaches I had as a user with VPN was the fact that my Internet traffic would route to the office whenever I was connected. This meant that if I wanted to download anything off the Internet, it would automatically route through the office’s slower Internet connection as opposed to my nice, fast high-speed cable at home.

And as an added bonus, this setup is seamless AND secure. By establishing (via certificates) a direct trust involving both the machine AND the user, it keeps it smooth, and it keeps it secure.

The more seamless it is to the user, the better their experience (and by proxy, the fewer headaches I get). 

Read up on the whitepaper. You’ll see why I’m truly impressed, and looking forward to it.
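As an added example (not from the whitepaper or either blog), a small Python pre-flight check for the DirectAccess server network requirements in the list quoted above: two adapters, and two consecutive public IPv4 addresses on the Internet-facing one. The adapter names and sample addresses are constructed for the example.

```python
"""Pre-flight check for the DirectAccess server network requirements quoted
above from the whitepaper: two network adapters (one Internet-facing, one
intranet-facing) and at least two consecutive public IPv4 addresses on the
Internet-facing adapter. Adapter names and addresses below are constructed
sample data, not taken from any real host."""
import ipaddress
from typing import Dict, List, Optional, Tuple

def consecutive_public_pair(addresses: List[str]) -> Optional[Tuple[str, str]]:
    """Return the lowest pair (a, a+1) of globally routable IPv4 addresses in
    `addresses`, or None. IPv6 entries are ignored (the Internet adapter
    usually carries some); RFC 1918, loopback, link-local, multicast, reserved
    and documentation ranges are not public and do not count."""
    public = set()
    for text in addresses:
        ip = ipaddress.ip_address(text.strip())   # ValueError on garbage input
        if isinstance(ip, ipaddress.IPv4Address) and ip.is_global:
            public.add(ip)
    for ip in sorted(public):
        if ip + 1 in public:                      # the consecutive neighbour is present
            return str(ip), str(ip + 1)
    return None

def check_directaccess_server(adapters: Dict[str, List[str]],
                              internet: str = "Internet",
                              intranet: str = "Intranet") -> List[str]:
    """Evaluate the adapter layout against the requirements; an empty list
    means every checked requirement is met."""
    failures = []
    if internet not in adapters:
        failures.append(f"missing Internet-facing adapter '{internet}'")
    elif consecutive_public_pair(adapters[internet]) is None:
        failures.append("Internet-facing adapter needs at least two consecutive public IPv4 addresses")
    if intranet not in adapters:
        failures.append(f"missing intranet-facing adapter '{intranet}'")
    return failures

# Constructed sample: a server with a placeholder public pair on the outside
# and an RFC 1918 address on the inside.
SAMPLE_SERVER = {
    "Internet": ["1.2.3.4", "1.2.3.5", "fe80::1"],
    "Intranet": ["10.0.0.5"],
}

if __name__ == "__main__":
    problems = check_directaccess_server(SAMPLE_SERVER)
    print("pass" if not problems else "\n".join(problems))
```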