DirectAccess is not a Replacement for VPN

I hear a lot of folks talking about deploying DirectAccess as a replacement for their current VPN solution. They often want to move large numbers of their users from working at the office to home offices. This is a great idea, as it saves on the infrastructure costs related to heating and cooling offices, fuel costs related to driving back and forth to work, and ideally increase the employees overall productivity because they could use the time they were driving to work to actually get work done.

That’s all consistent with the goal of DirectAccess – to provide your users an intranet computing experience from anywhere in the world. And when I speak of “users” I’m not just talking about end-users - “users” also include IT, as your IT group will be able to have the same connectivity to, and command and control over, DirectAccess clients as they have with any other client they manage on the intranet today.

When talking to people about DirectAccess, it’s best to not think of DirectAccess as a “VPN” solution – since the vision of DirectAccess is to keep the DirectAccess client continuously connected to the intranet – thus bringing the intranet “out” to all DirectAccess clients. In contrast, VPN connections (SSL and network level) are about temporary connectivity that enables the VPN client “into” the intranet. It might seem like hair splitting, but the practical implications are significant, both from the end-user productivity perspective and the IT management and control perspective.

Because this vision is all about highly managed corporate controlled systems, you still might want to provide VPN access for machines that don’t fit into this vision. You might need to enable partners full network access at times, or perhaps the IT group needs VPN access from unmanaged machines of their own to get work done when out of the office. In this scenario, the DirectAccess and VPN solution can site side by side, or if your VPN clients support SSTP as a remote access VPN protocol (clients are Windows Vista SP1 and above), you can co-locate the SSTP VPN server on the DirectAccess server or array.

So when carrying out your DirectAccess deployment planning, remember that VPN is something that you’ll want to bake into the overall remote access solution.



Tom Shinder
Microsoft ISD iX/SCD iX
UAG Direct Access/Anywhere Access Group (AAG)
The “Edge Man” blog (DA all the time):
Follow me on Twitter: