Interpreting Microsoft's latest DirectAccess features

Source: Internet
Author: User

If you are a mobile employee who travels a lot for your company, you probably use a VPN to reach your company's internal resources. This traditional technology is being challenged by newer ones, one of which is the DirectAccess feature Microsoft introduced with Windows 7 and Windows Server 2008.

During a Tech Ed session on the morning of November 6, Microsoft Product Manager Ward Ralston described the DirectAccess feature available in the latest Windows Server 2008 R2 and Windows 7. DirectAccess lets remote users reach resources behind the corporate firewall directly from the Internet, without first establishing a VPN connection.

Ward Ralston said that VPN technology is not only difficult to use but also difficult for enterprise IT staff to manage: when mobile computers are not connected to the corporate network, IT cannot easily manage or update them. DirectAccess almost erases the difference between the internal and external network. As long as a mobile employee has an Internet connection, whether traveling, in a café or at home, they can reach internal network resources. This undoubtedly increases employee efficiency: there is no VPN username and password to lose and no VPN client to worry about, and it is easier for IT departments to provide services to those mobile computers or to apply a unified management policy to them.

Without DirectAccess, a mobile computer can be managed only when the user connects to the VPN or comes into the office. With DirectAccess, the mobile computer can be managed as long as it has an Internet connection, even if no user is logged in. This allows regular management of mobile computers and helps ensure that mobile users stay current with security and system health policies. DirectAccess helps enterprises apply security oversight and data protection to assets roaming outside the enterprise network.

"VPNs connect users to the network, while DirectAccess extends the network to any company user's computer; these are two different perspectives." The DirectAccess feature overcomes many of the limitations of VPNs, automatically establishing a bidirectional connection between an extranet client and corporate intranet servers. DirectAccess does this by leveraging features of IPv6. It uses IPsec for authentication between computers, which also allows the IT department to administer computers before users log on.

When DirectAccess is active, the client establishes an IPv6 tunnel to the DirectAccess server. This IPv6 tunnel can run over an ordinary IPv4 network. The DirectAccess server acts as the gateway connecting the intranet to the extranet.

From a security point of view, DirectAccess access to intranet resources is controllable. There are two access models: selected server access and full enterprise network access. The former, as the name suggests, selectively permits access to specific intranet servers. Its advantage is that access rules for security control can be configured on the DirectAccess server, but the servers being accessed must run Windows Server 2008 or 2008 R2 and must support both IPv6 and IPsec. In full enterprise network access mode, the DirectAccess server forwards the user's requests to intranet servers without IPsec. This model places few demands on the intranet, and network security within the intranet can be controlled effectively. This is similar to the RPC over HTTP method used for Exchange.

DirectAccess Connection Establishment Process

1. The client computer running Windows 7 first detects the network to which it is connected;

2. The DirectAccess service attempts to connect to an intranet resource specified by the administrator. If the connection succeeds, DirectAccess assumes the computer is already in the intranet environment and shuts down the DirectAccess service to conserve system resources; otherwise the DirectAccess service continues to work;

3. The client computer then uses IPv6 and IPsec to connect to the previously specified DirectAccess server. If the computer is not on an IPv6 network, it establishes an IPv6-over-IPv4 tunnel (using 6to4 or the Intra-Site Automatic Tunnel Addressing Protocol, ISATAP). Windows 7 does this in the background, without requiring user login or intervention;

4. If the firewall does not allow the IPv6 6to4 tunnel to connect, the computer communicates with the DirectAccess server over HTTPS (at a performance cost);

5. The Windows 7 client and the DirectAccess server complete mutual authentication (implemented with computer certificates);

6. The DirectAccess server decides whether to allow access based on the client's identity in AD and the currently logged-on user. To mitigate possible DDoS attacks, Microsoft uses DSCP (Differentiated Services Code Points).

7. If NAP checking is enabled on the computer, the DirectAccess server hands off to the NAP server to complete the client's health check. This also helps avoid the security risks and malware that clients connecting from external networks can introduce;

8. Once all of this is complete, the DirectAccess server begins relaying traffic to the intranet.

All of these processes are automated and do not require user intervention.

DirectAccess Software Requirements

• One or more DirectAccess servers running Windows Server 2008 R2, each with two network adapters, one connected to the intranet and one to the extranet.

• At least one domain controller and DNS server running Windows Server 2008 or Windows Server 2008 R2. Some advanced authentication methods (two-factor authentication) require Windows Server 2008 R2 AD DS.

• A public key infrastructure (PKI) to issue certificates.

• IPsec.

• DirectAccess server support for the IPv6 transition technologies ISATAP, Teredo, and 6to4.
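As an added example (not from the article, and not Microsoft's code), the following Python derives and decodes the 6to4, ISATAP and Teredo addresses named in steps 3 and 4 of the connection process and in the requirements list above; a log reviewer can use it to recognise tunnelled DirectAccess clients and recover the public IPv4 endpoint to correlate with perimeter firewall logs. All sample addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample addresses (documentation ranges), not from any real deployment.
SAMPLES = ("2002:c000:201::1", "2001:0:c633:6401:0:63bf:3fff:fdd2", "2001:db8:1::5efe:a00:1")

def prefix_6to4(public_ipv4: str) -> ipaddress.IPv6Network:
    """6to4 (RFC 3056): a client derives 2002:WWXX:YYZZ::/48 from its public IPv4."""
    a = int(ipaddress.IPv4Address(public_ipv4))
    return ipaddress.IPv6Network(f"2002:{a >> 16:04x}:{a & 0xFFFF:04x}::/48")

def address_isatap(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """ISATAP (RFC 5214): IID is 0[2]00:5efe:<IPv4>; u/g bit 0x0200 only for global IPv4."""
    v4 = ipaddress.IPv4Address(ipv4)
    net = ipaddress.IPv6Network(prefix)
    iid = ((0x0200 if v4.is_global else 0) << 48) | (0x5EFE << 32) | int(v4)
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def decode_teredo(addr: str) -> dict:
    """Teredo (RFC 4380): 2001:0:<server v4>:<flags>:<~port>:<~client v4> (~ = XOR all-ones)."""
    n = int(ipaddress.IPv6Address(addr))
    if n >> 96 != 0x20010000:
        raise ValueError("not a Teredo address")
    return {
        "server": str(ipaddress.IPv4Address((n >> 64) & 0xFFFFFFFF)),
        "flags": (n >> 48) & 0xFFFF,
        "client_port": ((n >> 32) & 0xFFFF) ^ 0xFFFF,
        "client": str(ipaddress.IPv4Address((n & 0xFFFFFFFF) ^ 0xFFFFFFFF)),
    }

def classify(addr: str) -> str:
    """Transition mechanism implied by an IPv6 address ("native" if none)."""
    n = int(ipaddress.IPv6Address(addr))
    if n >> 112 == 0x2002:
        return "6to4"
    if n >> 96 == 0x20010000:
        return "teredo"
    if ((n >> 32) & 0xFFFFFFFF) in (0x00005EFE, 0x02005EFE):  # upper half of the IID
        return "isatap"
    return "native"

def embedded_ipv4(addr: str) -> str:
    """IPv4 endpoint hidden in a tunnelled address (to match against firewall logs)."""
    n, kind = int(ipaddress.IPv6Address(addr)), classify(addr)
    if kind == "6to4":
        return str(ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF))
    if kind == "teredo":
        return decode_teredo(addr)["client"]
    if kind == "isatap":
        return str(ipaddress.IPv4Address(n & 0xFFFFFFFF))
    return ""
```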

However, Ward Ralston also says that DirectAccess is not as easy to deploy as BranchCache. DirectAccess places certain requirements on enterprise infrastructure: clients must run Windows 7; the data center must run a Windows Server 2008 R2 DirectAccess server; when Windows Firewall authentication policies are used, application servers must run Windows Server 2008 R2; and finally IPv6 must be supported, with an IPv4 network requiring a NAT server, and so on.
