Windows Server 8: Part 4—DirectAccess

Slalom consultant and accomplished Microsoft systems developer Derek Martin sheds light on Windows Server 8 (WS8) through his insightful blog series focusing on his research within the technical preview documentation, personal experimentation with the product, and thoughts of how they can apply to the real world as soon as it is released to manufacturing (RTM).


Slalom Consultant Derek Martin is an accomplished Microsoft systems developer and integrator, experienced in developing and deploying SharePoint and CRM solutions, integrating line of business applications, and leveraging existing infrastructure investments.

Remote access is a tough nut to crack. On the one hand, every employee needs access to their corporate resources at all times of the day and from whatever device they can shake a stick at. On the other hand, IT can’t just tear down the firewall and let everyone in, for obvious reasons. For a long time, dedicated virtual private network (VPN) equipment (like an ASA appliance) or VPN software (like Microsoft RRAS) was really the best option for secure, reliable connectivity when not on prem. The challenges with those solutions are several:

  • Yet another system to manage.
  • Not well integrated (although they are getting better) with the rest of your environment.
  • They only provide access; they don’t provide management or true connectivity (I’ll explain in a bit).

With Windows Remote Desktop Services, you can get much closer to the goal of ubiquitous access—take your Gateway server and drop it onto port 443 in your DMZ and your remote apps, remote desktops, and VDI sessions are available to your end users (there’s a whole RDS post coming soon). But that doesn’t get you true native connectivity—connectivity that has been the dream of many throughout the ages. Okay, maybe that’s a bit too far. Connectivity that makes your computer look, act and feel like it is on the corporate network without the need for complicated VPN or RAS dialers. Connectivity that allows you to:

  • Hit internal intranet sites without FQDN (http://myportal).
  • Hit internal shares or mapped drives (\\server1\myfolder).
  • Have group policies applied and updated both during log on and via the standard 90 minute schedule.
  • Have the ability for IT to ‘see’ my computer if I am having troubles and diagnose/work with me as if I were physically present.
  • Not have to reconfigure my internal apps to hit FQDN or the ability of apps that are configured to hit internal IP addresses just work.
  • Only route ‘internal’ traffic to the corporate network; anything else routes normally (to keep speed up).

Seems like a pipe dream, does it not? DirectAccess brings all of those to your company-owned workstation/laptop and more! In Server 2008, the promise of such amazing connectivity was largely unused because it was incredibly difficult to set up and maintain. It also required some fairly major infrastructure changes throughout your network (like IPv6 stuff) to enable. Fortunately, like all things WS8, DirectAccess is now amazing, simple, secure by default (it won’t work insecurely), etc. Here are some of the amazing points from the preview documentation we’ve been working through:

  1. Remote Access (RRAS/VPN) and DirectAccess are now controlled together using a single interface.
  2. Monitoring of the environment is now much easier with all the PowerShell, WMI, GUI monitoring you can shake a stick at.
  3. A new Network Connectivity Assistant which provides the client computers with customizable connectivity diagnostics. By default it remains transparent to the end user, but if things go wrong, this tool will pop up and can help.
  4. When enabling DirectAccess, it takes care of all the firewall goo for you—how many companies do you know that have a deployment step where the first thing a new server VM gets done to it is to disable the Windows Firewall? That’s BAD and, as an aside, WS8 makes this much less ‘necessary.’
  5. Wizards! Small companies can deploy this sucker with just a few clicks—much better.
  6. PKI isn’t required (although still recommended) in that you don’t have to go through all the goo of setting up certificates and trusts when you have a very simple setup.
  7. DirectAccess can now reach IPv4 servers on your network—probably the best enhancement—your servers need not have IPv6 set up to be exposed through DA. DA acts as a proxy to facilitate this magic.
  8. Can work with just a single network adapter (as opposed to dual NICs and weird config settings on the server in 2008R2).
  9. Will work with your Network Access Protection investment (really was surprised this was missing in 2008R2).
  10. Can work with One Time Passwords and key fobs for added security on your RADIUS environment —my test included a very cool toy called Yubikey.
  11. Here’s one—instead of a traditional smart card (something you know and something you have)—Windows 8 now can use the TPM device built onto the board as a virtual smart card.
  12. Works with Server Core—as do most things in WS8.
  13. Can configure computers ‘off network’—the machines don’t have to be physically connected to the corporate network to join the domain and receive its Direct Access settings—that’s black magic if you ask me.

These enhancements, along with the more complex things that changed under the covers, will make DirectAccess not only affordable, but technically attainable for small companies all the way up to the largest enterprises (if you get PKI configured and the cool Geo-Redundant load balancing). It’s all very very cool.
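The split routing described above (only corporate names go over the tunnel, everything else routes normally) is driven on the client by the Name Resolution Policy Table. The following PowerShell is an added example, not from the original post: it checks a Windows 8 DirectAccess client’s tunnel status and lists the NRPT rules, warning when a rule is broader than the corporate DNS suffix. The cmdlets are the built-in Windows 8 / Server 2012 ones; the suffix `.corp.example.com` is a placeholder for your own internal namespace.

```powershell
# Added example (not part of the original post). Run on a domain-joined Windows 8
# DirectAccess client. $CorpSuffix is a placeholder for your internal DNS namespace.
param([string]$CorpSuffix = ".corp.example.com")

# 1. Is the DirectAccess tunnel up, and is the client remote or on the LAN?
$status = Get-DAConnectionStatus
"DirectAccess status: $($status.Status) / $($status.Substatus)"

# 2. IP-HTTPS is the transport that rides over port 443 to the DA server.
$iphttps = Get-NetIPHttpsConfiguration
"IP-HTTPS endpoint: $($iphttps.ServerURL)  State: $($iphttps.State)"

# 3. NRPT rules with DirectAccess enabled resolve through the DA server's DNS
#    (which handles the IPv4 backends via its proxy role) and so traverse the
#    tunnel; any name not matching a rule uses the local ISP resolver directly.
$rules = Get-DnsClientNrptPolicy | Where-Object { $_.DirectAccessEnabled }
$rules | Select-Object Namespace, DirectAccessDnsServers | Format-Table -AutoSize

# 4. Defender check: a rule for '.' or for a namespace outside the corporate
#    suffix would steer internet traffic over the tunnel, defeating split routing.
foreach ($r in $rules) {
    if ($r.Namespace -eq '.' -or -not $r.Namespace.EndsWith($CorpSuffix)) {
        Write-Warning "NRPT rule '$($r.Namespace)' is not scoped to $CorpSuffix"
    }
}
```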


4 Responses to Windows Server 8: Part 4—DirectAccess

  1. Arlester Christian says:

    Great article. One question. You write:
    “With Windows Remote Desktop Services, you can get much closer to the goal of ubiquitous access—take your Gateway server and drop it onto port 443 in your DMZ and your remote apps, remote desktops, and VDI sessions are available to your end users (there’s a whole RDS post coming soon). ”
    I agree wholeheartedly with this paragraph and deploy Terminal Services/RDS everywhere and with 2012 and RemoteFX with USB redirection I am more keen to continue. I have never quite figured out what Direct Access or other VPN solutions would buy me and now with the enhanced RemoteFX 2012 (redirection within VMs) I see even less value in Direct Access. If you could give me a few scenarios where Direct Access would buy me something that I can’t have with the new RDS/RemoteFX I would appreciate it. Thanks in advance for your attention to this. (And thanks again for all the well-written articles.)

    Arlester Christian

  2. slalomderek says:

    Sorry for the delay in responding – this is a great question! Direct Access can be best used for the mobile road warrior. User on his laptop, domain joined, has anytime access to corporate resources without doing anything extra like dialing up a VPN. Any time there is an internet connection, DA is on. Further, routing is intelligent, so only requests to corporate resources are routed over the pipe (not, etc.). Finally, it allows seamless integration with things like IE so you can visit http://hrweb and it will pass your domain creds right through if you logged in under your domain account. Behind the scenes, connectivity is maintained with things like AD, System Center, DNS, etc., so policies and GPOs can be pushed out, troubleshot, etc.

  3. Arlester Christian says:

    Thanks for the reply – was not looking for a quick answer. However, I still don’t see what DA buys the road warrior that Terminal Services especially with RemoteFX doesn’t offer. If you could detail a few points it would be appreciated.

    • Arlester,

      I think one of the best reasons for DA is the remote manageability aspects of this technology. Sure, RDS and VDI will get your end users to the tools that they need but are they using company hardware to connect? If so, how do IT organizations manage that hardware…ensuring compliance and a reasonable level of security?

      DA can provide this.

      Instead of treating these laptops as if they’re “offline” most of the time, with DA they instantly become “part of the network” again.

      The idea is to improve the user experience, because that will ultimately increase user productivity. Imagine a scenario where your users don’t have to log in to a VPN service. Nice if you ask me.
