DirectAccess and VPN – Who’s Hurting Who? Part 1

Posted: January 10, 2012 in Industry Commentary, IPv6, Mobile

By Nicholas Greene

It’s been called “The Death of VPN.” It’s been placed on a pedestal as one of the best available solutions to our VPN woes. But, on taking a step back, does DirectAccess actually deliver on its promise?

Two months ago, VPN Haus ran a story asking just that. What that article found was telling: more and more, experts are saying no. While it’s certainly flexible, powerful, and packaged with a plethora of encryption and authentication options, DirectAccess decisively lacks the comprehensive feature set needed to be an all-in-one solution. Aside from only running on Windows 7, this “flexible alternative” is, ironically, more than a little inflexible when it comes to implementation, with a list of requirements a mile long, including mandatory IPv6 implementation.

Proponents of DirectAccess might postulate that it’s possible to circumvent the “mandatory IPv6 rule” by installing Microsoft’s Forefront Unified Access Gateway (UAG) in front of DirectAccess to handle the VPN requirements, installing most of the required DirectAccess infrastructure in the process, as well as NAT64 and DNS64.

Of course, this brings to the table a whole new gallery of issues, mostly related to flexibility and client management.

If you decide to install UAG so that you can use DirectAccess over IPv4, the built-in firewall will be disabled and the Microsoft Forefront Threat Management Gateway will be installed. This offers full support for IPv4 — but no support for IPv6. Not only that, NAT64 offers no support for reverse NAT mapping, so client management becomes a considerable challenge.
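The NAT64 and DNS64 components mentioned above work by embedding IPv4 addresses inside an IPv6 prefix: DNS64 synthesizes AAAA records for names that only have A records, and NAT64 recovers the IPv4 destination from the embedded bits when the packet arrives. The following example is added here for illustration; it is not code from the original post, from Microsoft, or from UAG. It assumes the RFC 6052 well-known prefix 64:ff9b::/96 (a deployment may use its own /96 instead) and uses constructed addresses. The last function shows the one-directional nature of the mapping: an address that does not sit inside the NAT64 prefix, such as a client’s native IPv6 address, has no IPv4 form that an IPv4-only management host could use.

```python
import ipaddress

# Assumption: the well-known NAT64/DNS64 prefix from RFC 6052.
# A UAG deployment may be configured with an organisation-specific /96.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> str:
    """DNS64 step: embed the IPv4 address from an A record into the /96 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    v4 = ipaddress.IPv4Address(ipv4)
    # The low 32 bits of the IPv6 address carry the IPv4 address verbatim.
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def extract_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX):
    """NAT64 step: recover the IPv4 destination from a prefix-mapped IPv6 address.

    Returns None when the address is outside the prefix: a host with a native
    IPv6 address (for example a DirectAccess client) carries no embedded IPv4
    address, so there is nothing for an IPv4-only peer to map back to.
    """
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


def dns64_answer(a_records, aaaa_records, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX):
    """Mimic a DNS64 resolver's decision: return native AAAA records when they
    exist, otherwise synthesize one AAAA per A record so an IPv6-only client
    can still reach an IPv4-only intranet server."""
    if aaaa_records:
        return list(aaaa_records)
    return [synthesize_aaaa(a, prefix) for a in a_records]


if __name__ == "__main__":
    # Constructed sample: an intranet application server that has only an A record.
    print(dns64_answer(["10.0.0.5"], []))                 # ['64:ff9b::a00:5']
    print(extract_ipv4("64:ff9b::a00:5"))                 # 10.0.0.5
    # Constructed sample: a client's native IPv6 address has no IPv4 mapping.
    print(extract_ipv4("2001:db8::10"))                    # None
```

Running the module prints the synthesized record, the recovered IPv4 address, and `None` for the native IPv6 client address, which is the asymmetry the paragraph is pointing at.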

On the other hand, if you install DirectAccess on Windows Server 2008, the built-in firewall will be able to support IPv6. Unfortunately, this comes with a rather crippling caveat — the firewall will only enable either inbound or outbound rules, not both. In other words, you won’t be able to get any IPv6 traffic past the server.

Either way, there’s the potential to cripple, or at least considerably hobble, your network in some way. This is particularly true if you’re using a non-Microsoft firewall for security. If you are, well… good luck implementing DirectAccess. You’ll need it.

The fact that DirectAccess absolutely requires Windows 7 and Windows Server 2008 R2 with PKI access is extremely problematic for any non-Microsoft devices, and that includes mobile devices. Consider that for a moment: if you’re using a tablet or smartphone, you’re going to have a very, very difficult time connecting via DirectAccess. Even Microsoft’s own mobile offerings are, at the current juncture, incompatible. This is a huge hurdle, especially in an age when many are trumpeting mobile as the future of the enterprise. DirectAccess, meet the Bring Your Own Device craze. You two aren’t going to get along.

  1. Jordan Krause says:

    As a DirectAccess enthusiast, I appreciate the opportunity to read about and “debate” these kinds of feelings on the web. Unfortunately there are a number of incorrect statements in this article which lessen its credibility. First of all, it’s “Threat Management Gateway”, not Trust Management Gateway. Also, while NAT64 does not offer reverse NAT directly (though it does for responses from application servers), this does not present any “considerable challenges” to client management. You are easily able to manage DirectAccess-connected client computers from the corporate network. I also do not at all understand the section about hobbling the network; I don’t see any data point in there to clarify what you are talking about. Furthermore, when using UAG for DirectAccess you also get all other capabilities of UAG, which include the ability to publish web access portals that can be used for non-Windows 7 machines and even from mobile devices. I install UAG DirectAccess for customers all the time, and in many cases it becomes their one and only point of entry for remote access (replacing VPN, SSL VPN, Citrix, etc.).

    Jordan Krause | Microsoft MVP

  2. Juergenvpn says:

    Great byline, I’ll call it the Truth about DirectAccess

  3. VPN Haus says:

    Hi Jordan – Thanks for your response, you raise some interesting points. However, the reality is, there are certainly some limitations with DirectAccess and NAT, which was the main point we were trying to get across. While there are add-ons that enable clients other than Windows 7 to connect to DA, installing an add-on is an extra, even unnecessary, step from the perspective of an IT administrator. We regret the “Threat Management Gateway” error and have since corrected it. Keep your comments coming, it’s always great to hear from our readers.

  4. HeyAdmin says:

    Is there an update to this article as a result of Windows Server 2012’s improvements to DirectAccess?
