By Nicholas Greene
It’s been called “The Death of VPN.” It’s been placed on a pedestal as one of the best available solutions to our VPN woes. But, on taking a step back, does DirectAccess actually deliver on its promise?
Two months ago, VPN Haus ran a story asking just that. What that article found was telling: more and more, experts are saying no. While it’s certainly flexible, powerful, and packaged with a plethora of encryption and authentication options, DirectAccess decisively lacks the comprehensive features to be an all-in-one solution. Aside from only running on Windows 7, this “flexible alternative” is, ironically, more than a little inflexible when it comes to implementation, with a list of requirements a mile long, including mandatory IPv6 implementation.
Proponents of DirectAccess might postulate that it’s possible to circumvent the “mandatory IPv6 rule” by installing Microsoft’s Forefront Unified Access Gateway over DirectAccess to handle VPN requirements, installing most of the required infrastructure for DirectAccess in the process, as well as NAT64 and DNS64.
Of course, this brings to the table a whole new gallery of issues, mostly related to flexibility and client management.
If you decide to install UAG so that you can use DirectAccess over IPv4, the built-in firewall will be disabled and Microsoft Forefront Threat Management Gateway will be installed in its place. This offers full support for IPv4 — but no support for IPv6. Not only that, NAT64 offers no support for reverse NAT mapping, so client management becomes a considerable challenge.
On the other hand, if you install DirectAccess into Windows Server 2008, the built-in firewall will be able to support IPv6. Unfortunately, this comes with a rather crippling caveat — the firewall will only enable inbound or outbound rules. In other words, you won’t be able to get any IPv6 traffic past the server.
Either way, there’s the potential to cripple, or at least considerably hobble, your network in some way. This is particularly true if you’re using a non-Microsoft firewall for security. If you are, well… good luck implementing DirectAccess. You’ll need it.
The fact that DirectAccess absolutely requires Windows 7 and Windows Server 2008 R2 with PKI access is extremely problematic for any non-Microsoft devices, and that includes mobile devices. Consider that for a moment: if you’re using a tablet or smartphone, you’re going to have a very, very difficult time connecting via DirectAccess. Even Microsoft’s own mobile offerings are, at the current juncture, incompatible. This is a huge hurdle, especially in an age when many are trumpeting mobile as the future of enterprise. DirectAccess, meet the Bring Your Own Device craze. You two aren’t going to get along.