Posts Tagged ‘Microsoft’

Over the past week, we’ve featured a series of installments that answer your questions about VPNs and DirectAccess. Of particular interest to you were the hardware requirements for DirectAccess, whether DirectAccess supersedes VPNs, and what issues Microsoft could improve or optimize. Before releasing Part 4 of the series, we want to know: How often do you actually use DirectAccess? As always, please elaborate in the comments.

Many people are probably aware that next week, Microsoft is releasing Windows 8. In fact, nearly one in four of our readers have indicated they plan to upgrade to the new operating system. Perhaps less known, however, is that a second version of Windows, Windows RT, will also be launched. While similar in many ways, the one major difference is that Windows RT does not have the ability to install desktop applications. So we want to know – is that distinction a deal breaker? Which version of Windows do you plan to use?

By Nicholas Greene

It’s been called “The Death of VPN.” It’s been placed on a pedestal as one of the best available solutions to our VPN woes. But, on taking a step back, does DirectAccess actually deliver on its promise?

Two months ago, VPN Haus ran a story asking just that. What that article found was telling: more and more, experts are saying no. While it’s certainly flexible, powerful, and packaged with a plethora of encryption and authentication options, DirectAccess decisively lacks the comprehensive features needed to be an all-in-one solution. Aside from only running on Windows 7, this “flexible alternative” is, ironically, more than a little inflexible when it comes to implementation, with a list of requirements a mile long, including mandatory IPv6 implementation.

Proponents of DirectAccess might postulate that it’s possible to circumvent the “mandatory IPv6 rule” by installing Microsoft’s Forefront Unified Access Gateway over DirectAccess to handle VPN requirements, installing most of the required infrastructure for DirectAccess in the process, as well as NAT64 and DNS64.

Of course, this brings to the table a whole new gallery of issues, mostly related to flexibility and client management.

If you decide to install UAG so that you can use DirectAccess over IPv4, the built-in firewall will be disabled and the Microsoft Forefront Threat Management Gateway will be installed. This offers full support for IPv4, but no support for IPv6. Not only that, NAT64 offers no support for reverse NAT mapping, so client management becomes a considerable challenge.

On the other hand, if you install DirectAccess on Windows Server 2008, the built-in firewall will be able to support IPv6. Unfortunately, this comes with a rather crippling caveat: the firewall will only enable inbound or outbound rules. In other words, you won’t be able to get any IPv6 traffic past the server.

Either way, there’s the potential to cripple, or at least considerably hobble, your network in some way. This is particularly true if you’re using a non-Microsoft firewall for security. If you are, well…good luck implementing DirectAccess. You’ll need it.

The fact that DirectAccess absolutely requires Windows 7 and Windows Server 2008 R2 with PKI access is extremely problematic for any non-Microsoft devices, and that includes mobile devices. Consider that for a moment: if you’re using a tablet or smartphone, you’re going to have a very, very difficult time connecting via DirectAccess. Even Microsoft’s own mobile offerings are, at the current juncture, incompatible. This is a huge hurdle, especially in an age when many are trumpeting mobile as the future of the enterprise. DirectAccess, meet the Bring Your Own Device craze. You two aren’t going to get along.

By Bernd Reder

Microsoft’s DirectAccess allows users to access a company’s IT system from a Windows computer without using a VPN, instead using IPsec to secure the connection and all data transferred in the communication. In contrast to a VPN, a DirectAccess client sets up a connection to the corresponding server as soon as it has booted and established a connection to the Internet. The user does not have to start a VPN session manually and log in to the company network. Nor does the administrator have to wait until a client has set up a VPN connection before managing the system, for instance to roll out new software versions.

So what’s the benefit of DirectAccess? Here are the main ones:

  • It supports different protocols and communication processes like IP-HTTPS, SSL and IPsec.
  • It provides authentication and encryption options.

Before you rush out to get DirectAccess though, you should hear the drawbacks, which are significant.

Restricted to the world of Windows

Does DirectAccess foretell the end for common VPN solutions? Definitely not. Microsoft’s technology only works if the whole system is based on Windows 7: clients running Windows 7 (Professional, Business or Ultimate) and a Windows server (Windows Server 2008 R2). This means employees working on a Mac or with a Linux notebook can’t access the company network.

Smartphone users with iPhones, BlackBerrys or other devices running Android also can’t access the company network. And even more paradoxical, DirectAccess doesn’t even work on mobile devices running Windows Mobile or the new Windows Phone 7.

It is safe to assume that Microsoft will support DirectAccess in future versions of its Windows 7 phone, as well as in the Windows OS for tablet PCs. However, until then, there is still a long way to go. On top of that, there is hardly any company in which only Windows devices are used across the whole spectrum of devices (smartphones, client PCs, tablet PCs, servers, etc.). In most companies, several platforms and devices are used in parallel, leaving the company with heterogeneous IT equipment.

Companies use heterogeneous IT equipment

This fact will not change. If anything, trends like the consumerization of IT lead to employees bringing in a diversity of cell phones, tablets and notebooks at an even faster rate. With these mobile devices, employees check their business emails on the road or in the home office, synchronize appointments and contact details, and download documents from the company server. This simply can’t be done without a VPN solution that supports various operating systems and client systems.

Another problem with DirectAccess is that among its mandatory prerequisites are a Public Key Infrastructure (PKI) and the use of IPv6. However, not all companies use this version of the Internet Protocol yet. That’s still years away. In fact, thanks to Network Address Translation (NAT), many companies will continue to use IPv4 for quite a while.

So, what should companies do? Write off DirectAccess? Definitely not. Microsoft’s DirectAccess technology offers solid advantages, like easy handling and easy management, as well as a high level of security. On top of that, it comes as standard with each Windows 7 package, which means there are no additional charges. But the reality remains: DirectAccess is restricted to the world of Windows. In other words, the end of traditional VPN solutions is still a very long way off, especially for flexible solutions that support various operating systems and devices.