Scott Roberts is my hero of TechEd 2009. He is unassuming and mild-mannered, and has to fight his laptop’s video resolution, but underneath his lead program manager geekiness he wields secret powers. His foremost power is the ability to destroy traditional network perimeters, and his secondary power is to obliterate the need for VPNs and SSL VPNs.

He is a new breed of hero, he is DirectAccess Man.

I am (almost) not exaggerating here. Scott’s WSV320 session, entitled “Reinventing Remote Access with Direct Access,” was nothing short of amazing to me. All week I have been wandering the LACC thinking about the most exciting technology of the conference. Exchange 2010, TMG, and Windows 7 are all sexy, but DirectAccess blew me away.

DirectAccess seeks to put the corporate network wherever the users are located. Using IPv6, IPsec, and a Windows Server 2008 R2 box (serving as a DirectAccess server), users can seamlessly connect to internal resources from Internet connections. In the past, seamless has meant something on the order of fewer than 5 clicks, but this time MS really means it. No clicks, no user config, nothing. Brilliant.

I could labor on about the technology, but Microsoft has done a good job of laying out what is needed on its DirectAccess site and in a “DirectAccess Early Adopter’s Guide,” both of which I recommend reading. Instead of rehashing what you can read elsewhere, I wanted to give you Scott’s list of DirectAccess prerequisites:

  • Windows 7 clients running either Enterprise or Ultimate
  • Domain-joined clients
  • A domain controller running Windows Server 2008 SP2 or R2
  • A DNS server running Windows Server 2008 SP2 or R2
  • A DirectAccess server running Windows Server 2008 R2

A note about IPv6: Scott indicated that IPv6 is required in some sense for DirectAccess. The client works down a check list for connectivity, starting with native IPv6 and continuing with 6to4, Teredo, and IP-HTTPS, so at a minimum the client must have IPv6 installed (sorry, Vista and XP clients). From the DirectAccess server to the internal servers, either Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) or a NAT-PT/DNS-ALG device can be used, depending on the resources that need to be accessed. If everything is running Windows Server 2008 R2, then ISATAP is the cheaper implementation.
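Because the client's choice among native IPv6, 6to4, Teredo and IP-HTTPS shows up in logs only as the IPv6 source address, it helps to be able to tell the transition technologies apart. The following is an added example (my own code, not Microsoft's or anything from Scott's session) that classifies an IPv6 address by the well-known 6to4 (2002::/16), Teredo (2001:0000::/32) and ISATAP (interface ID ...:0:5efe:w.x.y.z or ...:200:5efe:w.x.y.z) encodings, pulls out the embedded IPv4 endpoints, and then applies the check-down order described above to a client's list of addresses. The sample addresses are constructed, with the Teredo one taken from the RFC 4380 worked example.

```python
import ipaddress

SIXTOFOUR_PREFIX = ipaddress.IPv6Network("2002::/16")   # RFC 3056
TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")      # RFC 4380

# Order the DirectAccess client walks through, as described in the post.
CHECKDOWN_ORDER = ("native", "6to4", "Teredo", "IP-HTTPS")


def classify_ipv6(addr_str):
    """Return a tuple naming the transition technology an address belongs to,
    followed by the IPv4 endpoint(s) embedded in it (if any)."""
    addr = ipaddress.IPv6Address(addr_str)
    raw = int(addr)

    if addr in SIXTOFOUR_PREFIX:
        # 2002:WWXX:YYZZ::/48 -> the 32 bits after the 16-bit prefix are the
        # public IPv4 address of the 6to4 router/host.
        v4 = ipaddress.IPv4Address((raw >> 80) & 0xFFFFFFFF)
        return ("6to4", str(v4))

    if addr in TEREDO_PREFIX:
        # 2001:0000:<server v4>:<flags>:<port ^ 0xFFFF>:<client v4 ^ 0xFFFFFFFF>
        server = ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)
        client = ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)
        return ("Teredo", str(server), str(client))

    # ISATAP: interface identifier is 0000:5EFE or 0200:5EFE followed by the
    # node's IPv4 address, under whatever /64 the ISATAP router advertises.
    iid = raw & 0xFFFFFFFFFFFFFFFF
    if (iid >> 32) in (0x00005EFE, 0x02005EFE):
        v4 = ipaddress.IPv4Address(iid & 0xFFFFFFFF)
        return ("ISATAP", str(v4))

    return ("native",)


def choose_connectivity(addresses):
    """Apply the check-down order to the IPv6 addresses a client holds and
    return the first technology it could use. IP-HTTPS is the fallback that
    needs no IPv6 address at all (it tunnels over HTTPS), so it always wins
    when nothing else is available."""
    available = set()
    for a in addresses:
        kind = classify_ipv6(a)[0]
        if kind == "native":
            # Link-local addresses cannot reach the DirectAccess server, and an
            # ISATAP address is an intranet artefact, not Internet connectivity.
            if not ipaddress.IPv6Address(a).is_link_local:
                available.add("native")
        elif kind in ("6to4", "Teredo"):
            available.add(kind)
    for method in CHECKDOWN_ORDER[:-1]:
        if method in available:
            return method
    return "IP-HTTPS"


if __name__ == "__main__":
    # Constructed sample addresses (2001:db8::/32 is the documentation range).
    samples = [
        "2001:db8::1",                              # native IPv6
        "2002:c000:204::1",                         # 6to4 for 192.0.2.4
        "2001:0:4136:e378:8000:63bf:3fff:fdd2",     # Teredo, RFC 4380 example
        "fe80::5efe:10.0.0.7",                      # link-local ISATAP address
    ]
    for s in samples:
        print(s, "->", classify_ipv6(s))
    print("client with only link-local:", choose_connectivity(["fe80::1"]))
    print("client behind 6to4:", choose_connectivity(["fe80::1", "2002:c000:204::1"]))
```

The Teredo client address comes out of the XOR with all ones, which is why a Teredo address never reveals the client's NAT-external IPv4 address in clear text; a SOC analyst matching DirectAccess logs against firewall logs needs that decoding step.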

If a broad deployment is desired, Scott recommended that we evaluate the Forefront UAG (unified access gateway). The UAG would extend several benefits to down-level clients (Vista and XP) through the use of an SSL-VPN and would facilitate the publishing of IPv4 internal resources. (Keep an eye on the Forefront blog for details of the upcoming release of UAG.)

The reason that DirectAccess is the best takeaway from TechEd 2009 is that it ties in Windows 7, Windows Server 2008 R2, and the UAG. These technologies, when combined, actually transform the mobile workforce, increasing security and decreasing complexity for all users. Fantastic!
