Windows DirectAccess signals the death of traditional VPNs

Before the release of Windows 7 last month, traditional Virtual Private Networks were a necessary evil if you wanted to securely extend the corporate network beyond your own walls. But VPNs require additional software on the client system -- software which often does not support the new 64-bit workstation architectures.

Besides the risks inherent in extending the corporate network onto any computer, every dropped Internet connection and reboot also requires the VPN connection to be re-established -- which can increase help desk calls and end-user training time. And many VPNs require RADIUS or LDAP integration with your corporate directory for authentication, adding another potential point of failure.

Windows DirectAccess is a Windows 7 and Server 2008 R2 feature that provides seamless, secure connectivity to corporate networks -- at home, on the road, or just down the street at the neighborhood Starbucks.

Like most current VPNs, DirectAccess uses IPsec for encryption, with certificate-based authentication by default. It can also be configured to use smartcard-based authentication mechanisms like RSA tokens.

To utilize DirectAccess, you must be running Windows 7 on your workstations and using Windows Server 2008 R2.

DirectAccess does require IPv6, so that each client has a globally routable address, but migrating your environment to IPv6 is not necessary. With the 6to4 and Teredo IPv6 transition technologies, you can gradually move your intranet to IPv6 and still take advantage of the enhanced DirectAccess security features.
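To make the IPv6 requirement concrete, here is an added example (written for this page, not code from the article or from Microsoft) showing how the two transition technologies named above give a client a globally routable IPv6 address: 6to4 embeds the client's public IPv4 address in a 2002::/16 prefix (RFC 3056), and Teredo embeds the Teredo server, the NAT-translated port and the client's public IPv4 address in a 2001::/32 address (RFC 4380). The sample addresses are constructed (the Teredo one is the RFC 4380 example), and the fallback order in `choose_transition` reflects documented DirectAccess client behaviour, with the IP-HTTPS last resort omitted because the article does not cover it.

```python
"""Added example (not from the article): how 6to4 and Teredo give a
DirectAccess client a globally routable IPv6 address while the intranet
itself stays on IPv4. All sample addresses below are constructed."""
import ipaddress

# RFC 1918 ranges: a client holding one of these sits behind NAT and cannot use 6to4.
_RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")   # Teredo service prefix (RFC 4380)


def sixtofour_prefix(public_ipv4: str) -> str:
    """Return the 6to4 prefix 2002:WWXX:YYZZ::/48 derived from a *public* IPv4 address (RFC 3056)."""
    addr = ipaddress.IPv4Address(public_ipv4)
    if any(addr in net for net in _RFC1918) or addr.is_loopback or addr.is_link_local:
        raise ValueError(f"{public_ipv4} is not publicly routable; 6to4 cannot be used behind NAT")
    # Layout: 16-bit 0x2002, then the 32-bit IPv4 address, giving the site a /48.
    net = ipaddress.IPv6Network(((0x2002 << 112) | (int(addr) << 80), 48))
    return str(net)


def decode_teredo(addr_str: str) -> dict:
    """Unpack a Teredo address (RFC 4380 section 4):
    prefix | Teredo server IPv4 | flags | obfuscated UDP port | obfuscated client IPv4."""
    addr = ipaddress.IPv6Address(addr_str)
    if addr not in TEREDO_PREFIX:
        raise ValueError(f"{addr_str} is not a Teredo address")
    raw = int(addr)
    flags = (raw >> 48) & 0xFFFF
    return {
        "server": str(ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)),
        "cone_nat": bool(flags & 0x8000),           # "C" flag: client is behind a cone NAT
        "port": ((raw >> 32) & 0xFFFF) ^ 0xFFFF,    # port and client IPv4 are stored XOR-ed
        "client": str(ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)),
    }


def choose_transition(native_ipv6: bool, ipv4: str) -> str:
    """Fallback order a DirectAccess client follows: native IPv6, then 6to4 (needs a
    public IPv4), then Teredo (behind NAT). IP-HTTPS, used when Teredo is blocked too,
    is outside the article's scope and left out here."""
    if native_ipv6:
        return "native"
    try:
        sixtofour_prefix(ipv4)
        return "6to4"
    except ValueError:
        return "Teredo"


if __name__ == "__main__":
    print(sixtofour_prefix("203.0.113.10"))                              # constructed public address
    print(decode_teredo("2001:0:4136:e378:8000:63bf:3fff:fdd2"))       # RFC 4380 sample address
    print(choose_transition(False, "192.168.1.20"))                     # NAT client -> Teredo
```

The decoder is useful on the defensive side as well: Teredo traffic seen at a perimeter reveals the client's real public IPv4 address and NAT port, which is what an analyst needs to tie an IPv6 flow back to an IPv4 source. Python's `ipaddress.IPv6Address` also exposes `sixtofour` and `teredo` properties that return the embedded IPv4 addresses, and they can be used as a cross-check of the manual unpacking above.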

With DirectAccess, IT administrators control which traffic flows through the tunnel; this extends split-tunneling capabilities and ensures your corporate resources are accessible as efficiently as possible.

For example, technologies like Office Communications Server and Microsoft Exchange/Outlook already have remote connection technologies built into the stack. Routing them through DirectAccess as well would only add overhead, so you may exclude these technologies from DirectAccess connections.

But if you do that, keep in mind that those excluded connections will then be made directly from insecure networks. Corporate security in those cases must remain just as high a priority as it was when you designed your VPN.
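The split described in the two paragraphs above, as an added example (written for this page, not the article's or Microsoft's code): on Windows 7 a DirectAccess client decides per DNS name whether to use the intranet DNS and the IPsec tunnel, and keeps those rules in the Name Resolution Policy Table (NRPT), which the article does not name. The model below is a reduced version of that matching, with a constructed policy in which the whole `corp.example` namespace uses DirectAccess except the Exchange and OCS front ends. The `exposed_hosts` helper lists exactly the names that the caveat above applies to.

```python
"""Added example (not from the article): simplified NRPT-style matching that
decides whether a name goes through the DirectAccess tunnel or straight out to
the Internet. Namespaces and hosts are constructed samples."""
from dataclasses import dataclass

DIRECTACCESS = "directaccess"   # resolve via intranet DNS, traffic inside the IPsec tunnel
DIRECT = "direct"               # resolve via the local (Internet) DNS server, no tunnel


@dataclass(frozen=True)
class NrptRule:
    namespace: str        # leading "." = DNS suffix rule, otherwise an exact FQDN
    exempt: bool = False  # True: deliberately bypass DirectAccess for this namespace

    def matches(self, fqdn: str) -> bool:
        name = fqdn.rstrip(".").lower()
        if self.namespace.startswith("."):
            # The leading dot keeps "evilcorp.example" from matching ".corp.example".
            return name.endswith(self.namespace.lower())
        return name == self.namespace.lower()


# Constructed policy: intranet names use DirectAccess, except the Exchange and OCS
# front ends, which already carry their own remote-access protocols (see the article).
SAMPLE_POLICY = [
    NrptRule(".corp.example"),
    NrptRule("mail.corp.example", exempt=True),   # Outlook Anywhere / OWA
    NrptRule("ocs.corp.example", exempt=True),    # Office Communications Server edge
]


def route_for(fqdn: str, policy) -> str:
    """Most specific (longest) matching rule wins, as in the NRPT; a name with no
    matching rule is an ordinary Internet name and never enters the tunnel."""
    hits = [rule for rule in policy if rule.matches(fqdn)]
    if not hits:
        return DIRECT
    best = max(hits, key=lambda rule: len(rule.namespace))
    return DIRECT if best.exempt else DIRECTACCESS


def exposed_hosts(policy) -> list:
    """Names the policy sends outside the tunnel: clients reach them from untrusted
    networks without IPsec, so their own TLS and authentication must stand alone."""
    return sorted(rule.namespace for rule in policy if rule.exempt)


if __name__ == "__main__":
    for host in ("intranet.corp.example", "mail.corp.example", "www.example.net"):
        print(f"{host:25} -> {route_for(host, SAMPLE_POLICY)}")
    print("reached without the tunnel:", exposed_hosts(SAMPLE_POLICY))
```

On a real client the equivalent check is the effective NRPT on the workstation rather than a Python list; the point the model makes is that every exemption you add for efficiency is also a host that must defend itself without the tunnel's encryption and machine authentication.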

By extending DirectAccess with Network Access Protection, you can apply the corporate patching and antivirus compliance policies to DirectAccess clients as well, limiting the opportunities for viruses and malware to spread into the corporate network.

The major issue that must be addressed with DirectAccess is the configuration.

The DirectAccess server must be a domain member, and have a public IP address (actually two consecutive public addresses).

I am typically against putting any domain member on the Internet, or even NATing to one, but DirectAccess does force the use of the advanced Server 2008 R2 firewall.

But with an integrated publishing rule on Forefront Threat Management Gateway (the new version of ISA Server, expected in 2H 2010), a high-security environment for your enterprise is ensured.