Microsoft Direct Access

I have been watching the videos that came with my, "Configuring Windows 7" DVD. Seems like a really VPN feature. Anyone have any thoughts on this feature that comes with Server 2008 R2?

Find more posts tagged with

SAVE $250 on Your Microsoft Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Microsoft Boot Camps

Comments

Hyper-Me

Its designed to be a VPN without the VPN.

It can be confusing for users to understand the difference in their network connections when they are and are not connected to a VPN. DirectAccess makes it seamless by allowing them to get to network resources inside the corporate network without doing anything special on their end.

Its pretty cool, but the requirement of 2008 R2, 7 Enterprise or Ultimate, IP v6, etc makes it unlikely that it will be widely adopted very soon. In a few years it may become prominent.

veritas_libertas

I like what I am seeing but I think it's strange that it require IPv6. Do you know why they are requiring that?

earweed

Here's an article on it from trainsignas website. You may have already seen this VL. It mentions in the configuration setting about how to use it if your network doesn't use IPv6. You have to have two NIC's on your server and you have to enable IPv6 on your server (The two nic's are configured with IPv4 addresses)
Windows Server HQ by Train Signal.com Direct Access: How It Works And How To Configure It
This may be just a rehash of what you have already seen.

RobertKaucher

veritas_libertas wrote: »

I like what I am seeing but I think it's strange that it require IPv6. Do you know why they are requiring that?

Because clients are required to have globally unique addresses. Remember the idea is that it is a system that allows you to connect directly to the work network via an IPSec tunnel. There is no VPN level authentication nor does the DA server hand out an IP address tot he client. The DA server just sees you have a cert that belongs to the domain, the pc belongs to the domain and you go. No cert, you cannot talk to the DA server over IPSec so you cannot get in.

earweed

So is there anything special we need to do with IPv6 that we can't already do?

veritas_libertas

@RobertK: So you are saying that your Windows 7 PC creates a static IP for this, and doesn't ask a DHCP server for an IP?

RobertKaucher

earweed wrote: »

So is there anything special we need to do with IPv6 that we can't already do?

Not have to use NAT or some other sort of technology. With IPv6 each person alive today could be assigned several billion IPv6 addresses and we would still have A LOT of room to grow. By requiring IPv6 MS has
1. Declared their support for transitioning to this technology as soon as possible
and
2. Made the technology simpler to implement once the transition is in place.

You don't have to deal with NAT, with VPN administration/purchase cost/licensing/etc. Simplicity and cost are a big deal. Less TCO and fewer limitations and frustrations on end users. This totally blurs the lines between office based/remote work force. Imagine how many more would work from home if they did not have to deal with VPN related issues? The trick is we cannot do this easily without a larger address pool.

@veritas_libertas - No. The ultimate goal of the idea would be that each device had its own routable IP address. So I connect via my"Air Card" or whatever and I am assigned an IPv6 address from my ISP and then I just click on my U drive and I have instant access to all my stuff at work. I don't have to worry about the VPN password changing or anything. I am authenticated by my DC and the communication is all done with the security of certificates and the ease of SSO via you already in place AD.