Security Advisor

Can DirectAccess Replace Your VPN?

Despite some drawbacks, DirectAccess will likely become the preferred remote-access method as Windows 7 becomes more prevalent.

Windows Server 2008 R2 and Windows 7 will appeal to IT organizations that would be happy to ditch their VPN infrastructures for a more viable alternative. That's now possible with DirectAccess, a new technology that lets mobile users connect securely to an internal network from the Internet without having to use VPN connections.

With DirectAccess, client computers establish IP connections to corporate resources, such as application servers, whether they're plugged into your internal network or connected to the Internet. It uses the standard IP-based security protocol IPSec between the client and the server, ensuring mutual authentication and encryption of all network packets. In addition to IPSec, DirectAccess uses IPv6 for all network traffic between a client and a server.

To enable IPv6 traffic across an Internet connection that most likely only supports IPv4, DirectAccess encapsulates IPv6 traffic in IPv4 packets using several different methods. Even more impressive, if the traffic must traverse an existing firewall or proxy server that only allows HTTP, all IPv6 traffic can be encapsulated in HTTPS packets. As a result, you might have HTTP traffic in IPv6 packets, which are in turn encapsulated in HTTPS and transmitted using IPv4.
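The transition mechanisms behind that sentence are worth seeing in bytes. The following Python script is an added example, not code from the article or from Microsoft: it derives the 6to4 and Teredo addresses (RFC 3056 and RFC 4380) that embed a client's public IPv4 address inside an IPv6 address, then wraps a constructed IPv6 packet in an IPv4 header with protocol number 41 (the "6in4" tunnel used by 6to4) and unwraps it again, validating the outer header on the way in. All addresses and the payload are constructed sample values; the IP-HTTPS variant the column mentions adds a TLS and HTTP layer around the same IPv6 packet and is not reproduced here.

```python
"""Added illustration of IPv6-over-IPv4 transition addressing and 6in4
tunnelling as used by DirectAccess clients on the Internet. Not code from
the article or from Microsoft; every address and payload is constructed."""
import ipaddress
import struct

IPPROTO_IPV6 = 41   # IANA protocol number: IPv6 carried directly inside IPv4
IPPROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def six_to_four_prefix(public_ipv4: str) -> str:
    """RFC 3056: a public IPv4 address WW.XX.YY.ZZ owns the prefix 2002:WWXX:YYZZ::/48."""
    o = ipaddress.IPv4Address(public_ipv4).packed
    return str(ipaddress.IPv6Network(
        f"2002:{o[0]:02x}{o[1]:02x}:{o[2]:02x}{o[3]:02x}::/48"))


def six_to_four_relay_target(ipv6: str) -> str:
    """Recover the IPv4 tunnel endpoint from a 6to4 address (bytes 2..5)."""
    p = ipaddress.IPv6Address(ipv6).packed
    if p[:2] != b"\x20\x02":
        raise ValueError("not a 6to4 address")
    return str(ipaddress.IPv4Address(p[2:6]))


def teredo_decode(ipv6: str) -> dict:
    """RFC 4380: 2001:0000:<server v4>:<flags>:<port ^ 0xFFFF>:<client v4 ^ 0xFFFFFFFF>.
    The port and client address are stored inverted so NATs do not rewrite them."""
    p = ipaddress.IPv6Address(ipv6).packed
    if p[:4] != b"\x20\x01\x00\x00":
        raise ValueError("not a Teredo address")
    return {
        "server": str(ipaddress.IPv4Address(p[4:8])),
        "cone_flag": bool(p[8] & 0x80),
        "client_port": struct.unpack("!H", p[10:12])[0] ^ 0xFFFF,
        "client": str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in p[12:16]))),
    }


def build_ipv6(src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    """Minimal 40-byte IPv6 header (version 6, hop limit 64) followed by payload."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def encapsulate_6in4(ipv6_packet: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Wrap an IPv6 packet in an IPv4 header with protocol 41 (no options, DF set)."""
    total = 20 + len(ipv6_packet)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0x4000, 64,
                      IPPROTO_IPV6, 0,
                      ipaddress.IPv4Address(outer_src).packed,
                      ipaddress.IPv4Address(outer_dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + ipv6_packet


def decapsulate_6in4(frame: bytes) -> dict:
    """Validate the outer IPv4 header, require protocol 41, and expose the inner IPv6 fields."""
    ihl = (frame[0] & 0x0F) * 4
    outer = frame[:ihl]
    if frame[0] >> 4 != 4 or ipv4_checksum(outer) != 0:
        raise ValueError("bad outer IPv4 header")
    if outer[9] != IPPROTO_IPV6:
        raise ValueError(f"outer protocol {outer[9]} is not 6in4")
    inner = frame[ihl:]
    if inner[0] >> 4 != 6:
        raise ValueError("tunnel payload is not IPv6")
    payload_len, next_header = struct.unpack("!HB", inner[4:7])
    return {
        "outer_src": str(ipaddress.IPv4Address(outer[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(outer[16:20])),
        "inner_src": str(ipaddress.IPv6Address(inner[8:24])),
        "inner_dst": str(ipaddress.IPv6Address(inner[24:40])),
        "inner_next_header": next_header,
        "payload": inner[40:40 + payload_len],
    }


def demo() -> dict:
    """Roaming client (constructed 203.0.113.7) tunnels IPv6 to a server (constructed 198.51.100.1)."""
    client_v4, server_v4 = "203.0.113.7", "198.51.100.1"
    client_v6 = str(ipaddress.IPv6Network(six_to_four_prefix(client_v4))[1])
    server_v6 = str(ipaddress.IPv6Network(six_to_four_prefix(server_v4))[1])
    inner = build_ipv6(client_v6, server_v6, IPPROTO_UDP, b"constructed application payload")
    return decapsulate_6in4(encapsulate_6in4(inner, client_v4, server_v4))


if __name__ == "__main__":
    print(demo())
    print(teredo_decode("2001:0:4136:e378:8000:63bf:3fff:fdd2"))
```

The point for a defender is that the outer IPv4 header and the inverted Teredo fields carry the client's real public address, which is what perimeter logging sees, while the inner IPv6 addresses are what internal hosts and the IPsec policy see; correlating the two is how you trace a tunnelled session end to end.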

How Does It Work?
With DirectAccess, all client connections from the Internet to internal servers are established through one or more DirectAccess servers, which all must be running Windows Server 2008 R2. A DirectAccess server can be connected directly to the Internet or it can be located behind your firewall.

If you've deployed IPv6 in your internal network, the DirectAccess server decapsulates the packets arriving from the Internet and forwards the IPv6 traffic to the internal application server. If IPv6 is not available internally, DirectAccess forwards traffic to application servers using IPv4. When using IPv4 internally, packet-level encryption and authentication only occur between the client and the DirectAccess server, and packets travel across the internal network unsecured.

Is It Secure Without VPN?
If you're accustomed to using VPNs, you can probably think of some potential security risks that DirectAccess might create. However, on closer examination you'll find that most of them -- if not all -- have been addressed by Microsoft. To begin with, only computers that have a valid and trusted certificate can connect from the Internet. These are most likely the same computers that are already plugged into your network at other times. The only difference is how they're connected.

Worried about not being able to monitor the traffic between external clients and internal servers? If so, you should be just as concerned when the same computers are back on the local network, and you may need to monitor your internal network instead of just the network perimeter. What about malware-laden or insecurely configured remote clients connecting to your network? You can combine DirectAccess with Network Access Protection (NAP) to enforce a number of security settings and prevent computers that don't meet your requirements from connecting.

DirectAccess effectively extends your internal network to your mobile computers while they're out of the office. As far as users and applications are concerned, connections to internal resources happen automatically, regardless of how the mobile clients are connected.

Of course, there are some obstacles to DirectAccess. Most noteworthy are the system requirements. You'll need at least one DirectAccess server running Windows Server 2008 R2, and the clients must run Windows 7. Also, DirectAccess depends on IPSec, IPv6 and a Public Key Infrastructure for the computer certificates.

Despite these drawbacks, DirectAccess will likely become the preferred remote-access method as Windows 7 becomes more prevalent, and you should start becoming familiar with it now so you'll be ready once your Windows 7 deployment takes off. The best way to start is to review the resources on the DirectAccess page on TechNet.

About the Author

Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. In addition to helping companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide.
