Is It Time to Retire the Traditional VPN?
Microsoft Direct Access in Windows Server 2008 R2 combined with Microsoft ForeFront United Access Gateway (UAG) 2010 may replace the VPN -- for the better.
- By Greg Shields
It wasn't long ago when the Cisco VPN Client was our company's sweetest remote-access technology. I still remember the day they sent me home with my first keyfob, complete with its tiny keypad and ever-changing series of numbers. With that card, a person could connect to the corporate network from (almost) anywhere.
Actually establishing that connection, on the other hand, wasn't the simplest of processes. And when you finally got an IP address on the internal LAN, connecting to a resource required mapping a drive somewhere, entering in a Windows domain username and password, and searching around for whatever you needed. If you were an IT pro back in those days, you could probably figure it out. If you weren't, having that keyfob was sometimes more problematic than not having one.
Time for a New VPN
That's why I'm excited about Microsoft DirectAccess in Windows Server 2008 R2. DirectAccess extends the LAN to everywhere on the Internet in an always-on fashion.
It's a fantastic improvement for employee efficiency, but it's also a concept that brings night sweats to some security-minded IT pros. Always the optimist, I apply Occam's razor to the prototypical security person's fears: "Microsoft surely knows that unfettered LAN access represents a ridiculously insecure idea. So why would it think of creating such a solution until it has built one that's been ridiculously secured?"
Comprised of high-security technologies like IPv6, IPSec and AES encryption, DirectAccess is ridiculously secure. But it can also be ridiculously difficult to set up. Because it requires a suite of technologies that isn't part of most IT professionals' experience, simply turning it on can be an insurmountable technical challenge.
Enter Microsoft Forefront Unified Access Gateway (UAG) 2010. Designed to operate as a firewall for a wide range of apps, UAG really shines in how it significantly streamlines a DirectAccess implementation.
Microsoft UAG is a 64-bit app that installs to an instance of Windows Server. Like most firewalls, UAG requires a minimum of two physical network connections, one of which connects to your internal LAN, with the other connecting to the outside world. Installing UAG DirectAccess functionality also requires two static and consecutive public IPv4 addresses on its Internet-facing interface.
Installing UAG to a server in your network perimeter automatically installs much of the necessary infrastructure required to support DirectAccess.
That said, using UAG for DirectAccess still isn't a "next, next, finish" activity. Your UAG server and any connecting clients will need a set of trusted certificates, which means you might have to set up your own Public Key Infrastructure. You'll also need some familiarity with IPv6, as DirectAccess relies on it for communication. UAG greatly simplifies this requirement, as its built-in NAT64 functionality serves as a kind of bridge from external IPv6 to internal IPv4. This bridging means that implementing DirectAccess won't also require a forklift migration of your internal servers to IPv6. Your clients must be running Windows 7 Enterprise or Ultimate.
The UAG and DirectAccess combo improves your users' experiences when they're on the road. But an often-overlooked aspect is the ability to "manage out" your clients, changing your organization's approach to administering its clients outside the office. With the DirectAccess manage-out approach, internal services such as Group Policy, Windows Server Update Services and System Center Configuration Manager, among others, can be extended to any device that's connected to the Internet.
DirectAccess has had three hurdles to its widespread adoption. The first has been the embrace of the IT security community. The forthcoming EAL certification of UAG -- in evaluation as of this writing -- in combination with the other DirectAccess technologies, should soon overcome this hurdle. The second has been in its challenging implementation, an activity that's eased through pairing with UAG. Last, there's been the need to upgrade clients to Windows 7. The management- and business-optimization potential DirectAccess brings might just be your business's linchpin reason to make the investment in upgrading to Windows 7.
Greg Shields is Author Evangelist with PluralSight, and is a globally-recognized expert on systems management, virtualization, and cloud technologies. A multiple-year recipient of the Microsoft MVP, VMware vExpert, and Citrix CTP awards, Greg is a contributing editor for Redmond Magazine and Virtualization Review Magazine, and is a frequent speaker at IT conferences worldwide. Reach him on Twitter at @concentratedgreg.