
Technical Overview of DirectAccess in Windows 7 and Windows Server 2008 R2

Microsoft Windows Family of Operating Systems

Microsoft Corporation

Published: January 2010

Abstract

The Windows 7 and Windows Server 2008 R2 operating systems introduce DirectAccess, a solution that provides users with the same experience working remotely as they would have when working in the office. With DirectAccess, remote users can access corporate file shares, Web sites, and applications without connecting to a virtual private network (VPN).

 


 

 


Copyright information

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication.  Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only.  MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user.  Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Your right to copy this documentation is limited by copyright law and the terms of the software license agreement. As the software licensee, you may make a reasonable number of copies or printouts for your own use. Making unauthorized copies, adaptations, compilations, or derivative works for commercial distribution is prohibited and constitutes a punishable violation of the law.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document.  Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious.  No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

© 2010 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Forefront, Internet Explorer, Outlook, Windows, and Windows Server are trademarks of the Microsoft group of companies.

All other trademarks are property of their respective owners.

 

 


Contents

DirectAccess Technical Overview for Windows 7 and Windows Server 2008 R2

Mobile Workforce Needs

The Challenges with VPNs

DirectAccess Connections

End-to-end protection

End-to-edge protection

The DirectAccess Connection Process

Separating Internet and Intranet Traffic

DirectAccess Authentication

Using IPv6

DirectAccess and Network Access Protection

Scaling, Extending, and Simplifying DirectAccess Deployments with Forefront UAG

DirectAccess Requirements

Summary

References

 


 

DirectAccess Technical Overview for Windows 7 and Windows Server 2008 R2

The Windows® 7 and Windows Server® 2008 R2 operating systems introduce DirectAccess, a new solution that provides users with the same experience working remotely as they would have when working in the office. With DirectAccess, remote users can access corporate file shares, Web sites, and applications without connecting to a virtual private network (VPN).

DirectAccess establishes bi-directional connectivity with the user’s enterprise network every time the user’s DirectAccess-enabled portable computer is connected to the Internet, even before the user logs on. With DirectAccess, users never have to think about whether they are connected to the corporate network. DirectAccess also benefits IT by allowing network administrators to manage remote computers outside of the office, even when the computers are not connected to a VPN. DirectAccess enables organizations with regulatory concerns to extend regulatory compliance to roaming computer assets.

DirectAccess server functionality is included in Windows Server 2008 R2. An enhanced version of DirectAccess is included with Microsoft® Forefront™ Unified Access Gateway (UAG). For more information, see Scaling, Extending, and Simplifying DirectAccess Deployments with Forefront UAG.

This document describes the benefits of DirectAccess, how it works, and what you will need to deploy it in your organization. The following topics are covered:

Mobile Workforce Needs

The Challenges with VPNs

DirectAccess Connections

The DirectAccess Connection Process

Separating Internet and Intranet Traffic

DirectAccess Authentication

Using IPv6

DirectAccess and Network Access Protection

Scaling, Extending, and Simplifying DirectAccess Deployments with Forefront UAG

DirectAccess Requirements

Summary

References

Notes

For a complete view of Windows 7 resources, articles, demos, and guidance, please visit the Springboard Series for Windows 7 on the Windows Client TechCenter.

For a Web version of this document, see the DirectAccess Technical Overview for Windows 7 and Windows Server 2008 R2 in the Windows Client TechCenter (http://go.microsoft.com/fwlink/?LinkId=148643).

Mobile Workforce Needs

More users have become mobile to stay productive while they are away from the office. According to IDC, the third quarter of 2008 marked the point at which computer manufacturers began shipping more mobile computers than desktop computers worldwide (IDC Worldwide Quarterly PC Tracker, December 2008).

The number of mobile users is expected to keep growing: in 2008, mobile workers made up 26.8% of the worldwide workforce, and that share is forecast to reach 30.4% by 2011 (IDC, "Worldwide Mobile Worker Population 2007–2011 Forecast," Doc #209813, Dec 2007).

However, the way users access network resources hasn't changed. Although home broadband, wireless broadband, and Wi-Fi allow users to connect to the Internet while they are away from the office, corporate firewalls prevent them from connecting to resources on the intranet. Only users physically connected to the intranet can access intranet resources. This is also a management problem, because IT administrators can update computers only while they are connected to the intranet. To work around this limitation, many organizations provide VPNs.

The Challenges with VPNs

Traditionally, users connect to intranet resources with a VPN. However, using a VPN can be cumbersome because:

· Connecting to a VPN takes several steps, and the user needs to wait for authentication. For organizations that check the health of a computer before allowing the connection, establishing a VPN connection can take several minutes.

· Any time users lose their Internet connection, they need to re-establish the VPN connection.

· VPN connections can be problematic in some environments that filter out VPN traffic.

· Internet performance is slowed if both intranet and Internet traffic goes through the VPN connection.

Because of these inconveniences, many users avoid connecting to a VPN. Instead, they use application gateways, such as Microsoft Outlook® Web Access (OWA), to connect to intranet resources. With OWA, users can retrieve internal e-mail without establishing a VPN connection. However, users still need to connect to a VPN to open documents that are located on intranet file shares, such as those that are linked to in an e-mail message.

DirectAccess Connections

DirectAccess overcomes the limitations of VPNs by automatically establishing a bi-directional connection from client computers to the corporate network. DirectAccess is built on a foundation of proven, standards-based technologies: Internet Protocol security (IPsec) and Internet Protocol version 6 (IPv6). 

DirectAccess uses IPsec to authenticate both the computer and user, allowing IT to manage the computer before the user logs on. Optionally, you can require a smart card for user authentication. 

DirectAccess also uses IPsec to encrypt communications across the Internet. You can use IPsec encryption methods such as Triple Data Encryption Standard (3DES) and the Advanced Encryption Standard (AES); AES is the preferred choice, and 3DES should be kept only for compatibility with older peers.

Clients establish an IPsec tunnel for the IPv6 traffic to the DirectAccess server, which acts as a gateway to the intranet. Figure 1 shows a DirectAccess client connecting to a DirectAccess server across the public IPv4 Internet. Clients can connect even if they are behind a firewall.

 

Figure 1   DirectAccess clients access the intranet using IPv6 and IPsec

The DirectAccess client establishes two IPsec tunnels:

· The infrastructure tunnel: an IPsec Encapsulating Security Payload (ESP) tunnel authenticated with a computer certificate. This tunnel provides access to an intranet Domain Name System (DNS) server and domain controller, allowing the computer to download Group Policy objects and to request authentication on the user's behalf. Because it needs no user, it is available as soon as the computer has Internet connectivity, which is what lets IT manage the computer before logon.

· The intranet tunnel: an IPsec ESP tunnel authenticated with both a computer certificate and user credentials. This tunnel authenticates the user and provides access to intranet resources and application servers. For example, this tunnel must be established before Microsoft Outlook can download e-mail from the intranet Microsoft Exchange Server.

After the tunnels to the DirectAccess server are established, the client can send traffic to the intranet through the tunnels. You can configure the DirectAccess server to control which applications remote users can run and which intranet resources they can access.

DirectAccess clients can connect to intranet resources by using two types of IPsec protection: end-to-end and end-to-edge.

End-to-end protection

With end-to-end protection, as shown in Figure 2, DirectAccess clients establish an IPsec session (shown in green) through the DirectAccess server to each application server to which they connect. This provides the highest level of protection: traffic is authenticated, and optionally encrypted, all the way to the application server rather than only to the edge of the network, and access control can be enforced both on the DirectAccess server and in the IPsec policy of each application server. However, this architecture requires that application servers run Windows Server 2008 or Windows Server 2008 R2 and use both IPv6 and IPsec.

 

Figure 2   End-to-end protection

End-to-edge protection

For end-to-edge protection, as shown in Figure 3, DirectAccess clients establish an IPsec session to an IPsec gateway server (which by default is the same computer as the DirectAccess server). The IPsec gateway server terminates the IPsec protection and forwards the traffic unprotected, shown in red, to application servers on the intranet; the intranet itself is therefore trusted to carry that traffic in the clear. This architecture does not require IPsec on the intranet and works with any IPv6-capable application servers.

For information about connecting to IPv4-only application servers, read Using IPv6 later in this document.

 

Figure 3   End-to-edge protection

For the highest level of security, deploy IPv6 and IPsec throughout your organization, upgrade application servers to Windows Server 2008 or Windows Server 2008 R2, and use end-to-end protection. This allows authentication and, optionally, encryption from the DirectAccess client to the intranet resources. Alternatively, use end-to-edge protection when you want to avoid deploying both IPv6 and IPsec throughout your enterprise network. End-to-edge protection closely resembles VPNs and, as such, can be more straightforward to deploy.

Note

For either of these architectures, you can deploy multiple DirectAccess servers with a load balancer to meet your redundancy and scalability requirements.

The DirectAccess Connection Process

DirectAccess clients use the following process to connect to intranet resources:

1. The DirectAccess client computer running Windows 7 Enterprise or Windows 7 Ultimate detects that it is connected to a network.

2. The DirectAccess client computer determines whether it is connected to the intranet by attempting an HTTPS connection to the network location server (NLS), an intranet Web server that is not reachable from the Internet. If the NLS is reachable, the computer is on the intranet and DirectAccess is not used. If it is not reachable, DirectAccess is used.

3. The DirectAccess client computer connects to the DirectAccess server by using IPv6 and IPsec. If a native IPv6 network is not available (and it probably will not be when the computer is connected to the Internet), the client uses 6to4 or Teredo to send IPv4-encapsulated IPv6 traffic: 6to4 when the client has a public IPv4 address, and Teredo (IPv6 inside UDP, port 3544) when it is behind a NAT.

4. If a firewall or proxy server prevents the client computer that is using 6to4 or Teredo from reaching the DirectAccess server, the client automatically attempts to connect by using the IP over HTTPS (IP-HTTPS) protocol. IP-HTTPS encapsulates IPv6 traffic inside a Secure Sockets Layer (SSL) connection to TCP port 443 on the DirectAccess server, so it passes through any network that allows outbound Web traffic. Because the IPsec-protected packets are encrypted a second time by SSL, IP-HTTPS has the highest overhead of the three methods and is used only as the fallback.

5. As part of establishing the IPsec session for the infrastructure tunnel to reach the intranet DNS server and domain controller, the DirectAccess client and server authenticate each other using computer certificates.

6. If Network Access Protection (NAP) is enabled and configured for health validation, the DirectAccess client obtains a health certificate from a Health Registration Authority (HRA) located on the Internet prior to connecting to the DirectAccess server. The HRA forwards the DirectAccess client's health status information to a NAP health policy server. The NAP health policy server processes the policies defined within the Network Policy Server (NPS) and determines whether the client is compliant with system health requirements. If so, the HRA obtains a health certificate for the DirectAccess client. When the DirectAccess client connects to the DirectAccess server, it submits its health certificate for authentication.

For more information, see DirectAccess and Network Access Protection later in this document.

7. When the user logs on, the DirectAccess client establishes the second IPsec tunnel, the intranet tunnel, to access the resources of the intranet. The DirectAccess client and server authenticate each other using a combination of computer and user credentials: the computer certificate plus the user's Kerberos credentials or smart card.

8. The DirectAccess server forwards traffic between the DirectAccess client and the intranet resources to which the user has been granted access.

The DirectAccess connection process happens automatically, without requiring user intervention.

Separating Internet and Intranet Traffic

DirectAccess can separate intranet-bound traffic from Internet-bound traffic, as shown in Figure 4, to reduce unnecessary traffic on the corporate network: only names in the intranet namespace and destinations with intranet IPv6 prefixes are sent through the tunnel, and everything else goes directly to the Internet over the client's IPv4 connection. Most VPNs send all traffic, even traffic that is destined for the Internet, through the VPN, which can slow both intranet and Internet access. Because communications to the Internet do not have to travel to the corporate network and back out to the Internet, DirectAccess does not slow down Internet access.

 

Figure 4   The default traffic flow for DirectAccess does not send Internet traffic through the DirectAccess server

IT administrators can also choose to route all traffic, except traffic for the local subnet, through the DirectAccess server and the intranet. This option is known as force tunneling. When it is enabled, all communications use the IP-HTTPS protocol, which creates an IP tunnel within HTTPS, allowing it to pass through firewalls and proxy servers; the trade-off is that Internet traffic then takes the slowest transport and is hairpinned through the corporate network.

When this option is combined with Windows Firewall with Advanced Security, IT administrators gain control over which applications can send traffic and which subnets client computers can reach. For example, IT administrators can use outbound Windows Firewall rules to:

· Allow client computers to connect to the entire Internet, but only to one specific subnet on the intranet.

· Allow client computers to connect directly to the Internet using Internet Explorer®, but send traffic for all other applications through the intranet.

· Prevent intranet applications from sending communications to the Internet by restricting them to specific servers on your intranet.

While the default DirectAccess traffic configuration is optimized for performance, IT administrators have the flexibility they need to meet their organization’s security requirements.
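The separation described in this section is driven on the client by the Name Resolution Policy Table (NRPT): names in the intranet namespace are resolved by the intranet DNS servers through the tunnel, and every other name uses the interface's normal DNS and goes directly to the Internet. The following Python model is an added example, not code from the original document or from Windows, of that decision. It includes the two exemptions a deployment must carry: the network location server, which the client must reach directly in order to detect that it is on the intranet, and the DirectAccess server's own public name, which must resolve before any tunnel exists. All host names, DNS server addresses and rules are constructed; the handling of force tunneling follows the description above (all traffic except the local subnet through the DirectAccess server) and is a simplification.

```python
"""Simplified model of the Name Resolution Policy Table (NRPT) that a Windows 7
DirectAccess client consults when it is outside the intranet.  Added example,
not code from the original document; the rule set, host names and DNS server
addresses below are constructed for illustration."""
from typing import List, NamedTuple, Optional, Tuple


class NrptRule(NamedTuple):
    # A namespace rule (".corp.contoso.com") or an exact-name rule
    # ("nls.corp.contoso.com").  An empty dns_servers tuple is an exemption:
    # "resolve this name with the interface's normal (ISP) DNS".
    namespace: str
    dns_servers: Tuple[str, ...]


# Constructed rule set, shaped like the one a DirectAccess deployment needs:
#  - the intranet namespace goes to the intranet DNS server over the tunnel
#  - the network location server (NLS) is exempt; otherwise a client that is
#    actually inside the corporate network would try to reach it through the
#    tunnel and wrongly conclude that it is outside
#  - the DirectAccess server's public name is exempt; otherwise the client
#    could never resolve it before the tunnel exists
NRPT: List[NrptRule] = [
    NrptRule(".corp.contoso.com", ("2001:db8:1::53",)),  # assumed intranet DNS
    NrptRule("nls.corp.contoso.com", ()),                # exemption: NLS
    NrptRule("da.contoso.com", ()),                      # exemption: DA server
]


def match_rule(name: str, rules: List[NrptRule]) -> Optional[NrptRule]:
    """Longest-match lookup: an exact-name rule beats a namespace rule, and a
    longer namespace suffix beats a shorter one."""
    name = name.rstrip(".").lower()
    best: Optional[NrptRule] = None
    best_len = -1
    for rule in rules:
        ns = rule.namespace.lower()
        hit = name.endswith(ns) if ns.startswith(".") else name == ns
        if hit and len(ns) > best_len:
            best, best_len = rule, len(ns)
    return best


def resolution_path(name: str, rules: List[NrptRule], inside_corpnet: bool,
                    force_tunnel: bool = False) -> Tuple[str, str]:
    """Return (resolver, path) for a name.

    resolver: "intranet-dns" or "local-dns"
    path:     "tunnel" (via the DirectAccess server) or "direct" (local Internet)
    """
    if inside_corpnet:
        # The NLS is reachable, so the NRPT is not applied and normal DNS is used.
        return ("local-dns", "direct")
    rule = match_rule(name, rules)
    if rule is not None and rule.dns_servers:
        return ("intranet-dns", "tunnel")
    if rule is not None:
        # Explicit exemption: always direct, even under force tunneling,
        # because the tunnel cannot be built until da.contoso.com resolves.
        return ("local-dns", "direct")
    # No rule matched: an Internet name.  With split tunneling (the default)
    # it goes straight out; with force tunneling everything except the local
    # subnet is sent through the DirectAccess server (assumption of the model).
    return ("local-dns", "tunnel" if force_tunnel else "direct")
```

A quick way to check a deployment against this model is to compare the exemption rules with the real client table (netsh namespace show effectivepolicy on the Windows 7 client) and confirm that both the NLS name and the DirectAccess server's public name are present with no DNS servers listed.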

DirectAccess Authentication

DirectAccess authenticates the computer before the user logs on. Typically, computer authentication grants access only to domain controllers and DNS servers. After the user logs on, DirectAccess authenticates the user, and the user can connect to any resources he or she is authorized to access.

DirectAccess supports standard user authentication using a user name and password. For greater security, you can require two-factor authentication with smart cards. In this configuration users can still access Internet resources without their smart cards, but a smart card is required before a user can connect to intranet resources through the intranet tunnel; computer authentication, which uses the computer certificate, is unaffected. The user must insert the smart card and enter its PIN in addition to providing his or her user credentials. Smart card authentication prevents an attacker who acquires a user's password (but not the smart card) from connecting to the intranet. Similarly, an attacker who acquires the smart card but does not know the PIN that protects it, or the user's password, is unable to authenticate.

When smart cards are required for DirectAccess user authentication, you must use Active Directory® Domain Services (AD DS) in Windows Server 2008 R2: the requirement is enforced through authentication mechanism assurance, which needs the Windows Server 2008 R2 domain functional level.

Using IPv6

DirectAccess requires the use of IPv6 so that DirectAccess clients have globally routable addresses. For organizations that are already using a native IPv6 infrastructure, DirectAccess seamlessly extends the existing infrastructure to DirectAccess client computers, and those client computers can still access Internet resources using IPv4.

For organizations that have not yet begun deploying IPv6, DirectAccess provides a straightforward way to begin IPv6 deployment without requiring an infrastructure upgrade. You can use the 6to4 and Teredo IPv6 transition technologies for connectivity across the IPv4 Internet and the ISATAP IPv6 transition technology so that DirectAccess clients can access IPv6-capable resources across your IPv4-only intranet. 
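Steps 3 and 4 of the connection process and the transition technologies described here leave a practical question for anyone reading DirectAccess server, IPsec or firewall logs: which public IPv4 endpoint sits behind a given client IPv6 address? The following Python script is an added example, not code from the original Microsoft document, that decodes the IPv4 data embedded in 6to4, Teredo and ISATAP addresses according to the address layouts in RFC 3056, RFC 4380 and RFC 5214. The sample log lines, their format and the addresses in them are constructed for illustration. IP-HTTPS addresses are assigned from the DirectAccess server's IP-HTTPS prefix and carry no embedded IPv4 endpoint, so they are reported as native.

```python
"""Decode the IPv4 endpoint embedded in the IPv6 transition addresses that
DirectAccess clients use across the IPv4 Internet (6to4, Teredo) and across an
IPv4 intranet (ISATAP).  Added example, not code from the original document;
the log lines at the bottom are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass
class TransitionInfo:
    technology: str                     # "6to4", "Teredo", "ISATAP" or "native"
    client_ipv4: Optional[str] = None   # IPv4 endpoint embedded in the address
    teredo_server: Optional[str] = None
    teredo_port: Optional[int] = None   # client's external UDP port (de-obfuscated)
    teredo_cone: Optional[bool] = None  # cone-NAT flag from the Teredo flags field


def decode_transition_address(addr: str) -> TransitionInfo:
    """Classify an IPv6 address and pull out the IPv4 data it carries.

    Layouts (RFC 3056, RFC 4380, RFC 5214):
      6to4:   2002:WWXX:YYZZ::/48, where WWXX:YYZZ is the public IPv4 address
      Teredo: 2001:0000:SSSS:SSSS:FFFF:PPPP:CCCC:CCCC
              S = Teredo server IPv4, F = flags, P = UDP port XOR 0xFFFF,
              C = client public IPv4 XOR 0xFFFFFFFF
      ISATAP: <any /64>:0000:5EFE:a.b.c.d (or 0200:5EFE:... with the u/g bit set)
    """
    b = ipaddress.IPv6Address(addr).packed
    if b[:2] == b"\x20\x02":
        return TransitionInfo("6to4", client_ipv4=str(ipaddress.IPv4Address(b[2:6])))
    if b[:4] == b"\x20\x01\x00\x00":
        server = ipaddress.IPv4Address(b[4:8])
        flags = int.from_bytes(b[8:10], "big")
        port = int.from_bytes(b[10:12], "big") ^ 0xFFFF
        client = ipaddress.IPv4Address(int.from_bytes(b[12:16], "big") ^ 0xFFFFFFFF)
        return TransitionInfo("Teredo", str(client), str(server), port, bool(flags & 0x8000))
    if b[8:12] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
        # Heuristic: a native address could carry this interface ID by chance,
        # so confirm the prefix against the ISATAP prefixes deployed on the intranet.
        return TransitionInfo("ISATAP", client_ipv4=str(ipaddress.IPv4Address(b[12:16])))
    # Native IPv6, or an IP-HTTPS address from the DirectAccess server's prefix:
    # no IPv4 endpoint is embedded, so the client's public address has to come
    # from the HTTPS listener's own logs instead.
    return TransitionInfo("native")


def extract_client_endpoints(log_lines: Iterable[str]) -> Dict[str, TransitionInfo]:
    """Find every IPv6 address in the given lines (keyed as written) and decode it."""
    found: Dict[str, TransitionInfo] = {}
    for line in log_lines:
        for token in line.replace(",", " ").replace("=", " ").split():
            try:
                ipaddress.IPv6Address(token)
            except ValueError:
                continue
            found[token] = decode_transition_address(token)
    return found


# Constructed sample lines, not real DirectAccess server output.
SAMPLE_LOG = [
    "08:03:11 IPsec MM established peer=2001:0:4136:e378:8000:63bf:3fff:fdd2 tunnel=infrastructure",
    "08:04:02 IPsec MM established peer=2002:c000:204::c000:204 tunnel=infrastructure",
    "08:05:40 IPsec MM established peer=2001:db8:1::200:5efe:c0a8:101 tunnel=intranet",
    "08:06:15 IPsec MM established peer=2001:db8:cafe::1a2b tunnel=intranet",
]

if __name__ == "__main__":
    for address, info in extract_client_endpoints(SAMPLE_LOG).items():
        print(f"{address:45} {info.technology:7} client={info.client_ipv4}")
```

Run the script directly to print a table for the constructed lines; in practice, feed it the peer addresses reported by the DirectAccess server's IPsec security association listing. The Teredo decoding also yields the client's external UDP port and the Teredo server it registered with, which is useful when correlating a client against NAT or firewall logs.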

...
