1. Overview of DirectAccess
DirectAccess is a new technology that automatically establishes
bidirectional connectivity between a remote user's computer and that
user's company intranet. The remote user does not have to initiate the
connection to the intranet manually, and administrators can manage
this and other remote computers outside the office through the same
DirectAccess connection. DirectAccess is supported on Windows 7
Enterprise, Windows 7 Ultimate, and Windows Server 2008 R2.
Understanding the Limitations of VPNs
Traditionally, users connect to intranet resources with a VPN.
However, using a VPN has a number of disadvantages, including the
following:
- Connecting to a VPN takes several steps, and the user needs
  to wait for authentication. For organizations that check the
  health of a computer before allowing the connection, establishing
  a VPN connection can take several minutes.
- Any time users lose their Internet connection, they need to
  reestablish the VPN connection.
- VPN client machines receive Group Policy only while the VPN is
  connected, so remote computers that rarely connect fall behind on
  policy, updates, and other management.
- Internet performance is slowed if both intranet and Internet
  traffic goes through the VPN connection.
Because of these inconveniences, many users avoid connecting
to a VPN. Instead, they use application gateways, such as Microsoft Outlook Web Access (OWA), to connect to
intranet resources. With OWA, users can retrieve internal e-mail
without establishing a VPN connection. However, users still need to
connect to a VPN to open documents that are located on intranet file
shares, such as those that are linked to in an e-mail
message.
Understanding the Benefits of DirectAccess
DirectAccess overcomes the limitations of VPNs by providing the following
benefits to enterprises and their users:
- Always-on connectivity Unlike with a VPN, a DirectAccess
  connection is always on, even before the user logs on to his or
  her computer. The first (infrastructure) IPSec tunnel is
  authenticated with the computer's certificate and domain account,
  so management traffic flows as soon as the computer has Internet
  access; the second (intranet) tunnel is added when the user logs on.
- Seamless connectivity To the user, the DirectAccess connection
  to the corporate network is completely transparent. Aside from any
  delay that could be caused by a slow Internet connection, the user
  experience is the same as if the user's computer were connected
  directly to the corporate network.
- Bidirectional access With DirectAccess, the user's remote
  computer not only has access to the corporate intranet, but the
  intranet can also reach the user's computer. This means that the
  remote computer can be managed using Group Policy and other
  management tools in exactly the same way that computers located on
  the internal network are managed.
- Enhanced security DirectAccess provides administrators with
  flexibility in how they control access to internal resources for
  remote users and their computers. For example, DirectAccess can be
  configured to provide user access only to selected resources. In
  addition, DirectAccess fully integrates with Server and Domain
  Isolation solutions and the NAP infrastructure to help ensure
  compliance with security, access, and health policies for both
  local and remote computers.
In addition, DirectAccess includes the following security
features:
- DirectAccess is built on a foundation of standards-based
  technologies: IPSec and IPv6.
- DirectAccess uses IPSec to authenticate both the computer and
  the user. The computer authenticates with a certificate issued by
  an internal certification authority (so a PKI is a prerequisite),
  and the user authenticates with domain credentials. If you want,
  you can require a smart card for user authentication.
- DirectAccess also uses IPSec to provide encryption for
  communications across the Internet.
2. Understanding DirectAccess and IPv6 Transition Technologies
DirectAccess clients must have globally routable IPv6 addresses.
For organizations that are already using a native IPv6 infrastructure,
DirectAccess can easily extend this existing infrastructure to
DirectAccess client computers. These client computers can also still
access Internet resources by using IPv4.
For organizations that have not yet begun deploying IPv6, a
number of IPv6 transition technologies are available to begin IPv6
deployment without requiring an infrastructure upgrade.
These technologies are described in the next sections.
Intra-site Automatic Tunnel Addressing Protocol (ISATAP) is a
tunneling protocol that lets IPv6 hosts communicate across an
IPv4-only intranet, with an ISATAP router connecting them to the
rest of the IPv6 network, as shown in Figure 1.
ISATAP does not translate between IPv4 and IPv6. It encapsulates
IPv6 packets inside IPv4 packets (IP protocol 41) and uses the
hosts' existing IPv4 addresses as the tunnel endpoints. Each ISATAP
client configures an ISATAP interface whose IPv6 address embeds the
host's IPv4 address in the interface identifier: the address has
the form prefix:0:5EFE:w.x.y.z for a private IPv4 address, or
prefix:200:5EFE:w.x.y.z for a public one.
ISATAP is intended for use within a private network. In a
DirectAccess deployment it is typically used on the intranet side,
with the DirectAccess server acting as the ISATAP router, so that
Windows hosts on an IPv4-only internal network obtain IPv6
addresses and can be reached from DirectAccess clients.
6to4 is a protocol that tunnels IPv6 traffic over an IPv4 network
between 6to4 routers and relays. A 6to4 site derives its IPv6
prefix from the public IPv4 address of its 6to4 router: the address
w.x.y.z yields the prefix 2002:WWXX:YYZZ::/48 (each pair of hex
digits is one octet). Hosts behind the router therefore need no
IPv4 address of their own; only the 6to4 router, or a host that
acts as its own 6to4 router as a DirectAccess client with a public
IPv4 address does, needs a public IPv4 address. Because the prefix
encodes that public address, 6to4 does not work from behind an IPv4
NAT device.
Whereas ISATAP is intended primarily for intranets, 6to4 is
intended to be used on the Internet. You can use 6to4 to connect to
IPv6 portions of the Internet through a 6to4 relay even if your
intranet or your ISP supports only IPv4.
A sample 6to4 network is shown in Figure 2.
Teredo is a tunneling protocol that allows clients located
behind an IPv4 NAT device to use IPv6 over the Internet. Teredo
encapsulates IPv6 packets in IPv4 UDP datagrams (the Teredo server
listens on UDP port 3544), which, unlike the protocol 41 packets of
6to4 and ISATAP, can traverse a NAT. Teredo addresses come from the
prefix 2001:0::/32 and encode the Teredo server's IPv4 address
together with the client's external (NAT-mapped) IPv4 address and
UDP port. Teredo is used only when no other IPv6 transition
technology (such as 6to4) is available; for a DirectAccess client
that means it has a private IPv4 address behind a NAT.
Teredo relies on an infrastructure, illustrated in Figure 3, that
includes Teredo clients, Teredo servers, Teredo relays, and Teredo
host-specific relays.
- Teredo client A Teredo client is a computer that is enabled with
  both IPv6 and IPv4 and that is located behind a router performing
  IPv4 NAT. The Teredo client creates a Teredo tunneling interface
  and configures a routable IPv6 address with the help of a Teredo
  server. Through this interface, Teredo clients communicate with
  other Teredo clients or with hosts on the IPv6 Internet (through a
  Teredo relay).
- Teredo server A Teredo server is a public server connected both
  to the IPv4 Internet and to the IPv6 Internet. The Teredo server
  helps perform the address configuration of the Teredo client (it
  learns the client's external IPv4 address and UDP port from the
  client's qualification packets and embeds them in the address the
  client uses) and facilitates initial communication either between
  two Teredo clients or between a Teredo client and an IPv6 host.
  To facilitate communication among Windows-based Teredo client
  computers, Microsoft has deployed Teredo servers on the IPv4
  Internet. DirectAccess clients, however, use the DirectAccess
  server itself as their Teredo server, which is why that server
  needs two consecutive public IPv4 addresses.
- Teredo relay A Teredo relay is a Teredo tunnel endpoint. It is
  an IPv6/IPv4 router that can forward packets between Teredo
  clients on the IPv4 Internet and IPv6-only hosts.
- Teredo host-specific relay A Teredo host-specific relay is a
  host that is enabled with both IPv4 and IPv6, has a global IPv6
  address, and acts as its own Teredo relay. Because it terminates
  the Teredo tunnel itself, a Teredo client can tunnel through the
  IPv4 Internet and exchange packets with it directly, without the
  traffic passing through a shared Teredo relay. Windows hosts that
  have a global IPv6 address behave as Teredo host-specific relays.
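The three address formats described above (ISATAP, 6to4, and Teredo) each embed IPv4 endpoints that a practitioner can recover from an address seen in a log. The script below is an added example and is not code from the book or from Microsoft; it uses only the Python standard library. The sample addresses are constructed from documentation ranges (10.0.0.0/8, 198.51.100.0/24, 192.0.2.0/24, 2001:db8::/32), except the Teredo entry, which is the widely cited textbook address whose embedded values are decoded in the comments.

```python
"""Classify IPv6 addresses by transition technology and recover the
IPv4 endpoints they embed (ISATAP, 6to4, Teredo).  Added example;
standard library only."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class TransitionInfo:
    kind: str                                     # "isatap", "6to4", "teredo" or "other"
    ipv4: Optional[ipaddress.IPv4Address] = None  # ISATAP host / 6to4 router / Teredo client
    teredo_server: Optional[ipaddress.IPv4Address] = None
    teredo_port: Optional[int] = None             # client's external UDP port as mapped by its NAT
    cone_nat: Optional[bool] = None               # Teredo "cone" flag (bit 0x8000 of the flags field)


def classify(text: str) -> TransitionInfo:
    """Decode one IPv6 address; raises ValueError on malformed input."""
    b = ipaddress.IPv6Address(text).packed  # 16 bytes, network byte order

    # 6to4: 2002:WWXX:YYZZ::/48, where WWXXYYZZ is the 6to4 router's public IPv4 address.
    if b[0:2] == b"\x20\x02":
        return TransitionInfo("6to4", ipv4=ipaddress.IPv4Address(b[2:6]))

    # Teredo: 2001:0000::/32, then server IPv4, 16-bit flags, then the client's
    # external UDP port and IPv4 address, each XORed with all ones (RFC 4380).
    if b[0:4] == b"\x20\x01\x00\x00":
        flags = int.from_bytes(b[8:10], "big")
        port = int.from_bytes(b[10:12], "big") ^ 0xFFFF
        client = ipaddress.IPv4Address(bytes(x ^ 0xFF for x in b[12:16]))
        return TransitionInfo("teredo", ipv4=client,
                              teredo_server=ipaddress.IPv4Address(b[4:8]),
                              teredo_port=port, cone_nat=bool(flags & 0x8000))

    # ISATAP: any prefix; interface identifier 0000:5EFE:w.x.y.z, or
    # 0200:5EFE:w.x.y.z (u/l bit set) when the embedded IPv4 address is public.
    if b[8] in (0x00, 0x02) and b[9] == 0x00 and b[10:12] == b"\x5e\xfe":
        return TransitionInfo("isatap", ipv4=ipaddress.IPv4Address(b[12:16]))

    return TransitionInfo("other")


# Constructed sample: addresses as they might appear in a firewall or
# DirectAccess server log.  Hex groups are used so the IPv4 octets are visible.
SAMPLE_LOG = [
    "2001:db8:1::5efe:a00:5",                 # ISATAP, intranet host 10.0.0.5
    "fe80::200:5efe:c633:6401",               # ISATAP link-local, public host 198.51.100.1
    "2002:c633:6401::1",                      # 6to4, router 198.51.100.1
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",   # Teredo: server 65.54.227.120, cone NAT,
                                              #   client 192.0.2.45, external UDP port 40000
    "2001:db8:2::10",                         # native IPv6, not a transition address
]


def tunneled_endpoints(addresses):
    """Return {address: TransitionInfo} for every transition address in the
    input; native addresses are omitted.  Useful for spotting tunnelled IPv6
    and the NAT mappings that Teredo addresses reveal."""
    out = {}
    for a in addresses:
        info = classify(a)
        if info.kind != "other":
            out[a] = info
    return out


if __name__ == "__main__":
    for a, info in tunneled_endpoints(SAMPLE_LOG).items():
        print(f"{a:40} {info}")
```

Because every Teredo address carries the client's external IPv4 address and UDP port in the clear, a DirectAccess server log of Teredo clients is also a record of their NAT mappings; the `teredo_server` field tells you whether a client qualified against your own server or a public one.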
IP-HTTPS is a new protocol developed by Microsoft for Windows 7
and Windows Server 2008 R2. It enables hosts located behind a Web
proxy server or firewall to establish connectivity by tunneling
IPv6 packets inside an IPv4-based Hypertext Transfer Protocol
Secure (HTTPS) session on TCP port 443. HTTPS is used instead of
HTTP so that Web proxy servers do not attempt to examine the data
stream and terminate the connection. IP-HTTPS is used as the
fallback technology for DirectAccess clients when neither 6to4 nor
Teredo is available. It is a fallback rather than the default
because the IPv6 traffic it carries is already protected by IPSec,
so on Windows 7 it is encrypted twice and performs worse than the
other transition technologies.
Some NAT routers are able to provide connectivity between global
IPv6 addresses and private IPv4 addresses. To perform this
function, these devices typically conform to the Network Address
Translation/Protocol Translation (NAT-PT) standard or the Network
Address Port Translation + Protocol Translation (NAPT-PT) standard,
as defined in RFC 2766. Although these two technologies are still
available on some networks, they have been deprecated by the
Internet Engineering Task Force (IETF) because of technical
problems (documented in RFC 4966). NAT64, together with its DNS
companion DNS64, is the replacement mechanism for the same function
and has since been standardized in RFC 6146 and RFC 6147.
Note
CONFIGURING IPV6 SETTINGS IN GROUP POLICY
You can configure client settings for IPv6 transition
technologies in Local Computer Policy or Group Policy. You can find
these settings in a GPO by navigating to Computer
Configuration\Policies\Administrative Templates\Network\TCPIP
Settings\IPv6 Transition Technologies. To check what a client has
actually negotiated, use the netsh interface teredo, 6to4, isatap,
and httpstunnel contexts (for example, netsh interface teredo show
state).