If you are an office worker in today’s accelerated business
world, you need to be able to access your applications and data from
any device—your personal computer, mobile computer, tablet computer, or
other mobile device. And if you are an IT person involved in supporting
such an environment, you want to be able to implement such capabilities
easily and without hassles or additional costs.
Improvements in several Windows Server 2012 features now make it
simple to deploy, configure, and maintain an IT infrastructure that can
meet the needs of the modern workstyle. Remote access is now an
integrated solution that you can use to deploy DirectAccess and traditional virtual
private network (VPN) solutions quickly. Enhancements to Remote Desktop
Services now make it easier than ever to deploy both session-based
desktops and virtual desktops and to manage your RemoteApp programs
centrally. User-Device Affinity now makes it possible for you to map roaming users to specific computers and devices. BranchCache has been enhanced to improve performance and make better use of expensive wide area network (WAN) bandwidth. And Branch Office Direct Printing enables branch office users to get their print jobs done faster while putting less strain on the WAN.
Today’s enterprises face an increasingly porous perimeter for their
IT infrastructures. With a larger portion of their workforce being
mobile and needing access to mobile data, enterprises are presented
with new security challenges to address. Cloud computing promises to
help resolve some of these issues, but the reality is that most
organizations will deploy a hybrid cloud model that combines
traditional datacenter computing with hosted cloud services.
Providing remote access to corporate network resources in a secure,
efficient, and cost-effective way is essential for today’s businesses.
The previous version of Windows Server supported a number of different
options for implementing remote access, including:
- Point-to-Point Tunneling Protocol (PPTP) VPN connections
- Layer 2 Tunneling Protocol over IPsec (L2TP/IPsec) VPN connections
- Secure Sockets Layer (SSL) encrypted Hypertext Transfer Protocol (HTTP) VPN connections using the Secure Socket Tunneling Protocol (SSTP)
- VPN Reconnect, which uses Internet Protocol Security (IPsec) Tunnel Mode with Internet Key Exchange version 2 (IKEv2)
- DirectAccess, which uses a combination of Public Key Infrastructure (PKI), IPsec, SSL, and Internet Protocol version 6 (IPv6)
Implementing remote access could be complex in the previous version
of Windows Server because different tools were often needed to deploy
and manage these different solutions. For example, the Routing and
Remote Access (RRAS) component was used for implementing VPN solutions,
whereas DirectAccess was configured separately using other tools.
Beginning with Windows Server 2012, however, the process of
deploying a remote access solution has been greatly simplified by
integrating both DirectAccess and VPN functionality into a single
Remote Access server role. In addition, functionality for managing
remote access solutions based on both DirectAccess and VPN has now been
unified and integrated into the new Server Manager. The result is that
Windows Server 2012 now provides you with an integrated remote access
solution that is easy to deploy and manage. Note that some advanced
RRAS features, such as routing, are still configured using the legacy
Routing and Remote Access console.
If remote client devices can be always connected, users can work
more productively. Devices that are always connected are also more
easily managed, which helps improve compliance and reduce support
costs. DirectAccess, first introduced in Windows Server 2008 R2 and
supported by client devices running Windows 7, helps address these
needs by giving users the experience of being seamlessly connected to
their corporate network whenever they have Internet access.
DirectAccess does this by allowing users to access corpnet resources
such as shared folders, websites, and applications remotely, in a
secure manner, without first having to establish a VPN connection.
DirectAccess does this by automatically establishing bidirectional
connectivity between the user’s device and the corporate network every time the user’s device connects to the Internet.
DirectAccess alleviates the frustration that remote users often experience when using traditional VPNs.
For example, connecting to a VPN usually takes several steps, during
which the user needs to wait for authentication to occur. And if the
corporate network has Network Access Protection (NAP) implemented for
checking the health of computers before allowing them to connect to the
corporate network, establishing a VPN connection could sometimes take
several minutes or longer, depending on the remediation required or on
how long it has been since the user last established the VPN
connection. VPN connections can also be problematic
for environments that filter out VPN traffic, and Internet performance
can be slow for the user if both intranet and Internet traffic route
through the VPN connection. Finally, any time users lose their Internet
connection, they have to reestablish the connection from scratch.
DirectAccess solves all these problems. For example, unlike a traditional VPN
connection, DirectAccess connectivity is established even before users
log on, so that they never have to think about connecting to resources on
the corporate network or waiting for a health check to complete.
DirectAccess can also separate intranet traffic from Internet traffic
to reduce unnecessary traffic on the corporate network. Because
communications to the Internet do not have to travel to the corporate
network and back to the Internet, as they typically do when using a
traditional VPN connection, DirectAccess does not slow down Internet
access for users.
Finally, DirectAccess allows administrators to manage remote
computers outside the office even when the computers are not connected
via a VPN. This also means that remote computers are always fully
managed by Group Policy, which helps ensure that they are secure at all times.
In Windows Server 2008 R2, implementing DirectAccess was a fairly
complex task and required performing a large number of steps, including
some command-line tasks that needed to be performed both on the server
and on the clients. With Windows Server 2012, however, deploying and
configuring DirectAccess servers and clients is greatly simplified. In
addition, DirectAccess and traditional VPN remote access can coexist on
the same server, making it possible to deploy hybrid remote access
solutions that meet any business need. Finally, the Remote Access role
can be installed and configured on a Server Core installation.
DirectAccess—Making “easy” easier
DirectAccess with Windows 7 and Windows Server 2008 R2 was a
tremendous improvement in remote access technologies. In my role, I
work remotely almost 100 percent of the time—either at a customer site
or from home—so my laptop is rarely physically connected to Microsoft’s
internal network.
However, I often need to access internal resources for my work. Now,
I could connect over the Microsoft VPN, which in my case requires
plugging in a smart-card reader, inserting the smart card, and entering
a PIN. Certainly not a terrible experience, but we all prefer “EASY.”
DirectAccess is easy. If I have Internet connectivity, the odds are
pretty good that I have DirectAccess connectivity. I say “pretty good”
because like many technologies, there are times when something prevents
it from working. The question is “What is that something?”
Troubleshooting DirectAccess connectivity can be difficult in Windows 7.
With Windows 8, the client experience is much better. The properties of your DirectAccess connection
are easily accessible through the network’s user interface. This
interface will show you what your current DirectAccess status is and
will offer remediation options if you are not currently connected.
Additionally, in scenarios
where there may be multiple network entry points for DirectAccess
users, the interface will display the current site you are connected to
and allow you to connect to a different site entry point if necessary.
If all else fails, though, the properties page also allows the
client to collect DirectAccess logs (stored in a very readable HTML
format) and email them to your support staff to assist in the
troubleshooting process.
Of course, it wouldn’t qualify as a “cool technology” unless you
could shut it off and prevent people from using it! So naturally, being
able to configure the support staff email address, providing users with
the ability to switch to a different entry point and even the ability
to disconnect from DirectAccess temporarily can be controlled through a
Group Policy Object (GPO).
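The sidebar describes three client-experience settings that the administrator controls through the DirectAccess client GPO: the support email address used when logs are mailed out, whether the connection shows up in the network UI, and whether users may pick a different entry point. As an added example (not the sidebar author's code), the following uses the DirectAccessClientComponents cmdlets to write and read those settings; the GPO name, friendly name and support address are placeholders.

```powershell
# Added example, not from the book. Assumed placeholders: the GPO
# 'contoso.com\DirectAccess Client Settings' (the client GPO created by
# the Remote Access setup wizard) and the support mailbox address.
$clientGpo = 'contoso.com\DirectAccess Client Settings'

# Write the client experience settings into the client GPO. Every
# Windows 8 DirectAccess client that applies the GPO then shows the
# friendly name in its network list, offers "Collect logs" addressed
# to the support mailbox, and lets the user choose another entry point.
Set-DAClientExperienceConfiguration -PolicyStore $clientGpo `
    -FriendlyName 'Contoso Workplace Connection' `
    -UserInterface $true `
    -SupportEmail 'dahelp@contoso.com' `
    -ManualEntryPointSelectionAllowed $true

# Read the settings back from the GPO to confirm what clients will receive.
Get-DAClientExperienceConfiguration -PolicyStore $clientGpo |
    Format-List FriendlyName, UserInterface, SupportEmail,
                ManualEntryPointSelectionAllowed

# On a Windows 8 client that has applied the GPO, the same module reports
# the connection state the network UI displays (Status and Substatus).
# Get-DAConnectionStatus
```

Setting -ManualEntryPointSelectionAllowed to $false removes the entry-point switch from the client UI, which is the GPO lock-down the sidebar alludes to.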
DirectAccess deployment scenarios
When deploying DirectAccess on Windows Server 2012, keep in mind that there are two types of deployment scenarios: Express Setup and Advanced Configuration. At a high level, the differences between the two are given in this table:
| Express Setup | Advanced Configuration |
|---|---|
| PKI is optional | PKI and CA required |
| Uses a single IPsec tunnel configuration | Uses double IPsec tunnel configuration |
| Requires Windows 8 clients | Can use single factor, dual factor, and certificate authentication |
| | Supports clients running both Windows 8 and Windows 7 |
| | Required when designing a multisite configuration |
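The simplified deployment described earlier (DirectAccess and VPN in one Remote Access role, installable on Server Core) and the Express/Advanced distinction in the table can both be exercised from PowerShell. The following is an added example, not code from the book: it installs the role, performs an Express-style DirectAccess setup, adds VPN to the same server, and then classifies the result by reading the server settings back. The public name, interface names, GPO names and CA subject are placeholders.

```powershell
# Added example, not from the book. Assumed placeholders: the public
# name da.contoso.com, the adapter names 'External' and 'Internal', the
# two GPO names, and the issuing CA's subject string.

# 1. Install the unified Remote Access role (Server Core or full install).
Install-WindowsFeature RemoteAccess -IncludeManagementTools

# 2. Express-style DirectAccess: no certificates are supplied, so setup
#    uses self-signed certificates, a single IPsec tunnel and Windows 8
#    clients only (the left column of the table).
Install-RemoteAccess -DAInstallType FullInstall `
    -ConnectToAddress 'da.contoso.com' `
    -InternetInterface 'External' -InternalInterface 'Internal' `
    -ClientGpoName 'contoso.com\DirectAccess Client Settings' `
    -ServerGpoName 'contoso.com\DirectAccess Server Settings'

# 3. Traditional VPN coexists on the same server in the same role.
Install-RemoteAccess -VpnType Vpn

# 4. Classify the deployment the way the table does: computer certificate
#    authentication (IPsec root CA) or two-factor user authentication only
#    exist in the Advanced Configuration path.
function Get-DADeploymentKind {
    $da = Get-DAServer
    if ($da.ComputerCertAuthentication -eq 'Enabled' -or
        $da.UserAuthentication -eq 'TwoFactor') {
        return 'Advanced Configuration (PKI, double tunnel, Win7/Win8 clients)'
    }
    return 'Express Setup (no PKI, single tunnel, Windows 8 clients only)'
}
Get-DADeploymentKind

# 5. Moving to Advanced Configuration: point the server at the enterprise
#    CA root for IPsec and require smart card (two-factor) logon.
$rootCa = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object Subject -like 'CN=Contoso Root CA*' |
    Select-Object -First 1
if ($rootCa) {
    Set-DAServer -IPsecRootCertificate $rootCa `
        -ComputerCertAuthentication Enabled `
        -UserAuthentication TwoFactor
    Get-DADeploymentKind
}
```

Get-RemoteAccess reports the DAStatus and VpnStatus of the role, which is the quickest way to confirm that both components are installed after step 3.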