Although the underlying technologies are fundamentally different, direct-dial, broadband, VPN, and DirectAccess
connections all make it possible for users to access your
organization’s network remotely. With a typical direct-dial network
configuration, off-site users use their computer’s modem and a standard
telephone line to connect to a modem pool located at the office. A
Windows server managing the modem pool and running Routing And Remote
Access authenticates the logon ID and password and authorizes the user
to connect to the internal network. The user can then access network
resources just as she does when working on-site.
Figure 1 shows direct-dial connections using modem pools. Analog modems use
dedicated telephone lines to connect users to the internal network at
speeds up to 33.6 Kbps per line. Digital modems use channels of a T1
line to connect users to the internal network at speeds up to 56 Kbps
per line. In a standard configuration, you might have 8, 12, or 16
modems configured in the pool, each with its own line (or channel).
Typically, the modem pool has a lead number that users can call. This
number connects to the first modem in the pool. When the lead number is
busy, the line rolls over to the next number, which connects to the next
modem in the pool, and so on, enabling users to dial a single number to
gain access to all modems in the pool.
Unlike direct-dial connections, which can be made directly to the
office network, broadband connections are made through an ISP’s network.
The user’s DSL router, cable modem, or cellular modem establishes a
connection to the ISP, which in turn connects the user to the public
Internet. To connect to the office network, a broadband user must
establish a VPN or DirectAccess connection between his computer and the office network. Figure 2 shows how VPN and DirectAccess work when the user has either a telephone line and DSL router or a cable and a cable modem.
A VPN is an extension of a private network across the public
Internet. Once a user is connected, it appears to her that she is
directly connected to the office network, and she can access network
resources just as she does when working on-site. These seamless
connections are possible because a virtual tunnel is established between
the user’s computer and the office network, where the VPN technology
takes care of routing information over the public Internet. One of two
VPN technologies is typically used: Point-to-Point Tunneling Protocol
(PPTP) or Layer 2 Tunneling Protocol (L2TP).
Both L2TP and PPTP offer encryption and protection from attacks, but
only L2TP uses IPSec for advanced encryption, making it the more secure
of the two technologies. Unfortunately, L2TP is more difficult to
configure. When you use L2TP, you need to use Microsoft Certificate
Services or a third-party certificate server to issue individual
certificates for each system that will connect to the network using
L2TP.
In addition to using a VPN with a broadband connection, you can use a
VPN with a dial-up connection. In this configuration, users go through
their ISP to establish a connection to the public Internet and then
establish a private connection to the office network. When this
configuration becomes standard procedure for dial-up users, your
organization won’t need dedicated private lines like those reserved for a
modem pool.
Another virtual tunneling option is DirectAccess.
Although fundamentally different from VPN, the basic idea is the same—a
DirectAccess connection is an extension of a private network across the
public Internet. Once a user is connected (which happens automatically
after the feature is enabled), it appears to him that he is directly
connected to the office network, and he can access network resources
just as he does when working on-site. These seamless connections are
possible because a virtual tunnel is established between the user’s
computer and the office network, where the DirectAccess technology takes
care of routing information over the public Internet.
For Windows Server 2012, DirectAccess and Routing And Remote Access Service (RRAS) are combined into the Remote
Access server role, and the new implementation works differently from
the original implementation for Windows Server 2008 R2. With the
new implementation, DirectAccess remains a client-server technology that
relies on IPv6 and IPSec, but it no longer requires Public Key
Infrastructure (PKI). Although Windows Server 2008 R2 DirectAccess uses
two IPSec tunnels to establish connectivity to the corporate network,
Windows Server 2012 DirectAccess uses a single IPSec tunnel by default
(because the standard implementation doesn’t rely on certificate-based
authentication). However, for two-factor authentication, such as with
smart cards and Network Access Protection (NAP) integration, you’ll need
to deploy DirectAccess using two IPSec tunnels.
Windows Server 2012 DirectAccess supports multiple domains and has
built-in support for network load balancing. Although DirectAccess
clients communicate using IPv6 while connected remotely, the
Remote Access server includes a built-in protocol translation (NAT64) and
a name resolution gateway (DNS64) that can convert IPv6 communications
from DirectAccess clients to IPv4 for internal servers. This allows
DirectAccess clients to access IPv4-only intranet computers, but doesn’t
allow IPv4-only intranet computers to initiate connections to
DirectAccess clients. The reason for this is that network address
translation is unidirectional and meant for communications initiated by
DirectAccess clients.
Client computers must run the Enterprise edition of Windows 7 or
later. Server computers must run Windows Server 2008 R2 or later.
To use DirectAccess, you must set up and configure IPv6 for use by both
client and server computers throughout the enterprise, including DNSv6
and DHCPv6 as appropriate.
In the Administrative Templates policies for Computer Configuration under Network\Network Connections, you can use the Route All Traffic Through The Internal Network policy to control how DirectAccess
works. By default, when a user is connected to a workplace, the user’s
computer accesses Internet resources directly rather than going through
the workplace network. If you enable the routing policy, the user’s computer accesses the Internet through the workplace network.
Obviously, both configuration approaches have advantages and
disadvantages. If you don’t route Internet traffic through the internal
network, you reduce the workload and traffic levels on the workplace’s
connection to the Internet but lose the additional security and
safeguards that might be in place to protect the internal network. If
you route Internet traffic through the internal network, you increase
the workload and traffic levels on the workplace’s connection to the
Internet, and possibly dramatically increase latency and response times
when the user works with Internet resources, but you ensure that any
additional security and safeguards in place to protect the internal
network are also enforced.
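As an added example (not from the book), the following PowerShell function audits which of the two configurations a DirectAccess client is actually running, so the trade-off described above can be verified on a machine rather than assumed from the policy. It assumes a Windows 8 or later DirectAccess client with the DirectAccessClientComponents and DnsClient modules, and the registry value name Force_Tunneling is assumed to be the one the Route All Traffic Through The Internal Network policy writes.

```powershell
# Added example, not from the book: report how a DirectAccess client routes
# Internet traffic (split tunnel vs. routed through the workplace network).
# Run in an elevated PowerShell session on a DirectAccess client.

function Get-DATunnelingAudit {
    [CmdletBinding()]
    param()

    # 1. Is the client currently connected through DirectAccess at all?
    #    Status is typically ConnectedRemotely, ConnectedLocally, or Error.
    $conn = Get-DAConnectionStatus

    # 2. Client-side view of the force-tunneling setting. The property is
    #    reported as a boolean on some builds and as Enabled/Disabled on
    #    others, so both forms are accepted here.
    $cfg = Get-DAClientExperienceConfiguration
    $forceTunnel = ([string]$cfg.ForceTunneling) -match '^(True|Enabled)$'

    # 3. The registry value written by the Administrative Templates policy.
    #    Assumption: the policy stores Force_Tunneling under this key.
    $regPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition'
    $regValue = (Get-ItemProperty -Path $regPath -Name 'Force_Tunneling' `
                    -ErrorAction SilentlyContinue).Force_Tunneling

    # 4. Which DNS namespaces the NRPT sends to the DirectAccess DNS64 server.
    #    In split-tunnel mode only these names are reached through the
    #    workplace; all other lookups and traffic use the local Internet link.
    $nrpt = Get-DnsClientNrptPolicy |
            Where-Object { $_.DirectAccessEnabled } |
            Select-Object Namespace, DirectAccessDnsServers

    # Summarize the security/performance consequence of the observed mode.
    if ($forceTunnel) {
        $path = 'Workplace network (internal safeguards enforced, higher latency)'
    } else {
        $path = 'Direct to Internet (lower workplace load, internal safeguards bypassed)'
    }

    [pscustomobject]@{
        ConnectionStatus    = $conn.Status
        ForceTunneling      = $forceTunnel
        PolicyRegistryValue = $regValue
        IntranetNamespaces  = $nrpt
        InternetTrafficPath = $path
    }
}

Get-DATunnelingAudit | Format-List
```

A mismatch between ForceTunneling and PolicyRegistryValue usually means Group Policy has not yet refreshed on the client, which is worth checking before concluding that Internet traffic is protected by the workplace controls.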