Have you ever administered a VPN where…
- Users had trouble connecting from some networks, resulting in you being the bad guy?
- You had to figure out how to re-install VPN software and get it configured over the phone?
- Passwords were forgotten or expired and you had to explain to the user that there is nothing you can do until they come into the office?
- A laptop wouldn’t be connected for weeks at a time while on vacation somewhere and was filled with fun new software when it came back into the office?
If you answered “yes” to any of these questions, congratulations! You have earned your VPN administrator title. Today I’m here to tell you that it doesn’t have to be this way!
DirectAccess – Always Connected!
Microsoft DirectAccess is a remote access technology that is best described as an automatic VPN. When a user takes their DirectAccess-enabled laptop home, to the coffee shop, or wherever, as soon as they have Internet access they also automatically have corporate network access. The user does not need to launch anything or log on to anything to establish this access. The computer combines its own computer credentials (NTLM authentication) with the user credentials the user already supplied when logging on to the computer in the first place (Kerberos authentication), and uses those items to establish IPsec tunnels to a DirectAccess server sitting in the company datacenter. Because these tunnels are established automatically, users can literally be working on their laptop in the office, close the lid and take it home, open the lid when they get home, and continue working as if nothing happened. As long as they are connected to the Internet at home (or wherever they happen to be), these tunnels build in the background within seconds and the user simply continues to work. They have access to all resources in the network just as they did when they were inside the office.
Installing the Client Software for DirectAccess
You’re done! The components that DirectAccess uses to connect are baked right into the Windows operating system – you already have them. As long as your users are running laptops (or tablets or whatever) with Windows 7 Ultimate, Windows 7 Enterprise, or Windows 8 Enterprise, the client components are already installed and waiting for your users to start using them. All you have to do is push some configuration settings to the computers so they know how to connect. What’s even cooler is that these configuration settings are distributed by Group Policy. During the DirectAccess configuration process the wizards create a GPO that contains all of the client-side connectivity settings. You then dedicate a group in Active Directory that will contain your DirectAccess client computers. Once the wizard is complete and the GPO is created, whenever you want to turn a new laptop into a DirectAccess laptop, you simply add that computer to the group. You don’t even have to touch that laptop. There is no actual VPN software that you need to install on the client computer, and therefore no software that could eventually break and have to be reinstalled, or have to be updated in the future.
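As an added illustration of the "add the computer to the group" step described above (example script written for this page, not the author's or IVO's code), assuming the RSAT ActiveDirectory module on the admin workstation, a client security group named DA-Clients (an assumed name; use whatever group you gave the wizard), and the built-in DirectAccessClientComponents and NetSecurity modules on a Windows 8 client for the status check:

```powershell
# Added example, not from the original post. Group name "DA-Clients" is an assumption.
Import-Module ActiveDirectory

function Add-DirectAccessClient {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [string] $GroupName = 'DA-Clients'   # assumed name of the DirectAccess client group
    )
    foreach ($name in $ComputerName) {
        $computer = Get-ADComputer -Identity $name -Properties OperatingSystem -ErrorAction Stop
        # Only the editions named in the article (Windows 7 Ultimate/Enterprise, Windows 8
        # Enterprise) carry the client components; Windows 8.1 Enterprise does as well.
        # Skip anything else so the client GPO does not land on a machine that cannot use it.
        if ($computer.OperatingSystem -notmatch 'Windows (7 (Ultimate|Enterprise)|8(\.1)? Enterprise)') {
            Write-Warning "$name runs '$($computer.OperatingSystem)', not a DirectAccess client edition; skipping"
            continue
        }
        Add-ADGroupMember -Identity $GroupName -Members $computer
        # A computer picks up new group membership in its Kerberos token only after a
        # reboot, so the DirectAccess GPO applies at the first policy refresh after that.
        Write-Verbose "$name added to $GroupName; reboot the client once so the DA GPO applies" -Verbose
    }
}

# Run this on the laptop itself to confirm the tunnels are actually up before telling
# the user they are "always connected". Requires Windows 8 or later for the DA cmdlet.
function Test-DirectAccessClientStatus {
    $status = Get-DAConnectionStatus          # Status: ConnectedRemotely, ConnectedLocally, Error, ...
    $mainMode = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Status      = $status.Status
        Substatus   = $status.Substatus
        MainModeSAs = $mainMode.Count         # greater than 0 when IPsec tunnels to the DA server exist
    }
}
```

Running Test-DirectAccessClientStatus from inside the office should report ConnectedLocally with no main mode SAs, while a remote client should report ConnectedRemotely with at least one.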
If I haven’t said it enough times already – DirectAccess tunnels are automatically created. Any time that the computer has Internet access, it has corporate access. This means that you have management control of those computers all of the time. You no longer have users who can take their computer with them on vacation, never launch their VPN, access a bunch of open wireless hotspots and download neat malware, and then come back into the office weeks later to distribute it. With a DirectAccess computer, every time that Internet access is established so is corporate network access, which means that security updates, patches, antivirus updates, and Group Policy settings are always active and updated.
DirectAccess has many more advantages than the short list that I have put in this article, but my intention here was to address some very common headaches that are present with traditional VPNs and showcase how DirectAccess throws those specific problems out the window. If you are ever interested in learning more about DirectAccess, I regularly host webinars for IVO Networks that anyone is welcome to attend. At IVO, we build DirectAccess Concentrator appliances: specialized, plug-and-play hardware that serves as the DirectAccess server in your corporate network. I design DirectAccess solutions every day and would be more than happy to answer any questions that you have!
More on this Feature this Sunday 🙂