April 15, 2012

Part 4 - Direct Access

Remote access is a tough nut to crack.  On the one hand, every employee needs access to their corporate resources at all times of the day and from whatever device they can shake a stick at.  On the other hand, IT can’t just tear down the firewall and let everyone in for obvious reasons.  For a long time, dedicated VPN equipment (like an ASA appliance) or VPN software like Microsoft RRAS was really the best option for secure, reliable connectivity when not on prem.  The challenge with those solutions are several fold:

  1. Yet another system to manage
  2. Not well integrated (although they are getting better) with the rest of your environment
  3. Only provide access, doesn’t provide management/true connectivity (I’ll explain in a bit)

With Windows Remote Desktop Services, you can get much closer to the goal of ubiquitous access – take your Gateway server and drop it onto port 443 in your DMZ and your remote apps, remote desktops and VDI sessions are available to your end users (there’s a whole RDS post coming soon).  But that doesn’t get you true native connectivity – connectivity that has been the dreams of many throughout the ages…ok maybe that’s a bit too far.  Connectivity that makes your computer look, act and feel like it is on the corporate network without the need of complicated VPN or RAS dialers.  Connectivity that allows you to:

  1. Hit internal intranet sites without FQDN (http://myportal)
  2. Hit internal shares or mapped drives (server1myfolder)
  3. Have group policies applied and updated both during log on and via the standard 90 minute schedule
  4. Have the ability for IT to ‘see’ my computer if I am having troubles and diagnose/work with me as if I were physically present
  5. Not have to reconfigure my internal apps to hit FQDN or the ability of apps that are configured to hit internal IP addresses just work
  6. Only route ‘internal’ traffic to the corporate network – if I hit, route normally (to keep speed going)

Seems like a pipe dream does it not?  Direct Access brings all of those to your company owned workstation/laptop and more!  In Server 2008, the promise of such amazing connectivity was largely unused because it was incredibly difficult to setup and maintain.  It also required some decent major infrastructure changes throughout your network (like IP6 stuff) to enable.  Fortunately, like all things WS8, Direct Access is now AMAZING, simple, secure by default (it won’t work insecurely), etc.  Here are some of the amazing points from our preview documentation we’ve been working through:

  1. Remote Access (RRAS/VPN) and Direct Access are now controlled together using a single interface.
  2. Monitoring of the environment is now much easier with all the PowerShell, WMI, GUI monitoring you can shake a stick at.
  3. A new Network Connectivity Assistant which provides the client computers with customizable  connectivity diagnostics.  While the default state remains to be transparent to the end user, if things go wrong, this tool will pop up and can help.
  4. When enabling Direct Access, it takes care of all the Firewall goo for you – how many companies you know have a deployment step where the first thing a new server VM gets done to it is to disable the Windows Firewall?  That’s BAD and as an aside, Windows Server 8 makes this much less ‘necessary.’
  5. Wizards!  Small companies can deploy this sucker with just a few clicks – much better.
  6. PKI isn’t required (although still recommended) in that you don’t have to go through all the goo of setting up certificates and trusts when you have a very simple setup.
  7. Direct Access can now access IP4 servers on your network – probably the best enhancement – your servers need not have IP6 setup to be exposed through DA.  DA acts as a proxy to facilitate this magic.
  8. Can work with just a single network adapter (as opposed to dual NICs and weird config settings on the server in 2008R2).
  9. Will work with your Network Access Protection investment (really was surprised this was missing in 2008R2).
  10. Can work with One Time Passwords and key fobs for added security on your RADIUS environment – my test included a very cool toy called Yubikey.
  11. Here’s one – instead of a traditional smart card (something you know and something you have) – Windows 8 now can use the TPM device built onto the board as a virtual smart card.
  12. Works with server core – as do most things in WS8
  13. Can configure computers ‘off network’ – the machines don’t have to be physically connected to the corporate network to join the domain and receive its Direct Access settings – that’s black magic if you ask me.

These enhancements, along with the more complex things that changed under the covers, will make Direct Access not only affordable, but technically attainable for small companies all the way up to the largest enterprises (if you get PKI configured and the cool Geo-Redundant load balancing).  It’s all very VERY cool 🙂