Remote access of corporate networks can be a pain for employees and IT managers.
Employees have to remember their smart cards or type user names and passwords every time they want to log on, and IT pros have to deal with a variety of VPN clients, concentrators, and routers. A new feature in Windows Server 2008 R2 and Windows 7, DirectAccess, does away with most of that pain, though it requires companies to invest in a number of new technologies.
When a Windows 7 machine first logs in to a network with Windows Server 2008 R2 on the back end, DirectAccess saves the user name and password. From then on, the OS recognizes when the user is online and automatically opens a DirectAccess session with the corporate network using IPv6 over IPsec. When the connection drops and comes back, the employee is automatically reconnected to the corporate network. In short, DirectAccess lets employees connect to the network without using a VPN client or entering a user name or password.
At first glance, this may raise security concerns, but several features help address them. First, DirectAccess supports two-factor authentication, so smart cards (supported by default) or biometrics (which would require third-party software) can still be required before a user gets onto the network. Second, DirectAccess sessions are encrypted, either between the client and the DirectAccess server or entirely end to end. DirectAccess can also use split tunneling, in which intranet traffic is routed back to the corporate network while Internet traffic is not, and it works with other Microsoft security technologies such as NAP and Forefront gateways.
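The split-tunneling decision described above is easier to reason about with a small model. The following Python is an added illustration, not Microsoft's code and not how DirectAccess itself is implemented; the intranet prefixes, the exception prefix and the destinations are constructed values, and the "force tunnel" switch is an assumed way of contrasting split tunneling with sending all traffic through the corporate network.

```python
import ipaddress

# Constructed sample policy (assumed values, not from the article).
# Destinations inside these prefixes are sent through the DirectAccess tunnel.
INTRANET_PREFIXES = [
    ipaddress.ip_network("2001:db8:100::/48"),  # data-centre subnets
    ipaddress.ip_network("2001:db8:200::/48"),  # branch offices
]
# A more specific carve-out that is reached directly even though it sits
# inside an intranet prefix (for example a public-facing DMZ host).
DIRECT_EXCEPTIONS = [
    ipaddress.ip_network("2001:db8:100:ffff::/64"),
]


def classify(destination, force_tunnel=False):
    """Return 'tunnel' or 'direct' for one destination address.

    force_tunnel=False models split tunneling: only intranet prefixes go
    through the tunnel and everything else leaves the client directly.
    force_tunnel=True models full tunneling: every destination goes through
    the corporate network.
    """
    addr = ipaddress.ip_address(destination)
    if force_tunnel:
        return "tunnel"

    # Longest-prefix match across both lists, the way a routing table
    # resolves overlapping routes: the exception (/64) beats the /48.
    candidates = [(net, "tunnel") for net in INTRANET_PREFIXES]
    candidates += [(net, "direct") for net in DIRECT_EXCEPTIONS]
    best_len, best_action = -1, "direct"
    for net, action in candidates:
        if addr.version == net.version and addr in net and net.prefixlen > best_len:
            best_len, best_action = net.prefixlen, action
    return best_action


def overly_broad_prefixes(prefixes=INTRANET_PREFIXES, max_prefixlen=8):
    """Flag intranet prefixes so wide that 'split' tunneling would in fact
    pull most or all traffic through the tunnel (e.g. ::/0), which is the
    kind of policy mistake a reviewer should catch before deployment."""
    return [str(net) for net in prefixes if net.prefixlen <= max_prefixlen]


if __name__ == "__main__":
    for dst in ["2001:db8:100::10", "2001:db8:100:ffff::5", "2001:db8:300::1", "192.0.2.7"]:
        print(f"{dst:>22} split={classify(dst)} full={classify(dst, force_tunnel=True)}")
    print("overly broad:", overly_broad_prefixes())
```

With split tunneling, only the first destination is tunnelled; the DMZ host is reached directly because its /64 exception is more specific than the /48 it sits in, and the IPv4 address never matches an IPv6 prefix. The audit helper shows the check that matters when reviewing such a policy: a prefix that is too wide quietly turns split tunneling into full tunneling.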
On the server side, IT pros set up a DirectAccess server running on Windows Server 2008 R2. The server authenticates users and gives admins wizards for managing security, user names and passwords, group policy, and remote patching of employee PCs. Because employees are connected to the corporate network whenever they are online rather than only when they log in manually, Ward Ralston, a Microsoft technical product manager for Windows Server, said in an interview that DirectAccess lets admins push updates at any time instead of waiting for employees to connect to a VPN themselves. Updates can therefore go out more often and with less disruption to the end user.
There are a number of scenarios where DirectAccess wouldn't be appropriate, such as when employees use their own PCs to access corporate resources.
"This really is meant to replace the traditional VPN going forward, but I can still see a scenario where a corporation would want to keep a VPN on standby for legacy clients or other interactions," Ralston said.
And while DirectAccess could remove some of the management and usability pain of VPNs, it requires companies to run both Windows Server 2008 R2 and Windows 7, as well as supporting technologies such as IPv6.
"You need to use a lot of stuff on the back end to do this," Microsoft's Bill Hilf, manager of Windows Server marketing and platform strategy, said in an interview. With the next versions of Windows not slated for release until about the end of next year, most companies likely wouldn't even begin using these features in a big way until probably the end of 2010 at the earliest, when real widespread deployment of Windows Server 2008 R2 and Windows 7 will likely begin. However, VPNs have long been a thorn in the side of many an employee and IT manager, and DirectAccess could well be a welcome change even two years out.