What's better than a VPN that automatically reconnects and retains its connection state? How about not needing a VPN in the first place? DirectAccess is one of the most compelling and game-changing features of Windows 7, both for users and for administrators faced with a remote and roaming workforce.
Aside from the issues mentioned above for users trying to stay connected on a VPN and access internal network resources, roaming users also pose a problem for administrators. Mobile computers that aren't connected to the network miss out on security updates, software patches, and Group Policy updates. They will get the updates when they eventually connect, but days or weeks might go by with those remote systems missing critical updates.
DirectAccess provides a persistent and seamless bidirectional connection between the internal network and the Windows 7 system, as long as that Windows 7 system can connect to the Internet. With DirectAccess, remote and roaming users experience the same access to corporate shares, intranet sites, and internal applications as they would if they were sitting in the office connected directly to the network.
DirectAccess works both ways. Not only can the computer access the network seamlessly across any Internet connection, but the IT administrator can also connect to DirectAccess client computers, even when the user is not logged on. With DirectAccess, IT administrators can monitor, manage, and deploy updates to DirectAccess client computers as long as they are connected to the Internet.
DirectAccess uses IPsec for authentication and encryption. DirectAccess can also integrate with Network Access Protection (NAP) to require that DirectAccess clients be compliant with system health requirements before being allowed to connect to the network. IT administrators can restrict access through DirectAccess and configure the servers that users and individual applications can access.
Built on IPv6
IPv6 is required for DirectAccess. DirectAccess connectivity is built on the foundation of globally routable IP addresses that IPv6 provides. IPv6 has been around for a while, and most systems and network devices are IPv6-capable, but the actual adoption of IPv6 as a replacement for IPv4 networking has been slow.
Microsoft was aware that IPv6 is not available everywhere, so the company designed DirectAccess to take advantage of IPv6 transition tools such as 6to4, Teredo, and ISATAP. Within the network, DirectAccess relies on NAT-PT (Network Address Translation-Protocol Translation) to provide connectivity between DirectAccess and IPv4 resources.
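Each of the transition technologies named above embeds IPv4 information inside the IPv6 address, so a DirectAccess client's address on the server side reveals its public IPv4 address (and, for Teredo, its NAT-mapped UDP port). As an added example that is not part of the original article, this Python decodes 6to4, Teredo and ISATAP addresses per their RFC layouts; the sample addresses are constructed (the Teredo one is the RFC 4380 documentation example, the others use RFC 5737 documentation IPv4 ranges).

```python
import ipaddress

def decode_transition_address(addr_str):
    """Return the IPv4 details embedded in a 6to4, Teredo or ISATAP
    address, or None for native IPv6 (or anything that is not IPv6)."""
    try:
        addr = ipaddress.IPv6Address(addr_str)
    except ipaddress.AddressValueError:
        return None
    bits = int(addr)
    # 6to4 (RFC 3056): 2002:WWXX:YYZZ::/48, site's public IPv4 in bits 16-47.
    if addr in ipaddress.IPv6Network("2002::/16"):
        site = ipaddress.IPv4Address((bits >> 80) & 0xFFFFFFFF)
        return {"type": "6to4", "public_ipv4": str(site)}
    # Teredo (RFC 4380): 2001:0000:<server>:<flags>:<~port>:<~client>.
    # The UDP port and client IPv4 are stored XORed with all-ones bits.
    if addr in ipaddress.IPv6Network("2001::/32"):
        server = ipaddress.IPv4Address((bits >> 64) & 0xFFFFFFFF)
        flags = (bits >> 48) & 0xFFFF
        port = ((bits >> 32) & 0xFFFF) ^ 0xFFFF
        client = ipaddress.IPv4Address((bits & 0xFFFFFFFF) ^ 0xFFFFFFFF)
        return {"type": "Teredo", "server_ipv4": str(server),
                "cone_flag": bool(flags & 0x8000),
                "client_public_ipv4": str(client), "client_udp_port": port}
    # ISATAP (RFC 5214): any /64 prefix; interface ID is 0000:5EFE:<IPv4>
    # (private IPv4) or 0200:5EFE:<IPv4> (globally unique IPv4).
    iid = bits & 0xFFFFFFFFFFFFFFFF
    if (iid >> 32) in (0x00005EFE, 0x02005EFE):
        inner = ipaddress.IPv4Address(iid & 0xFFFFFFFF)
        prefix = ipaddress.IPv6Address((bits >> 64) << 64)
        return {"type": "ISATAP", "embedded_ipv4": str(inner),
                "prefix": f"{prefix}/64"}
    return None

# Constructed sample addresses (documentation ranges, not real hosts).
SAMPLE_ADDRESSES = [
    "2002:c000:204::1",                      # 6to4 site 192.0.2.4
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",  # Teredo, RFC 4380 example
    "2001:db8:1::200:5efe:c000:20a",         # ISATAP, embedded 192.0.2.10
    "2001:db8::1",                           # native IPv6, nothing embedded
]

if __name__ == "__main__":
    for a in SAMPLE_ADDRESSES:
        print(f"{a:40} -> {decode_transition_address(a)}")
```

Running the decoder over DirectAccess server or IPsec log entries shows which clients reached the server through each transition mechanism and what IPv4 endpoint they exposed in the process.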
DirectAccess uses split-tunnel routing to intelligently route network traffic based on the intended destination. Only traffic destined for the corporate network is routed through the DirectAccess server, while traffic intended for resources on the public Internet is routed directly to its destination. Split-tunneling ensures that the resources of the DirectAccess server are not consumed by unnecessary network traffic.
Windows Server 2008 R2 Required
DirectAccess cannot function in a vacuum on a Windows 7 system. It requires a DirectAccess server to connect to, and a DirectAccess server means Windows Server 2008 R2. The DirectAccess server must have two network interface cards: one connected to the public Internet and one to provide access to the internal intranet resources. DirectAccess also requires at least two consecutive IPv4 addresses on the network interface card connected to the Internet.
The IPv6 transition technologies mentioned above (6to4, Teredo, and ISATAP) must be implemented on the DirectAccess server. A PKI (Public Key Infrastructure) is required to issue the certificates used for authentication and security, and a DNS server running on Windows Server 2008 or Windows Server 2008 R2 is required as well.
Users who experience problems connecting to DirectAccess can use the appropriate troubleshooting wizard to identify and resolve problems. Open the Network and Sharing Center and click on Troubleshoot problems; then select the Connection to a Workplace Using DirectAccess wizard to begin troubleshooting.