July, 2010

I attended an internal Microsoft conference in Atlanta last week and need to catch a flight to Seattle for a training session this morning. Delta was providing onboard Wi-Fi internet access on the flight so I was willing to pay $12 to give it a try……I am a geek after all Smile Having access to email and web was great on the flight and allowed me to be productive on the 5 hour flight. Once the Wi-Fi was connected, I of course wanted to connect to link in an email message to a SharePoint site from a inside Microsoft. This was available to me securely and with no user intervention (VPN login, smart card, etc) as my Windows 7 laptop has DirectAccess enabled.

For those who have not seen me present on Direct Access in the past, DirectAccess in my opinion is the single greatest innovation we have added to the Windows platform in the last 5 years. Why when we have added so many great features and security enhancements across the Windows Server and Client? Well simply put, it makes everyone's life with a corporate computer easier.

Enhance mobility and manageability with DirectAccess

Working outside the office is easier than ever. DirectAccess in Windows 7 and Windows Server 2008 R2 enhances the productivity of mobile workers by connecting them seamlessly and more securely to their corporate network any time they have Internet access—without the need to VPN. When your IT department enables DirectAccess, the corporate network’s file shares, intranet websites, and line-of-business applications remain accessible wherever you have an Internet connection.
Manage remote machines more effectively. Flexibility gives IT the opportunity to service remote machines on a regular basis and ensure that mobile users stay up to date with company policies. With DirectAccess, IT administrators can manage mobile computers by updating Group Policy settings and distributing software updates any time the mobile computer has Internet connectivity, even if the user is not logged on.
Enhance security and access control. To keep data safer as it travels public networks, DirectAccess uses IPv6-over-IPsec to encrypt communications transmitted across the Internet. DirectAccess is designed to reduce unnecessary traffic on the corporate network by sending only traffic destined for the corporate network through the DirectAccess server (running Windows Server 2008 R2), or the administrator can choose to send all traffic through the corporate network. In addition to authenticating the computer, DirectAccess can also authenticate the user and supports multifactor authentication, such as a smart card. IT administrators can configure which intranet resources specific users can access using DirectAccess.
If you want more information, here is some documentation on what you need. Basic requirements:

Element	Requirements
DirectAccess client	Operating system: Windows 7 Ultimate or later, Windows 7 Enterprise or later, Windows Server 2008 R2 or later Member of an Active Directory Domain Services (AD DS) domain Computer certificate for Internet Protocol security (IPsec) authentication
DirectAccess server	Operating system: Windows Server 2008 R2 or later Member of an AD DS domain At least two network adapters that are connected to the Internet and your intranet 2 consecutive, public Internet Protocol version 4 (IPv4) addresses configured on the Internet network adapter (cannot be behind a network address translator [NAT]) Certificates: Computer certificate for IPsec authentication, Secure Sockets Layer (SSL) certificate for Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS) If acting as a network location server, Internet Information Services (IIS) and an additional SSL certificate installed
Active Directory	At least one Active Directory domain must be deployed with at least one Windows Server 2008 R2 or Windows Server 2008-based domain controller (an Internet Protocol version 6 [IPv6]-capable domain controller and global catalog). Windows Server 2008 R2 domain or forest functional levels are not required. Workgroups are not supported. For more information about installing Active Directory, see the AD DS Installation and Removal Step-by-Step Guide (http://go.microsoft.com/fwlink/?Linkid=139657).
Group Policy	Required for centralized administration and deployment of DirectAccess settings. The DirectAccess Setup wizard creates a set of Group Policy objects and settings for DirectAccess clients, the DirectAccess server, and selected servers.
Public key infrastructure (PKI)	Required to issue computer certificates for authentication, and optionally, health certificates when using Network Access Protection (NAP). External certificates are not required. For more information about setting up a PKI with Active Directory Certificate Services (AD CS), see Active Directory Certificate Services (http://go.microsoft.com/fwlink/?Linkid=106710).
Domain Name System (DNS) server	At least one running Windows Server 2008 R2, Windows Server 2008 with the Q958194 hotfix (http://go.microsoft.com/fwlink/?LinkID=159951), Windows Server 2008 SP2 or later, or a third-party DNS server that supports DNS message exchanges over the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP).

Technical Overview of DirectAccess in Windows 7 and Windows Server 2008 R2

Test Lab Guide: Demonstrate DirectAccess with Network Access Protection (NAP)

Test Lab Guide: Troubleshoot DirectAccess with Network Access Protection (NAP)

Test Lab Guide: Troubleshoot DirectAccess

Windows 2008 R2 Direct Access Server Management Pack for SC Operations Manager 2007 SP1

If you’re making the move to Windows 7, Windows Server 2008 R2, and/or Office 2010, you need tools and guidance to help you through the process. Microsoft Deployment Toolkit (MDT) 2010, a free Solution Accelerator, is designed to fill that need.

The latest MDT 2010 Update 1 release, now available for download, offers something for everyone:

· For System Center Configuration Manager 2007 customers:

o New “User Driven Installation” deployment method. An easy-to-use UDI Wizard allows users to initiate and customize an OS deployment on their PCs that’s tailored to their individual needs.

o Support for Configuration Manager R3 “Prestaged Media.” For those deploying Windows 7 and Office 2010 along with new PCs, a custom OS image can easily be loaded in the factory and then customized once deployed.

· For Lite Touch Installation:

o Support for Office 2010. Easily configure Office 2010 installation and deployment settings through the Deployment Workbench and integration with the Office Customization Tool.

o Improved driver importing. All drivers are inspected during the import process to accurately determine what platforms they really support, avoiding common inaccuracies that can cause deployment issues.

· For all existing customers:

o A smooth and simple upgrade process. Installing MDT 2010 Update 1 will preserve your existing MDT configuration, with simple wizards to upgrade existing deployment shares and Configuration Manager installations.

o Many small enhancements and bug fixes. Made in direct response to feedback received from customers and partners all around the world, MDT 2010 Update 1 is an indispensible upgrade for those currently using MDT (as well as a great starting point for those just starting).

o Continued support for older products. MDT 2010 Update 1 still supports deployment of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Office 2007, for those customers who need to be able to support these products during the deployment of Windows 7 and Office 2010.

The Irish IT Professional

Direct Access from the Sky

Enhance mobility and manageability with DirectAccess

Microsoft Deployment Toolkit 2010 Update 1 - Now Available!