Ramblings from another nerd on the grid
Remember when you jumped from dial-up to DSL or a cable modem? You know what I mean. Those technology jumps that just make you smile really wide? Well, I have news for you. There’s another one coming that is going to rock your world. It’s called DirectAccess and although I am not particularly fond of the name, the name is accurate.
What is DirectAccess?
Simply put, it’s direct access to your corporate network across an automatically established tunnel. There’s a lot that has to happen in order for that to occur, but thankfully nearly everything is transparent to the user.
DirectAccess clients maintain constant connectivity with the intranet, and Internet Protocol version 6 (IPv6) provides the end-to-end addressing necessary to accomplish this. Since many organizations do not yet have IPv6 deployed, DirectAccess includes IPv6 transition technologies (such as 6to4 and Teredo) to help ensure IPv6 connectivity even when the client only has an IPv4 path to the Internet.
IP-HTTPS is a new protocol in Windows 7 and Windows Server 2008 R2 that allows hosts behind a Web proxy server or firewall to establish connectivity by tunneling IPv6 packets inside an IPv4-based HTTPS session. HTTPS is used instead of HTTP so that Web proxy servers will not attempt to examine the data stream and terminate the connection; to the proxy it is just a long-lived TLS session to port 443 on the DirectAccess server.
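To make the "IPv6 inside an HTTPS session" idea concrete, here is an added example (not code from the post or from Microsoft) that builds IPv6 packets, writes them back-to-back into a byte stream the way a stream tunnel would feed them into a TLS socket, and splits them apart again on the receiving side using the IPv6 Payload Length field. The framing is the general technique; the exact MS-IPHTTPS HTTP handshake and headers are not reproduced, and the addresses and payloads are constructed for the illustration. The decapsulator deliberately refuses anything that does not carry an IPv6 version nibble and hands back a partial trailing packet rather than guessing at its length, which is the check a tunnel endpoint has to get right.

```python
"""IPv6-over-stream encapsulation in the style of IP-HTTPS (illustrative, not MS-IPHTTPS)."""
import ipaddress
import struct

IPV6_HEADER_LEN = 40
NEXT_HEADER_ICMPV6 = 58


def build_ipv6_packet(src: str, dst: str, next_header: int, payload: bytes,
                      hop_limit: int = 64) -> bytes:
    """Assemble a minimal IPv6 packet: fixed 40-byte header followed by the payload."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload does not fit the 16-bit Payload Length field")
    # Version 6, Traffic Class 0, Flow Label 0 -> first 32 bits are 0x60000000.
    header = struct.pack("!IHBB", 0x60000000, len(payload), next_header, hop_limit)
    header += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return header + payload


def parse_header(packet: bytes) -> dict:
    """Decode the fixed IPv6 header of one packet into a dictionary."""
    if len(packet) < IPV6_HEADER_LEN or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    _, payload_len, next_header, hop_limit = struct.unpack_from("!IHBB", packet, 0)
    return {
        "payload_length": payload_len,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(packet[8:24])),
        "dst": str(ipaddress.IPv6Address(packet[24:40])),
    }


def encapsulate(packets) -> bytes:
    """Sender side: packets are simply concatenated into the tunnel byte stream.

    In the real client this stream is written into a TLS session to the
    DirectAccess server's IP-HTTPS URL (constructed assumption about the exact URL).
    """
    return b"".join(packets)


def decapsulate(stream: bytes):
    """Receiver side: recover packet boundaries from each header's Payload Length.

    Returns (packets, remainder). `remainder` holds an incomplete trailing packet
    that must be kept until more bytes arrive on the stream.
    """
    packets = []
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < IPV6_HEADER_LEN:
            break  # not even a full header yet
        version = stream[offset] >> 4
        if version != 6:
            raise ValueError(f"garbage at offset {offset}: IP version {version}")
        payload_len = struct.unpack_from("!H", stream, offset + 4)[0]
        total = IPV6_HEADER_LEN + payload_len
        if len(stream) - offset < total:
            break  # packet still in flight
        packets.append(stream[offset:offset + total])
        offset += total
    return packets, stream[offset:]


if __name__ == "__main__":
    # Constructed sample traffic: two ICMPv6-flavoured packets between two hosts.
    a = build_ipv6_packet("2001:db8::1", "2001:db8::2", NEXT_HEADER_ICMPV6, b"ping?")
    b = build_ipv6_packet("2001:db8::2", "2001:db8::1", NEXT_HEADER_ICMPV6, b"pong!!!")
    wire = encapsulate([a, b])
    got, rest = decapsulate(wire)
    print(len(got), "packets,", len(rest), "bytes left over")
```

A real endpoint would additionally drop packets whose inner source address is not the one assigned to that tunnel client, since the stream is the only thing binding a packet to a peer.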
Want to see this in action? Sure you do! And unlike a lot of the content you see us demo in virtual machines, this demo is the real thing. This is my production Windows 7 laptop. Our MSIT department is hardcore on security so I’ve already logged in using multi factor authentication via a Smartcard.
For More Information
There is a ton of information on the internet about DirectAccess already. I would highly recommend you start studying and learning about IPv6 if you haven’t already. I would also recommend you start learning about the IPv4 to IPv6 transitional technologies that will help you get there. Here are some good references.
Errata and other Stupidity
I am constantly amazed at the stupid stuff I say, but don’t pick up on it until after I’ve published something. For instance, I said “a business people’s lives” instead of “a business person’s life”. Close to the end I say, “this is some technical networking” instead of “this is some complex or advanced networking”. Wow. Major idiot moments there. LOL.
And I need a chair that shocks the crap out of me when I say “got” too much. Sigh… I probably won’t re-record the darn thing because I am time boxed at the moment. Maybe I’ll record it again when the Windows 7 RC is available and do it from a VM so you can see the full login process and experience.
So I'm a bit confused... This is just a VPN-over-HTTP, no?
Don't get me wrong, having it built-in and able to connect seamlessly isn't a bad thing, but the whole "transparent to the user" thing can be accomplished with PPTP too if users smack the "Connect to VPN" button before logging in and/or use any sort of VPN endpoint that shares the user's AD credentials, avoiding the whole "login to the VPN" being a separate step, no?
DirectAccess also integrates with other components like NAP. In other words, there is also a whole set of other stuff taking place around checking the machine against the NPS policies, remediation, etc.
Are you using a quarantine process? Are you already doing a split network design like this?
Keep in mind the traffic is split. All traffic isn't sent across a VPN connection. Only the traffic destined for the corporate network is. The public internet traffic is kept out of the tunnel.
@The Dave, DirectAccess even works when nobody is logged in, allowing IT Administrators to remotely connect and update/maintain a system regardless of where it is in the world. It goes way beyond what is possible with VPN technology.
Frankly it's probably the most awesome piece of sysadmin tech since the invention of AD. Now all I need is to persuade our network guys that it really is time to get IPv6 in place!
Hope to see an implementation and test demo soon. Post the link if you know any.
Right, so more like IPSec over HTTP than PPTP in terms of functionality, offering an always-on connection.
IPSec can be configured to allow certain subnets to be encrypted (and tunneled if necessary if they're private IPs), giving always-on two way communication between laptops and corporate devices, with non-VPN traffic bypassing the corporate VPN and going direct.
Even lowly PPTP lets you uncheck "Use default gateway" on the VPN connection, allowing split routing with the VPN subnet going through the VPN and all other user traffic going locally. The only big difference with PPTP is that the user needs to click one more button on the login screen before logging in to Windows (and/or a shortcut from the startup group can take care of it, if the user forgets). PPTP doesn't have an "always-on" mode before the initial user logs in, but that would be trivial for Microsoft to add.
As far as I can tell the only thing new here is tunneling over HTTP which is good and bad, good in the sense that it will get through hotspots that only allow HTTP and a few other selected protocols, but bad because it traverses corporate networks that have blocked all outbound VPN intentionally, and so will require modifications to whatever filtering solution is being used.
(As a network admin, I get very angry when I catch users bypassing intentional blocks that exist to enforce corporate policy. Not nearly as mad as the employee's wife though, when the guy gets to explain why he's not getting a paycheque anymore)
Don't get me wrong, handy feature? Yes. But at best evolutionary, certainly not revolutionary.
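For the network-admin side of this comment, here is an added example (not code from the post or from any commenter) of how one might spot IPv6-over-HTTPS tunnels in a Web proxy log once they are no longer stopped by an ordinary "block outbound VPN" rule. The log format, the client and destination names, and the thresholds are all constructed for the illustration. The heuristic flags CONNECT sessions that stay open for a long time and carry a meaningful amount of data in both directions, which separates a tunnel from a long video download (lots in, almost nothing out) and from normal browsing (short sessions).

```python
"""Heuristic detection of long-lived, two-way HTTPS CONNECT sessions in a proxy log."""
import re
from collections import defaultdict

# Constructed sample log in a simple key=value format (not any real proxy's format).
SAMPLE_LOG = """\
2009-05-12T08:00:01 client=10.1.2.3 method=CONNECT dest=da.example.com:443 duration_s=3610 bytes_in=12000000 bytes_out=900000
2009-05-12T08:00:05 client=10.1.2.4 method=CONNECT dest=mail.example.org:443 duration_s=40 bytes_in=250000 bytes_out=30000
2009-05-12T09:01:12 client=10.1.2.3 method=CONNECT dest=da.example.com:443 duration_s=3590 bytes_in=9500000 bytes_out=1200000
2009-05-12T09:02:00 client=10.1.2.5 method=GET dest=www.example.net:80 duration_s=1 bytes_in=5000 bytes_out=600
2009-05-12T09:10:00 client=10.1.2.6 method=CONNECT dest=video.example.com:443 duration_s=2400 bytes_in=800000000 bytes_out=50000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+method=(?P<method>\S+)\s+dest=(?P<dest>\S+)"
    r"\s+duration_s=(?P<dur>\d+)\s+bytes_in=(?P<bin>\d+)\s+bytes_out=(?P<bout>\d+)$"
)

# Tuning knobs (assumed values): half an hour per session, and at least 5% of the
# inbound volume flowing outbound, i.e. genuinely bidirectional traffic.
MIN_DURATION_S = 1800
MIN_OUT_IN_RATIO = 0.05


def parse_log(text: str):
    """Turn log lines into dictionaries; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("dur", "bin", "bout"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def is_tunnel_like(rec) -> bool:
    """One session looks like a tunnel if it is a long CONNECT with real two-way traffic."""
    if rec["method"] != "CONNECT" or rec["dur"] < MIN_DURATION_S:
        return False
    if rec["bin"] == 0:
        return rec["bout"] > 0
    return rec["bout"] / rec["bin"] >= MIN_OUT_IN_RATIO


def find_long_bidirectional_tunnels(records):
    """Aggregate tunnel-like sessions per (client, destination) and report them."""
    agg = defaultdict(lambda: {"sessions": 0, "total_duration_s": 0})
    for rec in records:
        if is_tunnel_like(rec):
            entry = agg[(rec["client"], rec["dest"])]
            entry["sessions"] += 1
            entry["total_duration_s"] += rec["dur"]
    return [
        {"client": c, "dest": d, **v}
        for (c, d), v in sorted(agg.items())
    ]


if __name__ == "__main__":
    for hit in find_long_bidirectional_tunnels(parse_log(SAMPLE_LOG)):
        print(f"{hit['client']} -> {hit['dest']}: {hit['sessions']} session(s), "
              f"{hit['total_duration_s']} s total")
```

The point of reporting rather than blocking is the one the comment makes: an organisation that has deployed DirectAccess itself will want its own server's name on an allow list, and anything else that trips this heuristic is a policy conversation, not an automatic firewall rule.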
By the way, this direct access type configuration is possible with Windows XP (but painful) and easier with Vista & Server 2008. However, it still requires a lot of complex configuration (for the average admin).
Windows 7 + Server 2008 R2, though, make it simple to configure.
Really great stuff. I will go through the guide you mentioned in the demo, but these guides often ignore one important thing.
For testing purposes as well as in a small business environment, I want to try this in a one-server scenario where there is only one server in the whole network. Can you have a Windows 7 client and that server (obviously W2K8 R2) working for DirectAccess?
Microsoft guides usually have diagrams of like 5 servers for 5 different functions. Small businesses sometimes don't even make that much money, if they wanted to deploy 5 servers just to achieve DirectAccess, for example. I know DirectAccess doesn't need 5 servers, I'm just taking an example.
Your blog is now in my favorites by the way, brilliant stuff.