Ramblings from another nerd on the grid
Desktop software integration is part art, part science. Desktop administration is hard and rarely leads to inspired users. DirectAccess is going to change all of that. With Windows Server 2008 R2 and Windows 7 you can now create an environment that is secure, always connected to the corporate network and a joy to use. A number of benefits can be realized with DirectAccess including greater user satisfaction with the corporate desktop standard, lower training costs, more efficient network use, and a higher degree of management for the mobile workforce.
Some History of the Challenge
Virtual Private Networks (VPN) have been around for many years now. Users tend to despise VPN because it interrupts their workflow every time they need to grab a document or reach an internal corporate resource. Corporate network managers haven’t exactly been enamored with VPN either. The VPN entry point into the network must be safeguarded, VPN client integration into the desktop is problematic, training users is hard, and all of the network traffic from a connected client, not just the traffic for internal resources, flows through the corporate network.
What if you could make those connections seamlessly work for the users? What if the traffic for the corporate connection is only the network traffic for the internal resource and not all of the typical internet browsing? What if the connection could easily be secured at multiple levels?
DirectAccess to the Rescue
Well, you can do all of that with a new enterprise feature of Windows Server 2008 R2 and Windows 7 called DirectAccess. DirectAccess splits the traffic and only sends traffic to the corporate network that is needed to use an internal resource such as a file share, SharePoint site, or internal line-of-business application. All of the users’ internet traffic remains just that: destined for the internet web sites.
There are many benefits to this approach. The first big one is that this is totally transparent to the user. They don’t need to be trained to use complicated VPN software and procedures. Instead, they just access the data they need as if they were sitting in a corporate office directly connected to the corporate LAN. Internal sites work just like public internet sites as far as the user is concerned.
This was a truly eye-opening experience the first time I sat down and tried it. After thirteen years with the company I felt like my home office was finally part of the corporate network. It was like sitting in Seattle sixteen hundred miles from Texas. Here’s a screencast I did of that experience using the beta of Windows 7 in early 2009:
Now imagine for a moment how much bandwidth is consumed by VPN users. If you were the network manager for the company, wouldn’t you like to keep public internet browsing and the associated traffic off your corporate network? DirectAccess helps you do that. As you can see in the picture above, the internet traffic never hits your network and so never causes bottlenecks at the VPN or proxy servers.
Let’s Talk Security
DirectAccess uses a variety of security technologies and techniques to provide a secure and manageable infrastructure. Internet Protocol version 6 (IPv6) and Internet Protocol Security (IPSec) are core technologies in the foundation.
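The two paragraphs above describe the mechanism in outline: corporate traffic goes over IPsec tunnels carried on IPv6, everything else goes straight to the internet. The following is an added example, not code from the original post or from Microsoft: a read-only PowerShell check for a Windows 7 client that shows each piece of that design in the netsh output. It uses only netsh commands that exist on Windows 7; the text it pattern-matches in that output ("No SAs match") is an assumption noted inline, and `corp.example.com` is a placeholder for your own internal DNS suffix. The split between corporate and internet names is implemented by the Name Resolution Policy Table (NRPT), which the post does not name but which the effective-policy command exposes.

```powershell
# Added example (not from the original post): read-only DirectAccess client
# check for Windows 7. Only netsh commands that exist on Windows 7 are used;
# the strings matched in their output are assumptions and are marked as such.

param(
    [string]$CorpSuffix = "corp.example.com"   # placeholder: your internal DNS suffix
)

function Invoke-Netsh {
    param([string[]]$NetshArgs)
    # Run netsh with the given arguments and return its text for pattern checks.
    $output = & netsh.exe $NetshArgs 2>&1
    return ($output | Out-String)
}

function Get-DAClientState {
    # On Windows 7, 'netsh dns show state' reports the machine location
    # (inside or outside the corporate network) and whether the DirectAccess
    # client settings are configured and enabled.
    return Invoke-Netsh @("dns", "show", "state")
}

function Test-CorpSuffixInNrpt {
    param([string]$Suffix)
    # Split name resolution: the effective NRPT lists the DNS suffixes that are
    # resolved through the DirectAccess tunnel. Names matching no rule resolve
    # via the local (ISP) DNS server, which keeps internet browsing off corpnet.
    $policy = Invoke-Netsh @("namespace", "show", "effectivepolicy")
    return [bool]($policy -match [regex]::Escape($Suffix))
}

function Get-Ipv6TransitionState {
    # DirectAccess carries IPv6 across the IPv4 internet using Teredo, 6to4 or
    # IP-HTTPS; a remote client needs at least one of them active.
    return @{
        Teredo    = Invoke-Netsh @("interface", "teredo", "show", "state")
        SixToFour = Invoke-Netsh @("interface", "6to4", "show", "state")
        IpHttps   = Invoke-Netsh @("interface", "httpstunnel", "show", "interfaces")
    }
}

function Test-IpsecTunnelsUp {
    # The tunnels to the DirectAccess server are IPsec; established main-mode
    # and quick-mode security associations show they are up.
    # Assumption: netsh prints "No SAs match the specified criteria." when none exist.
    $mm = Invoke-Netsh @("advfirewall", "monitor", "show", "mmsa")
    $qm = Invoke-Netsh @("advfirewall", "monitor", "show", "qmsa")
    return @{
        MainMode  = -not ($mm -match "No SAs match")
        QuickMode = -not ($qm -match "No SAs match")
    }
}

Write-Host "== DirectAccess client state =="
Write-Host (Get-DAClientState)

Write-Host "== Split name resolution =="
if (Test-CorpSuffixInNrpt $CorpSuffix) {
    Write-Host "NRPT rule present for $CorpSuffix: corporate names resolve over the tunnel."
} else {
    Write-Host "No NRPT rule for $CorpSuffix: corporate names would resolve via the local DNS server."
}
# Caveat: nslookup talks to a DNS server directly and bypasses the NRPT, so it
# cannot demonstrate split resolution; use ping or the effective policy above.

Write-Host "== IPv6 transition technologies =="
$t = Get-Ipv6TransitionState
Write-Host "-- Teredo --";   Write-Host $t.Teredo
Write-Host "-- 6to4 --";     Write-Host $t.SixToFour
Write-Host "-- IP-HTTPS --"; Write-Host $t.IpHttps

Write-Host "== IPsec security associations =="
$sa = Test-IpsecTunnelsUp
Write-Host ("Main-mode SA established : {0}" -f $sa.MainMode)
Write-Host ("Quick-mode SA established: {0}" -f $sa.QuickMode)
```

Run it from an elevated prompt on a DirectAccess client while it is off the corporate network: the client state should read as outside corpnet with DirectAccess settings applied, the NRPT check should be true for the corporate suffix and false for any public suffix you pass in, one transition technology should show an active interface, and both SA checks should be true once a corporate resource has been touched.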
The management benefits are primarily for the enterprise desktop administrators, although users may benefit in ways they haven’t seen in the past. Because DirectAccess is an “always on” style technology, desktop administrators have a far better chance of reaching and managing remote machines. The greater the connection speed, the more that can be accomplished across the wire.
For instance, DirectAccess nodes on the network can be queried and patched in a more consistent manner than in the past. Instead of waiting for the user to come to a corporate campus or branch location, administrators can reach out and touch the machine on a more routine basis.
Management activities might include simple inventory reporting or something more serious like responding to a zero-day vulnerability with a patch or fix. With DirectAccess, administrators can work with the nodes on the network in off hours and lower the impact on the users. This will make your users happy. The last thing they want is a required update in the middle of their busy day. Now you can schedule updates at a more convenient time.
There are a number of whitepapers and guides available for DirectAccess. For those of you who are more technically inclined, be sure to check out the Step-by-Step guide for the feature. You can build and test this in a virtualized environment.
[NOTE] This blog post was posted to the new team blog at http://blogs.technet.com/windowsserverexperts/. I am cross-posting here because I am looking at a Silverlight 2 issue and I want to see how the container is rendered on my “normal” blog.
Is it possible to add RSS or Atom feeds to the Windows Server Experts blog? It will be easier to follow the updated content.