June 24, 2010
Summary

DirectAccess is an exciting new remote access solution that has been released as a stand-alone feature and as part of Microsoft's Forefront Unified Access Gateway 2010. With DirectAccess you can give remote users an extremely robust experience: access to internal resources such as applications, internal sites and file shares just as if they were physically on the network, without a traditional VPN client or any special configuration by the user. Beyond that simplicity, DirectAccess creates a truly bi-directional connection with the remote client, so company security policies can be enforced continuously regardless of whether the user is logged on.

Technical Overview

DirectAccess is built on two standards-based technologies: IPsec (with either 3DES or AES encryption) and IPv6. Authentication and communication between client and server are handled by two separate tunnels.

First, an IPsec tunnel is established between the client and the DirectAccess server, authenticated with the computer certificate. This tunnel provides access to domain controllers and DNS servers so that the computer can process Group Policy and build a secure channel for user authentication.

Second, another IPsec tunnel is established between the client and the DirectAccess server when the user enters their credentials and initiates a logon. This is the tunnel that actually connects the user to the internal network and carries their traffic back and forth.

With both tunnels established, the user has complete (or limited, depending on how you configure security) access to internal network resources, just as if they were inside the network. In addition to the simplicity of the solution, because it uses IPsec tunnels it will traverse any firewall the client is located behind, including those that traditional VPNs had trouble getting through.
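As an added example (not part of the original post), a client-side PowerShell check that maps onto the two-tunnel design above: it confirms a usable computer certificate for the first tunnel, then lists the active IPsec main-mode security associations and labels each as the computer-only or computer-plus-user tunnel. It assumes Windows 8 / Server 2012 or later (Get-NetIPsecMainModeSA does not exist on the Windows 7 clients of 2010), and the rule "no second identity means infrastructure tunnel" is my assumption drawn from the overview, not a DirectAccess API.

```powershell
# Added example, not from the original post. Assumes Windows 8 / Server 2012+
# for Get-NetIPsecMainModeSA; property names follow that cmdlet's output
# (LocalFirstId, LocalSecondId, RemoteEndpoint, CipherAlgorithm, ...).
# Classifying an SA with no second identity as the computer-only tunnel is
# an assumption based on the two-tunnel model. Run from an elevated prompt.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Get-DaComputerCertificate {
    # Tunnel 1 is authenticated with the computer certificate, so a valid
    # cert with a private key and the Client Authentication EKU must exist.
    $now = Get-Date
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid })
    }
}

function Get-DaTunnelState {
    # Tunnel 1 (infrastructure) carries only the computer identity;
    # tunnel 2 (intranet) adds the user identity as a second authentication.
    Get-NetIPsecMainModeSA -ErrorAction Stop | ForEach-Object {
        $kind = if ([string]::IsNullOrEmpty($_.LocalSecondId)) { 'infrastructure (computer only)' }
                else { 'intranet (computer + user)' }
        [pscustomobject]@{
            Tunnel   = $kind
            Peer     = $_.RemoteEndpoint
            Cipher   = $_.CipherAlgorithm
            Hash     = $_.HashAlgorithm
            FirstId  = $_.LocalFirstId
            SecondId = $_.LocalSecondId
        }
    }
}

$certs = @(Get-DaComputerCertificate)
if ($certs.Count -eq 0) {
    Write-Warning 'No valid machine certificate with Client Authentication EKU: tunnel 1 cannot be built.'
} else {
    $certs | Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize
}

$sas = @(Get-DaTunnelState)
if ($sas.Count -eq 0) {
    Write-Warning 'No IPsec main-mode SAs: neither tunnel is currently established.'
} else {
    $sas | Format-Table -AutoSize
    # Of the two ciphers the overview mentions, 3DES is the weaker choice; flag it.
    $sas | Where-Object { "$($_.Cipher)" -match '3DES|DES3' } |
        ForEach-Object { Write-Warning "Tunnel to $($_.Peer) negotiated $($_.Cipher); prefer AES." }
}
```

A client with only the first kind of SA has completed computer authentication but no user logon, which is exactly the pre-logon state the overview says policy enforcement still covers.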