I’ve a couple of posts now about Windows 7 DirectAccess (here and here), and particularly about it’s use of IPv6. It’s all been fairly technical, but despite the title of one of those posts I’ve only briefly touched on what DirectAccess is and why you might want to use it in your organisation. So here goes…
There are a few trends to consider when you think about DirectAccess (DA) as it’s been built to answer some of the challenges that they pose. The first is Mobile Working.
In my experience over the past few years the amount of mobile workers, or at least those that are equipped with laptop computers to allow them to work remotely, has been steadily increasing. With home broadband now available to most people, wireless networks common in peoples homes as well as in hotels and airports, peoples ability to work out of the office has never been greater. And with them goes your corporate data, whether that be on their laptop, or a USB key or in an email to their GMail account – applying security closer to your data will become more important as time goes on.
Another trend to think about is cloud computing. ‘Cloud’ is the new buzzword these days but it covers a wide range of topics. The chances are most big companies are already using cloud services of some sort, whether that’s full on Google Enterprise or a Message Labs email filtering service. Either way, that sort of managed or outsourced service will be a big factor over the next few years, and they introduce a few new things to consider. First, relying on systems and services that you don’t have on your network, or managed by your guys, means that again security needs to be moved closer to those systems and the data they contain. Secondly, if the services your end users access are out on the Internet somewhere perhaps the best way of accessing them remotely might not be via your corporate network. Mobile clients may need to access both your network and the wider internet at the same time.
These trends combine with a third which is around the changing nature of the security perimeter around corporate information. On the DA class I went on at Microsoft they referred to this as ‘re-perimeterisation’ which I think is a much better term than ‘de-perimeterisation’ which is favoured by the Jericho forum. Whilst this is a big subject in its own right, the gist is that the traditional model of securing your information by firewalling off you network and relying on that perimeter to protect your systems hasn’t been sufficient for a couple of years now. We need to start moving security in towards the host and the data.
So how does DirectAccess help with all this?
Well DirectAccess provides your organisations remote computers with transparent access to both the Internet and your corporate network. If a DA enabled laptop connects to the Internet, a connection to the corporate network is automatically established at the same time. This connection is authenicated against both the computer and the user, and secured using IPSec between the client and corporate resources it accesses (not just between the client and the gateway).
The computer can be authenticated either using a machine certificate issued to validated it’s from your domain, or by a health certificate from a Network Access Protection system to validate that the computer is ‘healthy’ (patched, AV’ed) enough to enter your network.
As DirectAccess launches the corporate network connection automatically the end user experience is… well… invisible. They just logon as usual and they’re connected (assuming that they have internet access of course). What’s more, the connection to the corporate network does not compromise their general internet connectivity – or visa versa. You can specify the namespace of your internal network (for example intranet.mycompany.com) and any applications that attempt to access resources within that namespace are directed to internal DNS servers to ensure that the right resources are accessed.
Because DA connectivity is ‘always on’ computers connected in that way are much easier to manage and support. With traditional VPN access solutions the remote laptops are only really manageable if and when the VPN is connected, meaning maintenance and patching tasks can be hard to achieve. DA clients are visible to to any internal systems of support teams. Patches can be applied, applications delivered and remote control tools used.
As DA can establish a corporate connection before the user has even logged on you also get the benefit of being able to apply changes to group policy and update the mobile users security token etc. just as if the user was in the office.
So in short, DirectAccess has the potential to greatly improve both the end users remote working experience, and the IT groups ability to support those remote users. It’s good stuff (but you might want to read about some of the pre-requisites!).