DirectAccess - A New Replacement for VPN?

Derrik Nyomo
08/2011

It will not completely replace VPN but it will come close.

As employees become more mobile, companies are looking for ways to provide them with more secure, stable, and cost-effective access. DirectAccess is a new feature in Windows Server 2008 R2 that lets you access local network resources over a secure, IPsec-encrypted tunnel from anywhere in the world without the need for a VPN connection.

As soon as you turn on your computer, DirectAccess automatically connects you to your local network resources, even before you enter your domain credentials. This allows IT administrators to control, manage, and secure the laptops of employees who are always traveling. It also provides the same level of protection for employees who work from home. One drawback is that DirectAccess requires Windows 7 Enterprise or Ultimate on the client, and on the server side Windows Server 2008 R2 is the only supported operating system.

While the VPN has enabled employees to become more mobile, it is not without its problems. Who hasn't experienced the following with their VPN: it is slow to connect, it drops the connection often, and it has trouble telling your home network from the company's network when both use the same IP scheme? I believe DirectAccess addresses some of these issues by connecting to the company's network automatically, with no user interaction, and if the connection breaks, DirectAccess reconnects as soon as an Internet connection is available. The best part is that if you have the same IP scheme as your company, the DirectAccess server can determine whether the resource you are trying to access is local to your network or the company's network.

DirectAccess requires at least one DirectAccess server running Windows Server 2008 R2. The server must have two network adapters. One of the network adapters is connected directly to the Internet and has a minimum of two consecutive public IPv4 addresses assigned to it. The other network adapter is connected to the intranet. The DirectAccess server must be a member of an Active Directory Domain Services (AD DS) domain with one of the domain controllers and DNS servers running Windows Server 2008 R2. The DirectAccess client computer must be running Windows 7 Enterprise or Ultimate. Lastly, you need a public key infrastructure (PKI) to issue computer certificates, smart card certificates, and health certificates for Network Access Protection.
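The adapter and addressing requirements above can be checked on paper before any server is built. The following is an added planning example, not code from the article or from Microsoft; the function names, the adapter dictionary layout and the sample addresses are constructed for illustration. The optional `string_sorted` check is an assumption not stated in the article: it models setup tooling that compares addresses as sorted text, under which x.9 and x.10 are not adjacent.

```python
import ipaddress

# Ranges treated as non-public here: RFC 1918, loopback, link-local, CGNAT.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]

def is_public(addr):
    return not any(addr in net for net in NON_PUBLIC)

def consecutive_public_pairs(addresses, string_sorted=True):
    """Return (a, b) pairs of public IPv4 addresses where b == a + 1."""
    public = sorted({ipaddress.IPv4Address(a) for a in addresses
                     if is_public(ipaddress.IPv4Address(a))})
    as_text = sorted(str(a) for a in public)
    pairs = []
    for a, b in zip(public, public[1:]):
        if int(b) - int(a) != 1:
            continue
        # Assumption: tooling that sorts addresses as strings must also
        # see the two addresses next to each other.
        if string_sorted and as_text.index(str(b)) - as_text.index(str(a)) != 1:
            continue
        pairs.append((str(a), str(b)))
    return pairs

def check_server(adapters):
    """adapters: {name: [IPv4 strings]}. Returns findings; empty means OK."""
    findings = []
    if len(adapters) < 2:
        findings.append("need two network adapters (Internet and intranet)")
    if not any(consecutive_public_pairs(ips) for ips in adapters.values()):
        findings.append("no adapter has two consecutive public IPv4 addresses")
    intranet = [n for n, ips in adapters.items() if ips and
                not any(is_public(ipaddress.IPv4Address(i)) for i in ips)]
    if not intranet:
        findings.append("no adapter is intranet-only (private addresses)")
    return findings

# Constructed samples. 203.0.113.0/24 is a documentation range (RFC 5737)
# standing in for a real public allocation.
GOOD = {"Internet": ["203.0.113.20", "203.0.113.21"], "Corpnet": ["10.0.0.5"]}
BAD = {"Internet": ["203.0.113.9", "203.0.113.10"], "Corpnet": ["10.0.0.5"]}

if __name__ == "__main__":
    for name, plan in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_server(plan) or "meets the adapter requirements")
```
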

The reason I say DirectAccess comes close to replacing VPN is that there are still some instances where VPN will be needed instead of DirectAccess. For example, if you have subcontractors working for you who use their own laptops, they probably will not like you applying your corporate Group Policies to their computers. Likewise, if an unmanaged computer has to connect to your network for any reason, DirectAccess will not work.

Overall, DirectAccess is a huge step in the right direction toward completely removing VPN access from your network. Unfortunately, the technology is still missing a few small details before that can happen. DirectAccess will continue to be supported and improved in conjunction with the development of Windows 8 and Windows Server 2012. The demand for companies to support mobile employees grows larger each year, and DirectAccess will play a major role in managing and supporting those employees.
