Windows 7 Direct Access Review – VPN for the 21st Century?

It’s billed as a seamless connection to the corporate network from anywhere – but those not running Windows 7 Enterprise and Windows Server 2008 should stick with traditional VPNs

Microsoft advertises Windows 7’s DirectAccess as the great extender, a next-generation access technology designed to connect remote clients in the age of the vanishing network perimeter.

DirectAccess is designed to replace the trusty VPN with a secure, always-on connection that requires little or no user interaction. Indeed, DirectAccess represents one of the first tangible products born of Microsoft’s “better together” development strategy, which takes advantage of the simultaneous release of the new Windows 7 client OS and the new Windows 2008 Server R2 server OS to add more features and deliver more value to customers who adopt both at the same time.

Microsoft’s New Efficiency cost-savings campaign (which was unveiled in September at an event in San Francisco) touts DirectAccess as one of the pillars of the “better-together” promise. While virtualisation delivered with 2008 Server R2 via Hyper-V aims to deliver cost savings and operational efficiencies in the data centre, DirectAccess’ pervasive connectivity purports to deliver efficiencies to the workstation, through easier access to data and applications for remote end users and easier ongoing management and troubleshooting for IT departments.

Early Windows 7 Adopters

In eWEEK Labs’ tests on a brand-new domain running the latest and greatest version of Windows on both the server (Windows 2008 Enterprise Server R2) and the client (Windows 7 Enterprise/Ultimate), DirectAccess worked like a dream, providing instant-on, two-way connectivity. But questions about scalability, performance and management abound, and most of the answers rest upon another Microsoft gateway technology that is still in beta, called Forefront Unified Access Gateway (UAG). Although based upon numerous industry standards, DirectAccess also needs a thorough vetting from the security industry before customers can be confident of the privacy afforded by the solution.

Everyone Else

For many, though, DirectAccess may be viewed as an unattainable pipe dream for at least the near to mid-range future: those whose network infrastructure servers haven’t yet progressed beyond Windows Server 2003; those who must slowly stage their endpoint migration to Windows 7 due to limited budget or IT resources and must therefore keep current access technologies active; those yet unfamiliar with the ins and outs of IPv6 networking; and those unwilling or unable to replace certain security implementations with Microsoft’s solutions to provide scale or backward compatibility.

Indeed, DirectAccess’ reach is limited: Workstations must be running Windows 7 Enterprise or Ultimate, while application servers must be running either Windows Server 2008 R2 or Windows Server 2008 SP2 (unless those additional gateway elements are added to the network).

Authentication

DirectAccess uses IPsec and IPv6 to provide the always-on connectivity. When connected to a network, the Windows 7 client performs a quick check to determine whether it is connected to a protected network or elsewhere.

If the client determines it is connected remotely, the next time a DNS name query occurs, the client will check its NRPT (Name Resolution Policy Table), a new feature of Windows 7 that helps map a protected network’s namespace to an internal DNS server, to determine whether the lookup request needs to be sent to the protected network’s internal DNS server. Non-matching requests are sent to the DNS servers configured on the network adapter, keeping Internet-related traffic off the DirectAccess infrastructure.
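To make the NRPT split-routing decision concrete, here is an added illustration (not code from eWEEK, Microsoft or Windows itself) of how a policy table steers a query either to the internal DNS server or to the adapter’s DNS. It assumes rules keyed on a name suffix or an exact name, that a rule with no server listed is an exemption resolved via the adapter’s DNS (the assumed way to keep the network-location probe host off the internal resolver), and that the table is bypassed entirely while on the protected network; all rules and names are constructed samples.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class NrptRule:
    """One NRPT entry: a leading '.' marks a suffix rule, otherwise an exact name."""
    namespace: str
    dns_servers: tuple = field(default_factory=tuple)  # empty tuple = exempt from NRPT

def _norm(name: str) -> str:
    # DNS names compare case-insensitively; drop a trailing root dot.
    return name.strip().rstrip(".").lower()

def match_rule(rules, qname):
    """Return the most specific (longest namespace) rule matching qname, or None."""
    q = _norm(qname)
    best = None
    for rule in rules:
        ns = _norm(rule.namespace)
        is_suffix = rule.namespace.startswith(".")
        hit = (q == ns) or (is_suffix and q.endswith(ns))
        if hit and (best is None or len(ns) > len(_norm(best.namespace))):
            best = rule
    return best

def resolve_target(rules, qname, adapter_dns, on_protected_network):
    """Decide which DNS servers answer qname, mirroring the client's NRPT check.

    On the protected network the table is not consulted and the adapter's DNS is used.
    Remotely, a matching rule with servers sends the query to the internal DNS; an
    exempt rule or no match keeps the query on the adapter's DNS, off DirectAccess.
    """
    if on_protected_network:
        return ("adapter", adapter_dns)
    rule = match_rule(rules, qname)
    if rule is None or not rule.dns_servers:
        return ("adapter", adapter_dns)
    return ("internal", rule.dns_servers)

# Constructed sample table: internal DNS reachable over IPv6 (documentation prefix),
# plus an exemption so the assumed network-location probe host resolves normally.
RULES = (
    NrptRule(".corp.example", ("2001:db8::53",)),
    NrptRule("nls.corp.example"),
)
ADAPTER_DNS = ("192.0.2.53",)

if __name__ == "__main__":
    for name in ("fileserver.corp.example", "nls.corp.example", "www.example.net"):
        print(name, "->", resolve_target(RULES, name, ADAPTER_DNS, False))
```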