Microsoft DirectAccess is a Windows feature that provides connectivity to an organization's network resources without a traditional Virtual Private Network (VPN) connection. With DirectAccess, client computers are always connected to the organization's network; remote users do not need to start and stop connections as they do with a traditional VPN. From the user's perspective, DirectAccess is a fully automatic VPN connection that simplifies access to corporate LAN services from wherever the user happens to be.
DirectAccess is part of the Remote Access server role and comprises the following key components:
DirectAccess Server – This is the server that clients establish a tunnel with in order to access the corporate network. Client and server settings are configured via Group Policy to enable the IPsec tunnels to be established.
Network Location Server – The network location server is used to detect whether computers configured as DirectAccess clients are located in the corporate network. When clients are on the corporate network, DirectAccess is not used to reach internal resources. Instead, clients connect to these resources directly. If the client cannot reach the network location server, the client is considered to be outside the corporate network and a connection is established via the DirectAccess server.
Figure: example deployment using an HA pair to load balance the DirectAccess servers and the Network Location Servers.
| Client Transition Protocol | Comments |
|---|---|
| 6to4 | Uses IP protocol 41 to encapsulate IPv6 packets in IPv4 packets; does NOT work when either the client or the server is behind a NAT device; both client and server must be assigned public IPv4 addresses |
| Teredo | Uses UDP on port 3544 to encapsulate IPv6 packets in IPv4 packets; supports a client behind a NAT device, but not a server behind NAT; the server must be configured with 2 consecutive public IPv4 addresses |
| IP-HTTPS | Uses a standard port and protocol; earlier clients and servers caused double encryption (IPsec plus SSL/TLS); Windows 8 and later use null encryption inside the HTTPS tunnel to avoid the double encryption |
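The table's per-protocol constraints can be turned into a simple flow-log check that a firewall or SOC analyst can run: classify each flow as 6to4, Teredo or IP-HTTPS and flag the combinations the table says cannot work (6to4 with either end behind NAT, Teredo with the server behind NAT, a Teredo server pair that is not consecutive). This is an added example and not code from the original page or from Microsoft; it assumes IP-HTTPS rides on TCP/443 (HTTPS), treats RFC 1918 and CGNAT source addresses as "behind NAT" (a heuristic), and uses constructed flow records and an assumed DirectAccess server address set.

```python
import ipaddress

# Constructed sample flows: (src_ip, dst_ip, ip_protocol, dst_port).
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges standing in for public addresses.
SAMPLE_FLOWS = [
    ("203.0.113.10", "198.51.100.5", 41, None),   # 6to4, both ends public
    ("192.168.1.20", "198.51.100.5", 41, None),   # 6to4 from a NATed client: cannot work
    ("192.168.1.20", "198.51.100.6", 17, 3544),   # Teredo from behind NAT: supported
    ("203.0.113.10", "10.0.0.6", 17, 3544),       # Teredo to a private server address: cannot work
    ("192.168.1.20", "198.51.100.5", 6, 443),     # IP-HTTPS to the DirectAccess server
    ("192.168.1.20", "203.0.113.80", 6, 443),     # ordinary HTTPS to some other host
]
DA_SERVERS = {"198.51.100.5", "198.51.100.6"}     # assumed DirectAccess server addresses

# Heuristic: a host using an RFC 1918 or CGNAT address is taken to be behind NAT.
NAT_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def behind_nat(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NAT_RANGES)

def classify_transition(dst, proto, dst_port):
    """Map one flow to a transition protocol from the table, or None."""
    if proto == 41:                      # IPv6-in-IPv4: no transport port
        return "6to4"
    if proto == 17 and dst_port == 3544:
        return "Teredo"
    # IP-HTTPS is indistinguishable from ordinary HTTPS at the flow level,
    # so only TCP/443 flows to known DirectAccess servers are labelled.
    if proto == 6 and dst_port == 443 and dst in DA_SERVERS:
        return "IP-HTTPS"
    return None

def analyze_flow(src, dst, proto, dst_port):
    """Return (protocol, [constraint violations]) or None if not DirectAccess traffic."""
    name = classify_transition(dst, proto, dst_port)
    if name is None:
        return None
    problems = []
    if name == "6to4" and behind_nat(src):
        problems.append("6to4 client behind NAT")
    if name in ("6to4", "Teredo") and behind_nat(dst):
        problems.append(f"{name} server behind NAT")
    return name, problems

def teredo_server_pair_ok(first: str, second: str) -> bool:
    """Teredo requires two consecutive public IPv4 addresses on the server."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(second)
    return not behind_nat(first) and not behind_nat(second) and int(b) == int(a) + 1

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", analyze_flow(*flow))
```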