
Microsoft Direct Access experience?

dclee
Level 1

Anyone have any feedback on using MS Direct Access for Win 7 laptops and 2008 servers?

My support team is about to start a Win 7 upgrade for all desktops and are asking to use MS DA to replace our existing Cisco VPN solution. We are an IPv4 network outside and inside currently and are at least 2 - 3 years away from that changing. Looking for feedback as I have gone over the design and it's fairly complex given the IPv6 - IPv4 translations that need to happen.

The design also calls for a Win 2008 server with 2 interfaces to traverse our corporate firewall. One connection on the outside and one on the inside. This design just doesn't seem secure to me.

Any feedback would be appreciated

Cheers

Dave


I was looking into this recently as I was on a customer site and they were attempting to implement it without any thought whatsoever.  I would say you don't need to traverse the corporate firewall but you do need two consecutive public IPv4 addresses on the DirectAccess Server (or IPv6 addresses if you have this).  You obviously can't NAT these addresses so they physically need to be configured on External NICs on the server.  These can still be behind a firewall though, just not NAT'd.

From a security perspective it depends on how secure you think Windows 2008R2 & your AD are. In effect it's as secure as using Windows RRAS as your VPN terminating device but without the massive headache (sarcastic) of initiating a VPN connection. Once it is set up it should be seamless for the Windows 7 clients.

http://www.trainsignal.com/blog/server-2008-directaccess

http://social.technet.microsoft.com/wiki/contents/articles/directaccess-and-firewalls-and-nat.aspx

Andy
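A pre-deployment check for the addressing requirement described in the reply above (two consecutive public IPv4 addresses on the external NIC, not NAT'd), as an added example that is not part of the original thread. The function name and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress


def check_external_pair(first, second):
    """Return a list of problems with a planned external address pair.

    An empty list means both addresses are publicly routable IPv4
    addresses and they are consecutive (in either order).
    """
    problems = []
    addrs = []
    for text in (first, second):
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            problems.append(f"{text}: not a valid IP address")
            continue
        if addr.version != 4:
            problems.append(f"{text}: not IPv4 (only the IPv4 case is checked)")
            continue
        if not addr.is_global:
            # is_global is False for RFC 1918 space, CGNAT 100.64.0.0/10,
            # loopback, link-local and documentation ranges, all of which
            # would need NAT to be reachable from the Internet.
            problems.append(f"{text}: not publicly routable, would need NAT")
        addrs.append(addr)
    if len(addrs) == 2 and abs(int(addrs[1]) - int(addrs[0])) != 1:
        problems.append(f"{first} and {second}: not consecutive")
    return problems


if __name__ == "__main__":
    # Constructed sample address plans, not taken from the thread.
    plans = [
        ("131.107.0.2", "131.107.0.3"),   # public and consecutive
        ("10.0.0.2", "10.0.0.3"),         # RFC 1918, sits behind NAT
        ("131.107.0.2", "131.107.0.4"),   # public but with a gap
    ]
    for pair in plans:
        issues = check_external_pair(*pair)
        print(pair, "OK" if not issues else issues)
```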
