Remote-access Guide

direct access vs remote access

by Prof. Elissa Rodriguez Published 2 years ago Updated 2 years ago
image

Fundamentally they both provide seamless and transparent, always on remote access. However, Always On VPN has a number of advantages over DirectAccess in terms of security, authentication and management, performance, and supportability. DirectAccess provides full network connectivity when a client is connected remotely.

Full Answer

What is the difference between roaming remote access VPN and DirectAccess?

However, there are some significant differences between the roaming remote access VPN client and the DirectAccess client: The DirectAccess client is always managed.

Why add DirectAccess to an existing remote access (VPN) deployment?

Add DirectAccess to an Existing Remote Access (VPN) Deployment DirectAccess allows connectivity for remote users to organization network resources without the need for traditional Virtual Private Network (VPN) connections.

What are the benefits of DirectAccess connections?

With DirectAccess connections, remote client computers are always connected to your organization - there is no need for remote users to start and stop connections, as is required with VPN connections. In addition, your IT administrators can manage DirectAccess client computers whenever they are running and Internet connected.

What are the risks of DirectAccess?

The DirectAccess client, in its lifetime, will be connected to both trusted and untrusted networks, just like the roaming remote access VPN client, and the risk of physical compromise of the computer is also similar to that seen with the roaming remote access VPN client.

image

What is the difference between DirectAccess and VPN?

DirectAccess can be used to provide secure remote access and enhanced management for Windows laptops managed by IT, while VPN can be deployed for non-managed devices.

What is a direct remote access?

DirectAccess, also known as Unified Remote Access, is a VPN-like technology that provides intranet connectivity to client computers when they are connected to the Internet.

What is DirectAccess for?

In computer storage, direct access is the process of reading and writing data on a storage device by going directly to where the data is physically located on the device rather than having to move sequentially from one physical location to the next to find the correct data.

Is DirectAccess still used?

Some time ago, Microsoft has announced that DirectAccess will no longer be further developed and therefore 'Always On VPN' should be used. However, DirectAccess has not yet been officially terminated and is still present in the latest version of the server operating system.

What is replacing DirectAccess?

Windows 10 Always On VPN is the replacement for Microsoft's DirectAccess remote access technology. Always On VPN aims to address several shortcomings of DirectAccess, including support for Windows 10 Professional and non-domain joined devices, as well as cloud integration with Intune and Azure Active Directory.

What services does DirectAccess use?

DirectAccess uses IPsec to secure the communications between the DirectAccess client and server. IPsec tunnel mode is used to establish both the infrastructure and intranet tunnels.

Is DirectAccess deprecated?

While DirectAccess has not been formally deprecated, Microsoft is actively encouraging organizations considering DirectAccess to deploy Always On VPN instead, as indicated here.

Is DirectAccess encrypted?

DirectAccess provides a fully encrypted and authenticated mode of connection. It gives employees an authenticated IPSec encryption for integrity and confidentiality.

How do I use DirectAccess?

To configure DirectAccess using the Getting Started Wizard In Server Manager click Tools, and then click Remote Access Management. In the Remote Access Management console, select the role service to configure in the left navigation pane, and then click Run the Getting Started Wizard. Click Deploy DirectAccess only.

Is DirectAccess always on VPN?

New features introduced in the Windows 10 Anniversary Update allow IT administrators to configure automatic VPN connection profiles. This Always On VPN connection provides a DirectAccess-like experience using traditional remote access VPN protocols such as IKEv2, SSTP, and L2TP/IPsec.

Is always on VPN better than DirectAccess?

Windows 10 Always On VPN is the way of the future. It provides better overall security than DirectAccess, it performs better, and it is easier to manage and support. Here's a quick summary of some important aspects of VPN, DirectAccess, and Windows 10 Always On VPN.

How do I set up DirectAccess?

To configure DirectAccess using the Getting Started Wizard In Server Manager click Tools, and then click Remote Access Management. In the Remote Access Management console, select the role service to configure in the left navigation pane, and then click Run the Getting Started Wizard. Click Deploy DirectAccess only.

What direct accesses allow to a user of computer?

DirectAccess is a feature introduced in Windows Server 2008 R2 and Windows 7 that uses automated IPv6 and IPSec tunnels to allow remote users to access private network resources whenever they are connected to the Internet.

What is the most basic requirement for a DirectAccess implementation?

What is the most basic requirement for a DirectAccess implementation? The DirectAccess server must be part of an Active Directory domain.

How does always on VPN Work?

Always On VPN provides a single, cohesive solution for remote access and supports domain-joined, nondomain-joined (workgroup), or Azure AD–joined devices, even personally owned devices. With Always On VPN, the connection type does not have to be exclusively user or device but can be a combination of both.

What is DirectAccess?

DirectAccess is an impractical solution for environments with unreliable connections.

Why is DirectAccess paired with Active Directory?

DirectAccess is often paired with Active Directory servers to function at its full capacity, which can mean troubleshooting and configuration required tinkering between services to fix one simple problem . As more complicated issues arise, cases are often bounced around between Microsoft’s network support team, to then the active Directory Team, and then back to PKI team due to the lack of continuity in their support model.

Does DirectAccess work?

Of course, DirectAccess will keep remote workers secure in perfect network connections without too much performance sacrifice. The sudden requirement for mass remote working means that scaling on the foundations of unreliable home networks presents a real challenge. Expect decreases in performance as latency increases and packet loss is encountered, which is common in networks outside of those which are corporate-managed.

Is DirectAccess the wisest choice?

If instead you rely on a wider range of Windows operating systems – or especially if your fleet includes Android, iOS or MacOS devices – then DirectAccess is unlikely to be the wisest choice. When to choose DirectAccess.

Is DirectAccess a good remote access solution?

But sometimes ‘low-cost’ doesn’t make it the best choice. It’s important to ask if it fits the needs of your organization’s remote working environment. The new reality.

Is Netmotion a VPN?

NetMotion has become the premier choice in the VPN market, with hundreds of its customers making the switch from other solutions as remote and mobile working become increasingly important. It today supports over 3000 organizations and one million workers that cannot afford to compromise when it comes to user experience, including 7 of the top 10 largest airlines and powers three quarters of first responders in North America. Organizations wishing to test the products in a head-to-head capacity can do so for free by getting in touch with one of our experts.

Does DirectAccess have a centralized tool?

DirectAccess lacks a centralized tool for in house diagnostics and troubleshooting. Organizations should never settle for sub-par client support and expect responsive customer service when problems arise. Innovative solutions should be backed by 24/7 x 365 customer support.

Why is DirectAccess better than VPN?

When you compare the DirectAccess client to the remote access VPN client, the DirectAccess client can present a much lower threat profile than the VPN client, because the DirectAccess client is always within the command and control of corporate IT. This is in stark contrast to the roaming remote access VPN clients that may or may not connect to the corporate network for long periods of time, which leads to configuration entropy that can significantly increase the risk of system compromise. In addition, the mitigations mentioned above that apply to the remote access VPN client can also be used with the DirectAccess client.

How many tunnels does DirectAccess use?

The DirectAccess client uses two separate tunnels to connect. The DirectAccess client has access only to the management and configuration infrastructure through the first tunnel. General network access isn't available until the user logs on and creates the infrastructure tunnel.

What is the difference between a roaming VPN and a bolted in VPN?

The key difference between the roaming VPN client and the "bolted-in" corpnet client is that the VPN client is not always managed, and that it is exposed to a greater number of programmatic and physical threats. However, there are ways to mitigate some of these threats and many companies have already introduced methods to do so, such as the following:

Why is roaming VPN bad?

The roaming VPN client falls further and further out of your defined security compliance configuration and the problem becomes magnified because the machine is connected to a number of networks of low and unknown trust. These unmanaged or poorly managed networks might be full of network worms and the computer might be exposed to users who have physical or logical access to the computer and who would otherwise not have access to the computer if it were to never leave the corpnet.

Is DirectAccess always managed?

The DirectAccess client is always managed. As long as the DirectAccess client computer is turned on and connected to the Internet, the DirectAccess client will have connectivity with management servers that keep the DirectAccess client within security configuration compliance.

Is DirectAccess a VPN?

Here is where we reach the point of making a critical distinction: when comparing the roaming remote access VPN client to the DirectAccess client, all the evidence points to the fact that the DirectAccess client poses a lower threat profile. Comparisons between the DirectAccess client and the "bolted-in" corpnet client are probably of academic interest only - since few organizations have these "bolted-in" clients anymore and most firms are enabling users with VPN access to reach corpnet resources,and both VPN clients and DirectAccess clients will move in and out of the corporate network, making the division between the "corpnet client" and the "remote client" virtually meaningless from a security perspective.

Can you use Manage Out on Direct Access?

This means that you can use your Direct Access server as a jump of point and RDP to a client from that server as long as they are connected.

Does RDP work on network?

If I understand the question you are referring to Manage-Out capabilities with Direct access and that inbound RDP from a client to a service in your network works fine.

Can you use a direct access server as a jump point?

This means that you can use your Direct Access server as a jump of point and RDP to a client from that server as long as they are connected.". If the internal clients never go outside the network there is no point in having the DA policy applied to them. Also if they are not Win Ent there is no point.

Does DirectAccess support domain?

DirectAccess provides support only for domain-joined clients that include operating system support for DirectAccess.

Can you use remote access in Azure?

Using Remote Access in Microsoft Azure is not supported. You cannot use Remote Access in an Azure VM to deploy VPN, DirectAccess, or any other Remote Access feature in Windows Server 2016 or earlier versions of Windows Server. For more information, see Microsoft server software support for Microsoft Azure virtual machines.

What is Microsoft Direct Access?

It is a product built over an old security concept of Virtual Private Network (VPN), but with completely different technology. So let’s dig deeper into this.

What is DirectAccess?

DirectAccess, also known as Unified Remote Access, is a VPN-like technology that provides intranet connectivity to client computers when they are connected to the Internet. Unlike many traditional VPN connections, which must be initiated and terminated by explicit user action, DirectAccess connections are designed to connect automatically as soon as the computer connects to the Internet.

How many IPv4 addresses does DirectAccess require?

IP-HTTPS – As with 2008, it requires 2 IPv4 addresses. Now with 2012, DirectAccess eliminates the requirement for 2 sequential IPv4 addresses.

Why is DirectAccess important?

Ease of use and transparency for users: Since all the actions between the DirectAccess client and server are done behind the scenes, DirectAccess poses a lot of ease for users to access protected intranet resources with full protection.

What are the issues with DirectAccess certificates?

A common issue is the usage of an incorrect certificate template to issue these certificates. The computer certificate template on a Microsoft Certificate Authority (CA) should be used as a template for DirectAccess certificates. DirectAccess requires an SSL certificate to be installed for IP-HTTPS communication. IP-HTTPS is an IPv6 transition protocol used to transport IPv6 packets over the public IPv4 Internet. DirectAccess traffic is encapsulated in HTTP and authenticated/encrypted using SSL/TLS. Common issues here are incorrect subject name and missing Certificate Revocation List (CRL). Issuing this certificate can be done using internal PKI as long as the CRL is publicly available. For best scenarios, a public CA should be used to issue. Finally, an SSL certificate is required to be installed on the Network Location Server (NLS). The NLS is used by DirectAccess clients to determine their network location, either internal or external. The NLS must have an SSL certificate installed and the subject name must match. This certificate can be issued by internal PKI.

What is the best network configuration for DirectAccess?

Network Interface Configuration – Dual homed is the most recommended network configuration for DirectAccess. Configuring a Windows server with two network interfaces is complicated. With two network interfaces, there can only be one default gateway, and it should be assigned to the external interface. In addition, DNS servers should not be configured on the external interface. The internal interface will have an IP address and subnet mask, but no default gateway. This interface should be configured to use your internal DNS servers. Static routes should be configured for any remote internal subnets.

When did DirectAccess come out?

DirectAccess first comes with a 2008 flavor, and in 2008 DirectAccess had some limitations in deployment scenarios. Requirements for deployment are:

image
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 1 2 3 4 5 6 7 8 9