Always On VPN is currently a hot topic and at the same time DirectAccess seems to be losing popularity. Some time ago, Microsoft has announced that DirectAccess will no longer be further developed and therefore 'Always On VPN' should be used. However, DirectAccess has not yet been officially terminated and is still present in the latest version of the server operating system. The question arises: what options for a remote access solution are available today?
DirectAccess allows computers which are part of the domain to establish an external connection to the company network without the user having to explicitly initiate this. The technology was introduced in Windows Server 2008 R2 and was rather complicated to implement due to the dependencies on IPv6. Starting with Windows Server 2012, the connection was optimized and established via an HTTPS tunnel, which made configuration a breeze. Clients with Windows 8 and newer versions can use a Kerberos proxy on the DirectAccess server for authentication instead of certificates. This also eliminates the need for a more complex PKI configuration.
DirectAccess is still supported and offers a very simple setup of server and clients via wizard and group policies. The connection via an IPv6-based IPSec tunnel and HTTPS - that is, a tunnel in tunnel - can be used not only for client access to the LAN, but also vice versa, from management servers to the clients. DirectAccess requires Windows clients with Enterprise Editions of the operating systems; IPv6 and Windows Firewall must be enabled. The only disadvantages of this approach are the lack of compatibility with applications that transmit IPv4 connection information to the client as well as the dependency on domain membership. This is why an additional solution must be implemented for VPN connections from outside, for example from external consultants. Moreover, there are security managers who are bothered by the fact that the DirectAccess Server must also be a domain member and therefore either located in the internal network or, if positioned in the DMZ, a corresponding number of ports must be opened to the internal network.
Configuring Always On VPN
Always ON VPN is offered by Microsoft as successor to DirectAccess. It is not a single feature or product, but a collection of different options that can be used in combination or separately. In principle, Always On VPN is a client-side configuration that allows an automated connection setup similar to DirectAccess. In addition to a conventional tunnel, application-specific VPNs can also be created, which are established when the application is started and are only used by this specific application. The so-called device tunnel offers the option of connecting the client to the company network before the user logs on - just as DirectAccess does. Please note: The device tunnel has different requirements than the user tunnel: The client operating system must be available in the Enterprise Edition and only the IKEv2 protocol is supported. User tunnels can also use Secure Socket Tunneling Protocol (SSTP).
Configuration makes the difference
The configuration of clients is only possible via the cloud service Intune or via PowerShell scripts and therefore not as intuitive as the DirectAccess graphical wizard. On the server side, a Microsoft VPN server with IKEv2 protocol must be set up for the device tunnel. For user tunnels, SSTP or VPN solutions from third parties such as Cisco, Checkpoint, or Fortinet can also be integrated. Furthermore, many firewalls offer integrated VPN services. Other network appliances such as Citrix Netscaler Gateway also offer this functionality. (Attention: Citrix also calls its remote access feature AlwaysON - there is a risk of confusion). Third-party solutions are therefore a real alternative - if the necessary know-how is available and all functionalities can be covered.
We have experts for all your solutions
Although DirectAccess is no longer actively recommended by Microsoft, it is still an easy-to-use remote access solution. Prerequisite for the deployment is the compatibility of the applications via the IPv6 tunnel. If this is provided, DirectAccess remains the author’s first choice for remote access, possibly in combination with a conventional VPN server, so that devices that are not domain members can also be connected. Always on VPN offers more possibilities than DirectAccess, but is not as easy to configure, and it is important to define from the beginning which features should be used, because they do not all function equally well with each other.
Whichever solution is right for you, the UMB experts will be happy to assist you with planning and implementation. Please contact me.