For the past decade or so, virtual private networks have been the go-to mechanism for allowing users to remotely connect to a corporate network. Although such networks certainly get the job done, they are far from being an ideal solution. Microsoft's Windows 8 DirectAccess is one alternative.
From an end-user perspective, one of the biggest issues with virtual private networks (VPNs) is that end users have to initiate the connection and then log into the corporate network in a manner similar to how they log in from inside the perimeter network. While user-initiated connectivity and logins aren't necessarily a deal breaker, the process does leave room for things to go wrong.
Some hotels, for example, actually block VPN connectivity or charge a premium to anyone wanting to establish VPN connectivity. Never mind the fact that some VPNs cause frustration for users when it comes time for them to change their passwords.
Administrators have also sometimes expressed frustration with VPNs. VPNs do a really good job of allowing users remote access to Windows, but there is no way for the connection to be reversed. In other words, an admin cannot use a VPN to initiate a connection to a remote user. It is always up to the remote user to establish connectivity. This of course complicates the management of remote systems.
Addressing VPN limitations
When Microsoft created Windows 7 and Windows Server 2008 R2, it introduced DirectAccess to directly address the shortcomings of VPNs. For starters, the company designed DirectAccess to be an always-on connection. Whenever the user would connect to the Internet, DirectAccess automatically established a connection to the corporate network. The end user did not have to do anything to initiate this connection, which greatly improved an administrator's ability to manage remote computers.
Although the concept behind DirectAccess was solid, the implementation was anything but. Windows remote access was complicated to deploy and suffered from performance problems. In Windows 8 DirectAccess, Microsoft took another stab at the problems and this time got it right.
The Windows 8/Windows Server 2012 implementation of DirectAccess supports enterprise environments, while also being simple and flexible enough for small businesses to deploy. Microsoft has accomplished this design goal by doing a few different things.
On the server side, Microsoft has implemented two major changes that go a long way toward making DirectAccess deployments more practical. First, the installation and initial setup process is a lot easier than it used to be. Once the remote access role has been added to a server running Windows Server 2012, DirectAccess can be set up in as few as three clicks.
Of course, larger organizations still have the ability to perform customized DirectAccess deployments. A larger organization would typically use network load balancing for DirectAccess servers, whereas a smaller organization might not.
Another major improvement that Microsoft has made on the server end is that DirectAccess can now be used from behind a network address translation (NAT) device. This change was critically important to making DirectAccess accessible to smaller organizations. Such organizations often use NAT firewalls.
Performance and connectivity gains
Windows 8 clients also contain some enhancements related to DirectAccess. The most notable of these enhancements is in performance. Although Microsoft has not released any quantifiable benchmarks, it has been widely reported that Windows 8 DirectAccess offers far better performance than its predecessor.
Another big improvement for Windows 8 users is the integrated Connectivity Assistant. One shortcoming of Windows 7 DirectAccess was that it really didn't provide the end user with useful information whenever connectivity failed. Microsoft added a download called the Connectivity Assistant, which provides end users with a status indicator for Windows remote access.
In Windows 8 DirectAccess, the built-in Connectivity Assistant gives end users an easy way to tell whether they are connected to the corporate network. If a user has trouble with connectivity, he or she can click on the connection to reveal a properties sheet.
This properties sheet features a Collect Logs button for compiling diagnostic logging information, as shown in Figure 1. Links within the dialog box give users the option of emailing the logs to the help desk or viewing the logs themselves.
As you can see, Windows 8 DirectAccess is far simpler than the Windows 7 version. DirectAccess will likely see widespread adoption once more organizations begin deploying Windows 8.
This was first published in March 2013