DELL.COM/PowerSolutions
Preprinted from Dell Power Solutions, December 2009. Copyright 2009 Dell Inc. All rights reserved.
Traditional VPN solutions can also present significant challenges for IT administrators. Because the remote clients are not always connected to the VPN, pushing software updates and performing other management tasks can be difficult. Ensuring secure communication from the remote clients over the Internet to the enterprise intranet is also challenging.

The DirectAccess feature is designed to overcome these obstacles by maintaining a bidirectional connection between client systems and the intranet as long as the client is connected to the Internet, enabling remote users to access enterprise intranet resources without a VPN connection while also offering enhanced manageability for administrators (see Figure 1). For example, to help reduce unnecessary intranet traffic, DirectAccess separates intranet traffic from Internet traffic by default, routing only traffic bound for the intranet to the DirectAccess server (although IT staff can optionally configure DirectAccess to send all traffic through the DirectAccess server). And unlike traditional VPN solutions, which typically provide all-or-nothing connectivity to the intranet, DirectAccess can provide different levels of access control. Administrators can use Group Policy to control resource accessibility, granting remote users unlimited access to all intranet resources or limiting that access to specific applications, servers, or subnets.

The automatic bidirectional connection provided by DirectAccess also helps simplify remote client management: as long as a client system is online, it is visible on the intranet, and administrators can remotely push software updates and perform other management tasks just as if the client were physically connected to the intranet. This capability helps ensure remote clients can be updated regularly.
Understanding the underlying technologies

The DirectAccess feature is built on IP Security (IPsec) and IP version 6 (IPv6) technologies. It uses computer certificates to authenticate remote client accounts, enabling seamless connectivity without requiring end users to provide login credentials.
IPsec authentication and encryption

DirectAccess uses IPsec to support secure communication between remote clients and the enterprise intranet. IPsec is a set of open standards that provides a flexible framework designed to secure network communications by authenticating and encrypting each IP packet of a data stream. DirectAccess authenticates both the clients and users with IPsec, and administrators can manage the clients before users log on. DirectAccess also uses IPsec to encrypt communication across the Internet. DirectAccess clients establish an IPsec tunnel for the IPv6 traffic to a DirectAccess server, which acts as a gateway to the intranet.

DirectAccess clients can connect to a DirectAccess server across the public IPv4 Internet, and can connect even if they are behind a firewall. Using the Encapsulating Security Payload (ESP) protocol, DirectAccess establishes two IPsec tunnels: one that uses a computer certificate and another that uses both a computer certificate and user credentials. The first tunnel provides access to an intranet Domain Name System (DNS) server and domain controller, allowing clients to download Group Policy Objects and request authentication on the user's behalf. The second tunnel authenticates users and provides access to intranet resources and application servers; this tunnel would need to be established, for example, before Microsoft Outlook could download e-mail from a Microsoft Exchange server on the intranet.
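The two client-side decisions described above, split versus force tunneling (which traffic is routed to the DirectAccess server at all) and the two-tunnel access model (computer certificate alone for the DNS server and domain controller, computer certificate plus user credentials for everything else), are easy to reason about when written down as policy logic. The following Python model is an example added to this article; it is not Microsoft's implementation, and every address, prefix, function name and the ClientState fields are constructed for illustration using the IPv6 documentation prefix 2001:db8::/32. Treating Internet-bound traffic under force tunneling as riding the user tunnel is a modelling assumption the article itself does not state.

```python
"""Constructed model of two DirectAccess client-side decisions.

Added illustration, not Microsoft's code:
  1. Split vs. force tunneling: is a destination sent to the DirectAccess
     server, or straight out to the Internet?
  2. Which IPsec (ESP) tunnel a destination needs: the infrastructure tunnel
     (computer certificate only; intranet DNS server and domain controller)
     or the intranet tunnel (computer certificate plus user credentials).
All addresses are constructed from the documentation prefix 2001:db8::/32.
"""
from dataclasses import dataclass
import ipaddress

# Constructed intranet prefixes, standing in for what Group Policy publishes.
INTRANET_PREFIXES = [
    ipaddress.ip_network("2001:db8:10::/48"),
    ipaddress.ip_network("2001:db8:20::/48"),
]

# Constructed infrastructure servers reachable over the first tunnel.
INFRASTRUCTURE_SERVERS = {
    ipaddress.ip_address("2001:db8:10::53"),  # intranet DNS server
    ipaddress.ip_address("2001:db8:10::88"),  # domain controller
}


@dataclass(frozen=True)
class ClientState:
    """What the client can currently offer for IPsec authentication (hypothetical fields)."""
    computer_cert_valid: bool   # trusted machine certificate available
    user_logged_on: bool        # user credentials available for the second tunnel
    force_tunnel: bool = False  # Group Policy option: send all traffic via the server


def _addr(dst):
    """Accept either an address string or an ipaddress object."""
    return dst if isinstance(dst, ipaddress.IPv6Address) else ipaddress.ip_address(dst)


def is_intranet(dst) -> bool:
    """Membership test against the published intranet prefixes."""
    dst = _addr(dst)
    return any(dst in prefix for prefix in INTRANET_PREFIXES)


def next_hop(dst, state: ClientState) -> str:
    """Split tunneling (default): only intranet-bound traffic goes to the
    DirectAccess server. Force tunneling: everything does."""
    if state.force_tunnel or is_intranet(dst):
        return "directaccess-server"
    return "internet"


def required_tunnel(dst, state: ClientState):
    """Which of the two ESP tunnels a destination needs; None if it bypasses
    DirectAccess entirely."""
    if next_hop(dst, state) == "internet":
        return None
    if _addr(dst) in INFRASTRUCTURE_SERVERS:
        return "infrastructure"  # computer certificate only
    # Application servers and, under force tunneling, Internet destinations
    # too: the user tunnel. The force-tunnel case is a modelling assumption.
    return "intranet"


def can_reach(dst, state: ClientState):
    """Return (reachable, reason) for one destination given the client state."""
    tunnel = required_tunnel(dst, state)
    if tunnel is None:
        return True, "sent directly to the Internet (split tunneling)"
    if not state.computer_cert_valid:
        return False, "no valid computer certificate: neither tunnel can be established"
    if tunnel == "infrastructure":
        return True, "infrastructure tunnel (computer certificate)"
    if not state.user_logged_on:
        return False, "intranet tunnel needs user credentials: no user logged on yet"
    return True, "intranet tunnel (computer certificate + user credentials)"


if __name__ == "__main__":
    # Constructed destinations: DNS server, Exchange server, an Internet host.
    targets = ["2001:db8:10::53", "2001:db8:20::25", "2001:db8:ffff::80"]
    states = {
        "before user logon": ClientState(computer_cert_valid=True, user_logged_on=False),
        "after user logon": ClientState(computer_cert_valid=True, user_logged_on=True),
        "force tunneling": ClientState(True, True, force_tunnel=True),
    }
    for label, state in states.items():
        print(f"-- {label}")
        for dst in targets:
            ok, why = can_reach(dst, state)
            print(f"{dst:>20}  via {next_hop(dst, state):<19} {'OK' if ok else 'NO'}  {why}")
```

Running the module prints the decision for each destination before logon, after logon, and with force tunneling enabled; the before-logon case shows why the first tunnel is what lets administrators manage a machine and let it pull Group Policy before any user has signed in.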
IPv6 and transitional technologies

IPv6 provides the foundation of the DirectAccess solution. This implementation enables DirectAccess clients to be assigned globally routable addresses. For organizations that already have a native IPv6 infrastructure, DirectAccess can provide a seamless connection between DirectAccess clients and a DirectAccess server. In addition, if a remote client connects directly to the IPv6 Internet and has a globally routable IPv6 address, the end-to-end DirectAccess connection can be established using native IPv6.

The protocol used to connect the clients to the intranet depends on the type of Internet connection. IPv4 is still the dominant protocol on the Internet and on enterprise intranets, and DirectAccess can be
Figure 1. Microsoft DirectAccess topology. The figure shows two Microsoft Windows 7 DirectAccess clients, one on a home network and one at a public wireless hotspot, each behind a router or NAT device, reaching the DirectAccess server across the Internet through the enterprise Internet router and firewall. Behind the server sits the enterprise intranet with its domain controller and intranet resources (file, application, and Web servers); Internet resources (Web and FTP servers) remain on the Internet side.