Hands on with Windows Server 2008 R2: DirectAccess

Promises an unprecedented level of connectivity -- but at a very steep price

Page 4 of 4

Using the DirectAccess setup wizard

Once you have prepared your environment for DirectAccess, you can use a relatively simple wizard to put in place the tools necessary to deploy DirectAccess. In the wizard, you specify which clients can connect to your corporate network via DirectAccess; choose connectivity and security policies for controlling access to DirectAccess; identify the right DNS, domain controller and management servers necessary to enable all DirectAccess features; and specify the application servers accessible to remote clients connected through DirectAccess.

To run the console, go to Start, Administrative Tools and then click on DirectAccess Management. You'll be greeted with the screen shown in the figure below.

Click the Setup branch in the left pane to start the process.

The first step is to choose the security group, or groups, you created earlier during preparations that contain the computer accounts that will be enabled for DirectAccess.

Next, set up the DirectAccess server itself. First, specify which network adapter faces the Internet and which connects to your internal corporate network. Next, choose the root certification authority (CA) whose certificate will be used to verify the computer certificates DirectAccess clients present when they authenticate their IPsec tunnels; a client certificate that does not chain to this CA is rejected. You can also choose the server certificate used for IP-HTTPS connectivity; its subject name should match the public name clients connect to, and it must chain to a CA those clients already trust. Finally, decide whether users will be required to log on to their DirectAccess-enabled computers with a smart card.

The third phase of the DirectAccess configuration identifies and sets up communication with infrastructure servers, such as DNS servers, domain controllers and management servers. First, supply the HTTPS URL of the network location server that DirectAccess clients probe to find out whether they are on the corporate network or outside it. A client that can reach that URL and validate its certificate concludes it is inside and leaves DirectAccess idle, so the URL must be reachable only from the internal network; conversely, internal clients that cannot reach it will behave as if they were remote, so the server behind it needs to stay highly available. Next, identify the DNS suffixes and IP addresses of internal DNS servers so that clients send name queries for corporate names to the right machines (this populates the client's name resolution policy table). Finally, you can enter the names or IP prefixes of DirectAccess management servers; this is optional.

Figure: The DirectAccess setup wizard.

The final phase of the wizard selects the application servers that require end-to-end IPsec protection and configures authentication and authorization for access to them. By default the IPsec tunnels terminate at the DirectAccess server and traffic continues to internal servers as ordinary intranet traffic; here you can select one or more security groups of servers that must additionally authenticate the client end to end, and you can restrict DirectAccess clients so that they can reach only the servers in those groups.
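The wizard accepts whatever you type and only fails later, on the client, so it pays to validate its inputs first. The script below is an added example, not Microsoft's code and not from the article: it checks the four things the wizard steps above depend on, namely that the client security group holds computer accounts, that the IP-HTTPS and root CA certificates are in the right stores, and that the network location server URL is HTTPS, resolves only to internal addresses and presents a trusted certificate. The group name, URL, address prefixes, FQDN and thumbprint in the param block are placeholders to replace; it is written for PowerShell 2.0 and the ActiveDirectory module from the Windows Server 2008 R2 RSAT, and is meant to be run on the DirectAccess server.

```powershell
# Pre-flight check for the inputs the DirectAccess setup wizard asks for.
# Added example, not Microsoft's code. Every value in the param block is a
# hypothetical placeholder; replace it with your own. Targets PowerShell 2.0
# and the ActiveDirectory module shipped with Windows Server 2008 R2 RSAT.
param(
    [string]   $ClientGroup      = "DA-Clients",                    # wizard step 1: client computer group
    [string]   $NlsUrl           = "https://nls.corp.example.com/", # wizard step 3: network location server
    [string[]] $InternalPrefixes = @("10.", "192.168."),            # IPv4 prefixes routable only inside
    [string]   $IpHttpsFqdn      = "da.example.com",                # wizard step 2: public IP-HTTPS name
    [string]   $RootCaThumbprint = "0000000000000000000000000000000000000000" # wizard step 2: client cert CA
)

Import-Module ActiveDirectory

$results = @()
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Name; Passed = $Passed; Detail = $Detail }
}

function Test-ServerAuthEku($Cert) {
    # Server Authentication EKU (1.3.6.1.5.5.7.3.1), read through .NET so it works on PowerShell 2.0.
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq "1.3.6.1.5.5.7.3.1") { return $true }
            }
        }
    }
    return $false
}

# Step 1: the wizard wants computer accounts; a user or group that slipped in gets no DirectAccess policy.
$members      = @(Get-ADGroupMember -Identity $ClientGroup -Recursive)
$nonComputers = @($members | Where-Object { $_.objectClass -ne "computer" })
Add-Check "Client group holds only computer accounts" ($nonComputers.Count -eq 0) `
          "$($members.Count) members, $($nonComputers.Count) not computers"

# Step 3: the NLS URL must be HTTPS, must resolve only to internal addresses, and must present a
# certificate the client trusts. Reachable from the Internet means clients believe they are at the
# office and never bring up DirectAccess; unreachable from inside means office clients act as remote.
$uri = [Uri]$NlsUrl
Add-Check "NLS URL uses HTTPS" ($uri.Scheme -eq "https") $NlsUrl

$nlsAddrs = @([System.Net.Dns]::GetHostAddresses($uri.Host) | ForEach-Object { $_.IPAddressToString })
$external = @($nlsAddrs | Where-Object {
    $addr = $_
    -not ($InternalPrefixes | Where-Object { $addr.StartsWith($_) })
})
Add-Check "NLS resolves only to internal addresses" ($external.Count -eq 0) ($nlsAddrs -join ", ")

try {
    # Same probe the client performs: an HTTPS GET that throws if the certificate chain does not validate.
    $response = [System.Net.WebRequest]::Create($uri).GetResponse()
    Add-Check "NLS answers over HTTPS with a trusted certificate" $true "HTTP $([int]$response.StatusCode)"
    $response.Close()
} catch {
    Add-Check "NLS answers over HTTPS with a trusted certificate" $false $_.Exception.Message
}

# Step 2: the IP-HTTPS certificate must live in the machine store, name the public FQDN,
# carry the Server Authentication EKU and not be expired.
$ipHttpsCerts = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Subject -like "*CN=$IpHttpsFqdn*" -and $_.NotAfter -gt (Get-Date) -and (Test-ServerAuthEku $_)
})
Add-Check "IP-HTTPS server certificate present and valid" ($ipHttpsCerts.Count -ge 1) $IpHttpsFqdn

# Step 2: the root CA the wizard pins for client IPsec certificates must be in the machine Root store.
$rootCerts = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $RootCaThumbprint })
Add-Check "Root CA for client IPsec certificates is trusted" ($rootCerts.Count -eq 1) $RootCaThumbprint

$results | Format-Table Check, Passed, Detail -AutoSize
```

Run it from the internal network, where every row should read True. The one property it cannot prove from inside is that the network location server is invisible from the Internet, so finish by confirming from an Internet-connected machine that the NLS name does not resolve or the HTTPS connection fails.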

The last word

DirectAccess is a highly useful feature of Windows Server 2008 R2 and has the potential to make administration in large organizations remarkably easier by allowing administrators to touch all clients, even those previously considered unmanageable. The benefits, however, may be masked by the initial complexity and technological requirements needed to fully deploy DirectAccess.

From IPv6 to the transition technologies to the very requirement that Windows Server 2008 R2 be running within the enterprise (forcing you then to be an early adopter), I don't think anyone is arguing this is easy. And it could be made easier, via better options during setup, a migration and preparation wizard a la Windows Essential Business Server and other means. But eventually, the benefits may well outweigh the costs: This is definitely a feature to watch.

Jonathan Hassell is an author, consultant and speaker on a variety of IT topics. His published works include a variety of books on Windows, including Learning Windows Server 2003. He also speaks worldwide on topics ranging from networking and security to Windows administration. You can reach Jonathan at jhassell@sunvalleygp.com.

Copyright © 2009 IDG Communications, Inc.
