Foreword
Microsoft DirectAccess is a revolutionary remote access solution for managed (domain-joined) Windows clients. DirectAccess provides always-on corporate network connectivity, enabling remote users to securely access on-premises data and applications anywhere they have a connection to the public Internet. Many mistakenly believe that DirectAccess is itself a protocol. It is not. DirectAccess leverages multiple Microsoft technologies to deliver this service, such as Active Directory, IPsec, IPv6, digital certificates, and more. Harnessing the power of Windows Server 2012 and Windows 8 Enterprise edition, DirectAccess represents a paradigm shift in the way we think about providing remote access. Traditional Virtual Private Networking (VPN) solutions require the user to proactively initiate a connection back to the corporate network when they need to access corporate resources. By contrast, DirectAccess is seamless and transparent, and does not require any input from the user to establish remote network connectivity. Through the use of Connection Security Rules in the Windows Firewall with Advanced Security (WFAS), IPsec tunnels are established automatically in the background any time the user has an active Internet connection. A distinct advantage that DirectAccess has over VPN is that DirectAccess is bidirectional, allowing hosts on the corporate intranet to initiate connections outbound to connected DirectAccess clients. This allows system administrators to "manage out" and enables help desk administrators to initiate remote desktop sessions or security administrators to conduct vulnerability scans, among other things. DirectAccess fundamentally extends the corporate network to the remote user, wherever they may be located.
DirectAccess has been around for a few years, originally appearing as a feature of the Windows Server 2008 R2 operating system. Windows Server 2008 R2 DirectAccess wasn't widely deployed, as it carried with it very steep infrastructure requirements in order to support DirectAccess, including the requirement for a Public Key Infrastructure (PKI) for management of digital certificates and IPv6 for network layer transport. My first experience with DirectAccess came when Forefront Unified Access Gateway (UAG) 2010 was released. UAG included support for the DirectAccess role, and also included new features that eliminated the need to deploy IPv6 internally to take advantage of the solution.
As a Microsoft Most Valuable Professional (MVP) in the Forefront discipline, I began to deploy Forefront UAG for DirectAccess on a regular basis. With the release of Windows Server 2012, DirectAccess is now fully integrated into the operating system, and the adoption rate is accelerating faster. Today, I spend most of my time deploying Windows Server 2012 DirectAccess solutions for some of the largest organizations in the world.
I met Jordan Krause a few years ago when he was first awarded the MVP from Microsoft. Our MVP group is small and tight-knit, and from the beginning Jordan fit right in. He had a wealth of knowledge and experience with DirectAccess and freely shared this with the rest of us in the group. All of us in the DirectAccess community have gained important knowledge from Jordan. With this book, Jordan is now able to share his valuable experience with the rest of the world. This book is focused on sharing real-world, practical advice for deploying DirectAccess in the best possible way for your given deployment model. Jordan pulls no punches, and isn't afraid to tell you when you shouldn't do something, even if it is possible! He provides valuable context to help you with your implementation, and makes sure that you avoid the common pitfalls and mistakes that many engineers who are new to DirectAccess invariably make. If you're going to deploy Windows Sever 2012 DirectAccess now or in the future, you'll definitely want to read this book first.
Enjoy!
Richard Hicks
Director of Sales Engineering at Iron Networks, Inc.