DirectAccess and VPN – Who’s Hurting Who? Part 1

It’s been called “The Death of VPN.” It’s been placed on a pedestal as one of the best available solutions to our VPN woes. But, on taking a step back, does DirectAccess  actually deliver on its promise?

Two months ago, VPN Haus ran a story asking just that. What that article found was telling- more and more, experts are saying no. While it’s certainly flexible, powerful, and packaged with a plethora of encryption and authentication options, DirectAccess decisively lacks the comprehensive features to be an all-in-one solution. Aside from only running on Windows 7, this “flexible alternative” is, ironically, more than a little inflexible when it comes to implementation, with a list of requirements a mile long, including mandatory IPv6 implementation.

Proponents of DirectAccess might postulate that it’s possible to circumvent the “mandatory IPV6 rule” by installing Microsoft’s Forefront Unified Access Gateway over DirectAccess to handle VPN requirements- installing most of the required infrastructure for DirectAccess in the process, as well as NAT64 and DNS64.

Of course, this brings to the table a whole new gallery of issues, mostly related to flexibility and client management.

If you decide to install UAG so that you can use DirectAccess over IPv4, The built in firewall will be disabled  and the Microsoft Forefront Threat Management Gateway will install. This offers full support for IPv4 -- but no support for IPv6.  Not only that, NAT64 offers no support for reverse NAT mapping- so client management becomes a considerable challenge.

On the other hand, if you install DirectAccess into Windows Server 2008, the built-in firewall will be able to support IPv6. Unfortunately, this comes with a rather crippling caveat --  the firewall will only enable inbound or outbound rules.  In other words, you won’t be able to get any IPv6 traffic past the server.

Either way, there’s the potential to cripple- or at least considerably hobble- your network in some way. This is particularly true if you’re using a non-Microsoft firewall for security. If you are, well…good luck implementing DirectAccess. You’ll need it.