Opinion: Does Microsoft's DirectAccess supersede VPNs?
By Bernd Reder
Microsoft's DirectAccess allows users to access a company’s IT system from a Windows computer, without using a VPN -- but by using IPsec to secure the connection and all data transferred in the communication. In contrast to a VPN, a DirectAccess client sets up a connection to the corresponding server after it has booted and set up a connection to the Internet. The user does not have to start a VPN session manually and log in to the company network. Nor does the administrator have to manage the system—for instance, roll out new software versions—until a client has set up a VPN connection.
So what’s the benefit of DirectAccess? Here are the main ones:
- It supports different protocols and communication processes like IP-HTTPS, SSL and IPsec.
- It provides authentication and encryption options.
Before you rush out to get DirectAccess though, you should hear the drawbacks, which are significant.
Restricted to the world of Windows
Does DirectAccess foretell the end for common VPN solutions? Definitely not. Microsoft's technology only works if the whole system is based on Windows 7: running on Windows 7 (Professional, Business or Ultimate) and a Windows server (Windows server 2008 R2). This means employees working on a Mac or with a Linux notebook can’t access the company network.
Smartphone users with iPhones, BlackBerrys or other devices running Android also can’t access the company network. And even more paradoxical, DirectAccess doesn’t even work on mobile devices running Windows Mobile or the new Windows Phone 7.
It is safe to assume that Windows will support DirectAccess in future versions of its Windows 7 phone, as well as the Windows OS for tablet PCs. However, until then, there is still a long way to go. On top of that, there is hardly any company in which only Windows devices are used across the spectrum of devices—smartphones, client PCs, tablet PCs, servers, etc. In most companies, several platforms and devices are used in parallel, leaving the company with heterogenic IT equipment.
Companies use heterogenic IT equipment
This fact will not change. If anything, trends (like the consumerization of IT) lead to employees bringing a diversity of cell phones, tablets and notebooks at an even faster rate. Of course, with these mobile devices, employees check their business emails on the road or in the home office, synchronize dates and contact details, and download documents from the company server. This simply can’t be done without a VPN solution that supports various operating systems and client systems.
Another problem with DirectAccess is that one of its mandatory pre-requisites is a Public Key Infrastructure (PKI) and the use of IPv6. However, not all companies use this version of the Internet protocol, yet. That’s still years away. In fact, thanks to Network Address Translation (NAT), many companies will continue to use IPv4 for quite a while.
So, what should companies do? Write off DirectAccess? Definitely not. Microsoft's DirectAccess technology offers solid advantages, like easy handling and easy management—as well as a high level of security. On top of that, it comes as standard with each Windows 7 packet, which means there are no additional charges. But the reality remains, DirectAccess is restricted to the world of Windows. In other words, the end of traditional VPN solutions is still a very long way off—especially for flexible solutions that support various operating systems and devices.