DirectAccess

from Wikipedia, the free encyclopedia

DirectAccess is a proprietary, VPN-like solution from Microsoft available in Windows Server 2008 R2 and 2012. The technology is based entirely on IPv6; IPv4 servers are reached through bridging technologies, and under Windows Server 2008 R2 this IPv4 bridging required operating a UAG firewall or a NAT64 device. For an external connection, the IPv6 data is transmitted through an IPsec tunnel. In contrast to a VPN, DirectAccess does not require the user to initiate a connection; instead, the client automatically establishes a connection to the company network at startup whenever it is outside the company network. This automatic connection of clients to the network lets companies manage external computers, so-called "manage-out".

Functionality

When a client computer starts, it tries to reach the so-called Network Location Server (NLS), which is nothing more than a website that is reachable only inside the domain network and can be provided by any web server. If the computer cannot reach the NLS, it assumes that it is not in the domain network and tries to establish an IPsec-secured connection to the company network. If a native IPv6 connection is not possible, it attempts to establish a tunnel using the 6to4, Teredo tunneling, or IP-HTTPS protocols. Once this connection is established, the Name Resolution Policy Table (NRPT) is configured so that the DirectAccess connection is used to access company resources. Depending on the configuration, all network traffic can also be routed through the company network. If no connection can be established (e.g. because there is no Internet connection), the user may, depending on the setting, be denied logon or still be allowed to log on using cached credentials.

Compared to other "road warrior" VPN (also called client-to-site) solutions, this variant offers user-independent authentication of the device. With the appropriate configuration of the DirectAccess server, it is also possible to extend the tunnel all the way to the end point (the server behind it), so that traffic is also encrypted in "cloud native" scenarios in which the servers are located not on the company's premises but at a service provider's data center. In addition, thanks to the authentication options familiar from Windows, a connection can be allowed or denied in the Windows Firewall based on user or computer group membership. Two further important functions are "Manage-Out", which allows the clients to be administered using "PSSession" and "WinRM", and the Always-On function: the automatic, user-independent negotiation of a VPN protocol based on the client's current network conditions (IPv6 available? IPsec blocked? Teredo possible? HTTPS connections possible?).

In the course of the introduction of DirectAccess, the IP-HTTPS protocol was also developed, which, in brief, enables a VPN connection over an HTTPS connection. Null encryption is used for the TLS connection. What looks like a serious security problem at first glance turns out not to be one on closer inspection: the HTTPS communication on port 443 serves only as the link layer over which the IPsec-encrypted IPv6 connection is established.
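As an added example that is not part of the article, the following PowerShell script reports, on a Windows 8 or later DirectAccess client, the pieces described above from the administrator's side: the NLS probe, what Network Location Awareness concluded, the transition transport in use (Teredo or IP-HTTPS), the NRPT entries and whether IPsec security associations exist. The NLS URL is an assumed placeholder taken from your own DirectAccess client settings.

```powershell
# Added diagnostic example (not from the article): summarise a DirectAccess
# client's current state. Cmdlets used are the built-in DirectAccessClientComponents,
# NetConnection, NetworkTransition, DnsClient and NetSecurity modules.
function Get-DirectAccessClientReport {
    param(
        # Hypothetical NLS URL; replace with the value from your DA group policy.
        [string]$NlsUrl = 'https://nls.example.internal/'
    )

    # 1. NLS probe: the NLS is reachable only inside the domain network. Success
    #    means the client considers itself "inside" and will not bring up a tunnel.
    $nlsReachable = $false
    try {
        $r = Invoke-WebRequest -Uri $NlsUrl -UseBasicParsing -TimeoutSec 5
        $nlsReachable = ($r.StatusCode -eq 200)
    } catch { $nlsReachable = $false }

    # 2. Network Location Awareness verdict (DomainAuthenticated = inside).
    $categories = Get-NetConnectionProfile | Select-Object -ExpandProperty NetworkCategory

    # 3. Overall DirectAccess status as reported by the client components.
    $daStatus = 'cmdlet unavailable'
    try { $daStatus = (Get-DAConnectionStatus).Status } catch { }

    # 4. Transition transport in use: Teredo or IP-HTTPS (native IPv6 and 6to4
    #    show up as ordinary IPv6 addresses on the interfaces instead).
    $teredo  = (Get-NetTeredoState).State
    $iphttps = (Get-NetIPHttpsState).InterfaceStatus

    # 5. NRPT rules: namespaces that must be resolved via the DA DNS servers.
    $nrpt = Get-DnsClientNrptPolicy | Select-Object Namespace, DirectAccessDnsServers

    # 6. IPsec main-mode SAs: the tunnel that actually protects traffic is IPsec,
    #    so a "connected" status with zero SAs is worth investigating.
    $saCount = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue).Count

    [pscustomobject]@{
        NlsReachable      = $nlsReachable
        NetworkCategories = ($categories -join ',')
        DAStatus          = $daStatus
        TeredoState       = $teredo
        IPHttpsStatus     = $iphttps
        NrptRules         = $nrpt
        IPsecMainModeSAs  = $saCount
    }
}

Get-DirectAccessClientReport | Format-List
```

A client that reports NlsReachable = $true together with an active Teredo or IP-HTTPS interface indicates that the NLS is exposed outside the intranet, which defeats the inside/outside detection the whole mechanism depends on.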

Requirements

Windows Server 2008 R2

At least one Windows Server 2008 R2 system that belongs to an Active Directory domain, has DirectAccess installed and has two network adapters (one connected to the Internet and one to the intranet) is required. Two public IPv4 addresses are also required. The network must also have a DNS server, a PKI environment and Active Directory. For interaction with pure IPv4 servers in the internal network, the NAT64 function of the Microsoft TMG firewall (formerly UAG firewall) or a NAT64 device is required.

Windows Server 2012

At least one Windows Server 2012 system that belongs to an AD domain and has DirectAccess installed is required, but only one network adapter and one IP address are needed. A PKI environment can now also be dispensed with, although a DNS server and Active Directory are still required. A special firewall is also no longer necessary, as the IPv4 bridging technologies are already integrated in Windows Server 2012.

Clients

Clients require Windows 7 Ultimate / Enterprise Edition, Windows 8 Enterprise Edition or Windows 10 Education / Enterprise Edition.

Other operating systems

DirectAccess is a proprietary solution from Microsoft that does not support any other operating system. On the server side, however, there are third-party solutions for the integration of Linux into a DirectAccess infrastructure.

For the integration of other operating systems, it is recommended to configure a VPN protocol during the installation of DirectAccess.

Since DirectAccess is essentially just an orchestration of standardized tunnel protocols, an implementation on other operating systems is at least theoretically possible. The IP-HTTPS protocol is specified on the Microsoft website.

Individual evidence

  1. Requirements for Direct Access with Windows Server 2008 on Microsoft TechNet. Retrieved February 17, 2014.
  2. Configuring the infrastructure of a RAS server with DirectAccess, on Microsoft TechNet. Retrieved February 17, 2014.
  3. Centrify DirectSecure: DirectAccess Integration. (Memento of the original from March 26, 2011 in the Internet Archive.) Retrieved February 17, 2014.
  4. MS-IPHTTPS: IP over HTTPS (IP-HTTPS) Tunneling Protocol (English). Microsoft. Retrieved February 21, 2019.