For Geeks @nd the not so Geeky

DirectAccess in Windows Server 2012

DirectAccess and Tunneling Protocols in Windows Server 2012

A DirectAccess connection between a remote client and the internal network is a two-part connection. The client uses IPv6 to connect to the DirectAccess server on the perimeter network. As IPv4 is still the most common form of communication on the public Internet, IPv6 transition technologies are used to encapsulate, or tunnel, the IPv6 packets within an IPv4 header.

  • 6to4 – For remote clients that have a public IPv4 address. Any router or firewall in the middle must allow outbound traffic using IPv4 protocol 41. The client must have a direct connection to the Internet and not be behind a NAT device.
  • Teredo – Used by clients that are behind a NAT device and therefore have a private IPv4 address. Intervening routers need to allow outgoing traffic on UDP port 3544.
  • IP-HTTPS – If the above transition technologies are not possible, IP-HTTPS is used. IP-HTTPS encapsulates IPv6 packets within HTTPS traffic. Virtually all routers allow outbound HTTPS traffic, so this is the easiest option to implement.
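As an added example (not part of the original post), the Python script below classifies constructed perimeter firewall flow records by the transition technology they carry, using the protocol 41 / UDP 3544 / HTTPS facts above, and decodes the IPv4 addresses that 6to4 and Teredo embed in their IPv6 addresses. The DirectAccess server address 192.0.2.1 and the flow records are assumed sample values.

```python
import ipaddress

# Constructed perimeter firewall flow records: a DirectAccess server at
# 192.0.2.1 (documentation address, assumed) receiving inbound client traffic.
DA_SERVER = "192.0.2.1"
FLOWS = [
    {"src": "203.0.113.10", "dst": DA_SERVER, "proto": 41, "dport": None},   # 6to4
    {"src": "198.51.100.7", "dst": DA_SERVER, "proto": 17, "dport": 3544},   # Teredo
    {"src": "198.51.100.9", "dst": DA_SERVER, "proto": 6,  "dport": 443},    # IP-HTTPS
    {"src": "198.51.100.9", "dst": "192.0.2.50", "proto": 6, "dport": 443},  # ordinary HTTPS
]

def classify_transition(flow, da_server=DA_SERVER):
    """Return which DirectAccess transition technology a flow carries, or None.

    Protocol 41 is IPv6-in-IPv4 (6to4), UDP/3544 is Teredo, and TCP/443 to the
    DirectAccess server is IP-HTTPS. TCP/443 elsewhere is ordinary HTTPS, so the
    destination must be checked rather than the port alone.
    """
    if flow["dst"] != da_server:
        return None
    if flow["proto"] == 41:
        return "6to4"
    if flow["proto"] == 17 and flow["dport"] == 3544:
        return "Teredo"
    if flow["proto"] == 6 and flow["dport"] == 443:
        return "IP-HTTPS"
    return None

def decode_6to4(addr6):
    """2002:WWXX:YYZZ::/48 embeds the client's public IPv4 address WW.XX.YY.ZZ."""
    v4 = ipaddress.IPv6Address(addr6).sixtofour
    return None if v4 is None else str(v4)

def decode_teredo(addr6):
    """2001:0::/32 embeds the Teredo server IPv4 and the XOR-obfuscated client IPv4."""
    pair = ipaddress.IPv6Address(addr6).teredo
    return None if pair is None else (str(pair[0]), str(pair[1]))

def summarize(flows=FLOWS, da_server=DA_SERVER):
    """Count flows per transition technology, e.g. to spot clients falling back to IP-HTTPS."""
    counts = {}
    for f in flows:
        kind = classify_transition(f, da_server)
        if kind:
            counts[kind] = counts.get(kind, 0) + 1
    return counts

if __name__ == "__main__":
    print(summarize())
    print(decode_6to4("2002:ac1d:2d64::1"))
    print(decode_teredo("2001:0000:4136:e378:8000:63bf:3fff:fdd2"))
```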

The performance of IP-HTTPS between a Windows 8 client and a Windows Server 2012 server is far superior to that of its Windows 7 and Windows Server 2008 R2 predecessors, as there is no need for SSL on top of IPsec encryption. This ‘double encryption’ seriously degrades network performance between a Windows 7 client and a Windows Server 2008 R2 server. Only Windows Server 2012 and Windows 8 support Kerberos proxy, which greatly simplifies authentication for DirectAccess clients.

In the second leg of the DirectAccess connection, Windows Server 2012 (unlike Server 2008 R2) provides NAT64/DNS64 functionality, which enables it to provide a connection over your existing IPv4 network. Windows Server 2008 R2, on the other hand, required an IPv6 network or had to rely on ISATAP or third-party transition solutions between IPv6 and IPv4.

Remember also that only Windows Server 2012 can be deployed as a DirectAccess server behind a NAT device.
Windows Server 2012 also supports deploying DirectAccess across multiple sites without any additional configuration. Windows 8 clients just need to ping the DirectAccess servers to connect to the server with the lowest latency, while for Windows 7 clients you will have to preconfigure the IP address of the preferred server.

DirectAccess in Windows Server 2012 in combination with Windows 8 clients uses Kerberos authentication. Windows 7 clients, however, require a PKI setup as they rely on computer certificates for authentication.
