Direct Access: A Seamless Remote Access Solution Part-1 (2024)

Direct Access Vs. VPNs 💻

There is no fundamental difference between VPNs and Direct Access, but Direct Access is generally considered the better option for its seamless and secure remote access experience. 🔒

However, Direct Access does require a more complex setup and ongoing maintenance compared to VPNs. 🛠️

Using VPNs to connect to the office network also has its drawbacks: 😕

  • When a user gets disconnected from the VPN connection, they must re-establish the VPN connection. 🔁
  • Many organizations filter VPN connection traffic, making it difficult to open a firewall to allow VPN traffic. 🧱
  • If both your intranet and internet traffic go over the VPN connection, it can slow down your internet access. 🐢

Direct Access does not face these limitations, although it has limitations of its own. It allows a properly configured laptop to connect automatically using a bidirectional connection between the client and server. ↔️

To establish this connection, Direct Access uses Internet Protocol Security (IPsec) and IPv6. IPsec provides a high level of security, and IPv6 is the protocol that the machine uses.

How Does Direct Access Work?

Step 1: Client Detection 🕵️‍♀️

The Windows 10 or 11 Direct Access client determines whether the machine is connected to the corporate network or the internet. 🏢

Step 2: WebServer Connection 📡

The Windows 10 or 11 DirectAccess computer attempts to connect to the web server acting as the Network Location Server (NLS) that was specified during the Direct Access setup configuration. 🌐

Step 3: Direct Access Server Connection 🛡️

The Windows 10 or 11 DirectAccess client computer establishes a secure connection to the Windows Server 2016, 2019, or 2022 Direct Access server using IPv6 and IPsec. 🔐

Step 4: IPv4 to IPv6 Tunneling 🔃

Since most users connect to the internet using IPv4, the client establishes an IPv6-over-IPv4 tunnel using 6to4 or Teredo. ↔️

Step 5: Firewall Bypass 🧱

If an organization has a firewall that prevents the Direct Access client computer using 6to4 or Teredo from connecting to the Direct Access server, Windows clients automatically attempt to connect using the IP-HTTPS protocol. 🌐

Step 6: Mutual Authentication 🔒

As part of establishing the IPsec session, the Windows client and server authenticate each other using computer certificates. 🔑

Step 7: Authorization Verification

The Direct Access server leverages Active Directory membership to verify that the computer and user are authorized to connect using DirectAccess. 🏢

Step 8: Traffic Forwarding 🚚

The DirectAccess server seamlessly forwards traffic from the DirectAccess clients to intranet resources to which the user has been granted access. 🔑
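
The eight steps above as a simplified decision model, added here as an example and not taken from the original article or from Microsoft's implementation. The `ClientView` fields, outcome labels and sample scenarios are assumptions; the numbers in the comments (IP protocol 41 for 6to4, UDP 3544 for Teredo, TCP 443 for IP-HTTPS) are what a firewall between client and server has to pass for each transport.

```python
from dataclasses import dataclass

@dataclass
class ClientView:
    """What the client observes; every field is a modelling assumption."""
    nls_reachable: bool       # Step 2: HTTPS probe of the NLS succeeded
    native_ipv6: bool         # end-to-end IPv6 path, no tunnel needed
    public_ipv4: bool         # False means private address behind NAT
    proto41_open: bool        # 6to4 is carried as IP protocol 41
    udp3544_open: bool        # Teredo uses UDP 3544
    tcp443_open: bool         # IP-HTTPS rides inside TLS on TCP 443
    machine_cert_valid: bool  # Step 6: computer certificate for IPsec
    in_da_group: bool         # Step 7: AD group allowed to use DirectAccess

def choose_transport(v):
    """Steps 4-5: pick the IPv6 transport, IP-HTTPS as the last resort."""
    if v.native_ipv6:
        return "native-ipv6"
    if v.public_ipv4 and v.proto41_open:
        return "6to4"
    if not v.public_ipv4 and v.udp3544_open:
        return "teredo"
    return "ip-https" if v.tcp443_open else None

def connect(v):
    """Walk Steps 1-8 and return (location, transport, outcome)."""
    if v.nls_reachable:                       # Steps 1-2: inside the office
        return ("intranet", None, "direct")
    transport = choose_transport(v)
    if transport is None:
        return ("internet", None, "no-path")
    if not v.machine_cert_valid:              # Step 6: mutual authentication
        return ("internet", transport, "ipsec-auth-failed")
    if not v.in_da_group:                     # Step 7: authorization
        return ("internet", transport, "not-authorized")
    return ("internet", transport, "connected")   # Step 8: traffic forwarded

# Constructed scenarios: hotel Wi-Fi that only lets web traffic out, and
# a home router with NAT where the machine certificate is no longer valid.
HOTEL = ClientView(False, False, False, False, False, True, True, True)
HOME_EXPIRED = ClientView(False, False, False, True, True, True, False, True)

if __name__ == "__main__":
    for name, view in (("hotel", HOTEL), ("home", HOME_EXPIRED)):
        print(name, connect(view))
```
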

Direct Access Components

  1. Direct Access Server:
       • Windows Server 2016, 2019, or 2022
       • Connects to both the internal and external networks
       • Serves as a gateway for external clients
  2. Direct Access Client:
       • Any domain-joined Windows computer (client or server) can establish connections to the Direct Access server using IPv6 and IPsec
       • Employs IPv6 transition technologies like 6to4 or Teredo if a native IPv6 network is unavailable
  3. Network Location Server (NLS):
       • Determines the location of Direct Access clients (internal or external)
       • Utilizes HTTPS communication for client identification
       • Triggers Direct Access Group Policy Objects (GPOs) if the client cannot reach the NLS
  4. Internal Resources: IPv6-based applications and resources accessible to Direct Access clients
  5. Active Directory: Facilitates authentication and GPO deployment to clients
  6. Group Policy (GPO): Manages configurations for Direct Access clients and servers
  7. Public Key Infrastructure (PKI): Provides computer certificates for secure communication
  8. Domain Name System (DNS): Enables client computers to locate internal resources
  9. Name Resolution Policy Table (NRPT): Guides client computers in selecting the appropriate DNS server (internal or external)
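
How the NRPT steers name resolution, as an added example that is not from the original article or from Windows code. It is a simplified model: a namespace starting with a dot is a suffix rule, a rule with no DNS servers is an exemption (DirectAccess adds one for the NLS name, so the NLS is never looked up through the tunnel), and the rules only apply while the client is outside the corporate network. All names and addresses are constructed.

```python
def select_dns_servers(fqdn, nrpt, local_dns, outside=True):
    """Return the DNS servers that a query for fqdn is sent to."""
    if not outside:                 # NLS reachable: DirectAccess rules are off
        return local_dns
    name = fqdn.lower().rstrip(".")
    best = None                     # (is_exact, namespace_length, servers)
    for namespace, servers in nrpt:
        ns = namespace.lower()
        if ns.startswith("."):      # suffix rule, e.g. ".corp.example.com"
            hit, exact = name.endswith(ns), False
        else:                       # single-name rule
            hit, exact = name == ns, True
        # An exact name beats any suffix; among suffixes the longest wins.
        if hit and (best is None or (exact, len(ns)) > best[:2]):
            best = (exact, len(ns), servers)
    if best is None or not best[2]: # no matching rule, or an exemption
        return local_dns
    return best[2]

# Constructed policy table: (namespace, DirectAccess DNS servers)
NRPT = [
    (".corp.example.com", ["2001:db8:da::53"]),
    (".lab.corp.example.com", ["2001:db8:da::54"]),
    ("nls.corp.example.com", []),   # exemption for the NLS
]
LOCAL_DNS = ["192.0.2.53"]          # resolver handed out by the local network

def internal_names_sent_locally(names, internal_suffix=".corp.example.com"):
    """Defender check: internal names that would go to the local resolver."""
    return [n for n in names
            if n.lower().endswith(internal_suffix)
            and select_dns_servers(n, NRPT, LOCAL_DNS) == LOCAL_DNS]

if __name__ == "__main__":
    for n in ("files.corp.example.com", "nls.corp.example.com",
              "build.lab.corp.example.com", "www.example.org"):
        print(n, "->", select_dns_servers(n, NRPT, LOCAL_DNS))
```
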

Direct Access Tunneling Options

Direct Access relies on IPv6 and IPsec for secure communication, but not all organizations have implemented IPv6. To address this, Direct Access employs IPv6 transition tunneling options to ensure connectivity for clients:

  1. ISATAP (IPv6 over IPv4): Enables Direct Access servers to communicate internally over IPv4 networks
  2. 6to4: Utilizes IPv4-based internet infrastructure for external communication
  3. Teredo: Facilitates communication over IPv4-based internet when clients are behind NAT devices
  4. IP-HTTPS: Serves as a fallback mechanism when other tunneling methods fail

Additional Considerations

  • Direct Access clients can seamlessly access internal resources regardless of their location.
  • Direct Access utilizes GPOs to manage client and server configurations.
  • Direct Access leverages PKI for secure communication between clients and the server.
  • DNS and NRPT are employed for client-side resource discovery and DNS server selection.
  • Direct Access offers various tunneling options to accommodate different network environments.

The one downside to Direct Access is that it requires a great deal of time, resources and knowledge to set up properly.

  • Here is a link to additional DirectAccess documentation for Windows Server. https://learn.microsoft.com/en-us/windows-server/remote/remote-access/directaccess/directaccess

Author: Duncan Muller