Microsoft DirectAccess: Extending The Workplace To The Home Office
Posted 20 November 2015 by Anthony Green
Giving access from home offices to the corporate network has often been a tricky issue for IT departments to deal with, if not a downright pain in the neck! Software nearly always needs installing on the end user’s PC, whether via a VPN client of some description or a full-on remote desktop solution such as Citrix or Microsoft’s Remote Desktop Services. Even those solutions touted as being ‘clientless’ still typically involve some sort of web browser plug-in or reliance on a version of Java that may or may not need extra rights. Either way, there is almost always configuration required by an administrator and, frequently, extra software or licensing costs.
Enter Microsoft’s DirectAccess as an alternative solution, with a much lower overhead from an IT support perspective and a significantly better experience for the end user. Introduced in Windows Server 2008 R2 and much improved in Windows Server 2012, it is a remote access solution that gives you full access to your corporate internal network, shares, websites, applications and more, and does not require either VPN clients or extra servers/desktops for Remote Desktop access.
Put simply, DirectAccess establishes bi-directional connectivity with an internal network every time a DirectAccess-enabled computer connects to the Internet, even before the user logs on. Users never have to think about connecting to the internal network and IT administrators can manage remote computers outside the office, even when the computers are not connected to a VPN.
One big (and very topical) question is ‘how secure is it?’ The answer lies in several places. Firstly, all traffic between the DirectAccess server and the DirectAccess client is encrypted using IPsec with 192-bit AES. Other encryption methods can be configured, but they might require more CPU cycles on both the client and the server. Secondly, you can restrict which computers can use DirectAccess with simple Active Directory groups, and thus easily revoke DirectAccess capability. Conversely, you can restrict which application servers they can access, again by specifying an Active Directory group and putting those servers in that group. Thirdly, it is now possible to integrate two-factor authentication, such as RSA SecurID, into a DirectAccess deployment. However, as with any remote technology, it is still important to secure the end device, for which technologies such as BitLocker drive encryption are crucial.
With the advent of Windows Server 2012 this technology has really come to maturity, and we are seeing numerous requests to implement it so that companies can ease themselves away, in particular, from the burden of deploying VPNs.
To learn more about how Microsoft DirectAccess can benefit your business, please contact us for a no-obligation chat on email@example.com, or call us on 0845 034 7222.