Coming next month is the official general availability of Windows 7, and the industry is abuzz. So many new features and enhancements truly make it a remote worker's dream come true.
One such feature is DirectAccess. It takes the concept of VPN and turns it topsy-turvy. User-initiated PPTP or L2TP are great VPN solutions that we have used in Windows XP and Vista for years. But let's face it, they have their limitations. Many hotels don't allow such VPN traffic. When tethering with some cell providers, they won't allow it either. That makes it difficult at best to deliver the "anywhere, anytime" access remote workers seek. And it is not always practical to buy into yet another appliance just to get SSL VPN, and still not get all the benefits we need for full corporate network access.
Worse yet, managing remote computers over VPN is a nightmare. You have to wait until a connection is established, and generally the Group Policy updates don't happen fast enough, which means it is extremely difficult to manage the machines through Group Policy. And we have all seen the ugliness of remote shares and connectivity when using PPTP: it works well when the tunnel is up, but hangs everything when you try to access shares while it isn't.
Enter DirectAccess. DirectAccess allows machine-level connectivity by combining IPv6 with IPsec to give you a tunnelled direct connection back to the office in a secure manner. This means you can actually apply full Group Policy and management to these machines ANYTIME they are connected to the Internet.
That's right, in case you think you didn't read that correctly: when the PC is online, it is actually connected to the corporate LAN. That means it has full access to all assets and resources, and comes into complete visibility to your management systems like WSUS and System Center.
Of course, that in itself becomes a concern to some IT professionals. It means laptops in the field always have connectivity. How do we know for sure they are who they say they are? DirectAccess has built-in trust through its certificate management chain: each machine within a DirectAccess scope will have received a client certificate from the Certificate Authority attached to Active Directory. That authenticates the machine, not the person at the keyboard. If you want more assurance, AuthAnvil can come into play here in a REALLY nice way, to provide identity assurance for the user accessing the system.
Because DirectAccess allows your remote Windows 7 clients to be always communicating with Active Directory, you can take advantage of Active Directory software distribution policies and assign a Group Policy Object (GPO) to the OU in question. In other words, if you were to create an OU called "DAClients" and apply the AuthAnvil Protection Policy, the remote Windows 7 clients would have the AuthAnvil Credential Provider distributed and installed the next time they reboot, giving you immediate two-factor authentication on your DirectAccess clients. And here is what it would look like when they go to log into the Windows 7 client:
Pretty neat huh?
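Here is how the OU and GPO plumbing just described can be scripted from a Windows Server 2008 R2 domain controller (or a workstation with RSAT), plus a check to run on a client after it reboots. This is an added example, not code from the original post, from Microsoft or from the AuthAnvil product: the domain name, the computer names, the MSI share path and the credential provider CLSID are placeholders I made up. The MSI assignment itself has no cmdlet in the GroupPolicy module, so that one step still happens in GPMC, which is noted in the comments.

```powershell
# Added example. Assumes the domain corp.example.com (placeholder), the
# ActiveDirectory and GroupPolicy modules, and an AuthAnvil Credential Provider
# MSI already copied to a share. Run as a domain admin.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = 'DC=corp,DC=example,DC=com'            # assumption: your domain DN
$ouName   = 'DAClients'                            # OU name used in the post
$ouDN     = "OU=$ouName,$domainDN"
$gpoName  = 'AuthAnvil Protection Policy'          # GPO name used in the post

# 1. Create the OU that scopes the DirectAccess clients (idempotent).
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN
if (-not $ou) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# 2. Move the DirectAccess laptops into the OU (constructed sample computer names).
foreach ($name in 'LAPTOP-01', 'LAPTOP-02') {
    $computer = Get-ADComputer -Identity $name
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $ouDN
}

# 3. Create the GPO if needed and link it to the OU.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Assigns the AuthAnvil Credential Provider to DirectAccess clients'
}
New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes -ErrorAction SilentlyContinue

# The package assignment (Computer Configuration > Policies > Software Settings >
# Software installation > New > Package, deployment method "Assigned") must be
# done in GPMC; point it at a UNC path such as \\fileserver\software\AuthAnvilCP.msi
# (placeholder path). Computer-assigned packages install at the next reboot, which
# is why the post says "the next time they reboot".

# 4. Run on a client after that reboot: did the GPO apply, and did the credential
#    provider register itself with Winlogon? Credential providers live under the
#    Authentication\Credential Providers key, one subkey per provider CLSID.
function Test-AuthAnvilProvider {
    param(
        # Placeholder CLSID; the real value comes from the vendor's installer.
        [string]$ProviderClsid = '{00000000-0000-0000-0000-000000000000}'
    )
    $rsop    = gpresult /r /scope:computer
    $applied = [bool]($rsop -match [regex]::Escape($gpoName))
    $key     = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\$ProviderClsid"
    [pscustomobject]@{
        GpoApplied         = $applied
        ProviderRegistered = (Test-Path $key)
    }
}

Test-AuthAnvilProvider
```

If `GpoApplied` is false on a client that has been online for a while, the usual culprits are the machine account sitting outside the OU or the link being disabled, both of which the script above guards against; if the GPO applied but `ProviderRegistered` is false, the MSI assignment in GPMC is the step to revisit.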
Of course, since there will be times when these machines WON'T be connected to the corporate network, or more precisely won't be connected to the Internet at all, we recommend you configure the AuthAnvil Credential Provider to use Offline Caching Mode. This way you can continue to use AuthAnvil's two-factor authentication even when you cannot reach the AuthAnvil Strong Authentication Server, like when you are flying in an airplane or in the middle of nowhere with no network access to speak of.
If the concept of DirectAccess is still new to you and you want to learn more, please feel free to come listen to me speak about it at a few conferences in the next month. You can learn about it at:
- Microsoft TechDays on September 14th and 15th in Vancouver, British Columbia
- SMBNation Annual Conference on Oct 2nd through 4th in Las Vegas, Nevada
- At the Windows 7 Launch Party on October 22nd in Vancouver, British Columbia. This is an invitation only event, so the link isn't public. If you want to party with us, let me know.
Windows 7 is going to change the way we work. Real, true, anytime, anywhere access. And it's ready to leverage your existing IT investment in your strong authentication architecture with AuthAnvil right now.
(Did I mention I am writing this on the patio of a Starbucks? I love secure remote access!)