Direct Access is the ultimate VPN solution that is one of the enablers for the New Way of Work
Direct Access Benefits

• Always On
• Patch management, health check and GPOs
• Network-level computer/user authentication and encryption
• Automatically connects through NAT and firewalls
• VPNs connect the user to the network; DirectAccess extends the network to the remote computer and user

[Diagram: remote client connected to the Corporate Network]
Client and server applications must be IPv6 compatible.

[Diagram: client app (IPv6) on the Internet, server app (IPv6) on the corporate intranet]

• Tunnelling technologies for the Internet and intranet to support IPv6 over IPv4
• Internet tunnelling selection based on client location: Internet, NAT, firewall
• Encryption/authentication of Internet traffic (end-to-edge/end-to-end)
• Client location detection: Internet or corporate intranet
[Diagram: Forefront Unified Access Gateway (UAG) between the IPv4 Internet and the Corporate Network]

Internet side (client tunnels to UAG):
• 6to4 tunnel: IPv6 in IPv4, protocol 41
• Teredo tunnel (client behind NAT): IPv6 in UDP, port 3544
• IPHTTPS tunnel (client behind NAT, UDP port 3544 blocked): IPv6 in HTTPS

Intranet side (UAG to corporate network):
• Native IPv6
• ISATAP: IPv6 in IPv4, protocol 41
• DNS64 / NAT64 to IPv4 servers
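The tunnel selection the slides above describe, written out as an added Python model (this is not code from the deck or from Microsoft): a client that finds itself on the intranet uses native IPv6 or ISATAP, a client on the Internet with a public IPv4 address uses 6to4, a client behind a NAT uses Teredo unless UDP port 3544 is blocked, and then IPHTTPS. The ClientNetwork fields, the NAT heuristic (RFC 1918 plus carrier-grade NAT space) and the rule order are this example's assumptions; the real Windows client probes more than this. The encapsulation string returned with each choice is what a firewall administrator has to allow or inspect for that tunnel.

```python
"""Model of DirectAccess transition-technology selection (added example)."""
import ipaddress
from dataclasses import dataclass

# Address ranges taken as evidence of a NAT between the client and the Internet:
# RFC 1918 private space plus RFC 6598 carrier-grade NAT space (an assumption).
NAT_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


@dataclass
class ClientNetwork:
    """Constructed view of what a client can observe; field names are this example's own."""
    on_intranet: bool           # client location detection found the corporate intranet
    native_ipv6: bool           # a global IPv6 address is configured
    ipv4: str                   # the client's own IPv4 address
    udp_3544_reachable: bool    # Teredo server answers on UDP port 3544
    https_reachable: bool       # IPHTTPS server answers on TCP port 443


@dataclass
class Selection:
    technology: str             # native, isatap, 6to4, teredo, iphttps or none
    encapsulation: str          # what a firewall in the path has to allow (from the slide)


def behind_nat(addr: str) -> bool:
    """True when the client's address shows it sits behind a NAT."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NAT_RANGES)


def select_transition(c: ClientNetwork) -> Selection:
    """Pick the transition technology in the order the slides imply."""
    if c.on_intranet:
        # On the intranet no DirectAccess tunnel is built: native IPv6 or ISATAP.
        if c.native_ipv6:
            return Selection("native", "plain IPv6")
        return Selection("isatap", "IPv6 in IPv4, IP protocol 41")
    if c.native_ipv6:
        return Selection("native", "plain IPv6")
    if not behind_nat(c.ipv4):
        # Public IPv4 address: 6to4, assuming protocol 41 reaches the client directly.
        return Selection("6to4", "IPv6 in IPv4, IP protocol 41")
    if c.udp_3544_reachable:
        # Behind NAT: Teredo, as long as its UDP port is not blocked.
        return Selection("teredo", "IPv6 in UDP, port 3544")
    if c.https_reachable:
        # UDP 3544 blocked: fall back to IPHTTPS, which any HTTPS-permitting firewall passes.
        return Selection("iphttps", "IPv6 in HTTPS, TCP port 443")
    return Selection("none", "no tunnel possible")


if __name__ == "__main__":
    # Constructed sample clients covering each branch.
    samples = {
        "public IPv4, no NAT": ClientNetwork(False, False, "203.0.113.10", True, True),
        "home NAT": ClientNetwork(False, False, "192.168.1.20", True, True),
        "hotel NAT, UDP 3544 blocked": ClientNetwork(False, False, "10.5.0.7", False, True),
        "intranet, IPv4 only": ClientNetwork(True, False, "10.20.30.40", False, False),
    }
    for label, client in samples.items():
        s = select_transition(client)
        print(f"{label:30} -> {s.technology:8} ({s.encapsulation})")
```

Reading the branches from the defender's side: the further down the list a client lands, the more its traffic looks like ordinary web traffic, so an IPHTTPS deployment needs the DirectAccess server's certificate and client authentication to carry the trust that port filtering no longer provides.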
Key terms: transition mechanism, IPv4, IPv6, Internet, tunnels

Key terms: transition technology, IPv6, IPv4 Internet, network address translation

Key terms: IPv6 packets, dual-stack, IPv4, Neighbor Discovery
Direct Access name resolution

[Diagram: corp.example.com zone served by DNS 1 and DNS 2 on the corporate intranet; client on the Internet with an IP-configured DNS address]
For end-to-edge protection, DirectAccess clients establish an IPsec session to an IPsec
gateway server (which by default is the same computer as the DirectAccess server). The
IPsec gateway server then forwards unprotected traffic, shown in red in the diagram, to application
servers on the intranet. This architecture works with any IPv6-capable application server
but does not require that server to run IPsec, simplifying the configuration and setup.
For end-to-edge with end-to-end IPsec protection, DirectAccess clients
establish an IPsec session to an IPsec gateway server, and that IPsec traffic
continues all the way to the intranet server for end-to-end IPsec protection.
This architecture provides better security than the end-to-edge model alone.
With end-to-end IPsec protection, DirectAccess clients establish an IPsec
session through the DirectAccess server to each application server to which
they connect. This provides the highest level of security because you can
configure access control on the DirectAccess server and extend IPsec all the
way to the internal server. This architecture requires that application servers
run Windows Server 2008 SP2 or Windows Server 2008 R2 and use both IPv6
and IPsec.
[Diagram: DirectAccess Server (Server 2008 R2) reaching line of business applications using ISATAP: IPv6 from the client, IPv4 across the intranet, IPv6 at the application server]

On all internal DCs: Dnscmd /config /globalqueryblocklist wpad
(The DNS global query block list contains "wpad" and "isatap" by default; setting it to "wpad" only removes "isatap" from the list so that clients can resolve the ISATAP router name.)
1. Extends access to line of business servers with IPv4 support
2. Access for down-level and non-Windows clients
3. Enhances scalability and management
4. Simplifies deployment and administration
5. Hardened edge solution

[Diagram: managed Windows 7 clients use DirectAccess (Always On) to the DA Server; unmanaged Vista, XP, non-Windows and PDA clients use SSL VPN to the same server; the DA Server extends support to IPv4 servers (IPv6 on the client side, IPv4 on the server side)]
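The "IPv4 support" item above, and the DNS64 / NAT64 pair in the UAG diagram, rest on one mechanism: DNS64 answers an IPv6-only DirectAccess client's AAAA query for an IPv4-only server by embedding the server's IPv4 address inside a NAT64 prefix, and NAT64 later pulls that address back out to forward the packet. The following added Python example (not code from the deck, UAG or Windows) shows both halves over constructed records in the corp.example.com zone named earlier in the deck. The RFC 6052 well-known prefix 64:ff9b::/96 is an assumption; a real deployment's NAT64 prefix may differ.

```python
"""DNS64 synthesis and NAT64 extraction (added example)."""
import ipaddress
from typing import Dict, List, Optional

# RFC 6052 well-known NAT64 prefix; an assumption here, a deployment's prefix may differ.
NAT64_PREFIX = ipaddress.ip_network("64:ff9b::/96")


def dns64_synthesize(ipv4: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 prefixes")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(prefix.network_address) | v4)


def nat64_extract(ipv6: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> Optional[ipaddress.IPv4Address]:
    """Recover the IPv4 destination NAT64 forwards to; None if the address is not synthesized."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def resolve_aaaa(name: str,
                 a_records: Dict[str, List[str]],
                 aaaa_records: Dict[str, List[str]],
                 prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> List[ipaddress.IPv6Address]:
    """DNS64 rule: return real AAAA records when they exist; synthesize from A only when none do."""
    real = aaaa_records.get(name, [])
    if real:
        return [ipaddress.IPv6Address(a) for a in real]
    return [dns64_synthesize(a, prefix) for a in a_records.get(name, [])]


# Constructed zone data for corp.example.com: one IPv4-only line of business
# server and one server that already has a native IPv6 address.
A_RECORDS = {"lob.corp.example.com": ["10.1.2.3"], "app.corp.example.com": ["10.1.2.4"]}
AAAA_RECORDS = {"app.corp.example.com": ["2001:db8::4"]}


if __name__ == "__main__":
    for host in A_RECORDS:
        answers = [str(a) for a in resolve_aaaa(host, A_RECORDS, AAAA_RECORDS)]
        print(f"{host:25} AAAA -> {answers}")
    # What NAT64 does with a packet sent to the synthesized address.
    print("64:ff9b::a01:203 forwards to", nat64_extract("64:ff9b::a01:203"))
```

Two points worth noticing when reviewing such a deployment: a synthesized AAAA answer cannot carry the server's own identity, so end-to-end IPsec to that server is not available and the end-to-edge model applies; and a server that gains a native AAAA record silently stops being translated, so access rules keyed on the NAT64 prefix need to be revisited when IPv6 is rolled out on the intranet.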
Direct access for dummies
