Solved

Direct Access replace VPN in a TS environment

Posted on 2011-10-13
Last Modified: 2012-05-12
This relates to Windows 2008 R2 and earlier Windows environments as well. For certain remote users for various reason we now we have them establish a VPN connection to a server and then run Terminal Services on top of the VPN connection so they are logging into a LAN IP as opposed to a public IP. I am wondering if we can do this with Direct Access. I have heard that with Direct Access I need to have IPV6 configured and Windows 7 Enterprise for the workstations.  Is that correct? Is that the only way? No XP option?
Question by:lineonecorp
20 Comments

Accepted Solution

by:
David Johnson, CD, MVP earned 768 total points
ID: 36970430
There is no XP option and the server must have two NICs, and Windows 7 Enterprise/Ultimate is required; it works better than VPN by an order of magnitude.

Author Comment

by:lineonecorp
ID: 36970753
Thanks. Do I also need IPV6?  

As well, if you have any links for this I would appreciate seeing them.

Author Comment

by:lineonecorp
ID: 36970756
One more question - why two NICs on the server? It's not an issue as far as me having them - I just don't understand what the point is.

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 768 total points
ID: 36971031

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 768 total points
ID: 36971035
Yes, IPv6 is required, at least from the internet to the Direct Access server.

Author Comment

by:lineonecorp
ID: 36972345
Thanks for the links.
"Yes IPV6 is required at least from the internet to the direct access server"  - Sorry but I don't understand what that means.

As well, is the old VPN MS client - the one that  came with Windows XP -  available for Windows 7 - any version of Windows 7 - to connect to 2008 R2?

Also, looking at it the other way, can Windows XP and the VPN that comes with it connect to a 2008 R2 server?

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 768 total points
ID: 36976344
Direct Access uses IPv6 addressing, not IPv4 addressing, and will assign the client an IPv6 address. With IPv6 you don't need to use net address traversal (NAT) because you are not limited in the number of IP addresses.

The Windows XP VPN client will connect to 2008 R2, as VPN has not changed over the years. And yes, Windows 7 does come with VPN.
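The answer above says the client gets an IPv6 address even though it is reaching the DirectAccess server across an IPv4 internet. That works because DirectAccess carries IPv6 inside IPv4 using the standard transition technologies (6to4, Teredo, or IP-HTTPS as a fallback), and the first two embed the client's public IPv4 details directly in the IPv6 address. The following Python decoder is an added example, not code from the thread or from Microsoft; the sample addresses are the well-known RFC examples (2001:0:4136:e378:8000:63bf:3fff:fdd2 for Teredo, 2002:c000:204::1 for 6to4) and the function name is mine. From a DirectAccess server log, it tells a defender which transition technology a client used, whether it was behind a NAT, and what its public IPv4 address was.

```python
import ipaddress

# Well-known transition prefixes (RFC 4380 Teredo, RFC 3056 6to4).
TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")
SIXTOFOUR_PREFIX = ipaddress.IPv6Network("2002::/16")


def classify_transition_address(addr_str):
    """Decode an IPv6 address as seen by a DirectAccess server.

    Returns a dict naming the transition technology and, for Teredo and 6to4,
    the client's public IPv4 address recovered from the address bits.
    Anything else is either native IPv6 or an address handed out from the
    organisation's own IP-HTTPS prefix, which carries no IPv4 information.
    """
    addr = ipaddress.IPv6Address(addr_str)
    n = int(addr)

    if addr in TEREDO_PREFIX:
        # Layout: 32-bit prefix | 32-bit server IPv4 | 16-bit flags |
        #         16-bit obfuscated UDP port | 32-bit obfuscated client IPv4.
        # Port and client address are XORed with all-ones (RFC 4380 s.4).
        server = ipaddress.IPv4Address((n >> 64) & 0xFFFFFFFF)
        flags = (n >> 48) & 0xFFFF
        port = ((n >> 32) & 0xFFFF) ^ 0xFFFF
        client = ipaddress.IPv4Address((n & 0xFFFFFFFF) ^ 0xFFFFFFFF)
        # Cross-check our bit arithmetic against the stdlib decoder.
        if addr.teredo != (server, client):
            raise ValueError("Teredo decode mismatch for %s" % addr_str)
        return {
            "technology": "Teredo",
            "behind_nat": True,          # Teredo exists precisely for NATed clients
            "teredo_server": str(server),
            "client_public_ipv4": str(client),
            "client_udp_port": port,
            "flags": flags,              # 0x8000 was the RFC 4380 cone-NAT flag
        }

    if addr in SIXTOFOUR_PREFIX:
        # Layout: 2002: | 32-bit public IPv4 (bits 16..47) | 80 bits of subnet/host.
        v4 = ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF)
        if addr.sixtofour != v4:
            raise ValueError("6to4 decode mismatch for %s" % addr_str)
        return {
            "technology": "6to4",
            "behind_nat": False,         # 6to4 needs a public IPv4 on the client
            "client_public_ipv4": str(v4),
        }

    return {
        "technology": "native or IP-HTTPS",
        "behind_nat": None,              # not recoverable from the address alone
        "client_public_ipv4": None,
    }


if __name__ == "__main__":
    # Constructed inputs: the RFC example Teredo and 6to4 addresses plus a
    # documentation-prefix address standing in for an IP-HTTPS client.
    for sample in ("2001:0:4136:e378:8000:63bf:3fff:fdd2",
                   "2002:c000:204::1",
                   "2001:db8::1"):
        print(sample, "->", classify_transition_address(sample))
```

The practical point for the original question: the IPv6 requirement is on the DirectAccess server and the Windows 7 client, not on the ISP in between, and the client's transition address tells you more about its network position than a VPN-assigned private IPv4 address would.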

Author Comment

by:lineonecorp
ID: 36978472
Thanks.

As far as the IPv6 goes, I take it I have to have it running both on the client and the server?

Can I run IPv4 at the same time?

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 768 total points
ID: 36978640
Yes, you can run both. On your local network you do not need IPv6, but the Direct Access server must have IPv6 and so must the client.

Author Comment

by:lineonecorp
ID: 36983078
Great. Thanks for the speedy turnaround. Is there any reason why I wouldn't go with Direct Access with Windows 7 vs the old-fashioned VPN, assuming I can do anything I want at the server end to enable Direct Access? In other words, what do I gain in my environment - TS over VPN vs TS over Direct Access?

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 768 total points
ID: 36983411
Direct Access advantages:
• Client computer connects automatically (not user-initiated)
• Works through all firewalls
• Supports selected server access and IPsec authentication with an internet network server
• Supports end-to-end authentication and encryption
• Supports management of remote client computers

VPN advantages:
• Compatible with Windows Vista® and earlier versions of Windows client computers
• Compatible with client computers running non-Microsoft® operating systems
• Compatible with non-domain joined computers
• Does not require Windows Server 2008 R2 on the remote access server

http://technet.microsoft.com/en-us/library/dd875522(WS.10).aspx

Assisted Solution

by:kevinhsieh
kevinhsieh earned 432 total points
ID: 36984166
This scenario is what Remote Desktop Gateway is for. XP, Vista, 7, and even Apple iOS devices (and probably others) can connect to Terminal Server/Remote Desktop Server through a Remote Desktop Gateway server, which proxies the connection and only requires SSL to the internet.

This is a secure way to access over the Internet, can be done from plain XP/Vista/7 without any special higher end versions, and I would argue is more secure than Direct Access because Direct Access is much more likely to spread malware from an infected machine. You can even incorporate 2 factor authentication using something like PhoneFactor (which is free for up to 25 unique users per month).

http://windows.microsoft.com/en-US/windows7/What-is-a-Remote-Desktop-Gateway-server

Author Comment

by:lineonecorp
ID: 36984500
Thanks for the info to both of you.

ve3ofa:

You write: "Client computer connects automatically (not user-initiated)Works through all firewalls"

Can you explain a bit more what that means?

kevinhsieh:

You write: "I would argue is more secure than Direct Access because Direct Access is much more likely to spread malware from an infected machine."

Can you explain why you believe that?

For either or both of you:  

What about the idea of having your local drives available in your TS session.  It seems that VPN, Direct Access and newer versions of TS/RDS RDP clients support that. Is there any reason why one would be preferred to the other?  

Would Remote Desktop Gateway allow for local drives mapped into TS sessions?


Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 768 total points
ID: 36984624
What it means is that the user is logged right into their work pc without having to select the pc from a list of available connections via the gateway.

IMHO, kevinhsieh is a user of other than Microsoft products and is not aware of the current malware environment, where the operating system and the browser are not the culprit (Java vulnerabilities are the major failure point, approx. 60% of the drive-by infections, followed by Flash, then PDF software; near the bottom is Internet Explorer and the operating system), and wants to spread a bit of FUD. And also that remote access supports management of the client machines (group policy, patch management etc.)

Remote desktop clients control local drive mapping.


Assisted Solution

by:kevinhsieh
kevinhsieh earned 432 total points
ID: 36988431
What I am saying is that with Remote Access, or any other VPN, the client has the ability to make a network connection to an internal host and spread malware, or do other inappropriate things. Most VPN connections do very little to filter the traffic flowing over that VPN connection. While the majority of the real world risk is through web browsing and vulnerable plug-ins such as Java, Acrobat, and Flash, some modern malware such as Conficker does spread from machine to machine via open TCP ports. I have not heard of any malware that can spread via RDP if the user passwords are strong.

Remote Desktop Gateway only allows RDP traffic between the endpoint and the internal network, which is IMHO a much smaller threat profile than attaching a machine to the network via VPN and then running RDP. I would think that you should be able to agree that a Remote Desktop Gateway that only allows access to specific machines, and only over RDP, is less of an issue than a VPN which allows access to all internal machines, over all ports, all the time. Direct Access also isn't available for XP.

I believe the RD Session Host and RD Gateway can restrict if local drive redirection is available.
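To make the threat-profile comparison in the answer above concrete, here is an added Python model (not code from the thread, and not anything from Microsoft) of the two exposure surfaces kevinhsieh describes: a classic VPN that routes whole internal subnets to the client, versus an RD Gateway whose resource authorization policy (RAP) allows RDP only to named session hosts. The host inventory, addresses and listening ports are constructed for the example; the `allowed_ports` ACL on the VPN side and the RAP computer group are hypothetical inputs.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    tcp_ports: frozenset  # TCP services the host listens on


# Constructed sample inventory: a small AD network with two session hosts.
# Port numbers are the usual Windows services (DNS, Kerberos, RPC, LDAP, SMB, RDP).
INTERNAL_HOSTS = (
    Host("dc01", "10.0.0.10", frozenset({53, 88, 135, 389, 445, 3389})),
    Host("fs01", "10.0.0.20", frozenset({135, 139, 445})),
    Host("ts01", "10.0.0.30", frozenset({135, 445, 3389})),
    Host("ts02", "10.0.0.31", frozenset({135, 445, 3389})),
    Host("wks-ceo", "10.0.1.50", frozenset({135, 445, 3389})),
)

RDP_PORT = 3389
SMB_PORT = 445


def vpn_reachable(hosts, routed_subnets=("10.0.0.0/16",), allowed_ports=None):
    """(host, port) pairs a VPN client can open a TCP connection to.

    A classic VPN pushes routes for whole subnets, so every listening port on
    every host in those subnets is reachable. allowed_ports models an optional
    port ACL on the VPN concentrator; None means unfiltered, which is the
    common default the thread complains about.
    """
    nets = [ipaddress.ip_network(s) for s in routed_subnets]
    reach = set()
    for h in hosts:
        if not any(ipaddress.ip_address(h.ip) in n for n in nets):
            continue
        for p in h.tcp_ports:
            if allowed_ports is None or p in allowed_ports:
                reach.add((h.name, p))
    return reach


def rdg_reachable(hosts, rap_computer_group):
    """(host, port) pairs reachable through an RD Gateway.

    The gateway proxies RDP only, and only to hosts listed in the resource
    authorization policy, so the surface is RDP on those hosts and nothing else.
    """
    return {(h.name, RDP_PORT)
            for h in hosts
            if h.name in rap_computer_group and RDP_PORT in h.tcp_ports}


def exposure_report(hosts, rap_computer_group, vpn_acl=None):
    """Summarise what each access method exposes to a compromised client."""
    vpn = vpn_reachable(hosts, allowed_ports=vpn_acl)
    rdg = rdg_reachable(hosts, rap_computer_group)
    return {
        "vpn_pairs": len(vpn),
        "rdg_pairs": len(rdg),
        "vpn_only": sorted(vpn - rdg),
        # SMB is the port worm-style malware such as the thread's Conficker
        # example uses to hop between machines.
        "smb_exposed_via_vpn": sorted(h for h, p in vpn if p == SMB_PORT),
        "smb_exposed_via_rdg": sorted(h for h, p in rdg if p == SMB_PORT),
    }


if __name__ == "__main__":
    rap = {"ts01", "ts02"}  # hypothetical RAP computer group
    print("Unfiltered VPN vs RD Gateway:")
    for k, v in exposure_report(INTERNAL_HOSTS, rap).items():
        print(" ", k, v)
    print("VPN with an RDP-only ACL vs RD Gateway:")
    for k, v in exposure_report(INTERNAL_HOSTS, rap, vpn_acl={RDP_PORT}).items():
        print(" ", k, v)
```

Running it shows the point of the argument: the unfiltered VPN exposes SMB on every host including the domain controller and the executive's workstation, while the gateway exposes RDP on two session hosts. The second run shows that an RDP-only ACL on the VPN narrows the gap but still reaches every RDP listener in the routed subnets, because a VPN ACL filters by port, not by which hosts a user is authorised to reach.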

Author Comment

by:lineonecorp
ID: 36989945
Thanks to both for clarifications.

ve3ofa:
"and wants to spread a bit of FUD" Please note that kevinhsieh has answered previous questions of mine and I have a good track record with him. I don't think saying somebody wants to spread 'FUD' is very useful. I don't think that's what kevinhsieh is doing - I don't think very many people consciously try to do that anyway. And even if a person is doing that, I think simply going after what you see as the FUD and refuting it point-by-point is a far better tactic than saying somebody is 'fudding'. I appreciate your answers and I appreciate Kevin's - debate and disagreement can happen to the best people, good people can disagree - it's the manner in which disagreement is voiced that makes the difference in whether a debate is high-spirited versus personal and nasty. End of my civics lecture, back to the tech talk.

You write: "And also that remote access supports management of the client machines (group policy, patch management etc)" Are you saying that Direct Access makes this possible/makes it better?



Assisted Solution

by:kevinhsieh
kevinhsieh earned 432 total points
ID: 36990080
Thanks lineonecorp.

If machines are connected via some sort of VPN connection, you get the same management capabilities as you do for machines inside the perimeter firewall, such as group policy updates. That can be useful. For patching, my machines all point to https://update.domain.com, which is available from both inside and the Internet, so even laptops that haven't been on the network for months still get patched and report on their update status via WSUS.

Author Comment

by:lineonecorp
ID: 36995025
Thanks. You write: "For patching, my machines all point to https://update.domain.com"

I take it that 'update.domain.com' is your domain, not MS directly?

Assisted Solution

by:kevinhsieh
kevinhsieh earned 432 total points
ID: 36995768
Yes, I am using WSUS.

Author Comment

by:lineonecorp
ID: 37014939
Thanks.