DirectAccess Seamless, secure, anytime remote connectivity without VPN

What is DirectAccess? advanced encryption, authentication, and • Provides the ability to apply granular DirectAccess is a new feature in the authorization technologies that enable all policy control over access to resources, points on a network to securely exchange applications, and servers. Windows® 7 and Windows Server® 2008 R2 information and data over the Internet. It operating systems that seamlessly connects • Integrates with Microsoft Server and is built on a foundation of proven industry remote users to the corporate network any Domain Isolation, Network Access standards such as Internet Protocol time they have Internet access. Protection (NAP), and BitLocker version 6 (IPv6) and Internet Protocol solutions, resulting in security, access, With DirectAccess, users can securely security (IPsec). DirectAccess supports and health requirement policies that access corporate resources (such a range of network scenarios, including seamlessly interoperate between as e-mail servers, shared folders, or pure IPv6 and IPsec environments (end- intranets and remote computers. intranet Web Sites) without having to to-end) non-IPsec intranets with IPv6 go through a application servers (end-to-edge), or Greater Manageability: (VPN). DirectAccess also enables IT IPv4-only application servers. administrators to manage remote • Helps ensure that machines both on computers as if they were on the Key Solution Benefits the network and off are always healthy, corporate network. managed, and up-to-date. Improved Productivity: • Provides administrators with the How does it work? • Helps improve the productivity of ability to update Group Policy settings Unlike VPNs, which require user remote staff by providing the same, and distribute software updates any intervention to initiate a remote always-on connectivity experience no time a remote computer has Internet connection to an intranet, DirectAccess matter if users are inside or outside the connectivity, even if the user is not automatically establishes a bi-directional corporate network. logged on. connection from client computers to the • Helps ensure that organizations can corporate network. Secure Connectivity: meet regulatory and privacy mandates DirectAccess is based on a • Leverages IPsec for authentication for security and data protection for deperimitization model that uses and encryption. assets that must roam beyond the corporate network.

DirectAccess clients access the intranet using IPv6 and IPsec.

Domain Controller / DNS Server Intranet

DirectAccess Internet DirectAccess Client Server

Application Servers DirectAccess

System Requirements Features List Resources

• DirectAccess server running • Always-on connectivity that requires Web Sites and White Papers Windows Server 2008 R2 along with no end-user steps to access corpnet. • http://www.microsoft.com/ network adaptors for the Internet • Remote management, updating, directaccess and the Intranet. and health maintenance of remote • http://technet.microsoft.com/en- • DirectAccess clients running computers even when the end user is us/network/dd420463.aspx Windows 7. not logged on. Demo • At least one domain controller and • Granular policy controls for (DNS) server authorized access to corpnet • http://www.microsoft. running Windows Server 2008 or resources and servers. com/windows/enterprise/ Windows Server 2008 R2. videos/windows-7/default. • Tight integration with policy-based aspx#Introduction • A public key infrastructure (PKI) to network access approach. issue computer certificates, smart • Support for multifactor authentication card certificates, and, for NAP, health such as smart cards. DirectAccess and NAP certificates. For more information, see http://www.microsoft.com/pki. • IPsec authentication and encryption. By using Microsoft Network Access Protection (NAP) with DirectAccess, • IPsec policies to specify protection • Support for non IPsec and non-IPv6 a non-compliant client computer for traffic. For more information, see environments (e.g., using IPv6-over- that becomes infected with http://www.microsoft.com/ipsec. IPv4 tunneling with 6to4 or Teredo). malware can have its intranet access • IPv6 transition technologies available limited to prevent the spread of for use on the DirectAccess server: malware. NAP is not required to use ISATAP, Teredo, and 6to4. DirectAccess, but it is recommended. For more information on NAP, see • NAT-PT device to provide access http://www.microsoft.com/nap. to IPv4-only resources for DirectAccess clients.

© 2009 Microsoft Corporation. All rights reserved. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.