Many IT professionals mistakenly believe that DirectAccess is just another VPN solution. While there are some similarities between these technologies, both in terms of the underlying technology and function, there are some significant differences between the two. If you’re comparing DirectAccess to VPN, here are some essential points to consider.
Virtual Private Networking (VPN) has been around for ages. VPN is a mature, well understood technology that has been widely deployed, and today remains the de facto standard for providing secure remote access. VPN has broad client support, on both traditional computing platforms and mobile operating systems. VPNs today include support for modern protocols and integrate with numerous multifactor authentication platforms.
There are some serious drawbacks to implementing traditional client-based VPN. VPN connections are user initiated and therefore optional. It is up to the user to decide if and when they connect to the corporate network. Many VPNs require additional software to work, which must be deployed and maintained. Establishing connections is potentially problematic too, as some VPN protocols aren’t firewall friendly and don’t work in many locations.
From a security perspective, because anyone can attempt a connection to the VPN from any client, strong authentication becomes an essential requirement. Integrating multifactor authentication makes the implementation more complex and difficult to support. It often requires additional hardware, licensing, and support costs.
VPNs can be costly to implement and support. They typically require expensive proprietary hardware and dedicated management skill sets. Many VPN solutions also have additional licensing costs associated with them. Scaling a VPN solution requires additional investments in hardware devices, adding to the overall cost of the solution.
DirectAccess is a relative newcomer to the world of secure remote access. First introduced with Windows Server 2008 R2, DirectAccess differs fundamentally from VPN by virtue of its seamless and transparent, always-on connection. DirectAccess connections are established by the machine, not the user. They are secure and authenticated, and are established automatically whenever the DirectAccess client has an active Internet connection. DirectAccess connections are also bidirectional, which is an important distinction. The ability to “manage out” to remote connected DirectAccess clients enables compelling new uses cases for IT administrators.
Addressing VPN Pain Points with DirectAccess
DirectAccess connections are inherently more secure than VPN. Unlike VPN, DirectAccess clients must be joined to the domain and, in most configurations, they must also have a certificate issued by the organization’s private, internal Public Key Infrastructure (PKI). This essentially serves as a type of multifactor authentication for the connecting device, resulting in a much higher level of assurance for remote connections. DirectAccess can also support integration with many existing multifactor authentication providers to provide strong authentication for the user, if desired.
DirectAccess is very firewall friendly and works anywhere the user has an active Internet connection. It requires no additional software to be installed, and the seamless and transparent nature of DirectAccess makes it much easier to use than VPN. All of this improves end user productivity and reduces associated management overhead for the solution.
DirectAccess is a more cost-effective alternative to VPN. DirectAccess can be deployed on existing infrastructure (physical or virtual) and does not require proprietary hardware. This makes it much easier and far less expensive to add additional capacity, if required. DirectAccess can also be managed using existing systems management tools and Windows administration skills and does not have any per-user licensing requirements, which results in additional cost savings over VPN.
DirectAccess Limitations and Drawbacks
DirectAccess is not a comprehensive remote access solution. It is designed for managed (domain-joined) Windows clients only. In addition, DirectAccess clients must be provisioned with the Enterprise edition SKU. Also, there are a few cases in which applications may not be compatible with DirectAccess. In addition, there is no support for DirectAccess on non-managed Windows machines, non-Enterprise SKUs, or any devices using non-Windows operating systems, so a VPN might still be required.
DirectAccess or VPN?
You might be asking yourself, “DirectAccess or VPN?” Why not both? After all, DirectAccess and VPN aren’t mutually exclusive. They are, in fact, quite complimentary. DirectAccess can be used to provide secure remote access and enhanced management for Windows laptops managed by IT, while VPN can be deployed for non-managed devices. While you may not be able to entirely eliminate VPN with DirectAccess, it will certainly allow you to decrease the number of existing VPN licenses and reduce your investment in proprietary hardware, management tools, and dedicated administrators, all of which translates in to reduced capital investment and operational costs.
DirectAccess is not simply another VPN solution. While it does provide secure remote corporate network connectivity, it does so more securely and more cost effectively than traditional VPN does. DirectAccess is unrivaled in its security and ease of use, dramatically improving end user productivity and reducing associated infrastructure and support costs. DirectAccess can be deployed on current physical and virtual infrastructure, and can be managed using existing Windows systems management tools and skill sets.
If you’d like to learn more about how DirectAccess can benefit your organization, or you would like some assistance with a DirectAccess proof of concept implementation, consider a DirectAccess consulting engagement today. I’m here to help plan, design, implement, and support DirectAccess and ensure the best chance of success for your deployment.