Always On VPN and the Future of Microsoft DirectAccess

Since the introduction of Windows Server 2012 in September of 2012, no new features or functionality have been added to DirectAccess. In Windows Server 2016, the only real change aside from bug fixes for DirectAccess is the removal of Network Access Protection (NAP) integration support.

Always On VPN and the Future of Microsoft DirectAccessFigure 1. Remote Access Setup wizard with NAP integration option in Windows Server 2012/R2.

Always On VPN and the Future of Microsoft DirectAccess

Figure 2. Remote Access Setup wizard without NAP integration option in Windows Server 2016.

DirectAccess Roadmap

It’s clear to see that Microsoft is no longer investing in DirectAccess, and in fact their field sales teams have been communicating this to customers for quite some time now. Microsoft has been actively encouraging organizations who are considering a DirectAccess solution to instead implement client-based VPN with Windows 10.

Always On VPN

New features introduced in the Windows 10 Anniversary Update allow IT administrators to configure automatic VPN connection profiles. This Always On VPN connection provides a DirectAccess-like experience using traditional remote access VPN protocols such as IKEv2, SSTP, and L2TP/IPsec. It comes with some additional benefits as well.

  • Conditional access and device compliance with system health checks
  • Windows Hello for Business and Azure multifactor authentication
  • Windows Information Protection (WIP) integration
  • Traffic filters to restrict VPN network access
  • Application-trigger VPN connections

DirectAccess Deprecated?

There has been rampant speculation that Microsoft plans to deprecate and retire DirectAccess. While that may in fact be true, Microsoft has yet to make a formal end-of-life announcement. There’s no reason DirectAccess and VPN couldn’t co-exist, so it’s not a certainty Microsoft will do this. However, there’s also no need to have multiple remote access solutions, and it is abundantly clear that the future for Microsoft remote access is Always On VPN and not DirectAccess.

Always On VPN and the Future of Microsoft DirectAccess

Source: https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn-top#advanced-vpn-connectivity

Always On VPN Advantages and Disadvantages

Windows 10 Always On VPN has some important advantages over DirectAccess. It has some crucial limitations as well.

Advantages

  • Always On VPN supports non-Enterprise Windows 10 client SKUs (Windows 10 Home and Professional)
  • Always On VPN includes support for granular network access control
  • Always On VPN can use both IPv4 and IPv6
  • Always On VPN is infrastructure independent. In addition to supporting Windows RRAS, any third-party network device can be used such as Cisco, Checkpoint, Juniper, Palo Alto, SonicWALL, Fortinet, Sophos, and many more

Disadvantages

  • Always On VPN works only with Windows 10. It is not supported for Windows 7
  • Always On VPN cannot be managed natively using Active Directory and group policy. It must be configured and managed using Microsoft System Center Configuration Manager (SCCM), Microsoft Intune, or PowerShell

DirectAccess or Always On VPN?

Should you deploy DirectAccess today or implement Always On VPN with Windows 10 instead? That depends on a number of factors. It’s important to understand that DirectAccess is fully supported in Windows Server 2016 and will likely be for many years to come. If DirectAccess meets your needs today, you can deploy it with confidence that it will still have a long support life. If you have reservations about the future viability of DirectAccess, and if you meet all of the requirements to support Always On VPN with Windows 10, then perhaps that’s a better choice. If you’d like to discuss your remote access options in more detail, fill out the form below and I’ll get in touch with you.

Additional Resources

NetMotion Mobility as an Alternative to DirectAccess

DirectAccess vs. VPN

Always On VPN Deployment Guide for Windows Server 2016 and Windows 10

Planning and Implementing DirectAccess with Windows Server 2016 Video Training Course on Pluralsight

Managing and Supporting DirectAccess with Windows Server 2016 Video Training Course on Pluralsight

Implementing DirectAccess with Windows Server 2016 Book

POODLE and DirectAccess

Recently a new and very serious vulnerability in the SSL 3.0 protocol has been discovered that allows an attacker to recover sensitive information for an encrypted session. As DirectAccess uses SSL and TLS as part of the IP-HTTPS IPv6 transition protocol, I’ve had many customers ask me about mitigating this vulnerability on a DirectAccess server.

POODLE and DirectAccess

Figure 1 – Qualys SSL Labs Server Test Score for DirectAccess IP-HTTPS

However, is mitigating the POODLE attack on a DirectAccess server really necessary? Recall that, as I’ve discussed previously, the IP-HTTPS IPv6 transition protocol is only used to tunnel IPv6 traffic from the DirectAccess client to the DirectAccess server over the public IPv4 Internet. This traffic is already encrypted with IPsec, so there’s really nothing an attacker would gain by leveraging the POODLE attack on a DirectAccess session.

The recommended mitigation for the POODLE attack is to disable the use of SSL 3.0 on servers and clients. If you have deployed DirectAccess by itself, there’s no need to implement this mitigation as there is no real risk associated with this attack in this specific scenario. However, there are no negative side effects for doing so, and if you wish to disable SSL 3.0 just to avoid future audit findings, I see no problem with that.

If your DirectAccess server is also configured to support client-based VPN and you’ve enabled the Secure Sockets Tunneling Protocol (SSTP) then mitigating the POODLE attack is an excellent idea. SSTP also uses SSL and TLS, so this session could be hijacked by an attacker and sensitive information might be disclosed.

To disable SSL 3.0 on the DirectAccess server, execute the following commands from an elevated PowerShell window.

New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" -Force
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" -PropertyType dword -Value 0 -Name Enabled

A restart of the server is required for the changes to take effect. To audit your DirectAccess server’s SSL and TLS configuration, visit the Qualys SSL Labs server test site. For more information about the POODLE SSL 3.0 vulnerability, click here.

DirectAccess IP-HTTPS Null Encryption and SSTP VPN

An important scalability improvement introduced in Windows Server 2012 DirectAccess is the support for null encryption for Windows 8.x DirectAccess clients using the IP-HTTPS IPv6 transition protocol. Using null encryption eliminates the overhead imposed by the needless encryption of DirectAccess IPsec communication, which itself is already encrypted. This double encryption significantly increases resource consumption on both the client and server, and can have a negative impact on scalability and performance. When a Windows 8.x client establishes an IP-HTTPS connection to a Windows Server 2012 or 2012 R2 DirectAccess server, it will negotiate only cipher suites that use null encryption. Windows 7 clients cannot take advantage of null encryption and continue to use encrypted cipher suites.

Note: It is possible to replicate some of the benefits of null encryption for Windows 7 clients using an Application Delivery Controller (ADC) such as the F5 Networks Local Traffic manager (LTM) to perform SSL offloading. See SSL Offload for IP-HTTPS DirectAccess Traffic from Windows 7 Clients using F5 BIG-IP for more information.

For both performance and scalability, the best deployment results are achieved when using a Windows Server 2012 or 2012 R2 DirectAccess server and Windows 8.x clients. However, null encryption for IP-HTTPS is no longer available in the scenario where client-based remote access VPN is configured on the same server as DirectAccess. As you can see below, when DirectAccess is deployed by itself, the server offers null encryption cipher suites which Windows 8.x clients can take advantage of.

DirectAccess IP-HTTPS Null Encryption and SSTP VPN

Figure 1 – Cipher Suites for DirectAccess Only

However, when the client-based remote access VPN role is enabled on the same DirectAccess server, null encryption cipher suites are no longer available for use by DirectAccess clients.

DirectAccess IP-HTTPS Null Encryption and SSTP VPN

Figure 2- Cipher Suites for DirectAccess and VPN

This occurs because the Secure Sockets Tunneling Protocol (SSTP) client-based remote access VPN protocol requires SSL/TLS encryption to provide confidentiality for tunneled network communication. Unfortunately, disabling support for SSTP alone does not return null encryption cipher suites for DirectAccess clients unless the VPN role is removed completely. Of course none of this is readily apparent to the administrator, who may be completely unaware that they’ve sacrificed the efficiency of IP-HTTPS null encryption for Windows 8.x clients in order to support SSTP for client-based remote access VPN clients.

Note: There are additional scenarios in which null encryption for Windows 8.x DirectAccess clients is not supported. For example, if you enable the Web Application Proxy (WAP) role on the DirectAccess server, or if you configure DirectAccess to use one-time password (OTP) authentication, null encryption support is lost for Windows 8.x clients.

If you plan to support Windows 8.x clients using IP-HTTPS and want to take full advantage of the scalability and performance benefits associated with IP-HTTPS null encryption in Windows Server 2012/R2 DirectAccess, it is recommend that you deploy client-based remote access on a separate system.

Features Deprecated in Forefront UAG Service Pack 3

With the recent release of Service Pack 3 (SP3) for Microsoft Forefront Unified Access Gateway (UAG) 2010, Microsoft has published a list of features in UAG SP3 that have been deprecated. To be clear, this does not mean these features cease to function after you install SP3 on UAG! It is simply meant to give network engineers and security administrators an idea about what features are likely to be removed from future releases of Forefront UAG. Some of the deprecated features should come as no surprise. For example, DirectAccess support in Forefront UAG is now deprecated in favor of DirectAccess in Windows Server 2012. Also, features such as Secure Sockets Tunneling Protocol (SSTP) for client-based remote access are better handled using the remote access role in Windows Server 2012. Other deprecated features may present more of a challenge if you’ve been relying on them to provide secure remote access to applications, such as the deprecation of support for some authentication repositories (e.g. Novell Directory, Notes Directory, TACACS) or the Java-based Session Cleanup tool. For a complete list of deprecated features in Forefront UAG SP3, click here.

Overview of New DirectAccess Features in Windows Server 2012

Microsoft recently announced the Release to Manufacturing (RTM) for Windows Server 2012. Windows Server 2012 includes a new Unified Remote Access role that provides many new and exciting features. Along with significant enhancements to DirectAccess, the Routing and Remote Access Service (RRAS) can now be co-located with DirectAccess server to provide legacy remote access VPN client connectivity (PPTP, L2TP/IPsec, and SSTP) as well as site-to-site VPN. Windows Server 2012 can now serve as your consolidated remote access solution and can be managed from a single management console. Here’s an overview of some of the compelling new features found in Windows Server 2012 DirectAccess.

Simplified and Flexible Deployment

Windows Server 2012 DirectAccess includes a new simplified deployment model makes implementing DirectAccess incredibly simple. After adding the Remote Access role, configuring DirectAccess can be done, quite literally, in just three mouse clicks. The new simplified deployment model does have some limitations, so the deployment wizard includes the flexibility to fully customize the implementation according to your specific requirements. Also, DirectAccess in Windows Server 2012 now supports deployment behind an existing edge firewall or border router/NAT device. Previous versions of DirectAccess had a hard requirement to be placed directly on the network edge and have two public IPv4 addresses assigned to it. In addition, Windows Server 2012 DirectAccess now also supports a single network adapter configuration, allowing the remote access gateway to be deployed inside of an existing perimeter network or DMZ. Another significant improvement with DirectAccess in Windows Server 2012 is support for multiple network entry points for DirectAccess clients. This feature is essential for large organizations with a requirement for automatic and transparent redundancy and intelligent client roaming. To simplify deployment and management, PowerShell 3.0 included with Windows Server 2012 can be used to fully automate and manage all aspects of the Unified Remote Access and DirectAccess gateway role. Finally, Windows Server 2012 also supports Offline Domain Join which allows administrators to join computers to the domain without having corporate network connectivity.

Reduced Infrastructure Requirements

A major limitation to DirectAccess in Windows Server 2008 R2 was the requirement for running IPv6 on the internal corporate network. As a workaround, Forefront Unified Access Gateway (UAG) 2010 could be deployed in the DirectAccess gateway role as it included protocol translators (DNS64 and NAT64) which allowed DirectAccess clients to communicate with intranet resources that were running only IPv4. However, deploying Forefront UAG added expense and complexity to the solution. Forefront UAG 2010 is no longer required to support this scenario, as the DNS64 and NAT64 protocol translators are now included in Windows Server 2012 DirectAccess. The new simplified deployment model eliminates the requirement for a Public Key Infrastructure (PKI), although certificates are still required for authentication so self-signed certificates are employed. A PKI is still the recommended and preferred way to implement certificates, and in fact a PKI is a requirement in certain deployment scenarios, such as when forced tunneling is configured, or when strong authentication or Network Access Protection integration is required.

Performance, Scalability and High Availability Improvements

The Microsoft core networking team did a tremendous job addressing the performance and scalability limitations of previous iterations of DirectAccess. A common complaint from those who have deployed earlier versions of DirectAccess was the performance of the IP-HTTPS transition protocol. In a nutshell, a DirectAccess client would fall back to using IP-HTTPS for DirectAccess communication when it was located behind a NAT device that was also preventing outbound UDP 3544. When this occurred, IPsec encrypted tunnels would then be encrypted again with SSL/TLS. This placed heavy demands on both the client and server side of the tunnel and severely reduced performance and limited scalability. In Windows Server 2012 DirectAccess, IP-HTTPS performance is on par with that of Teredo, as IP-HTTPS now uses null encryption for DirectAccess communication, eliminating the redundant and needless double encryption. With the simplified deployment scenario, only a single IPsec tunnel is required for DirectAccess corporate network connectivity. Requiring just one IPsec tunnel for each client reduces the processing load on the DirectAccess gateway significantly in large scale deployments. In terms of reliability, true high availability is now included with DirectAccess in Windows Server 2012 with the inclusion of Network Load Balancing (NLB) support for DirectAccess gateways. NLB provides efficient active/active clustering capabilities that offer more flexible scalability than using failover clustering in previous DirectAccess releases.

Security

DirectAccess in Windows Server 2012 includes additional security options. DirectAccess now natively supports strong authentication using RADIUS One-Time Passwords (OTP), and also supports Virtual Smart Cards hosted on the mobile computer’s Trusted Platform Module (TPM). The Unified Remote Access role can be deployed on Server Core, which substantially improves the overall security of the solution by reducing the attack surface, while at the same time decreasing system downtime by reducing the number of updates required by the operating system. In addition, a new feature of the Windows 8 client prompts the user for network credentials, if necessary, to facilitate remote corporate network connectivity when the DirectAccess client is located behind an authenticating proxy.

As you can see, there are many new and exciting features and capabilities included in the new Unified Remote Access role on Windows Server 2012. Many of these features will greatly simplify the configuration, deployment, and management of remote access and DirectAccess. Also, many of the new capabilities provided with Windows Server 2012 DirectAccess effectively eliminate the need to deploy Forefront Unified Access Gateway (UAG) 2010, making the overall solution less complex and more cost effective. Windows Server 2012 DirectAccess will provide support for Windows 7 Enterprise and Ultimate clients. However, Windows 8 Enterprise clients will be required to take full advantage of many of the new advanced features of Windows Server 2012 DirectAccess.

%d bloggers like this: