Anyone using Microsoft DirectAccess?

Anyone out there using this technology to replace VPN? If so, care to share any stories on how it went and if it was worth the effort?

Looking at implementing it here, but I can't get my head around how you'd end up with one DA server sitting between the Internet and Intranet infrastructures, i.e. a single point of failure and a pretty critical one at that.
 
I've got it set up in a test lab, but as of yet haven't got the inclination to spend the time rolling it out to our live network. We only have (at the best of times) 3-4 regularly external workers.
 
We are going to do it - we are setting up the PKI at the moment. I doubt it will replace VPN as users will still use home PCs for some VPN access. We will be targeting it at domain based machines (i.e. laptops belonging to the business). It seems a great idea, admittedly. Be interesting to see how it works.
 
As oddjob says, UAG can be used for this. I've looked at it, currently looking at a solution based on 2 x 10mb circuits to a supplier's datacentre and a 10mb internet service from there (for resilience of circuit to DC and then the DC has resilient routing for its internet connection), 2 UAG appliances scaled to cope with 10k users each (we have nowhere near that amount of remote users, currently about 600 full IPsec VPN, but publish webmail to 15k plus over SSL).

Costs are coming out in the region of £40k for the appliances with £14k ongoing costs, and £27k for the circuits and internet connection in the DC, with ongoing costs of about £6k.

/edit. Should say I have no CALs to buy for this either as I get them through an enterprise agreement! :D
 
How exactly does this work? I've only had a quick read while looking through my Windows 7 book yesterday.

As soon as the machine finds an internet connection, it connects into the company network, essentially. Authenticates machines/users using PKI infrastructure. I suppose it is like VPN, but seamless - invisible to the user for all intents and purposes.
 
Cheers guys. I haven't been bothered to read through the planning guide yet so this might be an obvious question but here's our pretty standard, current setup:

Internet -> Router -> Firewall -> Switches -> Servers/Clients

We are talking a requirement for say maybe a dozen remote clients, therefore load balancing might be a bit OTT. In this example would I put in a DA server between the firewall and switches, which would be a single point of failure that would cut off network access both ways in the event of a server crash:

Internet -> Router -> Firewall -> DA Server -> Switches -> Servers/Clients

Or can I split the traffic after it leaves the firewall so that internal clients don't have to go via the DA server to get out to the Internet?
 