Windows Server 2012 DirectAccess
One of the significant remote-access
enhancements in Windows Server 2008 R2 was the DirectAccess technology,
which has been further enhanced in Windows Server 2012. DirectAccess
enables remote users to access network resources such as file shares,
SharePoint shares, and the like without having to launch a virtual
private network (VPN) to gain access into the network.
DirectAccess is an amazing technology that
combines sophisticated security technology and policy-based access
technology to provide remote access to a network. However,
organizations do find it challenging to get up to speed with all the
technology components necessary to make DirectAccess work. So, although
many organizations will seek to achieve DirectAccess capabilities, it
might be months or a couple of years before all the technologies are in
place for the organization to easily enable DirectAccess in their
enterprise environment.
Technologies required to make DirectAccess work include the following:
• PKI certificates / Kerberos—DirectAccess
supports both PKI certificates and Kerberos for identifying the remote
device and as the basis for encrypted communications between the
remote device and the network. The simpler model is to use Kerberos
because no additional certificate infrastructure has to be implemented
to support DirectAccess. However, to use Kerberos, the endpoint needs
to be a Windows 8 client system or tablet. For backward compatibility
with Windows 7 endpoints, PKI certificates are still supported.
• Windows 7 and Windows 8 clients—DirectAccess
only works with clients that are running Windows 7 or Windows 8. The
client component for encryption, encapsulation, and policy control
depends on Windows 7 or Windows 8 to make all the components work
together. The improvements in DirectAccess in Windows Server 2012,
which include site-level redundancy and the simplification of using
Kerberos instead of PKI certificates, come only when Windows 8 clients
are used. If the organization also has Windows 7 clients, DirectAccess
can be configured with certificate-based support for the Windows 7
endpoints alongside the simpler Kerberos-based support for Windows 8.
• IPsec—The policy
control used in DirectAccess leverages IPsec to identify the
destination resources that a remote user should have access to. IPsec
can be endpoint to endpoint (that is, from the client system all the
way to the application server) or IPsec can be simplified from the
client system to a DirectAccess proxy server where the actual endpoint
application servers do not need to be IPsec enabled. In any case, IPsec
is a part of the security and policy structure that ensures the remote
client system is only accessing server resources that by policy the
remote client should have access to as part of the DirectAccess session
connection.
• IPv6—Lastly,
DirectAccess uses IPv6 as the IP session identifier. Although most
organizations have not yet implemented IPv6 and most on-ramps to the
Internet are still IPv4, tunneling of IPv6 is fully supported in
Windows 7 and Windows Server 2012 and can be used in the interim until
IPv6 is fully adopted. For now, IPv6 is a requirement of DirectAccess
and is used as part of the remote-access solution.
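The four requirements listed above can be checked on a candidate endpoint before it is enrolled. The following script is an added example, not the book's or Microsoft's code; it relies only on WMI classes and the certificate provider that exist on both Windows 7 (PowerShell 2.0) and Windows 8, and the readiness rule and the report layout are this example's own assumptions.

```powershell
# Added example (not from the book): client-side readiness check for the
# DirectAccess prerequisites (supported OS, domain membership, IPv6 bound,
# and either Kerberos-capable OS or a client-authentication certificate).
# Run in an elevated PowerShell session on the prospective endpoint.

function Test-DirectAccessClientReadiness {
    [CmdletBinding()]
    param()

    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $cs  = Get-WmiObject -Class Win32_ComputerSystem
    $ver = [version]$os.Version

    # Windows 7 reports kernel 6.1, Windows 8 reports 6.2. Only these (and later)
    # carry the DirectAccess client components.
    $isWin7OrLater = $ver -ge [version]'6.1'
    $isWin8OrLater = $ver -ge [version]'6.2'

    # IPv6 must be bound on at least one IP-enabled adapter: DirectAccess keys its
    # session on IPv6 even when the path to the Internet is IPv4 and tunnelled.
    # (A link-local-only list means the stack is enabled but no tunnel is up.)
    $ipv6Addresses = @(Get-WmiObject -Class Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled } |
        ForEach-Object { $_.IPAddress } |
        Where-Object { $_ -like '*:*' })

    # Windows 7 endpoints need a computer certificate with the Client
    # Authentication EKU (1.3.6.1.5.5.7.3.2) and a private key in the machine
    # store. Windows 8 endpoints can use Kerberos, so the certificate is optional.
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    $now = Get-Date
    $machineCerts = @(Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and $_.NotAfter -gt $now -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
        })

    $authModel = if ($isWin8OrLater)          { 'Kerberos (certificate optional)' }
                 elseif ($machineCerts.Count) { 'PKI certificate' }
                 else                         { 'None available' }

    # Readiness rule (this example's own): supported OS, domain joined, IPv6
    # present, and an available identification model.
    $ready = $isWin7OrLater -and [bool]$cs.PartOfDomain -and
             ($ipv6Addresses.Count -gt 0) -and
             ($isWin8OrLater -or $machineCerts.Count -gt 0)

    New-Object -TypeName PSObject -Property @{
        ComputerName        = $cs.Name
        OSVersion           = $os.Version
        SupportedClientOS   = $isWin7OrLater
        DomainJoined        = [bool]$cs.PartOfDomain
        IPv6Addresses       = $ipv6Addresses
        ClientAuthCerts     = @($machineCerts | ForEach-Object { $_.Thumbprint })
        AuthenticationModel = $authModel
        Ready               = $ready
    }
}

Test-DirectAccessClientReadiness | Format-List
```

The report is deliberately conservative: it flags a Windows 7 machine without a usable machine certificate as not ready even though the operating system is supported, because on that platform the certificate is the only identification model DirectAccess accepts.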
Windows Server 2012 has greatly enhanced the
technology offerings that provide better redundancy and site-to-site
mobility, effectively providing more than one DirectAccess gateway
server without the need to purchase Unified Access Gateway (UAG), which
was almost a requirement for high availability and redundancy of
DirectAccess in Windows 2008 R2.
If a remote or branch office has
limited IT support, or simply needs the same functionality and
reliability as the main corporate or business office, DirectAccess
provides seamless access from end clients without the need to purchase
expensive hardware and software; you don’t have to purchase costly
redundant hardware add-ins, either. With the Windows Server 2012
branch office resources, a remote location can have high security, high
performance, access to data without significant latency, and
operational capabilities, even if the remote site is cut off from the
network because of a WAN or Internet connection problem.
RODCs for the Branch Office
The RODC provides a copy of the Active
Directory global catalog for logon authentication of select users and
communications with the Active Directory tree without having the
security exposure of a full global catalog server in the remote
location. Many organizations concerned with distributed global catalog
servers chose not to place a server in a remote location, but rather
kept their global catalog and domain controllers centralized. What this
meant for remote and branch offices was that all logon authentication
had to go across the WAN or Internet connection, which could be very
slow. And in the event of a WAN or Internet connection failure, the
remote or branch office would be offline because users could not
authenticate to the network and access network resources until the WAN
or Internet connection was restored.
RODCs provide a way for
organizations to distribute authentication and Active Directory access
without increasing their security risk caused by the distribution of
directory services.
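The security exposure an RODC limits is the set of account secrets cached on the branch server, which is governed by its Password Replication Policy (PRP). The following audit is an added example, not the book's or Microsoft's code; it uses the Active Directory module cmdlets that ship with Windows Server 2012, and the list of protected groups and the report fields are this example's own choices.

```powershell
# Added example (not from the book): audits each RODC's Password Replication
# Policy and reports which account secrets are actually present on the RODC,
# flagging any that belong to the protected groups in $ProtectedGroups.
Import-Module ActiveDirectory

function Get-RodcSecretExposure {
    [CmdletBinding()]
    param(
        # Groups whose members' secrets should never be cached on a branch RODC
        # (this example's choice; extend to match local policy).
        [string[]]$ProtectedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')
    )

    # Resolve protected group membership once, keyed by SamAccountName.
    $protectedMembers = @{}
    foreach ($group in $ProtectedGroups) {
        Get-ADGroupMember -Identity $group -Recursive |
            ForEach-Object { $protectedMembers[$_.SamAccountName] = $group }
    }

    foreach ($rodc in (Get-ADDomainController -Filter { IsReadOnly -eq $true })) {
        # The PRP itself: principals explicitly allowed or denied for this RODC.
        $allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed)
        $denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied)

        # Usage: accounts whose secrets are physically stored on the RODC
        # (revealed), and accounts that have authenticated through it.
        $revealed      = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts)
        $authenticated = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts)
        $revealedNames = @($revealed | ForEach-Object { $_.SamAccountName })

        # A protected account with a revealed secret is exactly the exposure the
        # RODC design exists to prevent; expect this list to be empty.
        $privilegedRevealed = @($revealed |
            Where-Object { $protectedMembers.ContainsKey($_.SamAccountName) } |
            ForEach-Object { $_.SamAccountName })

        # Branch users who authenticate through the RODC but are not cached still
        # depend on the WAN; they are candidates for the allowed list.
        $uncached = @($authenticated |
            Where-Object { $revealedNames -notcontains $_.SamAccountName } |
            ForEach-Object { $_.SamAccountName })

        New-Object -TypeName PSObject -Property @{
            RODC                   = $rodc.HostName
            Site                   = $rodc.Site
            AllowedPrincipals      = $allowed.Count
            DeniedPrincipals       = $denied.Count
            RevealedAccounts       = $revealed.Count
            AuthenticatedNotCached = $uncached
            PrivilegedRevealed     = $privilegedRevealed
        }
    }
}

Get-RodcSecretExposure | Format-List
```

When the report shows branch users under AuthenticatedNotCached, they can be added to that RODC's allowed list with Add-ADDomainControllerPasswordReplicationPolicy -AllowedList, which keeps the caching decision explicit per site rather than caching every account that happens to authenticate.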
BranchCache File Access
New to Windows Server 2008 R2 and further
expanded in Windows Server 2012 is a role called BranchCache.
BranchCache is a technology that provides users with better access to
files across a WAN. Normally, if one user accesses a file, the file is
transferred across the WAN for the user, and then when another user
accesses the same file, the same file is again transferred across the
WAN for the other user. BranchCache acknowledges that a file has been
transferred across the WAN by a previous user, and instead of
retrieving the file across the WAN, the file is accessed locally by the
subsequent user.
BranchCache requires Windows 7 or Windows 8
on the client side and can be set up so that the file is effectively
retrieved in a peer-to-peer manner from another Windows 7 or Windows 8
client that had previously accessed a file. Or, a Windows Server 2012
server with the BranchCache server role can be set up in the remote
location where remotely accessed files are temporarily cached for other
Windows 7 and Windows 8 client users to seamlessly access the files
locally instead of being downloaded across the WAN.
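The two client modes and the two server-side pieces described above map onto a handful of commands. The script below is an added example, not the book's or Microsoft's code; it assumes a Windows Server 2012 file server, an optional Windows Server 2012 hosted cache server in the branch, and Windows 7 or Windows 8 clients, and the function names and the 10% cache allocation are this example's own choices.

```powershell
# Added example (not from the book): configures the BranchCache pieces in the
# order a practitioner would deploy them (content server, optional hosted cache
# server, then clients) and summarises the resulting state.

function Enable-BranchCacheContentServer {
    # Run on the Windows Server 2012 file server that hosts the shares. Installs
    # the BranchCache for Network Files role service and marks each share for
    # caching so clients can fetch content from the branch instead of the WAN.
    param([Parameter(Mandatory=$true)][string[]]$ShareName)
    Import-Module ServerManager
    Install-WindowsFeature -Name FS-BranchCache | Out-Null
    foreach ($name in $ShareName) {
        Set-SmbShare -Name $name -CachingMode BranchCache -Force
    }
}

function Enable-BranchCacheHostedServer {
    # Run on the branch-office Windows Server 2012 server that will hold the
    # cache (hosted cache mode).
    Import-Module ServerManager
    Install-WindowsFeature -Name BranchCache | Out-Null
    Enable-BCHostedServer
}

function Set-BranchCacheClientMode {
    # Run on each Windows 7 or Windows 8 client. Distributed mode fetches from
    # peers; hosted mode fetches from the named branch server.
    param(
        [Parameter(Mandatory=$true)][ValidateSet('Distributed','Hosted')][string]$Mode,
        [string]$HostedCacheServer,
        [uint32]$CachePercent = 10   # share of the system volume used for the cache
    )
    if ($Mode -eq 'Hosted' -and -not $HostedCacheServer) {
        throw 'Hosted mode requires -HostedCacheServer.'
    }
    $isWin8 = [Environment]::OSVersion.Version -ge [version]'6.2'
    if ($isWin8) {
        # Windows 8 ships the BranchCache module.
        if ($Mode -eq 'Distributed') { Enable-BCDistributed }
        else { Enable-BCHostedClient -ServerNames $HostedCacheServer }
        Set-BCCache -Percentage $CachePercent
    } else {
        # Windows 7 has no BranchCache cmdlets; netsh is the supported interface.
        if ($Mode -eq 'Distributed') {
            netsh branchcache set service mode=distributed | Out-Null
        } else {
            netsh branchcache set service mode=hostedclient location=$HostedCacheServer | Out-Null
        }
        netsh branchcache set cachesize size=$CachePercent percent=TRUE | Out-Null
    }
}

function Get-BranchCacheSummary {
    # Windows 8 / Windows Server 2012 only: reports whether caching is on, the
    # client mode in force, and how much content is currently cached.
    $status = Get-BCStatus
    New-Object -TypeName PSObject -Property @{
        Enabled    = $status.BranchCacheIsEnabled
        Service    = $status.BranchCacheServiceStatus
        ClientMode = $status.ClientConfiguration.CurrentClientMode
        CacheBytes = (Get-BCDataCache).CurrentActiveCacheSize
    }
}

# Placeholder names for a branch deployment; substitute real share and host names.
# Enable-BranchCacheContentServer -ShareName 'Projects','Policies'   # on the file server
# Enable-BranchCacheHostedServer                                     # on the branch server
# Set-BranchCacheClientMode -Mode Hosted -HostedCacheServer 'branch-cache01'
# Get-BranchCacheSummary
```

The calls at the end are commented out because each function runs on a different machine; the summary function is the one to run on a client after the first few file accesses, to confirm that CacheBytes is growing and that the mode matches what was configured.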
BranchCache does not require the
user to do anything differently. Users simply access files as they
normally do (either off a Windows file system or from a SharePoint
document library), and the combination of a Windows 7 or Windows 8
client and Windows Server 2012 does all the caching automatically.
BranchCache has proven to improve access time on average 30% to 45% for
remote users, thus improving the user experience and potentially user
productivity by having faster access to information in remote locations.
Improvements for Thin-Client Remote Desktop Services
Windows Server 2012 has seen significant
improvements in the Terminal Services (now called Remote Desktop
Services [RDS]) capabilities for thin-client access for remote users
and managed users in the enterprise. Third-party add-ons used to be
required to make the basic Windows 2000 or 2003 Terminal Services
functional, but Microsoft included those
technologies in Windows Server 2008 and further enhanced them in
Windows Server 2012. You can now access RDS using a standard port 443
Secure Sockets Layer (SSL) connection rather than the proprietary port
3389, and can publish just specific programs rather than the entire
desktop. In addition, improvements now allow a client to have a larger
remote-access screen, multiple screens, and to more easily print to
remote print devices.
In addition, with a technology called
RemoteFX that leverages the processing capability of a GPU-assisted
video adapter in an RDS server, full-motion video and graphics can now
be accelerated and supported in Virtual Desktop Infrastructure (VDI)
guest sessions and in RDS thin-client guest sessions. RemoteFX
makes rich desktop experiences that incorporate graphics and video
fully realizable in shared-system environments. This is a significant
improvement in supporting business needs in a shared environment,
without compromising performance and capabilities.
These improvements in Windows Server
2012 RDS have made RDS one of the easiest components to add to an
existing Active Directory 2003 or Active Directory 2008 environment to
test out the new Windows Server 2012 capabilities. After all, the
installation of a Windows Server 2012 RDS system is just the addition
of a member server to the domain and can easily be removed at any time.
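Two of the RDS capabilities described above, publishing individual programs rather than the whole desktop and fronting the deployment with a port 443 gateway instead of exposing port 3389, can be exercised from the RemoteDesktop module on a Windows Server 2012 member server. The script below is an added example, not the book's or Microsoft's code; the collection name, group name, executable path and broker name are placeholders, and the reporting function's fields are this example's own choices.

```powershell
# Added example (not from the book): publishes a single application to a
# session collection restricted to named groups, then reports whether an RD
# Gateway is part of the deployment and which local ports are listening.
Import-Module RemoteDesktop

function Publish-ScopedRemoteApp {
    param(
        [Parameter(Mandatory=$true)][string]$CollectionName,
        [Parameter(Mandatory=$true)][string]$DisplayName,
        [Parameter(Mandatory=$true)][string]$FilePath,
        [Parameter(Mandatory=$true)][string[]]$UserGroups,
        # Assumes the broker role is on this server; pass the real FQDN otherwise.
        [string]$ConnectionBroker = "$env:COMPUTERNAME.$env:USERDNSDOMAIN"
    )
    # Refuse to publish into a collection that does not exist rather than let
    # the cmdlet create an unintended target.
    $collection = Get-RDSessionCollection -CollectionName $CollectionName `
        -ConnectionBroker $ConnectionBroker -ErrorAction SilentlyContinue
    if (-not $collection) {
        throw "Session collection '$CollectionName' does not exist on $ConnectionBroker."
    }
    # Limit who may connect to the collection at all, then publish only this
    # program (not the full desktop) to the same groups.
    Set-RDSessionCollectionConfiguration -CollectionName $CollectionName `
        -UserGroup $UserGroups -ConnectionBroker $ConnectionBroker
    New-RDRemoteApp -CollectionName $CollectionName -DisplayName $DisplayName `
        -FilePath $FilePath -UserGroups $UserGroups -ConnectionBroker $ConnectionBroker
}

function Get-RDEntryPointSummary {
    param([string]$ConnectionBroker = "$env:COMPUTERNAME.$env:USERDNSDOMAIN")
    # Gateway servers registered with the deployment (the 443/SSL entry point).
    $gateways = @(Get-RDServer -Role RDS-GATEWAY -ConnectionBroker $ConnectionBroker `
        -ErrorAction SilentlyContinue)
    # Local listeners: 3389 is the session host's RDP port, 443 the gateway port.
    # On a host reachable from outside, only 443 should be exposed by the firewall.
    $listeners = Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalPort -eq 3389 -or $_.LocalPort -eq 443 } |
        Select-Object LocalAddress, LocalPort
    New-Object -TypeName PSObject -Property @{
        GatewayDeployed = ($gateways.Count -gt 0)
        GatewayServers  = @($gateways | ForEach-Object { $_.Server })
        LocalListeners  = $listeners
    }
}

# Placeholder values; substitute the real collection, group and program path.
Publish-ScopedRemoteApp -CollectionName 'Finance Apps' -DisplayName 'Ledger' `
    -FilePath 'C:\Program Files\Ledger\ledger.exe' -UserGroups 'CONTOSO\Finance Users'
Get-RDEntryPointSummary | Format-List
```

If GatewayDeployed comes back false, remote users can only reach the collection over port 3389 directly, which is the arrangement the gateway exists to replace; adding the gateway role with Add-RDServer -Role RDS-GATEWAY and pointing clients at its external name is the step that moves external access onto port 443.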