Does DirectAccess Mean No More VPN?

Does DirectAccess Mean No More VPN? - 16.Mar.2010 7:36:46 AM   
tshinder

 

It depends. Remember that DirectAccess (DA) clients must be Windows 7 and above. So if you have downlevel clients, you will still need to support VPN connections for those clients. If you have Vista SP1 and above, you can take advantage of SSTP, which is a very nice VPN protocol that uses HTTPS as a transport, so it goes through "restrictive" firewalls and web proxies. For earlier versions of Vista and for Windows XP, you can still use PPTP and L2TP/IPsec. However, UAG does not support these VPN protocols, so you'll need to use a TMG firewall to support these older VPN protocols.

But what if you have Windows 7 clients only (don't you wish!)? Then you should be able to use DA all the time. However, there may be applications on your network that won't work with DirectAccess. This is something you might see if you are depending on NAT64/DNS64 where the application protocol embeds an IPv4 address inside the application protocol header. This is a problem, since, as with IPv4 NAT devices, you need to have a NAT editor to work with those protocols. If you're using IPv6, this isn't a problem, since IPv6 to IPv4 protocol translation isn't required; this includes non-native but IPv6-aware servers and server applications that can take advantage of ISATAP on your corpnet.

So, even with a Windows 7 client, there might be rare instances of legacy applications that will require that you connect over a VPN. Over time, those should go away. Until then, just be aware of the issue.

Also, keep in mind that while the VPN connection is active, the DA connection will shut down. Why? Because when you're connected to the VPN, your DA client will be able to resolve the name of the Network Location Server, and thus the DA client components will shut down.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Post #: 1
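
Added example, not part of the original post: a Python sketch of the NAT64/DNS64 limitation described above, which scans application payloads for embedded IPv4 literals that a translator without a NAT editor would pass through unchanged. The sample payloads, host names and the use of the well-known prefix 64:ff9b::/96 (RFC 6052) are assumptions made for illustration; a real deployment uses its own prefix.

```python
import ipaddress
import re

# Assumption: well-known NAT64 prefix from RFC 6052, used here only for illustration.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

def dns64_synthesize(ipv4):
    """Build the IPv6 address a DNS64 would return for an IPv4-only server."""
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(NAT64_PREFIX.network_address) | int(v4))

# Dotted-quad literals (e.g. SDP "c=IN IP4 a.b.c.d") and FTP-style h1,h2,h3,h4,p1,p2 tuples.
DOTTED = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
FTP_TUPLE = re.compile(
    r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),\d{1,3},\d{1,3}(?!\d)")

def embedded_ipv4(payload):
    """Return the IPv4 literals carried inside an application payload."""
    text = payload.decode("ascii", errors="replace")
    candidates = [m.group(1) for m in DOTTED.finditer(text)]
    candidates += [".".join(m.groups()) for m in FTP_TUPLE.finditer(text)]
    found = []
    for cand in candidates:
        try:
            addr = str(ipaddress.IPv4Address(cand))  # rejects octets > 255
        except ValueError:
            continue
        if addr not in found:
            found.append(addr)
    return found

# Constructed sample payloads, as a client would receive them through the translator.
SAMPLES = {
    "ftp_pasv": b"227 Entering Passive Mode (10,0,0,25,195,80)\r\n",
    "sip_sdp": b"v=0\r\nc=IN IP4 10.0.0.40\r\nm=audio 49170 RTP/AVP 0\r\n",
    "http": b"GET /index.html HTTP/1.1\r\nHost: intranet.corp.example\r\n\r\n",
}

def triage(samples):
    """Map each sample to the IPv4 literals that would need a NAT editor."""
    return {name: embedded_ipv4(data) for name, data in samples.items()}

if __name__ == "__main__":
    # The client reaches the server at the synthesized address...
    print("DNS64 answer for 10.0.0.25:", dns64_synthesize("10.0.0.25"))
    # ...but the payload still tells it to connect to a raw IPv4 address.
    for name, addrs in triage(SAMPLES).items():
        verdict = "needs NAT editor or VPN fallback" if addrs else "translates cleanly"
        print(f"{name:9} {addrs} -> {verdict}")
```

Protocols flagged this way are the candidates for the VPN fallback mentioned in the post; the HTTP sample carries only a host name, so DNS64 can handle it.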
RE: Does DirectAccess Mean No More VPN? - 27.Mar.2010 9:51:01 AM   
tshinder

 

Do you think the end of VPN is a good thing?

What if you could DA to multiple locations?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to tshinder)
Post #: 2
