Does DirectAccess Mean No More VPN? (Full Version)

All Forums >> [Forefront Unified Access Gateway 2010] >> DirectAccess


tshinder -> Does DirectAccess Mean No More VPN? (16.Mar.2010 7:36:46 AM)

It depends. Remember that DirectAccess (DA) clients must be Windows 7 and above. So if you have downlevel clients, you will still need to support VPN connections for those clients. If you have Vista SP1 and above, you can take advantage of SSTP, which is a very nice VPN protocol that uses HTTPS as a transport, so it goes through "restrictive" firewalls and web proxies. For earlier versions of Vista and for Windows XP, you can still use PPTP and L2TP/IPsec. However, UAG does not support these VPN protocols, so you'll need to use a TMG firewall to support these older VPN protocols.

But what if you have Windows 7 clients only (don't you wish!)? Then you should be able to use DA all the time. However, there may be applications on your network that won't work with DirectAccess. This is something you might see if you are depending on NAT64/DNS64 where the application protocol embeds an IPv4 address inside the application protocol header. This is a problem since, as with IPv4 NAT devices, you need to have a NAT editor to work with those protocols. If you're using IPv6, this isn't a problem, since IPv6 to IPv4 protocol translation isn't required; this includes non-native, but IPv6 aware, servers and server applications that can take advantage of ISATAP on your corpnet.

So, even with a Windows 7 client, there might be rare instances of legacy applications that will require that you connect over a VPN. Over time, those should go away. Until then, just be aware of the issue.

Also, keep in mind that while the VPN connection is active, the DA connection will shut down. Why? Because when you're connected to the VPN, your DA client will be able to resolve the name of the Network Location Server, and thus the DA client components will shut down.
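The NAT64/DNS64 point in the post above, worked through as an added example (this is not code from the post or from UAG). It assumes the well-known RFC 6052 prefix 64:ff9b::/96 and a constructed HTTP redirect payload; a real UAG deployment uses its own /96 prefix, but the arithmetic is identical. It shows what DNS64 synthesizes for an IPv4-only server, how the gateway recovers the IPv4 address, why an IPv4 literal inside an application payload is invisible to DNS64, and what a per-protocol NAT editor has to do about it.

```python
import ipaddress
import re

# Constructed example: the well-known NAT64 prefix from RFC 6052 (64:ff9b::/96).
# A UAG deployment uses its own prefix; the arithmetic below is the same for any /96.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def dns64_synthesize(ipv4: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> str:
    """What DNS64 does when a name has only an A record: embed the IPv4 address
    in the low 32 bits of the /96 prefix and hand the client a synthetic AAAA."""
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def nat64_extract(ipv6: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX):
    """What the NAT64 gateway does on the wire: if the destination falls inside the
    prefix, recover the IPv4 address to translate towards; otherwise None (native IPv6)."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


# Dotted quad not glued to other digits or dots (so "1.2.3.4567" is not a hit).
_DOTTED_QUAD = rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])"
_IPV4_LITERAL = re.compile(_DOTTED_QUAD)
_URL_WITH_IPV4 = re.compile(rb"(https?://)(" + _DOTTED_QUAD + rb")")


def embedded_ipv4_literals(payload: bytes) -> list:
    """Scan an application payload for IPv4 literals. DNS64 never sees these, so an
    IPv6-only DA client has no route to them unless a NAT editor rewrites them."""
    hits = []
    for m in _IPV4_LITERAL.finditer(payload):
        text = m.group().decode("ascii")
        try:
            ipaddress.IPv4Address(text)  # drops things like "300.1.1.1"
        except ValueError:
            continue
        hits.append(text)
    return hits


def nat_editor_rewrite_urls(payload: bytes,
                            prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> bytes:
    """A minimal NAT editor for one protocol shape: URLs with an IPv4 host are
    rewritten to the synthesized IPv6 address in brackets. Every protocol that
    embeds addresses needs its own editor like this, which is the post's point."""
    def _sub(m):
        host = m.group(2).decode("ascii")
        try:
            ipaddress.IPv4Address(host)
        except ValueError:
            return m.group(0)
        return m.group(1) + b"[" + dns64_synthesize(host, prefix).encode("ascii") + b"]"
    return _URL_WITH_IPV4.sub(_sub, payload)


if __name__ == "__main__":
    # Constructed payload: a redirect that names the backend by IPv4 literal.
    sample = b"HTTP/1.1 302 Found\r\nLocation: http://10.0.0.5/app/\r\n\r\n"
    print(dns64_synthesize("10.0.0.5"))          # what the DA client resolves to
    print(embedded_ipv4_literals(sample))        # literals DNS64 cannot help with
    print(nat_editor_rewrite_urls(sample))       # what a NAT editor would emit
```

Run it and compare the synthesized AAAA with the literal found in the payload: the client can reach the first through the gateway, but the second only after the rewrite, and only because URL syntax happens to accept a bracketed IPv6 host. A protocol whose header carries the address in a binary or fixed-width field has no such escape hatch, which is why the post recommends a VPN for those legacy applications.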


tshinder -> RE: Does DirectAccess Mean No More VPN? (27.Mar.2010 9:51:01 AM)

Do you think the end of VPN is a good thing?

What if you could DA to multiple locations?

