DirectAccess & PKI
DirectAccess allows remote users to securely access internal network file shares, Web sites, and applications without connecting to a virtual private network (VPN). An internal network is also known as a private network or intranet. DirectAccess establishes bi-directional connectivity with an internal network every time a DirectAccess-enabled computer connects to the Internet, even before the user logs on. A DirectAccess deployment needs a public key infrastructure (PKI) to issue certificates to DirectAccess clients, the DirectAccess server, selected servers, and the network location server.
DirectAccess is completely transparent to the user. Users never have to think about connecting to the internal network and IT administrators can manage remote computers outside the office, even when the computers are not connected to the VPN. DirectAccess isn’t really a VPN at all. There’s nothing virtual about this network, it is the private network.
What are the benefits to deploying DirectAccess for remote access?
Seamless and transparent: Since DirectAccess is an always-on connection it requires no action from the user to establish remote network connectivity. When a user travels outside of the corporate office they can access data and applications from their mobile computer in exactly the same way as they do when they are in the office.
Since corporate network connectivity with the DirectAccess client is established any time it has access to the Internet, management agents running on the DirectAccess client will be able to communicate with management servers to receive updates and report compliance. This also means that DirectAccess clients regularly receive group policy updates. In addition, the DirectAccess communication channel is bi-directional, which allows hosts on the corporate network to initiate communication outbound to DirectAccess clients whenever they are connected to the Internet. For example, if a remote user calls the help desk for assistance, the help desk engineer can initiate a remote desktop session to the DirectAccess client to assist the user.
The DirectAccess communication channel is fully authenticated and encrypted. Initial remote connectivity is established to infrastructure services such as domain controllers, DNS servers, and systems management servers. When the user presses CTRL-ALT-DELETE to log on to their system they are authenticated against a domain controller and not using cached credentials (as long as they have Internet access prior to logging on). This means password changes can be done using CTRL-ALT-DELETE and password lockouts due to out of sync passwords are virtually a thing of the past.