Windows Server 2008 R2 DirectAccess
A short follow-up to the previous post on DirectAccess.
Here is the information published on the TechNet site:
With the DirectAccess feature introduced in Windows Server 2008 R2, domain member computers running Windows 7 can connect to enterprise network resources whenever they connect to the Internet. During access to network resources, a user connected to the Internet has virtually the same experience as if connected directly to an organization’s local area network (LAN). Furthermore, DirectAccess enables IT professionals to manage mobile computers outside of the office. Each time a domain member computer connects to the Internet, before the user logs on, DirectAccess establishes a bi-directional connection that enables the client computer to stay up to date with company policies and receive software updates.
Security and performance features of DirectAccess include authentication, encryption, and access control. IT professionals can configure the internal resources to which each user can connect, granting unlimited access or allowing access only to specific servers or networks. DirectAccess also offers a feature called split-tunnel routing, which can reduce unnecessary traffic on the enterprise network. Split-tunnel routing sends only the traffic destined for the enterprise network through the DirectAccess server. Other Internet traffic is routed through the Internet gateway that the client computer uses. Split-tunnel routing is optional, and DirectAccess can be configured to send all traffic through the enterprise network.
Are there any special considerations?
The DirectAccess server must be running Windows Server 2008 R2, must be a domain member, and must have two physical network adapters installed. Dedicate the DirectAccess server only to DirectAccess and do not have it host any other primary functions. DirectAccess clients must be domain members and must be running Windows 7. Use the Add Features Wizard in Server Manager to install the DirectAccess Management console, which enables you to set up the DirectAccess server and monitor DirectAccess operations after setup.
Infrastructure considerations include the following:
- Active Directory Domain Services (AD DS). At least one Active Directory® domain must be deployed. Workgroups are not supported.
- Group Policy. Group Policy is recommended for deployment of client policies.
- Domain controller. At least one domain controller in the domain containing user accounts must be running Windows Server 2008 or later.
- Public key infrastructure (PKI). A PKI is required to issue certificates. External certificates are not required. All SSL certificates must have a certificate revocation list (CRL) distribution point that is reachable via a publicly resolvable fully qualified domain name (FQDN) while either local or remote.
- IPsec policies. DirectAccess uses IPsec to provide authentication and encryption for communications across the Internet. It is recommended that administrators be familiar with IPsec.
- IPv6. IPv6 provides the end-to-end addressing necessary for clients to maintain constant connectivity to the enterprise network. Organizations that are not yet ready to fully deploy IPv6 can use IPv6 transition technologies such as Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), Teredo, and 6to4 to connect across the IPv4 Internet and to access IPv4 resources on the enterprise network. IPv6 or transition technologies must be available on the DirectAccess server and allowed to pass through the perimeter network firewall.
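The PKI item above requires every CRL distribution point to be reachable through a publicly resolvable FQDN, from inside and outside the network. The PowerShell below is an added example, not code from TechNet or from the original post. It assumes Windows formats each distribution point as `URL=<uri>`, and the function names `Get-CdpUrl` and `Test-CdpUrl` are hypothetical.

```powershell
# Added example (not TechNet code): checks every CRL distribution point (CDP)
# of the certificates in the local machine store. Run it once on the internal
# network and once from an Internet connection outside it.
function Get-CdpUrl {    # hypothetical helper name
    param([Parameter(Mandatory=$true)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # 2.5.29.31 is the OID of the CRL Distribution Points extension.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return }
    # Assumption: Windows prints each entry as "URL=<uri>" in the formatted text.
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value }
}

function Test-CdpUrl {   # hypothetical helper name
    param([Parameter(Mandatory=$true)][string]$Url)
    $result = New-Object PSObject -Property @{ Url = $Url; Status = 'OK' }
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
        $result.Status = 'Not an absolute URI'; return $result
    }
    # An ldap:/// entry or a single-label host name carries no FQDN.
    if ($uri.Host -notmatch '\.') {
        $result.Status = 'No FQDN in URL'; return $result
    }
    try { [System.Net.Dns]::GetHostAddresses($uri.Host) | Out-Null }
    catch { $result.Status = 'Host name does not resolve'; return $result }
    if ($uri.Scheme -notmatch '^https?$') {
        $result.Status = "Resolves; fetch not attempted for scheme $($uri.Scheme)"
        return $result
    }
    $client = New-Object System.Net.WebClient
    try {
        if ($client.DownloadData($uri).Length -eq 0) { $result.Status = 'Empty response' }
    }
    catch { $result.Status = "Fetch failed: $($_.Exception.Message)" }
    finally { $client.Dispose() }
    return $result
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $subject = $_.Subject
    Get-CdpUrl $_ | ForEach-Object { Test-CdpUrl $_ } |
        Select-Object @{ n = 'Subject'; e = { $subject } }, Url, Status
}
```

A certificate whose only entries report `No FQDN in URL` or `Host name does not resolve` when run from outside the network does not meet the requirement as stated.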