Friday, May 15, 2009

Microsoft DirectAccess - some brief thoughts

I think out of anything coming out of the Microsoft Server 2008 R2 and Windows 7 releases the feature I am most excited about is DirectAccess (anyone remember DirectConnect?) Microsoft has some excellent content starting to build up at http://www.microsoft.com/directaccess which gives an overview of how DirectAccess works and how it can be utilized so I won't repeat that here.
I have had the chance due to both my Microsoft MVP status and Springboard STEP status to have access to some deployment guides that are not generally available. After reviewing these and after playing with gear I have some opinions on what Microsoft should be recommending to IT Pros to do as initial trials of DirectAccess.
In a nutshell, I believe that people should set up an initial native IPv6 deployment with a tunnel broker (use Hurricane Electric) and get native IPv6 addresses working in their environment. In addition, I would minimize the deployment model to utilize proxy services or a NAT-PT device for resources on the network that are available via DA. This model comes pretty close to many VPN deployments today but does not have the pain involved with doing a functional overlay technology like ISATAP.
So, what do I mean by proxy services in this case? Well, for those deploying DA, I would set up a new Server 2008 R2 machine to front end file servers that are still running Server 2003 or older by utilizing SharePoint, that same server or an additional one could potentially do Exchange OWA or front end services depending on what Exchange environment you are on. I would utilizes a NAT-PT for specific line of business applications but I would narrow the selected application list initially to reduce troubleshooting on the NAT-PT device. There are options for NAT-PT devices, Cisco can do it in software on their routers and there is the Forefront UAG from Microsoft.
Most importantly, I would set expectations that there are a lot of moving parts with DirectAccess to get a deployment done correctly. You need to have PKI with a public CRL, IPv6, Windows Server 2008 R2 and Windows 7 just as minimum requirements, that doesn't say anything about the networking technologies you have to learn.
DirectAccess has the potential to bring about some of the most exciting changes in how people will work in the future on Windows but it will take a lot of planning and testing to get it all right.
I'll post more thought shortly.
- Ed

No comments: