Built on IPv6
IPv6 is required for DirectAccess. DirectAccess connectivity is built on the foundation of globally routable IP addresses that IPv6 provides. IPv6 has been around for a while, and most systems and network devices are IPv6-capable, but the actual adoption of IPv6 as a replacement for IPv4 networking has been slow.
Microsoft was aware that IPv6 is not available everywhere, so the company designed DirectAccess to take advantage of IPv6 transition technologies such as 6to4, Teredo, and ISATAP. Within the network, DirectAccess relies on NAT-PT (Network Address Translation-Protocol Translation) to provide connectivity between DirectAccess clients and IPv4-only resources.
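Each of the three transition technologies named above embeds IPv4 information inside a recognisable IPv6 address layout (2002::/16 for 6to4, 2001:0000::/32 for Teredo, and a ::0:5efe:w.x.y.z interface identifier for ISATAP), which is what lets an administrator tell tunnelled DirectAccess traffic apart from native IPv6 in firewall or DNS logs. The following Python is an added example, not code from the article or from Microsoft: it classifies an IPv6 address by those well-known layouts and recovers the embedded IPv4 endpoints. The Teredo sample address is the one given in RFC 4380; the other sample addresses are constructed from documentation ranges.

```python
import ipaddress

# Well-known transition prefixes: RFC 3056 (6to4), RFC 4380 (Teredo), RFC 5214 (ISATAP).
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")
TEREDO = ipaddress.ip_network("2001::/32")
# Upper 32 bits of an ISATAP interface identifier: 0000:5EFE, or 0200:5EFE when the
# 'u' bit is set because the embedded IPv4 address is globally unique.
ISATAP_IID_MARKERS = (0x00005EFE, 0x02005EFE)


def classify_transition_address(text):
    """Describe which transition mechanism (if any) an IPv6 address belongs to and
    which IPv4 endpoints it carries. Returns {"mechanism": None} for native IPv6."""
    addr = ipaddress.IPv6Address(text)
    n = int(addr)

    if addr in SIX_TO_FOUR:
        # 2002:WWXX:YYZZ::/48 -- bits 16..47 hold the IPv4 address of the 6to4 router.
        router = ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF)
        return {"mechanism": "6to4", "router_ipv4": str(router)}

    if addr in TEREDO:
        # 2001:0000:SSSS:SSSS:FFFF:PPPP:CCCC:CCCC
        #   S = Teredo server IPv4, F = flags, P = client UDP port XOR 0xFFFF,
        #   C = client public IPv4 XOR 0xFFFFFFFF (obfuscated so NATs do not rewrite it).
        server = ipaddress.IPv4Address((n >> 64) & 0xFFFFFFFF)
        flags = (n >> 48) & 0xFFFF
        port = ((n >> 32) & 0xFFFF) ^ 0xFFFF
        client = ipaddress.IPv4Address((n & 0xFFFFFFFF) ^ 0xFFFFFFFF)
        return {"mechanism": "Teredo", "server_ipv4": str(server), "flags": flags,
                "client_udp_port": port, "client_ipv4": str(client)}

    # ISATAP can sit under any /64; the signature is in the interface identifier.
    iid_high = (n >> 32) & 0xFFFFFFFF
    if iid_high in ISATAP_IID_MARKERS:
        host = ipaddress.IPv4Address(n & 0xFFFFFFFF)
        prefix = str(ipaddress.IPv6Address((n >> 64) << 64)) + "/64"
        return {"mechanism": "ISATAP", "host_ipv4": str(host), "prefix": prefix}

    return {"mechanism": None}


if __name__ == "__main__":
    samples = [
        "2002:c000:201::1",                          # constructed 6to4 (router 192.0.2.1)
        "2001:0000:4136:e378:8000:63bf:3fff:fdd2",   # Teredo example from RFC 4380
        "fe80::5efe:c000:207",                       # constructed ISATAP (host 192.0.2.7)
        "2001:db8::1",                               # native IPv6, documentation range
    ]
    for s in samples:
        print(s, "->", classify_transition_address(s))
```

Because the three formats are distinguishable by prefix or interface identifier alone, the same check can be run over any list of IPv6 source addresses (for example, from the DirectAccess server's connection logs) to see which transition path each client arrived over.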
DirectAccess uses split-tunnel routing to intelligently route network traffic based on the intended destination. Only traffic destined for the corporate network is routed through the DirectAccess server, while traffic intended for resources on the public Internet is routed directly to its destination. Split-tunneling ensures that the resources of the DirectAccess server are not consumed by unnecessary network traffic.
Windows Server 2008 R2 Required
DirectAccess cannot function in a vacuum on a Windows 7 system. It requires a DirectAccess server to connect to, and a DirectAccess server means Windows Server 2008 R2. The DirectAccess server must have two network interface cards: one connected to the public Internet and one to provide access to the internal intranet resources. DirectAccess also requires at least two consecutive IPv4 addresses on the network interface card connected to the Internet.
DirectAccess uses split-tunnel routing to intelligently route data to the proper destination.
The IPv6 transition technologies mentioned above (6to4, Teredo, and ISATAP) must be implemented on the DirectAccess server. A PKI (Public Key Infrastructure) is required to issue the certificates used for authentication and security, and a DNS server running on Windows Server 2008 or Windows Server 2008 R2 is required as well.
Users who experience problems connecting to DirectAccess can use the appropriate troubleshooting wizard to identify and resolve problems. Open the Network and Sharing Center and click on Troubleshoot problems; then select the Connection to a Workplace Using DirectAccess wizard to begin troubleshooting.
Troubleshoot DirectAccess connectivity problems using the built-in wizard.
No matter how much network bandwidth an organization has, it is safe to assume it is not unlimited. As more users access the network, or more users connect to bandwidth-intensive data like streaming audio and video, the network bandwidth is nibbled away until it is gone, forcing the router to queue data, which in turn slows down network communications.
Even without maxing out the internal network capacity, this type of queuing often takes place where the internal network meets the external network. The internal network may be operating at 1Gbps speeds, but the connection to the public Internet might be 10Mbps. Network packets from the internal network are queued by the router and transmitted on a first-come, first-served basis as bandwidth becomes available on the external connection.
Not all network destinations are created equal, though, nor do they need to be treated equally. Requests to an application server used to process orders, or data being sent to a mission-critical database, should take precedence over traffic destined for Google or Facebook, say.
Administrators can configure Quality of Service (QoS) to prioritise the traffic and ensure that the high-priority traffic gets preferential treatment. Windows will assign outgoing packets a DSCP (Differentiated Services Code Point) number that the router can use to determine the priority of the packets. As the network gets bogged down and packets are queued up, the default first-in-first-out functionality is overridden, and high-priority packets are sent out first.
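The DSCP value lives in the six high bits of the IPv4 TOS byte (or the IPv6 traffic class field), with the two low bits reserved for ECN, so a DSCP of 46 appears on the wire as a TOS byte of 184. The Python below is an added example, not code from the article or from Windows: it reads the DSCP from constructed IPv4 and IPv6 headers and contrasts the default first-in-first-out transmit order with the strict-priority order a DSCP-aware egress queue would use, including a scavenger class (CS1) for URLs that have been deliberately downgraded. The sample backlog, the traffic labels and the rank table are constructed for the demonstration; the rank table follows the standard EF, AF and CS1 code points.

```python
import struct

# DSCP code points (RFC 2474, RFC 2597, RFC 3246) mapped to a scheduling rank;
# lower rank leaves the queue first. Unlisted values are treated as best effort.
DSCP_RANK = {
    46: 0,                  # EF   - expedited forwarding (voice)
    34: 1, 36: 1, 38: 1,    # AF4x
    26: 2, 28: 2, 30: 2,    # AF3x
    18: 3, 20: 3, 22: 3,    # AF2x
    10: 4, 12: 4, 14: 4,    # AF1x
    0: 5,                   # default / best effort
    8: 6,                   # CS1  - scavenger, below best effort
}
BEST_EFFORT_RANK = DSCP_RANK[0]


def tos_for_dscp(dscp):
    """TOS/DS byte for a DSCP: the 6 DSCP bits sit above the 2 ECN bits.
    This is the value handed to setsockopt(IPPROTO_IP, IP_TOS, ...)."""
    return (dscp & 0x3F) << 2


def dscp_of(packet):
    """Read the DSCP a router classifies on from a raw IPv4 or IPv6 header."""
    version = packet[0] >> 4
    if version == 4 and len(packet) >= 20:
        ds_byte = packet[1]
    elif version == 6 and len(packet) >= 40:
        # The IPv6 traffic class straddles the first two bytes (bits 4..11).
        ds_byte = ((packet[0] & 0x0F) << 4) | (packet[1] >> 4)
    else:
        raise ValueError("not an IPv4/IPv6 header")
    return ds_byte >> 2


def make_ipv4_packet(dscp, payload):
    """Constructed minimal IPv4 header (checksum left zero) for the demo."""
    src, dst = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])   # TEST-NET addresses
    header = struct.pack("!BBHHHBBH4s4s", 0x45, tos_for_dscp(dscp), 20 + len(payload),
                         0, 0, 64, 17, 0, src, dst)
    return header + payload


def make_ipv6_packet(dscp, payload):
    """Constructed minimal IPv6 header for the demo (documentation-range addresses)."""
    first_word = (6 << 28) | (tos_for_dscp(dscp) << 20)   # version, traffic class, flow label 0
    src = bytes.fromhex("20010db8000000000000000000000010")
    dst = bytes.fromhex("20010db8000000000000000000000020")
    header = struct.pack("!IHBB16s16s", first_word, len(payload), 17, 64, src, dst)
    return header + payload


def payload_of(packet):
    hdr_len = 20 if packet[0] >> 4 == 4 else 40
    return packet[hdr_len:].decode()


def fifo_order(queue):
    """What the default first-in-first-out egress queue transmits, in order."""
    return [payload_of(p) for p in queue]


def priority_order(queue):
    """DSCP-aware order: strict priority by rank, FIFO among equal ranks
    (sorted() is stable, so arrival order is preserved within a rank)."""
    ranked = sorted(queue, key=lambda p: DSCP_RANK.get(dscp_of(p), BEST_EFFORT_RANK))
    return [payload_of(p) for p in ranked]


# Constructed backlog at a congested 10Mbps uplink, in arrival order.
SAMPLE_QUEUE = [
    make_ipv4_packet(8,  b"facebook"),    # URL deliberately downgraded to CS1
    make_ipv4_packet(0,  b"web"),         # unmarked browsing
    make_ipv6_packet(46, b"voip"),        # voice, EF
    make_ipv4_packet(26, b"orders-db"),   # mission-critical database, AF31
    make_ipv6_packet(18, b"intranet"),    # intranet application, AF21
    make_ipv4_packet(0,  b"web2"),        # unmarked browsing
]

if __name__ == "__main__":
    print("FIFO:    ", fifo_order(SAMPLE_QUEUE))
    print("DSCP QoS:", priority_order(SAMPLE_QUEUE))
```

The marking and the scheduling are separate steps: Windows only writes the DSCP into outgoing packets, and the reordering happens on whichever router or switch is actually congested, so a mark has no effect on a hop whose queue discipline ignores the DS field or remarks it.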
By using URL-based QoS, traffic intended for pcworld.com can be given a higher priority than traffic headed for tonybradley.com.
QoS functionality was part of previous versions of Windows, but priority had to be assigned based on specific IP addresses and port numbers. However, multiple Web sites may share the same IP address, and one Web site may have multiple IP addresses, making QoS difficult to utilise in some instances.
With Windows 7, Microsoft has added an ability to configure QoS based on URL. Administrators can ensure that traffic intended for intranet applications or important Web sites gets processed ahead of lower-priority traffic (see the last figure above) without having to configure the precise IP address and port of the destination sites.
URL-based QoS can also be used to intentionally downgrade the priority of non-business-related sites such as ESPN or Facebook. Assigning these URLs a low priority will force those packets to be handled with even less urgency than normal traffic.
Tony Bradley is an information security and unified communications expert with more than a decade of enterprise IT experience. He tweets as @PCSecurityNews and provides tips, advice, and reviews on information security and unified communications technologies on his site at tonybradley.com.