Here at Celestix, we deploy DirectAccess on an almost daily basis for organizations large and small, all around the world. The feedback is consistently positive. Users love the familiar access, administrators enjoy the consistent management of company issued laptops, and security professionals appreciate the improved security posture of their managed devices.
We often talk about DirectAccess, either before a sale when a customer is evaluating DirectAccess and considering the replacement of an existing VPN solution, or after a DirectAccess implementation when network engineers finally realize the power and flexibility that DirectAccess provides. The question of completely retiring a VPN solution almost always comes up. There’s no question that DirectAccess can indeed replace traditional client-based VPN for many organizations. However, it is often not possible (or even advisable) to completely replace a VPN with DirectAccess, for a few important reasons.
DirectAccess is for managed Windows clients
DirectAccess, as awesome as it is, only works for domain-joined Windows clients that are running either Windows 7 Enterprise/Ultimate Edition, or Windows 8.x and later Enterprise Edition. If you need to provide secure remote access for any other clients, DirectAccess simply won’t work. For example, if you are required to support non-domain-joined systems, legacy clients running Windows XP or Vista, non-Enterprise Edition SKUs (e.g. Windows Professional), or non-Microsoft operating systems (e.g. Mac, Linux, iPad, etc.), then client-based VPN will still be required.
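As an added example (not Celestix's or Microsoft's code), here is a PowerShell check an administrator can run on a client to see whether it meets the prerequisites above, and therefore whether that user will still need client-based VPN. It assumes the Win32_OperatingSystem and Win32_ComputerSystem WMI classes are available, and the OperatingSystemSKU codes used are taken from that class's documented table; verify them against your own client builds.

```powershell
# Added example: does this machine meet the DirectAccess client prerequisites
# described above (domain-joined, Windows 7 Enterprise/Ultimate or
# Windows 8.x+ Enterprise)? Anything else still needs client-based VPN.
# Assumption: OperatingSystemSKU codes 4/27/70 = Enterprise variants,
# 1 = Ultimate, 48 = Professional (from the Win32_OperatingSystem SKU table).
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$ver = [version]$os.Version   # 6.1 = Windows 7, 6.2/6.3 = Windows 8.x, 10.0 = Windows 10

$enterpriseSkus = @(4, 27, 70)
$ultimateSku    = 1

$reasons = @()
if (-not $cs.PartOfDomain) {
    $reasons += "not domain-joined (workgroup: $($cs.Workgroup))"
}
if ($ver -lt [version]'6.1') {
    # Windows XP (5.x) and Vista (6.0) are not supported DirectAccess clients
    $reasons += "unsupported OS version $($os.Version)"
}
elseif ($ver.Major -eq 6 -and $ver.Minor -eq 1) {
    # Windows 7: Enterprise or Ultimate only
    if ($os.OperatingSystemSKU -notin ($enterpriseSkus + $ultimateSku)) {
        $reasons += "Windows 7 edition is not Enterprise/Ultimate (SKU $($os.OperatingSystemSKU))"
    }
}
elseif ($os.OperatingSystemSKU -notin $enterpriseSkus) {
    # Windows 8.x and later: Enterprise only
    $reasons += "edition is not Enterprise (SKU $($os.OperatingSystemSKU), $($os.Caption))"
}

if ($reasons.Count -eq 0) {
    "$($cs.Name): DirectAccess-capable ($($os.Caption), domain $($cs.Domain))"
} else {
    "$($cs.Name): needs client-based VPN - " + ($reasons -join '; ')
}
```

Run it through your management tooling across the fleet to size the remaining VPN population before retiring any VPN capacity.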
(UPDATE: Celestix SecureAccess extends the DirectAccess experience to roaming users even on Windows Professional editions and Mac OS X computers. The innovative SecureAccess feature gives both Windows Professional and Mac users the seamless, transparent, always-on VPN experience that Windows Enterprise users have enjoyed for years. Remote users automatically connect to the office network whenever they have an Internet connection.)
Not all applications work over DirectAccess
DirectAccess has a unique dependency on IPv6, which can prevent some applications from working correctly over DirectAccess. This is becoming less of an issue as applications are updated to support IPv6, but for older applications, or in-house developed applications that were written without IPv6 in mind, it can still be a problem. Applications that use protocols embedding IPv4 addresses in their payload will also fail to work over DirectAccess. In these cases it may be possible to make such applications available securely using another solution (e.g. a reverse web proxy), but often the best choice is simply to use client-based VPN.
VPN as a backup for DirectAccess
Keeping a client-based VPN solution around is also a great idea to ensure vital remote access for critical users (e.g. administrators and senior executives) in the event of a DirectAccess outage. Even if you’ve implemented DirectAccess using the latest best practices and deployed it in a highly available and geographically redundant manner, things can and often do go wrong. VPN can serve as a temporary remote access path until the DirectAccess service is restored.
The good news is that DirectAccess meets the needs of the majority of remote access users in most organizations. And although you may not be able to completely eliminate your existing client-based VPN solution, you can significantly reduce the infrastructure and licenses required to support your entire remote user population. This can provide significant cost savings and reduce administrative burden as well.
Finally, the Celestix SecureAccess Appliance also supports the co-location of client-based VPN services alongside DirectAccess. For smaller organizations, you can often consolidate these services on a single appliance. For our enterprise customers there are some considerable drawbacks to doing this, so we recommend deploying a dedicated Celestix SecureAccess Appliance for VPN.