Comparing DirectAccess DMZ and Edge Deployments

Introduction

When DirectAccess was first introduced with Windows Server 2008 R2, it required the server to be configured with two network interfaces that used two consecutive public IPv4 addresses which were assigned to the external interface. This was a source of concern for many security administrators, as the DirectAccess server must be joined to the domain.

Network Deployment Options

To address this challenge, DirectAccess in Windows Server 2012 R2 now supports perimeter or DMZ deployments using private IPv4 addresses and even supports single NIC configuration. This allows the DirectAccess server to be protected by an existing edge security device, reducing exposure and significantly improving the overall security posture of the solution.

Drawbacks

Although the perimeter/DMZ network deployment affords additional protection for the DirectAccess server, it comes at a potential cost in performance and scalability. When DirectAccess is deployed behind a NAT device, only the IP-HTTPS IPv6 transition protocol supported. With IP-HTTPS, DirectAccess traffic is encapsulated and sent overthe public IPv4 Internet using HTTP and encrypted with SSL/TLS. DirectAccess communication is already encrypted using IPsec, which results double encryption.

This additional protocol overhead adds latency, which can negatively affect the end user experience. In addition, the increased resource demands (CPU and memory) on the DirectAccess server significantly reduces the maximum number of concurrent sessions the server can handle.

Mitigations

To mitigate the negative performance impact of double encryption for clients using IP-HTTPS, Microsoft introduced support for null encryption cipher suites in Windows Server 2012 R2 and Windows 8.x and later clients. When configured correctly, Windows 8.x clients do not perform double encryption. On the client side, performance is equal to that of other IPv6 transition protocols. On the server side, the reduced demand for computing capacity increases scalability, allowing the server to handle many more concurrent sessions.

Summary

The support for perimeter/DMZ network deployments for DirectAccess enables network engineers to improve the overall security of the remote access solution by leveraging existing edge security devices to extend protection for the DirectAccess server. However, for organizations supporting Windows 7 clients, scalability and performance may suffer. To take advantage of this deployment model, plan accordingly during the capacity planning stage to account for additional processing demands. To eliminate the performance penalty entirely, consider deploying Windows 8.x and later clients.

Celestix SecureAccess Security Appliance – E Series is preconfigured with Windows Server 2012 R2, is ready to deploy, and it takes only one click to install a major service: ADFS/Device Registration Service, NPS, DirectAccess/VPN, Web Application Proxy, Remote Desktop Gateway, Remote Desktop Web, Work Folders. To learn more about E Series call 510.668.0700 or email sales@celestix.com, or read more here.

DirectAccess vs. SecureAccess

more blogs