With the impending release of Windows Server 2012 we will have our third iteration of the Microsoft DirectAccess solution. Life began with the DirectAccess feature coming to Windows in the first release of Windows Server 2008 R2 a few years ago now; it was then supercharged using Forefront UAG to offer a truly more achievable solution which was much easier to implement for many organisations given the improvements offered by the Forefront UAG platform. Now with the release of Windows Server 2012, we have the third generation of the solution which is fully featured and delivered as part of the native operating system. Given the impending third generation release, I thought it might be useful to prepare a DirectAccess comparison table to compare the different technology versions available, as shown below:
DA Solution | Windows Server 2008 R2 DA | Forefront UAG 2010 SP1 DA | Windows Server 2012 DA |
Feature | |||
Simplified DirectAccess management for small and medium organisations | No | No | Yes |
Automated DirectAccess server configuration | No | Yes | Yes |
Mandatory PKI deployment as a DirectAccess prerequisite | Yes | Yes | No1 |
Built-in NAT64 and DNS64 support for accessing IPv4-only resources | No | Yes | Yes |
Support for a DirectAccess server with a single network card | No | No | Yes |
Support for a DirectAccess server behind a NAT device | No | No | Yes |
Requires at least one Windows Server 2008/R2 Domain Controller | Yes | No | No |
Requires at least one Windows Server 2008/R2 DNS Server | Yes | No | No |
Load balancing support | No | Yes | Yes |
Server fault tolerance | Limited2 | Yes | Yes |
Support for multiple AD domains | No | Yes | Yes |
NAP integration | Yes | Yes | Yes |
Support for OTP (token based authentication) | No3 | Yes | Yes |
IP-HTTPS interoperability and performance improvements | No4 | No4 | Yes |
Manage-out only support | No | Yes | Yes |
Multi-site support | Limited5 | Limited6 | Yes7 |
Support for Server Core | No | No | Yes |
Support for Windows 7 clients | Yes | Yes | Yes |
Support for Windows 8 clients | Unknown | Limited8 | Yes |
Windows PowerShell support | No | Limited9 | Yes |
User and server health monitoring | No | Yes | Yes |
Diagnostics | No | No | Yes |
Accounting and reporting | No | Limited10 | Yes |
Notes and small print:
Items in red represent significant improvement or changes.
1PKI is still mandatory for force tunnelling, Network Access Protection (NAP) integration or two-factor authentication deployment scenarios. A PKI-based solution is therefore still required for some enterprise-class deployments, dependent on the required features.
2Hyper-V failover cluster is required.
3Smartcard only.
4IP-HTTPS is supported, but there is a performance overhead due to combined/double SSL and IPsec encryption. IP-HTTPS in Windows Server 2012 now support null SSL encryption and additional optimisations but requires Windows 8 clients.
5Complicated setup due to IPv6 requirements.
6Global Server Load Balancer (GSLB) is required.
7Automatic DirectAccess entry-point detection or user selected entry-point requires Windows 8 clients.
8Technically works, but the supportability status is currently unknown (full support provided in UAG SP3).
9Read-only PowerShell.
10Command line via PowerShell only.
As highlighted above, Windows Server 2012 offers the most feature-rich platform when compared to previous versions and can be considered as a superset of the functionality provided by the Forefront UAG SP1 offering. Many of the enhancements included in Windows Server 2012 DirectAccess are based upon direct feedback from customers and changes to facilitate easier adoption and deployment of the technology within both smaller organisations and enterprise environments alike. I am planning on creating two upcoming blog posts which will highlight the changes and benefits in Windows Server 2012 DirectAccess from the perspective of the smaller organisation and then also for the enterprise space. Given the improvements and changes, I think DirectAccess will be even more popular than ever…what do you think?