Five Pitfalls of DirectAccess You Can Fix With NetScaler
DirectAccess is a feature of Windows that allows a PC to automatically connect to the corporate network whenever it detects an Internet connection. It’s been around for years, but has recently gained increased attention from organisations deploying Surface™ Pro or other Windows 10 hybrid devices.
DirectAccess is “free” … assuming your Microsoft licence agreement permits unlimited deployment of Windows servers, and the cost of underlying server infrastructure or ongoing management and security of server instances hits someone else’s budget. This makes it very easy for server administrators to stand up a DirectAccess pilot during a Windows 10 or Surface™ Pro rollout without the constraints of seeking budget approval and similar formalities.
Unfortunately, DirectAccess suffers from some major drawbacks that tend to render it unsuitable for organizations with stringent security standards or large populations of remote users. Here are five of the big ones, along with tips on how to overcome them with NetScaler.
1. The Manage Out Problem
Scaling beyond a small number of concurrent users or achieving high availability for your remote access service demands a farm of DirectAccess servers. Whilst load balancing the incoming remote access connections is relatively trivial, attempts by application servers to initiate outbound connections to the remote PCs will fail because the server has no way to determine which DirectAccess server is the gateway to a given endpoint. This means important management functions such as group policy updates, proactive security patching, and remote desktop for helpdesk support will fail under this design.
NetScaler v11.1 includes a DirectAccess gateway feature which not only load balances connections to the DA servers, but also keeps track of which server holds the connection to each endpoint. NetScaler directs outbound connections to the appropriate DirectAccess server, enabling IT to continue providing essential administrative and support functions to remote users.
2. Only Supports Corporate-Managed Windows PCs
Most medium to large organisations need to allow remote access from devices other than corporate-issued PCs. Subcontractors, service providers, or even staff with MacBooks or other non-Windows devices need to access the corporate network remotely. DirectAccess only works for Windows PCs joined to the corporate domain.
The same NetScalers you are using to load balance the DirectAccess servers provide remote access connectivity for most of the platforms that DirectAccess does not support.
3. Domain Servers in the DMZ
Corporate security policies usually prohibit the deployment of domain-joined servers outside the firewall. Having such servers in the DMZ offers an irresistible target to attackers. Once compromised, they become a powerful platform from which to launch further attacks within the DMZ or into the data centre itself.
NetScaler is a security appliance designed for deployment into hostile network environments to protect more vulnerable infrastructure and applications. Version 11.1 enhances NetScaler’s existing VPN gateway capabilities to provide always-on connectivity to remote Windows PCs. In other words, NetScaler gives users the same seamless, automatic connectivity to the corporate network without the need for Windows servers in the DMZ and the associated compromises to security posture.
4. No Support for User-Based Access Control
Mobility changed the way architects think about managing access control. It became necessary to adapt access policy according to three attributes:
- Identity of the user
- Security posture and trust of their device (e.g. corporate-issued laptop, mobile device, public kiosk)
- Location from which they are connecting (e.g. corporate campus vs. hostile nation)
DirectAccess uses a machine-based mechanism and does not take into account the identity of the user or their location.
NetScaler provides comprehensive authentication and access control policy that can take into account all three attributes to limit the risk of intruders gaining access via the VPN.
5. Limited Support for Multi-Factor Authentication
Multi-Factor Authentication and One Time Passwords have become commonplace requirements for remote access across many industries. Although possible under DirectAccess, there are many constraints that limit how you deploy MFA and OTP.
NetScaler supports a wide range multi-factor authentication methods and products, making it easy to deploy multi-factor auth and one time passwords
Seamlessly Connect Your Users to Office 365, One Drive, And Other Cloud Services
In addition to all the benefits above, NetScaler’s authentication, identity management and federation capabilities provide Single Sign-On and seamless access to all your cloud-based services. NetScaler is the perfect platform to deliver the best possible experience to all of your mobile users, while satisfying even the strictest corporate security policies and standards.
With remote access, like most things in life, you get what you pay for. The cost of DirectAccess is the infrastructure and management overhead and the compromise and limitations it suffers – costs that make the price of best-of-breed remote access infrastructure seem like a bargain!
Learn more about NetScaler here: http://www.welcometonetscaler.com