DirectAccess is Microsoft’s built-in VPN tunnel solution for connecting clients directly to the LAN without having to install VPN software, but is it better than having a VPN client? When comparing VPNs Vs. DirectAccess, it’s not that one is better than the other; the question is which one is more appropriate for the network.
What Is The Advantage Of DirectAccess Vs. A Traditional VPN Client?
Before the setup of DirectAccess, you need to decide if it’s the best VPN technology for you. DirectAccess has the following advantages Vs. a traditional VPN client:
- There’s no need for third-party VPN software, which means that it can be rolled out to many machines easily
- VPN connectivity is seamless, which means that user training and intervention isn’t required for VPN connectivity
- VPN connectivity is always on, which makes it easier to remotely administer client PCs
- Because DirectAccess is always on, it can be set up in a way that provides clients with traffic protection wherever they are located
- Because clients are VPN’d into the company, there is less need for externally facing resources, which means that the attack surface exposed to the internet can be reduced
However, there are disadvantages to DirectAccess compared to VPN Client software:
- VPN connections occur prior to the user logging on. This sounds like a good thing, but causes latency while downloading roaming profiles, which can generate additional support calls
- Troubleshooting DirectAccess clients is more difficult than troubleshooting a VPN client
- The complexity of the LAN is greatly increased, and losing a server that hosts a DirectAccess service can cause outages for DirectAccess clients on the LAN
- DirectAccess clients must be running Windows 7 Enterprise or above, whilst VPN software is available for all versions of Windows
- Client applications that do not support IPv6 will not work over DirectAccess
As you can see, although DirectAccess uses VPN tunnels, comparing VPNs Vs. DirectAccess is not as simple as saying that one is better than the other; you may, however, find that one is better suited to your environment than the other.
Addendum: I haven’t tested this, but I wonder how disabled accounts are handled with connections via DirectAccess. For example, if a user is logged onto a network and their account is disabled, typically they still have access to resources because their access token remains the same until they log off. If an employee stole a company computer and connected to the network resources via DirectAccess, would it be difficult to disconnect them from the network? With a VPN, you can simply cut them off at the firewall (or wherever you are terminating your VPN) by disabling their VPN account. This might be a security consideration worth testing when considering whether it’s best to use a VPN or DirectAccess.