Windows Server 2008 R2 has many features that are designed specifically to work with client computers running Windows 7, the next version of the Windows operating system from Microsoft. The features described below are only available when Windows 7 client computers are used with server computers running Windows Server 2008 R2.
One common problem facing most organizations is remote connectivity for their mobile users. One of the most widely used solutions for remote connectivity is for mobile users to connect by using a virtual private network (VPN) connection. Depending on the type of VPN, users may install VPN client software on their mobile computer and then establish the VPN connection over public Internet connections.
The DirectAccess feature in Windows Server 2008 R2 allows Windows 7 client computers to directly connect to intranet-based resources without the complexity of establishing a VPN connection. The remote connection to the intranet is transparently established for the user. From the user’s perspective, they are unaware that they are remotely connecting to intranet resources. The following figure contrasts the current VPN-based solutions with DirectAccess–based solutions.
Figure 29: Comparison between VPN-based and DirectAccess–based solutions
DirectAccess was designed from the ground up as an always-on remote access solution that is invisible to the user: it removes all user complexity, provides easy and efficient management and configuration tools, and does not compromise the security of remote connectivity in any way. To do this, DirectAccess in Windows Server 2008 R2 incorporates the following important features:
Authentication. DirectAccess authenticates the computer, enabling the computer to connect to the intranet before the user logs on. DirectAccess can also authenticate the user and supports multifactor authentication such as a smart card.
Encryption. DirectAccess uses IPsec for encrypted communications across the Internet.
Access control. IT can configure which intranet resources different users can access using DirectAccess. IT can grant DirectAccess users unlimited access to the intranet, or only allow them to access specific servers or networks.
Integration with Network Access Protection (NAP) and Network Policy Server (NPS). NAP and NPS, features built into Windows Server 2008 and Windows 7, can verify that client computers meet your security requirements and have recent updates installed before allowing them to connect.
Split-tunnel routing. Only traffic destined for your intranet is sent through the DirectAccess server. With a traditional VPN that is not configured for split tunneling, Internet traffic is also sent through your intranet, slowing Internet access for users.
Unlike such a VPN-based solution, the DirectAccess client forwards traffic destined for Internet-based resources directly to the Internet-based resource, while all intranet-bound traffic, both user and management traffic, still travels through the IPsec tunnels to the DirectAccess server. Separating the Internet-based traffic from the intranet-based traffic reduces remote access network utilization. The trade-off is that the client's Internet traffic is not inspected by the intranet's security devices while the client is away, so organizations whose policy requires such inspection can instead configure the Windows 7 client to route all of its traffic through the intranet (force tunneling) at the cost of the bandwidth saving.
Another difference between DirectAccess and VPNs is that DirectAccess connections are established before the user is logged in. This means that you can manage a remote computer connected by DirectAccess even if the user is not logged in; for example, to apply Group Policy settings. However, for the user to access any corporate resources, they must be logged in.
In order to benefit from DirectAccess, you must be able to access the resources within your intranet by using IPv6. If your organization has an IPv6 routable infrastructure, no IPv6 translation is required. If you have resources that only have IPv4 addressing, you will need to provide IPv6-to-IPv4 transition services.
The DirectAccess server supports the Teredo server, Teredo relay, ISATAP router, NAT-PT and 6to4 router transition technologies. Additionally, Microsoft’s Forefront Intelligent Application Gateway (IAG) solution will integrate with DirectAccess to provide additional management, security and deployment capabilities. This IAG solution will become available approximately 6 months after the launch of Windows Server 2008 R2 and the Windows 7 client.
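The IPsec tunnels, the split-tunnel behaviour and the IPv6 transition technologies described above can all be inspected from the Windows 7 client itself with built-in tooling. The following script is an added example written for this page, not code from the Windows Server 2008 R2 overview or from Microsoft; it assumes an elevated PowerShell 2.0 prompt on a Windows 7 DirectAccess client that is currently outside the intranet, and the two intranet host names in the parameter block are placeholders to replace with your own.

```powershell
# Added example (not from the original overview): DirectAccess client health check
# for Windows 7. Run from an elevated PowerShell prompt while outside the intranet.
param(
    # Assumed intranet host names; replace with servers in your own namespace.
    [string[]]$IntranetHosts = @('app1.corp.example.com', 'dc1.corp.example.com')
)

function Show-Section($title) { Write-Host "`n=== $title ===" -ForegroundColor Cyan }

# 1. Which IPv6 transition technology is carrying the tunnel? Outside the intranet a
#    native IPv6 address is rare; expect Teredo (client behind a NAT) or 6to4 (client
#    with a public IPv4 address). ISATAP only matters once the packet is inside the
#    intranet, and IP-HTTPS is the fallback when Teredo/6to4 are blocked by a firewall.
Show-Section 'IPv6 transition technologies'
netsh interface teredo show state
netsh interface 6to4 show state
netsh interface isatap show state
netsh interface httpstunnel show interfaces

# 2. Split tunnelling is driven by the Name Resolution Policy Table (NRPT): only names
#    in the intranet namespace are sent to the intranet DNS servers over the tunnel;
#    every other name is resolved by the locally configured (ISP) DNS server.
#    'Machine Location' shows whether the client believes it is inside or outside.
Show-Section 'Name Resolution Policy Table (split-tunnel name resolution)'
netsh namespace show effectivepolicy
netsh dnsclient show state

# 3. The IPsec tunnels. Connection security rules arrive via Group Policy; main mode
#    security associations appear only after the computer has authenticated, which
#    happens before any user logs on, so the SAs should exist on the logon screen.
Show-Section 'IPsec connection security rules and security associations'
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa

# 4. Every intranet resource must be reachable over IPv6. An IPv4-only server has no
#    AAAA record from the client's point of view unless a NAT-PT device provides one.
Show-Section 'IPv6 reachability of intranet hosts'
foreach ($h in $IntranetHosts) {
    try {
        $v6 = [System.Net.Dns]::GetHostAddresses($h) |
              Where-Object { $_.AddressFamily -eq 'InterNetworkV6' }
    } catch { $v6 = $null }

    if (-not $v6) {
        Write-Warning "$h has no IPv6 address: it needs ISATAP or NAT-PT to be reachable via DirectAccess"
        continue
    }

    # ping.exe returns 0 when at least one IPv6 echo reply came back.
    ping -6 -n 2 $h | Out-Null
    if ($LASTEXITCODE -eq 0) {
        Write-Host "$h reachable via $($v6[0].IPAddressToString)"
    } else {
        Write-Warning "$h resolves to $($v6[0].IPAddressToString) but does not answer; check the IPsec SAs above"
    }
}
```

Read the output top to bottom: if no transition interface is up, the tunnel cannot form at all; if the NRPT is empty, the client has not received its DirectAccess Group Policy; if connection security rules exist but no main mode SA, the computer certificate or firewall path to the DirectAccess server is the problem; and a host with no IPv6 address fails for the reason the preceding paragraph gives, namely that it still needs a transition service.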
Another common problem for remote users is the ability to access intranet-based resources from computers that are not owned by the user’s organization, such as public computers or Internet kiosks. Without a mobile computer provided by their organization, most users are unable to access intranet-based resources.
A combination of the Remote Workspace, presentation virtualization, and Remote Desktop Gateway features allows users on Windows 7 clients to remotely access their intranet-based resources without requiring any additional software to be installed on the Windows 7 client. This allows your users to remotely access their desktop as though they were working from their computer on the intranet.
The following figure highlights some of the new features provided by Virtual Desktop Infrastructure (VDI) and Terminal Services in Windows Server 2008 R2. For more information on these features, see “Secured Remote Connectivity for Private and Public Computers” in “Better Together with Windows 7” in Windows Server 2008 R2 Technical Overview.
From the user’s perspective, the desktop on the remote Windows 7 client transforms to look like the user’s desktop on the intranet: the icons, Start menu items and installed applications are identical to those the user sees on his or her own computer on the intranet. When the remote user closes the remote session, the remote Windows 7 client desktop environment reverts to its previous configuration.