Using direct access for secure intra-LAN communication?

  • Question

  • Hi all,
    This is more of a design question than a specific problem, I hope that's okay.

    I work for a service provider in Norway and we have (at the moment) one main datacenter that's gonna be extended to two during the next year. The company is geographically spread out in various cities, and each office has a Site-to-Site VPN link into the datacenter. We're in the process of redesigning our network in order to improve security.

    I'd like to consider the various satellite offices "half-trusted" and deploy rules so that they're not able to access all networks in the datacenter. I'd like to have some kind of functionality where each client is authorized before it accesses the backend bits of our datacenter - optimally this would be related to computer domain membership so that employees' personal PCs can still be connected to a satellite office's LAN without gaining access to critical services in the datacenter. And I know we could use Citrix/RDP for this, but it would reduce functionality too much compared to what we have today. We could also use a "regular" SSL-VPN but I'd like something more transient.

    So, to the question: Is anyone using/considering DirectAccess in a similar scenario to ours? One problem I can think of is that (if my understanding is correct) all servers on the inside network (application servers in the DirectAccess design/test guides) need to be IPv6-enabled. We have truckloads of older (2003R2) boxes still that we won't be able to enable for IPv6. Is this correct?

    Any other pointers or suggestions to other technologies I should look at instead are deeply appreciated!

    Saturday, August 18, 2012 11:05 PM

All replies

  • Your situation sounds like exactly what we call our "Branch Office Scenario". Many companies have "branch offices" or locations outside of the main datacenter that today are most commonly connected either with a site-to-site VPN or some kind of MPLS connection, which can be expensive. DirectAccess can definitely help in this scenario. Basically, configure a DirectAccess box at the edge of your Datacenter and turn all of the computers in these other locations into DirectAccess-connected clients. Then they have 24x7 corporate connectivity just as they did before, but it allows you to ditch the expensive lines and go with regular internet connections in those offices. And in your case, it benefits also because you are not connecting the entire network to the datacenter, only making IPsec connections on a PC-by-PC basis.

    As long as you use either UAG or Server 2012 as your DirectAccess gateway box, your internal network and servers can be IPv4. Both of those solutions include NAT64 and DNS64 which essentially translate all of your IPv6 packets into IPv4 so that your internal network doesn't need to know anything about IPv6.

    Tuesday, August 21, 2012 2:36 PM
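The NAT64/DNS64 translation Jordan describes, as an added Python illustration that is not code from the thread or from UAG/Windows Server: DNS64 answers a AAAA query for an IPv4-only internal server by embedding its IPv4 address in a /96 translation prefix (the RFC 6052 well-known prefix 64:ff9b::/96 is assumed here; a real gateway uses its own), a host that already has a native AAAA record is left untouched, and NAT64 recovers the IPv4 destination from the synthesized address. The zone records are constructed.

```python
import ipaddress

# RFC 6052 well-known NAT64 prefix, used here as an assumption;
# a UAG / Server 2012 deployment advertises its own /96 prefix.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4, prefix=WELL_KNOWN_PREFIX):
    """DNS64 step: place the IPv4 address in the low 32 bits of the /96 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 translation prefixes are handled here")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract_ipv4(ipv6, prefix=WELL_KNOWN_PREFIX):
    """NAT64 step: recover the IPv4 destination from a synthesized address.
    Returns None when the address is outside the translation prefix,
    i.e. it is a native IPv6 destination that must not be translated."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def dns64_answer(name, zone, prefix=WELL_KNOWN_PREFIX):
    """Answer a AAAA query the way DNS64 does: a native AAAA wins, otherwise
    synthesize one per A record; a name with neither gets an empty answer."""
    rr = zone.get(name, {})
    if rr.get("AAAA"):
        return [ipaddress.IPv6Address(a) for a in rr["AAAA"]]
    return [synthesize_aaaa(a, prefix) for a in rr.get("A", [])]


# Constructed internal zone: two IPv4-only 2003-era servers and one dual-stack host.
ZONE = {
    "app01.corp.example": {"A": ["10.1.2.30"]},
    "files.corp.example": {"A": ["10.1.2.40", "10.1.2.41"]},
    "v6only.corp.example": {"AAAA": ["2001:db8:1::10"]},
}

if __name__ == "__main__":
    for name in ZONE:
        answers = dns64_answer(name, ZONE)
        print(name, [str(a) for a in answers])
        for a in answers:
            print("  NAT64 target:", extract_ipv4(a))  # None for native IPv6
```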
  • Thanks for clarifying that, Jordan. We'll set up a test environment with DirectAccess and see how this goes! Thanks again!
    Tuesday, August 21, 2012 3:28 PM