DirectAccess is a Microsoft remote access technology designed for managed (domain-joined) Windows client computers. Much like NetMotion Mobility, it provides seamless and transparent remote network connectivity. However, the two products differ in important ways.
This is the first in a series of posts by Remote Access Expert, Richard Hicks comparing NetMotion Mobility and Microsoft DirectAccess on security, performance, visibility, supported clients, and solution support.
The wireless connection itself should provide essential protection (integrity and confidentiality) for communication between remote client computers and internal systems. However, both DirectAccess and Mobility include additional security layers that ensure access to on-premises applications and data is given only to authorized users.
Despite some similar functionality, Mobility offers advanced features that allow administrators to exercise greater control over remote access clients. Ultimately, deploying Mobility offers organizations superior security overall compared to DirectAccess.
Leverages multiple forms of authentication. First, the device itself is authenticated using its Active Directory computer account and NTLM. In most deployment scenarios a computer certificate is also required. When a user logs on, their Active Directory user account is authenticated using Kerberos. Multifactor authentication (MFA) is optional and can use smart cards, RSA SecurID, or RADIUS-based One-Time Password (OTP) providers.
DirectAccess does not support the use of RADIUS challenge/response or CAPTCHA for MFA. Further, the authentication method chosen by the administrator applies globally to all users. DirectAccess is unable to enforce different authentication methods on a per user, group, or device basis.
Users are authenticated using NTLM by default. NetMotion Mobility also supports RADIUS user authentication. MFA can be provided by RSA SecurID and any RADIUS-based OTP provider. NetMotion Mobility provides full support for challenge/response or CAPTCHA MFA.
Mobility supports machine-based authentication and includes the ability to enforce authentication on a granular basis. For example, one group of users may be allowed to authenticate using only their username and password, while another group may be required to use OTP.
IPsec Main Mode security associations (SAs) are protected using AES-128 with SHA-256, and Quick Mode SAs are protected using AES-192 with SHA-1.
These settings don’t meet the protection or assurance requirements for all deployments such as regulatory and compliance mandates like AES-256 required in high security environments. Unfortunately, it is not possible to modify the cryptographic settings for DirectAccess connections in any supported way.
Connections are fully encrypted using AES, but allow the administrator to make changes to cryptographic settings to match their specific needs, if required.
Endpoint Health Detection
In previous versions, Microsoft provided integration support for their Network Access Protection (NAP) technology to provide endpoint health detection for DirectAccess client computers. However, Microsoft recently deprecated NAP and has removed all support for it in Windows 10 and Windows Server 2016. Today, DirectAccess does not include support for endpoint health detection either natively or with third parties.
An additional policy module allows administrators to define granular and robust endpoint health and configuration policies that can be enforced on remote client connections. With Policy, client devices must meet specific configuration requirements before establishing a connection. Those that do not can be denied access, quarantined or granted limited access to corporate resources while the device is reconfigured. Once the device is deemed to be compliant, additional network access can be granted.
Does not support conditional access. All authenticated users have the same level of access regardless of where they are, or how they connect and authenticate.
Supports conditional access using access policies. Administrators can define different access levels based on factors including location, network connectivity, device configuration, and more. For example, if a Mobility client connects from a trusted network as defined by the administrator, the user can be granted full access to the network. However, if client connects from an untrusted network, access can be limited only to specific resources.
Restricted Network Access
Incapable of controlling internal network access for connected clients. Once a DirectAccess connection is established, remote clients have full, unrestricted access to internal resources. An additional firewall must be deployed between the DirectAccess server(s) and internal network in order to control access to internal systems. However, this provides only limited usefulness, as the same policy must be applied to all DirectAccess clients. It is not possible to define network policy based on individual users or devices.
Offers fine-grained control over network connectivity for remote clients based on a wide range of parameters. Administrators can restrict access to internal resources by date and time, the client’s current location, the type of network connection (for example Wi-Fi or LTE), available bandwidth, current network latency, and more. In addition, network access can be restricted based on the individual application making the request, the device type (for example Windows PC or Android mobile device), and much more. The possibilities are nearly limitless.
Both Mobility and DirectAccess provide secure remote access in a seamless and transparent manner. While each solution delivers thorough protection for remote connectivity, Mobility offers greater administrative flexibility for choosing encryption algorithms, and provides broader support for multifactor user authentication including challenge/response. In addition, Mobility includes endpoint health checks and essential network access controls to ensure that remote client systems are healthy and that access to internal resources is carefully monitored and controlled.
About Richard Hicks:
Richard M. Hicks is a network and information security expert and a Microsoft Most Valuable Professional (MVP). He is the founder and principal consultant of Richard M. Hicks Consulting, Inc. and has deployed edge security and remote access solutions for some of the largest companies in the world. A widely recognized subject matter expert for DirectAccess, he is the author of Implementing DirectAccess with Windows Server 2016 (Apress Media, ISBN 978-1-4842-2058-0). For more information visit https://directaccess.richardhicks.com/