5 Things NetMotion Mobility® Can Do that Microsoft DirectAccess Can’t
DirectAccess is a remote access technology from Microsoft that provides seamless, transparent, always on remote connectivity for managed (domain-joined) Windows clients. Although it is positioned as an enterprise remote access solution, it lacks essential security and performance features many large organizations require. In this article I’ll demonstrate 5 important things that NetMotion Mobility can do that Microsoft DirectAccess can’t.
1) Traffic Filtering
When a client establishes a DirectAccess connection, it has full access to all internal network resources. This is by design, as DirectAccess was meant to emulate internal LAN connectivity which typically provides unrestricted network access. This is not always desirable from a security perspective, however. Commonly, administrators are required to restrict access to a specific subset of network resources. DirectAccess provides no native facility to accomplish this task.
The only way to restrict access to internal resources for DirectAccess clients is to place a firewall between the DirectAccess server and the internal network. The challenge here is that the same policy applies to all DirectAccess clients, as all DirectAccess client addresses are translated at the DirectAccess server. In addition, network traffic must traverse the secure connection before being filtered, which is not ideal.
NetMotion Mobility® allows administrators to apply fine-grained controls on client network access. Access can be allowed or denied by source and/or destination address, source and/or destination port, and protocol. In addition, traffic filtering can be defined for individual applications or processes. Further, access restrictions can be dynamically enforced based on network type (e.g. ethernet, Wi-Fi, cellular), network location (SSID, DNS suffix name, etc.), available bandwidth, on or off battery power and battery level, time of day and even physical location. Importantly, traffic filtering policies are enforced on the client, eliminating the wastefulness of sending traffic over the VPN connection only to be dropped by an on-premises firewall.
2) Conditional Access
In the past, DirectAccess included support for Microsoft Network Access Protection (NAP) which was their version of a Network Access Control (NAC) solution. NAP allowed administrators to assess client configuration and health status to inform access control decisions. However, Microsoft deprecated NAP in Windows Server 2012 R2 and removed the feature completely in Windows Server 2016 and Windows 10. DirectAccess does not support integration with any third-party NAC platforms.
NetMotion Mobility includes integrated NAC functionality, allowing administrators to define a set of standards that connecting devices must meet before being granted access to the network. Optionally, network access can be dynamically controlled based on the status of the client making the connection. For example, Mobility NAC can be configured to warn a client that it doesn’t meet current health check requirements but still allow access. NAC can also be configured to quarantine the client, restricting network access to a limited set of resources such as remediation servers. The client can also be strictly denied access, if required.
There are numerous parameters that can be used to define NAC policy including existence and status antivirus and antimalware software (Microsoft and third-party), existence and status of firewall (Microsoft and third-party), the version of the Mobility software, operating system version and update status, existence and status of a specific process, and more. Registry key(s) and files on the client file system can also be evaluated to inform access decisions as necessary.
3) Granular Policy Enforcement
Some DirectAccess configuration settings are global in scope. For example, split or force tunneling settings apply to all DirectAccess clients. The option to enforce strong user authentication multifactor authentication also applies to all users. If different users require different configuration settings, a separate DirectAccess deployment must be implemented to meet this requirement.
NetMotion Mobility configuration settings can be applied in a granular way to meet the needs of any organization. Settings can be deployed based on user account or group membership (local or Active Directory), device type or device group, and more. For example, if only some users require access to a specific application, a policy can be configured to only allow application access if the user is a member of a specific Active Directory group. In addition, network access could be restricted to anyone using an Android device, or specific applications could be blocked when a mobile device is connected to a cellular network. The options for policy enforcement are nearly limitless, giving network and security administrators fine-grained control of access and communication for their mobile devices.
4) Role-based Administration
By default, to open the DirectAccess administrative console the user must be a member of the domain administrators group. There are options to eliminate this requirement, but they still require the user to be a local administrator on all DirectAccess servers and to have full control over DirectAccess-specific Group Policy Objects (GPOs) in Active Directory. There is no native way to provide limited, read-only access to the management console for the purposes of reviewing or auditing configuration settings or viewing connectivity status or historical reports.
The NetMotion Mobility management console supports Role-Based Access Control (RBAC), allowing administrators to define different access levels based on specific requirements. For example, help desk administrators can be granted access to make changes to user and/or device group membership, but not to make changes to server settings. Roles can be assigned to local or Active Directory domain users, or domain groups.
5) Cloud Deployment
Surprisingly, DirectAccess is not a supported workload for any public cloud, including Microsoft’s own Azure cloud solution. As many organizations are moving applications, services and infrastructure to the cloud, having a fully supported mobility solution in the cloud is critical.
NetMotion Mobility is a software-based solution that is installed on Windows server. It is fully supported when installed on-premises or in a public cloud such as Microsoft Azure, Amazon Web Services (AWS) Google Cloud Platform (GCP), and others. NetMotion Mobility gateway and infrastructure servers can be installed and configured on-premises, in the cloud, or both in the case of hybrid deployments.
DirectAccess is a good remote access solution for Microsoft-centric organizations, but it lacks some important capabilities that are required from a secure and robust enterprise mobility platform. NetMotion Mobility has a distinct advantage over DirectAccess because it provides administrators with tools to restrict network access and do so in a highly granular way. The configuration status of remote devices can be determined prior to connecting, enabling dynamic policy enforcement or restricted access as necessary. It also supports RBAC for administrative console access, and is fully supported for both on-premises, cloud, and hybrid deployment scenarios.
Guest Author: Richard Hicks | Founder & Principal Consultant, Richard M. Hicks Consulting
The views and opinions of guest authors do not necessarily reflect the views and opinions of NetMotion Software.
- Best practices in financial services IT: Sean Croston from Goodbody
- Voices of NetMotion: advocating for mental health
- Neuro-Diversity in IT: How remote working has created a more even playing field
- Moving to the Cloud in Legal, working from anywhere and what the future holds
- Voices of NetMotion: the gender gap