Monday, November 30, 2009

Configuration Manager and Direct Access


This is a topic that is close to home at the moment.  Silversands has recently been piloting Direct Access (DA) with Forefront Unified Access Gateway (UAG).  For those not familiar with it, Direct Access gives domain-joined Windows 7 laptops an ‘always on’, VPN-like connection to the corporate network: IPsec tunnels are brought up automatically whenever the machine has internet connectivity, before the user has even logged on.  This is a major plus for the end user.  There is no connection to establish and no client software to install; it is all built into Windows 7, configured by Group Policy, and established behind the scenes, so to the user it is completely transparent.

(UAG is currently available as a Release Candidate; the RTM release will be coming soon.  UAG RC0 can be downloaded from here.)

Direct Access uses IPv6 (don’t panic) together with a number of IPv4 –> IPv6 transition technologies: 6to4 when the client has a public IPv4 address, Teredo when it is behind a NAT, and IP-HTTPS (IPv6 carried inside an HTTPS session) when only outbound TCP 443 is allowed, which is why it still works from hotel and coffee-shop networks.  For more info look here:
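As an added example (not part of the original post), the following PowerShell function summarises which of those transition technologies a Windows 7 DA client is actually using, and whether its IPsec tunnels are up, by parsing the netsh contexts that expose this. It assumes the “Key : Value” line layout that netsh prints on Windows 7; the key names are the ones shown by that release and are worth checking against your own build before relying on the script. Run it from an elevated prompt on the client.

```powershell
# Added example, not from the original post: summarise a Windows 7
# DirectAccess client's connectivity from the netsh views that expose it.
# Assumes the "Key : Value" layout netsh prints on Windows 7.

function Get-NetshValue {
    param([string[]]$NetshArgs, [string]$Key)
    # Run one netsh query and return the value of the first line whose key
    # matches (the key may be preceded by text, e.g. "6to4 State : default")
    $pattern = '(?:^|\s)' + [regex]::Escape($Key) + '\s*:\s*(.+?)\s*$'
    $line = & netsh.exe $NetshArgs 2>$null |
        Where-Object { $_ -match $pattern } | Select-Object -First 1
    if ($line -and ($line -match $pattern)) { return $Matches[1] }
    return 'unknown'
}

function Get-DirectAccessClientState {
    # The NRPT only applies when the client believes it is outside the
    # corpnet, so "Inside corporate network" means no DA tunnels are expected
    $location = Get-NetshValue -NetshArgs 'dnsclient','show','state' -Key 'Machine Location'
    $daConfig = Get-NetshValue -NetshArgs 'dnsclient','show','state' -Key 'Direct Access Settings'

    # The NRPT entry names the DA DNS server (UAG's DNS64 address with UAG)
    $daDns = Get-NetshValue -NetshArgs 'namespace','show','policy' -Key 'DirectAccess (DNS Servers)'

    # Transition technology state, in the order Windows 7 falls through them
    $sixToFour = Get-NetshValue -NetshArgs 'interface','6to4','show','state' -Key 'State'
    $teredo    = Get-NetshValue -NetshArgs 'interface','teredo','show','state' -Key 'State'
    $ipHttps   = Get-NetshValue -NetshArgs 'interface','httpstunnel','show','interfaces' -Key 'Interface Status'

    # IPsec main mode SAs: a working DA client has SAs for the infrastructure
    # and intranet tunnels; zero means the tunnels never came up. Counting
    # "Remote IP Address" lines is an assumption about the monitor output.
    $saCount = @(& netsh.exe advfirewall monitor show mmsa 2>$null |
        Where-Object { $_ -match '^\s*Remote IP Address' }).Count

    New-Object PSObject -Property @{
        Location           = $location
        DirectAccessConfig = $daConfig
        DirectAccessDns    = $daDns
        SixToFour          = $sixToFour
        Teredo             = $teredo
        IpHttps            = $ipHttps
        MainModeSAs        = $saCount
    }
}

Get-DirectAccessClientState | Format-List
```

A client that reports “Outside corporate network”, a DA DNS server in the NRPT, an active transition interface and a non-zero SA count is connected. “Outside corporate network” with zero main mode SAs is the case to chase: the client knows it should be on DA but the tunnels are not coming up.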

Now, Direct Access on its own is pretty good, but UAG offers several advantages:

NAP enforcement and quarantine of remote clients
UAG is NAP aware, so if a client’s anti-virus is out of date or its firewall is disabled, it is quarantined (restricted to the designated remediation servers) until it is compliant again.

Simplified TCP/IP Requirements
Native DA requires IPv6 on the corporate network – I’m betting that not many people have this!!  UAG provides NAT64 and DNS64, translating between the IPv6 that DA clients speak and your existing IPv4 servers.  All this means that your life is a lot easier (and you don’t have to IPv6 enable your entire network).

Portal Access
Should a DA connection not be possible (and there are scenarios where it is not, for example a machine that is not domain-joined or not running Windows 7), UAG offers a browser-based portal through which users can establish an SSL VPN connection.  As a bonus, the UAG portal also supports NAP :)


Hang on, where’s the System Center angle? 

Configuration Manager has a feature called Internet Based Client Management (IBCM), which lets you manage clients over the internet without a VPN.  However, it is limited to a subset of features:

  1. Software updates
  2. Advertised programs
  3. Hardware/software inventory (and, by implication, Asset Intelligence)

Remote tools and the other interactive features are not among them, so actually fixing a problem on an IBCM client can be tricky.

With Direct Access, it’s as if the client were actually on the corporate LAN.  You can ping it and, more importantly, remotely administer it.  One caveat: from the corporate side the client is only reachable at its IPv6 address, so the machine you manage from must itself have IPv6 connectivity to the DA clients (UAG’s NAT64 only translates client-initiated traffic).

I recently had a problem where one of the pilot DA clients fell out of NAP compliance (the A/V software had broken).  Because the local laptop user was not an admin, they were not able to reinstall the software.  But, knowing the client was on DA, even though it was not NAP compliant, I was able to use Configuration Manager to make a remote assistance connection to the machine as if it were in the next room.  Excellent!!  Problem solved!

Now, I was able to do this because I made the connection from one of the defined remediation servers on the network.  Any other machine would not have been able to connect.
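As an added example (not from the original post), here is the check you would run from a corpnet machine, ideally one of the NAP remediation servers, before attempting the kind of rescue described above: resolve the client’s IPv6 address, classify which transition technology it is arriving over, confirm it answers, and then offer it Windows Remote Assistance. It offers the session directly with msra.exe rather than through the Configuration Manager console as in the post. LAPTOP07 and corp.example.com are hypothetical names.

```powershell
# Added example, not part of the original post: run on a corpnet machine
# (ideally a NAP remediation server) to confirm a DirectAccess client is
# reachable over IPv6 and, if it is, offer it Remote Assistance.
# LAPTOP07.corp.example.com is a hypothetical client name.

function Get-TransitionTechnology {
    param([System.Net.IPAddress]$Address)
    # Classify by the well-known prefixes: Teredo is 2001:0::/32 and 6to4 is
    # 2002::/16. Anything else is the organisation's own prefix (native IPv6,
    # or IP-HTTPS, which hands out corporate addresses) or link-local.
    $b = $Address.GetAddressBytes()
    if ($b[0] -eq 0x20 -and $b[1] -eq 0x01 -and $b[2] -eq 0 -and $b[3] -eq 0) { return 'Teredo' }
    if ($b[0] -eq 0x20 -and $b[1] -eq 0x02) { return '6to4' }
    if ($Address.IsIPv6LinkLocal) { return 'link-local' }
    return 'native or IP-HTTPS'
}

function Test-DirectAccessClient {
    param([Parameter(Mandatory=$true)][string]$ComputerName)

    # A DA client registers its IPv6 address in corporate DNS (the "as if it
    # were on the LAN" property); with no AAAA record it is not on DA.
    $addresses = [System.Net.Dns]::GetHostAddresses($ComputerName) | Where-Object {
        $_.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6 -and
        -not $_.IsIPv6LinkLocal
    }

    foreach ($addr in $addresses) {
        # ICMPv6 echo over the DA tunnel; from a non-remediation server this
        # fails for a NAP-quarantined client even though DA itself is up
        $reachable = Test-Connection -ComputerName $addr.IPAddressToString -Count 2 -Quiet
        New-Object PSObject -Property @{
            ComputerName = $ComputerName
            Address      = $addr.IPAddressToString
            Transport    = Get-TransitionTechnology $addr
            Reachable    = $reachable
        }
    }
}

function Invoke-RemoteAssistanceOffer {
    param([Parameter(Mandatory=$true)][string]$ComputerName)
    $state = @(Test-DirectAccessClient -ComputerName $ComputerName)
    if (-not ($state | Where-Object { $_.Reachable })) {
        Write-Warning "$ComputerName has no reachable IPv6 address. If it is NAP-quarantined, retry from a remediation server."
        return
    }
    # Offer Windows Remote Assistance to the client (the helper-initiated
    # "Offer RA" mode, which must be allowed by the client's Group Policy)
    Start-Process -FilePath 'msra.exe' -ArgumentList "/offerRA $ComputerName"
}

Test-DirectAccessClient -ComputerName 'LAPTOP07.corp.example.com' | Format-Table -AutoSize
Invoke-RemoteAssistanceOffer -ComputerName 'LAPTOP07.corp.example.com'
```

If the address resolves and the transport is Teredo or 6to4 but the ping fails from an ordinary workstation, run the same check from a remediation server: a client that answers there and not elsewhere is sitting in NAP quarantine, which is exactly the situation described above.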


Configuration Manager + Direct Access = Full Management of Remote Clients

Because DA gives full network-level access to remote clients, the full suite of Configuration Manager services is available, perhaps most importantly the remote assistance tools.

DA is more flexible than IBCM, (in my opinion) simpler to set up, and requires a similar amount of infrastructure.

Configuration Manager also adds an extra string to your bow when it comes to NAP.  Natively, NAP allows you to require that automatic updating be enabled.  Configuration Manager’s System Health Validator, on the other hand, lets you specify particular software updates that must be installed on remote clients.  You could choose a minimum service pack level, or perhaps a specific hotfix for a recent security bulletin.  Clients won’t get access to the full network until they are remediated.

Remember that Direct Access requires Windows 7 (Enterprise or Ultimate) on the client.  Configuration Manager 2007 supports Windows 7 clients from Service Pack 2 onwards.