Mastering Windows Server 2019, Third Edition

Product type: Book
Published: Jul 2021
Publisher: Packt
ISBN-13: 9781801078313
Pages: 690
Edition: 3rd
Author: Jordan Krause

Table of Contents (19 chapters)

Preface
1. Getting Started with Windows Server 2019
2. Installing and Managing Windows Server 2019
3. Active Directory
4. DNS and DHCP
5. Group Policy
6. Certificates in Windows Server 2019
7. Networking with Windows Server 2019
8. Remote Access
9. Hardening and Security
10. Server Core
11. PowerShell
12. Redundancy in Windows Server 2019
13. Containers and Nano Server
14. Hyper-V
15. Troubleshooting Windows Server 2019
16. Other Books You May Enjoy
17. Index
Appendix: Answers to the end-of-chapter Questions

Remote Access

Giving employees the ability to remotely access corporate resources used to be a nice benefit for most companies, but not necessarily a requirement. That mindset has changed significantly over the past year, as many of us have been forced to work from home by government orders that kept us out of the office during COVID-19. Most companies and employees now expect work to get done from wherever they happen to be. Cell phones are a big part of this equation, but they are limited by what can be done on a small screen and a restricted operating system. To let remote workers do their jobs from home, coffee shops, or hotels, we have traditionally used Virtual Private Networks (VPNs).

Most VPNs in today's businesses are provided by products from companies other than Microsoft. The Remote Access role in Windows Server 2019 is here to change that. With many improvements having been made to the VPN components...

Always On VPN

Traditionally, giving a user VPN access means handing them a network connection that they launch themselves and authenticate to with their credentials, after which they can reach their work environment's network and the company resources on it. Once the VPN is up, users can open their email, find documents, launch their line-of-business applications, or otherwise work much as they would when physically sitting in the office. A connected VPN also makes the laptop manageable, so systems such as Group Policy and SCCM can reach it. Traditional VPN connections offer great connectivity back to your network, but (remember, we are talking about regular, manually started VPN connections here) they only work while the user has launched them and told them to connect. Whenever a user has not connected to the VPN, they are on the internet with no connectivity back to the company datacenter...
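The "ordinary VPN connection plus automatic launch" idea can be seen from the client side with the VpnClient cmdlets. The following is an added example, not code from the book: it creates a conventional IKEv2 connection and then attaches the trusted-network and DNS triggers that bring it up without the user clicking anything. The server name, DNS suffix, corporate prefix and resolver address are placeholders. A production Always On VPN rollout delivers the same settings as a ProfileXML through the VPNv2 CSP (Intune, SCCM or the WMI bridge) rather than an interactive script, and a device tunnel can only be created that way; the user tunnel built here behaves the same as one provisioned from XML.

```powershell
# Added example, not from the book. Run as the user who will own the connection.
# Assumptions: every name, suffix and address below is a placeholder.
$ConnectionName = 'Contoso AOVPN'
$VpnServer      = 'vpn.contoso.com'       # public name on the RRAS server certificate
$CorpSuffix     = 'corp.contoso.com'      # internal AD DNS suffix
$CorpPrefix     = '10.0.0.0/8'            # traffic that should ride the tunnel
$CorpResolver   = '10.0.0.10'             # internal DNS server reachable over the tunnel

# 1. Under the hood AOVPN is a normal VPN connection. IKEv2 with machine-certificate
#    authentication identifies the device, not just the user, to RRAS.
Add-VpnConnection -Name $ConnectionName -ServerAddress $VpnServer `
    -TunnelType Ikev2 -AuthenticationMethod MachineCertificate `
    -EncryptionLevel Required -SplitTunneling -RememberCredential:$false -Force

# 2. Pin the IPsec proposal instead of accepting whatever the peer offers first.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
    -AuthenticationTransformConstants GCMAES256 -CipherTransformConstants GCMAES256 `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 -PfsGroup PFS2048 -Force

# 3. Split tunnelling: only the corporate prefix goes through the tunnel.
Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $CorpPrefix

# 4. The "automatic" part. Trusted-network detection suppresses the tunnel when the
#    client's active interface already carries the corporate DNS suffix (it is on-prem);
#    the DNS trigger raises the tunnel as soon as anything resolves a corporate name.
Set-VpnConnectionTriggerTrustedNetwork -ConnectionName $ConnectionName `
    -DnsSuffix $CorpSuffix -Force
Add-VpnConnectionTriggerDnsConfiguration -ConnectionName $ConnectionName `
    -DnsSuffix ".$CorpSuffix" -DnsIPAddress $CorpResolver -Force

# 5. Read back what the client will actually negotiate before rolling the profile out.
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel, SplitTunneling
Get-VpnConnectionTrigger -ConnectionName $ConnectionName
```

The trigger step is the only thing that separates this from the VPN connections users have been launching by hand for years; everything the tunnel carries is still IKEv2 and IPsec negotiated the usual way, which is why Always On VPN works against RRAS as it ships.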

DirectAccess

Throughout our discussion about Always On VPN, I mentioned Microsoft DirectAccess a couple of times. DirectAccess is another form of automatic VPN-like connectivity, but it takes a different approach than Always On VPN. Where AOVPN uses well-known VPN protocols and some crafty automation to launch otherwise traditional VPN tunnels, DirectAccess tunnels are Microsoft-specific: IPv6 traffic carried over transition technologies and protected by IPsec, with the client authenticating as a domain-joined computer (a machine certificate in the full deployment, the Kerberos proxy in the simplified one) before any user traffic flows. Because a tunnel cannot be established without a provisioned computer account, DA connections are hard to impersonate, and security teams tend to appreciate that an attacker who is not on a domain-joined, DA-provisioned machine cannot replicate one.

In my experience, at this point in the game, Microsoft DirectAccess is the most common reason that administrators deploy the Remote Access role on a Windows Server instance. As stated, the easiest way to think about DirectAccess is to think of it as an automatic VPN...
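A practitioner who wants to confirm the "automatic IPsec tunnel" description rather than take it on trust can read the tunnel state from both ends. The following is an added example, not code from the book: on the Remote Access server the DirectAccess cmdlets show how tunnels, transition technologies and client targeting are configured, and on a client the DirectAccess client component reports whether the machine decided it was inside or outside and whether its tunnel came up. No placeholder values are needed; everything is read from the live configuration.

```powershell
# Added example, not from the book. Section 1 runs on the Remote Access server,
# section 2 on a DirectAccess-enabled client. Nothing here changes configuration.

# --- 1. Server side: tunnel, transition technology and client-targeting configuration
Import-Module RemoteAccess
Get-DAServer                  # DAInstallType, ConnectToAddress, Teredo/6to4/IP-HTTPS state, interfaces
Get-DAClient                  # security groups that receive DA policy, force-tunneling status
Get-DAClientDnsConfiguration  # NRPT entries: which suffixes are resolved through the tunnel
Get-DANetworkLocationServer   # the NLS URL clients probe to decide they are on-prem

# Live IPsec main-mode associations: DA clients authenticate as computers, so the
# remote identity on each SA should be a machine, never an anonymous peer.
Get-NetIPsecMainModeSA |
    Format-List LocalEndpoint, RemoteEndpoint, LocalFirstId, RemoteFirstId

# --- 2. Client side: inside or outside, and is the tunnel up?
Import-Module DirectAccessClientComponents
$status = Get-DAConnectionStatus
$status | Format-List Status, Substatus
# Status is ConnectedRemotely, ConnectedLocally, or an error state; Substatus carries
# the reason for a failure (for example the NLS answered but the tunnel did not come up).

# The probe URL and corporate DNS settings that drive the inside/outside decision,
# and the NRPT rules that send corporate names through the tunnel's DNS server.
Get-NCSIPolicyConfiguration |
    Format-List DomainLocationDeterminationUrl, CorporateDNSProbeHostName, CorporateSitePrefixList
Get-DnsClientNrptPolicy |
    Format-Table Namespace, DirectAccessDnsServers, DirectAccessEnabled
```

If a client reports ConnectedLocally while it is actually off-site, the Network Location Server URL is reachable from the internet and should be fixed first; if it reports an error Substatus, the main-mode SA list on the server will usually show which tunnel never authenticated.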

Remote Access Management Console

You are well on your way to giving users remote access capabilities on this new server. As with many networking devices, once you have established all of your configurations on a Remote Access server, it is pretty common for admins to walk away and let it run. There is no need for a lot of ongoing maintenance or changes to that configuration once you have it running well. However, Remote Access Management Console in Windows Server 2019 is useful not only for the configuration of remote access parts and pieces but for monitoring and reporting as well.

When working with DirectAccess, this is your home for pretty much everything: configuration, management, monitoring, and troubleshooting. On the VPN/AOVPN side of the remote access toolset, you will be making many of the VPN configuration decisions inside RRAS, but RAMC is the place to go when checking over server-side monitoring, client-connection monitoring, and reporting statistics. Whether you...
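Everything the console's Dashboard, Remote Client Status and Reporting nodes display also comes out of the RemoteAccess PowerShell module, which is what you want when the same checks need to run on a schedule or land in a SIEM. The following is an added example, not the book's own code; it runs on the Remote Access server, and the 24-hour look-back window and the reconnection threshold are arbitrary values chosen for illustration.

```powershell
# Added example, not from the book. Run on the Remote Access server with an
# account that holds Remote Access administration rights. The look-back window
# and the reconnection threshold are arbitrary values to adjust.
Import-Module RemoteAccess
$Lookback = (Get-Date).AddHours(-24)
$Now      = Get-Date
$ChurnMax = 20            # connections per user in the window worth a second look

# Inbox accounting is what fills the Reporting node; without it the historical
# queries below return nothing.
if ((Get-RemoteAccessAccounting).InboxAccountingStatus -ne 'Enabled') {
    Set-RemoteAccessAccounting -EnableAccountingType Inbox -Force
}

# Dashboard: every component RAMC tracks (DNS, NLS, IPsec, Teredo, IP-HTTPS, ...),
# filtered down to the ones that are not green.
Get-RemoteAccessHealth |
    Where-Object { $_.HealthState -ne 'OK' } |
    Select-Object Component, HealthState, TimeStamp

# Remote Client Status: who is connected right now, by which transport, and how much
# traffic they have moved. DA clients show a TransitionTechnology, VPN clients do not.
Get-RemoteAccessConnectionStatistics |
    Sort-Object TotalBytesOut -Descending |
    Select-Object UserName, ClientIPAddress, ConnectionType, TransitionTechnology,
                  ConnectionDuration, TotalBytesIn, TotalBytesOut

# Reporting: the historical summary for the window, as the Reporting node renders it.
Get-RemoteAccessConnectionStatisticsSummary -StartDateTime $Lookback -EndDateTime $Now

# Triage aid built on the same history: accounts that connected unusually often.
# Reconnection loops, shared credentials and scripted access all show up as churn.
$history = Get-RemoteAccessConnectionStatistics -StartDateTime $Lookback -EndDateTime $Now
$history |
    Group-Object UserName |
    Where-Object { $_.Count -gt $ChurnMax } |
    ForEach-Object {
        Write-Warning ("{0} connected {1} times since {2}" -f $_.Name, $_.Count, $Lookback)
    }
```

The churn check is deliberately simple; the point is that once inbox accounting is on, the same per-connection records RAMC draws its graphs from are a queryable dataset rather than a screen to glance at.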

DA, VPN, or AOVPN? Which is best?

VPN has been around for a very long time, making it a pretty familiar idea to anyone working in IT. Always On VPN certainly brings its share of new capabilities, but under the hood what AOVPN is doing is launching a traditionally configured VPN connection, so the connection flow is similar to what we have always known. In this chapter, we have also discussed quite a bit about DirectAccess in order to bring you up to speed on this alternative method of automatically connecting your remote clients back to the datacenter. Now that you know there are two great connectivity platforms built into Windows Server 2019 for enabling your mobile workforce, which one is better?

You don't have to choose! You can run both of these technologies side by side, even on the same Remote Access server. Each technology has its pros and cons, and the ways that you use each, or both, will depend upon many variables. Your users, your client computers, and your organization...

Web Application Proxy

DirectAccess and VPN are both great remote access technologies, and combining the two of them together can provide a complete remote access solution for your organization, without having to pay for or work with a third-party solution. Better still, in Windows Server 2019, there is yet another component of the RemoteAccess role available to use. This third piece of the remote access story is Web Application Proxy (WAP). This is essentially a reverse-proxy mechanism, giving you the ability to take some HTTP and HTTPS applications that are hosted inside your corporate network and publish them securely to the internet. Any of you who have been working with Microsoft technologies in the perimeter networking space over the last decade will probably recognize a product called Forefront Unified Access Gateway (UAG), which accomplished similar functionality. UAG was a comprehensive SSLVPN solution, also designed for publishing internal applications on the internet via...

Requirements for WAP

Unfortunately, the ability to make use of Web Application Proxy comes with a pretty awkward requirement: you must have AD FS installed in your environment to be able to use it—even to test it, because the WAP configuration is stored inside AD FS. None of the WAP configuration information is stored on the Remote Access server itself, which makes for a lightweight server that can be easily moved, changed, or added to. The downside to this is that you must have AD FS running in your environment so that WAP can have a place to store that configuration information.

While a tight integration with AD FS does mean that we have better authentication options, and users can take advantage of AD FS single-sign-on to their applications that are published through WAP, so far this has proven to be a roadblock to implementation for smaller businesses. Many folks are not yet running AD FS, and if the only reason they are looking into implementing AD FS is so that they...

Latest improvements to WAP

Web Application Proxy was introduced in Server 2012 R2 and received many improvements when Windows Server 2016 was released. There have been no major modifications since then, but it is still worth pointing out the latest benefits that have been rolled into this feature, to show that it is still being developed. If you haven't looked at WAP since its first iteration, the following improvements are the ones to know about.

Preauthentication for HTTP Basic

There are two different ways that users can authenticate to applications published by Web Application Proxy: preauthentication or pass-through authentication. When publishing an application with preauthentication, users must stop at the AD FS interface and authenticate themselves before they are allowed through to the web application itself. With pass-through, WAP forwards the request as-is and leaves authentication entirely to the application behind it.

In my eyes, preauthentication is a critical component to any reverse-proxy and...
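Both authentication modes, together with the AD FS dependency described under the requirements above, show up directly in the cmdlets used to publish an application. The following is an added example, not the book's own code; the federation service name, the external and internal host names, the relying-party names and the backend SPN are placeholders, and the external certificates are looked up by subject name rather than hard-coded thumbprints.

```powershell
# Added example, not from the book. Run on the WAP server. Placeholders: fs.contoso.com,
# the intranet/mail/status host names, the relying-party names and the backend SPN.
Import-Module WebApplicationProxy

# Helper: newest certificate in the machine store whose subject matches a host name.
function Get-PublicCertThumbprint([string]$HostName) {
    (Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*$HostName*" } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1).Thumbprint
}

# One-time registration against AD FS. The proxy keeps no application configuration
# locally; every Add-WebApplicationProxyApplication below is written into AD FS.
$FsName = 'fs.contoso.com'
Install-WebApplicationProxy -FederationServiceName $FsName `
    -FederationServiceTrustCredential (Get-Credential -Message 'AD FS administrator') `
    -CertificateThumbprint (Get-PublicCertThumbprint $FsName)

# 1. Browser application behind AD FS preauthentication: users authenticate to AD FS
#    first, then WAP passes the request to the backend with Kerberos constrained delegation.
Add-WebApplicationProxyApplication -Name 'Intranet portal' `
    -ExternalPreauthentication ADFS -ADFSRelyingPartyName 'Intranet portal' `
    -ExternalUrl 'https://intranet.contoso.com/' `
    -BackendServerUrl 'https://intranet.corp.contoso.com/' `
    -BackendServerAuthenticationSPN 'HTTP/intranet.corp.contoso.com' `
    -ExternalCertificateThumbprint (Get-PublicCertThumbprint 'intranet.contoso.com')

# 2. HTTP Basic client (ActiveSync-style) behind AD FS preauthentication, which is
#    the Server 2016 improvement described above. AD FS validates the Basic
#    credentials before the request reaches the mailbox server.
Add-WebApplicationProxyApplication -Name 'ActiveSync' `
    -ExternalPreauthentication ADFSforRichClients -ADFSRelyingPartyName 'ActiveSync' `
    -ExternalUrl 'https://mail.contoso.com/Microsoft-Server-ActiveSync' `
    -BackendServerUrl 'https://mail.corp.contoso.com/Microsoft-Server-ActiveSync' `
    -ExternalCertificateThumbprint (Get-PublicCertThumbprint 'mail.contoso.com')

# 3. Pass-through: WAP terminates TLS and forwards. There is no gate in front of the
#    application, so its own authentication is the only control on the internet side.
Add-WebApplicationProxyApplication -Name 'Public status page' `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl 'https://status.contoso.com/' `
    -BackendServerUrl 'https://status.corp.contoso.com/' `
    -ExternalCertificateThumbprint (Get-PublicCertThumbprint 'status.contoso.com')

# Review: anything listed as PassThrough is reachable by unauthenticated internet clients,
# so this list is the one to walk through during a perimeter review.
Get-WebApplicationProxyApplication |
    Select-Object Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl |
    Sort-Object ExternalPreauthentication
```

Because the published-application list lives in AD FS, the same Get-WebApplicationProxyApplication output is returned by every WAP server in the farm; a second proxy only needs the Install-WebApplicationProxy step to pick up all three applications.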

Summary

The nature of the world today demands that most companies enable their employees to work from wherever they are. Working from home has become normal over the past handful of years, and specifically in this last year, with a worldwide pandemic, we have seen staggering increases in the percentage of employees who work outside of an office building. Companies need a secure, stable, and efficient way to provide access to corporate data and applications for these mobile workers. The Remote Access role in Windows Server 2019 is designed to do exactly that. With three different ways of providing remote access to corporate resources, IT departments have never had so much remote access technology available at their fingertips, built right into the Windows operating system that they already own. If you are still supporting a third-party or legacy VPN system, you should explore the new capabilities provided here and discover how much they could save your business.

DirectAccess and...

Questions

  1. What does AOVPN stand for?
  2. What are the two primary protocols used for connecting AOVPN clients?
  3. In which version of Windows 10 was AOVPN released?
  4. In what special instance would an AOVPN client be required to be joined to your domain?
  5. Does DirectAccess require your corporate internal network to be running IPv6?
  6. What is the name of the internal website that DirectAccess clients check in with in order to determine when they are inside the corporate network?
  7. What role does a Web Application Proxy server hold in a federation environment?