Many IT professionals mistakenly believe that DirectAccess is just another VPN solution. While there are some similarities between the two technologies, both in the underlying technology and in function, there are significant differences between them. If you are comparing DirectAccess to VPN, here are the essential points to consider.

Virtual Private Networking (VPN) has been around for ages. VPN is a mature, well-understood technology that has been widely deployed, and it remains the de facto standard for providing secure remote access. VPN has broad client support, on both traditional computing platforms and mobile operating systems. VPNs today support modern protocols and integrate with numerous multifactor authentication platforms.

There are some serious drawbacks to implementing traditional client-based VPN. VPN connections are user initiated and therefore optional: it is up to the user to decide if and when they connect to the corporate network, so a machine whose user never connects is never reached by management. Many VPNs require additional client software, which must be deployed and maintained.

From a security perspective, because anyone can attempt a connection to the VPN from any client, strong authentication becomes an essential requirement. Establishing connections is potentially problematic too, as some VPN protocols are not firewall friendly and do not work in many locations. Integrating multifactor authentication makes the implementation more complex and difficult to support, and it often adds hardware, licensing, and support costs.

VPNs can be costly to implement and support. They typically require expensive proprietary hardware and dedicated management skill sets. Many VPN solutions also carry additional licensing costs. Scaling a VPN solution requires further investment in hardware, adding to the overall cost of the solution.

DirectAccess is a relative newcomer to the world of secure remote access. First introduced with Windows Server 2008 R2, DirectAccess differs fundamentally from VPN by virtue of its seamless, transparent, always-on connection. DirectAccess connections are established by the machine, not the user. They are secure and authenticated, and they are established automatically whenever the DirectAccess client has an active Internet connection. DirectAccess connections are also bidirectional, which is an important distinction: the ability to "manage out" to remotely connected DirectAccess clients enables compelling new use cases for IT administrators. Note that DirectAccess is a Windows-only client feature and requires Enterprise editions of the client operating system (Enterprise or Ultimate on Windows 7), so it does not match the breadth of client support that VPN offers.

Addressing VPN Pain Points with DirectAccess

DirectAccess connections are inherently more secure than a typical VPN deployment, for the following reasons. Unlike VPN, DirectAccess clients must be joined to the domain and, in most configurations, must also have a certificate issued by the organization's private, internal Public Key Infrastructure (PKI). This effectively serves as a form of multifactor authentication for the connecting device, giving a much higher level of assurance for remote connections. DirectAccess is very firewall friendly and works anywhere the user has an active Internet connection: the IP-HTTPS transport carries the IPsec tunnels over outbound TCP 443, which almost any network allows. DirectAccess can also integrate with many existing multifactor authentication providers to provide strong authentication for the user, if desired. It requires no additional software to be installed, and the seamless and transparent nature of DirectAccess makes it much easier to use than VPN. All of this improves end user productivity and reduces the management overhead of the solution.

DirectAccess is a more cost-effective alternative to VPN. It can be deployed on existing infrastructure (physical or virtual) and does not require proprietary hardware.

> Sonicwall introduced a new "Contemporary mode" for SMA in v10.2. This mode may prevent display of the Duo prompt. The issue displaying the Duo prompt in "Contemporary mode" was fixed in SMA firmware update 10.2.1.0-17. There is no setting in the SMA config to force use of "Classic mode". If you have issues with the v10 "Contemporary mode" and cannot update your device firmware, access the "Classic mode" login page by changing the VPN login URL in your browser from to
>

Edit: I see you said NSA, not SRA. Not sure if what I quoted there is relevant or not, but the first link is still good for setting up Duo & Sonicwall.

Basically, you want to protect an app in the Duo portal (probably Sonicwall RADIUS), and use those keys and endpoint in your proxy config. You don't want to select TOTP in the Sonicwall. When a user VPNs in, the authentication (RADIUS) should point to the server/port with the Duo proxy. That server sends the request to Duo, which, in turn, sends the push to the device. If you didn't already, you should set the RADIUS server authentication timeout to 60 sec.
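The flow the comment above describes (firewall as RADIUS client, Duo Authentication Proxy in the middle, Active Directory for the password, Duo cloud for the push) maps onto the proxy's authproxy.cfg as shown here. This is an added example written for this page; it is not from the original post or from Duo's documentation, and every host name, IP address, key, secret and distinguished name in it is a placeholder to be replaced with your own values. The section and option names ([ad_client], [radius_server_auto], ikey, skey, api_host, radius_ip_1, radius_secret_1, failmode, client, port) are the proxy's real option names; the choice of failmode=secure is this example's, not the commenter's.

```ini
; authproxy.cfg for the Duo Authentication Proxy (added example; all values are placeholders)
; Flow: SonicWall (RADIUS client) -> this proxy -> AD for the password -> Duo cloud for the push

[ad_client]
; Primary (first-factor) authentication against Active Directory.
; Use a low-privilege, read-only service account; it only needs to bind and search.
host=dc1.corp.example.com
service_account_username=svc-duoproxy
service_account_password=ReplaceMe
search_dn=DC=corp,DC=example,DC=com

[radius_server_auto]
; Second factor. ikey, skey and api_host come from the application (e.g. "SonicWall RADIUS")
; you protected in the Duo Admin Panel; "auto" sends a push to the user's enrolled device.
ikey=DIXXXXXXXXXXXXXXXXXX
skey=replace-with-the-40-character-secret-key
api_host=api-xxxxxxxx.duosecurity.com
; The SonicWall's address and the shared secret you also enter in its RADIUS server settings.
radius_ip_1=192.0.2.10
radius_secret_1=replace-with-a-long-random-shared-secret
; "secure" denies logins when the Duo cloud is unreachable; "safe" (the proxy default)
; lets a correct password through alone, which silently downgrades to single factor.
failmode=secure
; Which section above performs primary authentication, and the UDP port to listen on.
client=ad_client
port=1812
```

On the firewall side, the RADIUS server entry must point at the proxy host on UDP 1812 with radius_secret_1 as the shared secret, not at the domain controller, and the firewall's built-in TOTP option stays off because the proxy supplies the second factor. The 60-second RADIUS timeout the comment recommends matters because the proxy holds the Access-Request open until the user approves the push; with the usual 5- to 10-second default, the firewall retransmits or fails the login before the approval arrives.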