According to my good friend Martin Williams, there is a takeaway restaurant in the North West where you can get a vegetarian burger topped with bacon and cheese. It's called the contradiction burger.
I think the new DirectAccess feature in Windows Server 2008 R2 is brilliant. However, the early documentation is a little short on clarity, certainly for the single-server deployment, where the DirectAccess server must be a member of an Active Directory domain. But which domain? The trouble is that Active Directory member servers are very good at opening holes in firewalls: simply being a domain member means the server needs DNS, Kerberos, LDAP, SMB and RPC (endpoint mapper plus its dynamic ports) open through to the domain controllers.
As the DirectAccess server is both Internet-facing and intranet-facing, you might hope to deploy it in a restricted (amber/DMZ-type) network. Many organisations run a separate Active Directory forest in the perimeter network, but it is unclear (yet) whether DirectAccess supports that, hence the potential contradiction: a perimeter-network server that has to be a domain member. I have posed this question directly to Microsoft and will update the blog when I get the answer.
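To make the "holes in firewalls" point concrete, here is an added PowerShell check (not from the original post, and not Microsoft's tooling) that a would-be domain member sitting in the perimeter network can run to see which of the well-known Active Directory ports it can actually reach on the internal domain controllers. The domain controller names are placeholders; everything the script reports as blocked is a firewall rule that would have to be opened before the server could join the corporate forest. It tests TCP only: Kerberos, DNS and LDAP also use UDP, and the dynamic RPC ports handed out by the endpoint mapper are not covered by a single port probe.

```powershell
# Added example: probe the TCP ports a domain-joined server needs to reach on
# its domain controllers. Runs on PowerShell 2.0 (no Test-NetConnection needed).

# Assumed names - replace with your own internal domain controllers.
$DomainControllers = @('dc01.corp.example.com', 'dc02.corp.example.com')

# Well-known TCP ports a member server uses to talk to Active Directory.
# The RPC endpoint mapper (135) then hands out dynamic ports (49152-65535 on
# Windows Server 2008 R2), which this fixed-port check cannot exercise.
$AdPorts = @(
    @{ Port = 53;   Service = 'DNS' },
    @{ Port = 88;   Service = 'Kerberos' },
    @{ Port = 135;  Service = 'RPC endpoint mapper' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 445;  Service = 'SMB (SYSVOL/NETLOGON, Group Policy)' },
    @{ Port = 464;  Service = 'Kerberos password change' },
    @{ Port = 636;  Service = 'LDAPS' },
    @{ Port = 3268; Service = 'Global Catalog' },
    @{ Port = 3269; Service = 'Global Catalog over SSL' }
)

function Test-TcpPort {
    # Returns $true if a TCP connection to $ComputerName:$Port completes
    # within the timeout, $false on refusal, timeout or DNS failure.
    param(
        [string]$ComputerName,
        [int]$Port,
        [int]$TimeoutMs = 2000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false   # no SYN/ACK within the timeout: filtered or down
        }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# One result row per domain controller and port.
$results = foreach ($dc in $DomainControllers) {
    foreach ($entry in $AdPorts) {
        New-Object PSObject -Property @{
            DomainController = $dc
            Port             = $entry.Port
            Service          = $entry.Service
            Reachable        = Test-TcpPort -ComputerName $dc -Port $entry.Port
        }
    }
}

$results |
    Sort-Object DomainController, Port |
    Format-Table DomainController, Port, Service, Reachable -AutoSize

# Anything not reachable is a hole the perimeter firewall would need opened
# (or an argument for keeping the server out of the internal forest).
$results | Where-Object { -not $_.Reachable } | ForEach-Object {
    Write-Warning ("{0}:{1} ({2}) is blocked from this host" -f `
        $_.DomainController, $_.Port, $_.Service)
}
```

Run it from the perimeter host itself, since it is that host's path to the domain controllers that matters; a clean result from the internal network tells you nothing about the DMZ firewall.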
It certainly seems that the old-school principles of network zoning need a rethink to cater for DirectAccess on the client side. I read a good analogy suggesting that the 'old' thinking aligns the network with your office buildings. The reality is that your network is wherever your people are, regardless of location.
In the corporate world, DirectAccess will need to align with clear thinking on network and Active Directory design. What I like most is that it will drive validation of the end-user device, to make sure it is fit to 'join the network'. I will write about the associated Network Access Protection (NAP) technologies in a later blog.