L2TP, SSTP, RDP, DirectAccess, ISA, UAG, et al: Understanding Microsoft’s Remote Access Story
One of the technologies that I've been working on is DirectAccess, a new feature in Windows 7 and Windows Server 2008 R2 that provides seamless connectivity to your enterprise network from wherever you are. I've been dogfooding DirectAccess for months now and I think it's going to be a real customer delighter. It's hard for me to imagine going back to traditional VPN.
That said, one of the first questions I always get from customers when I talk about DA is how does it fit into our overall remote access strategy? This is usually followed up with a joke about whether we have any strategy at all. That's a fair question because while we have a lot of great technologies, we often don't do a great job of articulating what to use when. For example, customer hear us use terms like L2TP, IAG, RDP, SSTP, and DirectAccess, but it can be difficult to understand if these are competitive or complementary technologies not to mention which ones fit which usage scenarios. So, I wrote this post to try to clarify how all the pieces fit together and hopefully encourage customers to see all these technologies as different tools in the same box, all of which share a common goal of enabling secure remote productivity.
I often use the following diagram to illustrate this relationship:
The foundation of the remote access strategy is Windows Server. Windows is where we ship the base protocols (e.g. L2TP, SSTP, RDP, etc.) that users connect with as well as the APIs that partners (both internal and external) build other products on top of. Above the basic protocols and APIs in the operating system, we also ship more complete solutions in the form of server roles and features. In the above example, you can see that Remote Desktop Services (formerly known as Terminal Services) and Network Access Protection are both roles and features that build on the base protocols.
Above the operating system layer, you can see the Forefront remote access technologies that provide further value on top of the protocols and server roles. Forefront TMG is the next version of ISA Server and implements an enterprise class firewall with reverse proxy capabilities. On top of Forefront TMG, Forefront UAG implements an advanced web based portal and SSL VPN, integrating various connection protocols like RDP and SSTP into a single easy to use interface and management control point. At the very top of the pyramid are the remote users connecting through these products.
If this seems like a lot of different pieces, it definitely is, but the net result is actually much simpler for customers. Basically, it's this: for Windows 7 clients, have them configured for DirectAccess. DA provides the best, most transparent end user experience and unparalleled levels of remote administration and control. For all other scenarios, use UAG. UAG integrates all the other pieces together into a single package, providing users with access to all their apps from wherever they are in a policy driven manner, simply by typing in a URL. For example, an administrator might say that a user connecting through UAG from a home computer with up to date anti-virus can access OWA normally, upload files to SharePoint, use Remote Desktop Services RemoteApps to run SAP, and create a full VPN with SSTP. However, that same user connecting from an untrusted kiosk machine might not be able to send attachments in OWA, only download files in SharePoint, and not be able to access SAP or create an SSTP tunnel at all. UAG also has the benefit of providing a single packaged solution where a customer can get an appliance, ready to run VHD, or traditional installer that sets up everything they need in one place.
So, when you're thinking about the Microsoft remote access strategy, you really just need to think about 2 things. DirectAccess is the premium experience for Windows 7 systems and UAG provides a single solution for managing it and all other forms of access.