Avanade Information Technology Services streamlines remote access, data security and client management with DirectAccess.
Business Situation
Avanade Information Technology Services supports more than 5,000 computers for the company’s global, highly mobile workforce. For remote users, a traditional VPN was used to connect to corporate resources, manage devices and push corporate security policies. With a mobile workforce, Avanade could not predict when machines would connect via VPN and receive updates, which introduced a higher level of risk and inconsistency.

Solution
DirectAccess with Microsoft Forefront Unified Access Gateway (UAG) provides an “always connected” mobile platform with fully integrated security that requires no end user interaction. UAG DirectAccess uses IPv6 with IPsec and IPv4-to-IPv6 transition technologies to create a secure connection between remote machines and the company intranet.

Benefits
Better Remote Access
For more than a decade, companies that needed to provide mobile workers with secure remote access to corporate resources relied on virtual private networks (VPNs). While VPN accomplished its goals, it also had challenges, such as poor usability, performance impacts, and requiring users to be continuously connected to be effective.

At Avanade, the goal was to provide a secure way to have always-on connectivity, improve performance and productivity, and reduce network impacts, all while ensuring it could manage the thousands of devices its mobile workforce uses every day to serve its customers. The introduction of the Microsoft® Windows® 7 and Windows Server® 2008 R2 operating systems presented Avanade with a solution that met these goals for remote access: DirectAccess.

Always-On Connectivity
DirectAccess provides “always-on” transparent connectivity that requires no end user intervention. For the end user, it eliminates the need to manually connect to the corporate network, saving time and increasing productivity. For administrators, the always-on connection improves remote monitoring for system health checks and management, simplifies Group Policy updates, and allows the computer to download security and system updates as soon as they are available.

“We wanted to enable a data encryption policy on client machines, so that no matter where they were that policy would be electronically enforced,” said Justin Martin, Avanade Information Technology Services (ITS) Infrastructure Engineer and DirectAccess project lead. “DirectAccess allows us to apply policies to remote machines as easily as to machines in the office.”

Avanade ITS implemented DirectAccess with Microsoft Forefront® Unified Access Gateway (UAG) to create a secure connection between remote machines and the company network.
UAG DirectAccess also combines the edge security of Threat Management Gateway with DirectAccess functionality, providing a single, scalable, fault-tolerant resource for remote access.

Eliminates Unnecessary Network Traffic
In addition to better security and administration, DirectAccess reduces network traffic through split tunneling. While the default behavior for a VPN is to send all traffic through the corporate network, DirectAccess allows public Internet traffic to route through the user’s local Internet service provider (ISP) without passing through the corporate network. This reduces both dependency on and utilization of the corporate network.

Two-Phase Implementation
Avanade took a unique approach in implementing its DirectAccess solution by dividing it into two phases. In the first phase, client computers were configured to allow the always-on DirectAccess connection only to domain infrastructure and management servers. In the second phase, client computers were configured to allow full user access to intranet resources such as Web servers and file shares.

The two-phase approach allowed Avanade to address the critical issues of risk and asset management more quickly. It also supported an associated deployment of BitLocker To Go®, implemented to reduce the risk of lost or stolen data storage devices. The BitLocker To Go solution encrypts data on any mass storage device attached via USB or FireWire (e.g. flash drives, hard disk drives), with the recovery key automatically stored in Active Directory® via the DirectAccess tunnel should the user be remotely located at the time of encryption.

Avanade deployed its DirectAccess solution in January 2011, rolling it out to more than 5,000 machines in 23 countries. Client configuration for DirectAccess is done through Group Policy, so when a computer is joined to the domain, it is immediately configured for DirectAccess with no additional configuration necessary. This provided a nearly “zero touch” deployment for users, and the transparent nature of the change was reflected in a low volume of help desk tickets.

Better Security, Management and Productivity
Among the benefits Avanade has realized with its implementation of DirectAccess:
“Being able to reach out and have constant contact with the mobile workforce is a huge benefit,” said Greg Petersen, Avanade Security Director. “Part of the benefit is client management in terms of the physical management of workstations, part is asset management in terms of being able to track all your assets, and part is making sure that policies are electronically enforced.”
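The case study rests on three things an administrator would want to verify on each client: that the DirectAccess IPsec connection is actually up, that the Name Resolution Policy Table is sending only intranet names through the tunnel (the split-tunneling behavior described above), and that BitLocker recovery passwords have been escrowed to Active Directory over that tunnel. The following PowerShell posture check is an added example, not Avanade’s or Microsoft’s code. It assumes a Windows 8 / Windows Server 2012 or later client (the DirectAccessClientComponents, DnsClient, NetSecurity and BitLocker modules it uses postdate the Windows 7 clients in the case study) and an elevated session; the function name Test-DirectAccessPosture and the -EscrowMissingKeys switch are this example’s own.

```powershell
# Added example (not from the case study): defender-side posture check for a
# DirectAccess client. Assumes Windows 8 / Server 2012 or later and an elevated
# session. Cmdlets used: Get-DAConnectionStatus, Get-DnsClientNrptPolicy,
# Get-NetIPsecMainModeSA, Get-BitLockerVolume, Backup-BitLockerKeyProtector.
function Test-DirectAccessPosture {
    [CmdletBinding()]
    param(
        # When set, (re)escrow every recovery password to AD. The backup is
        # idempotent, so this is safe to run after a volume was encrypted offline.
        [switch]$EscrowMissingKeys
    )

    $result = [ordered]@{
        DaStatus       = 'Unknown'   # connection state from the DA client components
        NrptDaRules    = 0           # NRPT rules that route names via DirectAccess
        MainModeSAs    = 0           # live IPsec main-mode SAs (the tunnels)
        VolumesChecked = 0           # BitLocker volumes with protection On
        KeysEscrowed   = 0           # recovery passwords backed up this run
    }

    # 1. Connection state: ConnectedRemotely means the always-on tunnel is up.
    $da = Get-DAConnectionStatus -ErrorAction SilentlyContinue
    if ($da) { $result.DaStatus = [string]$da.Status }

    # 2. Split tunneling: only namespaces with DirectAccessEnabled go to the
    #    corporate DNS servers; everything else resolves via the local ISP.
    $result.NrptDaRules = @(Get-DnsClientNrptPolicy -ErrorAction SilentlyContinue |
        Where-Object { $_.DirectAccessEnabled }).Count

    # 3. IPsec: zero main-mode SAs while DaStatus says connected is worth a ticket.
    $result.MainModeSAs = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue).Count

    # 4. BitLocker / BitLocker To Go: every protected volume (fixed or removable)
    #    should carry a RecoveryPassword protector, escrowed to the computer
    #    object in Active Directory.
    foreach ($vol in Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        if ($vol.ProtectionStatus -ne 'On') { continue }
        $result.VolumesChecked++
        $recovery = $vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        if (-not $recovery) {
            Write-Warning "$($vol.MountPoint): no recovery password protector"
            continue
        }
        if ($EscrowMissingKeys) {
            foreach ($kp in $recovery) {
                # Writes the recovery password to AD; over DirectAccess this
                # succeeds from any location with a working tunnel.
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                    -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
                $result.KeysEscrowed++
            }
        }
    }

    [pscustomobject]$result
}

# Report only:
# Test-DirectAccessPosture
# Re-escrow recovery passwords (for example after offline encryption of a USB drive):
# Test-DirectAccessPosture -EscrowMissingKeys
```

The client can report that a backup call succeeded but cannot prove the password is in the directory, so the server-side confirmation is to look for msFVE-RecoveryInformation objects beneath the computer account in Active Directory; a fleet with protected volumes and no such objects is the gap the DirectAccess tunnel was meant to close.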