10 Reasons Why You Should NOT use UAG for DirectAccess...anymore.

By Shannon Fritz

I am the first to admit that Forefront UAG not only enhanced the capabilities of DirectAccess on Server 2008 R2, but truly made for a workable solution by adding some key features that let you deploy a better DirectAccess experience, and it made deployment easier too. Today, those great UAG features for DirectAccess have been rolled into Server 2012, and more has been added and improved! Let's compare UAG DirectAccess to Windows Server 2012 DirectAccess and you'll see why the new Windows Server is a better platform for deploying DirectAccess (the third generation now), even if your clients are still running Windows 7.
  1. NAT / Network Translation. Possibly the single most exciting new feature is that Server 2012 can use NAT to deploy DirectAccess and VPN using a single NIC, IP and port! Previously you needed two network adapters and two public, consecutive IP addresses directly assigned to the outside interface. This was a pretty tall order, and the new deployment option makes it a lot easier, allowing you to use existing firewalls and publishing practices that make the "security guys" happy.
  2. "6 to 4" IP Translation. DirectAccess client computers use IPv6 to talk to the DirectAccess server. UAG introduced two features called NAT64 and DNS64 that automatically translate IPv6 traffic into IPv4 without needing to actually support IPv6 on the corpnet. This is a really big deal because it eliminates the need to make changes to your network architecture, and NAT64 and DNS64 are both included with Server 2012 now!
  3. IP-HTTPS Improvements. There are three kinds of connections that DirectAccess clients auto-negotiate based on the way they are connected to the Internet. IP-HTTPS is generally the most available option, but it also carried a "double encryption penalty" that reduced performance because it wrapped the IPsec traffic inside HTTPS. Using Server 2012, IP-HTTPS performs more like Teredo now, but only for Windows 8 clients, because it can now implement SSL with null encryption (Windows 7 still suffers the "double encryption penalty"). Also, IP-HTTPS now works with proxies that require user authentication. Pretty handy! Side note: if using NAT, IP-HTTPS is your only connection option!
  4. Clustering. Previously, if you wanted multiple DirectAccess servers to provide load balancing and availability, UAG was required. Windows Server 2012 lets you create an array using Windows NLB and/or hardware load balancers of up to 8 or 32 nodes respectively!
  5. Performance. As described on TechNet, a single UAG server with 4GB of memory and 4 CPU cores can support about 500 simultaneously connected DirectAccess clients. Not bad, but Server 2012 can support about twice as many clients with half the system resources! So that same 4GB/4CPU server can support nearly 2000 clients now! You will likely need a faster Internet connection before you need another DirectAccess server based simply on capacity.
  6. Deployment and Maintenance. DirectAccess has always been just a role on Windows Server, but installing UAG also includes TMG and SQL, and there are several updates, rollups and service packs for all three products, causing the overall installation of UAG to take a couple of hours and several reboots. With Windows Server 2012 you just install the role and you're ready to configure it in a matter of minutes. You don't even need to reboot! Updating is also simplified now because you only need Windows Update and don't have to worry about the other three product lines.
  7. Certificates are Optional. One hurdle is often the dependency on a Public Key Infrastructure / Certificate Services. Many organizations do not already have one or don't want to maintain such an environment. If you are moving your workstations to Windows 8, then you do not need a PKI for DirectAccess with Server 2012. Instead of using computer certificates to establish the IPsec tunnels, it uses an HTTPS-based Kerberos proxy. In fact, you don't even need a 3rd-party certificate for the IP-HTTPS interface either. You can let the wizard generate a self-signed cert and it will be distributed as part of the client Group Policy. With that said, using certificates is still recommended, but you don't need to if you don't want to.
  8. Multi-Site Entry Points. Deploying DirectAccess for organizations that have multiple geographical locations was possible but rather difficult and had a number of limitations. Windows Server 2012 allows Windows 8 clients to automatically connect to their "closest" entry point. Windows 7 clients will be married to one entry point or another. Note: using Global Server Load Balancing (GSLB) can effectively give you a kind of multi-site, but it is a separate thing from "Multi-Site".
  9. Self-Hosted NLS and NCA sites. DirectAccess clients depend on a few simple but significant web services which always required a web server separate from the DirectAccess server. The 2012 DirectAccess server can also host the Network Location Server (NLS) and Network Connectivity Assistant (NCA) sites, which saves you system resources and possibly more licensing costs! As an added bonus, if you make a DirectAccess array, these sites also automatically become highly available. NOTE: the NCA used to be called the DCA or "DirectAccess Connectivity Assistant".
  10. Price (the bottom line). It's pretty expensive to run a UAG server if it's just for DirectAccess, but using Windows Server 2012 can cost about 90% less than UAG! Let's assume you already have the Windows Server CALs purchased and focus on just the additional licenses you would need:
     - UAG on Windows Server 2008 R2: The Microsoft Licensing Advisor wizard can show you that a single UAG Server license will run you about $6,500 by itself, plus $15 for every computer that you want to enable for DirectAccess. Assuming you want 100 DirectAccess clients, then you're looking at an investment of about $8,000 just for the software licensing. Tack on another $700 for the Windows Server 2008 R2 Standard Edition license if you're not running it as a Virtual Machine.
     - Windows Server 2012: There is no license required beyond that of the Windows Server license and CALs. So if you're running it as a VM then you may end up not needing to pay anything additional, making it "Free" as in "I already bought it because I bought Windows". If you haven't, then for about $880 you can buy a single Server 2012 Standard Edition license and install the Remote Access role on it to deploy DirectAccess. Better yet, install it as a Hyper-V host and use one of the 2 VM licenses that are included for Remote Access!
Some other honorable mentions: support for Windows Core deployments, full control and deployment with PowerShell, two-factor authentication supporting OTP such as RSA SecurID, multi-domain support, and co-existence with RRAS, which provides traditional VPN connectivity to clients and even to servers for site-to-site VPN. Backwards compatibility with Windows 7 and 2008 R2 as clients makes migration an option too! And one final note... Using Server 2012 should really be about deploying a "Remote Access" solution, as the Server Role is called, and not simply a DirectAccess deployment. You can deploy DirectAccess and a traditional VPN for your non-domain-joined devices that need connectivity all on one platform. Want to check my work? Here's a TechNet comparison between 2008 R2 DA and WS2012 DA: http://technet.microsoft.com/en-us/library/hh831416.aspx
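To show what the PowerShell control mentioned above looks like in practice, here is an added example (not from the original post) that ties together the single-NIC-behind-NAT deployment (item 1), the self-hosted NLS (item 9), Windows 7 "downlevel" clients with an IPsec root certificate (item 7) and a check that NAT64/DNS64 came up (item 2), using the Windows Server 2012 RemoteAccess module. The hostnames, GPO names, interface name and certificate subjects are placeholders, and it assumes the NLS and root CA certificates are already in the local machine store.

```powershell
# Added example, not the post's own script. Run in an elevated PowerShell
# session on the domain-joined Server 2012 machine that will become the
# Remote Access server. All names below are placeholders for your environment.

# Item 6: the whole install is one role, no reboot needed.
Install-WindowsFeature RemoteAccess -IncludeManagementTools
Import-Module RemoteAccess

# Item 9: host the Network Location Server on the DA server itself.
# Assumes a certificate with this subject is already in the machine store.
$nlsCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=nls.corp.example.com' }

# Item 1: single NIC behind NAT. -DeployNat tells the wizard the public
# address is translated, so clients are only offered IP-HTTPS (item 3).
# Assumption: with one adapter, both interface parameters name that adapter.
Install-RemoteAccess -DAInstallType Full `
    -ConnectToAddress 'da.example.com' `
    -ClientGpoName 'corp.example.com\DirectAccess Client Settings' `
    -ServerGpoName 'corp.example.com\DirectAccess Server Settings' `
    -InternalInterface 'Ethernet' -InternetInterface 'Ethernet' `
    -DeployNat -NlsCertificate $nlsCert

# Item 7: certificates are optional for Windows 8, but Windows 7 clients
# still build their IPsec tunnels with computer certificates, so enabling
# "downlevel" support needs the issuing root CA registered on the server.
$rootCa = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq 'CN=Corp Root CA' }
Set-DAServer -IPsecRootCertificate $rootCa
Set-DAClient -Downlevel Enabled

# Item 2: confirm the NAT64 and DNS64 translators the wizard configured.
# Clients' IPv6 traffic to IPv4-only corpnet hosts is mapped through here.
Get-NetNatTransitionConfiguration
Get-NetDnsTransitionConfiguration

# Review the resulting configuration before targeting clients at it.
Get-RemoteAccess
Get-DAServer
Get-DANetworkLocationServer
```

Each cmdlet prints its state, so a wrong interface name, a missing certificate or a failed prerequisite check shows up here rather than on the first client that tries to connect.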
Author

Shannon Fritz

Infrastructure Architect & Server Team Lead